CyberWire Daily - Criminal markets and the criminals who shop there. Elections may be safe and secure, but influence operations seem here to stay. TikTok’s state of play. Indictments and extraditions.
Episode Date: September 17, 2020
Cerberus is available for free, the Empire Market’s old and betrayed customers are probably looking for another marketplace where English is spoken, and it seems the Russian mob is selling access to... North Korea’s Lazarus Group. NSA thinks US elections will be safe and secure, but that influence operations are probably here to stay. Betsy Carmelite from BAH on medical device security, our guest is Jonathan Langer from Medigate on lessons to help clinical and IT leaders at institutions heavily affected by COVID-19. Two Iranians are indicted for espionage and theft, and more evidence allegedly surfaces of Huawei’s role in sanctions evasion. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/181
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Cerberus is available for free.
The Empire Market's old and betrayed customers are probably looking for another marketplace where English is spoken.
And it seems the Russian mob is selling access to North Korea's Lazarus Group.
NSA thinks U.S. elections will be safe and secure, but that influence operations are probably here to stay.
Betsy Carmelite from Booz Allen Hamilton on medical device security.
Our guest is Jonathan Langer from Medigate on lessons to help clinical and IT leaders at institutions heavily affected by COVID-19.
Two Iranians are indicted for espionage and theft.
And more evidence allegedly surfaces of Huawei's role in sanctions evasion.
From the CyberWire studios at DataTribe, I'm Elliot Peltzman in for Dave Bittner with your CyberWire summary for Thursday, September 17th, 2020.
Some notes from the criminal underground have surfaced at midweek.
First, Kaspersky researchers say that the proprietors of Cerberus malware,
having made an attempt to auction it off on a dark web block, have now simply released its source code, Cerberus V2, for free to
Russophone hacking communities.
ZDNet points out that Cerberus had earlier this year been on offer in the form of malware
as a service, but that the developers attempted to auction it off in July.
They'd set initial bids at $50,000 and hoped to raise $100,000.
Those attempts were unsuccessful, no takers, and so the source has now simply been dumped.
The reasons for the free release are unclear.
When the auction was announced, the people hawking Cerberus said they were putting it on the block due to a lack of time and because the team is broken up.
That team would have been the group that developed and maintained the malware. What this means is that defenders
should expect to see more Cerberus attacks using the last version released, and that some attackers
who've picked up the code will probably try their hand at developing evolved versions.
Second, now that the Empire market has fallen in an exit scam, its proprietors departing
for parts unknown with users' cash, where are the criminals to go to trade their altcoins for
drugs, guns, and so forth? Security firm Digital Shadows this morning released its review of the
Empire's possible successors in the criminal contraband market. The researchers conclude that Empire's
disappointed members are likely to turn to another anglophone marketplace, which will probably end up
fleecing them too. Digital Shadows notes that there are a number of relatively stable and
well-established Russian-language dark web sites where contraband is traded. Why don't the English speakers simply move over to
one of those? Well, for one thing, the Russophones tend to find the Anglophones somewhat tiresome.
They treat the English speakers rudely. And for another thing, the Anglophones have trouble
communicating in Russian. The English speakers we're talking about there are probably, let's be
honest, for the most part, largely Americans.
You know that someone who speaks several languages is called polylingual, and someone who speaks two languages is bilingual.
What do you call someone who speaks one language?
Huh. American.
That one always kills me.
Prego, danke schön, I'll be here all week.
Anyways, expect one of the smaller English-speaking markets to fill Empire's ecological niche, and expect them to eventually scam their customers, too.
And third, Dark Reading reports that researchers at security firm Intel 471 have concluded that
there's a connection between Russian cybercriminals and the North Korean government's Lazarus Group.
Pyongyang has long been interested in redressing its sanctions-induced financial shortfalls,
and the Lazarus Group has served that objective with financially motivated hacking.
The basis for Intel 471's conclusion is the Lazarus Group's access to financial services organizations that was
evidently purchased from Russian gangs who've used TrickBot to establish themselves in the targets.
There was a lot of speculation yesterday that the U.S. administration would probably welcome
ByteDance's proposal to establish the U.S. TikTok operations as an independent company, with Oracle taking a minority share.
That speculation seems now to be premature. The Wall Street Journal reports that
U.S. Treasury Secretary Mnuchin and other officials have signaled that a minority stake
by an American company in TikTok won't be enough to allay security concerns.
Darktrace tells CNBC,
all of the political woofing about TikTok
shouldn't obscure the general need for the greater transparency
about what companies do with the data they collect.
And it would be a bad thing
should companies entangled with questionable data handling
come to believe that, from a cost-benefit point of view,
it's better to spend your money on lobbying than on security. As the U.S. elections approach, General Paul Nakasone, NSA Director and
Commander of the U.S. Cyber Command, said that he's confident those elections will be safe and
secure. The organizations he leads have made election security a priority. MeriTalk says General Nakasone explained
at yesterday's Intelligence and National Security Summit that their approach has had three main
areas of emphasis, which he phrased as questions. First, how do we generate incredible insights on
our adversaries? Second, how do we share information and intelligence with the lead of our nation's
election security, which is DHS and also FBI? And the last piece, how do we impose outcomes
on any adversary that attempts to interfere with our democratic processes? Again, he's confident
that they have these areas under control, but influence operations, General Nakasone said, are the
great disruptor, and they're here to stay. Cyberscoop quotes him as saying, quote,
We've seen it now in our democratic processes. I think we're going to see it in our diplomatic
processes. We're going to see it in warfare. We're going to see it sowing civil distrust in different countries. End quote.
Foreign Affairs has a long essay in its current issue on how Russian influence operations have evolved since 2016.
In general, direct troll farming, while it hasn't gone away, has fallen from its former position of prominence.
It's the sort of inauthentic behavior that's just grown too easy to detect.
Instead, the operators have done other things, from the low-level grift of persuading people
to rent their social media accounts through the establishment of plausible front organizations,
to the hiring of cynics or useful idiots to write for them. While Russia has been the leader,
other governments have shown themselves willing to learn from the best,
and state-run online influence campaigns are likely to become, the essayist argues,
a permanent feature of future democratic elections.
China, Iran, and Venezuela have already shown their ability to adapt some Russian methods to their own purposes.
They haven't been dull pupils, but their positive
objectives are inherently more difficult to achieve than the negative, disruptive goals
Moscow is interested in. The U.S. Attorney for the District of New Jersey has indicted two Iranian
nationals, Hooman Heidarian and Mehdi Farhadi, on charges of conspiracy to commit fraud and related activity,
computer fraud, unauthorized access to protected computers, computer fraud, unauthorized damage
to protected computers, conspiracy to commit wire fraud, access device fraud, and aggravated
identity theft. The allegations describe an increasingly common pattern,
a mix of state-directed espionage and privately profitable crime as a hacker's side hustle.
And finally, Reuters reports that connections have surfaced between Huawei executives
and an obscure Hong Kong-based company, Skycom,
that's at the center of a U.S. investigation into evasion of sanctions against
Iran. Huawei's CFO, Meng Wanzhou, currently faces extradition to the U.S. in a Vancouver court.
Reuters thinks the disclosures of closer Huawei ties to Skycom
are likely to lend support to the U.S. case for her extradition from Canada.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io.
Jonathan Langer and his team at Medigate have been diligently working to protect hospitals
along the East Coast and New York City during COVID-19. We'll hear now from his recent
conversation with Dave
about lessons they've learned.
Well, healthcare organizations naturally are in a very,
let's say a very challenging situation right now
given the pandemic.
I think on the one hand,
the challenge is addressing the concern around the pandemic,
treating people the way they should be to the best of their ability,
and to that end, expanding some of the facilities, moving medical devices from location to location, moving physicians, of course.
There's a huge challenge there. The other challenge is, of course, at the same time, just like other enterprises are doing, is or I guess was setting up a remote networking capability to allow the unessential workers to continue to support the enterprise.
Doing those two at once, that's quite a heavy lift the way that I'm seeing things.
Well, take us through some of those specific challenges.
What sort of things are you and your team tracking?
So what we're doing right now, what we're tracking is,
I think in high level, I would say that the security concerns that healthcare organizations had before the pandemic
have in fact been, I think, even heightened.
Given the pandemic, everyone is more focused on medical devices,
on their assets over the network, finding them, using them, protecting them.
The other piece that we're hearing more,
and this is where we're addressing this challenge as well,
is that they're saying security is important, but now more than time, also harnessing the capabilities of the technology
to actually provide operational efficiency and I'd say medical device fleet optimization as well
for the enterprise. So it's security that naturally is bringing in a technology,
but at the same time, the entire enterprise is benefiting from it.
That's what we're trying to cater to these days.
And what are some of the practical ways that they're able to do that? What sort of things
can they put in place? So to me, the first step in this process is inventory. You have to have
good network visibility and proper inventory in order to understand, just from a security
perspective, what you need to handle. Based on that, you can assess risk and prioritize your
assets and really start a security program. But what we've realized, which I think this is a very
interesting notion these days, is that this technology with regard to inventory can also
give you key insights in terms of the usability of the devices, the utilization of the devices.
And if you're good and you have the right healthcare focus, perhaps also prescriptive recommendations as to how to manage these devices to the most efficient way so that you get more out of them and actually save funds.
That's the challenge, that full circle that we're trying to do from security all the way
back to operational efficiency and back to security.
That's Jonathan Langer from Medigate.
...a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I am pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it's
always great to have you back. I wanted to touch today on medical device security and some of the
things that you and your team have been looking at in that area. What do you have to share with
us today? Sure. To jump in, I think, you know, if you're looking at kind of current day, especially
during our COVID-19 environment, and you're looking at
threats to medical devices, let's say in a hospital setting, this can really stir up some
nightmare type of situations in your mind. For example, if critical patient information
becomes unavailable as a result of a cyber attack, that would then have an impact on how a doctor can treat that patient.
Also, if a device such as a CT scanner were to go down,
ER doctors lose critical capabilities to select treatment for, let's say, a stroke patient.
And we've also seen an increase in the exploitation and phishing campaigns
and threats to federal agencies,
with healthcare being a key target.
Why are they targeting healthcare?
What's the draw there from the threat actors?
Sure.
So cybercriminals really continue to target medical and life science devices and organizations because there is a profit to be gained there. We're seeing,
you know, clinical labs with devices involved in COVID-19 research and testing targeted.
Major hospitals are experiencing ransomware. You know, we've seen the recent reports of ransomware
targeting a medical ventilator manufacturer. And really, these cyber criminals
are looking for ways to monetize and gain revenue. They believe these organizations have the best
chances of paying the ransom because every victim is really measured by their estimated revenue
and who is likely to pay the largest amount. Yeah. and obviously, I mean, hospitals, places like that
are literally dealing with life and death situations.
Right, right.
And they're also looking at organizations and companies
that might share compromised infrastructure accounts or vendors.
This is why we've really seen a rise in attacks on healthcare entities
over the years and more recently. That healthcare
data just has a high value on the black market, could possibly include all of a patient's PII.
Now, what sort of advice do you have for folks who are operating on the medical side of things?
Any words of wisdom? Sure. We've been looking at this fairly closely for the last year or so.
We really think that the medical device and broader healthcare ecosystem needs to transform
across stakeholder collaboration.
It's really needed to do this.
So we're looking at regulators, healthcare delivery organizations, manufacturers.
They all need to play a role in
this together. Secondly, we're seeing that medical device manufacturers have adopted processes for
vulnerability disclosure and coordinating that together. And that's all with an end game to
promote patient safety and the security of medical devices.
So that level of information sharing, also inclusive of disclosing the existence of
vulnerabilities and with mitigation plans, is key to really minimizing the impact of security
vulnerabilities, both for patients, organizations, and for the privacy of the data that could be at risk.
Do you suppose that everything we're going through and have gone through with the COVID pandemic
is going to leave us stronger on the other side of this?
When the pandemic is in the rearview mirror, are medical organizations,
having been through this experience, will they be in a
better place security-wise? I think medical device organizations can seize this opportunity
to work to address cybersecurity, not just in a defensive posture, but looking at it as security
by design. So they can take this opportunity to look at security
through the product lifecycle,
which includes during the design phase,
the development phase, through to end of life,
so that they're able to secure those devices at every stage
and have the flexibility to work those security architectures
into the devices.
And I think it will probably also prepare them to have business continuity plans,
backup protection, disaster recovery processes more solidly in place as well.
All right. Well, Betsy Carmelite, thanks for joining us.
Thank you.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals
and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for
CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker
too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yellen,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard. And I'm Elliot Peltzman.
Thanks for listening.
Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.