CyberWire Daily - Cyberattack on US HHS probably a minor probe. Disinformation about COVID-19 continues to serve as both phishbait and disruption. US prosecutors move to stop prosecution of Concord Management.

Episode Date: March 17, 2020

The cyberattack on the US Department of Health and Human Services seems now to have been a minor incident. Disinformation about COVID-19 and measures to contain the pandemic continues to serve as both phishbait and disruption. And US prosecutors move to stop prosecution of a Russian influence shop fingered by the Mueller investigation. Ben Yelin from UMD CHHS on HHS issuing health data rules, guest is Kevin Mitnick from KnowBe4 on the state of cybersecurity from the RSAC 2020 floor. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_17.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The cyberattack on the U.S. Department of Health and Human Services seems now to have been a minor incident. Disinformation about COVID-19 and measures to contain the pandemic continue to serve as both phishbait and disruption. And U.S. prosecutors
Starting point is 00:02:11 moved to stop prosecution of a Russian influence shop fingered by the Mueller investigation. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, March 17, 2020. The widely reported cyberattack on the U.S. Department of Health and Human Services, Bloomberg reported yesterday morning, now seems less serious than early reports made it out to be. Bloomberg quoted a statement by U.S. National Security Council spokesman John Ullyot, who said, quote,
Starting point is 00:02:49 We are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly. HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks, end quote. The New York Times reports the incident appears to have been an opportunistic and relatively crude probing of the department's networks for vulnerabilities. There was speculation that the incident represented a state-sponsored attack, but it looks more like the sort of preparatory distributed denial of service attack
Starting point is 00:03:25 organizations see all the time. DDoS attacks, if that's what the incident turns out to be, are commodity operations that many people could mount, as Vox observes. And people have jumped to conclusions about DDoS before, as some historical reflection will show. Remember Mirai, the IoT worm that clogged the internet along the U.S. eastern seaboard and elsewhere for several hours back in September of 2016? It was widely believed at the time, and not by crazies but by well-informed and serious people, to be a Russian demonstration. Moscow's shot across Washington's bow intended to show the smug Yankees that their infrastructure could be held at risk.
Starting point is 00:04:07 Which, in a way, we suppose it did. But it wasn't the Russians at all. By January of 2017, Krebs on Security had tracked down the principal mastermind, a self-described passionate entrepreneur, who was running some kind of Minecraft-themed click scheme from his dorms at Rutgers. In the case of the HHS incident, it seems there's not much to worry about. A Department of Homeland Security source told The Washington Post's Ellen Nakashima that on a scale of 1 to 10, it's about a 2.
Starting point is 00:04:40 As is usually the case with widespread crises, criminals seek to take advantage of fear, uncertainty, and doubt. Proofpoint reports that TA505, the Russian-speaking criminal gang Microsoft calls Evil Corp, and others know as Graceful Spider, is back with a ransomware downloader it's using against targets in the U.S. healthcare, manufacturing, and pharmaceutical sectors. TA505 is best known for Locky ransomware and the Dridex banking trojan. The phishbait is coronavirus-themed, and another criminal group, TA564, is doing much the same against Canadian citizens,
Starting point is 00:05:18 in this case spoofing the Public Health Agency of Canada. Neither campaign's spam is particularly well-crafted or convincing, bearing as it does the usage errors and eccentric capitalization that have long been the familiar stigmata of the Russian mob. But they've been successful. Their secret is volume. The troll farmers of St. Petersburg are a lot more fluent and high-spirited, but then they can afford to be. They're working on the government's dime. There's also some disinformation circulating that attributes COVID-19 to 5G networks, CNET
Starting point is 00:05:53 reports. The reason the virus emerged in Wuhan, the influencers say, and various Russian state outlets suggest, is because there are, of course, so many 5G towers around Wuhan. You won't swallow that one, but some people do, like influencers and those whom they influence. This particular rumor is marginally less plausible than, say, chemtrails, if you're keeping score at home. There are a handful of people in the cybersecurity world who need no introduction, and it's fair to say Kevin Mitnick is among them. Depending on your point of view, he's either famous, infamous, or perhaps notorious for his use of social engineering in his younger days, activities that found him at odds with both telecommunications companies and law enforcement. These days, he runs his own consulting firm and serves as the
Starting point is 00:06:45 chief hacking officer at security awareness company KnowBe4. Kevin Mitnick and I sat down together at the RSA conference. I still see that we have the same problems that we did last year. I see ransomware is getting much worse, not in how prolific it is, but the new types of attacks. Like, for example, a threat actor compromises an MSP. They get enough data from the MSP, they could access internal networks of their clients, the MSP's clients. They basically deploy ransomware into the MSP after they've compromised their clients' next field data.
Starting point is 00:07:21 And now the game has changed. It's not that, hey, we'll give you your data back if you give us some money via Bitcoin or other cryptocurrency. But tell you what, we're going to expose your client's data publicly unless you pay us. After wiping their data, of course. So then it becomes, what company out there,
Starting point is 00:07:42 what MSP, you'll be out of business, right? You get a bunch of your clients and all their data is going to expose, you're going to pay. I mean, you'd be nuts not to. You're going to decide to pay or just go out of business. Because calling the FBI and the Secret Service will probably be largely a waste of time because they'll get involved and do their investigation, but that's after the damage is done. When you were coming up and you were first exploring all of these things and many of the exploits that you are famous for, do you suppose back then could you have imagined what we have today, the types of attacks that we're seeing,
Starting point is 00:08:18 the way that cybersecurity and cyber itself is in every part of the world? Did you have that vision back then for where things might be heading? Well, I had the vision for self-driving cars. Okay. But I did not have the vision. I remember telling my dad about that's going to be, you know, maybe not in his lifetime,
Starting point is 00:08:37 but my lifetime, where cars are going to be automated. And I remember driving down the 405 freeway, and this is in LA, part of California, and I was explaining how the system would work with cameras and all this. And this is when I was probably 10. And now I'm a lot older. But as far as the hacking and seeing where social engineering was going
Starting point is 00:08:55 and to ransomware, you know, at the time I was doing this, when I was a teenager and young adult, no. Because back then I was using dial-up. The internet wasn't even born. It was the ARPANET. Right. So this is 1995 and prior. So the computers weren't a household name like today.
Starting point is 00:09:14 Not everyone had their iPhone or other device that they carry in their pocket with all the time. It was a different world. I always thought, though, when I testified at Congress in 2000, Joseph Lieberman and Fred Thompson invited me to testify for Congress. And I warned him back in 2000, March of 2000, that social engineering is here and now and a way in, not only to private sector but public sector networks and systems. And it will probably be here for a long time
Starting point is 00:09:46 unless you start doing, you know, unless you start educating the masses. I was going for mass education, like public service announcements on television and stuff to educate the everyday person, not people here at RSA. They should know better. But, you know, and they never did it, of course.
Starting point is 00:10:03 And, you know, here we are today, 2020. This was in 2000, so 20 years later, nothing has changed. Wow. Are you optimistic for the future? Do you feel as though people have sat up and are taking note that they're starting to put the things in place to get ahead of these things? Yeah, like I look at new technologies that are coming on the market like passwordless authentication. Right? So a lot of phishing attacks, if you go from not the pretext phone call side, but from the phishing side,
Starting point is 00:10:32 a lot of those attacks are what we call credential harvesting attacks. So it's not to get a malicious payload onto the victim's endpoint. It's to get the credentials. So in those types of attacks, if people adopt, companies adopt these passwordless technologies, then there's no passwords to steal. You just see these scams happening all the time. So I really think, I'm really a true believer that education is key. That's Kevin Mitnick from KnowBe4.
Starting point is 00:11:01 The U.S. National Security Council warns that foreign influence operations are also using fear of coronavirus to push the line that the U.S. is under a national lockdown that's tantamount to martial law, black helicopters and the whole nine yards. Because corroborative detail gives artistic verisimilitude to an otherwise bald and unconvincing narrative, the specific authority for the coming national jackboot is the Stafford Act. So stock up on canned goods, batteries, pistol ammunition, dog chow for the indispensably rowdy dog, or actually don't. Because of course, the Stafford Act, under which the president declared a state of emergency, has nothing to do with national
Starting point is 00:11:44 quarantines or martial law. It's a law that facilitates federal delivery of assistance to the states and to others during times of emergency. Mother Jones and U.S. News, two publications that tend to see the news from markedly different perspectives, have both reported on the false news, and they reach much the same conclusion. It's, of course, bogus. Much of the disinformation is being disseminated by email, text, WhatsApp, and TikTok, the Washington Post writes, noting that these are harder to track than similar campaigns over Twitter or Facebook would be. Much of the messaging is delivered as an image file,
Starting point is 00:12:21 which also makes it more difficult to screen. Text messages may be an unusually convincing way of disseminating false rumors. Graham Brookie, who directs the Atlantic Council's Digital Forensic Research Lab, told the Washington Post that text messages are effective persuaders because of their homey familiarity. It's the same technology friends and families use to stay in touch, so the news reported by text just strikes people as sounding right. Some of the disinformation is probably state-run, like the Chinese claims we discussed yesterday that COVID-19 started in the U.S. Army.
Starting point is 00:12:57 But much of it is no doubt spontaneously generated, and it's certainly not confined to the U.S. A great deal of fake news about mobs, rioting, and panic is circulating elsewhere too, particularly in Europe. And finally, the U.S. Justice Department has decided not to continue its prosecution of Concord Management and Consulting, a company which, despite its old-fashioned American-sounding name, is a Russian firm which does no business in the U.S. The company had been indicted for influence operations as a result of Special Counsel Mueller's
Starting point is 00:13:31 investigation of Russian operations during the U.S. 2016 elections. The Washington Post reports that prosecutors cited a, quote, change in the balance of the government's proof due to a classification determination, end quote, in their filing for dismissal. This led them to conclude that proceeding would no longer be in the interest of either justice or national security. The prosecutors' filing essentially argues that Concord would use discovery and the trial itself to further its own ends, and that the company was essentially beyond the reach of U.S.
Starting point is 00:16:20 And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more importantly, he's my co-host on the Caveat podcast, which you have not yet checked out. What are you waiting for? It's great. It really is great. You should check it out.
Starting point is 00:16:46 Ben, article we're going to talk about today, this comes from The Hill, written by Maggie Miller and Nathaniel Weixel, and it's HHS introduces new rules to give patients more control over their health data. What's going on here? So the Department of Health and Human Services has finalized two new rules that are going to be put in the Federal Register and will have the force of law. One of the rules was issued by the Department's Office of the National Coordinator for Health Information Technology, ONC, and one was written by CMS, the Centers for Medicare and Medicaid Services, led by Seema Verma. So the first rule, the ONC rule, implements portions of the 2016 21st Century Cures Act.
Starting point is 00:17:31 It requires health providers to allow patients to electronically access their own data and the patients would not have to pay to access their own data. And it puts into place some security protocols so that that data is protected. The CMS rule ensures the exchange of health information between providers by making sure that those exchanges are secure, that they comply with cybersecurity best practices. And then it requires third-party groups to provide information on their data privacy policies before information is shared with them. Although I'll note that those third-party groups are not subject to those rather stringent cybersecurity regulations. And the fact that those third-party vendors have not been included in the enforcement
Starting point is 00:18:17 of this rule has concerned probably the key interest group who really has a stake in this, and that's the American Hospital Association. They said that the rule did not go far enough. These rules didn't go far enough to protect patient data because oftentimes, and I think we've mentioned on our podcast and perhaps on CyberWire as well, these third-party developers aren't as secure and are not as subject to these same regulations.
Starting point is 00:18:43 So if your doctor's office is using some sort of third-party vendor, there have been instances where those vendors have been selling anonymized information, private health information, even though it is anonymized, for profit to other companies. So I think that's the large basis of concern here. Yeah, it's interesting to me that you'll be able to access your information electronically. I remember not long ago, I had reached out to my general practitioner about some information I was hoping to get, and I asked, could they just email it to me? And they said,
Starting point is 00:19:17 no, for security reasons, we don't email things. However, we could fax it to you. Ah, the old fax machine comes back. That's what I replied. I said, I'm sorry, I left my fax machine in 1995. Yeah, exactly. How do those things work anyway? I don't know. It has something to do with a landline. It's all very
Starting point is 00:19:36 ancient. It is. Good to see, I suppose, some pressure to get them to catch up with that, because access to your information, I think, is key for consumers of this sort of thing. It's good to be able to have access to that information. But interesting that the American Hospital Association thinks that this isn't enough. Yeah, and I think largely that's due to the third-party application issue.
Starting point is 00:20:01 I think there is broader agreement among all stakeholders that overall the intent of these rules is a wise one, and that's to both protect consumer data and give consumers a secure portal to review their own health information and provide things like price transparencies. You can log into your personalized system, see how much your procedures have cost, see how much insurance will cover. So I think it'll have a major effect downstream for healthcare consumers, which, you know, eventually will be all of us. Right, right, right. All right.
Starting point is 00:20:37 Well, that's an interesting development. Ben Yelin, thanks for joining us. Thank you. Thank you.
Starting point is 00:21:11 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:11 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
