CyberWire Daily - Cyberespionage and influence operations. Reading the US State Department’s mail. Risk management and strategic complacency. Volumetric attacks. Keeping suspect hardware out.
Episode Date: March 31, 2021

Charming Kitten is back, and interested in medical researchers' credentials. Russian services appear to have been reading some US State Department emails (it's thought their access was confined to unclassified systems). Risk management practices and questions about the risks of growing too blasé about "management." Recognizing the approach of an intelligence officer. Volumetric attacks are up. Joe Carrigan examines a sophisticated Microsoft spoof. Our guest is Donna Grindle from Kardon on updates to the HITECH Act. More concerns, in India and the US, about Chinese telecom hardware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/61
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Charming Kitten is back and interested in medical researchers' credentials.
Russian services appear to have been reading some U.S. State Department emails.
Risk management practices,
and questions about the risks of growing too blasé about management.
Recognizing the approach of an intelligence officer.
Volumetric attacks are up.
Joe Carrigan examines a sophisticated Microsoft spoof.
Our guest is Donna Grindle from Kardon
on updates to the HITECH Act.
More concerns in India and the U.S. about Chinese telecom hardware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 31st, 2021.
Charming Kitten, also known as Phosphorus or TA453,
the well-known threat actor associated with Iran's Islamic Revolutionary Guard Corps,
has resurfaced in a cyber espionage campaign directed against Israeli and U.S. medical researchers.
Proofpoint researchers conclude that the current campaign, which they call BadBlood,
is phishing for credentials belonging to geneticists, neurologists, and oncologists.
The campaign uses emails spoofing communications from Israeli scientists.
Proofpoint is confident in its conclusions, but also admits that, as is often the case, attribution is based on circumstantial evidence.
BadBlood's objective remains obscure. As The Record points out, Proofpoint told The Record that the pandemic has produced a surge in collection against biomedical research targets.
But the specialties said to be of interest to Charming Kitten, genetics, oncology, and neurology, don't bear any close and immediate connection to COVID-19 research.
Nonetheless, the collection proceeds and continues to prospect senior researchers.
Politico reports that Russia's Holiday Bear may have successfully accessed U.S. State Department emails.
It doesn't appear that classified communications were compromised,
but emails exchanged by Foggy Bottom's Bureau of European and Eurasian Affairs
and Bureau of East Asian and Pacific Affairs were apparently
being read in Moscow. Dark Reading has a summary of the current state of knowledge about the
Sunburst exploitation of the SolarWinds Orion platform. The U.S. is still considering its options with
respect to response, retaliation, defense, and deterrence in what the Atlantic Council
characterizes as a strategic failure.
The Council's report said, quote, the Sunburst crisis was a failure of strategy more than it
was the product of an information technology problem or a mythical adversary. Overlooking
that question of strategy invites crises larger and more frequent than those the United States
is battling today. The U.S. government and industry should embrace the idea of persistent flow
to address this strategic shortfall,
emphasizing that effective cybersecurity is more about speed, balance, and concentrated action.
Both the public and private sectors must work together to ruthlessly prioritize risk,
make linchpin systems in the cloud more defensible,
and make federal cyber risk management more self-adaptive, end quote.
In particular, the report claims that U.S. government risk management
was too heavy on management and too light on defense.
According to the website Stuff, New Zealand's intelligence and security agencies
have released guidance
to politicians and academics on recognizing and fending off foreign influence operations.
The advice is intended to be generally applicable and does not call out particular states since,
quote, the foreign states conducting espionage or interference against New Zealand change over time,
end quote. Much of the advice they give would be familiar to anyone
who's undergone counterintelligence familiarization or training.
Spies approach you, well, the way spies do,
seeking to gain your confidence,
offering inducements, and cultivating you over time.
Whether it's done in person or in cyberspace,
the process is much the same.
Akamai warns that volumetric distributed denial-of-service attacks are increasing in frequency and severity.
Some of the larger attacks recently observed have been conducted in connection with criminal extortion attempts.
Unpatched systems don't simply become a non-issue over time.
Vulnerabilities remain exploitable even if they fall temporarily out of fashion.
Quoting Check Point Research,
Bleeping Computer reports that WannaCry ransomware is back and undergoing a minor resurgence.
Check Point itself said, quote,
Worryingly, WannaCry, the wormable ransomware that made its debut four years ago, is also trending again, although it is unclear why.
Since the beginning of the year, the number of organizations affected with WannaCry globally has increased by 53%. In fact, CPR found that there are 40 times more affected organizations in March 2021 when compared to October 2020. The new samples still use the EternalBlue exploit to propagate,
for which patches have been available for over four years.
This highlights why it's critical that organizations patch their systems
as soon as updates are available.
End quote.
According to the Economic Times,
India's government is moving closer to blocking the country's mobile carriers from using Chinese telecommunication equipment.
New Delhi is concerned both about security, as relations with China have grown more tense over recent months,
and about fostering the growth of a domestic telecom manufacturing sector.
Chinese hardware manufacturers are also coming under renewed scrutiny in the U.S.
Reuters says that a member of the U.S. Federal Communications Commission
has called for tougher measures to exclude Chinese hardware from U.S. networks.
Commissioner Brendan Carr called for an outright ban on equipment manufactured by both Huawei and ZTE.
Current rip-and-replace restrictions on Chinese telecommunications hardware
simply preclude companies from purchasing it with federal funds. Carr calls this a gaping loophole
since it's still permissible to purchase and connect such devices using private funds. He said,
quote, it makes no sense to allow that exact same equipment to get purchased and inserted
into our communication network
as long as federal dollars are not involved, end quote.
Carr also suggested that such restrictions would be over-determined in any case.
They're fully warranted by security concerns,
and also justified on the grounds that the U.S. should avoid trading in goods that may have been produced by forced labor.
That second reservation is an allusion to Beijing's repression of ethnic and religious minorities,
especially the Muslim Uyghurs in Xinjiang.
Donna Grindle is founder of healthcare security and technology services company Kardon and host
of the Help Me With HIPAA podcast. She joined me and my co-host Ben Yelin on the Caveat podcast
to discuss recent amendments to the HITECH Act and how they might affect practitioners in the space.
So the HITECH Act was signed as part of what we know as the stimulus bill, the ARRA
in 2009. And so it was the healthcare part of that huge stimulus bill. It included several
different things, but the one big thing was funding to help push the healthcare industry towards electronic medical records because
it was lagging behind on technology. And it became known at that time as the Meaningful
Use Program. And if you were a certified EHR, so all of these vendors jumped into the market to become a certified EHR because if a hospital or doctor's office
implemented one and then proved they were meaningfully using it, then they got funding
to help pay for the cost of installing and securing and all of those things. So we're
talking thousands and thousands of dollars that we're rolling into healthcare to put these things in.
Ah, is that why my kid's pediatrician
and my primary care physician
started using tablets all of a sudden?
Yeah, really.
And a lot of that goes back to that, yeah.
You know, it just, the whole industry started moving,
whether they were,
the meaningful use program applied to them or not.
Now the industry standard was electronic medical records.
Once that kicked in, another part of it was saying, okay, we're going to stiffen up the
rules for privacy, security.
We're going to add enforcement, which was never part of HIPAA, really.
I mean, there was, but voluntary compliance, we kind of call it like, it's like a speed limit.
It's a really strong suggestion.
And so they had changed that.
That's where HITECH added the enforcement.
Everybody yells about $1.5 million today.
That's where it came from, as part of the HITECH Act.
And that actual enforcement piece is what got the amendment in January 2021.
Help me understand here and forgive how naive this question is, but do I have a master medical record?
Is there one record or are my records scattered about?
And if so, why don't I have a master medical record?
No, you do not. They are scattered about, scattered to the wind.
And that's why we always say you can cancel a credit card. You can't cancel your medical record.
So medical identity theft is a real problem. People don't understand it until it happens to them. But if I were to get your information and go and file your insurance and say that I'm you at a hospital in another state and all of my records get in there and then you end up, say, in a car accident in that state at that hospital, they'll say, yeah, we've had them here before.
And they're going to use my blood type if you're not awake enough to know it. So it can be quite dangerous.
But that's why you can't cancel them because there's not one main one. The reason there's
not one main one is that we don't have a main healthcare system. And on top, you know.
I want to log on to a website, Donna. I want to log on to a website.
I want to see all my medical record for my whole life. Just let me log on to a website. Why is that
so hard? Because I don't know where your data is. I promise I can't find it. Oh, man. So yeah,
there's a lot really up in the air. And I'm anticipating between now and June, a lot's either going to get pushed out or it's just going to start happening because of the timeframes that are built into the law with this.
So it's going to be – it's really interesting to see because there's just so much to overcome.
Our thanks to Donna Grindle for joining us.
You can hear more of our conversation on the Caveat podcast.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
I got some interesting research from the folks over at Area 1 Security. This is from their
threat research team,
and it's titled Sophisticated Microsoft Spoof Targets Financial Departments.
Take us through what they discovered here, Joe.
So this is actually a very advanced spear phishing campaign. First off, one of the things they note is that they are going after people in the treasury organization of businesses and in the C-suite, and they're
targeting assistants in those areas as well, like executive assistants. A lot of CEOs, almost every
CEO has an executive assistant, and these people are also being targeted. And the idea is that these guys can get into, if they manage to compromise somebody in the finance department's email, they can start sending out invoices to people with payment instructions that reward the attackers.
So wire this payment directly to this account, and thank you very much. And then the victim company,
who is a customer of the compromise company, then sends a payment to the attackers, and
they make off with a huge pile of money. Now, what's interesting in this is the way these guys
are going about it. They're using a very sophisticated phishing kit. They are registering domains that are Microsoft lookalike
domains. They are registering them quickly and then executing these spear phishing attacks with
those domains relatively quickly so that once you determine or it is determined by the security
community that this website is part of phishing infrastructure, it very quickly disseminates
throughout the community. So they're
making hay while the sun shines, if you will. One of the things that's really interesting that
they're doing that you don't generally see in phishing campaigns is they're setting up SPF
records, which is the secure sender policy framework. These are DNS entries that are
text records that say, yes, this domain is allowed to send email for us.
So a lot of times if you have, you know, if you can set up your receiving email to go,
let's check and make sure the SPF record for this is okay. If you don't have an SPF record,
we're not accepting the email. Well, these guys do have an SPF record for this. So it just bypasses that security check right there.
I'm not saying that SPF records are garbage. You should still use them. It's an extra step
that people have to go through, but it's not that hard to get around apparently.
Right. One of the things that caught my eye here was that evidently these attackers are
specifically targeting new CEOs during their transition periods, which that's fascinating.
So on the social engineering side. Right. What's also interesting is the article says that they're
targeting these new CEOs before public announcements have been made. Right. Which to me says they're
already in somebody's email. Right. There's already some compromise going on. Think about it. I'm the new
CEO, but nobody knows I'm the new CEO. Maybe my guard is not up as much as it should be.
Right. Well, you're not going to be familiar with what stuff looks like at the new office. So you
don't know what normal is. So you start getting all, because part of any onboarding, doesn't
matter if you're the CEO or the intern, any onboarding process is full of an avalanche of documents usually.
Absolutely.
So it's read this, sign this, and you're not sure yet, you're not acclimated to what's normal.
So that's a great opportunity for people to swoop in and take advantage of that.
Indeed, it absolutely is. One of the very convincing parts of this phishing kit is that they're sending out policy updates and security updates emails that are fake. And if you click
on a link, you're taken to a page that looks like the login page for Microsoft. It even has your
company logo on it and your email address. And the way they do that is, you know, they put the email address into the link,
so it's easy to pull it up.
But the company logo is pulled from an online service
that just displays your logo.
So they know, they match your domain
with the logo for your domain,
and you get a really convincing login page.
Right.
So it looks like it might be some sort of enterprise account
that's combining, you know, your logo with Microsoft's logo.
Exactly.
And that's what happens when you log into Microsoft 365 accounts.
So it's more convincing.
Another thing they're doing is they're sending HTML pages with JavaScript in it, obfuscated JavaScript, that just does the credential harvesting for you as an attachment. So if you don't get a PDF, you get the HTML page that also does all the redirects
through the different sites. So you may not even be going out to a server. We've talked about this
before. I can't remember if it was on the CyberWire Daily podcast or on Hacking Humans, where
a malicious actor sends out an HTML page that then just submits a request, you know,
submits the credentials you enter,
and they collect your credentials that way.
You don't actually have to connect to a web server.
Yeah.
Well, it's an interesting report.
Definitely worth a read here.
Again, it's the folks over at Area 1 Security on their blog. It's titled Sophisticated Microsoft Spoof Targets Financial Departments.
Joe Carrigan,
thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Comes with everything you see here.
Some assembly required.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben.
Thanks for listening.
We'll see you back here tomorrow.