CyberWire Daily - Data exposure reported in the Philippines. FISA targets down during the pandemic. Babuk changes its focus. New variant of the Buer loader in the wild. US Justice Department reviews its cyber strategy.
Episode Date: May 3, 2021

Possible data exposure at the Philippines’ Office of the Solicitor General. In the US, FISA surveillance targets dropped during 2020’s pandemic. The Babuk gang says it’s giving up encryption to concentrate on doxing. A new version of the Buer loader is out in the wild. Rick Howard looks at security in the energy sector. Betsy Carmelite from Booz Allen Hamilton on telemedicine security concerns. The US Justice Department undertakes a review of its cybersecurity policies and strategy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/84
Transcript
You're listening to the CyberWire Network, powered by N2K.
Possible data exposure at the Philippines office of the Solicitor General.
In the U.S., FISA surveillance targets dropped during 2020's pandemic.
The Babuk gang says it's giving up encryption to concentrate on doxing.
A new version of the Buer loader is out in the wild.
Rick Howard looks at security in the energy sector.
Betsy Carmelite from Booz Allen Hamilton on telemedicine security concerns.
And the U.S. Justice Department undertakes a review of its cybersecurity policies and strategy.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire
summary for Monday, May 3rd, 2021.
London-based security outfit Turgensec says that the Philippines Office of the Solicitor General
left about 345,000 documents exposed to
the internet, GMA News Online reports. Philippine authorities are investigating. Turgensec says the
data was exposed for about two months and that it appears to have been accessed by a third party.
The company says it disclosed the exposure to Philippine authorities on March 1st and March 24th.
The exposure was closed on April 24th.
According to Turgensec, data exposed includes hundreds of thousands of files
ranging from documents generated in the day-to-day running of the Solicitor General of the Philippines
to staff training documents, internal passwords and policies, staffing
payment information, information on financial processes and activities, including audits,
and several hundred files titled with presumably sensitive keywords such as private, confidential,
witness, and password.
The exposure, the company says, appears to have been a matter of database misconfiguration.
The AP says that the number of surveillance warrants issued in the U.S. fell last year, and the Director of National Intelligence attributes the decline in large part to the effects of the COVID-19 pandemic.
The New York Times reports that the report listed just 451 targets of wiretaps and search warrants
under FISA last year. The report notes that many factors contributed to the statistical shifts and fluctuations that show up in this annual assessment, but that in this case,
quote, ODNI assesses that in calendar year 2020, the impact of the COVID-19 pandemic likely influenced target behavior, which in turn may have impacted some of the numbers reported for that year, end quote.
So the pandemic affected those being watched more than it did the watchers.
The Babuk ransomware gang says, according to The Record,
that it intends to give up ransomware attacks after its current caper directed against the Washington, D.C. Metropolitan Police.
This is not due to an attack of conscience, however, nor to any newfound sense of public
spirit or civility. It's just that Babuk has found it easier to simply steal documents and
extort money by threatening their release. So, online extortion, which began by encrypting data
to deny it to their owners and moved to a double extortion, by not only encrypting information but also
threatening to make it public, may be moving to a third doxing-only stage. In any case,
paying ransom seems to be making less sense than ever before. Forbes reports that 92% of victims
who pay don't get their files back. So this part of the bandit economy seems to have eaten its own business
model. No more golden eggs from this particular well-cooked goose. Researchers at security firm
Proofpoint have found a new form of the Buer loader. Buer is commodity malware traded widely
in criminal markets. It's distributed by email and permits its criminal users to install further
malware packages on its victims' devices. It's a first-stage loader for additional payloads,
Proofpoint says, including cobalt strike and multiple ransomware strains, as well as possibly
providing victim access to other threat actors in the underground marketplace. The emails represent
themselves as shipping documents from
logistics company DHL. They are, of course, spoofed emails, and the attachments that carry the Buer
payload are malicious Microsoft Word or Excel files. Proofpoint expects the campaign to continue.
The Washington Post reports that the U.S. Justice Department has begun a 120-day review of its cybersecurity policies.
Prompted by the SolarWinds incident, which many see as a bellwether of future attack trends,
the department's review is intended to examine ways justice might better deter and defend against cyberattacks.
Deputy Attorney General Lisa Monaco said Friday, quote, we need to rethink and really assess are we using the most effective strategies against this kind of new evolution, this pivot
point that I think we're at today in the cyber threat. There is no time to lose on what can we
be doing better working with our partners across borders to address these threats. The Justice Department's efforts against ransomware have received considerable attention recently,
but the review will extend beyond that particular problem.
Justice has also adopted a more aggressive stance toward cybercrime,
participating, for example, in an international effort to take down the Emotet botnet.
That interest in international cooperation seems
likely to continue. According to The Record, the department plans to hire a liaison prosecutor
who will be expected to train and develop skills for prosecutors, police, and judges,
including through case-based mentoring on transnational organized cybercrime cases,
to identify gaps in existing laws,
advise legislative bodies on the enactment of effective legislation
and amendment of existing laws to increase enforcement efficacy,
and to build capacity within the law enforcement agencies
to combat transnational organized cybercrime.
It's not a new post, but the position has been vacant since December.
Whoever's hired for the job, good hunting.
And joining me once again is Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, always great to have you back.
Hey, Dave.
So for this season of CSO Perspectives, you've been covering some of the key critical infrastructure verticals,
things like finance and healthcare, to see if anything makes them unique in terms of strategy and tactics.
What do you have for us this week?
Yeah, so thanks for that.
On the pro side, we're talking about the energy vertical this week,
and we've invited some of our favorite guests to the hash table to get their views.
We have Helen Patton, the committee chair to the Cybersecurity Canon Project,
and also she's the advisory CISO for Duo Security at Cisco.
That's a title, okay?
And we have my friend, Steve Winterfeld,
the Akamai Advisory CISO,
and both of those folks are regulars for our hash table discussions.
But also we have a special guest this week,
Marcus Sachs, currently the Deputy Director
of Auburn University's McCrary Institute
for Cyber and Critical Infrastructure Security.
And they pretty much had every letter in the alphabet for that title. Okay. But in a previous life, he was the chief
security officer of the NERC for three years. That's the North American Electric Reliability
Corporation. And at the same time, he had oversight of the E-ISAC, the Electricity Information Sharing
and Analysis Center. So he fits right into the energy discussion.
Yeah, I mean, that is quite the mix of cybersecurity personalities.
I'm guessing not everybody agreed on everything.
How'd that go for you?
Well, you got that right.
There was a major disagreement about whether or not the energy vertical would move completely
over to a cloud-delivered infrastructure-as-code kind of
environment, the way that all the other verticals seem to be moving towards. Now, no spoilers here,
but I bet you can guess who was the guy that was against that idea. Hint, hint, it might be the
NERC guy. I'm just saying. All right. So, CSO Perspectives, is this something that is reserved
for the cool kids who have CyberWire Pro subscriptions?
Or what's going on over on the ad-supported side this week?
Well, you know, Dave, we've been talking the last couple weeks about the release of CSO Perspectives episodes from Season 1 to the public for free.
Now, these have ads, and if you're like me, you avoid ads like the plague.
And that is one of the main—
I know. We have to make money somehow, right?
Right, right. And that is one of the main reasons you want to subscribe to CW Pro. You get all the CyberWire content without the ads, right? But for this week on the
free side, we're doing a bit of an indulgence for me, okay? Instead of tackling some thorny
cybersecurity issue, we're talking about my four favorite cybersecurity novels.
And I have some very specific criteria for what makes a good book in this genre.
Yeah, you know, I'm actually glad to hear it because so many novels that I've read that have some sort of cybersecurity element, and I'd say this extends even to pop TV and movies.
They have sort of what I call a Harry Potter version of cyber, which is, you know, they don't really explain what's happening, but somehow
magically and mystically, they're able to break into highly classified government buildings. You
know, they say things like magnify, you know, and we're in, I think we may have watched the same
shows. Yeah. I mean, it's all good fun, but of course it's not terribly realistic.
Well, I'm totally with you on that, all right?
I want to be able to hand a good novel to my grandma where the cybersecurity is realistic and tell her, hey, grandma, this is what I do.
You know, sort of.
Fair enough, fair enough.
All right, well, Rick Howard, he is the host of CSO Perspectives over on CyberWire Pro.
And we've got advertiser supported episodes that are being put out there as well.
Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Betsy Carmelite.
She's a senior associate at Booz Allen Hamilton.
Betsy, always great to have you back.
You know, one of the things that's really moved along as we've all been experiencing a lot of the lockdowns with COVID-19 is the
explosion of telehealth. I know for me and some of my family members, we've really been taking
advantage of and enjoying the ability to connect with our medical professionals remotely. There
are a lot of conveniences there, but I suppose the cyber criminals have also taken notice of this.
They're not holding back either.
No, the premise here around this concern is that massive shift at scale to a remote delivery model brought on by the global health crisis.
And that's that rapid expansion of U.S. telehealth services, especially in 2020.
And we think it's unlikely to contract even years after the pandemic clears. There will be a permanence to telehealth given its convenience.
We also believe this will change the way cyber criminals target health data at scale. And I'd
like to touch on some of the characteristics of telehealth platforms and infrastructures. We know that telehealth uses electronic information and telecommunications technologies to remotely
provide clinical healthcare, patient and professional health-related education,
public health and administration services. This is also how medical collaboration is happening
among hospitals, rapidly treating COVID patients
or discussing transplant surgeries, for example. Some of the core technologies used in these
services are video conferencing, store and forward imaging, streaming media, and these are typically
accessible via the internet, including wired and wireless communications. With telemedicine,
this typically includes clinical care, treatment of chronic conditions, medication management, specialist consultations. It can be
considered a subset within broader telehealth services. Notably, both telemedicine and
telehealth share similar technology, infrastructure, and weaknesses. And we're looking at once disparate databases used
for billing and patient data now being aggregated and also platforms for patient provider collaboration
and communication. One of the data points to bring this into really practical focus is prior to the public health emergency. In a given week, 13,000 Medicare recipients used
fee-for-service telehealth. By the last week of April 2020, that increased to 1.7 million recipients.
So lots of data and infrastructure to exploit. Wow. Yeah. I did not expect that degree of growth. So what specifically are you expecting and experiencing the cyber criminals to be targeting here?
to perhaps not a new cybercrime focus, but a renewed focus at scale with an emphasis on stealing patient data primarily for monetary benefit.
And the theft of patient or hospital data can enable cybercrime in a few ways.
First, it can enable billing fraud over the phone using stolen information
to demand payment for physician-ordered medical devices
or fake medical
debt collection, or cybercriminals compare stolen patient numbers with falsified provider data to
submit fraudulent claims with insurers. It also enables ransomware operators who prey on hospitals
and medical providers, hoping that the threat of encrypted patient data
motivates that payment. Telemedicine will also be a significant target for attackers
looking to gain from the value of critical data stored on managed service providers and local
cloud instances. We saw a few companies like GE Health, Google, and Microsoft launched cloud-based systems for medical device management and telehealth services in the last year.
And finally, we see it targeting remote patient monitoring devices.
These are RPM devices.
Traditionally, providers deploy patient monitoring systems in a medical facility, but RPM systems are deployed at a patient's home.
Providers can use device data to treat acute conditions and chronic illness, but these devices must maintain
the confidentiality, integrity, and availability of patient data to ensure patient safety.
Telehealth security is really a patient safety issue with potentially catastrophic risks for data vulnerabilities and device failures.
How do you see us facing this potential onslaught here?
I mean, are the proper tools and techniques in place to make sure that people are safe?
I think this last year has shown us that the rise in the need for security is essential to make this a successful long-term platform
for clinicians and patients. We offer a few recommendations for those in the healthcare
industry, really at this transformative
point in the clinician to patient experience.
First, looking at the telehealth strategy and architecture with this rapid rise of the
technology implementation, often there's a lack of clinical and technical integration.
So healthcare systems should develop or refine an enterprise telehealth strategy
with security considerations built into every layer of the telehealth ecosystem,
from cybersecurity infrastructure to the supply chain, software, endpoint provisioning, etc.
Companies also really need to evaluate third-party vendor security. Healthcare is highly regulated as an industry, and there are multiple standards in place to protect patients and healthcare.
The health crisis has really introduced a load of new vendors with less experience navigating complex healthcare security regulations, and there are organizations like the National Consortium of Telehealth Resource Centers and the American Medical Association who provide checklists with security and privacy considerations for reviewing vendors.
Also, at a tactical level, firms need to evaluate the vendors' security controls, intrusion systems, and policies
on accidental disclosure of data.
And finally, organizations should implement
user authentication.
We've talked a lot about the value of patient data today.
Robust user authentication measures
are a necessity to ensure patient IDs
and personally identifiable information stay secure.
All right. Well, Betsy Carmelite, thanks for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, huh?
I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.