CyberWire Daily - iOS zero-days, reconsidered. Hacking during a pandemic. An old campaign connected with the ShadowBrokers comes to light. Advice on web shells. Astroturfing and influence.
Episode Date: April 24, 2020
An update on those iOS zero-days: they may not be as serious as assumed. Calls to take biomedical facilities off the hacking target list. Nazar and the ShadowBrokers. NSA and ASD issue joint advice on web shell malware. A report on astroturfing and influence operations. Joker's Stash lays out more stolen cards. And Nintendo reports a problem with a legacy system. Michael Sechrist from BAH on the increase in IT/OT convergence; guest is Terence Jackson from Thycotic on HIPAA, telemedicine and the new normal of data regulation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An update on those iOS zero days.
Calls to take biomedical facilities off the hacking target list.
Nazar and the Shadow Brokers, NSA and ASD issue joint advice on web shell malware,
a report on astroturfing and influence operations,
Joker's stash lays out more stolen cards,
Michael Sechrist from BAH on the increase in IT-OT convergence,
our guest is Terence Jackson from Thycotic on HIPAA, telemedicine, and the new normal of data regulation.
And Nintendo reports a problem with a legacy system.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, April 24th, 2020.
ZDNet reports that Apple has disputed the seriousness of the vulnerabilities
ZecOps claimed it discovered when it saw them being exploited in the wild.
It's the exploitation in the wild that Apple takes particular exception to.
Cupertino says it found no indications that the zero days pose any real threat to users.
Apple does acknowledge the zero days and says they will be fixed in the next iOS release.
Some researchers think ZecOps may have observed malformed emails and not malicious exploitation
of iOS bugs. ZecOps says it intends to release more information on its discovery.
In the meantime, Naked Security suggests that whatever else the bugs might be,
they don't seem to be directly exploitable, and so any risk is probably low.
China says that biomedical organizations should be off-limits to hacking.
The Wuhan Institute of Virology is among organizations receiving the attention of hackers.
Employees' email accounts have been compromised, the South China Morning Post reports.
The Level 4 research facility has been the subject of repeated speculation
that COVID-19 accidentally escaped from the labs there and did not originate in the city's wet markets.
The speculation is surely a matter of legitimate inquiry,
especially given Beijing's less-than-transparent record during the pandemic.
But in some fringe quarters, such speculation has reached the level of subjective certainty, which is pretty clearly approaching chemtrail territory.
describing their recent look at APT32 has prompted a call from Beijing, as Reuters says,
urging all nations to condemn any attack
on an organization involved in working against the pandemic.
There's surely substantial international sentiment
for placing biomedical facilities in a protected category
off limits to cyber attack
the way the laws of armed conflict
prohibit most deliberate attacks against hospitals.
It's not clear, however, that APT32, a threat actor associated with the Vietnamese government,
is engaged in destructive or disruptive attacks.
FireEye concluded the APT has been conducting intrusion campaigns against Chinese targets
involved with responding to the pandemic, especially China's Ministry of Emergency Management
and the local government of Wuhan. These seem to be more in the nature of espionage.
Vietnam has denied any involvement, telling Reuters that the accusations are baseless.
An arguably more menacing threat to hospitals is playing out in the Czech Republic,
which continues to look toward Russia as the source of recent cyber incidents
in the nation's medical facilities.
Tension between Prague and Moscow continues,
Radio Free Europe Radio Liberty reports.
Removal of a Prague statue of Soviet Marshal Konev,
who led the army group that drove through Czechoslovakia in 1945,
but who also crushed the Hungarian Revolution of 1956 and was instrumental
in erecting the Berlin Wall, has given offense to Moscow. So has renaming the street on which
Russia's embassy is located in Prague in honor of former Russian Deputy Prime Minister Boris Nemtsov.
The inveterate critic of President Putin was murdered outside the Kremlin in 2015.
Moscow regards both acts as provocations.
On the Czech side, there's widespread outrage over cyber operations,
reconnaissance and battle space preparation for the most part, that affected health care facilities during the current pandemic.
These activities increasingly look like the work of Russian operators.
A researcher associated with Johns Hopkins University's School of Advanced International Studies reports finding a previously unremarked campaign, Nazar,
that used tools the shadow brokers are believed to have obtained from the U.S. National Security Agency
and then leaked to threat actors.
The name of the operation is a Farsi word, and there's Farsi text associated
with the operation, but attribution remains murky. It would be premature to call Nazar an Iranian
operation. The U.S. National Security Agency and the Australian Signals Directorate have issued
joint guidance on detecting and preventing web shell malware. Why take up web shells? As the agencies
explain, web shells provide attackers with persistent access to a compromised network
using communication channels disguised to blend in with legitimate traffic.
Web shell malware is a long-standing pervasive threat that continues to evade many security
tools. The public guidance is another instance of Five Eyes intelligence
services undertaking public outreach on cybersecurity. Domain Tools this morning
published their own study of how the domains apparently devoted to the cause of reopening
normal life in the U.S. came to be and who registered them. Many of the sites, a number
of them with Second Amendment themes, appear to Domain Tools to have been established by Aaron Doerr,
a consultant who advises political movements on advocacy and organization.
Their use of a small set of common templates seemed to derive from another political consultancy,
One Click Politics, which further raised suspicion that the apparently local,
ostensibly grassroots sites were in fact AstroTurf.
Domain Tools emphasized in a conversation with us that one common feature on the AstroTurf sites is a prominent and functioning donation button.
This suggests to them that a non-trivial goal of the operation is making money.
Domain Tools also suggested two areas that merit some attention.
First, deep fakes have been generally associated with faked audio or video content.
Domain Tools points out that one of the problems of astroturfing and influence operations generally
is the production of useful content, at scale.
Sometimes this is done through plagiarism or repurposing.
Sometimes, and this is something Domain Tools noticed in connection with Mr. Doerr's operation,
by having some loans to Conovite crank out a number of bylined pieces.
Using the same byline does tend to blow the gaff, but it happens.
Domain Tools suggests that deep learning tools can be adapted to rapidly produce good enough written content in the service of influence.
This could involve impersonation of real persons, or simply generate articles that could be
attributed to various sock puppets.
Second, while most of the astroturf seems based domestically in the United States, there
are indications that a few of them may have infrastructure in Hong Kong.
That's curious and deserves further investigation.
Remember Joker's stash?
They're back.
The carding market is offering a fresh batch of stolen paycard data.
The goods this time are mostly cards stolen from U.S. and South Korean users,
Bank Info Security says.
And finally, Nintendo has confirmed that hackers gained access to about 160,000 player
accounts, according to ZDNet. The attackers are thought to have abused a legacy login system,
Nintendo Network ID, NNID, that remains in use to manage old Wii U or Nintendo 3DS accounts.
What the hackers have done with the caper seems to indicate that petty minds
are behind the whole thing.
A lot of them are buying up
Fortnite in-game currency.
We know, we know,
in-game currency can be traded
for things of real value,
used to launder illicit cash,
and so on.
But really,
Fortnite.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Terence Jackson.
He's Chief Information Security and Privacy Officer at Thycotic,
a provider of privileged access management tools.
Our conversation highlights the interesting times we find ourselves in
when it comes to HIPAA,
telemedicine, and the new normal of data regulation. We find ourselves today in, I call it,
data privacy soup. Right now, we have at least 20 states that have drafted or are in the process of drafting their own unique data privacy legislation.
And that is honestly at the point now where it's almost untenable for the average business to keep up.
I mean, every day there's a nuance.
You know, most recently, obviously, it was CCPA.
And due to the COVID-19, certain parts of that, they were trying to delay the enforcement were just going over what's going on in Europe in regards to GDPR. And it, in fact, still is, you know, enforced.
And, you know, you have companies attempting to scan employees, or you did before everything was pretty much shut down.
But we're trying to scan employees' foreheads when they were coming in to work to scan their temperatures.
And that actually crossed some data privacy boundaries specifically in Europe.
You know, where's that data going?
What are you going to do with it?
What's the collection purpose of it, which is a big tenet of GDPR?
You're only supposed to collect data that's absolutely needed.
So was that a needed piece of data to the employer? And the coworkers probably say, you know, maybe, but in the grand scheme of things,
probably not long term.
And then if you do get a reading, then what?
So it's just a lot of different things happening right now.
It's interesting times.
Yeah.
Yeah.
Yesterday I was speaking with someone who was one of the folks who was instrumental back when they were putting together HIPAA.
And he was saying that the folks he's been talking to when it comes to HIPAA right now, that with all this telemedicine things and, you know, the need to be flexible with the way that patients are being treated, that basically the folks who enforce HIPAA put out the word that, you know, we're not changing any of the regulations, but we are going to change enforcement. You know, we're not going to go after you for some of the things we would have gone after you for, given this extraordinary
situation. Absolutely. And, you know, you bring up telemedicine that has seen exponential
increases in the past couple of weeks due to the social isolation,
self-quarantine, and even some of the smaller practices where I can see this possibly becoming
an issue post-COVID-19 that aren't necessarily set up for telemedicine, but now are fielding phone calls from patients without the ability to really
verify who they're talking to on the other end. So I see a potential there for, you know,
exploit of medical information. And a lot of the, I guess, the independent practitioners don't have a lot of the security controls in place to verify, you know, who they're talking to is, in fact, the patient.
But then on the other end, what is the receptionist or the nurse doing with that information once they, you know, take it online?
Are they writing it down in a notepad?
You know, what's happening to the notepad. So it's just a lot of things that are happening due to the circumstances that we're in right now
that I don't think a lot of the current laws were really enforced with pandemic in mind.
This is our new normal for the, you know, for the next month or two. We really don't know. But just making sure
that the people who need data can get access to it without fear of being penalized by a regulator
needs to come into account going forward when these laws are crafted. And I'm a fan for a federal or national level privacy law
as long as it has some sort of, you know, oversight with private industry to help craft it.
The proper SMEs are in the room and it's not done in, you know, a bubble.
That's Terence Jackson from Thycotic.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Michael Sechrist.
He's the chief technologist at Booz Allen Hamilton.
Michael, it's great to have you back.
I wanted to touch today on some of the issues that are on your mind when it comes to the increase in convergence, when it comes to IT and OT and these transformations we're seeing
with OT itself. What sort of things can you share with us today? Hey, thanks for having me back.
So in terms of the OT, the rise of OT, I mean, this is something that's been on the radar
for many, many years. MITRE recently put out, obviously, the ICS or the Industrial Control
Security ATT&CK framework, which basically gives you kind of a lay of the land of how potential
attackers are going to use certain vectors to get into these kind of sensitive networks and
operational technology
environments. So we've got the OT as something that we're generally seeing clients wanting to
expand coverage for, that they make sure that that's kind of wrapped up in any contract or
sort of focus when we're not just kind of talking about IT operations, IT networks anymore. It's
really that convergence we're seeing on both sides and
making sure that when we're thinking about even ATT&CK frameworks and how we're looking at threats,
that we're looking at both IT and OT in addition to the other frameworks that are out there like
mobile. But OT is certainly something that we're seeing as one of the key ways that clients are coming for managed services.
Now, it's my perception, and tell me if this is correct, that sometimes there can be challenges
in getting those two sides of the house, the IT folks and the OT folks, to communicate effectively?
That's correct. When you think of OT, you think of almost, first off, you've got different
risk profiles, different risk tolerances on both sides of the equation in terms of IT
and OT.
And how we were talking before about COVID and about the kind of the infection and how
that kind of would affect connectivity and availability.
Availability is always an enormous
concern for operational technology. OT environments are extremely sensitive. They typically have fewer
remote access points, ways to enter that environment. And they keep it that way because
the availability, the needs are much, much higher. So when you think about an availability potential attack or some
sort of strain on availability in a network, it becomes very important as to how you're going to
continue to secure those environments in a way that also protects your employees.
You've got potentially, you know, when you think about even deploying a patch, a lot of times you might have to fly some in, some specialist from an OT vendor, and put them on site to actually physically go into the data center, physically go into some part of your production facilities and upgrade those devices.
limitations on travel these days, given the limitations now on essentially getting into these environments, can that be done? Do we have the employees? Are we willing to kind of put
someone at risk to do that patch upgrade and get on site these days? That's a much different
conversation and not one that can be taken just within the kind of CISO realm. Yeah. And I suppose
a real possibility that the availability of those folks, the number
of people who are available to do those things could become a challenge. Yeah, certainly. And
it's not just kind of a challenge to their essential well-being. It's a challenge just
even physically. Can I actually fly to the location? Can I actually get into the
office space today? Can I get into the sensitive part of the facility? You've got a lot of different
kind of mechanics and machinations that you didn't have prior that you do now under kind of like a
COVID-19 response. And you also have a sense of, you don't have a kind of a timeline as to the
duration you might have to do this or kind of the limitations as we move forward in this environment. I also
think about the difficulty of breach containment and of forensics. You know, doing these environments,
you cannot, if you have a potentially infected or suspicious, you have a kind of suspicions of an infection on
an OT device, there's likely no way you're going to be able to send that in the mail,
you know, to move that remotely to get, you know, evaluated from a forensics perspective.
And that's another challenge that CISOs should, that have to kind of consider today.
Yeah, it really is kind of a new reality as folks are recalibrating the various levels of risk that this brings.
Yeah, that's correct.
Ironically, we've seen some attackers realize the severity of their actions as well. It was interesting to see the Maze ransomware team offering discounts for decrypting previously infected devices through their ransomware, for trying to reach out and helping delete leaked data that the ransomware
had collected and not target medical organizations. So you've kind of seen at times a, a,
you know,
a change of heart,
even among attackers,
given kind of the severity of what we're seeing in the physical world,
which is,
you know,
it's a,
it's not necessarily a Hallmark movie story from attackers perspective,
but it is something that is slightly positive.
Right.
Right.
Yeah.
All right.
Well,
Michael Sechrist, as always,
thanks for joining us.
Thank you so much.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity
leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll
save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.