CyberWire Daily - Malware versus air-gapped systems. Ransomware against utilities and hospitals. Lessons for cybersecurity from the pandemic response. Outlaw blues.

Episode Date: May 15, 2020

More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back, maybe a step or two forward. Rob Lee from Dragos compares the state of ICS security around the world, and our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/95 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The U.S. Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact tracing technologies take a step back, maybe a step or two forward. Robert M. Lee surveys ICS security around the world. Our guest is Ian Pitt from LogMeIn with lessons learned while working remotely during COVID-19. And criminals increase ransomware attacks on hospitals and swap templates to impersonate government relief agencies.
Starting point is 00:02:33 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 15, 2020. Two more malware strains targeting air-gapped systems have joined the Ramsay malware ESET described Wednesday. Trend Micro has announced its discovery of USBFerry, a tool the Tropic Trooper threat actor is using against Philippine and Taiwanese military targets. Tropic Trooper, also known as KeyBoy, is probably a Chinese government unit. And Kaspersky has found COMpfun active against European diplomatic organizations. The researchers attribute it to the Turla APT, a Russian state-sponsored operation.
Starting point is 00:03:16 The functionality that gives all three tools the ability to work against air-gapped systems is neither particularly spooky nor exotic. It's the way they move malware and data between targeted systems and removable storage media. Eventually, somebody plugs something in. The British electrical utility, Elexon, yesterday disclosed that its internal IT systems and laptops had been affected by an unspecified cyber attack. ZDNet thinks it looks like a ransomware attack, perhaps enabled by
Starting point is 00:03:46 Alexon's use of an outdated and unpatched pulse-secure VPN. In any case, as The Guardian reports, the lights stay on. Transmission remains unaffected. Apparently, only business systems were affected. A quick note to avoid confusion on the part of American listeners. The British utility is Alexon, not as a few media reports have written, Exelon, which is an American power company and indeed the corporate parent of our own local Baltimore Gas and Electric. The U.S. Cyberspace Solarium Commission, whose report led with an introductory work of fiction that imagined Washington laid low by a massive cyber attack against infrastructure, the Capitol, reduced to a hellscape that could be safely viewed from no closer than Reston, sees lessons in preparation from the pandemic. The co-chairs of the commission, Senator Angus King, independent of Maine, and Representative Mike Gallagher, Republican from Wisconsin's 8th,
Starting point is 00:04:43 are ready to talk to Congress as the COVID-19 emergency begins to abate, and they hope, according to the Washington Post, that legislators get the lesson that it's important to prepare for a disaster before it hits. Senator King told the Post, quote, I think COVID has taken public attention away from cybersecurity, but for policymakers, it's underlined the importance of having a comprehensive strategy in place and really strengthen the case for the actions we recommend. We're in the middle of a crisis that has shaken people to say we can't go back to business as usual, end quote. And there are some signs that Congress may be willing to listen, at least a little. Two of the commission's recommendations, creation of a national lead
Starting point is 00:05:24 for cybersecurity in the White House with a significant budget and staff, and both planning and spelling out clearly the consequences adversaries will face should they mount a serious cyber attack against the U.S., appear to have gained traction with lawmakers over the past month. That second recommendation is reinforced by the emergence of a more hawkish consensus about China that's emerged during the pandemic. The Post quotes Representative Gallagher on both points.
Starting point is 00:05:52 Quote, You look back on the 9-11 Commission and you realize how much good work was being done before the attack, but it was all siloed at different agencies. We want someone who's in charge and coordinating efforts across the government, forcing discussions across agencies about different scenarios and how we can prepare for an attack. He also said, I think if nothing else, when the dust settles on coronavirus, it will harden the hawkish consensus on China and add energy to this effort to wean ourselves off our dependency on certain things produced in China. End quote. The Cyberspace Solarium Commission is expected to release, by the end of this month, a follow-on report summarizing the lessons it's drawn from the COVID-19 emergency.
Starting point is 00:06:41 The mild-looking Senator King seems an unlikely counterpart of the Thing from the Fantastic Four, but he appears to have adapted the Thing's battle cry to cyberspace. Put down them hankies, it's clobberin' time. At the end of a week in which British NHSX's contact tracing system faced skepticism about both its legality and its efficacy, NHS gets some good news from the pilot being conducted on the Isle of Wight. The Telegraph reports that more than half the people there with smartphones have downloaded the app. 50% has generally been regarded as representing the floor of adoption rates that might actually make a difference in controlling the spread of the disease. The Telegraph also has an overview of the various technical adjuncts to traditional quarantine
Starting point is 00:07:21 and contact tracing various nations have tried. The approaches fall on a spectrum between people's willingness to volunteer and intrusiveness. Bluetooth-based exposure notification to GPS-based movement tracking, thermal cameras in public places to nearly ubiquitous facial recognition surveillance, and so on. There are also questions about the amounts of public resistance to tracing and tracking authorities can expect. A Washington Post University of Maryland poll taken at the end of April concluded that most Americans would be either unable or unwilling to install contact tracing apps voluntarily, and if most of the non-compliant don't fall into the unwilling
Starting point is 00:08:01 category, then we don't know Arkansas. Finally, can we all agree that criminals don't in fact have the common good at heart? Still think there's public-spirited honor among thieves? Well, consider this. The Wall Street Journal reports that Europol has warned of criminals increasing the rate of ransomware attacks against hospitals providing urgent care during the pandemic. This is as economically rational as it is morally depraved. The hospitals are more needed than ever, and the reliability and availability of their data are more important than ever, which the criminals calculate will make them all the more likely to pay a hefty ransom.
Starting point is 00:08:40 The underworld is also paying attention to how it crafts its phish bait. Proofpoint has found a number of templates in circulation that help criminals craft more convincing spoofs of government messages, especially messages involving the emergency relief programs so many of those in economic trouble find themselves hoping to use for a leg up out of their difficulties. The templates are most often used in credential harvesting scams. Robin Hoods, honor among thieves, hooey, as Woody Woodpecker would say, and Woody Woodpecker knows.
Starting point is 00:09:26 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:05 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:10:37 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:11:26 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. My guest today is Ian Pitt, Chief Information Officer and Senior Vice President at LogMeIn. He brings us insights on what folks in the password management and authentication business have learned during this global shift toward working remotely during COVID-19. Yeah, as the CIO for a global company that also does collaboration tools, I get to look at two sides of the situation, both getting 4,000 people home in a company that had a heavy office dependency, but also set up to work from home
Starting point is 00:12:15 periodically to actually move people back full time, and then keeping the lights on for millions of our customers. Looking at both sides of the coin, we've got our own internal team members of which that's 4,000 people around the world and then millions of our customers. So the initial focus was absolutely to get all the team members in a spot where they were safe, isolated, adhering to any state or local regulations, making sure that they could help keep the company afloat because we're also supporting millions of external customers and if our team members aren't healthy then that's going to detract from the external crowd. So very quickly we had to move the remaining of the 4,000 people, get them set up, give them guidance on what to take with them and how to set themselves up at home and help them
Starting point is 00:13:03 in that transition. After that, then we started looking at the production capacity, and it became clear that many other customers were doing exactly the same as us, and our traffic went off the charts. We had to stand up additional capacity in a very short space of time to make sure we were offering a quality service to people around the world. It seems as though we're in for perhaps another few months of this ahead of us. Do you have any tips or advice for folks in terms of keeping vigilant throughout this? Yeah, there's a whole bunch of standard things people should be doing anyway, but perhaps it's always good to remind them.
Starting point is 00:13:44 And that's looking at security as being multi-level, from the devices you're using to your home network. Some people have gone out and bought new routers, new firewalls to get ready for the long haul. It wouldn't be unheard of for people to forget to change those passwords, either on the network access or the device itself. So we do constantly remind people that no matter what your stance is in the office, you have to take it to the next level at home. So password quality, make sure your devices are secure, make sure you don't have people eavesdropping.
Starting point is 00:14:20 A challenge can be in high-density populations. There's always people looking to ride on top of existing traffic. And so make sure that your encryption keys are nice and strong. What about tracking the emotional component of this? You know, I think it's realistic and reasonable to expect that everyone might not be at their best, which means that they might not be capable of being as vigilant as they would otherwise be. How do you integrate that reality into an organization as large as yours? We got the technology under control pretty quickly based on what we do as a company, which gave us the opportunity to actually start looking at people's well-being. And to be honest, most of our conversations now with HR, our chief of staff, our general counsel, myself, the group of people that we formed for a business continuity program,
Starting point is 00:15:16 spend a lot of time thinking about the well-being of the team members. In terms of keeping everyone sharp, it comes down to encouraging people to actually step away from the desk periodically it's too easy when you're sitting at home to get to your desk at seven in the morning and start working and all of a sudden the sun's gone down again at the other end of the day we are making sure that people actually step away either for an hour actually sit down take coffee somewhere, sit down with your family, have a real lunch rather than just on the go.
Starting point is 00:15:49 And the company is also encouraging people just to have a complete downtime day. No laptops, no computers. And we're finding that is starting to really work wonders with the team. And I think it's important for other companies to do the same. Otherwise,
Starting point is 00:16:09 the team members are going to get burned out. And that's where errors come in. And that's where the bad guys get an edge into the organization. That's Ian Pitt from LogMeIn. Don't forget, you can catch an extended version of our interview when you sign up for CyberWire Pro. You can do that on our website. And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I wanted to get your insights on the state of ICS security around the world. In other words, as we travel around the world to different nations, to different continents, how much variability is there when it comes to different organizations
Starting point is 00:17:35 and their ability, the state of things, their ability to defend themselves? Where do we stand? Yeah, oh man, asking the question right out front, we're like, Rob, would you like to make angry all the people around the world that are about to be called number two? Yeah, great, great, thanks man. I would appreciate these softball questions.
Starting point is 00:17:53 I'm here for you. Yeah, absolutely. Here's my candid point of view. And I mean this with all due respect. I feel like Ricky Bobby. All due respect to all those that are about to get upset. But here is my perception and experience with different industries and different geos.
Starting point is 00:18:10 And I do think it's important to also break out the different industries in ICS across those different geos. So here's how I kind of view it. I view there to be kind of this waterfall where there's the leading and then there's a little bit behind per industry and then there's the leading and a little bit behind per geo,
Starting point is 00:18:27 and they kind of overlap nicely. So when I look at who is the most mature ICS industry NGO overall, I would say the electric sector of the United States. They've had very significant regulations for years, which regulation is not security, but it's put a lot of focus on it since 2005 timeframe, 2004 timeframe when you had the major incidents and looking at being able to take security a little bit more seriously. And I think even the White House was communicating to the sector, PDD 63 back in 1998, like, hey,
Starting point is 00:19:02 you got to get ahead of this. Electric sector, United States by far. The thing I will say about that, though, and this is true for everybody, is the status of the industry today was essentially doing the IT security controls that made sense, or I don't know if it makes sense, but didn't break the ICS over in the operations environment. So the status of everyone around the world has been, copy and paste the IT security controls out of frameworks, GRC, standards, regulation, et cetera, and use them in operations.
Starting point is 00:19:37 And that was good, and we were all doing the right thing with what we understood of the threats. These last couple of years, we have had an increasingly keen understanding of how the threats operate in the industrial networks. And the IT security controls don't work in the same way. And many of them aren't effective against the techniques we see. So I would say we're all behind the curve,
Starting point is 00:20:02 but not because people have been doing things inappropriately. It's just because we now know more and now we understand the next phase of challenges we have. So that being said, I would say the industry-wise, I generally see electric in number one. Oil and gas kind of comes in number two in most places. After that, I would actually say probably more along the lines of like rail would be there, which is kind of surprising, I think. A lot of people don't think about rail as ICS in general, but they have tons of it,
Starting point is 00:20:33 and they are starting to take it more seriously. After that, probably food and beverage manufacturing, getting into probably below that other types of manufacturing. Below that, probably organizations like mining. Below that, you start to get into your other types of operations environments. Just as a general, we don't have enough data and there's a lot of stuff going on like water and similar.
Starting point is 00:20:58 We know that there's not a ton going on, but it's also not too fair to critique it because we don't have a lot of the same insights that we have in the same other industries. That's kind of the flow of the industries. Now there are individual companies that have by and far blown past that. So it's not saying every company is the same, but just as a general industry.
Starting point is 00:21:20 I think that there's something to be said about the community in each one of those industries and being connected together. On geos, so take that waterfall of industries and apply it to every geo. I would say North America, especially in the US, this is a very American thing for me to say anyways, but your US industry is definitely forward-leaning and trying to take things as seriously as they can. So that's the first one.
Starting point is 00:21:39 I would say the second is, and it's hard to go regions now, it's probably more appropriate to go countries, but I would say the second is some of the countries in the GCC or the Gulf Coast countries, they're very keenly aware of the risks and they're trying to take it very seriously as well. So they're trying to put a lot of focus on it. Then probably after that might be Australia.
Starting point is 00:22:03 And then after Australia, I would think some countries in Europe, but not Europe overall. Then there are some countries in Asia, like Singapore, is trying to do a lot around this topic. And they've talked broadly about having an OT security strategy for the country and published that document. And then everybody trickles after that. Now I think the surprising thing there is people would normally expect it to be
Starting point is 00:22:26 U.S., then Europe, then kind of everybody else. And it's just not. I think it's U.S., some countries in GCC, Australia, some countries in Europe, the rest of the countries in GCC, the rest of the countries in Europe, and then kind of everybody else. You are either in a country that, and this is so biased by the way, but just here's my two cents. You're either in a country that, and this is so biased by the way, but just here's my two cents. You're either in a country that has an intelligence community
Starting point is 00:22:48 that has focused on this for decades. So this would be like your Five Eyes countries, like Canada, UK, US, Australia, New Zealand. And so they had a lot of people that kind of understood the challenge and then moved into private sector and brought with them some of that expertise. Or you were getting punched in the face a lot. And you look at the GCC, they know who their adversaries are. And so they're developing this keen expertise, and they have more opportunity to develop
Starting point is 00:23:16 expertise than probably any other country in the world right now. And so I see some of those countries and some of those companies in those countries rising to the occasion. Then there's kind of everyone else going, well, how much does this impact us? What is the real risk? I visit with a number of European companies, like, ah, we just really care about resiliency. Who cares about the threat? And it's like, dude, do you know you're really close to Ukraine?
Starting point is 00:23:36 And that's where a lot of this is happening. And I think it's that kind of, hey guys, you need to take it seriously. And in some of those countries, they understand the impacts and the threats and can name them and take it very, very seriously. As always, interesting insights. Thanks for sharing them. Robert M. Lee, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Starting point is 00:24:21 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:25:32 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
