CyberWire Daily - MediSecure data breach hits Aussie healthcare.
Episode Date: May 17, 2024
Australia warns of a large-scale ransomware data breach. The justice department charges five with helping North Korean IT workers evade sanctions. The FCC wants to beef up BGP. Antidot is a new Android banking trojan. The SEC enhances disclosure obligations. Researchers uncover vulnerabilities in GE ultrasound devices. A Baltimore neo-nazi pleads guilty to conspiring to take down an electrical grid. On our Solution Spotlight: N2K’s Simone Petrella speaks with Alicja Cade, Director in Google Cloud's Office of the CISO, about the CISO role, board communication, and cyber workforce development. “Tanks” for the warm water, but you can keep the vulnerabilities.
Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On our Solution Spotlight: N2K’s Simone Petrella speaks with Alicja Cade, Director in Google Cloud's Office of the CISO, about the CISO role, board communication, and cyber workforce development. Simone and Alicja spoke at the 2024 RSA Conference.
Selected Reading
Australian government warns of 'large-scale ransomware data breach' (The Record)
US exposes scheme enabling North Korean IT workers to bypass sanctions (Help Net Security)
FCC proposes BGP security measures (Network World)
BGP: What is border gateway protocol, and how does it work? (Network World)
New 'Antidot' Android Trojan Allows Cybercriminals to Hack Devices, Steal Data (SecurityWeek)
SEC beefs up data privacy rules (Investment Executive)
GE Ultrasound Gear Riddled With Bugs, Open to Ransomware & Data Theft (DarkReading)
Baltimore County woman pleads guilty to conspiring with neo-Nazi leader to attack energy grid (The Baltimore Banner)
How I upgraded my water heater and discovered how bad smart home security can be (Ars Technica)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Australia warns of a large-scale ransomware data breach.
The Justice Department charges five with helping North Korean IT workers evade sanctions.
The FCC wants to beef up BGP.
Antidot is a new Android banking trojan.
The SEC enhances disclosure obligations.
Researchers uncover vulnerabilities in GE ultrasound devices.
A Baltimore neo-Nazi pleads guilty to conspiring to take down an electrical grid.
On our Solution Spotlight, N2K's Simone Petrella speaks with Alicja Cade, director in Google Cloud's Office of the CISO, about the CISO role, board communication, and cyber workforce development.
And tanks for the warm water, but you can keep the vulnerabilities.
It's Friday, May 17th, 2024.
I'm Dave Bittner, and I'm back with your CyberWire Intel briefing.
Thanks for joining us here today. Happy Friday. It is great to have you with us.
The Australian government has issued a warning about a large-scale ransomware data breach impacting healthcare data disclosed by prescription company MediSecure. The breach,
affecting personal and health information, is believed to have originated from a third-party
vendor. MediSecure emphasized transparency and promised updates on its website. This incident
recalls the October 2022 ransomware attack on Medibank, which led to the publication of
sensitive healthcare data for 480,000 individuals on the dark web, prompting significant cybersecurity reforms
in Australia. The National Cybersecurity Coordinator and the Federal Police are
investigating the MediSecure breach, with limited details currently available.
Cybersecurity Minister Clare O'Neil confirmed she had been briefed and stressed the importance
of avoiding speculation to support the ongoing response efforts.
The U.S. Justice Department has charged a U.S. woman and a Ukrainian man, along with three unidentified foreign nationals,
for helping North Korean IT workers secure remote jobs at U.S. companies using false identities.
This scheme involved defrauding over 300 companies,
including several Fortune 500 firms,
by using U.S. payment platforms and proxies
to disguise the workers' locations.
The operation generated at least $6.8 million
for North Korea from October 2020 through 2023.
The U.S. State Department is offering up to $5 million
for information disrupting the financial mechanisms
supporting North Korea
or identifying the three foreign nationals involved.
The FBI has also issued a warning
to help companies avoid hiring North Korean IT workers
posing as freelancers.
FCC Chairwoman Jessica Rosenworcel proposed requiring
ISPs to submit confidential reports on securing the Border Gateway Protocol, BGP, a critical
internet routing system. The proposal aims to protect against national security threats by
bad actors exploiting BGP vulnerabilities. The FCC's interest
in BGP security heightened in 2022 due to threats from Russian hackers. BGP hijacks can lead to data
theft, extortion, espionage, and disrupted transactions. The proposal includes implementing route origin validation and RPKI to ensure route legitimacy.
Major ISPs would need to develop and report BGP security plans and submit public quarterly progress updates.
The FCC will vote on this proposal in June.
Experts say enhancing BGP security is crucial for national security, communication, and commerce.
Threat intelligence firm Cyble has identified a new Android banking trojan, Antidot,
which steals user credentials and conversations while also spying on them.
Disguised as a Google Play update, Antidot uses overlay attacks to collect credentials.
Its capabilities include remote control via VNC, keylogging, screen recording, forwarding calls,
collecting contacts and SMS messages, and performing USSD requests.
The malware tricks users into granting permissions by displaying a fake Google Play update page
in their language. Antidot then communicates with a command and control server to execute
various tasks like unlocking devices, making calls, and initiating VNC to control the device.
It uses WebView to show phishing pages and capture credentials through overlay attacks,
targeting banking and cryptocurrency apps.
Cyble highlights Antidot's advanced features and stealthy operations aimed at evading detection.
The SEC has unanimously adopted new rules to enhance financial firms' obligations to warn investors about privacy breaches.
Updating regulations from 2000,
the amendments require broker-dealers, investment companies, registered advisors, and transfer agents to develop policies for detecting, responding to, and recovering from data breaches.
Firms must now notify customers if their personal information has likely been exposed.
SEC Chair Gary Gensler emphasized the need for these updates to protect investors' financial data. The rule changes take effect 60 days after publication, with larger firms having 18 months and smaller firms 24 months to comply.
Researchers from Nozomi Networks discovered 11 security vulnerabilities in GE Healthcare's Vivid Ultrasound products and two related software programs, with severities
ranging from 5.7 to 9.6 on the CVSS scale. Issues include missing encryption and hard-coded
credentials. Some vulnerabilities could lead to remote code execution with full privileges,
though the most severe cases require physical access, which reduces risk.
However, physical access is feasible in hospitals and clinics.
For instance, the Vivid T9 system's GUI could be bypassed to gain administrative privileges and execute arbitrary code,
while the EchoPack software could be compromised using hard-coded credentials.
Patches and mitigations are available on GE Healthcare's product security portal.
Sarah Beth Clendaniel, age 36, pleaded guilty to conspiring with neo-Nazi leader Brandon Russell to destroy electrical substations around Baltimore, aiming to cause massive destruction.
Clendaniel, who planned the attack with Russell, called it a plot that would completely lay this city to waste.
She admitted to charges of conspiracy to damage an energy facility and illegal firearm possession.
The government will recommend a sentence of up to 18 years.
The FBI described Russell's group, Atomwaffen Division,
as a racially motivated extremist organization.
Clendaniel, who has a terminal illness,
sought to target five substations to create a cascading power failure.
Authorities found firearms and ammunition at her home,
despite her being prohibited from possessing them
due to past felony convictions.
Russell's trial is set for July 9th.
Coming up after the break, our own Simone Petrella speaks with Alicja
Cade, Director in Google Cloud's
Office of the CISO, talking about
the CISO role, board communication
and cyber workforce development.
Stay with us.
We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools.
And a spa. And endless snacks. Yes, yes, yes. With savings of up to 40% on Transat South packages,
it's easy to say so long to winter. Visit Transat.com or contact your Marlin travel
professional for details. Conditions apply. Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Simone Petrella is our N2K CyberWire president,
and at the recent RSA conference in San Francisco,
she caught up with Alicja Cade,
director in Google Cloud's Office of the CISO.
Here's their conversation.
Thank you for joining, Alicja. It's so good to have you.
Thank you for having me.
How's the conference going for you so far?
It's been busy, as always.
It's my fourth time I've been here as a CISO, as a consultant, and now, of course, as a Google Cloud representation. Well, I feel like Google Cloud is
everywhere, so literally and figuratively, so well done. Now, I know one of the things from
your background, and you have been on the industry side, you've been on the vendor side. And I know one of the things that you have focused a lot on is how, you know,
CISOs in today's world can really, what are some of those challenges that they're facing?
And what are some of the things you're learning or you're kind of in the conversations
that you're having with colleagues today?
What's some of your advice to those CISOs?
I think definitely CISO's role has always been seen for quite some time,
although it's a relatively new profession, right?
It has been seen as 24 by 7,
has been seen especially in regulated sectors
and the regulatory focus, very much so,
and has been seen as a distributed,
let's say, an owner of a very distributed risk
because cyber risk is present throughout the business.
It's people, technology and processes, of course.
And that risk is very often actually owned
by the business divisions, by CIOs and CTOs, and yet the CISOs are accountable
for it. So it's also a role where you have to have great relationships, robust relationships
within the business, and the role, the success of which really depends on those relationships,
but also, therefore, on the culture within the company.
So lots of pressures from being technical experts, of course,
and making sure that your technology, security technology,
is robust and helps you and processes as well and skilled team.
And it helps you detect the risk, of course, and address the risk proactively.
And on the other hand, relationship experts as well.
And my advice to CISOs would be to make sure
that you do focus on those relationships as well.
You probably have a very capable team.
You probably have tools, and as we can see in RSA,
there's plenty of tools and shiny toys available.
But think about the business.
Think about building relationships
with your board members as well
who will help you drive the right security culture.
And think about before we buy all these tools,
and maybe that's also for the CIOs and CTOs,
that we think about the business strategy.
How can they help us actually achieve the business strategy,
our goals, and let's think about organization
and then perhaps technology.
That's a theme that I've heard over the last few years.
And I grew up in the cybersecurity industry myself.
And with everyone that wanted to find a technical solution
and as the CISO role has gotten elevated,
the last couple of years,
we've finally started to focus on this notion
that being a CISO is you have to be as connected
to the context of the business that you're in
as much as you are just protecting any asset
or any attack surface from cybersecurity threats.
And that business context,
I think is something that
is new to a lot of folks in these leadership roles who have maybe grown up in more of the
technical tracks of cybersecurity. Absolutely. And I think that context,
the need for that context becomes very pronounced, I think, when the companies
embark on digital transformation journey,
because that's where it comes out.
What are we trying to achieve here?
And if we're not focused on strategy,
and if CISO doesn't also think about that strategy,
perhaps the solutions, cybersecurity solutions implemented,
or even take it broader from the CIO perspective,
technology solutions implemented won't be relevant.
Right.
It will be kind of lift and shift mode and back to square one.
And the other context when it comes up
is, of course, in a touchwood incident situation.
To be really ready for the business to respond to cyber incidents,
there is, of course, capability of the cybersecurity teams
that's needed, but also the business has to be ready.
People need to know how to operate when the system is out
because your cybersecurity will focus on that resolution.
But the business representatives and operations
need to know how to operate without.
And for how long can we survive without?
So that connectivity is very, very necessary to the successful recovery.
Yeah. And you mentioned earlier about, you know, you come in and it's really about people, process and technology.
But we're at this expo, we're at this conference that has so many shiny new tools and toys.
I have always felt, tell me if you disagree,
that we over-index on the technology a lot of times
and we kind of neglect some of the process,
but particularly the people.
Is that something that you have found throughout your career
or do you think we're doing an okay job?
I always said throughout my career
that I'm a bit of a jam in the sandwich.
I like that, I'm going to use that.
Technology layer, and jam comes from the UK, of course.
There is the technology layer,
and of course there's the business layer,
and you do have to gel that.
Yes, we are in this context in the RSA, right?
It's a huge market of technology solutions. But I think what's
really uplifting, you also see solutions which help to understand the risk. You know, there is
a goal somewhere in there in making sure people have, the companies have better visibility of
the surface. And it's also interesting because some of those solutions,
of course, they focus on cybersecurity,
but perhaps can be then taken the ideas
and kind of applied to the broader operational risk perspective as well.
So maybe there is also that trend.
And I think as, you know, the years have progressed
since my kind of beginning of my CISO career,
there is a
bigger interest from the boards and from the business as well on really understanding the
cyber risk, especially with technological progress, right?
The cloud and also with AI as well.
No longer people, the organization sees it as a black box.
They really want to understand what are the right questions to ask
to understand the risk as well.
Yeah, what recommendations or what advice would you give
for CISOs who are now having to present
and are finding themselves in front of the board
more than they had in the past?
And sometimes the board doesn't know
what questions to ask yet.
And so we kind of put ourselves in this disconnect
where we want to show them we're doing great things,
but we don't want their eyes to glaze over
when they look at a stoplight chart
full of all these metrics and controls
that mean nothing to them.
Like, what's the balance?
So interesting you ask that
because we've been driving
what we call the Board Insights Initiative.
We have a Board Insights Hub
where we publish
three times a year board perspective and we interview board members as well
and CISOs to get their views on that board CISO
interactions. And I would say that there isn't
this holy grail of the best ever CISO metrics report
that you can bring to the board.
I think what is important is that
the boards understand CISOs
and the CISOs understand boards.
And it's not about show and
tell meeting, one-off meeting.
It's about building relationships
with each other. So the biggest
recommendation for
both parties would be really connect. Connect outside
of the meeting. Get to know each other. Get to know in an open way of the challenges from the
CISO perspective and also what are the concerns of the board members because then the conversation
in the board meeting will be completely different. It won't be about that PowerPoint slide and those numbers.
It will start from a different foot of the understanding.
Yeah.
It all comes down to human relationships.
We can have so many tools or so many metrics.
Absolutely.
Yeah, you got to build that relationship with the business.
Well, Alicja, thank you so much for joining us today.
I hope you enjoy the rest of the week.
And I guess if there are any other questions,
is there anything else that you wanted to chat about,
either what you're doing with Google Cloud,
some initiatives you're excited about,
anything on that front?
Definitely part of my job, of course,
it's financial services and the engagement
with the financial services CISOs.
But more broadly, I also drive the CISO advocacy for Google Cloud.
So we engage with all CISOs, whether they are our customers or not,
and we're building the community
because I also think that in this tough job climate,
it's so important that there is the information sharing
between the CISOs.
There is that platform where peers to peers can share experience.
And whether this is through the community, let's say, events and connecting points, but also through collaboration through sector organizations.
So we really appreciate and deeply engage with ISACs.
And for example, we were one of the first critical service providers to join financial security ISACs.
So really proud of the fact that now as a next CISO, I can be connecting with CISOs and making sure that we all lift the burden and the cyber risk profile of the sectors.
Yeah, incredible.
Well, thank you so much for sharing.
Appreciate your time and enjoy the rest of your week.
Thank you so much.
Great to meet you.
Thank you.
That's N2K CyberWire's Simone Petrella
speaking with Alicja Cade from Google Cloud.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, our home automation desk shares a story about a homeowner's quest for hot water
that took an unexpected turn. When Ars Technica senior technology reporter Kevin Purdy and his
wife moved into a new house, they found a Rinnai tankless water heater installed. These heaters
are energy efficient, but take their sweet time to deliver hot water.
One day, while trying to solve the issue of slow hot water, he discovered a Wi-Fi module
magnetically stuck to the back of the heater. Installing the module, he found he could control
the heater with an app, triggering the recirculation feature to get hot water faster.
This seemed like a win, but the app was clunky and required him to pull out his phone every time he wanted hot water.
Being a home automation enthusiast,
he dug deeper and found an unofficial Rinnai component that allowed for more advanced control.
He could now set the heater to recirculate on a schedule triggered by various conditions.
Everything was working great until he discovered a serious security flaw in the system.
Turns out, with just an email address, anyone could control the water heater. This meant a
bad actor could potentially make the water scalding hot or continuously recirculate, wasting energy and water.
He collaborated with other tech enthusiasts to verify the issue and prepared a security advisory
for Rinnai. Despite the serious nature of the flaw, the company was slow to respond.
Eventually, Rinnai updated their authentication system and released a new app, but the experience left Kevin Purdy wary
of relying too heavily on smart devices. Throughout this process, he realized the
challenges of DIY tech solutions. Companies might issue DMCA notices or legal threats against those
who create unofficial integrations, even if they improve functionality. He also found a supportive community of like-minded individuals
who shared his passion for smarter, more efficient home automation.
In the end, he successfully automated his water heater
using open-source tools and a bit of ingenuity.
Now he enjoys hot water on demand without the hassle of waiting.
It was a winding journey filled with surprises,
but it ended with a warm and satisfying result.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
After reporting on
the international law enforcement takedown of BreachForums yesterday, we have a special edition
podcast this weekend about the 10th anniversary of the first indictment against the PLA. It features
my conversation with Dave Hickton, the former U.S. attorney who signed that indictment. Watch for it
on your Cyber Wire Daily podcast feed this Sunday.
Be sure to check out this weekend's Research Saturday
and my conversation with Hossein Yavarzadeh
from the University of California, San Diego.
We're discussing his work on Pathfinder,
high-resolution control flow attacks exploiting the conditional branch predictor.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your podcast app. Please also fill out the survey in the show
notes or send an email to cyberwire at n2k.com. We're privileged that
N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in
the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was
produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot
Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.