CyberWire Daily - Naval Gazing around the South China Sea, and other disinformation. LokiBot is back in a big way. Darknet merchants busted. Cyber rioting along the Blue Nile.
Episode Date: September 23, 2020
Facebook takes down coordinated inauthenticity. A ransomware-involved death is attributed to DoppelPaymer. CISA and the FBI warn of coming election disinformation. LokiBot is back in a big way. Operation DisrupTor collars a hundred-seventy Darknet contraband merchants. Joe Carrigan comments on the botched ransomware attack in Germany that led to a woman's death. Our guest is Matt Davey from 1Password on why single sign-on isn't a silver bullet for enterprise security. And patriotic hacktivism flares along the Blue Nile. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/185
Transcript
You're listening to the CyberWire Network, powered by N2K.
Facebook takes down coordinated inauthenticity.
A ransomware-involved death is attributed to DoppelPaymer.
CISA and the FBI warn of coming election disinformation.
LokiBot is back in a big way.
Operation DisrupTor collars 170 darknet contraband merchants.
Joe Carrigan comments on that botched ransomware attack in Germany that led to a woman's death.
Our guest is Matt Davey from 1Password on why single sign-on isn't a silver bullet for enterprise security
and patriotic hacktivism flares along the Blue Nile.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 23, 2020.
Facebook has taken down a Chinese disinformation network that sought to engage public opinion in the U.S. and even more so in the Philippines.
They also took down a Philippine-based network that may have some connection to the government in Manila.
Facebook describes the takedowns as involving 155 Facebook accounts, 11 pages, 9 groups, and 7 Instagram accounts connected to the Chinese activity, and 57 accounts, 31 pages, and 20 Instagram accounts for the activity in the Philippines.
Graphika calls the Chinese campaign Operation Naval Gazing,
and that's N-A-V-A-L like the Academy in Annapolis,
because it has to do with navies
and supporting Beijing's expansive territorial claims
in the South China Sea.
The campaign is noteworthy for its use of AI
to generate photos for account profiles.
Expect to see more of this in future inauthenticity.
It's also worth noting that while the provenance
of Operation Naval Gazing
seems clearly to have been Chinese,
the precise connection to the government in Beijing remains obscure.
The Aachener Zeitung reports that investigators have identified the ransomware implicated in a woman's death in Nordrhein-Westfalen. It was DoppelPaymer.
The victim died when University Hospital Düsseldorf had to divert her ambulance to another facility because its own admission systems had been rendered unavailable. Newsweek observes that DoppelPaymer, a fork of Evil Corp's BitPaymer ransomware, is associated with the Russian cyber underworld, and German prosecutors are accordingly looking east.
Their investigation is focused on negligent homicide,
and to make that case, the prosecutors will have to establish
that the woman had a chance of survival had she been treated in Düsseldorf.
That's not yet known.
The DoppelPaymer infestation is said to have affected 30 servers at the hospital and to have gained entrance months ago, possibly in late 2019, by exploiting a now-patched Citrix VPN vulnerability.
It appears that the gang's target may have been the Heinrich Heine University itself and not the university's hospital.
The ransom note was addressed to the university.
The New York Times says Düsseldorf police responded to the gang's ransom note to explain that they'd hit a hospital. At that point, the attackers stopped the attack and turned over a decryption key and then stopped responding.
Much about the story remains unclear. The pattern in hospitals affected by ransomware
has been they've found workarounds to continue
emergency services even when admin systems and medical records were down, and that they've
deferred elective and non-urgent care. But so many critical systems are now networked that a
comprehensive enough crash might cause so much confusion and chaos that a hospital might go on
diversion, with emergency responders told to divert patients to other facilities.
It may be that something along those lines went on in Düsseldorf.
Presumably more information will become available as the story develops.
CISA and the FBI warn that foreign disinformation can be expected to call results of U.S. elections into question.
The alert's central
point involved the likelihood of foreign espionage services seeking to use any delays in counting or
certifying votes as an opportunity to instill doubt. The agencies warn, quote, state and local
officials typically require several days to weeks to certify elections' final results in order to ensure every
legally cast vote is accurately counted. The increased use of mail-in ballots due to COVID-19
protocols could leave officials with incomplete results on election night. Foreign actors and
cybercriminals could exploit the time required to certify and announce elections' results
by disseminating disinformation that includes reports of voter suppression,
cyberattacks targeting election infrastructure, voter or ballot fraud,
and other problems intended to convince the public of the election's illegitimacy.
CISA has also warned of a resurgence in information-stealing LokiBot.
The current surge began in July.
LokiBot uses a keylogger for credential theft
and for extracting other information from affected desktops.
It can also be used to install a backdoor that can be used for further attacks.
The malware affects Windows and Android systems.
It's commonly distributed by phishing, smishing, or water-holing attacks.
The U.S. Justice Department yesterday announced the success of Operation Disruptor,
an international dragnet that's collared 170 darknet contraband merchants who'd been hawking their wares in such disreputable souks as AlphaBay, Dream, Wall Street, Nightmare, Empire, White House, Deep Sea, and Dark Market.
119 arrests were made in the United States, with two more made in Canada on American warrants.
42 people were arrested in Germany, eight in the Netherlands, four in the United Kingdom,
three in Austria, and one in Sweden. The lead law enforcement agencies were the U.S. Federal
Bureau of Investigation and
Europol, but it was a big multinational operation. The individual agencies are too numerous to
mention, but they included organizations in Austria, Cyprus, Germany, Canada, Portugal,
the Netherlands, Sweden, the United Kingdom, and Australia. The operation was called Disrupt Tor, as we noted, and that is a pun, Disrupt Tor.
Tor, of course, is not necessarily or even typically nefarious, but one effect of this
enforcement action is to disabuse criminals of the notion that Tor is a kind of safe haven or
cloak of invisibility. So the Justice Department press release is not so much a word to the wise as it
is a word to the wise guys. And finally, lest anyone forget that regional rivalries can be
as serious as great power competition and far more hair-triggered, Foreign Policy reminds us
that Egypt and Ethiopia are engaged in a protracted squabble over Nile water rights that's being fought so far
largely in cyberspace. The foot soldiers of this conflict are largely patriotic hacktivists,
so the confrontation may be closer to cyber riot than cyber war. The dispute between the two
countries centers on the Grand Ethiopian Renaissance Dam, which Ethiopia sees as a key development of national infrastructure and Egypt sees as a threat to its own water supply and its ancient connection to the Nile River.
Cyber attacks began in late June with Egyptian hacktivists of the Cyber Horus group
taking down and defacing a number of Ethiopian government websites.
Ethiopian social media influencers followed with taunting
as the reservoir began filling in July. While the ongoing exchanges in cyberspace don't appear to
have been government-directed, that could change. Government action may be difficult to discern.
Both Cairo and Addis Ababa have shown some ability to co-opt or inspire hacktivism,
and both can be expected to remain interested
in achieving and maintaining plausible deniability.
1Password recently released results of a survey looking at single sign-on and shadow IT,
highlighting apps being used within an organization that fall outside of the scope of single sign-on.
Matt Davey is chief experience optimist at 1Password.
The creation of a bunch of these reports always starts around kind of us trying to tell a story about the current situation.
And I think what it always turns into is us finding something really interesting and new that we hadn't expected.
So with this one, for example, it was all around the time
and how IT professionals are spending their time,
especially in the identity and access management area,
and what those people spend their time doing.
How we as a password manager can help with that as well.
Well, lay it out for us.
What's the reality here that folks out there are dealing with?
There were some good points and some bad points.
What we looked at is over the course of a year,
people actually spend a full month of work
on tasks that are repetitive and mundane.
You know, resetting passwords is a huge time suck for these people.
This impacts kind of productivity and everything.
It can't be a nice thing, really.
It also looked at things like shadow IT
and how working from home has impacted that as well.
When it comes to resetting passwords,
is that something that people are hesitant to automate
because of the security implications there?
I think there's a bunch of reasons
why you wouldn't want to install any extra thing
that can go wrong in that process.
I think really just having an underlying solution for that.
And we believe that that's an enterprise password manager.
There's one thing of telling someone
to remember a password
and then having to reset it every month.
And then there's another thing of, you know,
being able to trust that person with their own security.
Well, let's go through some of the other details
that you all discovered here.
What were some of the interesting things
that stood out to you?
So, as I mentioned, there are good points to this as well.
Prior to conducting our research, we actually feared that people would be more relaxed at
home and more likely to slip up on kind of normal security behavior.
But we were really pleasantly surprised to find out that only 20% of workers don't follow
the company's security policy.
And we asked that kind of at all times.
You know, with that 20%, it doesn't come from a place of malice.
Actually, 49% of people cite productivity
as their top reason for circumventing IT's rules.
I know I have been guilty of that at times.
And I'm sure a lot of people have as well.
You know, always in the kind of air of I just need it done now rather than reviewed.
But yeah, I think we can get around that.
Not with, oh, I just need it now.
But, you know, I understand the process and I understand how long it will take.
That's Matt Davey from 1Password.
And joining me once again is Joe Carrigan.
He is from the Johns Hopkins University Information Security Institute,
but perhaps more important than that,
he is my co-host over on the Hacking Humans podcast.
Joe, it's great to have you back.
Hi, Dave.
Got an interesting, well, this is commentary by a friend of the show, Graham Cluley, who most of you probably know from Smashing Security
and his writing on cybersecurity issues.
He's commenting on a story that the Associated Press published.
The title of his article is Hospital Patient Dies Following Botched Ransomware Attack.
What's going on here, Joe?
So apparently what happened is these cyber criminals targeted Heinrich Heine University.
And instead of getting their ransomware into Heinrich Heine, they got their ransomware into Düsseldorf University Clinic, which is affiliated with Heinrich Heine University, but it is not the same thing. And as a result, 30 servers at the clinic were encrypted, and the hospital began diverting patients, emergency patients, to other hospitals.
And one of those patients was diverted to a hospital that was 20 miles away, and she did not survive, according to this.
And that time could have made a difference.
Absolutely, that time could have made a difference.
Now, funny that this is from Graham Cluley because about a year ago, Graham Cluley sat in on the show for me because I had a very similar event with my wife where she was taken to the hospital. And if she
was not in the hospital when what happened happened, she would not have survived. And
if she was redirected to a different hospital, or if we were in an area where a hospital is not as
close as one is to our house, she probably would not have survived this incident. This is, these cyber criminals have murdered this woman, in my opinion. The police contacted
the cyber criminals and said, your ransomware has gone into a hospital, not into a university,
at which point in time, the cyber criminals said, oh, here are the keys, bye. And that was it.
Right, right. They must be, they must be wetting themselves.
Oh, crap. Yeah.
I don't know if the cyber criminals know that they killed somebody, but the German police are investigating the hackers on suspicion of, quote, negligent manslaughter. So absolute unintended consequences, something that got out of hand.
Yep. Obviously, they didn't set out to cause anyone's death.
Right.
You know, by direct or indirect action,
but that's what happened.
Absolutely.
I wonder too, Joe, I mean,
what are your thoughts on this?
Because obviously, you work at Johns Hopkins University.
Absolutely.
Which Johns Hopkins is also a highly respected hospital.
It is.
So this sort of thing, I could imagine happening to your home organization.
Yeah.
People try to do it every single day.
We have one person who is in charge of the information security for all the organizations outside of the Applied Physics Laboratory.
And that is the CISO of the organization. And he is responsible for security at the university and the hospital
and all the different schools as well as Kennedy Krieger.
So all these different organizations fall under his purview.
And I think that's important to have is some kind of unified security vision
that allows an organization like Hopkins to provide the kind of security
and to see the movement of this kind of data around the networks.
This particular case in Dusseldorf may not be as clear cut because these two organizations,
the university and the hospital, are affiliated, but they are not under the same organizational
structure like Johns Hopkins University and Johns Hopkins Hospital are.
Right, right.
Well, I mean, it's certainly a tragic outcome here of, I suppose, you know, people say with things like ransomware, oh, what's the real
harm? You know, someone gets their files locked, maybe there's financial loss, oh, people have
insurance and so forth. I think this takes it to another level and points out that even, I mean,
in this case, it seems accidental that the ransomware
folks, they accidentally hit the wrong target. And as a result of that, directly or indirectly,
someone lost their life. Yeah. Graham says at the very end of this, he says, I'd like to think that
someone might read about this case and think again about committing an attack. I would like to think
that too. I don't know that
this is going to have much impact on ransomware attacks. Well, and we've seen ransomware folks go
directly at healthcare organizations. Absolutely. That is their target. And it's because of this
sort of thing, because lives are on the line. Exactly. We've seen them go after a lot of
smaller healthcare systems. And a lot of times these guys pay up because the life is more important.
Right, right.
All right.
Well, again, this is over on Graham Cluley's website.
It's titled Hospital Patient Dies
Following Botched Ransomware Attack.
Joe Carrigan, thanks for joining us.
My pleasure, Dave. And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time, keep you informed,
and it's stronger than those bargain brands.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
at the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.