CyberWire Daily - Oxford lab studying the COVID-19 virus is hacked. Zoom impersonation campaign. Senators would’ve liked to have heard from Amazon about Solorigate. NSA likes zero trust. NIST IoT guidelines.
Episode Date: February 26, 2021
Oxford biology lab hacked. A Zoom impersonation phishing campaign afflicts targets in the EU. Senators disappointed in Amazon's decision not to appear at this week's SolarWinds hearing. NSA advocates adopting zero trust principles. CISA issues alerts on industrial control systems. The US Department of Homeland Security describes increases to its cybersecurity grant programs. Dinah Davis examines how healthcare is being targeted by ransomware. Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System. And NIST's draft IoT security standards are still open for comment. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/38
Transcript
You're listening to the CyberWire Network, powered by N2K.
An Oxford biology lab has been hacked.
A Zoom impersonation phishing campaign afflicts targets in the EU.
Senators are disappointed in Amazon's decision not to appear at this week's SolarWinds hearing.
NSA advocates adopting zero-trust principles.
CISA issues alerts on industrial control systems.
The U.S. Department of Homeland Security describes increases to its cybersecurity grant programs.
Dinah Davis examines how healthcare is being targeted by ransomware.
Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System.
And NIST's draft IoT security standards are still open for comment, but you better act fast.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 26, 2021.

Oxford University confirmed yesterday that its Division of Structural Biology, a prominent lab working on understanding COVID-19, had been accessed by unauthorized parties. The Division of Structural Biology, familiarly STRUBI, is not the Oxford unit that's been working with AstraZeneca on a COVID vaccine. That work has been going on at the Oxford Vaccine Group and Jenner Institute. Instead, STRUBI's research has concentrated on understanding the virus's mechanisms of action, more basic research that would certainly usefully inform development of vaccines and other therapies. Forbes says the intruders accessed machines used to prepare biochemical samples. It's unclear what they were after, and the screenshots of the criminals' posts seen by Forbes make it almost appear that the hackers were counting coup by showing off the access they'd gained. The screenshots seemed to show access to control interfaces with an implied ability to control lab equipment pressure gauges. While the screenshots showed more evidence of capability for sabotage than they did signs of stolen data, it seems reasonable to speculate that the threat actor is a criminal group offering stolen biomedical data for sale to nation-state intelligence services. Hold Security provided Forbes with screenshots of sites on which the attackers were seeking to drum up interest in their wares. Oxford has been understandably tight-lipped about the details of the incident, which it's reported to the Information Commissioner's Office. The National Cyber Security Centre has the matter under investigation.
Security firm GreatHorn has identified a Zoom-based phishing impersonation campaign currently active in the European Union. It's a credential harvesting campaign, and its phishing emails enjoy some success despite their poor idiomatic control of written English. The criminals have taken some care to make their URLs look like the now familiar links legitimate Zoom users have grown accustomed to, and it seems that the look of the URL has been a shiny enough bit of fish bait to get the victims to bite.

Of the publicly stated, good-government, well-intentioned bits of consensus to emerge from this week's hearings before the U.S. Senate Select Committee on Intelligence, the one that seems to have assumed the highest profile is the importance of information sharing. It was not only recommended as a means of preventing other similar supply chain attacks, but also introduced as an exculpation by SolarWinds, which said it wished it had been afforded sufficient liability protection to enable it to share more without fear of being sued. Microsoft, FireEye, and, of course, SolarWinds all offered testimony. Amazon declined, and the Wall Street Journal reports that there was some bipartisan disapproval of the company's failure to appear. Amazon was invited to testify, and the senators believed that the company, which wasn't itself compromised but whose cloud infrastructure was used by the threat actors, could have had valuable insights to contribute. Amazon is said to have shared relevant information privately, but the committee thinks a public airing of the circumstances under which the cyber espionage was accomplished could have been valuable. There's no particular suggestion that Amazon was negligent, and indeed several experts have observed that it's effectively impossible to prevent that sort of abuse of a cloud service, but the committee is considering compelling testimony at future hearings.
NSA has published a cybersecurity information document that urges cybersecurity professionals to adopt a zero-trust security model. A system engineered according to zero-trust principles can better position them to secure sensitive data, systems, and services. NSA calls out three zero-trust guiding principles: first, never trust, always verify; second, assume breach; and third, verify explicitly. And four design principles, which would be: define mission outcomes; architect from the inside out; determine who or what needs access to the data, assets, applications, and services to create access control policies; and inspect and log all traffic before acting. Making this work, Fort Meade cautions, will require persistent adherence to the mindset and comparable attention to the model's application.
CISA yesterday issued four advisories on industrial control systems: ProSoft Technology ICX35, Fatek FvDesigner, Perfect OpenVPN Client, and Rockwell Automation Logix Controllers. Claroty quietly disclosed a cryptographic flaw in the last-mentioned Rockwell PLCs to the manufacturer last year. Now that Rockwell has fixed the vulnerability, Claroty has provided details. An attacker could have discovered a secret cryptographic key used to verify communication between the PLC and its engineering station. This could permit an attacker to mimic a workstation and manipulate manufacturing processes.
The U.S. Department of Homeland Security has increased grant funding for state and local cybersecurity preparedness programs. DHS Secretary Mayorkas explained, quote, "With today's grant awards, I am also directing additional grant funding to support cybersecurity efforts. As we have seen in recent events, attacks to our cyber networks can have devastating effects. Accordingly, I have required that SHSP and UASI recipients spend at least 7.5% of their grant awards to enhance their cybersecurity posture. With this funding, state and local grant recipients can conduct cybersecurity risk assessments, strengthen their .gov internet domains, improve the cybersecurity of their critical infrastructure, and conduct additional cybersecurity training and planning," end quote.
And finally, NIST, the U.S. National Institute of Standards and Technology, has extended its deadline for comments on four draft documents that outline a set of Internet of Things security standards. The documents include three NIST interagency internal reports, and the fourth is a special publication. So comment if you've got them, but don't lollygag and act soon. The newly extended deadline expires today.
Michael Hamilton is founder and CISO of CI Security. He's also the former CISO of the City of Seattle. He joins us today to discuss PISCES, the Public Infrastructure Security Cyber Education System.
We perform security monitoring of small local governments at no charge in return for using the data that we collect as real-time curriculum for five universities.

So how do you measure success in terms of the small cities and towns that you're serving here? When this information comes back to them, are you seeing it? Is it actionable?

It is. And so they're very appreciative of the fact that they are being brought into the loop. And as I'm looking at tickets right now, I see one, two, three, four cities that probably need contact. And I've already contacted a county this morning. You know, a lot of this stuff is false positives and the students are learning. So, you know, we have someone that adjudicates whether or not a customer needs to be contacted and an event escalated. We are telling the customers things about their networks that they don't know. For example, there is one jurisdiction here in Washington state that is really getting pounded by somebody. And so, you know, we've given them instructions on, you know, network blocks, things to check in their own logs, et cetera, et cetera. But to your question, really the success metric is the people getting hired, because our intent is to make sure that we have a much stronger bench in our state, Washington state. Colorado will probably be the next one to start up a PISCES chapter. We've talked to folks in Texas, Oklahoma, and South Carolina. And in fact, one of the universities that is teaching the PISCES curriculum is Alabama A&M, which is one of our historically black colleges and universities. And we are intent on making sure that we do a better job of getting into the rest of the HBCUs and turning brothers and sisters into analysts.

And interestingly, just broad vision kind of thing, you don't need to live near the building anymore to work for the company. And what we have found is, and what the universities have told us is, when we graduate our students, we really want them to stay in the local economy. Well, this also provides that mechanism because to a great extent, you know, technical roles are able to work remotely. And as we've worked with auditors to design security controls, you know, for the commercial side of the business, right, because my business, CI Security, we do this commercial monitoring, right? Set that aside. But we've talked to our auditors and said, hey, you know, if we have the following controls in place, do they have to be in this SOC we spent $100,000 on? They said no. So what this means is, applied more broadly, this is a way to get folks in not only underserved communities in terms of minority and people of color, but in places where there are no technical jobs, in the middle of Kansas. And if that's what your quality of life is as defined by you, knock yourself out, man. Go live there. Make this kind of salary and squirt that into the local economy. So in a larger sense, this is one of the tools that we have in the United States of kind of moving the chess pieces around so that everything isn't all concentrated in the Bay Area and Seattle, you know.
It really sounds like you're on to a win-win here. Like, everybody benefits from this. It's an untapped, or I guess these small cities and towns are an area that might be, I don't know, too small for a lot of companies to want to take the time to invest in supporting.
Yep. Yep. And, you know, and again, you know, they can't afford it, you know.
Right, right.
But here's the thing. I mean, counties, counties run 911. Only counties run 911. They also do elections, you know. And frankly, there's a lot of IT involved in both of those things. And the fact that they can't afford the kind of controls that their larger brethren in some of these larger jurisdictions can doesn't mean they're any less critical. So, yeah, it is a win-win because of the infrastructure protection and, in fact, helping these folks with their networks. You know, I had somebody make a DNS change in their firewall that solved a bunch of problems for them. So, you know, there is value to be gained here. Keeping it free for the small jurisdictions is a real goal. And that's why we have to get to, you know, a sustainable business model here. You know, we just got our nonprofit status, so that will change something. But yeah, it's win-win.

And as we move into our next objective, which is making sure that students midway through their scholastic career can go out and intern with the local jurisdictions that we're monitoring so that they actually get some, you know, boots on the ground experience too. And, you know, we also want to talk to the American Hospital Association about doing the same thing, you know, potentially getting them interns, so that could, you know... They're on, especially rural hospitals are on the financial ropes too. They need help. So, you know, this is all about doing public good, but longer term it's solving this problem that we have in the United States that everybody thinks they want to solve by creating the next new gizmo to sell you. You know, we know we got to make people. So we're going to make people.
That's Michael Hamilton from CI Security. You can learn more about PISCES at their website, Pisces-NW.org.

There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com.
And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D for Arctic Wolf. Dinah, it is always great to have you back. You know, we are seeing this sort of relentless onslaught of ransomware, and a lot of these folks are focusing on healthcare. I want to touch base with you on that particular element of this. Where do we find ourselves today? What do you think?

Yeah, it's pretty intense. You know, October alone saw a 71% increase in ransomware attacks against the healthcare sector in the US. So that's pretty intense.

Right. Why healthcare in particular? What puts the big target on their back?

Yeah.
So I think they're a little bit easier to target for a couple of reasons. One, they feel like, the attackers feel like healthcare is more likely to pay because of the life and death situation that the ransom causes, right? You ransom all those life support machines and they need to get those back up because they're actually looking at, you know, people's lives here. So that's one. Two, they're often running equipment that's older and harder to upgrade, right? Running specialized systems. And historically, hospitals have probably had a low amount of funding for their IT staff and updating things. So their IT team is often stretched thin, and that makes them a bigger target, right? So, you know, a bigger target. Right. So that, that's one of, that's, I think, a big reason. And then I think on top of that with COVID, the hospitals are even more stressed and, like, these nasty attackers think this is even a better opportunity. I think it's pretty despicable, but this is what they're doing. And it was already kind of bad. And then in early November, the FBI issued this warning against more ransomware attacks coming on U.S. hospitals. And so this was like, we were like, oh, my gosh, at Arctic Wolf. And so we, you know, we were able to put lots of extra monitoring in place for our healthcare people, and helping them to go and upgrade their systems, like, so really working hard with them to say, okay, patch, patch, patch, patch here, because the most important thing here is that you have the least amount of risk we can handle, and then we will watch for the rest of it.
So I guess the big question then becomes, you know, like, how do they prevent this, right?

Yeah, I mean, it's such a, it's a huge attack surface. And as you say, they're serving a critical mission there.

Yeah, absolutely. So, okay, you're in the healthcare industry. What can you do to prevent from being ransomed? So one, ensure you have good security practices and security training. Remember that for ransomware to get in, you only need one person to click a bad link. So the more training you do, the more you empower your employees to understand what they're doing, the better you're going to be. You should have a security team doing 24 by 7 monitoring. Whether you're going to build that yourself or you're going to hire it, you really have to be watching all the time. And then, of course, you know, patch, patch, patch, patch, patch, patch all the things.
Well, when you say monitoring, what specifically are we talking about here? What does that mean?

Yeah. So you want to be watching, like, the network traffic flow coming in and out of your hospitals. You want to monitor, you really want to monitor stuff that's happening on your email software. So, you know, are people adding new accounts? Who's adding it? Are they setting up email forwarding rules? That is a big attack vector right now. Set up an email, compromise somebody's account, set up an email forwarding rule to watch for certain types of messages and then be able to craft a really nice phishing message back, right? To get money or to install something else, right? So you want to not only monitor your physical network, you want to monitor your cloud network as well, right? So your Office 365, if you have anything running in Amazon or in Google Cloud, all of that kind of stuff. You want to have endpoints installed on your laptop so that we can monitor anything that's happening on those. Any kind of flow traffic, intrusion places, is where you want to be monitoring.
Yeah.
Yeah, it's so critical. You know, it's funny. My colleague, Joe Carrigan, is at Johns Hopkins. And of course, he's at the university, but they're also famous for having a world-class hospital. And he makes the point often that if security is going to get in the way of a doctor being able to do something they need to do to do health care, security is going to take a backseat to that. And that is, it is appropriate, but it is also a challenge.
Yeah, absolutely. And, you know, it's hard, right? You probably, you know, one of the big things that we also, you know, say is have a good backup plan. Okay, so put in as much as you can to try and prevent things from happening. But it's likely something's going to happen. So do you have a good response plan? One, do you have good backups so you can recover really quickly, whether you pay the ransom or not? Two, run through mock scenarios with company leadership so they know what to do when it happens. So what happens if all of your stuff in your hospital, everything goes offline? What are you going to do? If you have a plan for that, you're going to have minimal impact, right? I mean, there'll be impact, but it'll be minimal. Don't be the least secure hospital.
Right.
I know it's a little bit silly, but it is true. Don't, you know, even if you can only do a few things, do those things, right?
Yeah.
It will help you.
I don't have to outrun the bear.
I only have to outrun you.
Right, exactly.
That's exactly it.
Yeah, yeah.
All right.
Well, Dinah Davis, always a pleasure.
Thanks so much for joining us.
No problem.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. You deserve it, too. Listen for us on your Alexa smart speaker.

Be sure to take some time this weekend and check out our episode of Research Saturday. This week, I speak with Maurits Lucas from Intel 471. We're going to be discussing the current state of China's cybercrime underground. That's Research Saturday. Do check it out.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here next week.