CyberWire Daily - Prankers on Zoom, with convincing video. Emotet takedown. US response to SolarWinds reviewed. Cancer therapy disrupted by attack on cloud provider. Oscar phishing.
Episode Date: April 26, 2021
Zoom prankers deceive European members of parliament with a deepfake video call. A password manager is compromised. Europol took a good whack at Emotet yesterday, removing the botnet's malware from infected machines. US response to the Holiday Bear campaign receives cautious good reviews. A cyberattack interferes with cancer treatments. Caleb Barlow from CynergisTek on emergency notification systems. Rick Howard previews the latest CSO Perspectives podcast focused on the healthcare vertical. And movie-themed phishbait chummed the waters around yesterday's Oscars. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/79
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Zoom prankers deceive European members of parliament with a deepfake video call.
A password manager is compromised.
Europol took a good whack at Emotet yesterday, removing the botnet's malware from infected machines.
The U.S. response to the Holiday Bear campaign receives cautious good reviews.
A cyber attack interferes with cancer treatments.
Caleb Barlow from CynergisTek on emergency notification systems. Rick Howard previews the latest CSO Perspectives podcast focused on the healthcare vertical.
And movie-themed phishbait chummed the waters around yesterday's Oscars.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 26, 2021.
Someone impersonating a spokesman for imprisoned Russian opposition figure Alexei Navalny conducted Zoom meetings with European Parliament members. The sessions featured what The Guardian and NL Times called a deepfake video call purporting to be Navalny associate Leonid Volkov, which Volkov himself said looked pretty convincing. Speculation about responsibility for the incident has focused on Vovan and Lexus, two well-known Russian prank callers, prankers, as such nuisance humorists are known. The incident is of course troubling for coming at a time when Navalny is imprisoned and on a life-threatening hunger strike. And it's worth noting that relatively senior political officials were taken in by the scam.

But to place it in perspective, this is more shock jock stuff than it is a spore of a new and devilishly nefarious approach to disinformation. Technically, it's a cut above the kind of jerk who would call the live news coverage to holler "Baba Booey" during the slow-motion chase of O.J. Simpson's Bronco down the 405 in Los Angeles, but let's keep it in perspective. The lesson is that video that appears genuine in a live call need not be, and that some authentication beyond look and feel is necessary. But we already knew that. It's even become a trope in gag insurance commercials where there's a guy videoconferencing with his emu colleague and so forth. At any rate, on balance, not very funny. And Vovan and Lexus themselves aren't novices, we note. They pranked, to name just three, Sir Elton John, the Duke of Sussex, and Senator Bernie Sanders. But many of their targets have been critics of the Russian regime. Mr. Putin himself has not been pranked and seems unlikely to be.
A widely used password manager, Click Studios' Passwordstate, has sustained a cyber attack. The Australian company has warned its customers to reset their passwords. TechCrunch reports that Click Studios confirmed to customers that the attackers had compromised Passwordstate's software update feature and that their goal was the obvious one of stealing users' passwords.
Europol yesterday took another step toward further disabling the Emotet botnet when a time-activated .dll removed Emotet's enabling malware from victim machines. SC Magazine notes the operation's similarity to the FBI's recent removal of malicious web shells from compromised Microsoft Exchange server instances. The active removal represents the final stage in taking down Emotet. After the initial takedown operation, European authorities pushed a new configuration to machines actively infected with Emotet. Bleeping Computer takes the occasion as an opportunity to review the activities of TA542, also known as Mummy Spider, the criminal organization behind Emotet. Quote, "TA542's attacks usually led to full network compromise and the deployment of ransomware payloads on all infected systems." End quote. Its toolkit includes more than Emotet. The gang delivered ProLock or Egregor by Qbot, and Ryuk and Conti by TrickBot. Yesterday's action is being widely hailed as one that may permanently disable Emotet, but botnets have risen from the dead in the past, and so the optimism should be of a cautious variety. But congratulations to Europol and German authorities, and we wish them further good hunting.

The Washington Post reports that security experts generally approve the U.S. response to Russia's SolarWinds exploitation campaign, but U.S. Deputy National Security Advisor Anne Neuberger in a CNN interview cautioned against expecting too much. The Russians almost surely remain active inside U.S. networks. As far as any long-term effect on Russian policy and behavior, Neuberger said, quote, "We'll know when we see a change with regards to Russia's broad use of cyber to achieve national objectives, and that's something that will take time. To really shape a country's use of cyber, you have to shape the calculus they use on the value and the cost. The SVR is a sophisticated, persistent actor. They play a role as part of Russia's intelligence collection, as part of their malign influence mission, and we know that to shape that calculus is not going to be one action." End quote.
A cyber attack against Elekta, a firm whose software is used to operate linear accelerators used in cancer treatment, has taken the firm offline and disrupted cancer care at a number of U.S. hospitals. Affected hospitals are moving patients to other facilities as they scramble to keep up the treatments, WTNH reports. The incident is being described as a data breach, and in the course of remediating the incident, Elekta found it necessary to stop access to its cloud data storage.
Online fraud follows current events, and the Academy Awards yesterday provided cybercriminals an opportunity to dangle lures baited with Oscar material before prospective victims, ThreatPost says. Some of the phishbait involved showing trailers of nominated films and then inviting victims to register with a pay card to see the whole performance. Of course, the film didn't run, but the hoods did debit the victims' pay cards. Other scams used more conventional phishbait. Our Cinema Desk has nothing to say about any of this year's nominations. They've been passive-aggressive like that since the Academy snubbed Sharknado: The 4th Awakens back in 2016. But we hear that the most commonly abused movie titles were, first, Judas and the Black Messiah in the lead with 27% of the malware Kaspersky researchers found, followed by Promising Young Woman at 27%, and The Trial of the Chicago 7, associated with 21% of the malicious files.

We close today with some sad news for the information security community. Dan Kaminsky, a well-known white hat hacker famous for his description of DNS cache poisoning, and long a fixture at DEF CON and Black Hat, passed away over the weekend at the age of 42, the cause of death being complications of diabetes. SecurityWeek and The Register, among others, ran obituaries. The Register's piece communicates how highly he was esteemed and how well he was liked within the InfoSec community. Our sincere condolences go to his colleagues at Human Security, formerly White Ops, and especially to his family. May they receive comfort and consolation.
And joining me once again is the CyberWire's Chief Security Officer and Chief Analyst, Rick Howard. Rick, great to have you back.
Thanks, Dave.
So for this season of CSO Perspectives, you are talking about strategies and tactics for different verticals.
And last week, you did the financial vertical.
What's in store for us this week?
For the pro side, this episode was a real treat for me to put together.
We're talking about the healthcare vertical this week.
And the CyberWire just happens to have two members of the Health-ISAC that are regulars at our hash table discussions.
Have you met them before, Dave?
It's Denise Anderson and Errol Weiss.
Have you talked to them before?
I don't know.
It doesn't ring a bell off the top of my head, but I talk to a lot of people, Rick.
Yes, you do.
Could be.
Could be.
I apologize in advance if I have.
Please forgive me.
But let's move on, Rick.
What are you all talking about?
Never ask a question you don't know the answer for.
That's for a host on podcast.
Well, yes, Rick.
I've spoken to both of them, and they were delightful.
How's that?
Perfect.
Okay.
So Denise Anderson is the Health-ISAC president and CEO, and Errol Weiss is the Health-ISAC chief security officer.
And what most people don't know about these two is that they were original contributors to the entire ISAC movement that started back in 1999.
President Clinton signed a presidential directive back then that created the ISACs, and that stands for Information Sharing and Analysis Centers, and created some 16 critical infrastructure verticals like healthcare, finance, energy, and a bunch more.
The one ISAC that got themselves organized quickly and eventually became the model for everybody else was the financial ISAC.
And Denise was employee number two when they stood it up.
I mean, how about that?
And Errol was one of the original founding bank member volunteers.
So when the Health-ISAC decided to up their game a few years ago,
they wisely chose Denise to be the CEO.
And one of her first moves was to hire Errol as her chief security officer.
Oh, wow.
All right.
Well, look forward to that conversation for sure. Now, that is over on the pro side where all of the cool kids are.
What about on the free side of the house on standard CyberWire?
Anything over there?
Yeah, and as we talked about this last week,
we're releasing episodes of Season 1 of CSO Perspectives
at the same time that we're releasing Season 5 episodes on the pro side.
And, you know, we wanted to give folks a chance to get a taste of the pro side
before they committed their money to it.
Last week on the free side, we talked about, say it with me, SASE.
Come on, David, say it with me.
SASE, yeah, SASE.
And this week we're tackling artificial intelligence
and how it's often mentioned in the same breath
as machine learning, which, you know,
you and I have talked about this.
This is one of my biggest pet peeve no-nos.
Oh, yeah.
You are not alone in that one, my friend.
I mean, that is a bugaboo throughout the industry.
So with that said, though, machine learning techniques have become standard security vendor best practices in certain narrow data domains like SIEMs, EDR, XDR, and malware identification.
All right. So there's something for everyone there. Rick Howard, thanks for joining us.
Thank you, sir.
And joining me once again is Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
Today we are talking about emergency notification systems and the importance of them. What do you got to share with us today?
Well, Dave, we've often talked about the importance of assembling your team quickly
in the event of a security incident of magnitude, right? And what I like to call this, and this is
definitely Caleb's speak, you're not going to find this in any book, but I like to call this
the duty to convene, right? How do you convene your team in a hurry? So, you know, kind of simply put,
it's how do you get your entire team together, including supporting staff, legal, incident
responders, business line owners, et cetera, at 3 a.m. on Christmas Eve? And how do you do it in a
way that they're actually going to show up, right? So- While the network's down.
Yes, exactly. While the network's down and Slack doesn't work
and blah, blah, blah.
So there are actually great tools out there for doing this.
Oftentimes, and what I find a lot of people are using,
are the same tools you'd use
for communicating emergencies to students,
whether that's like an active shooter event or a snow day.
You can organize these tools by group.
They will go through and,
you know, call, page, call different phones until they reach somebody. And then that person can say,
you know, press one if you're responding, press two if, you know, if this is the wrong number
type of thing, right? Well, you know, immediately who's showing up to your, you know, virtual crisis
call or whatever, what department they're in,
and you also know who's not coming
so you know where you've got gaps.
I think these are really critical systems to have in place.
And there's some interesting techniques we've learned
on how to get these systems organized.
Okay, what can you share with us?
Well, first of all, one of the concepts,
and this kind of comes from the military,
is this concept of a warning order.
You know, a lot of times when an incident is unfolding
in the early days of, you know,
in the early hours of an incident,
you know, you don't really know if a thing is a thing yet.
Like it's starting to look bad,
but you don't really know how bad is it.
You know, and oftentimes that can be things like,
let's say there's a major vulnerability
that's just hitting the wire and you don't yet know if your systems are infected or worse yet,
is this like one of those vulnerabilities where we're all going to be up for the next 24 hours
patching systems and issuing press releases? Or is this kind of a mundane thing and it's just
getting a lot of airtime because somebody's making a big deal out of it? One of the concepts
that can be really helpful is this idea of a warning order,
where you're not telling your team to convene,
but what you're doing is using your emergency notification system to say,
hey, something's up.
We may need to convene the team in the next, you know, six, eight, 12 hours.
Keep your phone with you.
It can be an unbelievably powerful tool because you're not
kind of pressing the big red button, but you're giving everybody a little bit of awareness that
something's up and we may need to all assemble as a team. It also gives researchers time to dig in
and figure out, you know, what's going on and if the team actually does need to assemble.
What about the importance of having all this stuff printed on paper?
Because I'm thinking the system goes down, the phones aren't working, just backup copies
of all this stuff.
Where do you think I keep my runbooks, Dave?
You have a shelf?
No, in my underwear drawer. That's where they're supposed to be.
Of course. How silly of me. Yes, I stand corrected.
Seriously though, you're absolutely right.
If your runbooks and plans aren't printed out
or on some external system, and here's the other thing,
the place you're going to go convene,
whether that's a WebEx or a Zoom or a conference call,
it also needs to be off of your network.
I can't tell you how many runbooks I look at.
And first of all, to find out the crisis plan,
go to our SharePoint repository, you know, held on premise.
And, you know, let's use the corporate, you know,
the corporate voicemail system for letting everybody know
that's just not going to work, right?
So I think you've got to do that.
A good system really should work across, you know,
multiple media, office, phone, cellular, text message.
I would also, and this is probably for the, you know, this is kind of the advanced class, but this stuff is not expensive.
If you're a critical infrastructure provider, consider getting something called a GETS card, which is the Global Emergency Telecommunications Service.
It's run by the Department of Homeland Security. It kind of pairs with something called Wireless Priority Service.
And what this does is in the event of a 9/11-style incident,
it allows you to get access to the phone system, even if it's flooded.
You know, and it's just, it's literally a little wallet card you carry around in your pocket.
They don't charge you for it unless you use it. And of course, if you use it, you don't care what it costs you.
I'm also a big fan of satellite phones, especially if you have large critical laboratories or development labs in foreign countries,
you know, particularly areas where you may have unrest or, you know, you may have cyber incidents
or you may even have weather incidents.
The great thing about a sat phone is you can get immediate ground truth.
They don't cost much to own one.
They cost a fortune if you use them.
But again, if it's an emergency, you're using it, you don't care.
But the great insurance to have around.
I remember one bank of mine that was a customer.
And this is the extreme, but it gives you an idea. This particular bank moved gazillions of dollars a day.
Their issue was if one of their data centers went down,
they needed ground truth immediately. It didn't mean they had backups and redundancy,
but they needed to know what was going on. Was this a case of
the power went down for two minutes and the generator had trouble restarting and it's going to be back in
10 minutes? Or is this a situation where, you know, no, the data center's gone and you need
to move operations somewhere else? They actually deployed Ford Explorers near their data centers
about an hour away at employees' homes, full of communications gear, satellite phones, runbooks,
internet connections that were wireless, all as insurance
in that if one of these data centers went down, they had
something mobile that could get ground truth back to headquarters in under an hour.
Again, that's the extreme case, but these are some of the things we've got to think
through. For a smaller company, maybe it's as simple as just having a printout in your underwear drawer of everybody's cell phone number.
Right, right.
Yeah, but the time to be thinking about this is not when you're in the midst of the crisis, right?
No, that would be, as they say, too late.
All right.
Well, Caleb Barlow, thanks for joining us.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the
Grumpy Old Geeks podcast where I contribute to a regular segment called Security, Ha! I join Jason
and Brian on their show for a lively discussion of the latest security news every week. You can
find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future
podcast, which I also host. The subject there is threat intelligence. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.