CyberWire Daily - Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability.

Episode Date: August 24, 2022

A medical center near Paris comes under ransomware attack, and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with an introduction to our audience. Dave Bittner sits down with Gil Hoffer, CTO and Co-founder of Salto, to discuss "Who Hacked Slack?" And threat actors prepare to exploit a Hikvision camera vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/163

Selected reading.
Cyber attackers disrupt services at French hospital, demand $10 million ransom (France 24)
French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)
DECLENCHEMENT DU PLAN BLANC DIMANCHE 21 AOUT 2022 (CHSF - Centre Hospitalier Sud Francilien)
Ukraine at D+181: Independence Day and six months of war. (CyberWire)
Six months, twenty-three lessons: What the world has learned from Russia's war in Ukraine (Atlantic Council)
Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams (Bitcoin News)
Hackers Use Deepfakes of Binance Exec to Scam Multiple Crypto Projects (Gizmodo)
Binance's CEO said thousands of people are falsely claiming to be his employees on LinkedIn. Experts warn it's an example of the platform's growing problem with fake accounts. (Business Insider)
Twitter's Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)
Twitter is vulnerable to Russian and Chinese influence, whistleblower says (CNN)
Over 80,000 exploitable Hikvision cameras exposed online (BleepingComputer)
Experts warn of widespread exploitation involving Hikvision cameras (The Record by Recorded Future)
Hikvision Surveillance Cameras Vulnerabilities (CYFIRMA)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A medical center in Paris comes under ransomware attack and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with an introduction to our audience.
Starting point is 00:02:15 Dave Bittner sits down with Gil Hoffer, CTO and co-founder of Salto, to discuss who hacked Slack. And threat actors prepare to exploit a Hikvision camera vulnerability. From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner with your CyberWire summary for Wednesday, August 24, 2022. The Centre Hospitalier Sud-Francilien sustained a ransomware attack that has disrupted services and forced diversion of patients to other healthcare facilities. CHSF, a large 1,000-bed hospital some 28 kilometers from downtown Paris, says the attack affected a range of systems, including patient admissions, medical records, and especially medical imaging. France 24 reports that the ransomware gang has demanded $10 million
Starting point is 00:03:20 for restoration of the hospital systems, which CHSF has refused to pay. The attack is thought to be the work of either RagnarLocker or LockBit 3.0, especially since responsibility for the investigation has gone to the National Gendarmerie's Cyber Unit, which would handle this sort of international cybercrime. Bleeping Computer cites local researchers who think the attack is more consistent with LockBit 3.0's operation. An attack on a hospital, especially one that puts patients at some risk, would amount to a violation of the ransomware-as-a-service market's humanitarian code, if, that is,
Starting point is 00:03:55 one takes such criminal avowals of social responsibility seriously. We don't. Today marks the 31st anniversary of Ukrainian independence from the Soviet Union, and it also marks the sixth month of Russia's war against Ukraine. As Ukraine braces for renewed Russian strikes against its cities, the Atlantic Council has published a set of lessons to be learned from half a year of Russia's war against Ukraine. Some of them have particular relevance to cybersecurity. 1. Lesson for wartime strategic communications.
Starting point is 00:04:27 Influence operations are a day-in, day-out job. Russia has not succeeded in influence operations, but Ukraine has, largely because it has tamped down on disinformation and coordinated inauthenticity. 2. Lesson for hybrid war. Don't ignore the fundamentals. Conventional military failures, particularly in tactics and logistics, have marked the Russian invasion. It's also been marked by intelligence and influence operations failures. 3. Lessons for would-be invaders.
Starting point is 00:04:54 You can't hide preparations for a full-scale invasion. Intelligence is now a commodity. Open sources now show collection and analytic capabilities that formerly would have been possessed only by advanced nation-states. Russian official media themselves pretty clearly telegraphed Moscow's intentions, as did social media posts from ordinary Russian soldiers and citizens. Armies have yet to come to grips with the OPSEC challenges of social media. 4. Lesson for Cybersecurity
Starting point is 00:05:21 The private sector should play a critical military operational role in cyberspace. Ukraine has proved surprisingly resilient in the face of hostile Russian cyber operations, and this has been due in large part to its own preparations, shaped by lessons learned from more than a decade of hostile Russian gray zone operations. But Russia's invasion of Ukraine has generated a new role for the private sector, which is engaging in direct cyber combat against Russian cyber attacks and in support of Ukraine's military and governmental functions. While Ukraine has its own capable cyber defenders, who, for example, stopped an attack
Starting point is 00:05:55 against the Ukrainian electric grid, those efforts have been complemented by private sector firms that have worked with Kyiv both by helping to identify and disable malware and by taking additional actions to create a much more defensible Ukrainian cyberspace. Both Microsoft and Cisco have published reports detailing defensive cyber operations, and European cybersecurity firms, such as the Slovakian firm ESET, have also been engaged. Ukraine's cybersecurity defense has additionally been enhanced through the use of Starlink terminals and the transfer of Ukrainian governmental functions to cyber clouds outside of Ukraine. The actions that these private companies have undertaken foreshadow the critical role such firms will play in future 21st century conflicts. 5. Lesson for U.S. homeland security. Ignoring the home front is a serious mistake. The inherently deniable and ambiguous character of cyber conflict
Starting point is 00:06:47 tends to spread its effects beyond the immediate theater of operations. The U.S. got off to a good start, but emphasis may have failed in recent months. More needs to be done by DHS and others to get the American people to understand and better resist the Russian hybrid warfare campaigns that promote divisive propaganda and social media manipulation. Russia's hybrid warfare strategy, which uses disinformation even more than cyberattacks, seems designed to wear down Western democracies' opposition to Russia's aggression. Acting on this final lesson, we note, is perhaps easier said than done. Disinformation can be difficult to counter, especially since the obvious moves against it are difficult to contend with in any society that values freedom of speech.
Starting point is 00:07:29 Bitcoin.com reports that scammers used an AI hologram as a deepfake impersonation of cryptocurrency exchange Binance's chief communications officer Patrick Hillman in scam Zoom video calls with representatives of various cryptocurrency projects. Hillman, blogging about the experience last week, said he became aware of the scam when he received messages from the targets, thanking him for taking the time to meet with them in calls he in fact never attended. Quote, it turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a deepfake of me. End quote. It's not just deepfakes on Zoom either. A more conventional impersonation is also troubling Binance. Business Insider reports that Changpeng Zhao, the CEO of cryptocurrency exchange Binance, tweeted that, quote,
Starting point is 00:08:19 LinkedIn has 7,000 profiles of Binance employees, of which only 50 or so are real, end quote. Reports of fake accounts are by no means confined to Twitter. Twitter, we note in passing, continues to receive a great deal of media and regulatory attention in the wake of its former security executive's public airing of his complaints about the platform's general security posture, including its alleged toleration of bots. And finally, CYFIRMA researchers report that Hikvision networked cameras are susceptible to exploitation of a command injection vulnerability. Exploitation could enable attackers to enroll cameras as bots in distributed denial-of-service
Starting point is 00:08:59 attacks. It could also afford threat actors the opportunity to pivot to other, more sensitive portions of the networks the cameras connect with. Various criminal groups are exchanging information on the vulnerable systems in underground fora. Quote, CYFIRMA researchers have observed in the sample analyzed multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability CVE-2021-36260 globally. Specifically, in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and further exploit the path of attack to target an organization's environment. End quote. The report mentions the possibility of exploitation for geopolitical purposes,
Starting point is 00:09:49 which suggests a potential nation-state or privateering threat. Paul Bischoff, privacy advocate for Comparitech, wrote to explain some of the difficulties involved in securing devices like networked cameras. Quote, IoT devices like cameras aren't always as easy or straightforward to secure as an app on your phone. Updates are not automatic. Users need to manually download and install them, and many users might never get the message. End quote. These devices also don't give users the sorts of cues a smartphone, for example, does. Quote, furthermore, IoT devices might not give any indication that they are
Starting point is 00:10:26 unsecured or out of date, whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot. IoT devices do not offer such conveniences. Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan. From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera's network. In this case, the problem is exacerbated by the fact that Hikvision's cameras come with one of a few predetermined passwords out of the box, and many users don't change these default passwords. End quote.
Starting point is 00:11:11 So, unlike your phone, an unpatched camera, like so many other humble IoT devices, will just suffer in silence if it's unpatched. Please, do remember to change your default passwords. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:58 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:18 It is not uncommon for modern companies to employ dozens, if not hundreds, of business applications to help streamline the things they do. Every one of those apps has the potential to serve as a gateway for bad actors to access your data. Gil Hoffer is CTO and co-founder of Salto, an organization looking to centralize the management of software-as-a-service applications. Any business today is using a very large collection of business applications in order to run their business. Anything from Salesforce to run the sales processes to NetSuite for finance, to Jira for engineering task management,
Starting point is 00:13:59 to Slack for collaboration, etc., etc. So you'll have anything from a few tens to many hundreds of those business applications, which are basically these highly distributed back office system for a modern company. And in order for those companies to actually utilize those business applications, they need to customize or configure
Starting point is 00:14:22 or extend all of those business applications or platforms to fit their actual business needs. And the thing is that those platforms tend to be highly customizable in many cases, which makes it very easy to make mistakes. And as you well know, such configuration mistakes, we know them for tens of years from infrastructure. They create a very significant attack surface for systems. And exactly the same happens with those business applications. You can very easily configure a wrong rule that would open
Starting point is 00:15:03 all kinds of access, for example, on the permission side. You can create, and we saw it with some of our customers, you can miscreate some kind of an automation or trigger, let's say, in your support system, and start sending data of one customer to another customer by email, just because you did like a wrong configuration
Starting point is 00:15:25 of those business applications. So we believe that right now we're still in relatively early days with using those systems. They're still lacking a lot of controls, still lacking a lot of methodologies and tools in order to properly manage those in a predictable and secure way. It's interesting because I think many organizations see the utility in these kinds of tools and they really do help run the business. Is the notion here that it's not so much that they're insecure out of the box, it's just that the fact that they are customizable can lead to errors? Yeah, definitely. Well, you know, if we look at infrastructure, let's say servers or databases,
Starting point is 00:16:20 et cetera, usually when we introduce the vulnerabilities, these are in customizations that we make, in code that we write, in configuration changes that we make. And it's exactly the same here. Let's say if we look at NetSuite, for example. So you can actually extend NetSuite and it actually serves like a web server. You can add API endpoints that can receive traffic from the internet even, if that's how you configure it. Now, this is a highly sensitive financial system that you can add code to. You control permissions and roles, etc. And if you make a mistake, you can very easily expose your organization to some very severe risks. And we are seeing organizations today realizing that this is a problem, the way that they manage their business applications, in terms of quality, in terms of security, in terms of predictability, just being able to know when will they release something. And they are trying to adapt and adopt better best practices and
Starting point is 00:17:33 better tools and better methodologies for doing that. And so what are your recommendations here? Is this a matter of putting procedures in place, or is there more to it than that? So part of it is procedures, but in many cases, it's also, first of all, it's around state of mind, right? Because if, let's say, the person is managing your Zendesk, your main customer support tool. If he thinks of himself as mostly an admin, he goes in, does something, is not aware of the actual implication of the changes that he's doing, about the risks that he might be exposing his organization to, then we're not really going to make any kind of headway here. So it starts with awareness and understanding that those systems are crucial. They're a critical part of any modern business and changes in their configuration can have a real negative and positive, obviously, impact on those organizations.
Starting point is 00:18:39 Then when we realize that, then we need to deal with processes. So having the right methodologies in place, procedures, etc. As well as tools and tooling. And there are ways today, some emerging ways to actually use tools which are more similar to, let's say, the infrastructure-as-code type of tools from, let's say, Terraform, these kinds of tools from infrastructure. You can actually use stuff like that also for managing your business applications configuration. Salto is one of those tools, but there are other ways you can do that.
Starting point is 00:19:13 And once you start using these kinds of tools, then you can actually start utilizing, let's say, Git, you know, to version control your changes. You can introduce peer reviews, code reviews to those changes. And there are also some more advanced organizations, especially with Salesforce, some with NetSuite, that actually went all the way in and implemented a full-blown CI/CD pipeline
Starting point is 00:19:39 with security checks, with full visibility, with great automation around all the changes that they make. So I would say that it starts with awareness, continues with procedures and processes, and which would require tooling in many cases. That's Gil Hoffer from Salto. cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:20:38 today to see how a default-deny approach can keep your company safe and compliant. And it is my pleasure to welcome to the show Deepen Desai. He is the Chief Information Security Officer and also VP of Security Research and Operations at Zscaler. Deepen, great to have you here on the CyberWire. Thank you, Dave, for having me. So I want to take this opportunity to first of all welcome you. We're going to be talking regularly, you and I, here as part of our partner segments that we do here. But I wanted to take this opportunity to introduce you to our audience, allow you to share a little bit about yourself for folks who may not have been introduced to you.
Starting point is 00:21:32 Great. No, I'm happy to do that. So as you mentioned, I'm the global CISO and head of security research here at Zscaler. I've been with Zscaler for a little over eight years. My primary responsibilities involve running the global security research operations, as well as working with our product groups to ensure that our platforms and services are secure. I've been involved in the field of cybersecurity for the past 17, 18 years now. Prior to Zscaler, I was in security leadership roles at Dell SonicWall. Throughout the last almost two decades, my journey in the field of cybersecurity has involved towards doing threat research, looking at how the threat landscape has evolved, but at the same time also build newer detection technologies
Starting point is 00:22:28 to combat that evolving threat landscape. What is your day-to-day like these days with your colleagues there at Zscaler? My day-to-day operation, obviously the primary focus is to make sure we're keeping our customers secure as well as our platform secure. It's divided between keeping an eye on things that are of interest from the coverage perspective. We have these daily briefings. Our goal is to make sure we're on top of the newer threats.
Starting point is 00:23:04 Then there is also the whole SOC aspect where we're looking at what is being observed in our own infrastructure, in our own global operations in terms of threat activity, attempted attacks, and how we're able to mitigate those. Do you have any particular areas of interest, things that draw your attention? Yeah, I'm really interested in, so as part of my role, I also get to talk to a lot of security leaders around the globe. And I'm really passionate about helping many of these organizations drive the digital transformation that we're all experiencing. It's fundamentally driven by the whole zero trust architecture initiative. That's one thing that I'm really passionate about, where helping these organizations go through that journey,
Starting point is 00:24:02 improve their security posture in order to be in the best possible security posture to defend against ransomware threats, supply chain attacks, things that we're seeing today as part of our daily tracking activity. Where do you suppose we stand today when it comes to the adoption of Zero Trust? Where are we on that journey? It's still ongoing. I would say we are in a much better situation than pre-pandemic. Pandemic did have a role to play. If you look at the whole journey, the whole digital transformation journey,
Starting point is 00:24:35 I see three major areas. One is application transformation, where the apps are moving from your internal networks to public cloud. That's the app transformation piece. There's network transformation piece where the old way of doing things was hub and spoke. Now everyone wants direct path to the internet. So that's a network transformation piece
Starting point is 00:24:59 because your apps are living on the internet and there are SaaS applications, the first piece I mentioned. And the third piece is the security transformation where, again, the goal is you don't want to use the old castle-in-mode technology
Starting point is 00:25:14 where you're bringing in traffic at a central point, a choke point, to perform security inspection. Instead, you need that zero-trust architecture where all your user traffic is subjected to consistent security policy. So if you combine all of those three things, that's basically the digital transformation that needs to happen for the majority of the organizations if they want to safeguard against the modern attacks that we see.
Starting point is 00:25:42 All right. Well, welcome to the CyberWire, Deepen. Always a pleasure to speak with you. Deepen Desai, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White,
Starting point is 00:26:21 Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Trey Hester filling in for Dave Bittner. Thanks for listening. See you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:27:18 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
