CyberWire Daily - Ransomware hits US, French companies. ISPs as combat support arms. Lawful intercept gone rogue? Lazarus Group is back and in GitHub. China’s security laws and security risks.

Episode Date: October 15, 2019

Ransomware hits companies in France and the US. A Finnish energy company sustains a suspicious IT incident. Turkey jams social media as it rolls tanks against the Kurds. Pegasus spyware said to be in use against Moroccan activists. Silent Librarian is still making noise. The Lazarus Group is back with a malign crypto-trading app. China tightens its cyber laws, and the EU privately warns itself that, yes, companies like Huawei are a security risk. Joe Carrigan from JHU ISI, responding to a listener question about training new employees. Carole Theriault interviews Dirk Schrader from Greenbone Networks on the security of medical data. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_15.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ransomware hits companies in France and the U.S. A Finnish energy company sustains a suspicious IT incident. Turkey jams social media as it rolls tanks against the Kurds. Pegasus spyware is said to be in use against Moroccan activists.
Starting point is 00:02:12 Silent librarian is still making noise. The Lazarus Group is back with a malign crypto trading app. China tightens its cyber laws. And the EU privately warns itself that, yes, companies like Huawei are a security risk. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 15, 2019. In incidents that give point to recent Europol and FBI warnings about the ransomware threat, two major companies, one in the U.S. and the other in France, have sustained significant ransomware attacks. Connecticut-based shipping and postage metering company Pitney Bowes
Starting point is 00:02:54 disclosed yesterday morning that it had sustained a serious ransomware attack. The company believes that customer data were not compromised and that the consequence of the attack will be confined to service disruptions. Group M6, the largest media company headquartered in the Parisian suburbs, also disclosed an attack over the weekend and L'Express calls it ransomware. Group M6 programming continued, but some business and customer contact functions were degraded. There's no evidence so far that the attacks are connected. In neither case has the ransomware strain or a threat actor been publicly identified.
Starting point is 00:03:33 Another major company, Finland's Neste Oil, that country's principal oil and gas producer and alternative energy company, sustained an incident late Friday that disrupted operations. It's unclear at this time whether Neste was the victim of a cyberattack or simply suffered an IT glitch, but the incident does look suspicious and will bear watching. Turkish authorities have interdicted social media along the Syrian border in support of an offensive against Kurdish forces, Wired reports. Facebook, Instagram, Twitter and WhatsApp were blocked for about 48 hours.
Starting point is 00:04:10 Social media have served as significant command and control channels for insurgents around the world. The Turkish attacks, conducted on the ground by conventional heavy forces, occur as the U.S. announced pullouts of troops from northern Syria. The U.S. has condemned the attacks, which Turkey maintains are legitimate self-defense against the threat of Kurdish insurgency, and has imposed a range of sanctions against Ankara. It is, of course, the tanks and infantry that drew the sanctions, not the ISP's takedown of social media, but conventional operations in Syria can be expected to be accompanied by cyber operations. Moroccan authorities appear to be using Pegasus spyware, a tool produced by NSO
Starting point is 00:04:53 Group, to monitor dissidents. Ars Technica reports that two prominent Moroccan human rights activists received SMS messages that sought to induce them to download Pegasus onto their devices. received SMS messages that sought to induce them to download Pegasus onto their devices. NSO Group told Ars that, as is the case with any lawful intercept product, it's possible that Pegasus can be misused, and that NSO Group is investigating the incident with a view to taking appropriate action. NSO Group has been criticized for making its tools available to governments they might have foreseen would abuse them. It's undeniably true that software like Pegasus has legitimate and even life-saving uses, but critics say that NSO Group's products seem to be particularly likely to fall into the hands of repressive or irresponsible governments. German company Greenbone Networks recently
Starting point is 00:05:43 conducted research examining the exposure of medical imaging data online. The Cyber Wire's Carol Theriault files this story. With me today is Dirk Schrader, a cyber resilience architect at Greenbone Networks. Now I've asked Dirk onto the show to share his recent findings from a Green Room report. So health providers around the world store medical images, so things like x-rays and scans and the like, and a lot of them use the same protocol. This is known as DECOM or digital imaging and communications in medicine. And this makes it easy for surgeons or consultants or diabeticians or any medical professional
Starting point is 00:06:20 to access the files. Dirk, thank you so much for making time to come on the show today. So let me guess, you led this research to see if there was any issues in how the data was stored, and you found out that everything was tip-top and there was no problems at all, I imagine. Well, thanks for having me here today. First of all, no, it's not all in good shape. The details we found are really concerning. So we've analyzed about 2,300 systems, found that 590 of them are completely unprotected and connected to the internet, which is a major mistake in itself. There was no password or encryption or anything. Think of it like being connected to a browser, just that the browser is specialized to view medical images. Right.
Starting point is 00:07:07 No protection at all. So this is kind of concerning for people like me, because obviously this is incredibly sensitive information. Tell me, were there PII involved as well as the images? Yes, there were. We've seen names, date of birth, date of examination, reasons for examinations. We have had access to images related to that exam. Sometimes the patient data was sort of identified by social security numbers. There was lots of personal identifiable information in it.
Starting point is 00:07:43 of personal identifiable information in it, yes. Oof. We have informed ProPublica and the German TV broadcaster about our findings just because of the massive scale of the problem. Right. Plus it was important to have media coverage to alert people about the problem and in the same way to contact the authorities in the various countries to resolve the problem. So this problem is rather huge. How can you inform everyone to take a look at how their medical data is being stored
Starting point is 00:08:13 and what they should do to make it safer? Yeah, exactly. That's the point. So what I read from your report is you found something like 24 million data records that were improperly protected and stored. Yes. And that's huge. That includes 700 million images related to that 24 million patient records, and 400 million of them were actually accessible.
Starting point is 00:08:36 Really, click on them and you see them. Wow. Now tell me, who's the worst country? The worst country, let's say the top five are US, Brazil, India, Turkey and South Africa. US is up in the top five? Yes. Why do you think that is? I mean, it's always going on about how cyber resilient they are as a nation.
Starting point is 00:08:56 Were you surprised by that? Actually not, because in preparation for this research, we did another research asking critical national infrastructure providers about their approach to cyber resilience. And we found out that only one third globally said, oh, we consider ourselves cyber resilience. And the other two thirds are considering themselves not to be cyber resilient. I know, but you know, there are seriously huge laws out there. There's HIPAA, there's GDPR. Do you think they've taken your alert seriously?
Starting point is 00:09:26 Or do you see changes being made? We do see changes being made. We do see, on the other hand, also countries not reacting at all, at least from what we can see. I'm not sure about the internal progressing there. For me, the most important thing here to highlight is we are so much focused on attacks that we forget to look at ourselves and our capabilities to withstand, to be resilient. The scary thing that occurs to me here is if someone nefarious got their hands on this data, it would be an exquisite way to get information from a social engineering or phishing point of view. Yeah, definitely. Whether you have a spine problem, whether you have had x-rays or CTs, MRTs for cancers, which can be inferred from the data because a certain circumstance in your personal life and use that against you. Can I just say, I am very happy you guys invested in this research because I,
Starting point is 00:10:26 and I'm sure everyone else out there, want this fixed ASAP. You've been listening to Dirk Schrader from Greenbone. Again, thank you for coming on the show. Thank you for having me. This was Carol Theriault for the Cyber Wire. Proofpoint has issued another report on Silent Librarian, the Iranian threat group also tracked as Cobalt Dickens and TA-407. Silent Librarian, associated with Iran's Mabna Institute, targets universities through phishing campaigns that make heavy use of spoofed university brands and library-themed phish bait. The objective appears to be intellectual property theft. fish bait. The objective appears to be intellectual property theft. Silent Librarian fishes for its prospects with emails telling the recipients that they need to renew their library privileges, return overdue material, and so on. North Korea's Lazarus Group has renewed its deployment of an
Starting point is 00:11:18 Apple backdoor against cryptocurrency exchanges. Malware Hunter team alerted researchers to the activity Friday. It was further examined by researcher Patrick Wardle, who sees the malware as a variant of the Apple juice operation Kaspersky described in August. In this round, the Lazarus Group is again using a front company, JMT Trading, to upload malicious code to GitHub. The back door is embedded in code that purports to be an innocent cryptocurrency trading app. Trade if you must, speculators, but please do so with appropriate caution. Evidently feeling confident and frisky after having dunked on the NBA last week,
Starting point is 00:11:58 Beijing has enacted a range of laws that give the government super-user access to devices in the country and that mandate extensive data sharing from companies who wish to do business in China. The famously privacy-sensitive Apple, known for pointing out, while looking across Silicon Valley at Google, that if you're not paying for the product, you are the product, has itself been providing data on users in China to Tencent, a Chinese conglomerate that's about as remote from the Chinese government as Huawei. Speaking of Huawei, the European Commission last week released a public report that, while not saying it in so many words,
Starting point is 00:12:36 was nonetheless read as a warning about Huawei. The Wall Street Journal has now broken the story that there was a second non-public warning circulated among European governments that was more direct and less ambiguous. The most striking part of the account is the reported inference that there's no easy technical fix or vetting that's likely to mitigate the risk. A source told the journal, quote, these vulnerabilities are not ones which can be remedied by making small technical changes, but are strategic and lasting in nature. isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:13:30 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:14:05 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:26 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
Starting point is 00:15:17 breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Great to have you back, Joe. It's good to be back, Dave. Joe, we got a letter from a listener that I wanted to share because I know this is something that's near and dear to your heart.
Starting point is 00:15:47 The letter goes like this. He says, hi, Dave. Here's a big picture issue I'd like to just throw out there to you. Years ago, I thought I wanted to weld for a living. After doing it for a few years, I realized most well-paying and secure jobs required extensive travel and several years away from home and family. So I decided to go back to school and earn my associates in cybersecurity. Now I see the cybersecurity industry making the same mistake the welding industry has made. Very few companies want to hire people like me who are
Starting point is 00:16:17 inexperienced but ambitious. Most jobs under an entry-level search require a bachelor's degree and at least five years of experience. My main point is this. If companies want to secure their own future, they need to begin investing now in more raw talent. It's okay for them to ask for experienced professionals. I realize some jobs truly require years of experience. But start hiring more new people and invest in them. Don't just ask for the best people because eventually, with the way it's heading, the future's best won't be very good. We need experience to get a job, but need a job to get experience. I don't mean to rant, Dave. It just makes me disappointed to see this happening to such a large and important industry. I'm not just sad for me. I'm sad for what I know the
Starting point is 00:16:59 future will look like unless companies change their view of this issue. Joe, your response? Go on. Exacerbated. Dave, this is an issue that is near and dear to my heart. You are 100% correct about this. And not only that, but it's something that really, really gets my dander up, let's say. All right. All right.
Starting point is 00:17:20 Entry level in cybersecurity is not five years of experience. Someone with five years of experience in cybersecurity is not even considering your entry level position. You need to change what you're looking for. What you're looking for is smart people who can learn quickly and who work well in teams. That's what you're looking for in cybersecurity entry level positions. and who work well in teams. That's what you're looking for in cybersecurity entry-level positions. You're not looking for people with CISSP's, which I have seen even recently.
Starting point is 00:17:54 Nobody with a CISSP is looking at a job that pays less than six figures. You're going to have to accept that as a fact. Why do you think we see this so much? In other words, what are they – it seems to me like there's some gaming of the system or attempt to game the system going on here. Do you think they're just putting it out there trying to find someone who's willing to be underpaid? Yeah, I think that they're trying to... It's one of three things. It's like you're suggesting, greed. They're trying to get the best person for the lowest amount of money. Nothing wrong with that, I suppose, if you're running a business.
Starting point is 00:18:26 Right. But let me explain something to you again. I mean, this is interesting information. Yeah. There are 300,000 open security positions in the United States right now. Okay. And I can't remember where I got this information from, but I just researched it just a couple days ago.
Starting point is 00:18:41 I'm speaking off the top of my head. There are 700,000 people working in the field right now. That means that close to one-third of the jobs in this industry are not filled. And the people that are here in these positions right now are not going to fill them. All you're doing is looking for these experienced people you're poaching from other positions. Right, you're just shuffling people around. You're shuffling people around. We need to get new people into these positions.
Starting point is 00:19:07 We need to get new people like this listener who's taken the initiative, gone out and gotten an associate's degree in cybersecurity. This guy is an ideal candidate for an entry-level position. So why, in an industry that is, I would hazard to say, cash-rich. Why not invest in the new talent? Why not invest in your company? Right. Why not? So the green is the first one.
Starting point is 00:19:33 I think ignorance is the second reason this happens. All right. People just don't make the effort to understand what is an entry-level position in cybersecurity. They think, oh, an entry-level position at working in the loading dock is five years of experience. Therefore, an entry-level position working in cybersecurity is five years of experience. No, no, that's not the case. You're dealing with two completely different sets of skills. Okay. Right. And the other one I think is, is fear. People are afraid to hire new people. You're going to have to get over that fear and hire new people. Hire new people and help grow their skills and understand that part of your team is going
Starting point is 00:20:10 to have to consist of absolute newbies in this field and that they're going to have to be part of your team of security people. Companies are just going to have to make the investment in new people and that's just the way it is. And if you're really not willing to make the investment, then be prepared to have that position unfilled for a very long time. Just get used to it. And when your boss asks you, why don't you have that position filled,
Starting point is 00:20:35 you should tell them, it's because I don't understand how to fill that position and I'm not good at doing my job. I can tell, Joe, this is something that you feel strongly about. It is something that irritates me all the time. I hear this from so many people. This is not the first time I've heard this complaint. I've gotten some certification. I've gotten an associate's degree.
Starting point is 00:20:54 I'm ready to get into the field. I'm ready to start working. I'm ready to get my hands dirty. But nobody will hire me. Why won't people hire these people? And yet they're out there hearing that people can't fill the positions. Right. And yet we're hearing there's 300,000 open positions in this country alone, globally 1.8 million.
Starting point is 00:21:11 And we can't fill the positions because you're not willing to hire the right people. That's why. Take a chance. Yep. Take a chance. Roll the dice. Yep. All right.
Starting point is 00:21:19 Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. CyberWire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Starting point is 00:22:30 Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
Starting point is 00:22:58 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
