CyberWire Daily - Ransomware incidents: worse than feared. And some of them pose a threat to patient safety. A Fancy Bear sighting? Glitch suspends trading in Tokyo.

Episode Date: October 1, 2020

Two ransomware incidents now seem worse than originally believed. Hacking hospitals raises concerns for patient safety. It appears Fancy Bear was the group that hacked the US Federal agency CISA warned about recently. Chris Novak from Verizon considers whether investigations should be performed under attorney client privilege and if that privilege will hold. Alex Mosher from MobileIron explains how yours truly got phished. With Cookies. And interruptions to trading on Japan’s exchanges seem to be due to technical problems, and not to cyberattack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/191

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Two ransomware incidents now seem worse than originally believed. Hacking hospitals raises concerns for patient safety. It appears Fancy Bear was the group that hacked the U.S. federal agency CISA warned about recently. Chris Novak from Verizon considers whether investigations should be performed under attorney-client privilege,
Starting point is 00:02:17 and if that privilege will hold. Alex Mosher from MobileIron explains how yours truly got phished with cookies. And interruptions to trading on Japan's exchanges seem to be due to technical problems and not to cyber attack. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 1st, 2020. Two ransomware incidents are looking worse than initially anticipated. CMA CGM had disclosed Monday that a ransomware infestation had hit its IT systems, with operations in the Asia-Pacific region most heavily affected. The container shipping giant's early announcements about
Starting point is 00:03:17 the incident tended to describe it as an inconvenience that the company was working through without undue disruption of operations. It now appears, however, that data was compromised. The company updated its disclosure yesterday, Splash247 reports, telling customers, quote, we suspect a data breach and are doing everything possible to assess its potential volume and nature, end quote. Customers are raising eyebrows over what some are criticizing as a laggard acknowledgement that the issue was a ransomware attack and not just an internal glitch.
Starting point is 00:03:51 Still, on the plus side, the cargo seems to have kept moving. And the ransomware attack against Blackbaud and its widely used donor relations management platform has made its effects felt through a widening circle of customers. Those effects are now known to be more serious than had been hoped. According to Computing, Blackbaud has determined that the attackers accessed financially sensitive information. A Form 8-K the company filed with the U.S. Securities and Exchange Commission says, in part, quote, after July 16th, further forensic investigation found that for some of the notified customers, the cyber criminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames,
Starting point is 00:04:36 and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who are involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020, and are being provided with additional support. So again, universities, hospitals, not-for-profits, look to your financial information, or rather to your donors' financial information. There's another undropped shoe in the Blackbaud case that's worth taking note of. The company paid the ransom in exchange for the criminals' promise to destroy any data they'd taken.
Starting point is 00:05:20 We leave it as an exercise for the listener to assess how much stock should be placed in that promise. As Universal Health Systems works to remediate the effects of the Ryuk ransomware attack it sustained this week, the Wall Street Journal argues persuasively that ransomware as such has grown in aggressiveness and sophistication and that it increasingly represents a threat to patient safety. About 250 of Universal Health System's facilities in the U.S. were affected to some extent by the attack. There have been no known repetitions of the sad death of a patient who died when the ambulance carrying her had to be diverted from Dusseldorf's Uni Clinic to a more distant facility. The Dusseldorf hospital was undergoing a DoppelPaymer ransomware attack
Starting point is 00:06:08 that hit on September 10th and temporarily disrupted its ability to accept emergency patients. Do the criminals care? Well, maybe. DoppelPaymer interrupted its attack when German police emailed them that they were killing people. But on the other hand, they didn't really stick around to help the hospital fix the problem. Digital Shadows has taken a look at what goes into the formation of a criminal community, and while the participants all seem recognizably human, with concerns, insecurities, ambitions, the whole nine emotional yards, the criminal fora aren't places for moral rigorists.
Starting point is 00:06:46 So sorry, no Robin Hoods. The cyber hoods are thoroughly 21st century types. The hoods, they want what they want, and they'll go after the targets whom they think are likely to be willing and able to pay. Insofar as they mean well, when such thoughts cross their minds, they don't seem to do much more than rise to the low threshold of slacktivism. Put on a t-shirt that says ally, maybe, or apply a bumper sticker that says you brake for small animals,
Starting point is 00:07:14 whether you do or not. Self-congratulation tarted up as categorical imperative, but when it comes to actually hurting someone, well, the criminals want to be paid. Tough luck. So, hospitals, look to your defenses. More is emerging on the cyber attack the U.S. Cybersecurity and Infrastructure Security Agency last week said a foreign actor mounted against an unnamed U.S. federal agency. Which agency was hit in the cyber espionage incident remains publicly unknown, but Wired reports the perpetrator looks like Fancy Bear, Russia's GRU.
Starting point is 00:07:54 CISA didn't name Fancy Bear, also known as APT28, but they do outline a step-by-step set of techniques that map fairly closely to an approach that researchers at industrial cybersecurity firm Dragos earlier this year ascribed to the GRU. The techniques are also consistent with those Microsoft attributed to Fancy Bear in September. In any case, as a matter of sheer a priori probability, it should surprise no one that Fancy Bear has emerged from the aquarium to snuffle at a U.S. federal agency. The BBC says a technical glitch has caused Japan's stock exchanges to suspend trading. The Japan Exchange Group told the BBC that trading shut down after a backup system failed to kick in after a hardware malfunction. The exchanges hope to be back
Starting point is 00:08:45 up tomorrow. They say that no cyber attack was implicated in this week's system failure. May the exchanges recover on time. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:09:33 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:10:11 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:10:56 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. Not long ago, a package showed up here at CyberWire Intergalactic Headquarters, addressed to me from security company MobileIron. Inside was a box of delicious cookies. But not just any cookies.
Starting point is 00:11:36 These cookies had QR codes printed on them. Alex Mosher is Global VP of Solutions at MobileIron. So you had, obviously, the cookies. And then on each of the cookies, we went ahead and put a QR code. And the reason that we did that is, as we've certainly seen as a result of the pandemic going on, a lot of contactless interaction with various systems. You go back to a restaurant, oftentimes the menu is on a QR code, or you get a receipt or a bill and you're using a QR code, or you're checking out at a service or
Starting point is 00:12:11 maybe even an online system, maybe even folks that used to bill you in person, now maybe they're sending you an email and that has an embedded QR code in it. So QR codes have become really relevant in our lives and certainly, I think, amplified as part of the whole pandemic that we've been going through and managing through. So what we did was we took a box of great cookies, something everybody would, as you mentioned, love to have, and we put a QR code on it, incentivizing you to hopefully your curiosity, get the best of you and get you to go ahead and scan that QR code. Now, the gotcha point with our QR code was it directed you to a site that very easily could
Starting point is 00:12:52 have been a phishing site or a malicious site of sorts just to kind of get you thinking about, whoa, I don't even think about when I go to those examples I gave before the restaurant, the bill, wherever it might be. And I just maybe blindly scan things like QR codes with my mobile device because it's so easy to do and it makes life certainly much simpler, especially in the current times. You know, one thing that struck me in my own experience with the cookies that you all sent out was that, you know, I think it's the default in iOS that when you have your camera app open and it sees a QR code,
Starting point is 00:13:26 it automatically sort of triggers it and it says, hey, do you want me to open this? You can disable that, but I could take issue with that itself. Yeah, no, absolutely. And if you think about it, there are legitimate good sources. It certainly makes life a whole lot more convenient.
Starting point is 00:13:45 Right? If you imagine today with the challenges and think about the communication platforms we have, the ability to quickly just communicate with all kinds of people on platforms like SMS and iMessage and WhatsApp and the sort. So because these systems are so great and they benefit us so greatly, it's what really puts them at such easy target from a hacker's perspective, because they know that you're doing things in quick, real time. You're not really paying super close attention to what's happening. You're there at that location, you get the cookie, you scan it, you're thinking something good is the result, and only to find out that something bad has happened at the end of the day.
Starting point is 00:14:24 Again, you don't have to go even far back in history. I'll reference again that Twitter attack. A lot of this was sort of done that same way, using systems that were put in place to make life easier and more convenient. We focused more on the convenient side than we did the security side. You really have to find a balance between the two. That's Alex Mosher from MobileIron. These are delicious cookies.
Starting point is 00:15:00 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. And joining me once again is Chris Novak. He's the director of the Verizon Threat Research Advisory Center. Chris, it's always great to have you back.
Starting point is 00:15:55 I wanted to touch today about investigations and where we are when it comes to attorney-client privilege these days. There's been some recent developments that have made this a little more interesting, yes? That is absolutely true and maybe even an understatement, yes. Definitely an exciting topic of the day. Well, go on. Leon, explain for us where do we stand right now? Yeah, sure. So I think, you know, one of the challenges we often see is that organizations will typically approach incident response or a breach investigation typically from a technical perspective. You know, the IT team or the IT security team may know exactly how they plan to attack the problem and what tools they're going to use and their technical playbooks.
Starting point is 00:16:43 But oftentimes we'll forget the other stakeholders, right? And there's, you know, HR, there's PR, crisis communications, but then there's usually a biggie in there, legal. And a lot of times organizations will either forget or engage legal maybe just a little bit too late, or their inside counsel may not necessarily have a lot of experience in the areas of data privacy, data security, and the various regulations that may sometimes go along with that, as well as, you know, how would this work if we wanted to do an investigation under attorney-client privilege such that, you know, that legal entity, whether it be inside counsel or outside counsel, can properly guide them through their investigation and what obligations they may have and, you know, also help them as it relates to potential litigation down the road. Is it ever a situation where when folks are in
Starting point is 00:17:31 the midst of this and they're thinking about to what degree they should engage with their in-house legal department, you know, it's easier to apologize and get permission kind of thing, where if we engage these attorneys, they're going to throw a pair of virtual handcuffs on us and limit our ability to be nimble. Yeah, so I mean the thing that I would always recommend, and this is the reason why we do a lot of tabletops and wargaming and things like that before an incident occurs, is to bring those stakeholders into the fold so that you're not just relying on technical playbooks, but you've got stakeholder playbooks for everybody. So you know the questions legal is going to ask. You're going to know the kinds of answers you're probably going to give. And if there's any, quote, handcuffs they're going to put,
Starting point is 00:18:16 you're going to know what that's going to look like and why. And if you can work together, those problems usually are less of an issue, right? And in that case, at least you're playing on the same team and legal knows what their obligations and responsibilities are, and so does the technical folks. Where do opinions stand these days in terms of that attorney-client privilege actually holding? So I'd say there's, you know, some recent court activity that has happened that has, you know, kind of maybe caused everybody to kind of look at things from a side-eye perspective to
Starting point is 00:18:50 figure out, whoa, has the way we've been doing this working? And what I would say is that I think, you know, and I'm not a lawyer, maybe just play one on TV, but, you know, we sometimes joke at Verizon that we have more lawyers sometimes than some law firms do. But we look at a lot of the data privacy and a lot of the data sovereignty laws to try to understand how things work. And then also understand, hey, you know, when there's a breach, there's almost always going to be some element of potential litigation and how you prepare for that. And I think the attorney-client work product doctrine and attorney-client privilege,
Starting point is 00:19:24 I think very much still holds true today. But I think the challenges that we've seen where it's kind of deteriorated in the past has been in circumstances where maybe it wasn't necessarily applied correctly. And so this goes back to that kind of tabletop wargaming kind of aspect where you bring all those stakeholders into the fold for practice sessions so we can understand how to do it. Because, for example, if you try to apply, you know, attorney-client work product doctrine or privilege after the fact, you're probably going to be challenged on it. It's going to be questionable as to whether or not legal was really guiding something if legal wasn't really involved from the beginning. You know, in some of the conversations you and I have had,
Starting point is 00:20:09 you've really emphasized the value of having these tabletop exercises. Can you give us some insights there? I mean, how is that time well spent for the organization? Yeah, I'd say that it's probably one of the most valuable things, and thankfully we've seen a dramatic uptick in organizations actually doing it. If we roll back the clock a handful of years, it was something that it was almost like pulling teeth to try to encourage organizations to practice for a breach. And that's, you know, you kind of think of the older days where, you know, people kind of thought, well, it's probably not going to happen to me. It's almost always going to happen to someone else.
Starting point is 00:20:44 And then they've seen, I think, enough breaches happen where they go, you know what, we should probably know how to deal with this if it happens or when it happens to us. And so absolutely time well spent. Typically, we encourage you to bring all the stakeholders in. So bring representation from legal, HR, PR, crisis communications, the board. If there's regulators, we've even seen some organizations who've said, hey, we really want to impress our regulators. And we feel like having a good relationship with them as opposed to maybe what some would see as an adversarial relationship would be beneficial. So we've even seen some of them bring in their regulators to those exercises just so that everyone can go through the motions together. And one of the best things about it is when an incident does happen,
Starting point is 00:21:27 then it's like you're running through a script that you've all practiced. You know what roles everybody plays, and everybody can do them much better and more comfortably. And then generally, the outcome is more positive because you're not trying to figure out what to do in the middle of a crisis, which I think is the time most people would agree is that's the bad time to figure it out, right? That's why we do fire drills, right? To make sure that when the actual fire happens, we all know the routines
Starting point is 00:21:55 and we've got fire marshals to help make sure we all go out the right places and nobody goes down the elevator, all those kinds of things. That's the analogy that I would draw to the tabletop exercise for a cyber event is, you know, do your fire drills and be prepared. You're much more likely to have a successful or a more mitigated outcome. All right. Well, Chris Novak, thanks so much for joining us. Always a pleasure.
Starting point is 00:22:17 Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, it'll make you kiss a little longer, hold hands a little longer, hold tight a little longer. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:23:05 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan,
Starting point is 00:23:15 Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Starting point is 00:23:22 Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:24:18 That's ai.domo.com.
