CyberWire Daily - Ransomware versus shipping, hospitals, and schools. Cyberattacks’ growing sophistication. An interim rule enables implementation of the US Defense Department’s CMMC program.
Episode Date: September 29, 2020. Three (count 'em) three big ransomware attacks are in progress. One of them has moved into its doxing phase. Microsoft resolves authentication problems that briefly disrupted services yesterday. Tracking trends in cyberattacks--the sophistication seems to lie in the execution. The US Defense Department now has an interim rule implementing its CMMC program. Ben Yelin describes the extensive use of facial recognition software by the LAPD. Our guest is Christy Wyatt from Absolute on their Endpoint Resilience report. And why do hackers hack? To a large extent it seems they do so...because they can. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/189
Transcript
You're listening to the CyberWire Network, powered by N2K.
Three, count them, three big ransomware attacks are in progress.
One of them has moved into its doxing phase.
Microsoft resolves authentication problems that briefly disrupted services yesterday.
Tracking trends in cyber attacks.
The sophistication seems to lie in the execution.
The U.S. Defense Department now has an interim rule implementing its CMMC program.
Ben Yelin describes the extensive use of facial recognition software by the LAPD.
Our guest is Christy Wyatt from Absolute on their Endpoint Resiliency Report.
And why do hackers hack?
To a large extent, it seems they do so because they can.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, September 29th, 2020.
There have been some major ransomware attacks that developed over the weekend and whose effects are continuing. Two of the biggest appear to have hit businesses as opposed to operational systems, and the third one has, as is now customary, made a threat to release sensitive personal information.
The French container shipping giant CMA CGM SA disclosed yesterday it was dealing with a cyber attack on two of its subsidiaries in the Asia-Pacific region. The Loadstar says the company is working through the attack, it's business as usual as far as moving cargo is concerned, and the company is in the process of remediating disruptions to its IT systems. The company's own disclosures said they closed off external access to its systems as it was containing the ransomware. They described the attack as affecting peripheral servers. Sources tell Le Monde Informatique that the attack was a Ragnar Locker ransomware infestation. In any case, copies of what appear to be the ransom note are signed by Ragnar Locker, and they follow that gang's customary pattern, offering, for example, to decrypt two files for free as evidence of good faith, or whatever the criminal equivalent of good faith might be. There's been no indication so far that CMA CGM intends to pay the ransom.
The second big attack was on a large healthcare system that operates facilities in both the U.S. and the U.K., although the disruptions appear to be confined to operations in several U.S. states. Universal Health Services, UHS, is the victim, sustaining a cyber attack that NBC calls one of the largest of its kind. Bleeping Computer reports that it's a Ryuk ransomware attack. Fierce Healthcare says that the affected hospitals are reverting to manual backups while their IT systems are unavailable, but that they are nonetheless being forced to divert ambulances and reschedule surgeries. A brief disclosure UHS issued yesterday said that patients were safe and that no patient or employee data appears to have been accessed, copied, or misused.
Many outlets, ThreatPost and Wired among them, are drawing the obvious comparison between the UHS attack and the ransomware incident earlier this month in Düsseldorf that forced an ambulance diversion that cost a patient her life. There are no such lethal consequences of the UHS incident so far, at any rate, and reversion to manual systems appears to have enabled the hospitals to continue their operations, albeit in an impeded fashion. But the disruption is widespread and, to say the least, inconvenient.
The Russian mob behind Ryuk is known for big-game hunting, that is, going after large corporations and other institutions with deep pockets. They have shown themselves to be indifferent to public safety, whatever Robin Hood and compassionate pieties they may have woofed during the pandemic.
And a third ransomware attack has turned sour after the victims refused to pay the extortionists. The Wall Street Journal reports that Clark County School District in Nevada, the county where Las Vegas is located, which has about 320,000 students, declined to pay, and that the criminals retaliated by releasing social security numbers, grades, and other personal information. The attack appeared to have begun on August 27th, when the district noticed anomalies in its IT systems. The attackers warned the district on September 14th that they would begin releasing information if they weren't paid, and now they seem to be making good on their threat.
One brief disruption yesterday seems to have been unrelated to any attack. Microsoft yesterday suffered outages to Office 365 and the Azure cloud. Redmond resolved the problem, which it characterized as an authentication issue, after a few hours, ZDNet reports.
Microsoft's Digital Defense Report concludes that attackers have markedly increased their sophistication over the past year. The sophistication seems to lie more in improved execution of such well-known techniques as target identification, indirect approach, and credential stuffing than in the deployment of exotic technical novelties. Pick the targets, go after the softer ones that enable you to get at the harder ones, and make effective use of well-known tactics, techniques, and procedures. This can be seen in the way foreign intelligence services interested in, for example, the U.S. elections, are prospecting relatively soft targets among non-governmental organizations and think tanks.
Microsoft highlights four major trends. Last year, they blocked more than 13 billion, with a B, malicious and suspicious emails. More than a billion of those carried URLs set up for the explicit purpose of launching a phishing credential attack. The most common reason they were called in for incident response between last October and this July was, unsurprisingly, ransomware. Nation-state espionage services have been occupied with reconnaissance, credential harvesting, malware, and VPN exploits. And finally, IoT threats are growing and evolving. The first half of this year saw a 35% increase in IoT attack volume over the same period of 2019.
The U.S. Office of Management and Budget has approved an interim rule requiring defense contractor compliance with NIST Special Publication 800-171. The standards in SP 800-171 deal with protection of controlled unclassified information, something defense contractors handle a lot of. The interim rule implements the Defense Department's Cybersecurity Maturity Model Certification program. One of the major changes the interim rule brings is that the Department of Defense will now be able to audit contractor cybersecurity itself. Hitherto, contractors have been expected to self-certify compliance, but now external government audits will be possible. The interim rule takes effect in 60 days, and it's open for comment through the end of November. The program itself remains a work in progress, with a number of unanswered questions and a projected phase-in period of five years.
And finally, why do hackers hack? Well, the motives are varied, but a big explanation seems to be, a Finbold study concludes, that they do it because they can. It's the philosopher John Rawls' Aristotelian principle, or what the old ethologists called, when studying animal behavior, Funktionslust, the pleasure any of us, whether a man, a woman, dog, or cat, gets from doing the stuff we're able to do. And for the spies and the crooks, well, right, they want information and money. But they also probably do it because they can.
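Editor's added example (not part of the episode, and not Microsoft's or the CyberWire's code): the Digital Defense Report segment above names credential stuffing as one of the well-known techniques attackers are simply executing better. In an authentication log, stuffing has a recognisable shape, one source failing against many different accounts a few times each, which is distinct from brute force (one account, many tries) and from a user mistyping a password. The Python below runs that test over a constructed log; the line format, the thresholds, the sample addresses and account names are all assumptions made for the illustration.

```python
"""Spot credential stuffing in an authentication log.

Credential stuffing replays leaked username/password pairs, so its signature
is one source failing against MANY DISTINCT accounts, a few tries each, in a
short window. A brute-force run looks different: one account, many tries.
The log format and the sample lines below are constructed for this example;
point parse_line() at your own IdP or web-server log format in practice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real logs). One record per line:
#   <ISO timestamp> auth <OK|FAIL> user=<account> ip=<source address>
SAMPLE_LOG = (
    # 203.0.113.7: nine different accounts, one failure each (stuffing)...
    [f"2020-09-29T08:00:0{i // 2} auth FAIL user={u} ip=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin",
                            "frank", "grace", "heidi", "ivan"])]
    # ...followed by a success: one replayed pair worked.
    + ["2020-09-29T08:00:06 auth OK user=judy ip=203.0.113.7"]
    # 198.51.100.9: twelve failures against one account (brute force).
    + [f"2020-09-29T08:01:{s:02d} auth FAIL user=admin ip=198.51.100.9"
       for s in range(12)]
    # 192.0.2.5: a user who mistyped twice and then got in (benign).
    + ["2020-09-29T08:05:00 auth FAIL user=mallory ip=192.0.2.5",
       "2020-09-29T08:05:10 auth FAIL user=mallory ip=192.0.2.5",
       "2020-09-29T08:05:20 auth OK user=mallory ip=192.0.2.5"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_stuffing(lines, window=timedelta(minutes=10), min_failures=8,
                    min_users=5, max_per_user=3):
    """Return {ip: summary} for sources whose failures fit the stuffing shape:
    at least min_failures failures inside `window`, spread over at least
    min_users accounts, with no single account tried more than max_per_user
    times. `hits` lists accounts the same source then logged into
    successfully at or after the window began: the ones to reset first."""
    fails, oks = defaultdict(list), defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        (fails if e["result"] == "FAIL" else oks)[e["ip"]].append(e)

    findings = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding window over failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if (len(win) >= min_failures and len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and len(win) > findings.get(ip, {}).get("failures", 0)):
                hits = sorted({e["user"] for e in oks[ip]
                               if e["ts"] >= win[0]["ts"]})
                findings[ip] = {"failures": len(win),
                                "distinct_users": len(per_user), "hits": hits}
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Only the first source is reported; the single-account hammering and the mistyped password fall outside the distinct-accounts rule. The `hits` field is the part worth acting on: an account that a stuffing source logged into successfully should be treated as compromised (force a reset and revoke sessions) rather than merely rate-limited. Real campaigns rotate through many source addresses, so in production the same aggregation is usually keyed by ASN, user-agent fingerprint or JA3 hash as well as by IP.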
Christy Wyatt is president and CEO at Absolute Software, a provider of endpoint security. They recently published a report highlighting their insights on endpoint resilience. Christy Wyatt joins us with their findings.
So this is the second. We did our inaugural report about a year ago where we, because of our position embedded in a half a billion devices, we have a lot of visibility over those devices that are activated. And as we were sort of watching COVID unfold, but also watching the state of security as COVID was unfolding, we like to publish that data so customers can really use it to benchmark themselves and to sort of check their strategies and see what others might be doing that might be helpful for them.
Well, let's go through some of the findings together.
What were some of the key things that stood out to you?
In this past report, in the past State of the Endpoint report,
I think one of the biggest things that we've been tracking over the past year
has really been the resiliency of security controls on endpoint devices.
By that, we mean we measure not just how many security applications or controls you have
protecting your device, but how well they're working. Are they installed? Are they running?
Have they gone offline? And so some of the things we noticed this year versus last year is that
we've continued to see the number of security controls on these devices increase, but we've
also seen the rate of decay stay constant, meaning that these controls continue to fall offline.
And during this year, a year where every device is off the network and at home with your employees, it's a very bad year to not have your security running when you need it the most.
Well, given the information that you've gathered here, what are your recommendations?
How do organizations do a better job of getting on top of this?
We think right now,
especially given what's going on around us,
we're sort of in a new modernization
of endpoint computing.
You know, these kinds of events
force you to reevaluate your architecture
and say, do I have all of the pieces I need?
And so today, what's most important
is that you know where
every single asset is because it's not in the building. You know, you need to think about what
are the strategies for these security applications. A lot of the security applications that we've
come to rely on have an assumption that you're connected to the corporate network,
either because you're in the building or because you're at home connected via VPN.
And then the third
piece that we talk about all the time is resiliency. So how do we uniquely heal things? So there's a
variety of different things you can do when something's gone wrong. You can notify the
administrator. You can throw a flag. Of course, we know that the folks that are looking for these
kinds of warning signs are being drowned and inundated with signals, especially since everybody went home.
We know that help desks are struggling.
So sending a signal or sending a red flag is not necessarily going to be helpful.
So these things are going to fail.
These things are going to go offline.
It is natural, like any other living, breathing thing. You know, an endpoint, you can kind of view it as something that's always in a constant, ever-changing state, like a living, breathing thing. So you need to have a way of fixing things and then learning after the fact. What did I just fix and why did I need to fix it in the first place? And then you can make better decisions in IT.
That's Christy Wyatt from
Absolute Software. Thank you.
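Editor's added example (not from the interview, and not Absolute's telemetry or code): the point Christy Wyatt makes above is that counting deployed controls is not the measurement that matters; whether each one is still installed and running on every device, and how fast they fall over, is. Given periodic agent check-ins that report each control's state, the Python below computes that decay rate per control across a small fleet and turns the current state into a remediation list, in the "heal first, then learn why" order she describes. The check-in schema, the control names and the records are all constructed for this example.

```python
"""Measure endpoint security-control decay from agent check-ins.

The question is not "how many controls are deployed" but "are they still
running", and at what rate they stop. Given periodic check-ins that report
each control's state, this computes, per control, the share of devices where
it was running at the first check-in and is not running at the latest one,
and turns the current state into a remediation list. The check-in schema,
control names and records are constructed for this example.
"""
from collections import Counter, defaultdict

RUNNING, STOPPED, MISSING = "running", "stopped", "missing"

# Constructed check-ins: (device, check-in sequence number, {control: state}).
CHECKINS = [
    ("lt-001", 1, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-001", 2, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-002", 1, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-002", 2, {"edr": STOPPED, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-003", 1, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-003", 2, {"edr": RUNNING, "vpn": MISSING, "disk_crypto": RUNNING}),
    ("lt-004", 1, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-004", 2, {"edr": RUNNING, "vpn": RUNNING, "disk_crypto": STOPPED}),
    ("lt-005", 1, {"edr": STOPPED, "vpn": RUNNING, "disk_crypto": RUNNING}),
    ("lt-005", 2, {"edr": STOPPED, "vpn": RUNNING, "disk_crypto": RUNNING}),
]


def _state_at(checkins, pick):
    """device -> {control: state}, taken from the check-in that `pick`
    (the builtin min or max, applied to the sequence number) selects."""
    by_device = defaultdict(list)
    for device, seq, controls in checkins:
        by_device[device].append((seq, controls))
    return {d: pick(rows, key=lambda r: r[0])[1] for d, rows in by_device.items()}


def decay_report(checkins):
    """Per control: the devices where it was running at the first check-in
    and is not running at the latest, and that count as a share of the
    devices where it was ever running (the baseline)."""
    first, last = _state_at(checkins, min), _state_at(checkins, max)
    baseline, decayed = Counter(), defaultdict(list)
    for device, controls in first.items():
        for control, state in controls.items():
            if state != RUNNING:
                continue   # never healthy: a deployment gap, not decay
            baseline[control] += 1
            if last[device].get(control) != RUNNING:
                decayed[control].append(device)
    return {c: {"devices": sorted(decayed[c]), "rate": len(decayed[c]) / n}
            for c, n in baseline.items()}


def remediation_plan(checkins):
    """Heal first, ask why afterwards: one action per control that is not
    running right now. A stopped control is restarted, a missing one is
    reinstalled; running controls are left alone."""
    actions = {STOPPED: "restart", MISSING: "reinstall"}
    plan = []
    for device, controls in sorted(_state_at(checkins, max).items()):
        for control, state in sorted(controls.items()):
            if state in actions:
                plan.append((device, control, actions[state]))
    return plan


if __name__ == "__main__":
    for control, summary in decay_report(CHECKINS).items():
        print(f"{control}: {summary['rate']:.0%} decayed on {summary['devices']}")
    for device, control, action in remediation_plan(CHECKINS):
        print(f"{device}: {action} {control}")
```

The two reports answer different questions. The decay rate is the fleet-level trend the interview is about (a control that keeps falling over on a quarter of devices is a design problem, not a help-desk ticket), while the remediation plan is the per-device action list. Note that `lt-005` never had a healthy EDR agent, so it appears in the plan but not in the decay figures; keeping those two cases apart is what lets you ask "why did this need fixing" with the right data in hand.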
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health
and Homeland Security and also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you again, Dave.
Interesting article.
This is from the LA Times, written by Kevin Rector and Richard Winton.
The article is titled,
Despite past denials, LAPD has used facial recognition software 30,000 times in the last decade.
Records show.
What's going on here, Ben?
So the Los Angeles Police Department had previously denied using facial recognition software entirely,
or at least they denied having records related to facial recognition.
But this article, through its investigation,
discovered that they had used facial recognition technology
nearly 30,000 times since 2009.
So I think what they were saying to press
prior to this article and this study being released
was technically true.
They did not maintain the records,
but they have access to a regional database
maintained by the Los Angeles County Sheriff's Department.
And through that database, they were able to, or Los Angeles Police Department officers were able to access facial recognition records over nearly 30,000 times over the past 11 years.
This is an extremely effective law enforcement tool, at least it is theoretically.
If you have victims of crimes who are not willing to confront criminal defendants in court,
oftentimes the best way to identify those criminal defendants is through something like facial
recognition software. If you have a security camera that caught somebody's face and you match
it up to a mugshot or a driver's license record,
that is going to be very compelling evidence in a court of law. But, you know, there are always
privacy concerns, and there are particularly transparency concerns when, you know, it takes
a Los Angeles Times expose to discover the extent to which this technology is being used.
Yeah, it seems to me like there's a big gap between no use and 30,000 times.
How is the LAPD trying to thread that needle?
So the assistant chief of police of Los Angeles, a guy by the name of Horace Frank, claimed as part of this article
that it is no secret that the Los Angeles Police Department uses this technology. He said they're
not trying to hide anything. This is directly in contrast to recent denials from the department
itself, including two in the past year where they claimed to not have access to facial recognition records.
The discrepancy is explained
in kind of the most pathetic way possible,
which is they were simply mistakes.
We did not mean to conceal the fact
that we're using this technology.
It just sort of happened.
That seems to be the explanation that they came up with.
My guess is there is some gray area in terms of maintaining records and accessing records.
And it seems to be true that they did not maintain those records, but through this regional collaborative through the Los Angeles County Sheriff's Office, they were able to access these records.
And I think that distinction might be meaningful from the department's perspective, but at least from the public's perspective, it's probably rather useless.
The public now knows that no matter who's actually storing these records, they've been used up to
30,000 times in the country's second largest local police department.
Now, California has led the way when it's come to many privacy laws.
Could this article here, these revelations from the LA Times, could this be ammunition for those who are looking to bolster those arguments?
So there are some legal protections as it relates to facial recognition technology.
There was a memo written by the Los Angeles Police Department's Office of Constitutional Policing and Policy.
Always good to have one of those offices.
That sets facial recognition usage policies within the department.
So it said that the technology shall not be utilized to establish any database or create suspect identification books.
It has to be based on particular information.
It can't be used as a general identification tool when there's no investigative purpose or the sole source of identification for a subject's identity.
I think these are very helpful protections because we know that facial recognition software is not fail-proof and it introduces its own biases.
And we've seen cases where people have been falsely accused based on facial recognition technology.
So it's good to have these protections in place.
But it's always a question of enforcement.
If the department was not aware enough to admit
that they were obtaining these records 30,000 times
over the last 11 years,
it's going to create a trust issue as to whether they're complying with these department regulations.
Yeah, I mean, I guess this notion that the LAPD can follow these rules internally,
but then when it's convenient, walk across the street to their good friends at the L.A. Sheriff's Department and make use of their system.
You know, you can imagine why people would call foul on that.
Yeah.
I mean, I think it was a misleading way to respond to press inquiries about this.
You can see why they did it.
I mean, because it's such an effective investigative tool,
you don't want to use that as a tool.
You also don't want to cause controversy
among the public that you're trying to protect.
So you can certainly understand
that from their perspective, but it was
a little bit evasive
to glom onto this distinction between
storing the records and
collecting the records.
I think that's something that they have to be held to account for.
All right, interesting story from the LA Times.
Again, it's titled, Despite Past Denials, LAPD Has Used Facial Recognition Software 30,000 Times in the Last Decade, Records Show.
Ben Yelin, thanks for joining us.
Thank you.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity
leaders who want to stay abreast of this rapidly
evolving field, sign up for CyberWire
Pro. It'll save you time
and keep you informed, and it lets your
fingers do the walking. Listen
for us on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland out of the
startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.