CyberWire Daily - Sandworm is out and about, so patch already. Steganography used in attacks on industrial targets. An Executive Order on Preventing Online Censorship. Breaches, ransomware, and lessons.
Episode Date: May 29, 2020
NSA warns that the GRU's Sandworm outfit has been actively exploiting a known vulnerability in Exim. Someone is attacking industrial targets in Japan and Europe using steganography and other evasive tactics. NTT Communications is breached, and Michigan State University sustains a ransomware attack. Ben Yelin unpacks the President's executive order aimed at social media companies. Our guest is Vik Arora of the Hospital for Special Surgery on protecting health care organizations during COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/104
Transcript
You're listening to the CyberWire Network, powered by N2K.
NSA warns the GRU's sandworm outfit has been actively exploiting a known vulnerability in Exim.
Someone is attacking industrial targets in Japan and Europe using steganography and other evasive tactics.
NTT Communications is breached and Michigan State University sustains a ransomware attack.
Ben Yelin unpacks the president's executive order aimed at social media companies.
Our guest is Vik Arora of the Hospital for Special Surgery
on protecting healthcare organizations during COVID-19.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 29, 2020.
The U.S. National Security Agency warned yesterday that Russia's GRU continues to exploit the Exim mail vulnerability, CVE-2019-10149.
NSA identifies the Russian unit involved as specifically belonging to GRU's Main Center for Special Technologies, the group commonly known as Sandworm.
The vulnerability was disclosed and patched in June of last year,
and NSA advises users to apply the patch.
This provides another object lesson in the importance of keeping software up to date.
The GRU has been exploiting the bug since August 2019.
It also provides another example of the ways in which the historically reticent NSA has become increasingly engaged in providing public warnings and advice on cybersecurity.
Kaspersky outlines a campaign against industrial targets in Japan, Italy, Germany, and the UK.
The specific goals of the campaign are unknown, although Kaspersky says they've observed destructive activity and extraction of data.
The attackers use steganography in the data extraction process,
that is, they hide code in an image. This and other aspects of the campaign make the attacks
difficult to detect and block. Yesterday, U.S. President Trump signed an executive order on
preventing online censorship, intended to address ways in which social media are applying selective censorship that is harming our national discourse.
It addresses Section 230 of the Communications Decency Act,
which affords civil liability protection to online service providers
that act as neutral platforms as opposed to editors.
The Secretary of Commerce will lead a petition for rulemaking to clarify Section 230.
Federal agencies will evaluate spending on platforms that engage in viewpoint discrimination, and the Federal Trade
Commission will investigate unfair trade practices related to content moderation. Among the points
that stand out in the order are its observation that the protections in Section 230 were designed
narrowly to provide certain protection for minors.
It also emphasizes the Act's provision that restrictions on content be done in good faith.
And it asks the Federal Trade Commission to take a close look at social media companies' outsourcing of content moderation to third parties
that themselves arguably engage in viewpoint discrimination.
The order is widely viewed as a response to the president's recent experiences with Twitter.
At issue is the difficult question of what counts as a neutral supplier of a service and what counts as being a publisher with responsibility for content.
Thus, should Facebook, Instagram, and Twitter be treated like sellers of newsprint or like newspapers,
like a telephone company, or like a television station?
We'll hear more on the executive order from our guest, Ben Yelin,
of the University of Maryland Center for Health and Homeland Security, a little later in the show.
Several data breaches and ransomware incidents are being reported.
NTT Communications, the Tokyo-based telecommunications
service provider giant, has disclosed that one of its servers was breached. A relatively small
number of customers is so far thought to be affected, a little more than 600. The attack
began in a Singapore cloud server from where the attackers moved to an internal server and then to an NTT Active Directory server from which the data was
taken. The criminal proprietors of NetWalker ransomware have also been active. They've hit
Michigan State University and given the administration until next Thursday to pony up
the ransom. If the university doesn't come up with the ransom, the amount of which isn't yet
publicly known, the extortionists will release the
sensitive data they've stolen. To show that they're in earnest, the gang has posted images of directories,
a passport scan, and financial documents, BleepingComputer reports. ZDNet notes that NetWalker has
recently been used against the Australian logistics company Toll Group and the Austrian city of Weiz.
Netwalker is a ransomware-as-a-service operation that's actively recruiting new affiliates.
And finally, what have people been learning with respect to cybersecurity during the pandemic emergency? As far as we can see, we're learning a great deal about improvisation under pressure,
and we're also learning that we can live without,
or at least work without. We've been following the COVID pandemic since the CyberWire,
like many other businesses in our area, moved to remote work on March 16th. This was, of course,
consistent with shelter-in-place guidance from public health authorities. Maryland relaxes some
of its public health guidelines today, and this seems a good point at which to take stock
of how the emergency has affected the cybersecurity sector.
While the pandemic and its effects are far from over,
its consequences for cybersecurity now seem clear enough
for us to suggest some lessons we might draw from the experience.
And it also seems to be the right time to roll our coverage
of COVID-19-related news into our ordinary coverage of cybersecurity.
We conclude this series with today's story.
If there's one overarching observation to be made about the pandemic and its effects on cybersecurity,
it's that improvisation under pressure creates unexpected challenges, risks, and opportunities.
We'll have a final wrap-up Monday with our planned final daily update on COVID-19
and its effects on the cybersecurity community.
Until then, enjoy the weekend.
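A practitioner's check to go with the Exim story above. This is example code added for this edit; it is not from the episode, from NSA, or from the Exim project. It assumes that CVE-2019-10149 affects upstream Exim 4.87 through 4.91 and was fixed in 4.92, and that the `${run{` string-expansion pattern in a recipient address is the indicator public write-ups of the bug associate with exploitation attempts. It parses `exim -bV` output, flags versions in the affected range, and scans Exim main-log lines for that indicator. The `exim -bV` banner and the log lines in the block are constructed samples, not captures from a real host.

```python
"""Triage helper for CVE-2019-10149 in Exim (added example, not from the episode).

Assumptions, as stated in the lead-in: affected upstream versions are 4.87
through 4.91, the fix shipped in 4.92, and "${run{" in a recipient address is
the indicator public write-ups associate with exploitation attempts.
"""
import re
import subprocess
from typing import List, Optional, Tuple

AFFECTED_MIN = (4, 87)  # first affected upstream release (assumption)
FIXED_IN = (4, 92)      # first upstream release carrying the fix (assumption)

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")
_RUN_EXPANSION_RE = re.compile(r"\$\{run\{")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from `exim -bV` output; None if no version line."""
    m = _VERSION_RE.search(bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_upstream(version: Tuple[int, int]) -> bool:
    """True when the upstream version number falls inside the affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(bv_output: str) -> str:
    """Classify a host from its `exim -bV` banner.

    Caveat: distributions backport fixes without changing the upstream version
    number (the fix lives in a package revision), so a banner in the affected
    range means "verify the vendor patch level", not "confirmed vulnerable".
    """
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown: could not parse an Exim version"
    label = f"{version[0]}.{version[1]}"
    if not is_affected_upstream(version):
        return f"ok: upstream {label} is outside the affected range"
    return f"check: upstream {label} is in the affected range; confirm the vendor patch level"


def find_run_expansion(log_lines: List[str]) -> List[str]:
    """Return main-log lines that contain the "${run{" expansion indicator."""
    return [line for line in log_lines if _RUN_EXPANSION_RE.search(line)]


def local_bv_output() -> Optional[str]:
    """Run `exim -bV` on this host; None if Exim is not installed or fails."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout


# Constructed sample banner (not captured from a real host).
SAMPLE_BV = (
    "Exim version 4.91 #1 built 22-Mar-2019 10:12:15\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
    "Support for: crypteq iconv() IPv6 PAM TLS_GNUTLS\n"
)

# Constructed sample main-log lines; only the second carries the indicator.
SAMPLE_LOG = [
    "2020-05-28 03:14:15 1jdN4a-0001Xk-2Q <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtps S=2048",
    "2020-05-28 03:14:16 1jdN4b-0001Xm-7F <= bob@example.net H=(localhost) [198.51.100.7] P=esmtp S=512 "
    "for ${run{/bin/sh -c 'id'}}@localhost",
    "2020-05-28 03:14:17 1jdN4a-0001Xk-2Q => alice <alice@example.org> R=local_user T=local_delivery",
]

if __name__ == "__main__":
    banner = local_bv_output() or SAMPLE_BV
    print(assess(banner))
    for hit in find_run_expansion(SAMPLE_LOG):
        print("indicator:", hit)
```

Run it on a mail host to get the banner verdict; point `find_run_expansion` at the real main log (for example the lines of `/var/log/exim4/mainlog`) rather than the constructed sample. The "check" verdict is deliberate: a version number alone cannot distinguish an unpatched 4.91 from a distribution build that carries the backported fix.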
My guest today is Vik Arora,
Chief Information Security Officer of the Hospital for Special Surgery in New York.
He shares his insights on protecting
a healthcare facility in the midst of COVID-19. So HSS is an orthopedics and rheumatology hospital
with presence in New York metropolitan area, Colorado, and Florida. We've been ranked number
one in orthopedics for 10 straight years. We're also the official hospital for New York Giants, Mets, and a few others,
along with being a top teaching hospital
with a well-respected orthopedic residency program.
In terms of my role at HSS,
I'm responsible for cybersecurity and risk management,
basically making sure that the digital transformation
at the hospital is done securely.
We remain compliant with HIPAA and other regulations.
And at the same time, we're able to take advantage of various innovations out there in technology in a secure and safe manner while making sure that we deliver better care on an ongoing basis.
Can you give us some insights?
What sort of threat activities have you seen during the pandemic?
Yeah, so for the past six weeks, we've been in a state of heightened awareness and four things kind of bubble up for me and my team.
The first and foremost is a significant increase in COVID-19 related phishing attacks. To give you
some numbers, we see about 10 to 15,000 daily phishing email attacks on the organization.
They range from stimulus plans, paycheck programs, WHO and CDC advisories, or protective equipment.
The second thing which I think most of us are seeing is we have almost a thousand percent
increase in work from home within the organization from prior to crisis
to now. And that has led to a significant recon of our public facing environment.
We've seen an uptick in exploitation of VPN infrastructure, as well as attacks on personal
home routers. Some users have reported it to us, and then we've seen an uptick in those reports.
The third thing is, what I'd like to say is on the fly,
IT engineering where consumer grade tools
like Doodle for scheduling or WhatsApp
or other collaboration tools,
people find them quick and easy to use.
And sometimes they end up deploying those
for corporate needs and managing risk around that
has been challenging.
And the
last but not the least is the supply chain risks. Because of obvious constraints, we've had to
onboard some new vendors relatively quickly and making sure that they are
secure and they align with all the best practices has been challenging.
What is your approach in terms of balancing those risks when it comes to you have those urgent needs, you have those business needs, but at the same time, you've got to manage security?
Yeah, so before I get into the tactical things that we've done, maybe I'll talk a little bit about what has allowed us to do it or get through the crisis or at least come this far.
The first and foremost is that we're able to draw
inspiration from the frontline healthcare workers,
not just at HSS, but across the world.
And everybody in IT and cybersecurity
very much appreciates the opportunity
to support them in any manner.
We find that very humbling.
So that has allowed us to get inspired by them
and deliver the best cybersecurity that we can.
The second is HSS is a place where we attribute culture to our reputation and results all
the time.
So there has been an amazing job at the leadership level where they came up with new principles
to handle the crisis, namely protecting our staff, protecting the organization, and protecting
the society.
So that allowed us to align all the
activities to those principles and defer or cancel any non-COVID related priorities. So we were able
to focus all in a very harmonious manner. So the third thing is empathy. On a personal note, I have
a two-year-old daughter and a six-year-old boy. The babysitter is no longer available, so we had
to ask our in-laws for help.
Managing work from home, homeschooling our son and managing daily routines has been challenging.
And we had a few false starts,
but then we found our rhythm.
So I think it's important to be cognizant
that our teams are going through similar challenges.
The crisis is not organizational.
It's also a personal crisis.
So being aware of that
and allowing the team to work
at any times that work for them has helped us to kind of earn their commitment and support.
That's Vik Arora, Chief Information Security Officer at the Hospital for Special Surgery.
If you'd like to hear an extended version of this interview,
check out our website, thecyberwire.com, and sign up for CyberWire Pro.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast.
Ben, we fired up the bat signal this morning to get you back on the line here right away
because I want to get your help
unpacking this executive order
that the president signed yesterday on Thursday
coming at social media
and Section 230 of the Communications Decency Act.
Unpack what's going on here for us, my friend.
Oh, where to begin, Dave?
Where to begin?
So I got a chance to read the executive order, and for listeners who don't want to hear a lot of legalese and analysis of Section 230 of the Communications Decency Act, the short version is this executive order is relatively toothless.
I think it misinterprets a lot of legal precedents.
It won't have much of an impact.
It's largely a distraction, but it is certainly an example of the president being willing to use the power of the federal government to at least threaten and intimidate social media
companies whom he feels are being biased against him. And it's also part of an escalating war
between particularly Twitter and the president. And we've seen that over the past couple of days as they've flagged a couple of his tweets,
one of them with a little note saying that it was based on false and misleading information,
and then one overnight where they said that his tweet could have been interpreted as a
call for violence.
So I think that's just very important context.
So for those of you who do want the
legalese, I'll get a little bit into the executive order itself, if that's okay with you, Dave.
Please, please.
So a couple of things. The executive order first kind of starts by stating general principles.
These social networks should have the goal of neutrality and maintaining robust debate. limited license to inject what they determined to be political biases into their content
restrictions and terms of services. So this is problematic for a couple of reasons.
For one, they talk about that perhaps Twitter could actually be liable under Section 230
because they are the creator of content.
So they're talking about the instances when Twitter puts those little notices on the president's tweets.
They're saying, well, those types of notices, because Twitter is actually creating that content,
that does not fall under Section 230.
That narrowly is true.
These platforms are only shielded from liability as it relates to what users post on them,
not their own content. But the government, through an executive order, cannot ban Twitter
from putting its own commentary on particular tweets. That would be a very clear violation
of the First Amendment. And it would also get into areas of compelled speech, which the Supreme
Court looks very disfavorably upon. As the executive
order continues, just a couple of other things that stuck out to me. One, it asks the Commerce
Department, specifically the NTIA, to petition the FCC to develop regulations to interpret Section
230 according to how the president wants it interpreted in this executive order. So that can't really happen. For one, it's up to the courts to interpret what Section 230
means. It's not up to the executive branch. And just as importantly, the FCC does not have the
authority to regulate these types of platforms. Courts have explicitly rejected giving the FCC the authority to issue these
regulations. The executive order also calls on the FTC, which does have a little bit more of
a regulatory role. They've called on them to issue their own regulations. The FTC can enforce actions
to protect against unfair trade practices.
But that can happen as it relates to antitrust.
It can't really happen as it relates to what we're talking about here with Section 230.
Then there are a couple of things that fall into provisions that don't necessarily carry that much force in terms of the force of law, but are still nonetheless concerning. So the executive order empowers the attorney general to convene a working group with
state attorneys general. And that working group is allowed to report users on these platforms
that are posting problematic content. And that goes undefined in the executive order,
but I think it's something that certainly raised a lot of eyebrows.
And then lastly, the executive order talks about how if Twitter does not change their practices to comply with the guidelines set out here,
then the federal government should at least consider ceasing advertising on Twitter or any other platform. So the bottom line is it's, I think, a relatively
poorly drafted and largely toothless effort to cut away at Section 230. If there really was
a groundswell of opposition to 230, if we really, as a society, wanted to change the law to remove the shield of liability for the moderation of content on these platforms.
That would be something that Congress would have to do.
That's not something generally that the president is able to do through executive order.
So what happens next?
The president has put this out there.
How does it make its way through determining what actually
happens? So that's a great question. I mean, so much of this, the process that he's describing
is not a process that's actually going to lead anywhere. You know, it's like telling somebody
directions to a room in a house that doesn't have anything in it. So, you know, it's instructing the NTIA to propose
new rules and regulations consistent with this executive order to the FCC. But as I said,
the FCC does not have authority over that. So the FCC has no obligation to accept or reject
whatever the NTIA or the Department of Commerce presents it. So I don't really see how that's going to be productive for anyone.
I think that just sort of leads to a dead end.
This executive order doesn't create any new cause of action for any particular users.
You know, the one tangible effect it might have is we'll see what this working group does,
led by the attorney general.
They might recommend more concrete enforcement actions. But until that happens,
you know, there really is no realistic endgame here on policy changes. It's just, I think,
we can largely say it's a political document. It doesn't really carry much in terms of the force of law.
All right. Well, Ben Yelin, thanks for joining us and providing some clarity.
Thank you very much. Have a good day.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.