CyberWire Daily - The persistence of ransomware. Exposure notifications and contact tracing. Doxing and conspiracy theories. More notes on the underworld.
Episode Date: April 30, 2020
Ransomware not only encrypts and steals data, but establishes persistence as well. Apple and Google roll out their exposure notification API. GCHQ will help secure Britain's centralized contact tracing system. A conspiracy-minded motive for doxing. Criminal markets and criminal enterprises continue to mimic legitimate ones. And a new wrinkle in mobile ransomware. Rob Lee from Dragos with insights on a recent ransomware incident shutting down a gas pipeline; guest is Drex DeFord from Drexio on cybersecurity in healthcare amid COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_30.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransomware not only encrypts and steals data, but establishes persistence as well.
Apple and Google roll
out their exposure notification API. GCHQ will help secure Britain's centralized contact tracing
system. A conspiracy-minded motive for doxing. Criminal markets and criminal enterprises
continue to mimic legitimate ones. Robert M. Lee shares insights on a recent ransomware
incident shutting down a gas pipeline. Our guest is Drex DeFord from Drexio on cybersecurity and healthcare amid COVID-19.
And a new wrinkle in mobile ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for April 30th, 2020.
It's now a commonplace to say that ransomware gangs threaten to dox their victims as well as render their data encrypted and inaccessible.
A report this week from Microsoft's Threat Protection Intelligence team concludes that it's not just the gangs who make the threats that are stealing the data.
Even the criminals who don't threaten to steal information are doing it anyway. The data represent another revenue stream.
The report also concludes that ransomware attackers don't necessarily leave a victim's networks even after the victim has paid. Instead, they maintain persistence as long as possible,
the better to position themselves for subsequent attacks. Again, there's a revenue potential there.
Apple and Google have released their first developer-focused version of their jointly
developed Exposure Notification API, TechCrunch Reports.
Exposure Notification has replaced Contact Tracing, and that's probably a more accurate
description given the system's decentralized design.
The beta version allows developers to tailor alerts to specific exposure criteria,
including proximity and duration, and it allows users to toggle their alerts on or off.
Users may also opt in to sharing a COVID-19 diagnosis anonymously.
The Electronic Frontier Foundation has expressed concerns, ThreatPost says,
that the exposure notification system suffers from a security vulnerability.
There's no reliable way, the EFF warns, of ensuring that the devices sending proximity warnings are in fact the devices they're supposed to be,
and that trolling can't effectively be ruled out.
There are other problems with false positives that don't require bad actors' involvement.
To take some of the examples the EFF considers,
two cars with windows rolled up passing side by side in traffic,
a patient near a nurse in full protective gear,
two people kissing.
All those look about the same to Bluetooth.
As the UK's National Health Service proceeds with plans for a centralized contact tracing system,
the government's communications headquarters, GCHQ,
will receive such access to the NHS system as it requires to ensure the system's integrity and security.
Computing and others quote GCHQ as saying that it has no interest in acquiring personal health data and that the agency's interest is solely the security of NHS systems.
ZDNet reports that more than 170 privacy and information security researchers in the UK have signed an open letter about NHSX's development of a centralized COVID-19 contact tracing system.
The signatories urge the health benefits of a digital solution be analyzed in depth by specialists from all relevant academic disciplines
and sufficiently proven to be of value to justify the dangers involved.
They have three questions.
First, they'd like some reasonable assurance that any contact tracing system
would actually work as intended to help control the pandemic.
Second, while politely expressing their appreciation for NHS's commitment to transparency,
they ask for assurances that anonymized data won't be de-anonymized
to associate individuals with the information being collected.
And third, they're concerned that the system might be adapted to other purposes
and retained even after it had served its purpose and the UK has emerged from the pandemic.
No mission creep, please.
Drex DeFord is founder and CEO of Drexio, a healthcare IT consultancy.
I caught up with him recently for his perspective on cybersecurity in healthcare amid COVID-19.
I think that, you know, kind of the underlying theme for me around cybersecurity, given everything that's happening right now, is that, you know, being in a hurry can be a recipe for disaster in general and certainly now.
So we see a lot of health systems doing things like onboarding temporary staff and offboarding temporary staff.
All of that assumes that you're making proper access to systems and moving people and access around.
And, you know, some larger health systems have identity and access management tools.
A lot of them do this process manually.
I would just say, you know, there's that kind of stuff.
There's certainly a ton of work from home.
They have ramped up dramatically when it comes to telehealth and telemedicine.
And while all of that is absolutely terrific and really good stuff for healthcare and patients
and families, when you do those kinds of things in a hurry, when you build out that kind of
infrastructure in a hurry, sometimes you can make mistakes. And so those are the things I worry about for healthcare right now.
So is this really an example of how pre-planning for events like these, eventualities like these,
are really going to pay off when you're faced with a situation like this?
I think the organizations, you know, we have in healthcare, especially in hospitals,
we have a credentialing organization called the Joint Commission. And the Joint Commission
requires health systems to do regular sort of disaster drills. I think organizations that have
spent time thinking about pandemics and doing drills around those kinds of scenarios probably
are in a better situation because of the experience that they've built up. But realistically,
no one has experienced anything like this and no one's been able to drill for something like this.
This goes on for a very long time and most of those exercises are set up for a short period
of time. They run maybe a day or a couple of days, and then the exercise is over.
This is obviously much more long-term and so has been much more of a challenge for health systems.
Do you have any sense for what things are going to look like on the other side of this?
Any lessons that the cybersecurity folks in healthcare are going to take away from this?
Boy, two big things, I would say, absolutely. Given the kind of ramp up that we've had with
telehealth and telemedicine, we are at a state in really just a few weeks where a lot of the work
that CIOs and health systems have tried to do over the past several years has come to fruition. So I think
the reality that health systems, some health systems who did maybe a few dozen telemedicine
visits in a week before all of this and now do hundreds a day, it's going to be hard to go
backward on that. And the other thing is work from home. I think work from home was a challenge
in the beginning. It's only been a few
weeks. I think it's still a challenge for a lot of people. But realistically, by the time this is
over, we're going to have a lot of folks that have built new habits around working from home.
They're going to be really comfortable with working from home. And so cybersecurity professionals and
organizations in general are going to have to deal with, I think,
a new environment where we're going to rethink who can work from home and what kind of benefits we
get from that work-from-home scenario. That's Drex DeFord from Drexio.
Bitdefender has taken a look at cyber criminals' activity during the pandemic and concluded that
all of the warnings about cybercrime, as good and widely received as they've been, really haven't produced much of a reduction.
They saw a five-fold increase in COVID-19-themed cyberattacks during March,
and they think it likely that when April's returns are in, they'll see a comparable rise.
A lot of the crime is conventional fraud and phishing,
with clickbait that appeals to the victim's fears about the coronavirus.
But the New York Police Department is seeing a more repellent form of criminal extortion.
Some hoods, the Daily Beast reports, are threatening to infect victims' families with COVID-19 should the victims fail to pay protection.
The threat is empty, and the NYPD wants everyone to recognize it as a bluff.
With that in mind, one might turn to a Digital Shadows report
on the apparently softer, more human side of the criminal underworld,
Charitable Endeavors on Cybercriminal Forums.
There's some chatter, probably posted with a mixture of cunning, idleness,
and a very small dollop of sincerity,
that urges participants in criminal
fora to engage in charity, diverting some of their take to the care of widows and orphans,
and to other good causes. The chatter is interesting because it shows another way in
which criminal markets mimic legitimate ones, not only with customer service, competitive pricing,
and other features of commerce, but even with gestures towards social
responsibility and even philanthropy. Some of the criminals are having none of it, sensibly
pointing out that the sort of crime they're engaged in is by its very nature immoral. Others
seem to worry about making a kind of expiation for their crimes. At least that's what they say.
So, an interesting light on a corner of the criminal
market. But don't build too many hopes on the Robin Hood urge. Remember how those promises
to leave hospitals alone worked out. And finally, bogus scareware threats have been around for
years. These usually tell users that some law enforcement organization, usually the FBI,
has found the users to be up
to no good, and that the users must pay a fine to avoid further trouble. The scare is usually
delivered by email or displayed in a browser. But CyberScoop says there's a new wrinkle.
Ransomware is encrypting Android devices and delivering a note impersonating the FBI.
The Bureau is offering decryption once the fine is paid, or so say the
hoods. Most of the victims have been in Eastern Europe, and the ransomware itself has been traded
in Russian-speaking criminal markets. Needless to say, the Bureau doesn't collect fines this way.
And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, always great to have you back. We saw this story come by about a ransomware attack that
had hit a gas pipeline facility.
DHS had published some information about it.
I wanted to get your insights.
What do you think's going on here?
Yeah, absolutely. This one was a bit confusing for folks in the way that it was handled. Nobody
did anything inappropriate, but just comms are always difficult around things like this,
especially in a wide community. So the pipeline disruption did occur, so it absolutely shut down
the ability for it to operate fully for two days is what it was being reported as due to ransomware.
And this is not uncommon, and there are a lot more of these ransomware cases
that are impacting industrial operations than ever gets made public.
It's just these companies usually have a lot of focus on trying to recover correctly.
So the reality, though, the reason it was kind of confusing,
is the Coast Guard already came out and talked about this
at the end of last year.
So at the end of last year, Coast Guard came out and said,
hey, there was a disruption to the pipeline,
and here was the impact, and here's some details that we can share.
And then DHS came out in February
and published on a cyber attack on a pipeline.
What the two government entities didn't say,
which became obvious later, was that it was the same event. And so I think because of the delay in reporting on the DHS side,
which is again understandable, I think there was a lot of confusion
thinking that these were two separate events.
And when we look at it, it was also a little bit confusing.
I had to explain this in my SANS class of folks,
where DHS and their CISA agency,
the Cybersecurity and Infrastructure Security Agency,
have sat on stage, have talked in front of Congress,
have had these conversations around,
we don't do incident response.
If you are out in the community,
you should first call and make sure you have plans.
We're not your incident response team.
And then the report launches and it says,
CISA did incident response to this pipeline facility.
And it's like, well hold on now, what does that actually mean?
And everyone's being honest about it,
it just comes down to what you define as incident response.
So for private sector companies, you're still expected
to have your own plan, to have your own teams,
to work with your outsourced providers if you're outsourcing
any level of incident response,
which most folks do have an incident response plan with some external vendor.
You're supposed to do all that.
And you should also look to be able to include your government partners
when you find it reasonable to include CISA,
as they have both the responsibility as well as a number of tools at their disposal.
And what they define as incident response is really being available to you
to provide any insight
of what's happening in the larger community,
to go and be in person
with you and provide any
counseling they can or kind of guidance.
But they're not getting hands on keyboard,
they're not doing collection,
they're not doing that type of work.
So what the private sector would define as incident response
and what the government would define as incident response
is a little bit mismatched here, which made it a little bit more confusing.
So do I think it's fair to call both incident response? Absolutely.
It just comes down to if you're an infrastructure provider, you should really spell out roles and responsibilities in the incident to all parties involved, whether they're government or not. And on the government side, I would suggest that
agencies work together to make sure that there's consistent reporting so that we don't potentially
flavor one event as if it's two. And honestly, with no offense to any specific government agency,
the right place to report these things out is the DHS. That is their singular role as being
able to be the central organizing authority. And the
CISA is very well positioned with great expertise inside that organization to be able to be that
central communications authority around what the government is working on.
Now, help me understand here, because I would say my understanding is that in most cases with
ransomware, the ransomware has been able to get to the business systems
of organizations like this.
But in this case, it was able to hit the control systems.
First of all, is my perception correct
that that's usually the way things go,
that people are generally doing a good job
protecting those operational systems?
So I think both of those things can be true.
So are folks putting a lot of resources today
into segmenting their operations technology environment?
Absolutely.
However, not a lot is being done,
it's getting better,
but not a lot is being done widely
on monitoring and understanding
what's happening in the operations environment.
One of the things that we normally highlight to folks
is that you may have segmented correctly your IT environment,
even though we do find the ability to move into those environments pretty regularly.
One of our year-in-review reports highlighted that over 70% of the time
we could traverse from the IT into the OT networks.
It's just you have to be able to for what you're running in business.
But the thing that most people don't normally
immediately fully understand is that those operations environments
are also connected to maintenance personnel,
original equipment manufacturers, vendors, supply chain, etc.,
remotely, and shared network access.
So just doing things in the IT network
doesn't prohibit things coming into the OT anyway.
So without saying that folks aren't taking it seriously, because they do,
I will say that we are definitely not where we would want to be
in operations technology security today, although the trend line is
definitely aggressively moving in the right direction.
And I think it is also not necessarily true that these things normally just happen
in the IT networks. There have been dozens of cases where ransomware has been on the operations side of the house
across the world in the last year.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.