CyberWire Daily - Update on threats to Czech infrastructure. Relief funds looted. PoetRAT vs. ICS. CISA updates essential workforce guidelines. Data breaches. Zoom-bombing.
Episode Date: April 20, 2020
A wave of attacks against hospitals and infrastructure in the Czech Republic seems to have been largely unsuccessful, but more may be on their way. German relief funds earmarked for small business are looted by cybercrooks. PoetRAT is active against ICS targets in Azerbaijan. CISA updates its Guidance on the Essential Critical Infrastructure Workforce. Breaches at Cognizant, Aptoide, and Webkinz World. And more Zoom-bombing. David Dufour from Webroot on AI and machine learning; guest is Kelly White of Mastercard's RiskRecon on how one of their healthcare customers is tracking COVID-19 infections. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_20.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A wave of attacks against hospitals and infrastructure in the Czech Republic
seems to have been largely unsuccessful, but more may be on their way.
German relief funds earmarked for small businesses
are looted by cyber crooks.
PoetRAT is active against ICS targets in Azerbaijan.
CISA updates its guidance
on the essential critical infrastructure workforce.
Breaches at Cognizant, Aptoide, and Webkinz World.
David Dufour from Webroot on AI and machine learning.
Our guest, Kelly White of Mastercard's RiskRecon,
shares how one of their healthcare customers is tracking COVID-19 infections.
And more Zoom bombing.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, April 20, 2020.
Prague airport authorities said Saturday that they had successfully stopped several attempted attacks on their networks.
The airport told Reuters, quote,
Attempted attacks on webpages of the airport were detected in preparatory phases.
That prevented their spreading and all
further phases that could have followed and potentially harmed the company.
Prague Airport, like most others, is operating a drastically reduced flight schedule,
so the consequences of any intermediate disruption may have been low in any case.
The attempt against the airport's networks is being mentioned by Politico and others,
in conjunction with last Thursday's warning by the Czech Republic's cybersecurity agency
that sophisticated but unspecified actors were preparing a campaign against medical facilities,
probably with a view to interfering with delivery of health care during the COVID-19 emergency.
But any relationship to that potential campaign is unclear.
Karlovy Vary Regional Medical Center did report Saturday that it had parried an attempted cyber attack
and several other hospitals are said to have also undergone unsuccessful hacking attempts on Friday.
Again, it's unclear whether these are part of the predicted campaign
or whether they represent something closer to the ordinary background noise
brought to prominence by a heightened state of alert.
The signs of an impending cyber attack that
could degrade healthcare delivery during the pandemic are in general being taken seriously.
The U.S. State Department offered a strongly worded expression of support to the Czech Republic,
and the Czech foreign minister tweeted his appreciation of this and other Allied statements. He's also looking forward to finding out who's behind the incipient attacks.
There does appear to be some sort of campaign in the offing, and Czech authorities think it's
advanced at least to the battle space preparation phase.
The German Land of Nordrhein-Westfalen has lost somewhere between 31.5 and 100 million euros
in misdirected emergency relief payments, ZDNet reports.
Germany's Länder are roughly equivalent to a U.S. state or a Canadian province.
As the Land's Ministry for Economy, Innovation, Digitization and Energy
prepared to distribute coronavirus relief checks last month,
criminals were already in the starting blocks, as newspaper Handelsblatt put it,
ready with a convincingly spoofed version of the ministry's genuine relief application portal.
They used this to harvest enough personal details of people who were struggling economically because of the pandemic to enable them to apply for relief on their behalf.
Data were harvested for somewhere between 3,500 and 4,000 potential applicants,
and relief payments were routed to the thieves' bank accounts.
Nordrhein-Westfalen has halted payments until it can sort the mess out.
Some media outlets in Germany think the extent of the fraud may, in fact,
turn out to be greater than is presently known.
Cisco's Talos unit reported late last week that it had discovered a threat actor,
PoetRAT, so-called because of references to William Shakespeare in the code,
and because Shakespeare, of course, was a poet,
working against public and private targets in Azerbaijan.
The campaign, for which no attribution has been offered,
is particularly interested in industrial control systems.
Organizations are using clever combinations of publicly available and privately held data,
along with tools to combine, analyze, and visualize the effects of the coronavirus.
I recently spoke with Kelly White, founder and CEO of RiskRecon, a Mastercard company, on how one healthcare insurance organization is tracking COVID-19 infections.
a blended approach to supply chain risk management, where they have all of the disciplines
under one umbrella, are using data in very interesting ways to understand and manage
through potential supply chain disruptions. Now, as we look down at COVID-19, and this was going
back, you know, several weeks ago, when it was just very, when COVID-19 was very early in its stages in the United States.
One of our customers that operates a blended supply chain risk management team, they took the data from Johns Hopkins University's coronavirus data stream that provides the geolocation information down to the county
level and laid that out on a map. And then they took the RiskRecon data regarding where their
suppliers' hosts are geolocated. And by laying the two on top of each other, they could see, well, do my suppliers have
operations centers in areas of infectious disease risk? And so in terms of those organizations being
able to plan their risk, their appetite for risk, or do their forward-looking planning. I mean, I imagine this
overlaying these two bits of information, that can inform how they make decisions going forward.
Yeah. So you look at the problem that they're facing and every organization's facing on the
supply chain risk management side as well. Let's say they have a hundred suppliers and
how is this going to play out? Which ones do we
need to pay attention to now? And how does that change going forward day by day? And so that they
can triage, you know, they don't have the resources to address all of it at once, but if they identify
some highly critical suppliers, you know, based on their business relationship and intersect that
with, oh, wow, they're in a really high risk area that can give them some early insight and has
given them early insight into, okay, well, we need to come up with, you know, alternative plans to
shore up potential disruption here and there. And so through the data, by doing this, they've been able to get an earlier head start
in managing supply chain disruption risk.
Yeah.
Can you give us some insights in terms of being able to use the data
from your platform and combine it with these other more open source types of data?
How do you accomplish that level of interoperability?
How do you open up the data you're providing for these clever uses? Yeah, so the data from
sources that RiskRecon provides, of course, along with the Johns Hopkins coronavirus data stream,
or even the National Weather Service's data stream around natural
disasters and so forth. These include geolocation attributes along with each data point. And so
from our system, from the Johns Hopkins system, you can download this data and load it into Tableau,
which has Tableau and other mapping software that has geolocation-aware capabilities to deal with latitude and longitude coordinates that are embedded in the data.
And it makes it easy to create a visualization. some distance math, for example, between, you know, a supplier's operations center and, you know, the touchdown point of a hurricane or, in this case, you know, where we see a strong uptick in coronavirus infections.
That's Kelly White from RiskRecon.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency, CISA,
released version 3.0 of its guidance on the essential critical infrastructure workforce.
Among other tweaks, version 3 clears up some confusions over employees versus contractors, and it adds language emphasizing the importance of IT workers.
Bleeping Computer reports that the major IT services provider Cognizant was hit by a Maze
ransomware attack on Friday.
The company is working to contain the damage and restore normal operations.
Maze now routinely steals data to give it additional leverage over its victims, and
this can be expected to be the case with the Cognizant attack.
Bleeping Computer says the Maze gang denied involvement, but Cognizant has said publicly
that the malware used against it was Maze.
Forbes reports that the large third-party Android app store Aptoide has been breached.
According to ZDNet, the hacker who released what appeared to be 20 million user records
claims to have another 19 million more in reserve.
Aptoide says it's investigating and that it's taken steps to contain any breach.
Webkinz World, an online game that toy maker Ganz maintains as an adjunct to its line of plush toys,
was hacked earlier this month.
ZDNet has confirmed that the data leaked are usernames and encrypted passwords for some 23 million users.
The attackers are believed to have gained unauthorized access to the data
by exploiting an SQL injection vulnerability in one of Webkinz World's web forms.
And finally, Zoom bombing remains a thing.
The Indiana Election Commission had an online meeting disrupted Friday
by saucy video of someone spending a little time with themselves. One hopes that this form of
dim-witted digital vandalism (the content most often used is curiously described as adult)
will soon be thwarted by improvements to Zoom's platform and more operator familiarity with the telework tool.
So if you're curious for details, the Indianapolis Star has the skinny.
It seems that Zoom may have been more laggard than suspected in clearing up security problems
before its explosive growth during the period of social distancing.
The New York Times reports that Dropbox found numerous security and privacy problems with Zoom
and pushed the telework service to fix them, but with indifferent results.
Nonetheless, telework services have become essential to the remote work that businesses are attempting
as they seek to work through the conditions governments are imposing during the pandemic emergency.
This dependency has drawn criminals to telework as fish bait.
Proofpoint over the weekend described ways in which cyber criminals are using various come-ons
in their attempts to harvest credentials
for services like Zoom and Cisco WebEx.
These attempts are social engineering.
They're not exploiting vulnerabilities
in the platforms themselves.
They're just conning people into oversharing.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Cybersecurity and Engineering at Webroot.
David, always great to have you back.
You all recently did some surveying
and got some insights when it comes to some attitudes
about artificial intelligence and machine learning.
You gathered some interesting insights here.
What can you share with us?
Well, yeah, I think, you know, David, a few years back,
AI, ML were all the rage.
Still pretty prevalent.
People talk about it.
It's the future.
But I think there was a spike in the hype.
But believe it or not, we're still seeing a lot of folks using it in different ways
and at varying levels of success. Right.
At Webroot, we've been using it since, you know, the later 2000s. We started implementing ML
specifically around 2008, 2009. So it's really near and dear to our heart and we feel pretty
good about the way we do it. But we found 96% of cybersecurity programs claim to use AI and ML in some form. And they probably are
doing it. They've probably used some type of packaged solution that is doing it. The question
becomes how valuable is it and things of that nature. Right. So on top of that, as we talk to
people who buy it, 54% of people who are buying products feel like the vendors are just saying they're
using it and they don't really know why they're using it or how it's helping them. So it's an
interesting dynamic that people are saying they're using it, it's in the tools, but people don't
really know what it's doing for them. And what's ironic is those same vendors, 94% of them want to
know that there's AI and ML in there. But again, 54% of
them don't know why they want to know it's in there. It just makes them feel good, I guess.
I don't even know how that correlates to anything else I've ever heard where almost 100% of people
want something in something, but half of them don't know why they want it. Yeah. Yeah. It's
almost like the marketing folks have succeeded in generating desire for this thing.
We know from the messaging that it's probably a good thing, certainly not a bad thing, right?
What's the downside, right?
Might as well have it.
Well, and I think that's the great point, and is what is the downside?
And I think a lot of times, just like anything, you know, buyer beware.
If you think all AI or all ML is created the same, you're going to be sorely mistaken.
And so what is it doing for you?
And I would actually, again, being very, very pro-AI, pro-ML, I love this stuff, to have a team here working for me, and we've been doing it for over a decade now, I really truly say to people, why do you care if it has AI or ML in it?
And, you know, I even, I talked to the salespeople, I'll talk to partners, I'll even talk to customers
and they're like, well, it just makes me feel better to know technologically you're advanced
enough to have it in there. And I said, well, let's say you had three products and you compared
them all and you didn't know if they had AI or ML,
you thought they all did, wouldn't you buy the product that's protecting you the best?
And so I say to people, don't evaluate a product based on what they say is in it.
Buy a product based on how it's performing in your specific environment. Because one solution
might perform better for you. And then your buddy in a different industry, a different solution
might perform better for them.
They're really unique circumstances.
Focus more on what it's doing for you
and how well it's protecting you
and not what it says on the box.
That sounds simple, David,
but we're falling away from that.
Do you find it, for example, trade shows,
do people, when they come up
and they're asking you about products,
when it comes to AI and ML, are the questions that they're asking, are there folks coming up and asking really in-depth, informed questions about this stuff these days?
They are not.
You know, truly, it stops at the level of, you know, do you have AI?
Oh, how do you use it?
Oh, you use it to scan for files.
Oh, you use it to look for threats.
You know, that's easy to say. Seriously, David, all joking aside, we could spend an hour in a webinar, download a productized AI tool and stand up a model inside of an hour and say, hey, we now
have a product that does AI. And people don't understand what becomes specific.
And this is fun when somebody comes up and they're like, are you using neural networks?
Are you doing deep learning?
Are you using TensorFlow?
You know, you can tell by the level of questioning.
And we're just not seeing it that deep.
People really are hung up on, are you using AI and ML?
And how in terms of for file scanning, for scanning for phishing sites.
But they're not digging underneath of what that really means in terms of the technology.
All right.
Interesting insights.
David Dufour, thanks for joining us.
Great being here as always, David.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow.