CyberWire Daily - Warnings on healthcare attacks and espionage campaigns. Post-patching issues in VPNs. COVID-19 phishing. Contact tracing, for lungs and minds. Telework notes.
Episode Date: April 17, 2020
Czech intelligence warns of an impending cyber campaign against hospitals. The US Defense Department alerts contractors that Electric Panda is back, and after their data. Pulse Secure VPN’s post-patching issues. Google blocks COVID-19 phishing emails. Apple and Google work on tracing physical contact, but Facebook is tracing contact with misinformation. Zoom offers some fixes, gets banned in India, and receives a mashnote from Larry Ellison. And notes on HIPAA and CMMC. Johannes Ullrich from SANS on exposed RDP servers while we work from home, guest is Tia Hopkins from eSentire on STEM/cybersecurity education. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Czech intelligence warns of an impending cyber campaign against hospitals.
The U.S. Defense Department alerts contractors that Electric Panda is back
and after their data. Pulse Secure VPN's post-patching issues. Google blocks COVID-19
phishing emails. Apple and Google work on tracing physical contact, but Facebook is tracing contact
with misinformation. Johannes Ullrich from the SANS Technology Institute explains exposed RDP
servers while we work from home. And our guest is Tia Hopkins from eSentire.
She talks STEM and cybersecurity education.
Zoom offers some fixes, gets banned in India, and receives a mash note from Larry Ellison.
And notes on HIPAA and CMMC.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 17, 2020.
The Czech cybersecurity agency Nukib told its allies yesterday, according to Reuters, that it expects a major campaign against hospitals to begin soon, possibly as early as today.
It's expected to be a destructive attack.
The information we have available has led us to a reasonable fear of a real threat of serious
cyberattacks on major targets in the Czech Republic, especially on healthcare systems,
Nukib said. It's not clear who's behind the attack, and it seems that Czech authorities
are unsure of the attribution themselves,
but officials speaking on background told Reuters that it was a serious and advanced adversary.
Battlespace preparation in the form of a spearphishing campaign has been in progress for several weeks.
Politico reports that the U.S. Defense Counterintelligence and Security Agency
this week warned contractors in a bulletin that it had
detected renewed activity by the Chinese government's Electric Panda Group. The memorandum
Politico obtained said that nearly 600 inbound and outbound connections from highly likely Electric
Panda cyber threat actors targeting 38 cleared contractor facilities, including those specializing
in healthcare technology,
had been detected since the beginning of February. Electric Panda has been active since 2016 at least, and its interest in healthcare technology seems to represent a shift driven by the current
pandemic. A similar shift in interest has been observed in Electric Panda's sister threat group,
Pirate Panda, but in that case it's a shift in phish bait, not in targeting.
CISA warns that the Pulse Secure Virtual Private Network
remains vulnerable to certain forms of exploitation
even after its most recent patch has been applied.
The vulnerability the patch addressed, CVE-2019-11510,
is an arbitrary file reading issue.
CISA includes in its advisory a tool to detect indicators of compromise and suggestions for mitigating risk of exploitation.
Japan's CERT has issued similar warnings.
The problem, ZDNet explains, is that attackers were able to exploit the vulnerability to
extract Active Directory credentials, and they've since used these to get into organizations'
internal networks even after patches have
been applied.
VentureBeat reports that Google is blocking some 18 million malicious coronavirus-themed
emails daily.
The company explained in its Google Cloud blog the measures it's put in place to help
secure Gmail users during the current pandemic.
The company's Advanced Protection Program has been adjusted to adapt to the new style of threat,
and G Suite's phishing and malware controls are enabled by default.
Google's own explanations of how to combat phishing emphasize training and education
as much as they do technical filtering. It's unreasonable to expect technical filtering,
no matter how advanced,
to fully cope with social engineering. That threat plays on people's beliefs and desires.
The threat actors are after figurative hearts and literal minds, after all.
Email is just the avenue of approach. Apple and Google are proceeding with their
work on technology for contact tracing, and ESET has a quick overview
of how Apple's mobility trends reports are working out. But their system, designed in the first
instance for U.S. domestic use, may have difficulty attracting enough opt-ins to be effective.
A report from the Sinclair Broadcasting Group quotes experts who doubt that Americans are
likely to sign on in sufficient numbers to attain the 75% threshold generally
thought to be the point at which such contact tracing tools become valuable. The perception
that people generally have become skeptical about big tech's privacy record seems to contribute to
the pessimistic conclusion. Facebook yesterday announced its intention to introduce a kind of
misinformational contact tracing. It will be coupled with a kind of online rumor control
Facebook is calling Get the Facts,
and by the introduction of some straight dope about the virus
in the news feeds of users who've interacted with dubious content.
It will work like this.
Quote,
We're going to start showing messages in news feed
to people who have liked, reacted, or commented
on harmful misinformation about COVID-19 that we have since removed. These messages will connect people to COVID-19 myths
debunked by the WHO, including ones we've removed from our platform for leading to imminent physical
harm. We want to connect people who may have interacted with harmful misinformation about the
virus with the truth from authoritative sources in case they see or hear these claims again off of Facebook.
People will start seeing these messages in the coming weeks.
The system depends upon Facebook's large troop of fact-checkers, and it's unavoidably
a time-consuming process to execute at scale.
A study by the content-moderation-friendly advocacy group Avaaz
generally had good things to say about Facebook's work against misinformation,
but found it took about 22 days, on the average, for correction to catch up with suspect reporting.
The new security measures and processes teleconferencing company Zoom has introduced
seem to be drawing good reviews, as far as they go. There's one new
feature that Bleeping Computer describes that will enable users to report Zoom bombing. But as
Security Week points out, Zoom hasn't convinced all users. The government of India has joined
those who banned Zoom from their remote meetings. A new problem has also surfaced for Zoom. CNET
writes that a researcher found a vulnerability that could allow Zoom videos to persist in
the cloud even after the users had deleted them.
Zoom did receive a strong note of confidence from the IT sector, however.
CRN reports that Oracle's Larry Ellison, more often known for his critical takes on
other companies than for sending them fan letters, called Zoom an essential service
for Oracle.
And finally, we have two quick notes on U.S. privacy and cybersecurity law and policy during the pandemic emergency.
An op-ed in Law 360 cautions against assuming that the privacy protections in HIPAA,
the Health Insurance Portability and Accountability Act of 1996,
somehow go away during a public health emergency.
They don't.
Prudent organizations will lawyer up before they get too frisky with health care data,
no matter how public-spirited their mood and motives may be.
And the Department of Defense has been telling contractors that the Cybersecurity Maturity Model Certification, CMMC program, would not be delayed by the pandemic. That may be true insofar
as the policy's effective date is concerned, but the CMMC audits themselves will probably in fact
be delayed. FCW reports that Katie Arrington, CISO at the Office of the Undersecretary of Defense
for Acquisition, who had been prominent among those who said the program would become effective as scheduled,
said yesterday that the first audits could be delayed for up to a month.
FCW goes on to say that, quote,
Arrington suggested that auditors would wear masks and employ social distancing practices to complete their duties and that company representatives present during the audit would respect each other's personal space.
So should we all.
My guest today is Tia Hopkins. She's Vice President of Global Solutions Engineering
at eSentire. Our conversation focuses on her insights with regard to the importance of STEM
in education and preparing that next generation for success in the field.
From an educational perspective, I think more applied versus theoretical education would be
helpful. And then on the other side of that, just getting more folks interested in the field and
feeling comfortable with their ability to succeed. I know a lot of STEM focuses on coding,
but cybersecurity itself doesn't necessarily have to start there. You know, personally, my background is in networking. I've spoken to individuals who have
a very strong background in, like, endpoint security and things like that. And all of those things
really don't touch on coding at all. Yeah, it's interesting to me. I've heard
more and more people saying that they're looking to folks who have specialties in other disciplines, things like music, you know, because there's the ability to collaborate, the ability to solve problems, to think through things in real time.
All of those skills can be applied to the needs we have in cybersecurity.
That's an interesting one. Music specifically, I've not heard that one, but I do agree with it in theory that it does require more than just the ability to think technically. In order to be able to thwart a hacker, you have to be able to think like a hacker and hackers are very creative.
You know, if you think about social engineering, that really doesn't have a lot of technical requirements. I'll phrase it that way. You know, you could just have a great personality and get people to want to open up to you, and you can pretty much get anything you want.
Right. So that that's one angle of it. But definitely being able to think outside the box or point to the collaboration and just being creative in general, all critical to being successful in this field.
What about opening up that pipeline from the get-go,
those young students coming up to let them know
that there's a possibility for them in this field?
I'm thinking specifically of young women coming up
who may not feel encouraged along the way.
I agree with that 100 percent.
I mean, in general, I think we could do a bit better at shining a light on cybersecurity as an opportunity.
You know, STEM is pretty broad.
You know, it's technical.
It's non-technical.
You know, you have engineers out there and that's technical, but it's not necessarily technology related in the way of,
you know, something like cybersecurity or DevOps or something like that. So I think unpacking STEM
a bit would be helpful. But definitely introducing these things to an audience at a younger age,
specifically girls and helping young ladies and young girls understand that, one, they can be
successful in technology and specific to cybersecurity.
Again, back to my point, it's not all around, you know,
coding because you see a lot of programs like, you know,
girls who code and coding camps and things like that. And that's great.
But I find that that could lead to girls feeling like if they don't start
there or if they don't have a mind for,
for coding or that's not something that they're interested in,
maybe STEM is not for them.
So just overall, a better job of representation of what the possibilities are and having conversations with young girls like, hey, what do you like to do every day?
How do you think your brain works? What do you think you would enjoy doing as a career?
and kind of working backwards from there and figuring out the things that may or may not align to the types of personalities of these young girls that we're talking to,
rather than, you know, maybe making them feel like they have to fit into a box, whether that's on purpose or not. What about from the other direction, the folks who are doing the hiring in organizations?
Do you have any suggestions for them to make sure that they're looking at a broad range of folks for these jobs?
So I personally, you know, I'm a hiring manager.
So when I speak to my recruiters, I push on them to bring me, you know, diverse applicants.
You know, wherever you've been typically fishing, go somewhere else.
You know, I reach out to my personal networks, professional networks. I'm involved
in a lot of organizations that are driving more women toward technology in general and organizations
that are trying to drive more women toward cybersecurity. The challenge is, as wide as
we try to cast that net, there's just not a lot of applicants coming through. And I don't know
if that's a lack of interest, a lack of perceived ability to be successful. And that all goes back to my point of representation.
I think we need more women specifically that are successful in the field to show themselves and
encourage women and say, yeah, you can be successful here. And here's what my journey
looked like. And it wasn't pretty, but here I am today and it's okay to fall. And, you know, all those
things that make it real and relatable for women. Yeah. I mean, you touch on that notion of
mentorship, which I think is so critical. How do you do that yourself? What sort of things
have you done along the way to make sure you're being a mentor to folks who might need that little
extra boost? Sure. So I'm a member of a number of
organizations as a mentor. So I'm a career mentor with Cybrary. I'm a mentor with Built by Girls.
I'm a member of a minority-focused cybersecurity consortium, and they have a specific focus on
mentoring women as well. So I do some, I guess you could say organized mentorships through
programs, but just based on, you know, the things that I'm doing, like posting on social media and
doing interviews like this, I have a lot of individuals that reach out to me with questions
and ask for, you know, my feedback on what they should be looking into, types of schools that
they should be going to as well. So just outside doing more organized mentorship, I try to make myself as available as possible
because part of the challenge with knowing what to do or where to go is just being confident
that you're taking the right path.
It can be difficult to navigate such a broad field.
Even when you break technology down into the cybersecurity space, there's lots of different
paths that you can go. You know, it's not cheap to get education or certification. So people want
to make sure they're doing the right thing. So I always try to make myself available to give
my feedback based on my personal experience and research, of course, because everyone's
story is going to be different. Our thanks to Tia Hopkins from eSentire for joining us.
And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute. He's also host of the ISC Stormcast podcast. Johannes, it's always great to have you
back. We want to touch today on some issues that you all are tracking here when
it comes to this newly expanded work from home situation and RDP servers. What are you all
tracking here? Yeah, so, you know, everybody has now to work from home, has to administer
their systems from home. And a lot of companies apparently, you know, weren't quite ready for this, and of course
at this point it's also kind of difficult, for example, to quickly buy, like, you know, a VPN
server, anything like that. Now, at the end of March, Shodan released a report where they noted that
the number of RDP servers that are exposed to the internet increased.
They had to revise this a little bit, but still, the final result was, yes, the number
increased.
No real surprise here, because this is a little bit the cheap and easy way to expose your
system for remote administration.
Problem with RDP, of course, is it's also one of the top targets that the bad guys are scanning for.
We are monitoring with our DShield sensor network sort of what the bad guys are scanning for. And
RDP is always sort of in the top 10 of the ports being scanned. So I went back a little bit and
checked, did this increase as well? And what we noted was that in March,
the bad guys were spending quite a bit more resources
scanning for RDP.
Like, it's noisy data because RDP is always so busy,
but certainly something that is notable.
And of course, RDP stands for Remote Desktop Protocol.
What are some of the recommendations you have then?
I mean, this is a necessity.
People find themselves in this situation.
What are some of the basics for making sure they're doing it right?
Yeah, so the number one way how these RDP services are being attacked is weak passwords.
So definitely make sure you set up a strong password.
Secondly, there have been a number of vulnerabilities in RDP over the years.
So definitely make sure that the systems that you are exposing are up to date.
If possible, if you have some kind of firewall and such in front of these RDP servers,
make sure that you limit the IP addresses that they can be accessed from. Now, this, of course,
can be a little bit tricky in the work from home situation where you may not necessarily have like
a static IP address at home, but maybe you can limit it to like a couple of subnets that your
ISP tends to use. If you have a couple of administrators,
maybe set up each administrator's home IP address
and hope you don't all change the same day.
So there are a couple of sort of workarounds.
I'm talking about here sort of little dirty tricks kind of
because apparently you can't really do too much.
Of course, the problem is at this point, you are already working from home.
So the last thing you probably want to have happen is lose access to these RDP servers while you're making these changes.
Yeah.
What part in all of this could a VPN play?
Where does that fit into this?
A VPN is certainly the best way to solve this problem where you set up VPN access to your network, you authenticate to the
VPN. Let's hope you're using strong authentication there as well. And then via the VPN, you're
connecting to these RDP servers. Problem with VPNs, of course, is they take a little bit of time to
set up. They may need you to buy some equipment, depending on what you already have. One issue we have actually seen
is that the companies sort of run out of bandwidth on their VPNs, and also ports. Like, the problem is,
if everybody works all of a sudden through the VPN, you now don't really have the IP addresses
you need for the VPN, and then you're dealing with fairly large NAT issues.
In particular, if you're using cloud service,
let's say Office 365 and such,
through this VPN,
the problem then is that for each user,
you need about 100 or so ports.
So you very easily actually run out of TCP ports there.
Again, we're talking about dirty solutions here in the end,
but you may want to set up things
where maybe the Office 365 traffic
is not routed through the VPN.
You hope that HTTPS and so does its job,
but there are no great solutions
if you have to do it very quickly.
That's the thing.
It's something you probably should have planned
a little bit ahead of time.
Right, right. There's that old saying about hindsight, right? Yeah, like late January, we actually published a little blog post about how to get ready for the
upcoming pandemic. It hasn't really gotten a lot of traction back in January, but that would have
been the time. Right, right. All right. Well, Johannes Ullrich, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.