Dave Bittner: [00:00:03] The cyberattack on the U.S. Department of Health and Homeland Services seems now to have been a minor incident. Disinformation about COVID-19 and measures to contain the pandemic continue to serve as both phishbait and disruption. And U.S. prosecutors move to stop prosecution of a Russian influence shop fingered by the Mueller investigation.
Dave Bittner: [00:00:30] It's time to take a moment to tell you about our sponsor Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, much more. Subscribe today and stay ahead of the cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers; to empower your change-makers, like developers; and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 17, 2020.
Dave Bittner: [00:02:04] The widely reported cyberattack on the U.S. Department of Health and Human Services, Bloomberg reported yesterday morning, now seems less serious than early reports made it out to be. Bloomberg quoted a statement by U.S. National Security Council spokesman John Ullyot, who said, quote, "we are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly. HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks," end quote.
Dave Bittner: [00:02:39] The New York Times reports the incident appears to have been an opportunistic and relatively crude probing of the department's networks for vulnerabilities. There was speculation that the incident represented a state-sponsored attack, but it looks more like the sort of preparatory distributed denial-of-service attack organizations see all the time. DDoS attacks, if that's what the incident turns out to be, are commodity operations that many people could mount, as Vox observes.
Dave Bittner: [00:03:08] And people have jumped to conclusions about DDoS before, as some historical reflection will show. Remember Mirai, the IoT worm that clogged the internet along the U.S. Eastern Seaboard and elsewhere for several hours back in September of 2016? It was widely believed at the time - and not by crazies but by well-informed and serious people - to be a Russian demonstration - Moscow's shot across Washington's bow, intended to show the smug Yankees that their infrastructure could be held at risk, which, in a way, we suppose, it did. But it wasn't the Russians at all. By January of 2017, Krebs on Security had tracked down the principal mastermind, a self-described passionate entrepreneur who was running some kind of Minecraft-themed click scheme from his dorms at Rutgers.
Dave Bittner: [00:03:58] In the case of the HHS incident, it seems there's not much to worry about. A Department of Homeland Security source told The Washington Post's Ellen Nakashima that on a scale of 1 to 10, it's about a 2.
Dave Bittner: [00:04:12] As is usually the case with widespread crises, criminals seek to take advantage of fear, uncertainty and doubt. Proofpoint reports that TA505, the Russian-speaking criminal gang Microsoft calls Evil Corp and others know as Graceful Spider, is back with a ransomware downloader it's using against targets in the U.S. health care, manufacturing and pharmaceutical sectors. TA505 is best known for Locky ransomware and the Dridex banking Trojan. The phishbait is coronavirus-themed. And another criminal group, TA564, is doing much the same against Canadian citizens, in this case spoofing the Public Health Agency of Canada.
Dave Bittner: [00:04:54] Neither campaign's spam is particularly well-crafted or convincing, bearing as it does the usage errors and eccentric capitalization that have long been the familiar stigmata of the Russian mob. But they've been successful. Their secret is volume. The troll farmers of St. Petersburg are a lot more fluent and high-spirited, but then they can afford to be. They're working on the government's dime.
Dave Bittner: [00:05:18] There's also some disinformation circulating that attributes COVID-19 to 5G networks, CNET reports. The reason the virus emerged in Wuhan, the influencers say and various Russian state outlets suggest, is because there are, of course, so many 5G towers around Wuhan. You won't swallow that one, but some people do - like influencers and those whom they influence. This particular rumor is marginally less plausible than, say, chemtrails, if you're keeping score at home.
Dave Bittner: [00:05:52] There are a handful of people in the cybersecurity world who need no introduction, and it's fair to say Kevin Mitnick is among them. Depending on your point of view, he's either famous, infamous or perhaps notorious for his use of social engineering in his younger days, activities that found him at odds with both telecommunications companies and law enforcement. These days, he runs his own consulting firm and serves as the chief hacking officer at security awareness company KnowBe4. Kevin Mitnick and I sat down together at the RSA Conference.
Kevin Mitnick: [00:06:25] I still see that we have the same problems that we did last year. I see ransomware is getting much worse, not in how prolific it is but the new types of attacks - like, for example, a threat actor compromises an MSP. They get enough data from the MSP, and they could access the internal networks of their clients - the MSP's clients. They basically deploy ransomware into the MSP after they've compromised their clients and exfilled data.
Dave Bittner: [00:06:52] Right.
Kevin Mitnick: [00:06:52] And now the game is strange. It's not the - hey, we'll give you your data back if you give us some money via bitcoin or other cryptocurrency, but tell you what. We're going to expose your clients' data publicly unless you pay us - right? - after wiping their data, of course. So then it becomes, you know, what company out there, what MSP can - you'd be right - you'd be out of business, right?
Dave Bittner: [00:07:17] Yeah.
Kevin Mitnick: [00:07:17] You've got a bunch of your clients, and all their data is going to be exposed, so you're going to pay, you know? I mean, you'd be nuts not to. You're going to decide to pay or just go out of business, because calling the FBI and the Secret Service will be - probably be, largely, a waste of time because they'll get involved and do their investigation, but that's after the damage is done.
Dave Bittner: [00:07:34] When you were coming up and you were, you know, first exploring all of these things and many of the, you know, the exploits that you are famous for, do you suppose you - back then, could you have imagined what we have today - the types of attacks that we're seeing, the way that cybersecurity and cyber itself is in every part of the world when - did you have that vision back then for where things might be heading?
Kevin Mitnick: [00:07:59] Well, I had the vision for self-driving cars.
Dave Bittner: [00:08:01] OK.
Kevin Mitnick: [00:08:01] But I did not, you know, have the vision. I remember telling my dad about - that's going to be, you know, maybe in his - not in his lifetime, but my lifetime...
Dave Bittner: [00:08:08] Yeah.
Kevin Mitnick: [00:08:09] ...Where cars are going to be automated. And I remember driving down the 405 freeway - and this is in LA, part of California - and I was explaining how the system would work with cameras and all this. And this was when I was probably 10.
Kevin Mitnick: [00:08:20] And now here - now I'm a lot older, and - but as far as the hacking and seeing where social engineering was going into ransomware, you know, at the time I was doing this when I was a teenager and young adult, no.
Dave Bittner: [00:08:31] Yeah.
Kevin Mitnick: [00:08:32] You know, because back then, I was using dial-up. The internet wasn't even born. It was the ARPANET.
Dave Bittner: [00:08:37] Right.
Kevin Mitnick: [00:08:38] So this is, you know, 1995 and prior, so the computers weren't a household name like today. You know, not everyone had their, you know, their iPhone...
Dave Bittner: [00:08:49] Right.
Kevin Mitnick: [00:08:49] ...Or other device that they carry in their pocket with - all the time. It was a different world. I always thought, though, when I testified before Congress in 2000 - Joseph Lieberman and Frank Thompson (ph) - Fred Thompson - I'm sorry - invited me to testify before Congress, and I warned them back in 2000 - March of 2000 - that social engineering is here and now and a way into not only private-sector but public-sector networks and systems, and it will probably be here for a long time unless you start doing - you know, unless you start educating the masses. I was going for mass education, like public service announcements on television and stuff to educate the everyday person, not people here at RSA. They should know better.
Dave Bittner: [00:09:31] Right.
Kevin Mitnick: [00:09:31] But, yeah. And they never did it, of course. And, you know, here we are today, 2020. This was in 2000. So 20 years later, nothing has changed.
Dave Bittner: [00:09:40] Wow.
Kevin Mitnick: [00:09:40] Yeah.
Dave Bittner: [00:09:42] Are you optimistic for the future? Do you feel as though people have sat up and are taking note that they're starting to put the things in place to get ahead of these things?
Kevin Mitnick: [00:09:51] Yeah, like I look at new technologies that are coming on the market, like passwordless authentication.
Dave Bittner: [00:09:57] Yeah.
Kevin Mitnick: [00:09:57] Right? So a lot of phishing attacks - if you go from the - not the pretext, phone call side but from the phishing side, a lot of those attacks are what we call credential harvesting attacks. So it's not to get a malicious payload onto the victim's endpoint; it's to get the credentials. So in those types of attacks, if, you know, people adopt, companies adopt these passwordless technologies, then there are no passwords to steal. Yeah, you just see these scams happening all the time. So I really think - I'm really a true believer that education is key.
Dave Bittner: [00:10:29] That's Kevin Mitnick from KnowBe4.
Dave Bittner: [00:10:33] The U.S. National Security Council warns that foreign influence operations are also using fear of coronavirus to push the line that the U.S. is under a national lockdown that's tantamount to a martial law - black helicopters and the whole nine yards. Because corroborative detail gives artistic verisimilitude to an otherwise bald and unconvincing narrative, the specific authority for the coming national jackboot is the Stafford Act. So stock up on canned goods, batteries, pistol ammunition, dog chow for the indispensably rowdy dog - or, actually, don't, because, of course, the Stafford Act, under which the president declared a state of emergency, has nothing to do with national quarantines or martial law. It's a law that facilitates federal delivery of assistance to the states and to others during times of emergency.
Dave Bittner: [00:11:25] Mother Jones and U.S. News, two publications that tend to see the news from markedly different perspectives, have both reported on the false news, and they reach much the same conclusion. It's, of course, bogus. Much of the disinformation is being disseminated by email, text, WhatsApp and TikTok, The Washington Post writes, noting that these are harder to track than similar campaigns over Twitter or Facebook would be. Much of the messaging is delivered as an image file, which also makes it more difficult to screen. Text messages may be an unusually convincing way of disseminating false rumors. Graham Brookie, who directs the Atlantic Council's Digital Forensic Research Lab, told The Washington Post that text messages are effective persuaders because of their homey familiarity. It's the same technology friends and families use to stay in touch, so the news reported by text just strikes people as sounding right.
Dave Bittner: [00:12:20] Some of the disinformation is probably state-run, like the Chinese claims we discussed yesterday that COVID-19 started in the U.S. Army, but much of it is, no doubt, spontaneously generated, and it's certainly not confined to the U.S. A great deal of fake news about mobs, rioting and panic is circulating elsewhere, too, particularly in Europe.
Dave Bittner: [00:12:43] And finally, the U.S. Justice Department has decided not to continue its prosecution of Concord Management and Consulting, a company which, despite its old-fashioned, American-sounding name, is a Russian firm which does no business in the U.S. The company had been indicted for influence operations as a result of special counsel Mueller's investigation of Russian operations during the U.S. 2016 elections. The Washington Post reports that prosecutors cited a, quote, "change in the balance of the government's proof due to a classification determination," end quote, in their filing for dismissal. This led them to conclude that proceeding would no longer be in the interest of either justice or national security. The prosecutor's filing essentially argues that Concord would use discovery and the trial itself to further its own ends and that the company was essentially beyond the reach of U.S. punitive measures.
Dave Bittner: [00:13:44] And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:14:57] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more importantly, he's my co-host on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for? It's great.
Ben Yelin: [00:15:09] It really is great.
Dave Bittner: [00:15:09] (Laughter).
Ben Yelin: [00:15:10] You should check it out.
Dave Bittner: [00:15:11] Ben, article we're going to talk about today - this comes from The Hill, written by Maggie Miller and Nathaniel Weixel. And it's "HHS Introduces New Rules to Give Patients More Control Over Their Health Data." What's going on here?
Ben Yelin: [00:15:25] So the Department of Health and Human Services has finalized two new rules that are going to be put in the Federal Register and will have the force of law. One of the rules was issued by the department's Office of the National Coordinator for Health Information Technology, ONC, and one was written by CMS, the Centers for Medicare and Medicaid Services...
Dave Bittner: [00:15:47] OK.
Ben Yelin: [00:15:47] ...Led by Seema Verma. So the first rule, the ONC rule, implements portions of the 2016 21st Century Cures Act. It requires health providers to allow patients to electronically access their own data, and the patients would not have to pay to access their own data. And it puts into place some security protocols so that that data is protected. The CMS rule ensures the exchange of health information between providers by making sure that those exchanges are secure, that they comply with cybersecurity best practices. And then it requires third-party groups to provide information on their data privacy policies before information is shared with them, although I'll note that those third-party groups are not subject to those rather stringent cybersecurity regulations.
Ben Yelin: [00:16:38] And the fact that those third-party vendors have not been included in the enforcement of this rule has concerned probably the key interest group, you know, who really has a stake in this, and that's the American Hospital Association. They said that the rule did not go far enough - these rules didn't go far enough to protect patient data because, you know, oftentimes - and I think we've mentioned on our podcast and perhaps on CyberWire as well - these third-party developers aren't as secure and are not subject to these same regulations. So if your doctor's office is using some sort of third-party vendor, there have been instances where those vendors have been selling anonymized information, private health information, even though it is anonymized...
Dave Bittner: [00:17:21] Right.
Ben Yelin: [00:17:22] ...For profit to other companies.
Dave Bittner: [00:17:23] Yeah.
Ben Yelin: [00:17:24] So I think that's the large basis of concern here.
Dave Bittner: [00:17:28] Yeah, it's interesting to me that you'll be able to access your information electronically. I remember not long ago, I had reached out to my general practitioner about some information I was hoping to get. And I asked, could they just email it to me? And they said, no, for security reasons, we don't email things. However, we could fax it to you.
Ben Yelin: [00:17:47] Oh, the old fax machine comes back.
Dave Bittner: [00:17:49] Oh, that's what I replied. I said, I'm sorry. I left my fax machine in 1995.
Ben Yelin: [00:17:53] Yeah, exactly.
Dave Bittner: [00:17:55] (Laughter) So I think...
Ben Yelin: [00:17:56] How do those things work, anyway?
Dave Bittner: [00:17:58] I don't know. It has something to do with a landline. It's all very ancient.
Ben Yelin: [00:18:03] It is, yeah.
Dave Bittner: [00:18:05] But - so good to see, I suppose, some pressure to get them to catch up with that, 'cause access to your information, I think, is key for consumers of this sort of thing. It's good to be able to have access to that information.
Ben Yelin: [00:18:18] Right.
Dave Bittner: [00:18:19] But interesting that the American Hospital Association thinks that this isn't enough.
Ben Yelin: [00:18:23] Yeah. And I think, largely, that's due to the third-party application issue. I think there is broader agreement among all stakeholders that overall, the intent of these rules is a wise one. And that's to both protect consumer data and give consumers a secure portal to review their own health information and, you know, provide things like price transparency. You can log in to your personalized system, see how much your procedures have cost...
Dave Bittner: [00:18:50] Right.
Ben Yelin: [00:18:51] ...See how much insurance will cover. So I think it'll have a major effect downstream for health care consumers, which, you know, eventually will be all of us.
Dave Bittner: [00:19:00] Right, right, right. All right, well, it's an interesting development. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:05] Thank you.
Dave Bittner: [00:19:11] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:29] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:41] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Take care of yourself. Take care of each other. And stay safe. Thanks for listening. We'll see you back here tomorrow.