The CyberWire Daily Podcast 4.20.20
Ep 1070 | 4.20.20

Update on threats to Czech infrastructure. Relief funds looted. PoetRAT vs. ICS. CISA updates essential workforce guidelines. Data breaches. Zoom-bombing.


Dave Bittner: [00:00:05] A wave of attacks against hospitals and infrastructure in the Czech Republic seems to have been largely unsuccessful, but more may be on their way. German relief funds earmarked for small business are looted by cybercrooks. PoetRAT is active against ICS targets in Azerbaijan. CISA updates its Guidance on the Essential Critical Infrastructure Workforce. Breaches at Cognizant, Aptoide and Webkinz World. David Dufour from Webroot on AI and machine learning. Our guest, Kelly White of Mastercard's RiskRecon, shares how one of their health care customers is tracking COVID-19 infections. And more Zoombombing. 

Dave Bittner: [00:00:49]  And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:12]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 20, 2020. 

Dave Bittner: [00:02:21]  Prague Airport authorities said Saturday that they had successfully stopped several attempted attacks on their networks. The airport told Reuters, quote, "attempted attacks on webpages of the airport were detected in preparatory phases. That prevented their spreading and all further phases that could've followed and potentially harmed the company," end quote. Prague Airport, like most others, is operating a drastically reduced flight schedule, so the consequences of any intermediate disruption may have been low in any case. 

Dave Bittner: [00:02:51]  The attempt against the airport's networks is being mentioned, by Politico and others, in conjunction with last Thursday's warning by the Czech Republic's cybersecurity agency that sophisticated but unspecified actors were preparing a campaign against medical facilities, probably with a view to interfering with delivery of health care during the COVID-19 emergency, but any relationship to that potential campaign is unclear. Karlovy Vary's regional medical center did report Saturday that it had parried an attempted cyberattack, and several other hospitals are said to have also undergone unsuccessful hacking attempts on Friday. Again, it's unclear whether these are part of the predicted campaign or whether they represent something closer to the ordinary background noise, brought to prominence by a heightened state of alert. 

Dave Bittner: [00:03:39]  The signs of an impending cyberattack that could degrade health care delivery during the pandemic is in general being taken seriously. The U.S. State Department offered a strongly worded expression of support to the Czech Republic, and the Czech foreign minister tweeted his appreciation of this and other allied statements. He's also looking forward to finding out who's behind the incipient attacks. There does appear to be some sort of campaign in the offing, and Czech authorities think it's advanced at least to the battlespace preparation phase. 

Dave Bittner: [00:04:11]  The German Land of Nordrhein-Westfalen has lost somewhere between 31.5 million and 100 million euros in misdirected emergency relief payments, ZDNet reports. Germany's Lander are roughly equivalent to a U.S. state or a Canadian province. As the Land's Ministry for Economy, Innovation, Digitization and Energy (ph) prepared to distribute coronavirus relief checks last month, criminals were already in the starting blocks, as newspaper Handelsblatt put it, ready with a convincingly spoofed version of the ministry's genuine relief application portal. They used this to harvest enough personal details of people who were struggling economically because of the pandemic to enable them to apply for relief on their behalf. Data were harvested for somewhere between 3,500 and 4,000 potential applicants, and relief payments were routed to the thieves' bank accounts. Nordrhein-Westfalen has halted payments until it can sort the mess out. Some media outlets in Germany think the extent of the fraud may, in fact, turn out to be greater than is presently known. 

Dave Bittner: [00:05:17]  Cisco's Talos unit reported late last week that it had discovered a threat actor, PoetRAT - so-called because of references to William Shakespeare in the code and because Shakespeare, of course, was a poet - working against public and private targets in Azerbaijan. The campaign, for which no attribution has been offered, is particularly interested in industrial control systems. 

Dave Bittner: [00:05:41]  Organizations are using clever combinations of publicly available and privately held data, along with tools, to combine, analyze and visualize the effects of the coronavirus. I recently spoke with Kelly White, founder and CEO of RiskRecon, a Mastercard company, on how one health care insurance organization is tracking COVID-19 infections. 

Kelly White: [00:06:04]  We've seen events over the last few years in which organizations that actually have a blended approach to supply chain risk management, where they have all of the disciplines under one umbrella, are using data in very interesting ways to understand and manage through potential supply chain disruptions. 

Kelly White: [00:06:28]  Now, as we look down at COVID-19, and this was going back, you know, several weeks ago, when it was just very - when COVID-19 was very early in its stages in the United States. One of our customers that operates a blended supply chain risk management team - they took the data from Johns Hopkins University's coronavirus data stream that provides the geolocation information down to the county level and laid that out on a map. And then they took the RiskRecon data regarding where their suppliers' hosts are geolocated. And by laying the two on top of each other, they could see, well, do my suppliers have operations centers in areas of, you know, infectious disease risk? 

Dave Bittner: [00:07:26]  So in terms of those organizations being able to plan their risk, their appetite for risk or do their forward-looking planning, I mean, I imagine that this - overlaying these two bits of information - that can inform how they make decisions going forward. 

Kelly White: [00:07:43]  Yeah. So you look at the problem that, you know, they're facing, and every organization is facing, on the supply chain risk management side as well. Let's say they have a hundred suppliers. And, you know, how is this going to play out? Which ones do we need to pay attention to now? And how does that change going forward day by day? And so that they can triage - you know, they don't have the resources to address all of it at once, but if they identify some highly critical suppliers, you know, based on their business relationship and intersect that with, oh, wow, they're in a really high-risk area, that can give them some early insight and has given them early insight into, OK, what we need to come up with - you know, alternative plans to shore up potential disruption here and there. And so through the data, by doing this, they've been able to get an earlier head start in managing supply chain disruption risk. 

Dave Bittner: [00:08:42]  Yeah. Can you give us some insights in terms of being able to use the data from your platform and combine it with these other more open-source types of data? How do you accomplish that level of interoperability? How do you open up the data you're providing for these clever uses? 

Kelly White: [00:09:03]  Yeah. So the data from sources that RiskRecon provides, of course, along with, you know, the Johns Hopkins coronavirus data stream or even the National Weather Service's data stream around natural disasters and so forth - these include geolocation attributes along with each data point. And so from our system, from the Johns Hopkins system, you can download this data and load it into Tableau, which has - Tableau and other mapping software that has geolocation-aware capabilities to deal with the latitude and longitude coordinates that are embedded in the data. And it makes it easy to create a visualization. It makes it easy to do some distance analysis, some distance math, for example, between, you know, a supplier's operations center and, you know, the touchdown point of a hurricane or, in this case, you know, where we see a strong uptick in coronavirus infections 

Dave Bittner: [00:10:10]  That's Kelly White from RiskRecon. 

Dave Bittner: [00:10:13]  On Friday, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, released version 3.0 of its Guidance on the Essential Critical Infrastructure Workforce. Among other tweaks, version 3 clears up some confusions over employees versus contractors, and it adds language emphasizing the importance of IT workers. 

Dave Bittner: [00:10:34]  BleepingComputer reports that the major IT services provider Cognizant was hit by a Maze ransomware attack on Friday. The company is working to contain the damage and restore normal operations. Maze now routinely steals data to give it additional leverage over its victims, and this can be expected to be the case with the Cognizant attack. BleepingComputer says the Maze gang denied involvement, but Cognizant has said publicly that the malware used against it was Maze. 

Dave Bittner: [00:11:03]  Forbes reports that the large third-party Android app store Aptoide has been breached. According to ZDNet, the hacker, who released what appear to be 20 million user records, claims to have another 19 million more in reserve. Aptoide says it's investigating and that it's taken steps to contain any breach. 

Dave Bittner: [00:11:23]  Webkinz World, an online game that toymaker Ganz maintains as an adjunct to its line of plush toys, was hacked earlier this month. ZDNet has confirmed that the data leaked are usernames and encrypted passwords for some 23 million users. The attackers are believed to have gained unauthorized access to the data by exploiting an SQL injection vulnerability in one of Webkinz World's web forms. 

Dave Bittner: [00:11:49]  And finally, Zoombombing remains a thing. The Indiana Election Commission had an online meeting disrupted Friday by saucy video of someone spending a little time with themselves. One hopes that this form of dim-witted digital vandalism - the content most often used is curiously described as adult - will soon be thwarted by improvements to Zoom's platform and more operator familiarity with the telework tool. So if you're curious for details, the Indianapolis Star has the skinny. 

Dave Bittner: [00:12:21]  It seems that Zoom may have been more laggard than suspected in clearing up security problems before its explosive growth during the period of social distancing. The New York Times reports that Dropbox found numerous security and privacy problems with Zoom and pushed the telework service to fix them, but with indifferent results. 

Dave Bittner: [00:12:39]  Nonetheless, telework services have become essential to the remote work that businesses are attempting as they seek to work through the conditions governments are imposing during the pandemic emergency. This dependency has drawn criminals to telework as phishbait. Proofpoint over the weekend described ways in which cybercriminals are using various come-ons in their attempts to harvest credentials for services like Zoom and Cisco Webex. These attempts are social engineering. They're not exploiting vulnerabilities in the platforms themselves. They're just conning people into oversharing. 

Dave Bittner: [00:13:18]  And now a word from our sponsor KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to and watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:31]  And I'm pleased to be joined once again by David Dufour. He's the vice president of cybersecurity and engineering at Webroot. David, always great to have you back. You all recently did some surveying and got some insights when it comes to some attitudes about artificial intelligence and machine learning. You gathered up some interesting insights here. What can you share with us? 

David Dufour: [00:14:53]  Well, yeah. I think you know, David, a few years back, AI/ML were all the rage - still pretty prevalent. People talk about it. It's the future. But I think there was a spike in the hype. But believe it or not, we're still seeing a lot of folks using it in different ways at varying levels of success. 

Dave Bittner: [00:15:11]  Right. 

David Dufour: [00:15:12]  At Webroot, we've been using it since, you know, the later 2000s. We started implementing ML specifically around 2008, 2009. So it's really near and dear to our heart, and we feel pretty good about the way we do it. 

David Dufour: [00:15:25]  But we found 96% of cybersecurity programs claim to use AI and ML in some form. And, you know, they probably are doing it. They've probably used some type of packaged solution that is doing it. The question becomes, how valuable is it, and things of that nature. 

Dave Bittner: [00:15:40]  Right. 

David Dufour: [00:15:41]  So on top of that, as we talked to people who buy it, 54% of people who are buying products feel like the vendors are just saying they're using it, and they don't really know why they're using it or how it's helping them. So it's an interesting dynamic that, you know, people are saying they're using it. It's in the tools, but people don't really know what it's doing for them. And what's ironic is those same vendors - 94% of them want to know that there's AI and ML in there, but, again, 54% of them don't know why they want to know it's in there. It just makes them feel good, I guess. I don't even know, you know, how that correlates to anything else I've ever heard, where almost a hundred percent of people want something in something, but half of them don't know why they want it. 

Dave Bittner: [00:16:24]  Yeah, yeah. It's almost like the marketing folks have succeeded in generating desire for this thing. What - we know from the messaging that it's probably a good thing, certainly not a bad thing, right? What's the downside, right? Might as well have it. 

David Dufour: [00:16:40]  Well, and I think that's the great point is what is the downside? And I think a lot of times, just like anything, you know, buyer beware. If you think all AI or all ML is created the same, you're going to be sorely mistaken. And so what is it doing for you? And I would actually, again, being very, very pro-AI, pro-ML - I love this stuff. To have a team here working for me, and we've been doing it for over a decade now, I really, truly say to people, why do you care if it has AI or ML in it? And, you know, I even - I talk to the salespeople. I'll talk to partners. I'll even talk to customers. And they're like, well, it just makes me feel better to know, technologically, you're advanced enough to have it in there. And I said, well, let's say you had three products and you compared them all and you didn't know if they had AI or ML. You thought they all did. Wouldn't you buy the product that's protecting you the best? And so I say to people, don't evaluate a product based on what they say is in it. Buy a product based on how it's performing in your specific environment, 'cause one solution might perform better for you. And then, you know, your buddy in a different industry, a different solution might perform better for them. They're really unique circumstances. Focus more on what it's doing for you and how well it's protecting you and not what it says on the box. So that sounds simple, David, but we're falling away from that. 

Dave Bittner: [00:18:02]  Do you find at, for example, trade shows, do people, when they come up and they're asking you about products, are - when it comes to AI and ML, are the questions that they're asking - are there folks coming up and asking really in-depth, informed questions about this stuff these days? 

David Dufour: [00:18:20]  They are not. You know, truly, it stops at the level of, you know, what - do you have AI? And, oh, how do you use it? Oh, you use it to scan for files. Oh, you use it to look for threats. You know, that's easy to say. I - seriously, David, all joking aside, we could spend an hour in a webinar, download a productized AI tool and stand up a model inside of an hour and say, hey, we now have a product that does AI. And people don't understand what becomes specific, and this is fun when somebody comes up and they're like, are you using neural networks? Are you doing deep learning? Are you using TensorFlow? You know, you can tell by the level of questioning, and we're just not seeing it that deep. People really are hung up on, are you using AI and ML, and how, in terms of for file scanning, for scanning for phishing sites. But they're not digging underneath of what that really means in terms of the technology. 

Dave Bittner: [00:19:17]  All right. Interesting insights. David Dufour, thanks for joining us. 

David Dufour: [00:19:21]  Great being here, as always, David. 

Dave Bittner: [00:19:27]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:47]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:59]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.