The CyberWire Daily Podcast 4.24.20
Ep 1074 | 4.24.20

iOS zero-days, reconsidered. Hacking during a pandemic. An old campaign connected with the ShadowBrokers comes to light. Advice on web shells. Astroturfing and influence.

Transcript

Dave Bittner: [00:00:04] An update on those iOS zero-days. Calls to take biomedical facilities off the hacking target list. Nazar and the Shadow Brokers. NSA and ASD issue joint advice on web shell malware. A report on astroturfing and influence operations. Joker's Stash lays out more stolen cards. Michael Sechrist from BAH on the increase in IT-OT convergence. Our guest is Terence Jackson from Thycotic on HIPAA, telemedicine and the new normal of data regulation. And Nintendo reports a problem with a legacy system. 

Dave Bittner: [00:00:45]  And now a word from our sponsor, ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 24, 2020. 

Dave Bittner: [00:02:14]  ZDNet reports that Apple has disputed the seriousness of the vulnerabilities ZecOps claimed it discovered when it saw them being exploited in the wild. It's the exploitation in the wild that Apple takes particular exception to. Cupertino says it found no indications that the zero-days pose any real threat to users. Apple does acknowledge the zero-days and says they will be fixed in the next iOS release. 

Dave Bittner: [00:02:43]  Some researchers think ZecOps may have observed malformed emails and not malicious exploitation of iOS bugs. ZecOps says it intends to release more information on its discovery. In the meantime, Naked Security suggests that whatever else the bugs might be, they don't seem to be directly exploitable, and so any risk is probably low. 

Dave Bittner: [00:03:05]  China says that biomedical organizations should be off-limits to hacking. The Wuhan Institute of Virology is among organizations receiving the attention of hackers. Employees' email accounts have been compromised, the South China Morning Post reports. The level 4 research facility has been the subject of repeated speculation that COVID-19 accidentally escaped from the labs there and did not originate in the city's wet markets. The speculation is surely a matter of legitimate inquiry, especially given Beijing's less-than-transparent record during the pandemic, but in some fringe quarters, such speculation has reached the level of subjective certainty, which is pretty clearly approaching chemtrail territory. 

Dave Bittner: [00:03:48]  But it's FireEye's midweek report describing their recent look at APT32 that has prompted a call from Beijing, as Reuters says, urging all nations to condemn any attack on an organization involved in working against the pandemic. There's surely substantial international sentiment for placing biomedical facilities in a protected category, off-limits to cyberattack the way the laws of armed conflict prohibit most deliberate attacks against hospitals. 

Dave Bittner: [00:04:16]  It's not clear, however, that APT32, a threat actor associated with the Vietnamese government, is engaged in destructive or disruptive attacks. FireEye concluded the APT has been conducting intrusion campaigns against Chinese targets involved with responding to the pandemic, especially China's Ministry of Emergency Management and the local government of Wuhan. These seem to be more in the nature of espionage. Vietnam has denied any involvement, telling Reuters that the accusations are baseless. 

Dave Bittner: [00:04:48]  An arguably more menacing threat to hospitals is playing out in the Czech Republic, which continues to look toward Russia as the source of recent cyber incidents in the nation's medical facilities. Tension between Prague and Moscow continues, Radio Free Europe/Radio Liberty reports. Removal of a Prague statue of Soviet Marshal Konev, who led the army group that drove through Czechoslovakia in 1945 but who also crushed the Hungarian revolution of 1956 and was instrumental in erecting the Berlin Wall, has given offense to Moscow. So has renaming the street on which Russia's Embassy is located in Prague in honor of former Russian Deputy Prime Minister Boris Nemtsov. The inveterate critic of President Putin was murdered outside the Kremlin in 2015. Moscow regards both acts as provocations. 

Dave Bittner: [00:05:40]  On the Czech side, there's widespread outrage over cyber operations - reconnaissance and battlespace preparation, for the most part - that affected health care facilities during the current pandemic. These activities increasingly look like the work of Russian operators. 

Dave Bittner: [00:05:56]  A researcher associated with the Johns Hopkins University School of Advanced International Studies reports finding a previously unremarked campaign, Nazar, that used tools the Shadow Brokers are believed to have obtained from the U.S. National Security Agency and then leaked to threat actors. The name of the operation is a Farsi word, and there's Farsi text associated with the operation, but attribution remains murky. It would be premature to call Nazar an Iranian operation. 

Dave Bittner: [00:06:26]  The U.S. National Security Agency and the Australian Signals Directorate have issued joint guidance on detecting and preventing web shell malware. Why take up web shells? As the agencies explain, web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools. The public guidance is another instance of Five Eyes' intelligence services undertaking public outreach on cybersecurity. 

Dave Bittner: [00:07:01]  DomainTools this morning published their own study of how the domains apparently devoted to the cause of reopening normal life in the U.S. came to be and who registered them. Many of the sites, a number of them with Second Amendment themes, appear to DomainTools to have been established by Aaron Dorr, a consultant who advises political movements on advocacy and organization. Their use of a small set of common templates seemed to derive from another political consultancy, One Click Politics, which further raised suspicion that the apparently local, ostensibly grassroots sites were, in fact, astroturf. DomainTools emphasized in a conversation with us that one common feature on the astroturfed sites is a prominent and functioning donation button. This suggests to them that a nontrivial goal of the operation is making money. 

Dave Bittner: [00:07:52]  DomainTools also suggested two areas that merit some attention. First, deepfakes have been generally associated with faked audio or video content. DomainTools points out that one of the problems of astroturfing and influence operations generally is the production of useful content at scale. Sometimes, this is done through plagiarism or repurposing, sometimes - and this is something DomainTools noticed in connection with Mr. Dorr's operation - by having some lone Stakhanovite crank out a number of bylined pieces. Using the same byline does tend to blow the gaff, but it happens. DomainTools suggests that deep-learning tools can be adapted to rapidly produce good-enough written content in the service of influence. This could involve impersonation of real persons or simply generate articles that could be attributed to various sock puppets. Second, while most of the astroturf seems based domestically in the United States, there are indications that a few of them may have infrastructure in Hong Kong. That's curious and deserves further investigation. 

Dave Bittner: [00:08:58]  Remember Joker's Stash? They're back. The carding market is offering a fresh batch of stolen pay card data. The goods this time are mostly cards stolen from U.S. and South Korean users, BankInfoSecurity says. 

Dave Bittner: [00:09:13]  And, finally, Nintendo has confirmed that hackers gained access to about 160,000 player accounts, according to ZDNet. The attackers are thought to have abused a legacy login system, Nintendo Network ID, NNID, that remains in use to manage old Wii U or Nintendo 3DS accounts. What the hackers have done with the caper seems to indicate that petty minds are behind the whole thing. A lot of them are buying up Fortnite in-game currency. We know. We know. In-game currency can be traded for things of real value, used to launder illicit cash and so on. But really, Fortnite? 

Dave Bittner: [00:10:03]  And now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use, with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways, where you'll learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways and watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:11:16]  My guest today is Terence Jackson. He's chief information security and privacy officer at Thycotic, a provider of privileged access management tools. Our conversation highlights the interesting times we find ourselves in when it comes to HIPAA, telemedicine and the new normal of data regulation. 

Terence Jackson: [00:11:35]  We find ourselves today in - I call it data privacy soup. Right now, we have at least 20 states that have drafted or are in the process of drafting their own unique data privacy legislation. And that is, honestly, at the point now where it's almost untenable for the average business to keep up. I mean, every day, there's a nuance. You know, most recently, obviously, it was - what? - CCPA. And due to the COVID-19, certain parts of that they were trying to get, you know, to delay the enforcement of it because of what's going on with, you know, health and the need to share data... 

Dave Bittner: [00:12:24]  Right. 

Terence Jackson: [00:12:24]  ...Between companies now. And even with GDPR, I was on a briefing call with one of our privacy vendors, and they were just going over what's going on, like, in Europe in regards to GDPR in fact still is, you know, enforced. And, you know, you have companies attempting to scan employees - or you did before everything was pretty much shut down. 

Dave Bittner: [00:12:55]  Right. 

Terence Jackson: [00:12:55]  But we're trying to scan employees - foreheads when they were coming in to work - to, you know, scan their temperatures. And that actually crossed some data privacy boundaries, specifically in Europe. You know, where's that data going? What are you going to do with it? What's the collection purpose of it? Which is a big tenet of GDPR. You're only supposed to collect data that's absolutely needed. So was that a needed piece of data? 

Dave Bittner: [00:13:21]  Yeah. 

Terence Jackson: [00:13:21]  To the employer and their co-workers, probably say, you know, maybe. But in the grand scheme of things, probably not long term. And then if you do get a reading, then what? So it's just a lot of different things happening right now. It's interesting times. 

Dave Bittner: [00:13:38]  Yeah. Yeah. You know, yesterday I was speaking with someone who was one of the folks who was instrumental back when they were putting together HIPAA. And he was saying that the folks he's been talking to when it comes to HIPAA right now that with all of this telemedicine things and, you know, the need to be flexible with the way that patients are being treated, that basically the folks who enforce HIPAA put out the word that, you know, we're not changing any of their regulations, but we are going to change enforcement. You know, here - we're not going to go after you for some of the things we would have gone after you for given this extraordinary situation. 

Terence Jackson: [00:14:19]  Absolutely. And, you know, you bring up telemedicine. That is - has seen the exponential increases in the past couple of weeks due to the, you know, social isolation, self-quarantine. And even some of these smaller practices, where I can see this possibly becoming an issue post-COVID-19 that aren't necessarily set up for telemedicine but now are fielding phone calls from patients without the ability to really verify who they are talking to on the other end. 

Terence Jackson: [00:14:56]  So I see a potential there for, you know, exploit of medical information. And a lot of the - I guess the independent practitioners don't have a lot of the security controls in place to verify, you know, who you're talking to is in fact the patient. But then on the other end, what is the receptionist or the nurse doing with that information once they, you know, take it online? Are they writing it down, you know, notepad? You know, what's happening to the notepad? So it's just a lot of things that are happening due to the circumstances that we're in right now that I don't think a lot of the current laws were really enforced with pandemic in mind. 

Terence Jackson: [00:15:46]  This is our new normal for the, you know, for the next month or two. We really don't know. But just making sure that the people who need data can get access to it without fear of being penalized by a regulator needs to come into account going forward when these laws are crafted. And I'm a fan for a federal or national-level privacy law as long as it has some sort of, you know, oversight with private industry to help craft it, the proper SMBs are in the room and is not done in, you know, a bubble. 

Dave Bittner: [00:16:28]  That's Terence Jackson from Thycotic. 

Dave Bittner: [00:16:36]  And now a word from our sponsor, BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives in their personal lives? They're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock-solid secure. And they never ever use a weak password. As for their families, little Luke and Leia and their significant other? Well, they're pillars in the cybersecurity community, right? Right? Right? Right? Right? You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:18:04]  And joining me once again is Michael Sechrist. He's the chief technologist at Booz Allen Hamilton. Michael, it's great to have you back. I wanted to touch today on some of the issues that are on your mind when it comes to the increase in convergence when it comes to IT and OT and these transformations we're seeing with OT itself. What sort of things can you share with us today? 

Michael Sechrist: [00:18:29]  Hey, thanks for having me back. So in terms of the OT, the rise of OT, I mean, this is something that's been on the radar for many, many years. Mitre recently put out, obviously, the ICS or the Industrial Controls Security ATT&CK framework, which basically gives you kind of a lay of the land of how potential attackers are going to use certain vectors to get into these kind of sensitive networks and operational technology environments. 

Michael Sechrist: [00:18:56]  So we've got the OT, something that we're generally seeing clients wanting to expand coverage for, that they make sure that that's kind of wrapped up in any contract or sort of focus when we're not just kind of talking about IT operations, IT networks anymore. It's really that convergence we're seeing on both sides. And making sure that when we're thinking about even ATT&CK frameworks and how we're looking at threats, that we're looking at both IT and OT in addition to the other frameworks that are out there like Mobile (ph). But OT is certainly something that we're seeing as one of the key ways that clients are coming for, like, managed services. 

Dave Bittner: [00:19:36]  Now, it's my perception - and tell me if this is correct - that sometimes there can be challenges in getting those two sides of the house, the IT folks and the OT folks, to communicate effectively. 

Michael Sechrist: [00:19:50]  That's correct. You know, when you think of OT, you think of almost - first off, you've got different risk profiles, different risk tolerances on both sides of the equation in terms of IT and OT. And how we were talking before about COVID and about the - kind of infection and how that kind of would affect connectivity and availability. Availability is always an enormous concern for operational technology. OT environments are extremely sensitive. They typically have fewer remote access points, ways to enter that environment. And they keep it that way because the availability, the needs are much, much higher. So when you think about an availability potential attack or some sort of strain on availability in a network, it becomes very important as to how you're going to continue to secure those environments in a way that also protects your employees. You've got potentially - you know, when you think about even deploying a patch - right? - a lot of times you might have to put - fly in some specialists from an OT vendor and put them on site to actually physically go into the data center, physically go into some part of your production facilities and upgrade those devices. Given the limitations on travel these days, given the limitations now on essentially, you know, getting into these environments, can that be done? You know, can - do we have the employees? Are we willing to kind of put someone at risk to do that patch upgrade and get onsite these days? That's a much different conversation and not one that can be taken just within the kind of CISO realm. 

Dave Bittner: [00:21:32]  Yeah. And I suppose a real possibility that the availability of those folks, the number of people who are available to do those things could become a challenge. 

Michael Sechrist: [00:21:43]  Certainly. And it's not just kind of a challenge to their essential well-being. It's a challenge just even physically, can I actually fly to the location? Can I actually get into the office space today? Can I get into the sensitive part of the facility? You've got a lot different kind of mechanics and machinations that you didn't have prior that you do now under kind of like a COVID-19 response. And you also have a sense of - you don't have a kind of a timeline as to the duration you might have to do this or kind of the limitations as we move forward in this environment. 

Michael Sechrist: [00:22:20]  I also think about the difficulty of breach containment and of forensics. You know, during these environments, you cannot - if you have a potentially infected or suspicious - you have kind of suspicions of an infection on an OT device, there's likely no way you're going to be able to send that in the mail, you know, to move that remotely to get, you know, evaluated from a forensics perspective. And that's another challenge that CISOs should - that have to kind of consider today. 

Dave Bittner: [00:22:55]  Yeah. It really is kind of a new reality is folks are recalibrating the various levels of risk that this brings. 

Michael Sechrist: [00:23:06]  Yeah. That's correct. Ironically, we've seen some attackers, you know, realize the severity of their actions as well. It was interesting to see the Maze ransomware team offering discounts for decrypting previously infected devices through their ransomware, trying to reach out and helping delete leaked data that the ransomware had collected and not target medical organizations. So you've kind of seen at times a, you know, a change of heart even among attackers, given kind of the severity of what we're seeing in the physical world. Which is, you know, it's not necessarily a Hallmark movie story from an attacker's perspective, but it is something that is slightly positive. 

Dave Bittner: [00:23:52]  Right. Right. Yeah. All right. Well, Michael Sechrist, as always, thanks for joining us. 

Michael Sechrist: [00:23:56]  Thank you so much. 

Dave Bittner: [00:24:02]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:24:21]  Don't miss Research Saturday this week, where I'll be speaking with Mayank Varia from Boston University on privacy preserving COVID-19 tracing solutions. It's a good one. 

Dave Bittner: [00:24:31]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:43]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:24:51]  Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here next week.