The persistence of ransomware. Exposure notifications and contact tracing. Doxing and conspiracy theories. More notes on the underworld.
Dave Bittner: [00:00:05] Ransomware not only encrypts and steals data but establishes persistence as well. Apple and Google roll out their exposure notification API. GCHQ will help secure Britain's centralized contact-tracing system. A conspiracy-minded motive for doxing. Criminal markets and criminal enterprises continue to mimic legitimate ones. Robert M.. Lee shares insights on a recent ransomware incident shutting down a gas pipeline. Our guest is Drex DeFord from Drexio on cybersecurity in health care amid COVID-19. And a new wrinkle in mobile ransomware.
Dave Bittner: [00:00:45] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:37] Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for April 30, 2020.
Dave Bittner: [00:02:09] It's now a commonplace to say that ransomware gangs threaten to dox their victims as well as render their data encrypted and inaccessible. A report this week from Microsoft's Microsoft Threat Protection Intelligence Team concludes that it's not just the gangs who make the threats that are stealing the data. Even the criminals who don't threaten to steal information are doing it anyway. The data represent another revenue stream. The report also concludes that ransomware attackers don't necessarily leave a victim's networks, even after the victim has paid. Instead, they maintain persistence as long as possible, the better to position themselves for subsequent attacks. Again, there's a revenue potential there.
Dave Bittner: [00:02:51] Apple and Google have released their first developer-focused version of their jointly developed exposure notification API, TechCrunch reports. Exposure notification has replaced contact tracing, and that's probably a more accurate description, given the system's decentralized design. The beta version allows developers to tailor alerts to specific exposure criteria, including proximity and duration, and it allows users to toggle their alerts on or off. Users may also opt into sharing a COVID-19 diagnosis anonymously.
Dave Bittner: [00:03:25] The Electronic Frontier Foundation has expressed concerns, Threatpost says, that the exposure notification system suffers from a security vulnerability. There is no reliable way, the EFF, warns of ensuring that the devices sending proximity warnings are, in fact, the devices they're supposed to be and that trolling can't effectively be ruled out. There are other problems with false positives that don't require bad actors' involvement - to take some of the examples the EFF considers, two cars with windows rolled up passing side by side in traffic, a patient near a nurse in full protective gear, two people kissing. All those look about the same to Bluetooth.
Dave Bittner: [00:04:07] As the U.K.'s National Health Service proceeds with plans for a centralized contact-tracing system, the Government Communications Headquarters, GCHQ, will receive such access to the NHS system as it requires to ensure the system's integrity and security. Computing and others quote GCHQ as saying that it has no interest in acquiring personal health data and that the agency's interest is solely the security of NHS systems.
Dave Bittner: [00:04:35] ZDNet reports that more than 170 privacy and information security researchers in the U.K. have signed an open letter about NHSX's development of a centralized COVID-19 contact-tracing system. The signatories urged the health benefits of a digital solution be analyzed in depth by specialists from all relevant academic disciplines and sufficiently proven to be of value to justify the dangers involved.
Dave Bittner: [00:05:01] They have three questions. First, they'd like some reasonable assurance that any contact-tracing system would actually work as intended to help control the pandemic. Second, while politely expressing their appreciation for NHS's commitment to transparency, they ask for assurances that anonymized data won't be deanonymized to associate individuals with the information being collected. And third, they're concerned that the system might be adapted to other purposes and retained even after it had served its purpose and the U.K. has emerged from the pandemic - no mission creep, please.
Dave Bittner: [00:05:37] Drex DeFord is founder and CEO of Drexio, a health care IT consultancy. I caught up with him recently for his perspective on cybersecurity in health care amid COVID-19.
Drex Deford: [00:05:50] I think that, you know, kind of the underlying theme for me around cybersecurity given everything that's happening right now is that, you know, being in a hurry can be a recipe for disaster in general and certainly now. So we see a lot of health systems doing things like onboarding temporary staff and off-boarding temporary staff, and all of that assumes that you're making proper access to systems and moving people and access around and, you know, some larger health systems have identity and access management tools. A lot of them do this process manually.
Drex Deford: [00:06:23] I would just say, you know, there's that kind of stuff. There's certainly a ton of work from home they have ramped up dramatically when it comes to telehealth and telemedicine. And while all of that is absolutely terrific and really good stuff for health care and patients and families, when you do those kinds of things in a hurry, when you build out that kind of infrastructure in a hurry, sometimes you can make mistakes. And so those are the things I worry about for health care right now.
Dave Bittner: [00:06:52] So is this really an example of how preplanning for events like these, eventualities like these, are really going to pay off when you're faced with a situation like this?
Drex Deford: [00:07:04] I think the organizations, you know - we have in health care, especially in hospitals - we have a credentialing organization called the Joint Commission. And the Joint Commission requires health systems to do regular sort of disaster drills. I think organizations that have spent time thinking about pandemics and doing drills around those kinds of scenarios probably are in a better situation because of the experience that they've built up.
Drex Deford: [00:07:35] But realistically, no one has experienced anything like this, and no one's been able to drill for something like this. This goes on for a very long time, and most of those exercises are set up for a shorter period of time. They run maybe a day or a couple of days, and then the exercise is over. This is, obviously, much more long-term and so has been much more of a challenge for health systems.
Dave Bittner: [00:07:58] Do you have any sense for what things are going to look like on the other side of this? Any lessons that the cybersecurity folks in health care are going to take away from this?
Drex Deford: [00:08:07] Boy, two big things I would say absolutely - given the kind of ramp-up that we've had with telehealth and telemedicine, we are at a state in really just a few weeks where a lot of the work that CIOs and health systems have tried to do over the past several years has come to fruition. So I think the reality that health systems - some health systems who did maybe a few dozen telemedicine visits in a week before all of this and now do hundreds a day - it's going to be hard to go backward on that.
Drex Deford: [00:08:42] And the other thing is work from home. I think work from home is - was a challenge in the beginning. It's only been a few weeks. I think it's still a challenge for a lot of people. But realistically, by the time this is over, we're going to have a lot of folks that have built new habits around working from home. They're going to be really comfortable with working from home. And so cybersecurity professionals and organizations in general are going to have to deal with, I think, a new environment where we're going to rethink who can work from home and what kind of benefits we get from that work-from-home scenario.
Dave Bittner: [00:09:16] That's Drex DeFord from Drexio.
Dave Bittner: [00:09:20] BitDefender has taken a look at cybercriminals' activity during the pandemic and concluded that all of the warnings about cybercrime, as good and widely received as they've been, really haven't produced much of a reduction. They saw a fivefold increase in COVID-19-themed cyberattacks during March, and they think it likely that when April's returns are in, they'll see a comparable rise. A lot of the crime is conventional fraud and phishing with clickbait that appeals to the victims' fears about the coronavirus. But the New York Police Department is seeing a more repellent form of criminal extortion. Some hoods, The Daily Beast reports, are threatening to infect victims' families with COVID-19 should the victims fail to pay protection. The threat is empty, and the NYPD wants everyone to recognize it as a bluff.
Dave Bittner: [00:10:09] With that in mind, one might turn to a Digital Shadows report on the apparently softer, more human side of the criminal underworld - charitable endeavors on cybercriminal forums. There's some chatter, probably posted with a mixture of cunning, idleness and a very small dollop of sincerity, that urges participants in criminal fora to engage in charity, diverting some of their take to the care of widows and orphans and to other good causes. The chatter is interesting because it shows another way in which criminal markets mimic legitimate ones, not only with customer service, competitive pricing and other features of commerce but even with gestures towards social responsibility and even philanthropy.
Dave Bittner: [00:10:52] Some of the criminals are having none of it, sensibly pointing out that the sort of crime they're engaged in is, by its very nature, immoral. Others seem to worry about making a kind of expiation for their crimes - at least, that's what they say. So an interesting light on a corner of the criminal market - but don't build too many hopes on the Robin Hood urge. Remember how those promises to leave hospitals alone worked out.
Dave Bittner: [00:11:18] And finally, bogus scareware threats have been around for years. These usually tell users that some law enforcement organization, usually the FBI, has found the users to be up to no good and that the users must pay a fine to avoid further trouble. The scare is usually delivered by email or displayed in a browser. But CyberScoop says there's a new wrinkle. Ransomware is encrypting Android devices and delivering a note impersonating the FBI. The Bureau is offering decryption once the fine is paid, or so says the hoods. Most of the victims have been in Eastern Europe, and the ransomware itself has been traded in Russian-speaking criminal markets. Needless to say, the Bureau doesn't collect fines this way.
Dave Bittner: [00:12:09] And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single-sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single-sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:13:51] And joining me once again is Robert M.. Lee. He is the CEO at Dragos. Rob, always great to have you back. We saw this story come by about a ransomware attack that had hit a gas pipeline facility. DHS had published some information about it. I wanted to get your insights. What do you think's going on here?
Robert M. Lee: [00:14:11] Yeah, absolutely. This one was a bit confusing for folks in the way that it was handled. Nobody did anything inappropriate, but just coms are always difficult around things like this, especially to a wide community. So the pipeline disruption did occur. So it shut - absolutely shut down the ability for it to operate fully for - two days is what it was being reported as due to ransomware. And this is not uncommon, and there are a lot more of these ransomware cases that are impacting industrial operations than ever gets made public. It's just these companies usually have a lot of focus on trying to recover correctly.
Robert M. Lee: [00:14:46] So the reality, though, the reason it was kind of confusing is the Coast Guard already came out and talked about this at the end of last year. So the end of last year, Coast Guard came out and said, hey; there was a disruption in the pipeline, and here is the impact. And, you know, here's some details that we can share. And then DHS came out in February and published on a cyberattack on a pipeline. What the two government entities didn't say, which became obvious later, was that it was the same event. And so I think because of the delay in reporting on the DHS side - which is, again, understandable - I think there was a lot of confusion thinking that these were two separate events.
Robert M. Lee: [00:15:25] And when we look at it, it was also a little bit confusing - I had to explain this in my SANS class to folks - where DHS and their CISA agency, the Cybersecurity and Infrastructure Security Agency, have said onstage, have talked in front of Congress, have had these conversations around we don't do instant response. Like, if you are out in the community, you should first call and make sure you have plans. Like, we're not your instant response team. And then the report launches, and it says, CISA did instant response to this pipeline facility, and it's like, well, hold on now. What does that actually mean? And it really - I mean, everyone's being honest about it. It just comes down to, like, what you define as instant response.
Robert M. Lee: [00:16:02] So for private sector companies, you're still expected to have your own plan, to have your own teams, to work with your outsource providers if you're outsourcing any level of instant response, which - most folks do have an instant response plan with some external vendor. You're supposed to do all that. And you should also look to be able to include your government partners when you find reasonable to include the CISA, as they have both the responsibility as well as a number of tools at their disposal. And what they define as instant response is really being available to you to provide any insight of what's happening in the larger community, to go and be in person with you and provide any counseling they can or kind of guidance, but they're not getting hands-on-keyboard. They're not doing collection. They're not doing that type of work. So what the private sector would define as instant response and what the government would define as instant response is a little bit mismatched here, which made it a little bit more confusing.
Robert M. Lee: [00:16:54] So do I think it's fair to call both instant response? Absolutely. It just comes down to - if you are an infrastructure provider, you should really spell out roles and responsibilities in the incident to all parties involved, whether they're government or not. And on the government side, I would suggest that, you know, agencies work together to make sure that there's consistent reporting so that we don't potentially flavor one event as if it's two. And, honestly, with no offense to any specific government agency, the right place to report these things out is the DHS. Like, that is - their singular role is being able to be the central organizing authority, and the CISA is very well-positioned with great expertise inside that organization to be able to be that central communications authority around what the government is working on.
Dave Bittner: [00:17:43] Now, help me understand here because I would say my understanding is that in most cases with ransomware, the ransomware has been able to get to the business systems of organizations like this. But in this case, it was able to hit the control systems. Is - first of all, is my perception correct that that's usually the way things go - that people are generally doing a good job protecting those operational systems?
Robert M. Lee: [00:18:07] So I think both of those things can be true. So...
Dave Bittner: [00:18:10] OK.
Robert M. Lee: [00:18:10] Are folks putting a lot of resources today into segmenting their operations technology environment? Absolutely. However, not a lot is being done. It's getting better, but not a lot is being done widely on monitoring and understanding what's happening in the operations environment. And so one of the things that we normally highlight to folks is that you may have segmented correctly your IT environment, even though we do find the ability to move into those environments pretty regularly. One of our year in review reports highlighted that over 70% of the time, we could traverse from the IT into the OT network. It's like - it's just you have to be able to for what you're running in business.
Robert M. Lee: [00:18:49] But the thing that most people don't normally immediately fully understand is that those operations environments are also connected to maintenance personnel, original equipment manufacturers, vendors, supply chain, et cetera remotely and shared network access. So just doing things in the IT network doesn't prohibit things coming into the OT anyway. So without saying that folks aren't taking it seriously - because they do - I will say that we are definitely not where we would want to be in operations technology security today, although the trend line is definitely aggressively moving in the right direction. And I think it is also not necessarily true that these things normally just happen in the IT networks. There have been dozens of cases where ransomware has been on the operations side of the house across the world or in the last year.
Dave Bittner: [00:19:40] All right. Well, Robert M.. Lee, thanks for joining us.
Dave Bittner: [00:19:47] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.