The CyberWire Daily Podcast 5.15.20
Ep 1089 | 5.15.20

Malware versus air-gapped systems. Ransomware against utilities and hospitals. Lessons for cybersecurity from the pandemic response. Outlaw blues.

Transcript

Dave Bittner: [00:00:03] More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The U.S. Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back, maybe a step or two forward. Robert M. Lee surveys ICS security around the world. Our guest is Ian Pitt from LogMeIn with lessons learned while working remotely during COVID-19. And criminals increase ransomware attacks on hospitals and swap templates to impersonate government relief agencies. 

Dave Bittner: [00:00:41]  And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms," everything you need to know about security, orchestration, automation and response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR, and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:01:50]  Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud, to protect the latest like containers, to empower your change-makers like developers, and to enable business accelerators like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 15, 2020. 

Dave Bittner: [00:02:22]  Two more malware strains targeting air-gapped systems have joined the Ramsay malware ESET described Wednesday. Trend Micro has announced its discovery of USBFerry, a tool the Tropic Trooper threat actor is using against Philippine and Taiwanese military targets. Tropic Trooper, also known as KeyBoy, is probably a Chinese government unit. And Kaspersky has found COMPfun active against European diplomatic organizations. The researchers attribute it to the Turla APT, a Russian state-sponsored operation. The functionality that gives all three tools the ability to work against air-gapped systems is neither particularly spooky nor exotic - it's the way they move malware and data between targeted systems and removable storage media. Eventually, somebody plugs something in. 

Dave Bittner: [00:03:12]  The British electrical utility Elexon yesterday disclosed that its internal IT systems and laptops had been affected by an unspecified cyberattack. ZDNet thinks it looks like a ransomware attack, perhaps enabled by Elexon's use of an outdated and unpatched Pulse Secure VPN. In any case, as The Guardian reports, the lights stay on. Transmission remains unaffected. Apparently only business systems were affected. 

Dave Bittner: [00:03:39]  A quick note to avoid confusion on the part of American listeners. The British utility is "Elexon," not, as a few media reports have written, "Excelon," which is an American power company, and indeed, the corporate parent of our own local Baltimore Gas and Electric. 

Dave Bittner: [00:03:56]  The US Cyberspace Solarium Commission, whose report led with an introductory work of fiction that imagined Washington laid low by a massive cyberattack against infrastructure, the Capitol reduced to a hellscape that could be safely viewed from no closer than Reston, sees lessons in preparation from the pandemic. The co-chairs of the commission, Senator Angus King, Independent of Maine, and Representative Mike Gallagher, Republican from Wisconsin's 8th, are ready to talk to Congress as the COVID-19 emergency begins to abate. And they hope, according to The Washington Post, that legislators get the lesson that it's important to prepare for a disaster before it hits. Senator King told The Post, quote, "I think COVID has taken public attention away from cybersecurity, but for policymakers, it's underlined the importance of having a comprehensive strategy in place and really strengthened the case for the actions we recommend. We're in the middle of a crisis that has shaken people to say we can't go back to business as usual," end quote. And there are some signs that Congress may be willing to listen, at least a little. Two of the commission's recommendations - creation of a national lead for cybersecurity in the White House, with a significant budget and staff - and both planning and spelling out clearly the consequences adversaries will face should they mount a serious cyberattack against the US, appear to have gained traction with lawmakers over the past month. 

Dave Bittner: [00:05:19]  That second recommendation is reinforced by the emergence of a more hawkish consensus about China that's emerged during the pandemic. The Post quotes representative Gallagher on both points. Quote, "you look back on the 9/11 Commission, and you realize how much good work was being done before the attack. But it was all siloed at different agencies. We want someone who's in charge and coordinating efforts across the government, forcing discussions across agencies about different scenarios in how we can prepare for an attack." He also said, "I think, if nothing else, when the dust settles on coronavirus, it will harden the hawkish consensus on China and add energy to this effort to wean ourselves off our dependency on certain things produced in China," end quote. 

Dave Bittner: [00:06:05]  The Cyberspace Solarium Commission is expected to release by the end of this month a follow-on report summarizing the lessons it's drawn from the COVID-19 emergency. The mild-looking Senator King seems an unlikely counterpart of The Thing from the Fantastic Four, but he appears to have adapted The Thing's battle cry to cyberspace. Put down them hankies; it's clobbering time. 

Dave Bittner: [00:06:29]  At the end of a week in which British NHSX's contact-tracing system faced skepticism about both its legality and its efficacy, NHS gets some good news from the pilot being conducted on the Isle of Wight. The Telegraph reports that more than half the people there with smartphones have downloaded the app. Fifty percent has generally been regarded as representing the floor of adoption rates that might actually make a difference in controlling the spread of the disease. 

Dave Bittner: [00:06:56]  The Telegraph also has an overview of the various technical adjuncts to traditional quarantine and contact tracing various nations have tried. The approaches fall on a spectrum between people's willingness to volunteer and intrusiveness - Bluetooth-based exposure notification to GPS-based movement tracking, thermal cameras in public places to nearly ubiquitous facial recognition surveillance and so on. 

Dave Bittner: [00:07:21]  There are also questions about the amounts of public resistance to tracing and tracking authorities can expect. A Washington Post-University of Maryland poll taken at the end of April concluded that most Americans would be either unable or unwilling to install contact tracing apps voluntarily, and if most of the noncompliant don't fall into the unwilling category, then we don't know Arkansas. 

Dave Bittner: [00:07:44]  Finally, can we all agree that criminals don't, in fact, have the common good at heart? Still think there's public-spirited honor among thieves? Well, consider this - The Wall Street Journal reports that Europol has warned of criminals increasing the rate of ransomware attacks against hospitals providing urgent care during the pandemic. This is as economically rational as it is morally depraved. The hospitals are more needed than ever, and the reliability and availability of their data are more important than ever, which the criminals calculate will make them all the more likely to pay a hefty ransom. 

Dave Bittner: [00:08:19]  The underworld is also paying attention to how it crafts its phishbait. Proofpoint has found a number of templates in circulation that help criminals craft more convincing spoofs of government messages, especially messages involving the emergency relief programs so many of those in economic trouble find themselves hoping to use for a leg up out of their difficulties. The templates are most often used in credential harvesting scams. Robin Hoods? Honor among thieves? Ah, phooey, as Woody Woodpecker would say. And Woody Woodpecker knows. 

Dave Bittner: [00:08:59]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources, no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:10:41]  My guest today is Ian Pitt, chief information officer and senior vice president at LogMeIn. He brings us insights on what folks in the password management and authentication business have learned during this global shift toward working remotely during COVID-19. 

Ian Pitt: [00:10:58]  Yeah, as the CIO for a global company that also does collaboration tools, I get to look at two sides of the situation, both getting 4,000 people home in a company that had a heavy office dependency but also set up to work from home periodically, to actually move people back full time and then keeping the lights on for millions of our customers. Looking at both sides of the coin, we've got our own internal team members of which that's 4,000 people around the world and then millions of our customers. 

Ian Pitt: [00:11:32]  So the initial focus was absolutely to get all the team members in a spot where they were safe, isolated, adhering to any state or local regulations, making sure that they could help keep the company afloat because we're also supporting millions of external customers, and if our team members aren't healthy, then that's going to detract from the external crowd. So very quickly we had to move the remaining of the 4,000 people, get them set up, give them guidance on what to take with them and how to set themselves up at home and help them in that transition. 

Ian Pitt: [00:12:08]  After that, then we started looking at the production capacity, and it became clear that many other customers were doing exactly the same as us, and our traffic channel went off the charts. We had to stand up additional capacity in a very short space of time to make sure we're offering a quality service to people around the world. 

Dave Bittner: [00:12:26]  It seems as though we're in for perhaps another few months of this ahead of us. Do you have any tips or advice for folks to - in terms of keeping vigilant throughout this? 

Ian Pitt: [00:12:41]  Yeah. There's a whole bunch of standard things people should be doing anyway. But perhaps it's always good to remind them, and that's looking at security as being multilevel, from the devices you're using, your home network. Some people have gone out and bought new routers, new firewalls to get ready for the long haul. It wouldn't be unheard of for people to forget to change those passwords, either on the network access or the device itself. So we do constantly remind people that no matter what your stance is in the office, you have to take it to the next level at home - so password quality, make sure your devices are secure, make sure you don't have people eavesdropping. A challenge can be in high-density populations, there's always people looking to ride on top of existing traffic, and so make sure that your encryption keys are nice and strong. 

Dave Bittner: [00:13:34]  What about tracking the emotional component of this? You know, it's - I think it's realistic and reasonable to expect that everyone might not be at their best, which means that they might not be capable of being as vigilant as they would otherwise be. How do you integrate that reality into an organization as large as yours? 

Ian Pitt: [00:13:57]  We got the technology under control pretty quickly based on what we do as a company, which gave us the opportunity to actually start looking at people's well-being. And to be honest, most of our conversations now with HR, our chief of staff, our general counsel, myself - the group of people that we formed for a business continuity program - spent a lot of time thinking about the well-being of the team members. In terms of the - keeping everyone sharp, it's - it comes down to encouraging people to actually step away from the desk periodically. It's too easy when you're sitting at home to get to your desk at 7 in the morning and start working. And all of a sudden, the sun's gone down again at the other end of the day. We are making sure that people actually step away, either for an hour, actually sit down, take coffee somewhere. Sit down with your family. Have a real lunch rather than just on the go. And the company is also encouraging people just to have a complete downtime day - no laptops, no computers. And we're finding that is starting to really work wonders with the team. And I think it's important for the companies to do the same, otherwise the team members are going to get burned out. And that's where errors come in. And that's where the bad guys get an edge into the organization. 

Dave Bittner: [00:15:15]  That's Ian Pitt from LogMeIn. Don't forget, you can catch an extended version of our interview when you sign up for CyberWire Pro. You can do that on our website. 

Dave Bittner: [00:15:29]  And now a word from our sponsor, BlackCloak. Securing your company's data, intellectual property and reputation is job No. 1. But you have a big gap. You can only secure your executives' computers and devices that are part of the corporate network. You can't control the cybersecurity or privacy of their homes, devices, personal accounts or other family members. Attackers know this and, especially in these trying times, are actively exploiting the soft underbelly of the company by targeting your executives' digital lives. BlackCloak's cybersecurity platform solves your coverage problem. Their trusted team actively protects all personal devices, accounts, homes and family members so that a breach on the personal side doesn't take down your company. In fact, over 37% of BlackCloak customers have an intrusion discovered during their onboarding. Onboard your executive team in under a week. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:16:46]  And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I wanted to get your insights on the state of ICS security around the world. In other words, as we travel around the world to different nations, to different continents, how much variability is there when it comes to different organizations and their ability - the state of things, their ability to defend themselves? Where do we stand? 

Robert M. Lee: [00:17:17]  Yeah. Oh, man. Asking the question right out in front of everything. Like, Rob, would you like to make angry all the people around the world that are about to be called number 2? Yeah. Great. Great. Thanks, man. I always appreciate these softball questions. 

Dave Bittner: [00:17:27]  (Laughter) Sure thing. I'm here for you. 

Robert M. Lee: [00:17:27]  Yeah, absolutely. So here's my candid point of view. And I mean this with all due respect. I feel like Ricky Bobby. All due respect, you know, to all those that are about to get upset. But here is my perception and experience with different industries and different geos. And I do think it is important to also break out the different industries in ICS across those different geos. So here's how I kind of view it. I view there to be kind of this waterfall where there's the leading and then there's a little bit behind per industry and then there's the leading and a little bit behind per geo. And they kind of overlap nicely. So when I look at who is the most mature ICS industry and geo overall, I would say the electric sector in the United States. And they've had very significant regulations for years, which regulation is not security, but it's put a lot of focus on it since, you know, 2005 timeframe, 2004 timeframe when you had the major incidents and looking at being able to take security a little bit more seriously. 

Robert M. Lee: [00:18:32]  And I think even the White House was communicating in the sector PDD 63 back in 1998. Like, hey, you got to get ahead of this - electric sector of the United States by far. The thing I will say about that, though - and this is true for everybody - is the status of the industry today was essentially doing the IT security controls that made sense or - honestly, it makes sense - but didn't break the ICS over in the operations environment. So the status of everyone around the world has been copy and paste the IT security controls out of frameworks - GRC, standards, regulation, etc. - and use them in operations. And that was good. And we were all doing the right thing with what we understood of the threats. 

Robert M. Lee: [00:19:17]  These last couple of years, we have had an increasingly keen understanding of how these threats operate in the industrial networks. And the IT security controls don't work in the same way, and many of them aren't effective against the techniques we see. So I would say we're all behind the curve but not because people have been doing things inappropriately; it's just because we now know more, and now we understand the next phase of challenges we have. 

Robert M. Lee: [00:19:46]  So that being said, I would say the - industrywise, I generally see electric in No. 1. You know, oil and gas kind of comes in No. 2 in most places. After that, I would actually say, probably, more along the lines of, like, rail would be there, which is kind of surprising, I think. A lot of people don't think about rail as ICS in general, but they have tons of it, and they are starting to take it more seriously. After that, probably food and beverage manufacturing. Getting into probably below that - other types of manufacturing. Below that, probably organizations like mining. Below that, you start to get into your other types of operations environments, just as a general - we don't have enough data, and there's a lot of stuff going on, like water and similar. So it's - we know that there's not a ton going on, but it's also not too fair to critique it because we don't have a lot of the same insights that we have in, say, other industries. So that's kind of the flow of the industries. 

Robert M. Lee: [00:20:42]  Now, there are individual companies that have, by and far, blown past that. So it's not saying, like, every company is the same - but just as a general industry. I mean, I think that there's something to be said about the community in each one of those industries and being connected together. On geos - so take that waterfall of industries and apply it to every geo. I would say North America, especially in the U.S. - this is a very American thing for me to say anyways, but your U.S. industry is definitely forward-leaning... 

Dave Bittner: [00:21:11]  (Laughter). 

Robert M. Lee: [00:21:11]  ...And trying to take things as seriously as they can. So that's the first one. I would say the second is - and it's hard to go regions now; it's probably more appropriate to go countries. But I would say the second is some of the countries in the GCC, or the Gulf Coast countries. They're very keenly aware of the risks, and they're trying to take it very seriously as well, and so they're trying to put a lot of focus on it. Then probably after that, it might be, like, Australia. And then after Australia, I would think some countries in Europe but not Europe overall. Then there are some countries in Asia - like, Singapore is trying to do a lot around this topic, and they've talked broadly about having, like, an OT security strategy for the country and published that document. And then sort of everybody trickles after that. 

Robert M. Lee: [00:21:58]  Now, I think the surprising thing there is people would normally expect it to be U.S., then Europe, then kind of everybody else, and it's just not. I think it's U.S., some countries in the GCC, Australia, some countries in Europe, the rest of the countries in GCC, the rest of the countries in Europe and then kind of everybody else. 

Robert M. Lee: [00:22:15]  You are either in a country that - and this is so biased, by the way, just here's my 2 cents. You're either in a country that has an intelligence community that has focused on this for decades. So this will be, like, your Five Eyes countries, like Canada, U.K., U.S., Australia, New Zealand. And so they had a lot of people that kind of understood the challenge and then moved into the private sector and brought with them some of that expertise, or you were getting punched in the face a lot. And then you look in, like, the GCC, like, they know who their adversaries are, and so they're developing this keen expertise. And they have more opportunity to develop expertise than probably any other country in the world right now. And so they're - I see some of those countries and some of those companies in those countries, like, rising to the occasion. 

Robert M. Lee: [00:23:00]  Then there's kind of everyone else going, well, how much does this impact us? What is the real risk? You know, I visit with a number of European companies - like, ah, we just really care about resiliency. Like, who cares about, like, the threat. And it's like, dude, do you know you're really close to Ukraine, and that's (laughter), like, where a lot of this is happening? And I think it's... 

Dave Bittner: [00:23:16]  Right. 

Robert M. Lee: [00:23:16]  ...That kind of - hey, guys, you need to take it seriously. And in some of those countries, they understand the impacts and the threats and can name them and take it very, very seriously. 

Dave Bittner: [00:23:27]  Yeah. All right. Well, as always, interesting insights. Thanks for sharing them. Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:23:39]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, help you sleep at night. Listen for us on your Alexa smart speaker, too. Don't miss Research Saturday over the weekend, where I speak with Phil Neray from CyberX. We're going to be talking about Gangnam Industrial Style, an APT campaign that targets Korean industrial companies. That's Research Saturday. Check it out. 

Dave Bittner: [00:24:12]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:24]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.