The CyberWire Daily Podcast 5.18.20
Ep 1090 | 5.18.20

Supercomputers as cryptomining rigs. UK grid operator recovers from hack. EU Parliament data exposure. REvil ransomware gang promises dirty laundry. US-China conflict. Catphishing.

Transcript

Dave Bittner: [00:00:03] European supercomputers were hacked by cryptominers. UK electrical power distributor recovers from its cyberattack. A database containing personal data related to the EU Parliament is found exposed. REvil says it's got the celebrity goods but has yet to show its hand. The U.S. and China move into a new round of trade and security conflict. Justin Harvey shares insights on how companies are adjusting to the new remote working environment and the impacts to their security posture. Our guest is Ehsan Foroughi from Security Compass on compliance issues. And catphishing with some pretty implausible impersonations of U.S. Army generals.

Dave Bittner: [00:00:47] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems, more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, quote, "There's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop." See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.

Dave Bittner: [00:02:14] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 18, 2020.

Dave Bittner: [00:02:23] The motivation behind the attacks on European supercomputers first discovered in an incident at the UK's ARCHER National Supercomputing Service is now clearer. The attackers were cryptojacking, ZDNet reports. ARCHER has been updating its status regularly. Der Spiegel has reported attacks at six facilities in Germany. Last Thursday, the Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities also closed outside access to its systems. TU Dresden took the same action for its Taurus system. On Saturday, Switzerland disclosed a similar incident at CCSC. The European Grid Infrastructure Computer Security Incident Response Team confirmed that the intruders were seeking to use the supercomputers as cryptomining rigs.

Dave Bittner: [00:03:12] Elexon, a middleman in the UK's electrical grid, continues to recover from the cyberattack it sustained last week. Industry Week, while noting that the incident did not compromise power distribution, argues that the attack should place infrastructure operators on alert.

Dave Bittner: [00:03:31] The European Parliament told Politico Saturday that a database holding information belonging to some 1,200 elected officials and their staff members, along with some 15,000 other accounts of EU affairs professionals, was found exposed to the Internet. The database belonged to the European People's Party. And the system that held it, while operating under the EU Parliament's europarl.eu domain, wasn't hosted by the Parliament itself. The exposure was discovered by researchers at Shadowmap, and EU Today writes that this raises questions about the Parliament's own security.

Dave Bittner: [00:04:08]  The FBI pointed out that the extortion attempt the REvil ransomware gang made against the boutique celebrity law firm Grubman Shire Meiselas & Sacks may amount to an act of cyberterrorism and that paying terrorists ransom can be a violation of federal law. That angered the gang, Forbes reports, and the hoods released a lot of anodyne and generic emails purporting to be a foretaste of the dirty laundry they have on President Trump. The dump didn't prove that they had much of anything. The emails weren't by President Trump, who's not a client of Grubman Shire Meiselas & Sacks, and they appeared to include mere mentions of his name and uses of the verb to trump. 

Dave Bittner: [00:04:50] The path of compliance can be a tricky one to walk, with a patchwork of state regulations here in the US, California's CCPA and, of course, the reigning global champion GDPR. Ehsan Foroughi is VP of products at application security firm Security Compass.

Ehsan Foroughi: [00:05:09]  To be honest, I see ourselves in an increasingly steep curve of more and more regulations being introduced. The technology landscape is getting more complex, and the regulatory bodies are trying to keep up - alas, a bit behind. But there are new regulations being introduced left and right. And doers, engineers, the business people are having a bit of a challenge keeping up with all these regulations. 

Dave Bittner: [00:05:40]  And I suppose, I mean, it's fair to say these regulations are coming from somewhere. There is a hunger for them. People want to have the protections that they provide. But of course, that provides regulatory burdens on the business owners. 

Ehsan Foroughi: [00:05:53]  It is true. The challenge with that is that everything is getting connected. It's no longer the case that only we are limited to certain software on the Internet. Even the power generation systems, industrial control systems, our homes are all being connected to the Internet. With connectivity, there are new concerns. There are privacy concerns. There are data protection concerns. And regulatory bodies are trying to do their best to keep up. 

Ehsan Foroughi: [00:06:24]  I know businesses look at these compliance and regulations as a challenge, but they're also kind of a necessary evil, right? It's hard to protect the public interest, specifically in a competitive landscape where people that can cut corners and get ahead could win in the market for a short time before something bad happens to their clients and their public. So the regulatory bodies step in, try to put this in. But it also increases the cost for the manufacturers, for the business owners. 

Dave Bittner: [00:07:03]  Where do you come down on the notion that what we really need here is a federal regulation that will supersede the ones being made by the states? 

Ehsan Foroughi: [00:07:13]  Well, like in any kind of situation, you start by having some states that are forward-thinking. Take California. They are leading the way into starting a law there. And the federal government will start taking a step behind them. And then it comes down to, can they consolidate into a national and international level of standard? This is where the critical role is on the compliance bodies like National Institute of Standards and Technology - NIST - to come out with a good compliance standard that is balanced, that keeps the interests of both sides - of the public side and the business side in mind, something that can take traction. And if the traction is there, I don't think the states would be inclined to have their own version of compliances more and more. 

Dave Bittner: [00:08:14]  Yeah. That's really interesting. It's, you know, an investment in your future (laughter). You - pay me now, or pay me later. 

Ehsan Foroughi: [00:08:21]  Yes. It's paying small installments now or pay in a big chunk later on. 

Dave Bittner: [00:08:28]  That's Ehsan Foroughi from Security Compass. 

Dave Bittner: [00:08:32]  The US Commerce Department's announcement late last week that it would extend licensing requirements to semiconductors made abroad but with US technology is clearly aimed at companies on the Entity List, notably Huawei and ZTE. The decision will, among other things, affect the company's ability to import chips made in Taiwan by TSMC. It's also been coldly received by Beijing, Reuters and others report. Global Times, a Chinese government news outlet, quotes a source to the effect that "China will take forceful countermeasures to protect its own legitimate rights." 

Dave Bittner: [00:09:08]  Qualcomm, Cisco and Apple - and possibly Boeing, as well - are among the US companies Beijing suggests will bear the brunt of what Global Times characterizes as a counterattack. They all face placement on an unreliable entity list and close scrutiny under applicable Chinese cybersecurity and anti-monopoly laws. Global Times, to quote them again, blames the US measures for dragging Washington and Beijing into a "tech Cold War." 

Dave Bittner: [00:09:37] And finally, who knows more about matters of the heart than the United States Army? No one, friend. That's who. But sorry, ladies. We hate to tell you it's not General Nakasone flirting with you by email from a US Cyber Command outpost in Syria. As CyberScoop points out, you're being catfished. It's especially poetic that the phishbait that initiated this whole business was chatter about the musical "Hamilton," perhaps including an appreciation of the Aaron Burr aria: "Love doesn't discriminate between the sinners and the saints. It takes and it takes and it takes, and we keep loving anyway."

Dave Bittner: [00:10:15]  Anywho, somehow this involved well-intentioned social media correspondence with another catfish who claimed to be General Steve Lyons, head of US Transportation Command. The faux general recommended that his correspondent, a woman identified only as Susan, spin the wheel of fortune and reach out to his colleague, US Cyber Command Commanding General Paul Nakasone who, the catfish said, was deployed to Syria, going on patrols and doing a lot of paperwork. He was a lonely widower in need of companionship. 

Dave Bittner: [00:10:47]  For the record, General Nakasone is not a widower in Syria. He's happily married and busily employed at Fort Meade, Md. The paperwork part - OK. But the rest of it? It's just a bunch of hooey. The US Army's Criminal Investigation Command shared a list of red flags with Business Insider, the sorts of things you can take as signs you're looking for love in all the wrong places. 

Dave Bittner: [00:11:11]  So when you get that email from a US Army general, madame, you are to consider - a general officer will not be a member of an internet dating site. That seems right. Soldiers are not charged money or taxes to secure communications or leave. Yep, yep - check. Soldiers do not need permission to get married. Who knew? We all know now. Deployed soldiers do not find large sums of money and do not need your help to get that money out of the country. Check and double check. 

Dave Bittner: [00:11:43] One can sense the weariness behind Criminal Investigation Command's words. Look. We get it. The heart has its reasons which reason knows not. But come on, heart, think for a minute. Susan did. She recognized that the whole thing seemed kind of weird. She wasn't in the market for a date in any case. It should be unnecessary to say this, but it's probably not - neither general had anything to do with this nonsense. It's just some inartistic bozo looking for a quick online score.

Dave Bittner: [00:12:14]  Now, we're just spitballing here, but we imagine CIC's red flags would be wavable with any other military organization in the world - the People's Liberation Army Navy, the Royal Army Veterinary Corps, the Republican Guard, even - heaven forfend - the United States Space Force. You get the picture. 

Dave Bittner: [00:12:39]  A quick reminder that you can access extended versions of many of our interviews when you subscribe to CyberWire Pro. My interview with author Thomas Rid, for example, covers a lot of ground we simply didn't have time to include in the daily podcast. You can check that out and find out about all of the benefits of CyberWire Pro at our website thecyberwire.com. 

Dave Bittner: [00:13:01]  And now a word from our sponsor Thycotic. Thycotic protects companies from cyberattacks by developing innovative technologies that secure privileged accounts across the modern enterprise. Thycotic recently partnered with Cybrary to conduct a global survey of IT professionals, focusing on how organizations are implementing least privilege. Their new survey report shows overprivileged users are still a big challenge for IT professionals. The report reveals important insights for anyone planning or already down the path with their own least-privileged security program. From the survey, they found that even though least privilege is a top or urgent priority, most organizations struggle with complexity and user complaints when implementing a least privilege security strategy. Go to thycotic.com/cyberwire to download the report now and get more details about the survey results, the key takeaways and recommendations for how to ensure success in your least privilege implementation. Again, that's thycotic.com/cyberwire to download this special report on the state of least privilege. And we thank Thycotic for sponsoring our show. 

Dave Bittner: [00:14:16]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, always great to have you back. I wanted to check in with you on some of the things that you're seeing and tracking when it comes to these adjustments folks have made working remotely and how that's affecting their security. 

Justin Harvey: [00:14:33]  Yeah. We're seeing all of these enterprises out in the world and not just in North America. They're all pivoting to remote work for their employees, and there is an impact to their cybersecurity posture by them making that move. And we're also seeing more adversaries that are kind of switching their game up. And really, for high-profile targets and high-value victims out there in enterprises, we're seeing that adversaries are trying to track them down and get to their home machines. And the reason that we're seeing that is that more and more employees are working from home, and not everyone has a laptop. Some of them actually have - use their home workstations, and they install their VPN client. They install their email client on there. And essentially, what happens is it makes - it essentially extends the surface - the attack surface of the enterprise to cover the home as well. And the net effect of that is that you'll see more and more adversaries - or we've seen more and more adversaries that are targeting home users of enterprise employees in order to find an easier soft target, if you will. 

Dave Bittner: [00:15:48]  Now, I was thinking about you and your team because you and I have talked about how, when you would go and do incident response, that you would travel. And you guys had, you know, big - you had racks of hardware that you would - you know, flight cases that you would pack up and go and, you know, descend upon a situation and make order out of chaos. How has that changed given this environment where you can't just drop in on people and even things like flights aren't happening? 

Justin Harvey: [00:16:16]  Well, what's lucky for us is that we are able to do most of the work that we do remotely. In cases where we do need to take a physical forensic image of a machine or a device, then we can leverage the client that we're working with and give them instructions. You need to go down into this cubicle. You need to put this USB drive in and so on. But we still have obligations out there. We do have retainers for some very large institutions. And if something were to go wrong, we may need to send employees onsite. But we talked as a global team at the beginning of this pandemic, and many people volunteered to travel or to put themselves in harm's way if it was for a good cause. So if there are any interruptions to our supply chain, if there are any attacks versus health care and health systems or the systems that are being utilized to develop or deliver life-saving processes, then, myself included, we are all volunteering to show up onsite and to fight the bad guys. But luckily, we haven't had any of those cases come in that have required us to travel. 

Dave Bittner: [00:17:34]  Have you seen any shift in the pace of things, either up and down, of things speeding up or slowing down? 

Justin Harvey: [00:17:41] Absolutely. We are seeing a heck of a lot more ransomware cases out there and not just your typical I'm browsing an email and I clicked the wrong link and then I have ransomware. That's more of a commodity-type operation. It's a drive-by, if you will. We're seeing less of those, and we're seeing more adversaries that are using advanced techniques to breach the perimeter, establish a beachhead and then move laterally in order to escalate privileges and then deliver their ransomware setup from the ground up to be delivered and kind of custom set up. And we're seeing about a 40% increase since the beginning of this pandemic on those types of targeted ransomware attacks.

Dave Bittner: [00:18:30]  Wow. Wow. Yeah, that's - I mean, that's a real number, right? 

Justin Harvey: [00:18:35]  Yeah, it's - the trick here is that many enterprises are not used to having all of their workforce work remotely. And there are a lot of changes that need to happen to a security operations center to think about that remote mindset. Imagine if, one day, all of your employees were in the office and working, and you knew exactly where everything was. And then the next day, none of them are there. They're all out in the wild. And so there's a lot of things like - you need to focus on privileged access, control points, VPN terminations and focus on those sort of control points that are not normally used as much. Now they're the main vehicle for employees to get into your enterprise. And monitoring posture needs to shift as well. 

Dave Bittner: [00:19:25]  All right. Well, Justin Harvey, thanks for joining us. 

Justin Harvey: [00:19:27]  Thank you. 

Dave Bittner: [00:19:33]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed, and it'll help you with your posture. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:05]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.