Criminal markets and the criminals who shop there. Elections may be safe and secure, but influence operations seem here to stay. TikTok’s state of play. Indictments and extraditions.
Elliott Peltzman: Cerberus is available for free. The Empire Market's old and betrayed customers are probably looking for another marketplace where English is spoken. And it seems the Russian mob is selling access to North Korea's Lazarus Group. NSA thinks U.S. elections will be safe and secure, but that influence operations are probably here to stay. Betsy Carmelite from Booz Allen Hamilton on medical device security. Our guest is Jonathan Langer from Medigate on lessons to help clinical and IT leaders at institutions heavily affected by COVID-19. Two Iranians are indicted for espionage and theft. And more evidence allegedly surfaces of Huawei's role in sanctions evasion.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, in for Dave Bittner, with your CyberWire summary for Thursday, September 17, 2020.
Elliott Peltzman: Some notes from the criminal underground have surfaced at midweek. First, Kaspersky researchers say that the proprietors of Cerberus malware, having made an attempt to auction it off on a dark web block, have now simply released its source code, Cerberus v2, for free to Russophone hacking communities. ZDNet points out that Cerberus had earlier this year been on offer in the form of malware-as-a-service but that the developers attempted to auction it off in July. They'd set initial bids at $50,000 and hoped to raise $100,000. Those attempts were unsuccessful - no takers - and so the source has now simply been dumped. The reasons for the free release are unclear.
Elliott Peltzman: When the auction was announced, the people hawking Cerberus said they were putting it on the block due to a lack of time and because the team has broken up. That team would have been the group that developed and maintained the malware. What this means is that defenders should expect to see more Cerberus attacks using the last version released and that some attackers who've picked up the code will probably try their hand at developing evolved versions.
Elliott Peltzman: Second, now that the Empire Market has fallen in an exit scam, its proprietors departing for parts unknown with users' cash, where are the criminals to go to trade their altcoins for drugs, guns and so forth? Security firm Digital Shadows this morning released its review of the Empire's possible successors in the criminal contraband market. The researchers conclude that Empire's disappointed members are likely to turn to another Anglophone marketplace, which will probably end up fleecing them, too.
Elliott Peltzman: Digital shadows notes that there are a number of relatively stable and well-established Russian-language dark web sites where contraband is traded. Why don't the English-speakers simply move over to one of those? Well, for one thing, the Russophones tend to find the Anglophones somewhat tiresome. They treat the English-speakers rudely.
Elliott Peltzman: And for another thing, the Anglophones have trouble communicating in Russian. The English-speakers we're talking about there are probably - let's be honest - for the most part, largely Americans. You know that someone who speaks several languages is called polylingual and someone who speaks two languages is bilingual. What do you call someone who speaks one language? Ha, American. That one always kills me. Prego. Danke schoen. I'll be here all week. Anyways, expect one of the smaller English-speaking markets to fill Empire's ecological niche, and expect them to eventually scam their customers, too.
Elliott Peltzman: And third, Dark Reading reports that researchers at security firm Intel 471 have concluded that there's a connection between Russian cybercriminals and the North Korean government's Lazarus Group. Pyongyang has long been interested in redressing its sanctions-induced financial shortfalls, and the Lazarus Group has served that objective with financially motivated hacking. The basis for Intel 471's conclusion is the Lazarus Group's access to financial services organizations that was evidently purchased from Russian gangs who've used TrickBot to establish themselves in the targets.
Elliott Peltzman: There was a lot of speculation yesterday that the U.S. administration would probably welcome ByteDance's proposal to establish the U.S. TikTok operations as an independent company, with Oracle taking a minority share. That speculation seems now to be premature. The Wall Street Journal reports that U.S. Treasury Secretary Mnuchin and other officials have signaled that a minority stake by an American company in TikTok won't be enough to allay security concerns.
Elliott Peltzman: Darktrace tells CNBC, all of the political woofing about TikTok shouldn't obscure the general need for the greater transparency about what companies do with the data they collect. And it would be a bad thing should companies entangled with questionable data handling come to believe that, from a cost-benefit point of view, it's better to spend your money on lobbying than on security.
Elliott Peltzman: As the U.S. elections approach, General Paul Nakasone, NSA director and commander of the U.S. Cyber Command, said that he's confident those elections will be safe and secure. The organizations he leads have made election security a priority. MeriTalk says General Nakasone explained at yesterday's Intelligence & National Security Summit that their approach has had three main areas of emphasis, which he phrased as questions.
Elliott Peltzman: First, how do we generate incredible insights on our adversaries? Second, how do we share information and intelligence with the lead of our nation's elections security, which is DHS and also FBI? And the last piece - how do we impose outcomes on any adversary that attempts to interfere with our democratic processes?
Elliott Peltzman: Again, he's confident that they have these areas under control. But influence operations, General Nakasone said, are the great disrupter, and they're here to stay. CyberScoop quotes him as saying, quote, "We've seen it now in our democratic processes. I think we're going to see it in our diplomatic processes. We're going to see it in warfare. We're going to see it sowing civil distrust in different countries," end quote.
Elliott Peltzman: Foreign Affairs has a long essay in its current issue on how Russian influence operations have evolved since 2016. In general, direct troll farming, while it hasn't gone away, has fallen from its former position of prominence. It's the sort of inauthentic behavior that's just grown too easy to detect. Instead, the operators have done other things, from the low-level grift of persuading people to rent their social media accounts through the establishment of plausible front organizations to the hiring of cynics or useful idiots to write for them. While Russia has been the leader, other governments have shown themselves willing to learn from the best. And state-run online influence campaigns are likely to become, the essayist argues, a permanent feature of future democratic elections. China, Iran and Venezuela have already shown their ability to adapt some Russian methods to their own purposes. They haven't been dull pupils, but their positive objectives are inherently more difficult to achieve than the negative, disruptive goals Moscow's interested in.
Elliott Peltzman: The U.S. attorney for the District of New Jersey has indicted two Iranian nationals, Hooman Heidarian and Mehdi Farhadi, on charges of conspiracy to commit fraud and related activity - computer fraud, unauthorized access to protected computers, computer fraud, unauthorized damage to protected computers, conspiracy to commit wire fraud, access device fraud and aggravated identity theft. The allegations describe an increasingly common pattern - a mix of state-directed espionage and privately profitable crime as a hacker's side hustle.
Elliott Peltzman: And finally, Reuters reports that connections have surfaced between Huawei executives and an obscure Hong Kong-based company Skycom that's at the center of U.S. investigation and evasion of sanctions against Iran. Huawei's CFO, Meng Wanzhou, currently faces extradition to the U.S. in a Vancouver court. Reuters thinks the disclosures of closer Huawei ties to Skycom are likely to lend support to the U.S. case for her extradition from Canada.
Elliott Peltzman: Jonathan Langer and his team at Medigate have been diligently working to protect hospitals along the East Coast and New York City during COVID-19. We'll hear now from his recent conversation with Dave about lessons they've learned.
Jonathan Langer: Well, health care organizations, naturally, are in a very - let's say a very challenging situation right now, given the pandemic. I think, on the one hand, the challenges addressing the concern around the pandemic, treating people the way they should be to the best of their ability and, to that end, expanding some of the facilities, moving the medical devices from location to location, moving physicians, of course, there is a huge challenge there. The other challenge is, of course, at the same time, just like other enterprises are doing is - or, I guess, was - setting up a remote networking capability to allow the unessential workers to continue to support the enterprise. Doing those two at once, that's quite a heavy lift, the way that I'm seeing things.
Dave Bittner: Well, take us through some of those specific challenges. I mean, what sort of things are you and your team tracking?
Jonathan Langer: So what we're doing right now, what we're tracking is - I think, in high level, I would say that the security concerns that health care organizations had before the pandemic have, in fact, been, I think, even heightened, given the pandemic. Everyone is more focused on medical devices, on their assets over the network, finding them, using them, protecting them. The other piece that we're hearing more - and this is where we're addressing this challenge as well - is that they're saying security is important. But now more than ever, operational efficiency is also important. So what we're trying to do is to use our technology to address security, of course. That's the bare minimum. But at the same time, also harnessing the capabilities of the technology to actually provide operational efficiency and I'd say fleet - medical device fleet optimization as well for the enterprise. So it's security that naturally is bringing in technology. But at the same time, the entire enterprise is benefiting from it. That's what we're trying to cater to these days.
Dave Bittner: And what are some of the practical ways that they're able to do that? What sort of things can they put in place?
Jonathan Langer: So to me, the first step in this process is inventory, right? You have to have good network visibility and proper inventory in order to understand, just from a security perspective, what you need to handle. Based on that, you can assess risk and prioritize your assets and really start a security program. But what we realized, which I think this is a very interesting notion these days, is that this technology with regard to inventory can also give you key insights in terms of the usability of the devices, the utilization of the devices and if you're good and you have the right health care focus, perhaps also prescriptive recommendations as to how to manage these devices to the most efficient way so that you get more out of them and actually save funds. And that's the challenge, that full circle that we're trying to do from security all the way back to operational efficiency and back to security.
Elliott Peltzman: That's Jonathan Langer from Medigate.
Dave Bittner: And I am pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it's always great to have you back. I wanted to touch today on medical device security and some of the things that you and your team have been looking at in that area. What do you have to share with us today?
Betsy Carmelite: Sure. To jump in, I think, you know, if you're looking at kind of current day, especially during our COVID-19 environment, and you're looking at threats to medical devices, let's say, in a hospital setting, this can really stir up some nightmare type of situations in your mind. For example, if critical patient information becomes unavailable as a result of a cyberattack, that would then have an impact on how a doctor can treat that patient. Also, if a device such as a CT scanner were to go down, ER doctors lose critical capabilities to select treatment for, let's say, a stroke patient. And we've also seen an increase in the exploitation and phishing campaigns and threats to federal agencies, with health care being a key target.
Dave Bittner: Why are they targeting health care? What's the draw there from the threat actors?
Betsy Carmelite: Sure. So cybercriminals really continue to target medical and life science devices and organizations because there is a profit to be gained there. We're seeing, you know, clinical labs with devices involved in COVID-19 research and testing targeted. Major hospitals are experiencing ransomware. You know, we've seen the recent reports of ransomware targeting a medical ventilator manufacturer. And really these cybercriminals are looking for ways to monetize and gain revenue. They believe they - these organizations have the best chances of paying the ransom because every victim is really measured by their estimated revenue and who is likely to pay the largest amount.
Dave Bittner: Yeah. And obviously, I mean, the hospitals - places like that are literally dealing with life-and-death situations.
Betsy Carmelite: Right. Right. And they're also looking at organizations and companies that might share compromised infrastructure accounts or vendors. This is why we've really seen a rise in attacks on health care entities over the years and more recently. That health care data just has a high value on the black market, could possibly include all of the patients' PII.
Dave Bittner: Now, what sort of advice do you have for folks who are operating on the medical side of things - any words of wisdom?
Betsy Carmelite: Sure. We've been looking at this fairly closely for the last year or so. We really think that the medical device and broader health care ecosystem needs to transform across - stakeholder collaboration is really needed to do this. So we're looking at regulators, health care delivery organizations, manufacturers. They all need to play a role in this together. Secondly, we're seeing that medical device manufacturers have adopted processes for vulnerability disclosure and coordinating that together. And that's all with an endgame to promote patient safety and the security of medical devices. So that level of information sharing, also inclusive of disclosing the existence of vulnerabilities and with mitigation plans, is key to really minimizing the impact of security vulnerabilities, both for patients, organizations and for the privacy of the data that could be at risk.
Dave Bittner: Do you suppose that everything we're going through and have gone through with the COVID pandemic is going to leave us stronger on the other side of this? When the pandemic is, you know, in the rearview mirror, are medical organizations, having been through this experience - will they be in a better place security-wise?
Betsy Carmelite: I think medical device organizations can seize this opportunity to work to address cybersecurity not just in a defensive posture but looking at it as security by design. So they can take this opportunity to look at security through the product lifecycle, which includes during the design phase, the development phase, through to end of life so that they're able to secure those devices at every stage and have the flexibility to work that - those security architectures into the devices. And I think it will probably also prepare them to have business continuity plans, backup protection and disaster recovery processes more solidly in place as well.
Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us.
Betsy Carmelite: Thank you.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.