The CyberWire Daily Podcast 9.18.20
Ep 1176 | 9.18.20

Sunday looks like sanction day for WeChat and TikTok. Grayfly and Blackfly (and APT41). Maze hides payloads in VMs. Ransomware is implicated in a death. Google Play housecleaning. Fox, chickencoop.
Dave Bittner: The U.S. Commerce Department announces a clampdown on TikTok and WeChat, which begins Sunday. An overview of the Grayfly and Blackfly units of APT41. Maze begins delivering payloads inside a VM. A ransomware attack on a Dusseldorf hospital is implicated in the death of a patient. Google wants less stalkerware and misrepresentation in the Play store. Caleb Barlow from Cynergistek on the Military's CMMC program. Our guest, Galina Antova from Claroty, highlights the importance of secure remote access in industrial systems during times of crisis. And an alleged fox was allegedly guarding the henhouse.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 18, 2020. 

Dave Bittner: The U.S. Department of Commerce this morning announced that most transactions with WeChat and TikTok will be banned, effective Sunday. Commerce explained the decision as follows. Quote, "while the threats posed by WeChat and TikTok are not identical, they are similar. Each collects vast swaths of data from users, including network activity, location data and browsing and search histories. Each is an active participant in China's civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP. This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security," end quote. The action was taken pursuant to Executive Orders 13942 and 13943. 

Dave Bittner: Seeking Alpha reports that TikTok is looking to rally allies among rival social platforms to challenge the coming U.S. ban. And whatever Washington ultimately decides about a TikTok spinoff, The Wall Street Journal notes that any such arrangement would require Beijing's approval, too. 

Dave Bittner: Symantec Enterprise takes the opportunity offered by U.S. indictments to publish an overview of China's APT41, which it tracks as having two subgroups - Grayfly and Blackfly. Grayfly is known for compromising its victims through public-facing web servers and for using variants of the Barlaiy/POISONPLUG and Crosswalk/ProxIP malware in its attacks. Grayfly casts a fairly wide net, but it's generally been interested in the food, financial services, health care, hospitality, manufacturing, telecoms and government sectors. Three of the men named in the U.S. indictment, Symantec says, were involved with what appear to be Grayfly operations. 

Dave Bittner: Blackfly, for its part, tends to use PlugX/Fast, Winnti/Pasteboy, and Shadowpad malware. The crew is best known for hitting the gaming industry, but Symantec has also seen it attacking the semiconductor, telecoms, materials manufacturing, pharmaceutical, media and advertising, hospitality, natural resources, fintech and food sectors. The two Malaysian nationals named in the indictment are apparently associated with Blackfly. The remaining two Chinese nationals indicted? They're accused of coordinating activities between the two groups. 

Dave Bittner: Researchers at Sophos describe how Maze operators have begun distributing the ransomware payload inside a virtual machine, which renders it more difficult to detect. The Ragnar Locker gang began using the tactic earlier this year, and Maze is willing to learn from its criminal competition. 

Dave Bittner: An attack at a major German hospital brought down internal systems and forced a woman in need of emergency care to travel 20 miles to another city in the first documented ransomware-related fatality, Bleeping Computer and ABC News report. According to the AP, the patient died during transport to another hospital when the ransomware attack rendered emergency services at Uniklinik Dusseldorf unavailable. The hackers exploited a known and patchable Citrix ADC vulnerability, apparently intending to target an affiliated university, and when contacted about their mistake, quit the attack. Which gang hit the hospital is unclear, but the hospital says it's remediating the attack. 

Dave Bittner: Ransomware groups like Maze, DoppelPaymer, Nefilim, and CLOP have said they don't target hospitals, but such promises have sometimes proven hollow. And in any case, the gangs' aim isn't always perfect, either. Over 700 U.S. health care facilities were hit last year, and despite the criminals' pious assurances early in the COVID-19 outbreak that they would avoid attacking the health care sector, hospitals and biomedical institutes became popular targets during the pandemic. 

Dave Bittner: Given the extent to which hospitals depend upon networked medical information to organize and deliver care, many have thought that a ransomware-implicated death was only a matter of time. And now, unfortunately, that time has come. 

Dave Bittner: Google has announced more stringent policies against stalkerware and misrepresentation for Google Play. Threatpost points out that the rules are designed to rule out various designer dodges but also allow exemptions for parental monitoring apps. 

Dave Bittner: And so how's this for irony? The U.S. Securities and Exchange Commission yesterday announced that the co-founder of a cyberfraud prevention company has been arrested and charged with - what else? - fraud. Adam Rogas, the co-founder and former CEO of Las Vegas-based NS8, is alleged to have misled investors through false financial statements and led them to believe that his company was a growing software-as-a-service provider and that it was a solid investment. As the SEC puts it, quote, "from at least 2018 through June 2020, Rogas altered NS8's bank statements to show millions of dollars in payments from customers. Rogas allegedly sent the falsified bank statements and revenue figures on a monthly basis to NS8's finance department, which used them to prepare NS8's financial statements. In at least two securities offerings, NS8 and Rogas apparently provided investors and prospective investors the false financial statements, showing millions of dollars in revenue and assets and other information incorporating the falsified revenue figures. The SEC alleges that as a result of Rogas's fraud, NS8 raised approximately $123 in 2019 and 2020 and that Rogas ultimately pocketed at least $17.5 million of investor funds," end quote. 

Dave Bittner: NS8 has posted a statement about the matter on their website. Quote, "The government investigation and an internal investigation into this conduct are ongoing. At this time, no one else has been charged, and the company is cooperating fully with federal investigators. The NS8 board of directors has learned that much of the company's revenue and customer information had been fabricated by Mr. Rogas. These events created significant cash flow issues for the company and required a significant downsizing, impacting all of its employees. The remaining NS8 leadership and board of directors is working to determine financial options for the company and its stakeholders going forward," end quote. 

Dave Bittner: The office of the U.S. attorney for the Southern District of New York described Mr. Rogas as the proverbial fox guarding the henhouse and says he faces one count of securities fraud, which carries a maximum sentence of 20 years in prison, one count of fraud in the offer or sale of securities, which carries a maximum sentence of five years in prison, and one count of wire fraud, which carries a maximum sentence of 20 years in prison. As always, do remember that persons charged are entitled to the presumption of innocence and that sentences, if any, are imposed by the judge. 

Dave Bittner: This far into the pandemic and the resulting shift to remote work, it's fair to say most organizations have settled into a new routine and have made appropriate security adjustments. But what about industrial systems? Our guest is Galina Antova from Claroty, and she joins us with insights on the importance of secure remote access in industrial systems during times of crisis. 

Galina Antova: Industrial systems - we typically refer to them as operational technology components and networks. And those are actually the networks that run the world's infrastructure. So very commonly found in things such as manufacturing, in oil and gas but also in everything from data centers to buildings - so really quite prevalent around the infrastructure of the world. Traditionally, those systems have been air-gapped, you know, 10, 15 years ago. And then as they started getting networked, we started seeing more and more exposure, more and more risks associated with them. And what's really interesting is because they stay in the field for such a long time, there are a lot of legacy systems with a life cycle of 25, 35 years. 

Galina Antova: So if you compare the state of those operational technology networks to the traditional IT networks, there's probably a gap of about 20, 25 years. And the fact that there's a lot of legacy industrial infrastructure out there is what really makes them challenging to protect. Now, as you can imagine, remote access is hard on its own in IT networks. It is that much harder when it comes to operational technology networks because any changes within the configuration in how those industrial networks are accessed could result in a potential additional attack vector. And what the COVID crisis kind of showed this thing really accelerate is that those are the type of infrastructure changes that need to be thought through in advance. 

Dave Bittner: Yeah. Well, I mean, let's dig into that. What are some of the things that you've been tracking as we've gone into this mode of reacting to the COVID pandemic? 

Galina Antova: So first of all, in terms of that particular part of the network, the operational technology networks, as I mentioned, even today, they are treated with a - they have a different risk profile, obviously, because intrusions in those networks have much more severe consequences than just data privacy, et cetera, on the IT side of the house. And so when it comes to giving direct secure access - remote access to those networks, that has been traditionally a challenge and something that security professionals have not really been willing to go into the same extent as they have to the IT networks. 

Galina Antova: Now, of course, the COVID crisis necessitated that some of the personnel, some of the engineers are off-site. And so the choice was either completely shut down production or have some form of a secure remote access that allows you to at least continue partially operating with limited staff on-site. 

Dave Bittner: So what are your recommendations for organizations to get on top of this? If they know that secure remote access is something they need, what are the options that are out there for them? 

Galina Antova: So first of all, it's not either-or. It's not security or connectivity. There are very well-documented ways in which you could have remote access solutions that are also very secure. Of course, technology is one step. 

Galina Antova: It's really important to also have a process that supplements that, you know, so that people are not doing things like, you know, sharing passwords or sharing accounts, which was something that, unfortunately, is still somewhat common when it comes to engineering within operational technology networks. 

Galina Antova: So having good cyber hygiene, implementing the right technology and just following the right governance process - those are the basic steps to follow. 

Galina Antova: The current crisis has also revealed - beyond kind of the operational topics, has really revealed the - a challenge and an opportunity when it comes to the role that the CSOs and CIOs play as they're presenting those technology agendas to the board, right? And the reason I mention that is during the COVID crisis, we saw, obviously, the board of directors getting involved very frequently into overseeing the changes that were happening, obviously because it was a crisis situation. 

Galina Antova: But one of the things that I've observed in my career, and especially in the last few years, dealing with operational technology is that that technology agenda is not always very well represented at the board level, right? 

Galina Antova: So many different reasons for that. A lot of the boards have only experts with finance backgrounds. And I think this is really where the CSOs specifically could have a stronger voice because they could be advocates not just for, you know, spending money for the sake of spending money for security. Usually, security is seen only as an expense. But really, in this case, COVID showed us that security - cybersecurity and implementing it right could enable those digital transformation projects that then become a competitive advantage. 

Galina Antova: So I think that that was one kind of very strong agenda and a conversation that took place during the crisis. And I fully expect that this continues to be the case after the crisis because, again, companies feel that this could be something that helps them along the way and it's not just a cost expenditure. 

Dave Bittner: That's Galina Antova from Claroty. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, always great to have you back. I wanted to touch today on the CMMC program that we've been seeing from the military and some of the broader implications that could have for folks. 

Dave Bittner: First of all, let me ask you to give us a little backstory here. What are we talking about? 

Caleb Barlow: So this is the Cybersecurity Maturity Model Certification, or CMMC. It is being driven by a woman named Katie Arrington. And Katie is the CISO for the assistant secretary for defense acquisition. She was actually on your show a few weeks back. 

Dave Bittner: Yep. 

Caleb Barlow: Now, the basic use case here is in the, you know, sensitive, confidential but not classified space of military procurement. The U.S. is losing about 600 billion a year in exfiltration, data theft and R&D losses to adversaries. 

Caleb Barlow: Now, this could be everybody from a manufacturer that makes a part for a fighter jet - you know, one downstream part as a subcontractor - to, like, the folks that mow the lawn at a military base or the caterer. And remember; the folks that mow the lawn - well, they need to know the layout of a military base. 

Dave Bittner: Right. 

Caleb Barlow: The folks that make the food - well, they need to know troop movements. So it's not necessarily classified data they have access to, but they still have access to a whole lot of sensitive data, and the government wants to secure that. 

Caleb Barlow: Now, here's why I find this fascinating, Dave. This is the first time we've actually seen somebody get aggressive about forcing some level of control. Now, we have lots of different regulations out there - you know, everything from, you know, frankly, HIPAA, GDPR, CCPA. You know, whether you're on the security or the privacy side, all of these things talk about, you know, security requirements. But usually, they use very fungible language, like best practices or best in class, that - you know, and maybe they refer to a framework, but rarely do you ever see someone actually score your performance. And that's what's going to happen here with CMMC. 

Dave Bittner: And so how does this trickle down to the rest of us? 

Caleb Barlow: Well, OK, so you're not a military contractor. You're probably wondering, well, why do I care about this? 

Dave Bittner: Yeah. 

Caleb Barlow: Well, I think you care a lot about it because it's actually, in my opinion, a great model and approach of how to do this. 

Caleb Barlow: So first of all, it's all based on NIST, and we all know and love - and, frankly, many of the people that probably listen to this podcast contributed to the development of the NIST Cybersecurity Framework. So it starts there as kind of the base fundamentals. You know, and then there are a series of controls that are added on top of that. But, you know, if you look at the controls, you're all going to have a lot of familiarity with them. 

Caleb Barlow: But the difference in this case is it requires a third-party assessor to go in and assess this. You can't self-assess anymore. So that's the first major change. 

Caleb Barlow: Now, you know, and other industries do require assessments. For example, health care - you have to understand your risk, but it doesn't have to be done by a third party. But the big difference in this case is the rating you get - the grade, if you will - of your maturity. 

Caleb Barlow: So this isn't so much a performance rating; it's, where are you on the maturity curve? If you're not able to reach a certain level of maturity, there are some contracts you can't bid on, or you might - if you already have them, you might lose them in the future. And that is a major shift. 

Caleb Barlow: And I think if the U.S. military can do this, there's a lot of other industries that are likely to follow a very similar model. And it's well laid out. It's well thought through. And I think it's something we all need to pay attention to. 

Dave Bittner: So is this something where you could see - other verticals could say, hey, we're taking the lead here, and we're going to adopt this; we're going to make a few tweaks here, but overall, we think this is a good framework for us to use moving forward? 

Caleb Barlow: Well, think of a major bank that has, you know, hundreds of downstream vendors that support it. Vendor - you know, this could certainly come in in vendor management, where, you know, the state of the art of vendor management today is getting somebody to try to pen test a company from the outside. It's not very telling what their real security posture is. 

Caleb Barlow: You could see this come into play in insurance underwriting, right? I mean, you know, today, insurance underwriting is a - is kind of a bit of a black art when it comes to your cybersecurity posture. You could definitely see procedures like this come into play there, or also future regulatory standards, whether they're government-based or nongovernment-based. 

Caleb Barlow: You know, there are 52 different breach disclosure laws in the United States, and none of them really, at least in my opinion, get very specific on what types of security provisions you have in place. And this is the first time we've really seen someone articulate a vision that probably will work. 

Dave Bittner: So it could be the new sort of gold standard, something for other folks to aim for? 

Caleb Barlow: Oh, I think there's no question that this will be the new gold standard. And it sets a bar that we haven't seen in any other industry. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it rocks around the clock. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't miss this weekend's "Research Saturday," where I speak with Matt Olney from Cisco Talos on their report "What to Expect When You're Electing." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.