Dave Bittner: Two ransomware incidents now seem worse than originally believed. Hacking hospitals raises concerns for patient safety. It appears Fancy Bear was the group that hacked the U.S. federal agency CISA warned about recently. Chris Novak from Verizon considers whether investigations should be performed under attorney-client privilege and if that privilege will hold. Alex Mosher from MobileIron explains how yours truly got phished with cookies. And interruptions to trading on Japan's exchanges seem to be due to technical problems and not to a cyberattack.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, Oct. 1, 2020.
Dave Bittner: Two ransomware incidents are looking worse than initially anticipated. CMA CGM had disclosed Monday that a ransomware infestation had hit its IT systems, with operations in the Asia-Pacific region most heavily affected. The container-shipping giant's early announcements about the incident tended to describe it as an inconvenience that the company was working through without undue disruption of operations. It now appears, however, that data was compromised. The company updated its disclosure yesterday, Splash 24/7 reports, telling customers, quote, "We suspect a data breach and are doing everything possible to assess its potential volume and nature," end quote. Customers are raising eyebrows over what some are criticizing as a laggard acknowledgement that the issue was a ransomware attack and not just an internal glitch. Still, on the plus side, the cargo seems to have kept moving.
Dave Bittner: And the ransomware attack against Blackbaud and its widely used donor relations management platform has made its effects felt through a widening circle of customers. Those effects are now known to be more serious than had been hoped. According to Computing, Blackbaud has determined that the attackers accessed financially sensitive information. A Form 8-K the company filed with the U.S. Securities and Exchange Commission says in part, quote, "after July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who are involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of Sept. 27, 2020, and are being provided with additional support," end quote. So, again, universities, hospitals, not-for-profits, look to your financial information or, rather, to your donors' financial information.
Dave Bittner: There's another undropped shoe in the Blackbaud case that's worth taking note of. The company paid the ransom in exchange for the criminals' promise to destroy any data they'd taken. We leave it as an exercise for the listener to assess how much stock should be placed in that promise.
Dave Bittner: As Universal Health Systems works to remediate the effects of the Ryuk ransomware attack it sustained this week, The Wall Street Journal argues persuasively that ransomware as such has grown in aggressiveness and sophistication and that it increasingly represents a threat to patient safety. About 250 of Universal Health Systems' facilities in the U.S. were affected to some extent by the attack. There have been no known repetitions of the sad death of a patient who died when the ambulance carrying her had to be diverted from Dusseldorf's Uniklinik to a more distant facility. The Dusseldorf hospital was undergoing a DoppelPaymer ransomware attack that hit on September 10 and temporarily disrupted its ability to accept emergency patients.
Dave Bittner: Do the criminals care? Well, maybe. DoppelPaymer interrupted its attack when German police emailed them that they were killing people, but on the other hand, they didn't really stick around to help the hospital fix the problem. Digital Shadows has taken a look at what goes into the formation of a criminal community. And while the participants all seem recognizably human with concerns, insecurities, ambitions, the whole nine emotional yards, the criminal fora aren't places for moral rigorists. So sorry - no Robin Hoods.
Dave Bittner: The cyberhoods are thoroughly 21st century types. The hoods, they want what they want. And they'll go after the targets whom they think are likely to be willing and able to pay. Insofar as they mean well, when such thoughts cross their minds, they don't seem to do much more than rise to the low threshold of slacktivism - put on a T-shirt that says ally, maybe, or apply a bumper sticker that says you brake for small animals whether you do or not - self-congratulation tarted up as categorical imperative. But when it comes to actually hurting someone, well, the criminals want to be paid. Tough luck. So, hospitals, look to your defenses.
Dave Bittner: More is emerging on the cyberattack the U.S. Cybersecurity and Infrastructure Security Agency last week said a foreign actor mounted against an unnamed U.S. federal agency. Which agency was hit in the cyberespionage incident remains publicly unknown, but WIRED reports the perpetrator looks like Fancy Bear, Russia's GRU. CISA didn't name Fancy Bear, also known as APT28, but they do outline a step-by-step set of techniques that map fairly closely to an approach that researchers at industry cybersecurity firm Dragos earlier this year ascribed to the GRU. The techniques are also consistent with those Microsoft attributed to Fancy Bear in September. In any case, as a matter of sheer a priori probability, it should surprise no one that Fancy Bear has emerged from the aquarium to snuffle at a U.S. federal agency.
Dave Bittner: The BBC says a technical glitch has caused Japan's stock exchanges to suspend trading. The Japan Exchange Group told the BBC that trading shut down after a backup system failed to kick in after a hardware malfunction. The exchanges hope to be back up tomorrow. They say that no cyberattack was implicated in this week's system failure. May the exchanges recover on time.
Dave Bittner: Not long ago, a package showed up here at CyberWire intergalactic headquarters addressed to me from security company MobileIron. Inside was a box of delicious cookies but not just any cookies. These cookies had QR codes printed on them. Alex Mosher is global VP of solutions at MobileIron.
Alex Mosher: So you have, obviously, the cookies. And then on each of the cookies, we went ahead and put a QR code. And the reason that we did that is as - you know, we've certainly seen as a result of the pandemic going on a lot of contactless interaction with various systems. Go back to a restaurant; oftentimes, the menu is on a QR code. Or you get a receipt or a bill, and you're using a QR code or you're checking out at a service or maybe even an online system. Maybe even folks that used to bill you in person - now maybe they're sending you an email, and that has an embedded QR code in it.
Alex Mosher: So QR codes have become really relevant in our lives and certainly, I think, amplified as part of the whole pandemic that we've been going through and managing through. So what we did was we took a box of great cookies, something everybody would, as you mentioned, love to have. And we put a QR code on them, incentivizing you to - hopefully, your curiosity get the best of you...
Dave Bittner: Yes.
Alex Mosher: ...And get you to go ahead and scan that QR code. Now, the gotcha point with our QR code was it directed you to a site that very easily could have been a phishing site or a malicious site of sorts just to kind of get you thinking about, whoa, I don't even think about when I go to those examples I gave before - the restaurant, the bill, wherever it might be. And I just maybe blindly scan things like QR codes with my mobile device because it's so easy to do and it makes life certainly much simpler, especially in the current times.
Dave Bittner: Yeah. You know, one thing that struck me in my own experience with the cookies that you all sent out was that, you know, I think it's the default in iOS that when you have your camera app open and it sees a QR code, it automatically sort of triggers it. And it...
Alex Mosher: Yeah.
Dave Bittner: ...Says, hey; do you want me to open this? You can disable that. But, you know, that's a - there's - I can take issue with that itself.
Alex Mosher: Yeah, no, absolutely. And if you think about it, there are legitimate good sources. Like, it certainly makes life a whole lot more convenient, right? Could you imagine today with the challenges and think about, you know, the communication platforms we have, the ability to quickly just communicate with all kinds of people on platforms like SMS and iMessage and WhatsApp and the sort? So because these systems are so great and they benefit us so greatly, it's what really puts them at such easy target from a hacker's perspective because they know that you're doing things in quick, real time. You're not really paying super-close attention to what's happening. You're there at that location. You get the cookie and scan it. You're thinking something good is the result and - only to find out that, you know, something bad has happened at the end of the day. And, again, you don't have to go even far back in history.
Alex Mosher: And I'll reference again that Twitter attack. A lot of this was sort of done that same way - using systems that were put in place to make life easier and more convenient. We focused more on the convenience side than we did the security side. You really have to find a balance between the two.
Dave Bittner: That's Alex Mosher from MobileIron. These are delicious cookies.
Dave Bittner: And joining me once again is Chris Novak. He's the director of the Verizon Threat Research Advisory Center. Chris, it's always great to have you back. I wanted to touch today about investigations and where we are when it comes to attorney-client privilege these days. There's been some recent developments that have made this a little more interesting, yes?
Chris Novak: That is absolutely true and maybe even an understatement, yes - definitely an exciting topic of the day.
Dave Bittner: Well, go on. Lay it - explain for us. Where do we stand right now?
Chris Novak: Yeah, sure. So I think, you know, one of the challenges we often see is that organizations will typically approach incident response or a breach investigation typically from a technical perspective, you know? The IT team or the IT security team may know exactly how they plan to attack the problem and what tools they're going to use and their technical playbooks but oftentimes will forget the other stakeholders, right? And there's, you know, HR. There's PR, crisis communications.
Chris Novak: But then there's usually a biggie in there - legal. And a lot of times organizations will either forget or engage legal, you know, maybe just a little bit too late, or their inside counsel may not necessarily have a lot of experience in the areas of data privacy, data security and the various regulations that may sometimes go along with that as well as - you know, how would this work if we wanted to do an investigation under attorney-client privilege such that, you know, that legal entity, whether it be inside counsel or outside counsel, can properly guide them through their investigation and what obligations they may have and, you know, also help them as it relates to potential litigation down the road?
Dave Bittner: Is it ever a situation where - when folks are in the midst of this and they're thinking about to what degree they should engage with their in-house legal department, you know, it's easier to apologize and get permission kind of thing where - if we engage these attorneys, they're going to throw a pair of virtual handcuffs on us and limit our ability to be nimble.
Chris Novak: Yeah. So, I mean, the thing that I would always recommend - and this is the reason why we do a lot of tabletops and wargaming and things like that before an incident occurs - is to bring those stakeholders into the fold so that you're not just relying on technical playbooks but you've got stakeholder playbooks for everybody. So you know the questions legal's going to ask. You're going to know the kinds of answers you're probably going to give. And if there's any, quote, "handcuffs" they're going to put, you're going to know what that's going to look like and why. And if you can work together, those problems usually are less of an issue, right? And at that case, at least you're playing on the same team. And legal knows what their obligations and responsibilities are, and so does the technical folks.
Dave Bittner: Where do opinions stand these days in terms of that attorney-client privilege actually holding?
Chris Novak: So I'd say there's, you know, some recent court activity that has happened that has, you know, kind of maybe caused everybody to kind of look at things from a side-eye perspective to figure out, whoa (laughter), has the way we've been doing this working? And what I would say is that I think, you know - and I'm not a lawyer, maybe just play one on TV. But, you know, we sometimes joke at Verizon that we have more lawyers sometimes than some law firms do.
Dave Bittner: (Laughter).
Chris Novak: But we look at a lot of the data privacy and a lot of the data sovereignty laws to try to understand how things work and then also understand, hey; you know, when there's a breach, there's almost always going to be some element of potential litigation and how you prepare for that. And I think the attorney-client work product doctrine and attorney-client privilege, I think, very much still holds true today. But I think the challenges that we've seen where it's kind of deteriorated in the past has been in circumstances where maybe it wasn't necessarily applied correctly.
Chris Novak: And so this goes back to that kind of tabletop, wargaming kind of aspect, where you bring all those stakeholders into the fold for practice sessions so we can understand how to do it because, for example, if you try to apply, you know, attorney-client work product doctrine or privilege after the fact, you're probably going to be challenged on it. It's going to be questionable as to whether or not legal was really guiding something if legal wasn't really involved from the beginning.
Dave Bittner: You know, in some of the conversations you and I have had, you've really emphasized the value of having these tabletop exercises. Can you give us some insights there? I mean, how is that time well-spent for the organization?
Chris Novak: Yeah, I'd say that it's probably one of the most valuable things. And thankfully, we've seen a dramatic uptick in organizations actually doing it. If we roll back the clock a handful of years, it was something that - it was almost like pulling teeth to try to encourage organizations to practice for a breach. And that's - you know, you kind of think of the older days, where, you know, people kind of thought, well, it's probably not going to happen to me. It's almost always going to happen to someone else. And then they've seen, I think, enough breaches happen where they go, you know what? We should probably know how to deal with this if it happens or when it happens to us.
Chris Novak: And so absolutely time well-spent - typically, we encourage you to bring all the stakeholders in. So bring representation from legal, HR, PR, crisis communications, the board. If there's regulators, we've even seen some organizations who've said, hey; we really want to impress our regulators. And we feel like having a good relationship with them as opposed to maybe what some would see as an adversarial relationship would be beneficial.
Chris Novak: So we've even seen some of them bring in their regulators to those exercises just so that everyone can go through the motions together. And one of the best things about it is when an incident does happen, then it's like you're running through a script that you've all practiced. You know what roles everybody plays, and everybody can do them much better and more comfortably. And then generally, the outcome is more positive because you're not trying to figure out what to do in the middle of a crisis, which I think is the time most people would agree is - that's the bad time to figure it out, right? That's why we do fire drills - right? - to make sure...
Dave Bittner: Yeah.
Chris Novak: ...That when the actual fire happens, we all know the routines, and we've got fire marshals to help make sure we all go out the right places and nobody goes down the elevator - all those kinds of things. That's the analogy that I would draw to the tabletop exercise for a cyber event - is, you know, do your fire drills, and be prepared. You're much more likely to have a successful or a more mitigated outcome.
Dave Bittner: All right. Well, Chris Novak, thanks so much for joining us.
Chris Novak: Always a pleasure. Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed. It'll make you kiss a little longer, hold hands a little longer, hold tight a little longer. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.