The CyberWire Daily Podcast 11.5.20
Ep 1209 | 11.5.20

CISA’s happy but still wary. Election-themed criminal malspam. New ransomware goes after VMs. Why it makes no sense to trust extortionists.


Dave Bittner: CISA declares a modest but satisfying victory for election security but cautions that it's not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security. Our guest is Kelly White of RiskRecon on health care organizations managing risk across extensive third-party relationships. And if you wondered whether the criminals who offered to securely destroy the data they stole if the victims paid the ransom actually did so, well, signs point to no.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 5, 2020. 

Dave Bittner: Now that voting in the U.S. elections has closed, the U.S. Cybersecurity and Infrastructure Security Agency has announced that it detected no evidence that any foreign adversary succeeded in either preventing citizens from voting or changing vote tallies. CISA credits good preparation, good interagency collaboration and a sound whole-of-nation approach with the successful defense of the election against foreign meddling. 

Dave Bittner: The voting may be over, but counting, litigation and certification remain in full flood. CISA expects continuing attempts to interfere with certification and, of course, to conduct malign influence campaigns. CISA's rumor control site will remain a useful resource through the coming months. 

Dave Bittner: Just because state adversaries didn't show up all that much on Tuesday hasn't discouraged the criminals, of course. There's no sign of respite from criminal scams using election-themed come-ons to distribute malspam by exploiting uncertainty over the outcome of the vote. Malwarebytes describes how the gang that runs the QBot banking Trojan has taken a page from Emotet's playbook, delivering its malicious emails as thread replies to make them less obvious to defenses. Emotet, by the way, continues, BankInfo Security notes, an unwelcome renaissance after its temporary eclipse. 

Dave Bittner: QBot's payload is carried in an attached zip file with the phishbait name ElectionInterference. In the attachment is an Excel spreadsheet crafted to look like a secure DocuSign file. The marks are invited to enable macros to decrypt the document. Once enabled, the QBot Trojan calls home to its command-and-control server for instructions. It harvests and exfiltrates data from the infected machine. It also collects emails from the victim that the QBot masters can make use of in subsequent malspam campaigns. World events are the best lure, Malwarebytes concludes. And right now, such lures are likely to include election interference, vote fraud, voter suppression and so on. Caveat lector, and don't click. And don't enable macros when some dodgy file of dubious provenance invites you to do so. 

Dave Bittner: BleepingComputer reports on a new strain of ransomware, RegretLocker, that's now being analyzed by several threat researchers. It's got a simple old-school way of communicating its ransom note - no fancy Tor portal, no bombastic gasconade, just a simple email saying, Hello, friend. All your files are encrypted. If you want to restore them, please email us. RegretLocker was first noticed in October, and it's still operating on a relatively small scale. It will, however, bear watching for some of its advanced features. It encrypts virtual hard drives and closes open files for encryption. RegretLocker gets around the challenge of encrypting a large VM disk by mounting a virtual disk file and individually encrypting each file. 

Dave Bittner: Coveware's third-quarter ransomware report describes Maze's retirement and Ryuk resurgence. It also explains why paying ransomware operators to delete stolen data is, as KrebsOnSecurity puts it, bonkers. 

Dave Bittner: The trend of ransomware stealing files and threatening to dox the victims in addition to simply encrypting data and rendering them unavailable began in late 2019 and gained steam over 2020. It's now practically routine. At this point, any ransomware infestation ought to be presumed to be a data breach, as well, until proven otherwise. 

Dave Bittner: The reason the gangs do it is clear enough. It gives them additional leverage over the victim, not just pay up or you won't regain access to your data - that's often reduced to the level of a nuisance with regular, effective backup. Instead, it's now pay up and you'll not only get your data back, but you'll be spared the economic damage and embarrassment of having your files displayed for all to see on the Internet. And recently, as seen in the case of the Finnish psychotherapeutic clinic Vastaamo, the extortionists threatened to release data of patients or, in other cases, data belonging to customers and even customers of customers. Third and fourth parties are at risk, too. 

Dave Bittner: Some victims of this form of attack have sought to reassure the third parties that they've secured their data at risk by paying the ransom and that the extortionists have given assurances that they've deleted all the stolen data. One might think, on a priori grounds alone, that the word of a criminal would amount to a foundation of sand. Still, some victims have built their hopes for recovery on exactly such a foundation. But there's even more reason to mistrust the crooks' word. Of course, they're lying, and Coveware has the evidence to prove it. Here's the sorry track record of criminal honor, broken down by ransomware strain. 

Dave Bittner: Sodinokibi - victims that paid were re-extorted weeks later with threats to post the same data set; Maze, Sekhmet, Egregor - which are related groups - data posted on a leak site accidentally or willfully before the client understood there was data taken; Netwalker - data posted of companies that had paid for it not to be leaked; Mespinoza - data posted of companies that had paid for it not to be leaked; and Conti - fake files shown as proof of deletion. So better not to be hit in the first place. But if you are, alas, paying for the extortionists' goodwill isn't going to get you very far. 

Dave Bittner: Kelly White is the co-founder and CEO of RiskRecon, a cybersecurity ratings company that provides third-party security risk management. He joins us with insights on health care organizations managing their risk across the internet-exposed assets and across extensive third-party relationships. 

Kelly White: When you look at 12 or so industries that we do broad benchmarks of cyber risk management performance against, health care has the third-highest rate of critical severity issues in their internet-facing systems. You only find higher rates or worse cybersecurity risk performance in the sectors of, you know, government/public administration and education. And for context, finance - no surprise - leads everyone in the quality of their risk management program. 

Dave Bittner: So what do you suppose that they need to do? I mean, what sort of steps can they take looking forward to be in a better place with this? 

Kelly White: I don't think there's any shortcuts for doing cybersecurity risk management well. It comes from the top down, the tone that the executive team sets within the organization and setting a high priority around the importance of cybersecurity risk management, privacy and so forth. And that gets instantiated in the funding and the resources that they bring to bear to solve that problem. And as an organization executes on that year over year, things get better over time. 

Kelly White: When you look at the ecosystem of health care, where you have pharmaceutical companies or hospitals, for example, engaging partners, sharing sensitive data with them, working with health care tech companies and so forth. That third-party risk management team inside the organization at these - you know, maybe call them these apex customers that can influence and drive the entire supply chains to improve their cybersecurity - it's very important that they properly exercise that strength to drive the supply chain into the right direction and, in this case, to improve cybersecurity. 

Kelly White: Finance has been at third-party risk management, on average, if you look at the industry, for about 12 years. It's about half that or less for health care companies. So as these companies raise the importance of good cybersecurity and cybersecurity hygiene to their supply chain of partners, then they, in turn, respond, and the bar is raised. 

Dave Bittner: Yeah, that's an interesting insight. 

Kelly White: You know, I think - and we see this trend as we do these studies across different industries in our risk surface reports - that the larger organizations are much better at managing cybersecurity. 

Kelly White: Now, what can you take away from this? And it's - again, it's consistent across fields, across industries that we study, that as health care organizations are selecting partners, they should be paying attention to the size of that organization. Are they a brand-new health care startup company, or have they been more established? And that should serve as a very strong indicator that, you know, if it's a much smaller organization, there's going to be a lot more work for them to do in order to address risk that no doubt will be higher there than if they choose a more established partner. 

Dave Bittner: That's Kelly White from RiskRecon. 

Dave Bittner: And it's my pleasure to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. You know, looking at all these reports about the fires out in the western part of the United States and how that has affected things like the delivery of electrical power and, indeed, some electrical service being disconnected because - or, whatever, shut down temporarily because of the risk of starting fires, got me thinking about climate change and ICS security and whether there is any sort of overlap there. And I thought I'd check in with you to see what insights you had to share. 

Robert M Lee: Sure. So it's a really good and kind of provocative question in the sense that I don't think we have a lot of experience with it as a community. But it's a good kind of forward-thinking, what's-going-to-happen kind of question. And my take on it is, the changing views of our global climate and the support of climate science that we just obviously have to make changes is changing the way that companies operate, and it's highly changing the energy portfolio and the diverse nature of that portfolio. 

Robert M Lee: As an example, we've seen way more natural gas in the United States than fossil fuels historically, just moving forward from trying to change that portfolio. But it also relates to the underpinnings of the technology itself, where we're starting to see more diversified energy resources and distributed energy resources. We're starting to see bigger discussions for storage and different ways to do storage around the electric system instead of maybe just one larger electric system and then, you know, the distribution of it. We're starting to see oil and gas companies explicitly come out and say, we are going to start investing heavily in renewables. 

Robert M Lee: OK. So we know all of that is taking place. Well, what's the impact? Well, you're moving away from these much larger, almost castle-and-moat-style, you know, protecting of the industrial control environments to much more highly, you know, diversified and smaller sites. And that complexity, in some ways benefits the defenders at first. Of - yeah, we've got a much more complex system. It'd be harder for adversaries to figure out. But once adversaries figure it out, there's also a hyperscalability that then comes when we're deploying a lot of kind of cookie cutter-style industrial control environments. You know, one wind turbine is fairly similar to another. 

Robert M Lee: So, you know, to kind of summarize it up and not turn this into a thesis statement, I'll say that the nature of our industrial control networks and kind of the digital transformation that is taking place around them is pushing an access to them and a scalability to them that adversaries can take advantage of pretty quickly. And so the necessity for doing things like OT-specific cybersecurity then gets really mission-critical even more so than before. And as a result of climate change and the discussions around it, you're going to see a massively increased attack surface, and you're going to see a massively increased sort of capability by the adversary, if you will, to understand those systems. 

Robert M Lee: And I guess I'll sort of maybe make that a little more tangible. If I want to go out and buy a GE Cimplicity SCADA system for a high-power, high-energy site, you know, it's going to cost me hundreds of thousands of dollars potentially to get everything set up and configured, done correctly. Then I got to have the expertise to do it. Then I got to develop the expertise to learn how to attack, and then there's operations to support it. There's so much goes into it. If I've got, you know, decently available, smaller form factor, cheaper control systems deployed at a renewable site and I've got a thousand of those sites around the world that I can potentially target and learn from before ever going after any of my intended targets and they might all be connected up through VPNs or cloud resources or similar, we start getting into a different era for what the adversaries can do. 

Dave Bittner: Is there a factor here of the fact that change can lead to uncertainty? I'm thinking, you know, you probably have decades of experience with institutional knowledge - I'm thinking particularly on the OT side - of someone - of folks knowing how to run coal-fired power plants or natural gas, you know, those sorts of things that have been around for decades. As we transition to emerging technologies, does not having that institutional knowledge around, is that a risk itself? 

Robert M Lee: Absolutely. One of the greatest defenses we have in industrial environments is system expertise. And so the adversaries have to gain it, and the defenders should already have it. Start changing out the components, start having an overreliance on, you know, original equipment manufacturers and vendors more so than internal staff, you lose that expertise. And then whatever the adversaries gain in expertise is automatically more than you have, which makes it harder to identify the attacks, harder to be resilient against them, harder to really just even think about the scenarios that you might want to defend against. So in no way trying to be doom and gloom - but the validation of your statement, the plant of the future, if you will, has a lot more automation, a lot more cloud resources and analytics, a lot more connectivity and a lot less people. 

Robert M Lee: And in some ways, that's the direction we got to go. And in some ways, that's actually really, really good. There's going to be secondary and tertiary benefits of that that are really wonderful for companies and communities alike, creating higher-paying jobs for the actual maintenance required for those. But to your point, as you take that expertise out, you've got to compensate with something to reduce the risk as it relates to security. So I usually talk about OT security to CEOs and boards explicitly on the discussion of compensating controls, that this thing isn't new because the threats are new. The reality is the threats have been around, but now they are getting more sophisticated and aggressive on this topic. But your changing landscape is especially new. It's not an IT-OT convergence discussion. It's kind of a digital transformation and cyberthreat, you know, kind of convergence, if you will. And that is driving a necessity to have those compensating controls. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Just follow your nose. It always knows. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.