The CyberWire Daily Podcast 2.26.21
Ep 1278 | 2.26.21

Oxford lab studying the COVID-19 virus is hacked. Zoom impersonation campaign. Senators would’ve liked to have heard from Amazon about Solorigate. NSA likes zero trust. NIST IoT guidelines.

Transcript

Dave Bittner: An Oxford biology lab has been hacked. A Zoom impersonation phishing campaign afflicts targets in the EU. Senators are disappointed in Amazon's decision not to appear at this week's SolarWinds hearing. NSA advocates adopting zero trust principles. CISA issues alerts on industrial control systems. The US Department of Homeland Security describes increases to its cybersecurity grant programs. Dinah Davis examines how health care is being targeted by ransomware. Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System. And NIST's draft IoT security standards are still open for comment, but you better act fast.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 26, 2021.

Dave Bittner: Oxford University confirmed yesterday that its Division of Structural Biology, a prominent lab working on understanding COVID-19, had been accessed by unauthorized parties. The Division of Structural Biology, familiarly Strubi, is not the Oxford unit that's been working with AstraZeneca on a COVID vaccine. That work has been going on at the Oxford Vaccine Group and Jenner Institute. Instead, Strubi's research has concentrated on understanding the virus' mechanisms of action, more basic research that would certainly usefully inform development of vaccines and other therapies. 

Dave Bittner: Forbes says the intruders accessed machines used to prepare biochemical samples. It's unclear what they were after, and the screenshots of the criminals' post seen by Forbes make it almost appear that the hackers were counting coup by showing off the access they'd gained. The screenshots seem to show access to control interfaces with an implied ability to control lab equipment pressure gauges. 

Dave Bittner: While the screenshots showed more evidence of capability for sabotage than they did signs of stolen data, it seems reasonable to speculate that the threat actor is a criminal group offering stolen biomedical data for sale to nation-state intelligence services. Hold Security provided Forbes with screenshots of sites on which the attackers were seeking to drum up interest in their wares. Oxford has been understandably tight-lipped about the details of the incident, which it's reported to the Information Commissioner's Office. The National Cyber Security Centre has the matter under investigation. 

Dave Bittner: Security firm GreatHorn has identified a Zoom-based phishing impersonation campaign currently active in the European Union. It's a credential-harvesting campaign, and its phishing emails enjoy some success despite their poor idiomatic control of written English. The criminals have taken some care to make their URLs look like the now-familiar links legitimate Zoom users have grown accustomed to, and it seems that the look of the URL has been a shiny enough bit of phishbait to get the victims to bite. 

Dave Bittner: Of the publicly stated good-government, well-intentioned bits of consensus to emerge from this week's hearings before the U.S. Senate Select Committee on Intelligence, the one that seems to have assumed the highest profile is the importance of information sharing. It was not only recommended as a means of preventing other similar supply chain attacks but also introduced in exculpation by SolarWinds, which said it wished it had been afforded sufficient liability protection to enable it to share more without fear of being sued. Microsoft, FireEye and, of course, SolarWinds all offered testimony. Amazon declined, and The Wall Street Journal reports that there was some bipartisan disapproval of the company's failure to appear. Amazon was invited to testify, and the senators believed that the company, which wasn't itself compromised but whose cloud infrastructure was used by the threat actors, could have had valuable insights to contribute. Amazon is said to have shared relevant information privately, but the committee thinks a public airing of the circumstances, under which the cyberespionage was accomplished, could have been valuable. There's no particular suggestion that Amazon was negligent, and indeed several experts have observed that it's effectively impossible to prevent that sort of abuse of a cloud service, but the committee is considering compelling testimony at future hearings. 

Dave Bittner: NSA has published a Cybersecurity Information document that urges cybersecurity professionals to adopt a zero trust security model. A system engineered according to zero trust principles can better position them to secure sensitive data, systems and services. NSA calls out three zero trust guiding principles - first, never trust, always verify; second, assume breach; and third, verify explicitly - and four design principles, which would be define mission outcomes, architect from the inside out, determine who or what needs access to the data, assets, applications and services to create access control policies, and inspect and log all traffic before acting. Making this work, Fort Meade cautions, will require persistent adherence to the mindset and comparable attention to the model's application. 

Dave Bittner: CISA yesterday issued four advisories on industrial control systems: ProSoft Technology ICX35, Fatek FvDesigner, PerFact OpenVPN-Client, and Rockwell Automation Logix Controllers. Claroty quietly disclosed a cryptographic flaw in the last-mentioned Rockwell PLCs to the manufacturer last year. Now that Rockwell has fixed the vulnerability, Claroty has provided details: an attacker could have discovered a secret cryptographic key used to verify communication between the PLC and its engineering station. This could permit an attacker to mimic a workstation and manipulate manufacturing processes. 

Dave Bittner: The US Department of Homeland Security has increased grant funding for state and local cybersecurity preparedness programs. DHS Secretary Mayorkas explained, quote, "with today's grant awards, I am also directing additional grant funding to support cybersecurity efforts. As we have seen in recent events, attacks to our cyber networks can have devastating effects. Accordingly, I have required that SHSP and UASI recipients spend at least 7.5% of their grant awards to enhance their cybersecurity posture. With this funding, state and local grant recipients can conduct cybersecurity risk assessments, strengthen their dot-gov internet domains, improve the cybersecurity of their critical infrastructure and conduct additional cybersecurity training and planning," end quote. 

Dave Bittner: And finally, NIST - the US National Institute of Standards and Technology - has extended its deadline for comments on four draft documents that outline a set of Internet of Things security standards. The documents include three NIST Interagency/Internal Reports and the fourth is a special publication. So comment if you've got them, but don't lollygag, and act soon. The newly extended deadline expires today. 

Dave Bittner: Michael Hamilton is founder and CISO of CI Security. He's also the former CISO of the city of Seattle. He joins us today to discuss PISCES - the Public Infrastructure Security Cyber Education System. 

Michael Hamilton: We perform security monitoring of small local governments at no charge in return for using the data that we collect as real-time curriculum for five universities. 

Dave Bittner: So how do you measure success in terms of the small cities and towns that you're serving here? When this information comes back to them, are you seeing it - are they - is it actionable? 

Michael Hamilton: It is. And so they are very appreciative of the fact that they are being brought into the loop. And as I'm looking at tickets right now, I see one, two, three, four cities that probably need contact. And I've already contacted a county this morning. You know, a lot of this stuff is false positives and the students are learning, so, you know, we have someone that adjudicates whether or not a customer needs to be contacted and an event escalated. We are telling the customers things about their networks that they don't know. For example, there is one jurisdiction here in Washington state that is really getting pounded by somebody. And so, you know, we've given them instructions on, you know, network blocks, things to check in their own logs, et cetera, et cetera. 

Michael Hamilton: But to your question, really the success metric is the people getting hired because our intent is to make sure that we have a much stronger bench in our state, Washington state. Colorado will probably be the next one to start up a PISCES chapter. We've talked to folks in Texas, Oklahoma and South Carolina. And in fact, one of the universities that is teaching the PISCES curriculum is Alabama A&M, which is one of our historically Black colleges and universities. And we are intent on making sure that we do a better job of getting into the rest of the HBCUs and turning brothers and sisters into analysts. 

Michael Hamilton: And interestingly, you know, in just broad vision kind of thing, you know, you don't need to live near the building anymore to work for the company. And what we have found is and what the universities have told us is, when we graduate our students, we really want them to stay in the local economy. Well, this also provides that mechanism because, to a great extent, you know, technical roles are able to work remotely. And as we've worked with auditors to design security controls, you know, for the commercial side of the business - right? - because my business, CI security, we do this commercial monitoring, right? Set that aside. But we've talked to our auditors and said, hey, you know, if we have the following controls in place, do they have to be in this SOC we spent $100,000 on? They said no. So what this means is, applied more broadly, this is a way to get folks in not only underserved communities in terms of, you know, minority and people of color but in places where there are no technical jobs in the middle of Kansas. And if that's what your quality of life is as defined by you, knock yourself out, man. Go live there, make, you know, this kind of salary and squirt that into local economy. So in a larger sense, this is one of the tools that we have in the United States of kind of moving the chess pieces around so that everything isn't all concentrated in, you know, the Bay Area and Seattle and - you know? 

Dave Bittner: It really sounds like you've - you're onto a win-win here. Like, there's - everybody benefits from this. It's an untapped - or it's - I guess these small cities and towns are an area that might be, I don't know, too small for a lot of companies to want to take the time to... 

Michael Hamilton: That's exactly right. 

Dave Bittner: ...Invest in supporting. Yeah. 

Michael Hamilton: Yep. And you know - and, again, you know, they can't afford it, you know? 

Dave Bittner: Right. Right. 

Michael Hamilton: But here's the thing. I mean, counties run 911. Only counties run 911. They also do elections, you know? And frankly, there's a lot of IT involved in both of those things. And, you know, the fact that they can't afford the kind of controls that, you know, their larger brethren in some of these larger jurisdictions can doesn't mean they're any less critical. So, yeah, it is a win-win because the infrastructure protection and, you know, in fact, you know, helping these folks with their networks - you know, I had somebody make a DNS change in their firewall that solved a bunch of problems for them. 

Michael Hamilton: So, you know, there is value to be gained here. Keeping it free for the smaller jurisdictions is a real goal, and that's why we have to get to, you know, a sustainable business model here. You know, we just got our nonprofit status, so that will change something. But yeah, it's win-win. And as we move into our next objective, which is to making sure that students midway through their scholastic career can go out and intern with the local jurisdictions that we're monitoring so that they actually get some, you know, boots on the ground experience, too - and, you know, we also want to talk to the American Hospital Association about doing the same thing, you know, potentially getting them interns so that, you know, they're - especially rural hospitals are on the financial ropes, too. They need help. 

Michael Hamilton: So, you know, this is all about doing public good, but longer term, it's solving this problem that we have in the United States that everybody thinks they want to solve by creating the next new gizmo to sell you. You know, no. We've got to make people, so we're going to make people. 

Dave Bittner: That's Michael Hamilton from CI Security. You can learn more about PISCES at their website, pisces-nw.org. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D for Arctic Wolf. Dinah, it is always great to have you back. You know, we are seeing this sort of relentless onslaught of ransomware, and a lot of these folks are focusing on health care. I want to touch base with you on that particular element of this. Where do we find ourselves today? What do you think? 

Dinah Davis: Yeah, it's pretty intense. You know, October alone saw a 71% increase in ransomware attacks against the health care sector in the U.S. So that's pretty intense. 

Dave Bittner: Right. Why health care in particular? What puts the big target on their back? 

Dinah Davis: Yeah. So I think, you know, they are a little bit easier to target for a couple reasons. One, they feel like - the attackers feel like health care is more likely to pay because of the life-and-death situation that the ransom causes, right? You ransom all those life support machines, and they need to get those back up because they're actually looking at, you know, people's lives here. So that's one. 

Dinah Davis: Two, they're often running equipment that's older and harder to upgrade - right? - running specialized systems. And historically, hospitals have probably had a low amount of funding for their IT staff and updating things. So their IT team is often stretched thin, and that makes them, you know, a bigger target, right? So that's one - that's, I think, a big reason. 

Dinah Davis: And then I think on top of that, with COVID, the hospitals are even more stressed. And, like, these nasty attackers think this is even a better opportunity. I think it's pretty despicable, but this is what they're doing. 

Dave Bittner: Yeah. 

Dinah Davis: And then in early November - like, it was already kind of bad. And then in early November, the FBI issued this warning against more ransomware attacks coming on U.S. hospitals. And so this was like - we were like, oh, my gosh, at Arctic Wolf. And so we - you know, we were able to put in a lot of extra monitoring in place for our health care people and helping them to go and upgrade their systems - like, so really working hard with them to say, OK, patch, patch, patch, patch here because the most important thing here is that you have the least amount of risk we can handle, and then we will watch for the rest of it. So I guess the big question then becomes, you know, like, how do they prevent this, right (laughter)? 

Dave Bittner: Yeah. I mean, it's such a - it's a huge attack surface. And as you say, it's - they're serving a critical mission there. 

Dinah Davis: Yeah, absolutely. So, OK, you're in the health care industry. What can you do to prevent from being ransomed? So, one, ensure you have good security practices and security training. Remember that for ransomware to get in, you only need one person to click a bad link. So the more training you do, the more you empower your employees to understand what they're doing, the better you're going to be. 

Dinah Davis: You should have a security team doing 24-by-7 monitoring. Whether you're going to build that yourself or you're going to hire it, you really have to be watching all the time. And then of course, you know, patch, patch, patch, patch, patch. Patch all the things (laughter). 

Dave Bittner: Well, when you say monitoring, what specifically are we talking about here? What does that mean? 

Dinah Davis: Yeah, so you want to be watching, like, the network traffic flow coming in and out of your hospitals. You want to monitor - you really want to monitor stuff that's happening on your email software. So, you know, are people adding new accounts? Who's adding it? Are they setting up email forwarding rules? That is a big attack vector right now. Set up an email - compromise somebody's account, set up an email forwarding rule to watch for certain types of messages, and then be able to craft a really nice phishing message back - right? - to get money or to install something else, right? 

Dinah Davis: So you want to not only monitor your - like, your physical network. You want to monitor your cloud network as well - right? - so your Office 365, if you have anything running in Amazon or in Google Cloud, all of that kind of stuff. You want to have endpoints installed on your laptop so that we can monitor anything that's happening on those. Any kind of low-traffic intrusion places is where you want to be monitoring. 

Dave Bittner: Yeah. Yeah, it's so critical. You know, it's funny, my colleague, Joe Carrigan, is at Johns Hopkins. And of course, he's at the university, but they're also famous for having a world-class hospital. And he makes the point often that if security is going to get in the way of a doctor being able to do something they need to do to do health care, security is going to take a backseat to that. And that is - it is appropriate, but it is also a challenge. 

Dinah Davis: Yeah, absolutely. And you know, it's hard, right? You probably - you know, one of the big things that we also, you know, say, is have a good backup plan, OK? So put in as much as you can to try and prevent things from happening, but it's likely something's going to happen. So do you have a good response plan? One, do you have good backup so you can recover really quickly whether you pay the ransom or not? Two, run through mock scenarios with company leadership so they know what to do when it happens. So what happens if all of your stuff in your hospital - everything goes off line? What are you going to do? If you have a plan for that, you're going to have minimal impact, right? I mean, there'll be impact, but it'll be minimal. Don't be the least secure hospital (laughter). 

Dave Bittner: Right (laughter). Right. 

Dinah Davis: I know it's a little bit silly, but it is true. Don't - you know, even if you can only do a few things, do those things, right? It will help you. 

Dave Bittner: I don't have to outrun the bear. I only have to outrun you. 

Dinah Davis: Right, exactly. 

(LAUGHTER) 

Dinah Davis: That's exactly it. 

Dave Bittner: Yeah. Yeah. All right. Well, Dinah Davis, always a pleasure. Thanks so much for joining us. 

Dinah Davis: No problem. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. You deserve it, too. Listen for us on your Alexa smart speaker. 

Dave Bittner: Be sure to take some time this weekend and check out our episode of "Research Saturday." This week, I speak with Maurits Lucas from Intel 471. We're going to be discussing the current state of China's cybercrime underground. That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.