Prankers on Zoom, with convincing video. Emotet takedown. US response to SolarWinds reviewed. Cancer therapy disrupted by attack on cloud provider. Oscar phishing.
Dave Bittner: Zoom prankers deceive European members of Parliament with a deepfake video call. A password manager is compromised. Europol took a good whack at Emotet yesterday, removing the botnet's malware from infected machines. The U.S. response to the Holiday Bear campaign receives cautious good reviews. A cyberattack interferes with cancer treatments. Caleb Barlow from CynergisTek on emergency notification systems. Rick Howard previews the latest "CSO Perspectives" podcast focused on the health care vertical. And movie-themed phish bait chummed the waters around yesterday's Oscars.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Monday, April 26, 2021. Someone impersonating a spokesman for imprisoned Russian opposition figure Alexander Navalny conducted Zoom meetings with European Parliament members. The sessions featured what The Guardian and NL Times called a deepfake video call purporting to be Navalny associate Leonid Volkov, which Volkov himself said looked pretty convincing. Speculation about responsibility for the incident has focused on Vovan and Lexus, two well-known Russian prank callers, prankers, as such nuisance humorists are known. The incident is, of course, troubling for coming at a time when Navalny is imprisoned and on a life-threatening hunger strike. And it's worth noting that relatively senior political officials were taken in by the scam. But to place it in perspective, this is more shock-jock stuff than it is a spoor of a new and devilishly nefarious approach to disinformation. Technically, it's a cut above the kind of jerk who would call the live news coverage to holler Baba Booey during the slow-motion chase of O.J. Simpson's Bronco down the 405 in Los Angeles. But let's keep it in perspective. The lesson is that video that appears genuine in a live call need not be and that some authentication beyond look and feel is necessary. But we already knew that. It's even become a trope in gag insurance commercials, where there's a guy video conferencing with his emu colleague and so forth. At any rate, on balance, not very funny. And Vovan and Lexus themselves aren't novices, we note. They pranked, to name just three, Sir Elton John, the Duke of Sussex and Senator Bernie Sanders. But many of their targets have been critics of the Russian regime. Mr. Putin himself has not been pranked and seems unlikely to be.
Dave Bittner: A widely used password manager, Click Studios' Passwordstate, has sustained a cyberattack. The Australian company has warned its customers to reset their passwords. TechCrunch reports that Click Studios confirmed to customers that the attackers had compromised Passwordstate's software update feature and that their goal was the obvious one of stealing users' passwords.
Dave Bittner: Europol yesterday took another step toward further disabling the Emotet botnet when a time-activated .dll removed Emotet's enabling malware from victim machines. SC Magazine notes the operation's similarity to the FBI's recent removal of malicious Web shells from compromised Microsoft Exchange Server instances. The active removal represents the final stage in taking down Emotet. After the initial takedown operation, European authorities pushed a new configuration to machines actively infected with Emotet. BleepingComputer takes the occasion as an opportunity to review the activities of TA542, also known as Mummy Spider, the criminal organization behind Emotet. Quote, "TA542's attacks usually led to full-network compromise and the deployment of ransomware payloads on all infected systems," end quote. Its toolkit includes more than Emotet. The gang delivered ProLock or Egregor via QBot, and Ryuk and Conti via TrickBot. Yesterday's action is being widely hailed as one that may permanently disable Emotet. But botnets have risen from the dead in the past, and so the optimism should be of a cautious variety. But congratulations to Europol and German authorities, and we wish them further good hunting.
Dave Bittner: The Washington Post reports that security experts generally approve the U.S. response to Russia's SolarWinds exploitation campaign. But U.S. Deputy National Security Adviser Anne Neuberger in a CNN interview cautioned against expecting too much. The Russians almost surely remain active inside U.S. networks. As far as any long-term effect on Russian policy and behavior, Neuberger said, quote, "we'll know when we see a change with regards to Russia's broad use of cyber to achieve national objectives, and that's something that will take time. To really shape a country's use of cyber, you have to shape the calculus they use on the value and the cost. The SVR is a sophisticated, persistent actor. They play a role as part of Russia's intelligence collection as part of their malign influence mission. And we know that to shape that calculus is not going to be one action," end quote.
Dave Bittner: A cyberattack against Elekta, a firm whose software is used to operate linear accelerators used in cancer treatment, has taken the firm offline and disrupted cancer care at a number of U.S. hospitals. Affected hospitals are moving patients to other facilities as they scramble to keep up the treatments, WTNH reports. The incident is being described as a data breach, and in the course of remediating the incident, Elekta found it necessary to stop access to its cloud data storage.
Dave Bittner: Online fraud follows current events, and the Academy Awards yesterday provided cybercriminals an opportunity to dangle lures baited with Oscar material before prospective victims, Threatpost says. Some of the phishbait involved showing trailers of nominated films and then inviting victims to register with a pay card to see the whole performance. Of course, the film didn't run, but the hoods did debit the victims' pay cards.
Dave Bittner: Other scams used more conventional phishbait. Our cinema desk has nothing to say about any of this year's nominations - they've been passive-aggressive like that since the Academy snubbed "Sharknado: The 4th Awakens" back in 2016 - but we hear that the most commonly abused movie titles were, first, "Judas and the Black Messiah" in the lead with 27% of the malware Kaspersky researchers found, followed by "Promising Young Woman" at 27% and "Trial of the Chicago 7" associated with 21% of the malicious files.
Dave Bittner: We close today with some sad news for the information security community. Dan Kaminsky, a well-known white-hat hacker famous for his description of DNS cache poisoning and long a fixture at DEFCON and Black Hat, has passed away over the weekend at the age of 42, the cause of death being complications of diabetes. SecurityWeek and the Register, among others, ran obituaries. The Register's piece communicates how highly he was esteemed and how well he was liked within the infosec community. Our sincere condolences go to his colleagues at HUMAN Security, formerly White Ops, and especially to his family. May they receive comfort and consolation.
Dave Bittner: And joining me once again is the CyberWire's chief security officer and chief analyst, Rick Howard. Rick, great to have you back.
Rick Howard: Thanks, Dave.
Dave Bittner: So for this season of CSO Perspectives, you are talking about strategies and tactics for different verticals. And last week, you did the financial vertical. What's in store for us this week?
Rick Howard: For the Pro side, this episode was a real treat for me to put together. We're talking about the health care vertical this week. And the CyberWire just happens to have two members of the Health-ISAC that are regulars at our Hash Table discussions. Have you talked - have you met them before, Dave? It's Denise Anderson and Errol Weiss. Have you talked to them before?
Dave Bittner: I don't know. It doesn't ring a bell off the top of my head, but who - I talk to a lot of people, right (laughter)?
Rick Howard: Yes, you do (laughter).
Dave Bittner: So could be, could be (laughter).
Rick Howard: So...
Dave Bittner: I apologize in advance if I have (laughter). Please forgive me. But let's move on, Rick. What are you all talking about (laughter)?
Rick Howard: Never ask a question you don't know the answer for. That's the - for hosts on podcasts (laughter).
Dave Bittner: Right. Why yes. Yes, Rick. I've spoken to both of them, and they were delightful.
Rick Howard: (Laughter).
Dave Bittner: How's that?
Rick Howard: It's perfect (laughter).
Dave Bittner: OK.
Rick Howard: So Denise Anderson is the Health-ISAC president and CEO. And Errol Weiss is the Health-ISAC chief security officer. And what most people don't know about these two is that they were original contributors to the entire ISAC movement that started back in 1999. President Clinton signed a presidential directive back then that created the ISACs - and that stands for Information Sharing and Analysis Centers - and created some 16 critical infrastructure verticals like health care, finance, energy and a bunch more. The one ISAC that got themselves organized quickly and eventually became the model for everybody else was the financial ISAC. And Denise was Employee No. 2 when they stood it up. I mean, how about that? And Errol was one of the original founding bank member volunteers. So when the Health-ISAC decided to up their game a few years ago, they wisely chose Denise to be the CEO. And one of her first moves was to hire Errol as her chief security officer.
Dave Bittner: Oh, wow. All right. Well, I look forward to that conversation for sure. Now, that is over on the Pro side, where all of the cool kids are. What about on the free side of the house, on standard CyberWire - anything over there?
Rick Howard: Yeah. And as we - we talked about this last week. We're releasing episodes of Season 1 of "CSO Perspectives" at the same time that we're releasing Season 5 episodes on the Pro side. And, you know, we wanted to give folks a chance to get a taste of the Pro side before they committed their money to it. Last week on the free side, we talked about - say it with me - SASE. Come on, Dave, say it with me.
Dave Bittner: SASE, SASE - yeah, SASE.
Rick Howard: And this week, we're tackling artificial intelligence and how it's often mentioned in the same breath as machine learning, which, you know - you and I have talked about. This is one of my biggest pet peeve no-nos I (unintelligible).
Dave Bittner: Oh, yeah. You are not alone in that one, my friend, there. I mean, that is a bugaboo throughout the industry.
Rick Howard: So with that said, though, machine learning techniques have been - become standard security vendor best practices in certain narrow data domains like SIEMs, EDR, XDR and malware identification.
Dave Bittner: All right. So there's something for everyone there. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. Today, we are talking about emergency notification systems and the importance of them. What do you got to share with us today?
Caleb Barlow: Well, Dave, we've often talked about the importance of assembling your team quickly in the event of a security incident of magnitude. You know, and what I like to call this - and this is definitely Caleb speak; you're not going to find this in any book - but I like to call this the duty to convene. How do you convene your team in a hurry? So kind of simply put, it's how do you get your entire team together, including supporting staff, legal incident responders, business line owners, et cetera, at 3 a.m. on Christmas Eve? And how do you do it in a way that they're actually going to show up?
Dave Bittner: (Laughter) While the network's down.
Caleb Barlow: Yes. Exactly. While the network's down and Slack doesn't work and, you know, blah, blah, blah. So, you know, there are actually great tools out there for doing this. Oftentimes - and what I find a lot of people are using - are the same tools you'd use for communicating emergencies to students, whether that's like an active shooter event or a snow day. You know, you can organize these tools by group. They will go through and, you know, call, page, call different phones until they reach somebody. And then that person can say, you know, press one if you're responding, press two if this is the wrong number type of thing. Right? Well, you know immediately who's showing up to your, you know, virtual crisis call or whatever, what department they're in. And you also know who's not coming. So you know where you've got gaps. I think these are really critical systems to have in place. And there's some interesting techniques we've learned on how to get these systems organized.
Dave Bittner: OK. Well, can you share with us?
Caleb Barlow: Well, first of all, one of the concepts - and this kind of comes from the military - is this concept of a warning order. You know, a lot of times when an incident is unfolding in the early days of - in the early hours of an incident, you know, you don't really know if a thing is a thing yet. Like, it's starting to look bad, but you don't really know how bad is it. You know, and oftentimes, that can be things like - let's say there's a major vulnerability that's just hitting the wire, and you don't yet know if your systems are infected or, worse yet, is this like one of those vulnerabilities where we're all going to be up for the next 24 hours patching systems and issuing press releases? Or is this kind of a mundane thing, and it's just getting, you know, a lot of air time because somebody is making a big deal out of it?
Caleb Barlow: One of the concepts that can be really helpful is this idea of a warning order where you're not telling your team to convene, but what you're doing is using your emergency notification system to say, hey, something's up. We may need to convene the team in the next, you know, six, eight, 12 hours - keep your phone with you. It can be an unbelievably powerful tool because you're not kind of pressing the big red button, but you're giving everybody a little bit of awareness that something's up and we may need to all assemble as a team. It also gives researchers time to dig in and figure out what's going on and if the team actually does need to assemble.
Dave Bittner: What about the importance of having all this stuff, like, printed on paper - 'cause I'm thinking, you know, the system goes down, the phones aren't working, just backup copies of all this stuff?
Caleb Barlow: Where do you think I keep my runbooks, Dave?
Dave Bittner: (Laughter) You have a shelf?
Caleb Barlow: No, in my underwear drawer - that's where they're supposed to be.
Dave Bittner: Of course. How silly of me. Yes, I stand corrected. Go on (laughter).
Caleb Barlow: Seriously, though. You're absolutely right. If your runbooks and plans aren't printed out or on some external system - and here's the other thing. The place you're going to go convene, whether that's a Webex or a Zoom or a conference call, it also needs to be off of your network. Like, I can't tell you how many runbooks I look at. And first of all, to find out the crisis plan, go to our SharePoint repository, held on premise. And, you know, let's use the corporate voicemail system for letting everybody know. That's just not going to work. Right? So I think you've got to do that. A good system really should work across multiple media - office, phone, cellular, text message.
Caleb Barlow: I would also - and this is probably for the - this is kind of the advanced class, but this stuff is not expensive - if you're a critical infrastructure provider, consider getting something called a GETS card, which is the Global Emergency Telecommunication Service. It's run by the Department of Homeland Security. It kind of pairs with something called wireless priority service. And what this does is in the event of a 9/11-style incident, it allows you to get access to the phone system even if it's flooded. And it's just - it's literally a little wallet card you carry around in your pocket. They don't charge you for it unless you use it. And of course, if you use it, you don't care what you - what it costs you.
Caleb Barlow: I'm also a big fan of satellite phones, especially if you've got - if you have large critical laboratories or development labs in foreign countries, particularly areas where you may have unrest or, you know, you may have cyber incidents or you may even have weather incidents, the great thing about a satphone is you can get immediate ground truth. They don't cost much to own one. They cost a fortune if you use them. But again, if it's an emergency and you're using it, you don't care. But they're great insurance to have around.
Caleb Barlow: You know, I remember one bank of mine that was a customer - and this is the extreme, but it gives you an idea. This particular bank moved, you know, gazillions of dollars a day. And, you know, their issue was if one of their data centers went down, they needed ground truth immediately. And it didn't mean - they had backups and redundancy, but they needed to know what was going on. You know, was this a case of, you know, the power went down for two minutes and the generator had trouble restarting and it's going to be back in 10 minutes, or is this a situation where, no, the data center's gone and you need to move operations somewhere else?
Caleb Barlow: They actually deployed Ford Explorers near their data centers, about an hour away at employees' homes, full of communications gear - satellite phones, runbooks, internet connections, you know, that were wireless - all as insurance in that if one of these data centers went down, they had something mobile that could get ground truth back to headquarters in under an hour. Again, that's the extreme case. But these are some of the things we've got to think through. And, you know, for a smaller company, maybe it's as simple as just having a printout in your underwear drawer of everybody's cellphone number.
Dave Bittner: Right, right. Yeah. But the time to be thinking about this is not when you're in the midst of the crisis, right?
Caleb Barlow: No, that would be, as they say, too late, Dave.
Dave Bittner: (Laughter) Right. Well, Caleb Barlow, thanks for joining us.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.