Data exposure reported in the Philippines. FISA targets down during the pandemic. Babuk changes its focus. New variant of the Buer loader in the wild. US Justice Department reviews its cyber strategy.
Dave Bittner: Possible data exposure at the Philippines' Office of the Solicitor General. In the U.S., FISA surveillance targets dropped during 2020's pandemic. The Babuk gang says it's giving up encryption to concentrate on doxing. A new version of the Buer Loader is out in the wild. Rick Howard looks at security in the energy sector. Betsy Carmelite from Booz Allen Hamilton on telemedicine security concerns. And the U.S. Justice Department undertakes a review of its cybersecurity policies and strategy. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 3, 2021.
Dave Bittner: London-based security outfit TurgenSec says that the Philippines' Office of the Solicitor General left about 345,000 documents exposed to the internet, GMA News Online reports. Philippine authorities are investigating.
Dave Bittner: TurgenSec says the data was exposed for about two months and that it appears to have been accessed by a third party. The company says it disclosed the exposure to Philippine authorities on March 1 and March 24. The exposure was closed on April 24.
Dave Bittner: According to TurgenSec, data exposed includes hundreds of thousands of files ranging from documents generated in the day to day running of the solicitor general of the Philippines to staff training documents, internal passwords and policies, staffing payment information, information on financial processes and activities including audits and several hundred files titled with presumably sensitive keywords such as private, confidential, witness and password. The exposure, the company says, appears to have been a matter of database misconfiguration.
Dave Bittner: The AP says that the number of surveillance warrants issued in the U.S. under the Foreign Intelligence Surveillance Act fell off sharply during 2020. A report on FISA surveillance, part of the intelligence community's annual Statistical Transparency Report issued Friday by the Office of the Director of National Intelligence, attributes the decline in large part to the effects of the COVID-19 pandemic. The New York Times reports that the report listed just 451 targets of wiretaps and search warrants under FISA last year.
Dave Bittner: The report notes that many factors contributed to the statistical shifts and fluctuations that show up in this annual assessment, but that in this case, quote, "ODNI assesses that in calendar year 2020, the impact of the COVID-19 pandemic likely influenced target behavior, which in turn may have impacted some of the numbers reported for that year," end quote. So the pandemic affected those being watched more than it did the watchers.
Dave Bittner: The Babuk ransomware gang says, according to the Record, that it intends to give up ransomware attacks after its current caper directed against the Washington, D.C., Metropolitan Police. This is not due to an attack of conscience, however, nor to any newfound sense of public spirit or civility. It's just that Babuk has found it easier to simply steal documents and extort money by threatening their release. So online extortion, which began by encrypting data to deny it to their owners and move to a double extortion by not only encrypting information but also threatening to make it public, may be moving to a third doxing-only stage. In any case, paying ransom seems to be making less sense than ever before. Forbes reports that 92% of victims who pay don't get their files back. So this part of the bandit economy seems to have eaten its own business model. No more golden eggs from this particular well-cooked goose.
Dave Bittner: Researchers at security firm Proofpoint have found a new form of the Buer loader. Buer is commodity malware traded widely in criminal markets. It's distributed by email and permits its criminal users to install further malware packages on its victims' devices. It's a first-stage loader for additional payloads, Proofpoint says, including Cobalt Strike and multiple ransomware strains, as well as possibly providing victim access to other threat actors in the underground marketplace. The emails represent themselves as shipping documents from logistics company DHL. They are, of course, spoofed emails, and the attachments that carry the Buer payload are malicious Microsoft Word or Excel files. Proofpoint expects the campaign to continue.
Dave Bittner: The Washington Post reports that the U.S. Justice Department has begun a 120-day review of its cybersecurity policies. Prompted by the SolarWinds incident, which many see as a bellwether of future attack trends, the department's review is intended to examine ways Justice might better deter and defend against cyberattacks. Deputy Attorney General Lisa Monaco said Friday, quote, "We need to rethink and really assess. Are we using the most effective strategies against this kind of new evolution, this pivot point that I think we're at today in the cyber threat? There is no time to lose on what can we be doing better working with our partners across borders to address these threats," end quote.
Dave Bittner: The Justice Department's efforts against ransomware have received considerable attention recently, but the review will extend beyond that particular problem. Justice has also adopted a more aggressive stance toward cybercrime - participating, for example, in an international effort to take down the Emotet botnet. That interest in international cooperation seems likely to continue. According to the Record, the department plans to hire a liaison prosecutor who will be expected to train and develop skills for prosecutors, police and judges, including through case-based mentoring on transnational organized cybercrime cases to identify gaps in existing laws, advise legislative bodies on the enactment of effective legislation and amendment of existing laws to increase enforcement efficacy and to build capacity within the law enforcement agencies to combat transnational organized cybercrime. It's not a new post, but the position has been vacant since December. Whoever's hired for the job - good hunting.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So for this season of "CSO Perspectives," you've been covering some of the key critical infrastructure verticals - things like finance and health care - to see if anything makes them unique in terms of strategy and tactics. What do you have for us this week?
Rick Howard: Yeah, so thanks for that. On the pro side, we're talking about the energy vertical this week. And we've invited some of our favorite guests to the hash table to get their views. We have Helen Patton, the committee chair to the Cybersecurity Canon project, and also, she's the advisory CISO for Duo Security at Cisco. That's a title. OK?
Rick Howard: And we have my friend Steve Winterfeld, the Akamai advisory CISO. And both of those folks are regulars for our hash table discussions. But also, we have a special guest this week - Mark Sachs, currently the deputy director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, and they pretty much had every letter in the alphabet for that title, OK? But in a previous life, he was the chief security officer of the NERC for three years - that's the North American Electric Reliability Corporation. And at the same time, he had oversight of the E-ISAC, the Electricity Information Sharing and Analysis Center. So he fits right in to the energy discussions.
Dave Bittner: Yeah, I mean, that is a - that is quite the mix of cybersecurity personalities.
Rick Howard: (Laughter).
Dave Bittner: I'm guessing not everybody agreed on everything. How'd that go for you?
Rick Howard: Well, you got that right. There was a major disagreement about whether or not the energy vertical would move completely over to a cloud-delivered, infrastructure-as-code kind of environment the way that all the other verticals seem to be moving towards. Now, no spoilers here, but I bet...
Dave Bittner: (Laughter).
Rick Howard: ...You can guess who is the guy that was against that idea.
Dave Bittner: Hmm.
Rick Howard: Hint, hint. It might be the NERC guy. I'm just saying.
Dave Bittner: All right. So "CSO Perspectives" - is this something that is reserved for the cool kids over - who have CyberWire Pro subscriptions? Or what's going on over on the ad-supported side this week?
Rick Howard: Well, you know, Dave, we've been talking the last couple of weeks about the release of "CSO Perspectives" episodes from season one to the public for free. Now, these have ads. And if you're like me, you avoid ads like the plague.
Rick Howard: And that is one of the main...
Dave Bittner: Now, Rick...
Rick Howard: I know. We have to make money somehow, right?
Dave Bittner: (Laughter) Right, right.
Rick Howard: But it's one of the main reasons you want to subscribe to CW Pro. You get all the CyberWire content without the ads, right?
Dave Bittner: Right, yeah.
Rick Howard: But for this week on the free side, we're doing a bit of an indulgence for me, OK? Instead of tackling some thorny cybersecurity issue, we're talking about my four favorite cybersecurity novels. And I have some very specific criteria for what makes a good book in this genre.
Dave Bittner: Yeah, I - you know, I'm actually glad to hear it because so many novels that I've read that have some sort of cybersecurity element - and I'd say this extends even to pop TV and movies - they have sort of what I call a "Harry Potter" version of cyber, which is...
Rick Howard: (Laughter).
Dave Bittner: You know, they don't really explain what's happening, but somehow, magically and mystically, they're able to break into highly classified government buildings. You know, they say things like magnify, you know...
Rick Howard: And, we're in.
Dave Bittner: ...I'm in. Right, right, right.
Rick Howard: I think we may have watched the same shows.
Dave Bittner: Yeah. I mean, it's all good fun. But, of course, it's not terribly realistic.
Rick Howard: Well, I'm totally with you on that, all right? I want to be able to hand a good novel to my grandma where the cybersecurity is realistic and tell her, hey, grandma, this is what I do, you know, sort of.
Dave Bittner: Fair enough, fair enough. All right. Well, Rick Howard - he is the host of "CSO Perspectives" over on CyberWire Pro. And we've got advertiser-supported episodes that are being put out there, as well. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, always great to have you back. You know, one of the things that's really moved along as we've all been experiencing a lot of the lockdown through COVID-19 is the explosion of telehealth. You know, I know for - me and some of my family members have really been taking advantage of and enjoying the ability to connect with our medical professionals remotely. It's - there are a lot of conveniences there. But I suppose the cybercriminals have also taken notice of this. They're not holding back, either.
Betsy Carmelite: No, the premise here around this concern is that massive shift at scale to a remote delivery model brought on by the global health crisis. And that's that rapid expansion of U.S. telehealth services, especially in 2020. And we think it's unlikely to contract even years after the pandemic clears. There will be a permanence to telehealth, given its convenience. We also believe this will change the way cybercriminals target health data at scale. And I'd like to touch on some of the characteristics of telehealth platforms and infrastructures. We know that telehealth uses electronic information and telecommunications technologies to remotely provide clinical health care, patient and professional health-related education, public health and administration services. This is also how medical collaboration is happening among hospitals - rapidly treating COVID patients or discussing transplant surgeries, for example.
Betsy Carmelite: Some of the core technologies used in these services are video conferencing, store-and-forward, imaging, streaming media. And these are typically accessible to the internet, including wired and wireless communications. With telemedicine, this typically includes clinical care, treatment of chronic conditions, medication management, specialist consultations. It can be considered a subset within broader telehealth services. Notably, both telemedicine and telehealth share similar technology, infrastructure and weaknesses. And we're looking at once-disparate databases used for billing and patient data now being aggregated and also platforms for patient-provider collaboration and communication. One of the data points to bring this into really practical focus is prior to the public health emergency, in a given week, 13,000 Medicare recipients used fee-for-service telehealth. By the last week of April 2020, that increased to 1.7 million recipients. So...
Dave Bittner: Wow.
Betsy Carmelite: ...Lots of data and infrastructure to exploit.
Dave Bittner: Wow. Yeah, I had no - I - that (laughter). I did not expect that degree of growth. So what specifically are you expecting or - and experiencing the cybercriminals to be targeting here?
Betsy Carmelite: We believe mass adoption of this technology opens doors to perhaps not a new cybercrime focus, but a renewed focus at scale with an emphasis on stealing patient data, primarily for monetary benefit. And the theft of patient or hospital data can enable cybercrime in a few ways. First, it can enable billing fraud over the phone, using stolen information to demand payment for physician-ordered medical devices or fake medical debt collection. Or cybercriminals can pair stolen patient numbers with falsified provider data to submit fraudulent claims with insurers.
Betsy Carmelite: It also enables ransomware operators who prey on hospitals and medical providers, hoping that the threat of encrypted patient data motivates that payment. Telemedicine will also be a significant target for attackers looking to gain from the value of critical data stored on managed service providers and local cloud instances. We saw a few companies like GE Health, Google and Microsoft launch cloud-based systems for medical device management and telehealth services in the last year.
Betsy Carmelite: And finally, we see it targeting remote patient monitoring devices. These are R.P.M. devices. Traditionally, providers deploy patient monitoring systems at a medical facility, but R.P.M. systems are deployed at a patient's home. Providers can use device data to treat acute conditions and chronic illness, but these devices must maintain the confidentiality, integrity and availability of patient data to ensure patient safety. Telehealth security is really a patient safety issue with potentially catastrophic risks for data vulnerabilities and device failures.
Dave Bittner: How do you see us facing this potential onslaught here? I mean, are the proper tools and techniques in place to make sure that people are safe?
Betsy Carmelite: I think this last year has shown us that the rise and the need for security is essential to make this a successful long-term platform for clinicians and patients. We offer a few recommendations for those in the health care industry really at this transformative point in the clinician to patient experience. First, looking at the telehealth strategy and architecture with this rapid rise of the technology implementation, often there's a lack of clinical and technical integration. So health care systems should develop or refine an enterprise telehealth strategy with security considerations built into every layer of the telehealth ecosystem, from cybersecurity infrastructure to the supply chain, software and point provisioning, et cetera.
Betsy Carmelite: Companies also really need to evaluate third-party vendor security. Health care is highly regulated as an industry, and there are multiple standards in place to protect patients in health care. The health crisis has really introduced a load of new vendors with less experience navigating complex health care security regulations. And there are organizations like the National Consortium of Telehealth Resource Centers and the American Medical Association who provide checklists with security and privacy considerations for reviewing vendors. Also, at a tactical level, firms need to evaluate the vendors' security controls, intrusion systems and policies on accidental disclosure of data. And finally, organizations should implement user authentication. We've talked a lot about the value of patient data today. Robust user authentication measures are a necessity to ensure patient IDs and personally identifiable information stay secure.
Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us.
Betsy Carmelite: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.