The CyberWire Daily Podcast 8.24.22
Ep 1648 | 8.24.22

Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability.


Tre Hester: A medical center in Paris comes under ransomware attack and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with an introduction to our audience. Dave Bittner sits down with Gil Hoffer, CTO and co-founder of Salto, to discuss who hacked Slack. And threat actors prepare to exploit Hikvision camera vulnerability.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Wednesday, August 24, 2022. 

Medical center near Paris comes under ransomware attack.

Tre Hester: The Centre Hospitalier Sud Francilien sustained a ransomware attack that has disrupted services and forced diversion of patients to other health care facilities. CHSF, a large 1,000-bed hospital between 28 kilometers from downtown Paris, says the attack affected a range of systems, including patient admissions, medical records and especially medical imaging. France 24 reports that the ransomware gang has demanded $10 million for restoration of the hospital systems, which CHSF has refused to pay. The attack is thought to be the work of either Ragnar Locker or LockBit 3.0, especially since responsibility for the investigation has gone to the national Gendarmerie's cyber unit, which would handle this sort of international cybercrime. BleepingComputer cites local researchers who think the attack is more consistent with LockBit 3.0's operation. An attack on a hospital, especially one that puts patients at some risk, would amount to a violation of the ransomware-as-a-service market's humanitarian code. If, that is, one takes such criminal avowals of social responsibility seriously. We don't. 

Lessons for the fifth domain from six months of hybrid war.

Tre Hester: Today marks the 31st anniversary of Ukrainian independence from the Soviet Union, and it also marks the sixth month of Russia's war against Ukraine. As Ukraine braces for renewed Russian strikes against its cities, the Atlantic Council has published a  set of lessons to be learned from half a year of Russia's war against Ukraine. Some of them have particular relevance to cybersecurity. One, lesson for wartime strategic communications - influence operations are a day-in, day-out job. Russia has not succeeded in influence operations, but Ukraine has, largely because it has tamped down on disinformation and coordinated inauthenticity. Two, lesson for hybrid war - don't ignore the fundamentals. Conventional military failures, particularly in tactics and logistics, have marked the Russian invasion. It's also been marked by intelligence and influence operations failures. Three, lessons for would-be invaders - you can't hide preparations for a full-scale invasion. Intelligence is now a commodity. Open sources now show collection and analytic capabilities that formerly would have been possessed only by advanced nation-states. Russian official media themselves pretty clearly telegraphed Moscow's intentions, as did social media posts from ordinary Russian soldiers and citizens. Armies have yet to come to grips with the OPSEC challenges of social media. 

Tre Hester: Four, lesson for cybersecurity - the private sector should play a critical military operational role in cyberspace. Ukraine has proved surprisingly resilient in the face of hostile Russian cyber operations, and this has been due to a large part to its own preparations, shaped by lessons learned from more than a decade of hostile Russian gray zone operations. But Russia's invasion of Ukraine has generated a new role for the private sector, which is engaging in direct cyber combat against Russian cyberattacks and in support of Ukraine's military and governmental functions. While Ukraine has its own capable cyber defenders who, for example, stopped an attack against the Ukrainian electric grid, those efforts have been complemented by private sector firms that have worked with Kyiv, both by helping to identify and disable malware and taking additional actions to create a much more defensible Ukrainian cyberspace. Both Microsoft and Cisco have published reports detailing defensive cyber operations and European cybersecurity firms, such as the Slovakian firm ESET, who have also been engaged. Ukraine’s cybersecurity defense has additionally been enhanced through the use of Starlink terminals and the transfer of Ukrainian governmental functions to cyber clouds outside Ukraine. The actions that these private companies have undertaken foreshadow the critical role such firms will play in future 21st century conflicts. 

Tre Hester: And five, lesson for U.S. Homeland Security - ignoring the home front is a serious mistake. The inherently deniable and ambiguous character of cyber conflict tend to spread its effects beyond the immediate theater of operations. The U.S. got off to a good start, but emphasis may have failed in recent months. More needs to be done by DHS and others to get the American people to understand and better resist the Russian hybrid warfare campaigns that promote divisive propaganda and social media manipulation. Russia's hybrid warfare strategy, which uses disinformation even more than cyberattacks, seems designed to wear down Western democracies' opposition to Russia's aggression. Acting on this final lesson, we note, is perhaps easier said than done. Disinformation can be difficult to counter, especially since the obvious moves against it are difficult to contend with in any society that values freedom of speech. 

Deepfake scams appear to have arrived.

Tre Hester: reports that scammers used an AI hologram as a deepfake impersonation of cryptocurrency exchange Binance's chief communications officer, Patrick Hillmann, in scam Zoom video calls with representatives of various cryptocurrency projects. Hillmann, blogging about the experience last week, said he became aware of the scam when he received messages from the targets thanking him for taking the time to meet with them and calls he, in fact, never attended. Quote, "it turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a deepfake of me," end quote. It's not just deepfakes on Zoom, either. A more conventional impersonation is also troubling Binance. Business Insider reports that Changpeng Zhao, the CEO of cryptocurrency exchange Binance, tweeted that, quote, "LinkedIn has 7,000 profiles of Binance employees, of which only 50 or so are real," end quote. 

Tre Hester: Reports of fake accounts are by no means confined to Twitter. Twitter, we know in passing, continues to receive a great deal of media and regulatory attention in the wake of its former security executive's public airing of his complaints about the platform's general security posture, including its alleged toleration of bots. 

Threat actors prepare to exploit Hikvision camera vulnerability.

Tre Hester: And finally, CYFIRMA researchers report that Hikvision networked cameras are susceptible to exploitation of command-injection vulnerability. Exploitation could enable attackers to enroll cameras as bots in distributed-denial-of-service attacks. It could also afford threat actors the opportunity to pivot to other, more sensitive portions of the networks the cameras connect with. Various criminal groups are exchanging information on the vulnerable systems in underground fora. Quote, "CYFIRMA researchers have observed in the sample analyzed multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command-injection vulnerability CVE-2021-36260 globally. Specifically, in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and further exploit the path of attack to target an organization's environment," end quote. The report mentions the possibility of exploitation for geopolitical purposes, which suggests a potential nation-state or privateering threat. 

Tre Hester: Paul Bischoff, privacy advocate for Comparitech, wrote to explain some of the difficulties involved in security devices like networked cameras. Quote, "IoT devices like cameras aren't always as easy or straightforward to secure as an app on your phone. Updates are not automatic. Users need to manually download and install them. And many users might never get the message," end quote. These devices also don't give users the sorts of cues a smartphone, for example, does. Quote, "furthermore, IoT devices might not give any indication that they are unsecured or out of date, whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot. IoT devices do not offer such conveniences. Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan. From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency or launch further attacks through the camera's network. In this case, the problem is exacerbated by the fact that Hikvision's cameras come with one of a few predetermined passwords out of the box. And many users don't change these default passwords," end quote. So unlike your phone, an unpatched camera, like so many other humble IoT devices will just suffer in silence if it's unpatched. Please, do remember to change your default passwords. 

Dave Bittner: It is not uncommon for modern companies to employ dozens, if not hundreds, of business applications to help streamline the things they do. Every one of those apps has the potential to serve as a gateway for bad actors to access your data. Gil Hoffer is CTO and co-founder of Salto, an organization looking to centralize the management of software-as-a-service applications. 

Gil Hoffer: Any business today is using a very large collection of business applications in order to run their business - anything from Salesforce to run the sales processes, to NetSuite for finance, to JIRA for engineering task management, to Slack for collaboration, etc., etc. So you'll have anything from a few tens to many hundreds of those business applications, which are basically the highly distributed back-office system for a modern company. And in order for those companies to actually utilize those business applications, they need to customize or configure or extend all of those business applications or platforms to fit their actual business needs. And the thing is that those platforms tend to be highly customizable in many cases, which makes it very easy to make mistakes. And as you well know, such configuration mistakes - we know them for tens of years from infrastructure - they create a very, very significant attack surface for systems. And exactly the same happens with those business applications. You can very easily configure a wrong rule that would open all kind of access. For example, on the permissions side, you can create - and we saw it with some of our customers - you can miscreate some kind of an automation or trigger - lets in our support system and start send - data of one customer to another customer by email just because you did, like, a wrong configuration of those business applications. So we believe that right now we're still on a relatively early days in those - with using those systems. They're still lacking a lot of controls, still lacking a lot of methodologies and tools in order to properly manage those in a predictable and secure way. 

Dave Bittner: And it's interesting because, you know, I think many organizations see the utilities in these kinds of tools. And they really do help run the business. Is the notion here that it's not so much that they're insecure out of the box? It's just that the fact that they are customizable can lead to errors. 

Gil Hoffer: Yeah, definitely. Well, you know, if we look at infrastructure, let's say, servers or databases, etc., usually when we introduce the vulnerabilities, these are in customizations that we make in code that we write and configuration changes that we make. And it's exactly the same here. Let's say, if we look at NetSuite, for example - so you can actually extend NetSuite, and it actually serves like a web server. You can add API endpoints that can receive traffic from the internet, even, if that's how you can figure it. Now, this is a highly sensitive financial system that you can add code to. You control permissions and roles, etc. And if you make a mistake, you can very easily expose your organization to some very severe risks. And we are seeing organizations today realizing that this is a problem - the way that they manage their business applications, in terms of quality, in terms of security, in terms of predictability, just being able to know when will they release something. And they are trying to adapt and adopt better best practices and better tools and better methodologies for doing that. 

Dave Bittner: And so what are your recommendations here? I mean, is this a matter of putting procedures in place, or is there more to it than that? 

Gil Hoffer: So part of it is procedures, but in many cases, it's also - first of all, it's around state of mind, right? - because if, let's say, the person is managing your Zendesk, your main customer support tool. If he thinks of himself as mostly an admin, he goes into - does something, is not aware of the actual implication of the changes that it's doing, about the risk that he might be exposing the organization to, then we're not really going to make any kind of headway here. So it starts with awareness and understanding that those systems are crucial. They're a critical part of any modern business, and changes in their configuration can have a real negative and positive - obviously - impact on those organizations. Then when we realize that, then we need to deal with processes - so having the right methodology in place, procedures, etc., as well as tools and tooling. 

Gil Hoffer: And there are ways today, some emerging ways to actually use tools which are more similar to - let's say, the infrastructure as code type of tools from, let's say, Terraform, these kind of tools for infrastructure - you can actually use stuff like that also for managing your business applications configuration. And Salto with one of those tools, but there are other ways you can do that. And once you start using these kind of tools, then you can actually start utilizing, let's say, Git, you know, to version control your changes. You can introduce peer reviews, code reviews to those changes. And there are also some more advanced organizations, especially with Salesforce, some with NetSuite. I actually went all the way in and implemented a full-blown CI/CD pipeline with security checks, with full visibility, with great automation around all the changes that they make. So I would say that it starts with awareness, continues with procedures and processes, and which would require tooling in many cases. 

Dave Bittner: That's Gil Hoffer from Salto. 

Dave Bittner: And it is my pleasure to welcome to the show Deepen Desai. He is the chief information security officer and also VP of security research and operations at Zscaler. Deepen, great to have you here on the CyberWire. 

Deepen Desai: Thank you, Dave, for having me. 

Dave Bittner: So I want to take this opportunity to, first of all, welcome you. We're going to be talking regularly, you and I, here as part of our partners segments that we do here. But I wanted to take this opportunity to introduce you to our audience, allow you to share a little bit about yourself for folks who may not have been introduced to you. 

Deepen Desai: Great. No, I'm happy to do that. So as you mentioned, I'm the global CISO and head of security researcher at Zscaler. I've been with Zscaler for a little over eight years. My primary responsibilities involve running the global security research operations, as well as working with our product groups to ensure that our platforms and services are secure. I've been involved in the field of cybersecurity for the past 17, 18 years now. And prior to Zscaler, I was in security leadership roles at Dell SonicWall. So throughout last almost two decades, my journey in the field of cybersecurity has involved towards doing threat research, looking at how the threat landscape has evolved, but at the same time also build newer detection technologies to combat that evolving threat landscape. 

Dave Bittner: And what is your day-to-day like these days with your colleagues there at Zscaler? 

Deepen Desai: Yeah, my day-to-day operation, obviously, the primary focus is to make sure we're keeping our customers secure as well as our platform secure. So it's sort of divided between, you know, keeping an eye on things that are of interest from the coverage perspective. So we have these daily briefings. Our goal is to make sure, you know, we're on top of newer threats. And then there is also the whole SOC aspect where we're looking at what is being observed in our own infrastructure, in our own global operations in terms of threat activity, attempted attacks and how we're able to mitigate those. 

Dave Bittner: Do you have any particular areas of interest, you know, things that draw your attention? 

Deepen Desai: Yeah, I'm really interested in, you know, so as part of my role, I also get to talk to a lot of security leaders around the globe. And I'm really passionate about helping many of these organizations drive the digital transformation that we're all experiencing. And it's fundamentally driven by the whole zero-trust architecture initiative. And that's one thing that I'm really passionate about. We're helping these organizations go through that journey, improve their security posture in order to be in the best possible security posture to defend against ransomware threats, supply chain attacks, things that we're seeing today as part of our daily tracking activity. 

Dave Bittner: Where do you suppose we stand today when it comes to the adoption of zero trust? Where are we on that journey? 

Deepen Desai: It's still ongoing. I would say we are in much better situation than pre-pandemic. Pandemic did have a role to play. If you look at the whole journey, the whole digital transformation journey, I see three major areas. One is application transformation, where the apps are moving from your internal networks to public cloud. And that's the app transformation piece. There is a network transformation piece, where the old way of doing things was hub and spoke. Now everyone wants direct path to the internet. And so that's the network transformation piece because your apps are living on the internet, and these are - there are SAS applications, the first piece I mentioned. And the third piece is the security transformation, where again, the goal is you don't want to use the old castle and - technology where you're bringing in traffic at a central point, a choke point to perform security inspection. Instead, you need that zero-trust architecture where all your user traffic is subjected to consistent security policy. So if you combine all of those three things, that's basically the digital transformation that needs to happen for majority of the organisations if they want to safeguard against the modern attacks that we see. 

Dave Bittner: All right. Well, welcome to the CyberWire, Deepen. And always a pleasure to speak with you. Deepen Desai, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.