Ransomware hits US, French companies. ISPs as combat support arms. Lawful intercept gone rogue? Lazarus Group is back and in GitHub. China’s security laws and security risks.
Dave Bittner: [00:00:03] Ransomware hits companies in France and the U.S. A Finnish energy company sustains a suspicious IT incident. Turkey jammed social media as it rolls tanks against the Kurds. Pegasus spyware is said to be in use against Moroccan activists. Silent Librarian is still making noise. The Lazarus Group is back with a malign crypto-trading app. China tightens its cyber laws, and the EU privately warns itself that, yes, companies like Huawei are a security risk.
Dave Bittner: [00:00:38] And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber-Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's micro-segmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale that protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com, and we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:01:47] Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 15, 2019. In incidents that give point to recent Europol and FBI warnings about the ransomware threat, two major companies - one in the U.S. and the other in France - have sustained significant ransomware attacks. Connecticut-based shipping and postage metering company Pitney Bowes disclosed yesterday morning that it had sustained a serious ransomware attack. The company believes that customer data were not compromised and that the consequence of the attack will be confined to service disruptions. Group M6, the largest media company headquartered in the Parisian suburbs, also disclosed an attack over the weekend, and L'Express calls it ransomware. Group M6 programming continued, but some business and customer contact functions were degraded. There's no evidence so far that the attacks are connected. In neither case has the ransomware strain or a threat actor been publicly identified. Another major company, Finland's Neste Oil, that country's principal oil and gas producer and alternative energy company, sustained an incident late Friday that disrupted operations. It's unclear at this time whether Neste was the victim of a cyberattack or simply suffered an IT glitch, but the incident does look suspicious and will bear watching. Turkish authorities have interdicted social media along the Syrian border in support of an offensive against Kurdish forces, WIRED reports. Facebook, Instagram, Twitter and WhatsApp were blocked for about 48 hours. Social media have served as significant command and control channels for insurgents around the world. The Turkish attacks, conducted on the ground by conventional heavy forces, occur as the U.S. announced pullouts of troops from northern Syria. The U.S. has condemned the attacks, which Turkey maintains are legitimate self-defense against the threat of Kurdish insurgency, and has imposed a range of sanctions against Ankara. It is, of course, the tanks and infantry that drew the sanctions, not the ISPs' takedown of social media, but conventional operations in Syria can be expected to be accompanied by cyber operations. Moroccan authorities appear to be using Pegasus spyware, a tool produced by NSO Group, to monitor dissidents. Ars Technica reports that two prominent Moroccan human rights activists received SMS messages that sought to induce them to download Pegasus onto their devices. NSO Group told Ars that, as is the case with any lawful intercept product, it's possible that Pegasus can be misused and that NSO Group is investigating the incident with a view to taking appropriate action. NSO Group has been criticized for making its tools available to governments it might have foreseen would abuse them. It's undeniably true that software like Pegasus has legitimate and even lifesaving uses, but critics say that NSO Group's products seem to be particularly likely to fall into the hands of repressive or irresponsible governments. German company Greenbone Networks recently conducted research examining the exposure of medical imaging data online. The CyberWire's Carole Theriault files this story.
Carole Theriault: [00:05:31] With me today is Dirk Schrader, a cyber resilience architect at Greenbone Networks. Now, I've asked Dirk onto the show to share his recent findings from a Greenbone report. So health providers around the world store medical images - so things like X-rays and scans and the like - and a lot of them use the same protocol. This is known as DICOM, or digital imaging in communications and medicine, and this makes it easy for surgeons or consultants or diagnosticians or any medical professional to access the files. Dirk, thank you so much for making time to come on the show today. So let me guess. You led this research to see if there were any issues in how the data was stored, and you found out that everything was tiptop and there were no problems at all, I imagine.
Dirk Schrader: [00:06:14] Well, thanks for having me here today. First of all, no. It's not all in good shape. The details we found are really concerning, so we've analyzed about 2,300 systems and found that 590 of them are completely unprotected and connected to the internet, which is a major mistake in itself.
Carole Theriault: [00:06:36] There was no password or encryption or anything.
Dirk Schrader: [00:06:39] Think of it like being connected to a browser, just that the browser is specialized to view medical images.
Carole Theriault: [00:06:45] Right.
Dirk Schrader: [00:06:46] No protection at all.
Carole Theriault: [00:06:48] So this is kind of concerning for people like me because obviously, this is incredibly sensitive information. Tell me were there PII involved, as well as the images?
Dirk Schrader: [00:06:59] Yes, there were. We've seen names, date of birth, date of examination, reasons for examinations. We have had access to images related to that exam. Sometimes the patient data was sort of identified by Social Security numbers. There was lots of personally identifiable information in it, yes.
Carole Theriault: [00:07:22] Oof (ph).
Dirk Schrader: [00:07:23] We have informed ProPublica and the German TV broadcaster about our findings just because of the massive scale of the problem.
Carole Theriault: [00:07:33] Right.
Dirk Schrader: [00:07:33] Plus, it was important to have media coverage to alert people about the problem and, in the same way, to contact the authorities in the various countries to resolve the problem.
Carole Theriault: [00:07:45] So this problem is rather huge. How can you inform everyone to take a look at how their medical data is being stored and what they should do to make it safer?
Dirk Schrader: [00:07:54] Exactly, exactly. That's the point.
Carole Theriault: [00:07:57] So what I read from your report is you found something like 24 million data records that were improperly protected and stored.
Dirk Schrader: [00:08:05] Yes.
Carole Theriault: [00:08:06] And that's huge.
Dirk Schrader: [00:08:07] That includes 700 million images related to that 24 million patient records, and 400 million of them were actually accessible. Really, click on them and you see them.
Carole Theriault: [00:08:18] Wow. Now tell me who is the worst country?
Dirk Schrader: [00:08:20] The worst country? Let's say the top five are U.S., Brazil, India, Turkey and South Africa.
Carole Theriault: [00:08:27] U.S. is up in the top five?
Dirk Schrader: [00:08:29] Yes.
Carole Theriault: [00:08:29] Why do you think that is? I mean, it - always going on about how cyber resilient they are as a nation. Were you surprised by that?
Dirk Schrader: [00:08:36] Actually not because, in preparation for this research, we did another research asking critical national infrastructure providers about their approach to cyber resilience. And we found out that only one-third globally said, oh, we consider ourselves cyber resilient, and the other two-thirds are considering themselves not to be cyber resilient.
Carole Theriault: [00:08:58] I know. But, you know, there are seriously huge laws out there. There's HIPAA. There's GDPR. Do you think they've taken your alert seriously? Do you see changes being made?
Dirk Schrader: [00:09:08] We do see changes being made. We do see, on the other hand, also, countries not reacting at all, at least from what we can see. I'm not sure about the internal progressing there. For me, the most important thing here to highlight is we are so much focused on attacks that we forget to look at ourselves and our capabilities to withstand, to be resilient.
Carole Theriault: [00:09:32] You know, the scary thing that occurs to me here is if someone nefarious got their hands on this data, it would be an exquisite way to get information from a social engineering or phishing point of view.
Dirk Schrader: [00:09:42] Yeah, definitely. Whether you have a spying problem, whether we have had X-rays or CTs, MRTs for cancers, which can be inferred from the data because - a certain circumstance in your personal life and use that against you.
Carole Theriault: [00:10:00] Can I just say, I am very happy you guys invested in this research because I - and I'm sure everyone else out there - want this fixed ASAP. You've been listening to Dirk Schrader from Greenbone. Again, thank you for coming on the show.
Dirk Schrader: [00:10:15] Thank you for having me.
Carole Theriault: [00:10:16] This was Carole Theriault for the CyberWire.
Dave Bittner: [00:10:19] Proofpoint has issued another report on Silent Librarian, the Iranian threat group, also tracked as Cobalt Dickens and TA407. Silent Librarian, associated with Iran's Mabna Institute, targets universities through phishing campaigns that make heavy use of spoofed university brands and library-themed phishbait. The objective appears to be intellectual property theft. Silent Librarian phishes for its prospects with emails telling their recipients that they need to renew their library privileges, return overdue material and so on.
Dave Bittner: [00:10:54] North Korea's Lazarus Group has renewed its deployment of an Apple backdoor against cryptocurrency exchanges. MalwareHunterTeam alerted researchers to the activity Friday. It was further examined by researcher Patrick Wardle, who sees the malware as a variant of the AppleJeus operation Kaspersky described in August. In this round, the Lazarus Group is again using a front company, JT Trading, to upload malicious code to GitHub. The backdoor is embedded in code that purports to be an innocent cryptocurrency trading app. Trade if you must, speculators, but please do so with appropriate caution.
Dave Bittner: [00:11:32] Evidently feeling confident and frisky after having dunked on the NBA last week, Beijing has enacted a range of laws that give the government superuser access to devices in the country and that mandate extensive data sharing from companies who wish to do business in China. The famously privacy-sensitive Apple - known for pointing out, while looking across Silicon Valley at Google, that if you're not paying for the product, you are the product - has itself been providing data on users in China to Tencent, a Chinese conglomerate that's about as remote from the Chinese government as Huawei.
Dave Bittner: [00:12:08] Speaking of Huawei, the European Commission last week released a public report that, while not saying it in so many words, was nonetheless read as a warning about Huawei. The Wall Street Journal has now broken the story that there was a second, nonpublic warning circulated among European governments that was more direct and less ambiguous. The most striking part of the account is the reported inference that there's no easy technical fix or vetting that's likely to mitigate the risk. A source told the Journal, quote, "these vulnerabilities are not ones which can be remedied by making small technical changes but are strategic and lasting in nature."
Dave Bittner: [00:12:50] And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation, And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:14:04] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Great to have you back, Joe.
Joe Carrigan: [00:14:13] It's good to be back, Dave.
Dave Bittner: [00:14:14] Joe, we got a letter from a listener that I wanted to share because I know this is something that's near and dear to your heart. The letter goes like this. He says, hi, Dave. Here's a big-picture issue I'd like to just throw out there to you. Years ago, I thought I wanted to weld for a living. After doing it for a few years, I realized most well-paying and secure jobs required extensive travel and several years away from home and family. So I decided to go back to school and earn my associate's in cybersecurity. Now I see the cybersecurity industry making the same mistake the welding industry has made - very few companies want to hire people like me who are inexperienced but ambitious. Most jobs under an entry-level search require a bachelor's degree and at least five years of experience.
Dave Bittner: [00:14:59] My main point is this - if companies want to secure their own future, they need to begin investing now in more raw talent. It's OK for them to ask for experienced professionals. I realize some jobs truly require years of experience. But start hiring more new people and invest in them. Don't just ask for the best people because, eventually, with the way it's heading, the future's best won't be very good. You need experience to get a job but need a job to get experience. I don't mean to rant, Dave. It just makes me disappointed to see this happening to such a large and important industry. I'm not just sad for me; I'm sad for what I know the future will look like unless companies change their view of this issue. Joe, your response? Go on (laughter).
Joe Carrigan: [00:15:41] Exasperated sigh. Dave, this is an issue that is near and dear to my heart. You're 100% correct about this. And not only that, but it's something that really, really gets my dander up, let's say.
Dave Bittner: [00:15:53] All right.
Joe Carrigan: [00:15:53] All right? Entry level in cybersecurity is not five years of experience. Someone with five years of experience in cybersecurity is not even considering your entry-level position. You need to change what you're looking for. What you're looking for is smart people who can learn quickly and who work well in teams. That's what you're looking for in cybersecurity entry-level positions. You're not looking for people with CISSPs, which I have seen even recently. Nobody with a CISSP is looking at a job that pays less than six figures. You're going to have to accept that as a fact.
Dave Bittner: [00:16:31] Why do you think we see this so much? In other words, what are they - it seems to me like there's some gaming of the system or attempt to game the system going on here. Do you think they're just putting it out there, trying to find someone who's willing to be underpaid?
Joe Carrigan: [00:16:47] Yeah. I think that they're trying to - it's one of three things. It's, like you're suggesting, greed, right? They're trying to get the best person for the lowest amount of money.
Dave Bittner: [00:16:57] Right. Nothing wrong with that, I suppose. You're running a business. That's business.
Joe Carrigan: [00:16:59] Right. But let me explain something to you again - I mean, this is interesting information.
Dave Bittner: [00:17:04] Yeah.
Joe Carrigan: [00:17:05] There are 300,000 open security positions in the United States right now.
Dave Bittner: [00:17:10] OK.
Joe Carrigan: [00:17:11] And I can't remember where I got this information from, but I just researched it just a couple of days ago. I'm speaking off the top of my head.
Dave Bittner: [00:17:16] Yeah.
Joe Carrigan: [00:17:17] There are 700,000 people working in the field right now. That means that close to one-third of the jobs in this industry are not filled. And the people that are here in these positions right now are not going to fill them. All you're doing is looking for these experienced people. You're poaching from other positions.
Dave Bittner: [00:17:35] Right. You're just shuffling people around.
Joe Carrigan: [00:17:37] Shuffling people around. We need to get new people into these positions. We need to get new people, like this listener, who's taken the initiative, gone out and gotten an associate's degree in cybersecurity. This guy is an ideal candidate for an entry-level position.
Dave Bittner: [00:17:50] So why - in an industry that is, I would hazard to say, cash rich...
Joe Carrigan: [00:17:56] Right.
Dave Bittner: [00:17:56] ...Why not invest in the new talent? Why not invest in those - invest in your company? Why not?
Joe Carrigan: [00:18:05] Right. So greed is the first one. I think ignorance is the second reason this happens.
Dave Bittner: [00:18:10] All right.
Joe Carrigan: [00:18:10] People just don't make the effort to understand what is an entry-level position in cybersecurity. They think, oh, an entry-level position at working in the loading dock is five years of experience; therefore, an entry-level position working in cybersecurity is five years of experience. No. No, that's not the case. You're dealing with two completely different sets of skills.
Dave Bittner: [00:18:28] OK.
Joe Carrigan: [00:18:29] Right? And the other one, I think, is fear. People are afraid to hire new people. You're going to have to get over that fear and hire new people. Hire new people, and help grow their skills, and understand that part of your team is going to have to consist of absolute newbies in this field, and that they're going to have to be part of your team of security people. Companies are just going to have to make the investment in new people, and that's just the way it is. And if you're really not willing to make the investment, then be prepared to have that position unfilled for a very long time.
Dave Bittner: [00:19:02] (Laughter).
Joe Carrigan: [00:19:03] Just get used to - and when your boss asks you, why don't you have that position filled? You should tell them, it's because I don't understand how to fill that position, and I'm not good at doing my job.
Dave Bittner: [00:19:13] I can tell, Joe, you're - this is something that you feel strongly about.
Joe Carrigan: [00:19:16] It is something that irritates me all the - I hear this from so many people. This is not the first time I've heard this complaint. I've gotten some certification. I've gotten an associate's degree. I'm ready to get into the field. I'm ready to start working. I'm ready to get my hands dirty, but nobody will hire me.
Dave Bittner: [00:19:32] Right.
Joe Carrigan: [00:19:32] Why won't people hire these people? We have...
Dave Bittner: [00:19:35] And yet they're out there hearing that people can't fill the positions.
Joe Carrigan: [00:19:39] Right.
Dave Bittner: [00:19:39] They're complaining and whining...
Joe Carrigan: [00:19:40] And yet we're hearing there's 300,000 open positions in this country alone.
Dave Bittner: [00:19:43] Right, right.
Joe Carrigan: [00:19:43] Globally, 1.8 million. And we can't fill the positions. Because you're not willing to hire the right people - that's why.
Dave Bittner: [00:19:50] Take a chance.
Joe Carrigan: [00:19:50] Yep, take a chance.
Dave Bittner: [00:19:51] Roll the dice.
Joe Carrigan: [00:19:52] Yep.
Dave Bittner: [00:19:52] (Laughter) All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:55] It's my pleasure, Dave.
Dave Bittner: [00:20:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.