Waiting for hackers; contact tracing; businesses hanging on.

News for the cybersecurity community during the COVID-19 emergency: Monday, April 20th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

Update on Czech warnings of imminent cyberattack.

Prague Airport authorities said Saturday that they had successfully stopped several attempted attacks on their networks. The airport told Reuters, “Attempted attacks on web pages of the airport were detected in preparatory phases. That prevented their spreading and all further phases that could have followed and potentially harm the company.” Prague Airport, like most others, is operating a drastically reduced flight schedule, so the consequences of any intermediate disruption would have been low in any case.

The attempt against the airport's networks is being mentioned, by POLITICO and others, in conjunction with last Thursday's warning by the Czech Republic's NÚKIB cybersecurity agency that sophisticated but unspecified actors were preparing a campaign against medical facilities, probably with a view to impeding delivery of healthcare during the COVID-19 emergency, but any relationship to that potential campaign is unclear. Karlovy Vary's regional medical center did report Saturday that it had parried an attempted cyberattack, and several other hospitals are said to have also undergone unsuccessful hacking attempts on Friday. Again, it's unclear whether these are part of the predicted campaign or whether they represent something closer to the ordinary background noise, brought to prominence by a heightened state of alert.

The signs of an impending cyberattack that could degrade healthcare delivery during the pandemic are in general being taken seriously. The US State Department offered a strongly worded expression of support to the Czech Republic, and Czech Foreign Minister Petříček tweeted his appreciation of this and other allied statements. He's also looking forward to finding out who's behind the incipient attacks. There does appear to be some sort of campaign in the offing, and Czech authorities think it's advanced at least to the battlespace preparation phase.

While this particular threat may not yet have fully materialized, hospitals continue, as the Washington Post reports, to be favored targets of hackers. The more essential the service, the higher the value of the data, especially with respect to those data's integrity and availability.

The Pan-European Privacy-Preserving Proximity Tracer.

Or PEPP-PT for short. It's a Bluetooth-based proximity tracking system whose development the European Commission is pushing. Some national authorities, notably those in Italy, are on the verge of deploying early versions. But the New Statesman reports that the project has drawn strong criticism from privacy advocates for both its centralized architecture and what critics allege is a lack of transparency in the system's development and intended capabilities. Many privacy hawks see PEPP-PT as presenting an almost irresistible temptation to security services who would wish to turn it to other uses. At issue, as the Register puts it, are questions about where the data should reside.

Some of the strongest criticism has come from those working on a rival system, DP3T, which takes a decentralized approach, and which claims to be more privacy friendly than PEPP-PT. Decentralized approaches have themselves drawn criticism—the system under development in the US by Apple and Google is decentralized, and it's attracted its fair share of suspicion and scrutiny. An essay in WIRED argues that the Silicon Valley approach is likely to be effective, and that it could be implemented with due safeguards for privacy and civil liberties. An opinion piece in Foreign Affairs maintains that Taiwan, Singapore, and South Korea have all successfully contained COVID-19 with the aid of such technical tools, and that their policies, suitably modified to provide more effective protections against potential abuse, could be adopted elsewhere.

Other approaches to proximity tracing.

Governments' motivation to deploy contact tracing is clear enough. It's seen as an indispensable emergency public health measure, as the Washington Post observes, and contact tracing has long been used to help contain epidemics.

Australia is in the process of implementing a version of Singapore's TraceTogether system. ZDNet reports that the government has sought to reassure citizens by insisting that the app tracks only proximity, and offers no particular insight into what you might be doing in proximity to someone else. Buying drugs? Buying a newspaper? Chatting about the weather? TraceTogether doesn't care: it's all about how close you come to a potential source of infection. Government Services Minister Stuart Robert (and the drug dealer example is the Minister's) explains it this way: downloading the app will be good for Australia. The sooner it's done, the sooner everyone can "get back to the footy [that is, football] and get back to the beach." It's just the automation of contact tracing that's now done by hand:

"It's not about surveillance, it's not about tracking, there's no geolocation. All we're doing is digitising a current manual process. Could you imagine having to try and get hold of CCTV footage off Woolies to try and work out who the 90-year old lady behind you is? Within minutes, state health has got the information they need to rapidly call other Australians. And think about if you were in the line behind someone else, who'd been tested positive, you'd want state health to call you quickly as well?"

Some of the systems under consideration elsewhere, notably those being mulled by Apple and Google, would depend upon voluntary opt-in. (WIRED has an overview of how some aspects of the tech under development in Silicon Valley, in particular the social distancing maps, are expected to work.) For such a system to work, a study published recently in Science suggests that about 60% of the population would have to volunteer. As CNET points out, that level of voluntary participation may be difficult to achieve.

Some of the apps under consideration by governments have already stumbled with respect to privacy. One of seven apps the Netherlands' government is evaluating for possible use, COVID19 Alert, has already leaked, a bit, RTL Nieuws reports. The application's source code was posted for evaluation and was found to contain user data that originated in another application. Those included full names, email addresses, and hashed passwords for about two hundred users. ZDNet quotes industry sources who call the incident "amateurish." Ilia Kolochenko, Founder & CEO of ImmuniWeb, is more tolerant, albeit in a world-weary sort of way. As data breaches go, this one, he pointed out in emailed comments, is pretty small.

"This is a regrettable human mistake and a visible lack of internal security controls that is, however, pardonable amid unprecedented uncertainty, urgency and lack of resources amid the COVID-19 crisis. The number of PII records accidentally exposed is a drop in the ocean compared to most of recent data breaches and security incidents. This story serves as a good reminder that even during a crisis, well-thought-out security planning, and consistent and holistically enforced security procedures are essential."
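The COVID19 Alert incident is the kind of failure a routine pre-publication check catches: before a source tree is posted for review, scan it for residual personal data (email addresses, password hashes) and refuse to publish until every hit has been reviewed. The script below is an added example written for this article; it is not the COVID19 Alert app's code or RTL Nieuws's analysis, and the file contents, names and hashes in SAMPLE_FILES are constructed. Hits are printed redacted so the scan itself does not spread the data.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Patterns for the data classes the Dutch app leaked: email addresses and password hashes.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Modular-crypt-format hashes: bcrypt ($2a/$2b/$2y), SHA-crypt ($5/$6), argon2, PBKDF2.
MCF_HASH_RE = re.compile(r"\$(?:2[abxy]|5|6|argon2id?|pbkdf2-sha256)\$[^\s'\",;)]+")
# Bare hex digests of MD5 / SHA-1 / SHA-256 length. These also match commit ids and
# checksums, so hits of this kind need human triage rather than automatic rejection.
HEX_DIGEST_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
)
PATTERNS = (("email", EMAIL_RE), ("mcf_hash", MCF_HASH_RE), ("hex_digest", HEX_DIGEST_RE))


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str

    def redacted(self) -> str:
        # Never echo the full value into CI logs; the first three characters are enough to triage.
        return f"{self.path}:{self.line_no} {self.kind} {self.value[:3]}...({len(self.value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every pattern hit in one file, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, match.group()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (what a pre-commit or CI hook would feed in)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


def release_is_clean(files: dict[str, str], allowlist: frozenset = frozenset()) -> bool:
    """Publication gate: True only when every hit is an explicitly reviewed, allowlisted value."""
    return all(f.value in allowlist for f in scan_files(files))


# Constructed sample tree (hypothetical paths and values, not from the real app).
SAMPLE_FILES = {
    "db/seed_users.sql": (
        "INSERT INTO users (name, email, password_hash) VALUES\n"
        "('Jan Jansen', 'jan.jansen@example.org', "
        "'$2b$12$C6UzMDM.H6dfI/f/IKcEeOq1nKaFq9b0Gd9YzQwEwTzD7XnHtU1J6'),\n"
        "('Piet de Vries', 'p.devries@example.net', '5f4dcc3b5aa765d61d8327deb882cf99');\n"
    ),
    "CHANGELOG.md": (
        "- build from commit 3b1d2f4a5c6e7d8f9a0b1c2d3e4f5a6b7c8d9e0f\n"
        "- contact: security@example.org\n"
    ),
    "src/main.py": "API_URL = 'https://api.example.org/v1'\nHASH_ALGO = 'sha256'\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for hit in hits:
        print(hit.redacted())
    print("summary:", summarize(hits))
    print("clean to publish:", release_is_clean(SAMPLE_FILES))
```

The seed file fails the gate on both data classes; the changelog produces two expected false positives (a commit id and a public contact address) that a reviewer records in the allowlist once, after which the gate passes for that file without anyone having to re-inspect it on every run.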

Emergency relief funds fall to fraud artists.

The German Land (roughly equivalent to a US state or a Canadian province) of Nordrhein-Westfalen has lost somewhere between €31.5 million ($34.25 million) and €100 million ($109 million) in misdirected emergency relief payments, ZDNet reports. As the Land's Ministry for Economy, Innovation, Digitization, and Energy prepared to distribute coronavirus relief checks last month, criminals were already "in the starting blocks," as Handelsblatt puts it, ready with a convincingly spoofed version of the Ministry's genuine relief application portal. They used this to harvest enough personal details of people who were struggling economically because of the pandemic to enable them to apply for relief on their behalf. Data were harvested for somewhere between 3500 and 4000 potential applicants, and relief payments were routed to the thieves' bank accounts. Nordrhein-Westfalen has halted payments until it can sort the mess out.

Handelsblatt thinks the extent of the fraud may be greater than what's so far been discovered. The Ministry says that it's processed more than 380,000 applications for aid, over 360,000 of which had been approved by last Wednesday. Small business relief has been the focus of the program. The amounts involved aren't trivial: companies with up to five employees can apply for €9,000, those with up to ten employees can request €15,000, and businesses with up to fifty employees can apply for €25,000.

The press has been raking the government of Nordrhein-Westfalen over the coals for its failure to put anything approaching an adequate identification program in place. The Land offered a kind of defense that should give other government agencies pause during a widespread emergency: the very urgency of delivering relief moved the Land to opt for a seamless, online process that accepted some risk in order to deliver aid quickly.

Other Länder (but not all of them) have been quick to point out that they're much better prepared than their colleagues in Düsseldorf. Tagesschau summarizes their comments. Some are more reassuring than others. Rheinland-Pfalz has taken unspecified steps to "keep fraud and abuse low." Mecklenburg-Vorpommern has gone old-school for security—they're only processing applications received by snail mail. Bremen, Hessen, and Thüringen all say they've been verifying applicants' identity even at the expense of some delay in processing payments. Hamburg says it's seen no signs of fraud, but their reassurance ("we use a different system from Nordrhein-Westfalen") seems thin. Berlin also seems to be whistling in the dark: they put their application site up so quickly, they say, that the criminals didn't have enough time to spoof it. Haste is not normally reckoned to be a good background against which to build a secure system. Schleswig-Holstein's Finance Minister drew the lesson "that we have to take a close look even in these difficult times when everything is happening quickly," with which one must agree (and hope that Kiel is indeed taking that close look).

A criminal investigation is in progress. The inquiry is still in its early stages, but signs point to a gang operating cross-border from, or at least through, Slovakia. The authorities in Nordrhein-Westfalen say that whoever was behind the fraud was a sophisticated operator well-acquainted with the dark web, but this seems to carry an element of self-exculpation. The scam looks like the sort of thing that happens every year with, for example, fraudulent income tax returns. It appears likely that, if it weren't for the extraordinary pressures of the emergency, Düsseldorf would have taken more protective measures and seen the fraud coming.

Germany is far from alone in seeing its relief efforts targeted by cybercriminals. The Jerusalem Post says that, according to researchers at Check Point, it's a global problem: government emergency aid programs inevitably draw fraud attempts. Many of those attempts can be expected to follow the same pattern: phishing, with victims directed to a spoofed site where their information is harvested to enable the scammers to file false claims and redirect public funds into the criminals' accounts.

Arranging business survival during the state of emergency. 

Public relief funds are available not only in Germany, but in most other countries as well. The UK's treasury has announced a £1.25 billion rescue program for startups under which the Government will offer businesses convertible loans of up to £250 million, the Telegraph reports. Another piece in the Telegraph writes that the move to deliver aid to startups gained urgency from a March 18th letter to VCs from industry groups. The letter warned that "thousands" of early-stage firms were in danger of collapse.

Various forms of private relief are also on offer, in addition to the public aid programs established in many countries. There have been many reports of services being offered for free or at sharply reduced rates. Some of these are surely loss-leaders and marketing moves, but they may be no less welcome for that.

Other forms of private-sector relief have a more complex record, as one would expect. Bloomberg says that Big Tech, or at least the cloud services part of Big Tech, has shown a mixed willingness to help startups and other small business customers by restructuring payment schedules during the pandemic emergency. Microsoft and Google have been giving some customers more time to pay their bills, and Amazon is advising customers on other ways of reducing the cost of its services, but some small businesses believe their requests that the big vendors work with them have been coldly received.

The Wall Street Journal sees the pandemic as a quick yank into corporate adulthood for startups accustomed to good economic times and relatively plentiful venture capital. It's difficult to accurately quantify much of the pain, but the Journal quotes one such attempt: "About 250 U.S. startups laid off a total of nearly 25,000 workers, according to layoffs.fyi, a website that has sprung up to track the carnage but can’t capture all of them." Some founders of startups have concluded that the ready availability of venture capital enabled them to stay private longer, and that scrutiny by VCs tended to be less rigorous than the scrutiny of equities markets, which led too many startups to assume that problems could be addressed by throwing venture capital at them.

As for venture capital itself, Crunchbase's look at the first quarter of 2020 shows a slowdown in funding correlated with the generally depressive effects of COVID-19. The market has certainly not collapsed, and VCs continue to close rounds, but there are signs of a downward trend. For all that, US VCs are investing in publicly traded companies at rates not seen since 2008, providing infusions of cash into hard-pressed firms. The Wall Street Journal writes that private investments in public equity (PIPEs) had by April 13th totaled $4.3 billion for the year to date.

And startups are also finding that they may have to think of themselves as small businesses, at least if they've looked to the US Commerce Department's Small Business Administration for emergency help in making payroll. Congress passed the $2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act on March 27, and it included $349 billion in loans for small businesses. Called the "Paycheck Protection Program," it's administered by the Small Business Administration, with commercial banks processing the loans. The Small Business Administration will forgive the loans if they're used to keep all employees paid for eight weeks.

Some small but well-known tech enterprises have been forced to shed staff. The Tor Project has found it necessary to lay off thirteen of its thirty-five staffers.

The Silicon Valley Business Journal observes that tech startups have been ambivalent about seeking help from that quarter, and Fast Company thinks it's seen signs that many tech startups are morally conflicted about taking money that's really meant for coffee houses, laundries, barbershops, bakeries, auto repair shops, and the like, "lifestyle businesses" that aren't, and don't aspire to be, investment-worthy. That may well be true in some cases, but there were also concerns (unfounded, Forbes says, and based on a misinterpretation of the relevant law) that VC-backed startups would have to "affiliate" with their sister portfolio companies, and that this would render them ineligible for emergency loans. This isn't the case, and startups generally are eligible for aid.

From the other side, CNBC reports that some in Washington worried that bailing out venture-backed startups in Santa Clara County would be a bad look at a time when Main Street was struggling to keep its jobs. In any case, the dilemma is at least temporarily overcome by events. The Small Business Administration opened for applications on April 3rd, and by April 16th, last Thursday morning, the Paycheck Protection Program had already loaned all $349 billion it was allocated under the CARES Act. Congress is thought likely to appropriate more, according to the Washington Business Journal, but for now at least the coffers are empty.

Governments below the national level are offering aid to distressed small business. The German Länder are offering assistance, as we saw above. So are US states. And some local governments are doing the same: Arlington, Virginia, for example, is putting together an assistance program, as the Washington Business Journal reports.

CISA updates critical infrastructure workforce guidance.

On Friday the US Cybersecurity and Infrastructure Security Agency (CISA) released version 3.0 of its Guidance on the Essential Critical Infrastructure Workforce. An email from the agency summarized the changes:

"Several updates were made to the Healthcare/Public Health category, clarifying worker categories related to health care, public and environmental health, emergency medical services, and aligning related job functions. In all worker categories, references to 'employees' or 'contractors' were changed to 'workers.' Other additions include:

  • "Updated language focused on sustained access and freedom of movement;
  • "A reference to the Centers for Disease Control (CDC) guidance on safety for critical infrastructure workers;
  • "Language noting the essential role of workers focused on information technology and operational technology;
  • "Clearer guidance that sick workers should avoid the job site;
  • "A reference to the U.S. Coast Guard (USCG) Marine Safety Information Bulletin on essential maritime workers;
  • "Clarified language to include vehicle manufactures; judges and lawyers supporting the judicial system; agricultural jobs; transportation-specific education."

UK's Ministry of Defence relaxes cybersecurity certification standards.

Britain's Ministry of Defence has advised contractors that, "Due to travel restrictions resulting from the COVID-19 (Coronavirus), organisations seeking to renew or obtain Cyber Essentials Plus (CE+) certification may be unable to do so." As an interim measure, industry should follow these procedures:

"Organisations obtaining or renewing CE+ for a future contract will need to provide a Cyber Implementation Plan. This should inform Defence that the supplier is committed to seeking CE+ but cannot do so due to travel restrictions resulting from COVID-19.

"In the meantime, the supplier should acquire (or confirm that they will by contract let) acquire the basic level of Cyber Essentials.

"Organisations obtaining or renewing CE+ for existing contracts must advise both the relevant Project Team and Commercial Team of the situation.

"This situation must be reviewed on a monthly basis. Organisations must resume efforts to acquire CE+ certification once the COVID-19 lockdown is over in a timeframe agreed with the MOD Project or Commercial Team."

The Register has some background on the Cyber Essentials program, and on the certifying organization, Malvern-based IASME.

Another economic consequence of the pandemic: at least one nation-state is trying to buy low.

Foreign Policy reports that China is showing a strong interest in buying controlling interests in Western tech companies while their market caps are depressed due to COVID-19. The holding company China Reform's attempt to take advantage of investment in British tech firm Imagination is seen as a bellwether. A Defense News op-ed decries "predatory investing," which it argues is an application of an old maxim: "loot a house while it's on fire."

Telework and its discontents.

Zoom-bombing remains a thing: the Indiana Election Commission had an online meeting disrupted Friday by saucy video of someone spending a little time with themselves. One hopes that this form of dim-witted digital vandalism (the content most often used is curiously described as "adult") will soon be thwarted by improvements to Zoom's platform and more operator familiarity with the telework tool. If you're curious about details, the Indianapolis Star has the skinny.

It seems that Zoom may have been more laggard than suspected in clearing up security problems before its explosive growth during the period of social distancing. The New York Times reports that Dropbox found numerous security and privacy problems with Zoom and pushed the telework service to fix them, but with indifferent results.

Nonetheless, telework services have become essential to the remote work that businesses are attempting as they seek to operate under the conditions governments are imposing during the pandemic emergency. This dependency has drawn criminals to telework as phishbait. Proofpoint over the weekend described ways in which cyber criminals are using various come-ons in their attempts to harvest credentials for services like Zoom and Cisco WebEx. These attempts are social engineering. They're not exploiting vulnerabilities in the platforms themselves.

Ransomware continues to flourish during the pandemic.

Several cybersecurity firms have seen a spike in ransomware attacks delivered by COVID-19 themed phishing attacks. VMware Carbon Black last week said that such attacks in March increased by 148% over February levels, and Check Point drew attention to ransomware gangs' tendency, first observed in November, to combine data encryption with data theft. Chris Rothe, co-founder and chief product officer at threat detection and response shop Red Canary commented to us via email on how ransomware has evolved. There are market forces at work in the criminal underground.

“Attackers want to get paid so they are looking for whatever possible leverage they can find. Combining the business shutdown impacts of encrypting files through ransomware with the threat of data being leaked publicly increases urgency and reduces options for the victim.

"The scheme described in this research also highlights the increase in sophistication of attacker tools. Whereas historically malware tended to be fairly single purpose and disposable, modern malware much more resembles an attacker operating system with many different services and tools for accomplishing a wide range of attacks. An analogy would be the simple operating system that is in your microwave which has a single purpose - heat your food - versus the sophisticated operating system on your laptop which plays sound, plays video, creates files, communicates with the internet. When an attacker compromises a computer with modern, modular malware they now have a slew of tools at their fingertips. They can execute a ransomware attack while at the same time traversing the network and exfiltrating data. This allows them to combine attacks and increase the likelihood of accomplishing their objectives."

Rothe sees ransomware as having evolved through these phases since it emerged seven years ago:

  • "Phase 1 - 2013 (CryptoLocker, CryptoWall, Locky, TeslaCrypt and others) - attacker tries to just ransom high value targets (e.g. get the CEO's laptop) and charge large ransoms in hopes there was unrecoverable data so the company had no choice but to pay."
  • "Phase 1a - 2016ish (SamSam, others) - attacker does the same thing as above but tries to spread to as many computers in a high-value target company to extort a larger ransom."
  • "Phase 2 - 2017 (WannaCry, NotPetya, etc.) - commoditization/scaleout of ransomware. Less targeting, attempting to get small ransoms from a huge number of individuals and companies."
  • "Phase 3 - 2018 (Emotet/Trickbot/Ryuk trifecta, Maze) - combination of tactics in 1/1a with more traditional data stealing/extortion tactics. Ransoms go up a lot because of the compound damage of business being offline with data theft."

Phase 4, whatever form that will take, is still emerging. Red Canary points out that the phases overlap: one still sees old-school Phase 1 and 2 attacks even as Phase 3 gets into full swing.

Other notes from the underground.

Cybercriminals continue to take advantage of the opportunities the vastly expanded remote work attack surface provides them, and they continue to find opportunities for fraud driven by public fear of COVID-19. But the pandemic is also affecting the black markets normally devoted to contraband (drugs, weapons, etc.). Engineering & Technology sees a growing underground market for protective masks (many of them genuine) and coronavirus test kits (mostly bogus). These are often offered by the same actors who normally traffic in contraband. Some of this is simple opportunism, but in many cases it seems to show that the dealers themselves are under some economic pressure. A lot of their clientele has cut back on its drug purchases, for one thing, and selling virus-themed stuff is one way the dealers can stay connected to their customers, holding their trade until things start looking up.