ISMG Editors: FBI Claws Back Crypto Ransoms to North Koreans
Also: Rise in Maui Ransomware Targeting Healthcare; Navigating Zero Trust Debate
Mathew J. Schwartz (euroinfosec) • July 22, 2022
In the latest weekly update, three editors at Information Security Media Group discuss important cybersecurity issues, including the sharp rise in Maui ransomware attacks, the FBI seizing cryptocurrency ransom payments worth $500,000 from North Korean attackers and advice for CISOs navigating the zero trust debate.
The editors - Cal Harrison, editorial director; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- The sharp rise in attacks attributed to North Korean affiliates wielding Maui ransomware, especially targeting the healthcare sector;
- Efforts by law enforcement to track and claw back cryptocurrency paid as ransoms to ransomware-wielding attackers;
- Navigating the great zero trust debate: how the "never trust, always verify" methodology has become a buzzword of epic proportions but nevertheless holds immense potential.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 8 edition discussing the status of the software bill of materials or SBOM and the July 15 edition analyzing whether a recent attack on a steelmaker in Iran indicates a sudden increase in the danger posed by online attacks to industrial environments.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. And welcome to our latest ISMG Editors' Panel, where I'm joined by other ISMG editors to discuss the hot cybersecurity news of the day. And this week, it's my pleasure to welcome Marianne Kolbasuk McGee, the executive editor who's in charge of ISMG's healthcare coverage, and also for his debut at Editors’ Panel, Cal Harrison, our editorial director. Cal, Marianne, great to have you here today.
Marianne McGee: Thanks, Matt.
Cal Harrison: Thanks, Matt. Good to see you.
Schwartz: So, where are we hailing from? Marianne?
McGee: I'm in the Boston Common on a trip into Boston a couple of weekends ago with my husband, haven't been in the city there for a while, but it was nice weather.
Schwartz: What to do about something in Boston?
McGee: We didn't see that. But yeah, you never know what you're going to catch. We can take these photos.
Schwartz: The urban density. So, it's throwing stuff up for you? I suspect a slight opposite on the urban density front as we go to you, Cal. Where are you hailing from here?
Harrison: Totally different from Boston. I am at downtown Ridgeway South Carolina population 300. And behind me is the world's smallest police station. That's one of our best-known attractions. It used to be a well house for the horses back in the 1890s, and it was remodeled during the Great Depression using federal money to create a one-room police station. And this is where they would lock up the drunks on Saturday night, so that they could haul them to the county jail in the morning and there was one police officer who would monitor things on Main Street and stay warm by the cookstove inside amid the cold weather. I thought this was appropriate because this speaks to a simpler time and law enforcement. Things are a lot more complex these days, not only for the frontline police officers, but all of the people in cybersecurity investigation.
Schwartz: Things are a lot more complex, crazy cybercrime cross borders, which we're going to get into in a moment. I am at a beach in Scotland. It's been warm here in the UK. I know it doesn't look like a beach. But this made a nice backdrop, some grass at the edge of the North Sea by the dunes. But to your point, Cal, federal money, policing, how fast it seems things have changed. That brings me to the first story I'd like to discuss today, which is: Marianne, I know you've been covering the feds, having seized about $500,000 worth of cryptocurrency, earned by attackers wielding Maui ransomware, who have been hitting or had hit healthcare organizations and other businesses. What's the latest?
McGee: As you said, that's absolutely so. During a speech at Fordham University this week, the Justice Department's Deputy Attorney General Lisa Monaco disclosed that the DOJ recently seized a half million dollars in payments that were made to North-Korean-government-backed hackers involved in Maui ransomware attacks on at least two US healthcare entities as well as several other organizations. Monaco said that the attack victims included a Kansas medical center and a Colorado healthcare provider, neither of which she identified by name. But a couple of weeks ago, the FBI, US Treasury Department and CISA issued a joint advisory to the healthcare sector about Maui threats. And Maui ransomware gets its name from the name of the executable file used to maliciously encrypt victims' files. The DOJ says that in the May 2021 attack on the Kansas medical center, North Korean cyber actors encrypted the hospital's servers used to store patient data and also to operate critical equipment. The attackers left a note demanding a ransom and they threatened to double that ransom within 48 hours, Monaco said. The hospital's leadership made the difficult choice, as many hospital leadership teams do these days, to pay about $100,000 in Bitcoin to the attackers, because without access to the patient data, the medical center's doctors and nurses would have been severely hampered in providing critical care, the DOJ notes. But the hospital also notified the FBI, which then worked with federal prosecutors to investigate the attack. And that's when they discovered that the incident involved Maui — the ransomware variant that they had not seen until then. Investigators traced the ransomware payments that were made by Kansas through the blockchain, and then the FBI identified China-based money launderers, which they say regularly assist North Korean hackers to cash out ransom payments into fiat currency.
Meanwhile, a recent study by security firm Sophos found that healthcare is the sector most likely to pay a ransom. The average ransom paid by healthcare victims was $197,000, according to Sophos, and that was the lowest among all the sectors examined. Healthcare sector entities are often willing to pay attackers in hopes that their IT systems and data won't be inaccessible for long, given that clinicians heavily rely on the data and systems for patient care. But as we've seen in other industries, many hospitals are getting better in terms of having backups ready to go in case of a ransomware incident. So, cybercriminals are now shifting heavily to attacks that also involve data exfiltration, demanding ransoms in exchange for not publicly releasing stolen information. And I'm sure this is something you've seen all the time too, Matt, with your reporting in other industries.
Schwartz: Here in the UK, we had an alert from the lead cybersecurity agency and the government, and also from the privacy watchdog saying, if you pay because attackers have promised to not leak stolen data in return for a ransom payment, we're not going to look upon you any more favorably, if you weren't doing what you should have been doing. So, you might pay to try to clean up the mess, we don't care if you screwed something up. It's the message there. But so many interesting points from this, the fact that it is still a business decision, whether or not you want to pay or not pay, as long as you're not paying a sanctioned entity. I don't know if we might soon see Maui added to the sanctions entities list because it does trace to North Korea. Fascinating though, that the North Koreans have been getting into ransomware. It seems they'll do anything that generates a profit. But for a long time, the thinking was the profits weren't good enough. But it seems, more recently, with the alerts that we've been seeing from CISA and others that the North Koreans are getting into ransomware.
McGee: It seems that way. The Chinese, Russians and Iranians have also been threats to healthcare. But the Maui alert that was issued a few weeks ago is one of the first ones, at least in recent times, that had to do with North Korean hackers.
Schwartz: Another big takeaway for me here too is the hospital told the FBI it had paid the ransom. And we saw that also with Colonial Pipeline in May 2021. This is something authorities have been urging victims to do: if they do choose to pay, let the FBI know, and preferably as quickly as possible, because, as you noted in the example that you sketched out, they were able to trace this on the blockchain. Everyone thinks it's anonymous, but it's a public ledger. And sometimes they can put the pieces together, follow it to the money launderers and sometimes get the money back or get better intelligence on these activities. So, the next victim can get the money back, shut down these wallets. So, there's a huge case there, for even when the victims do pay, making sure they alert law enforcement so that law enforcement can potentially help them still.
McGee: Matt, I think the feds are pushing for that transparency, whether you pay or you don't pay, which was a breach reporting rule, with critical infrastructure entities being required to report if they did pay a ransom to federal authorities within X number of hours. And if they got hit but didn't pay, they still have to report it within another short amount of time. So, the feds want this information, regardless of whether you've paid or not, I think it helps them to try to trace down where these attacks are coming from.
Schwartz: And triangulate what's happening. There's a March law that got passed in the States. But a lot of the detail about who's critical infrastructure, who has to notify authorities, is still getting worked out, hopefully, they'll get to the point where at least people are required to say, if they've paid, possibly privately to the government, possibly that information will be made public, but it would help the FBI chase some of these groups.
Harrison: And something Marianne had pointed out to me yesterday is that these hospitals are under a huge potential liability for patients that could be affected and die as a result of ransomware.
McGee: That's one of the theories that you have these systems down and patients are not getting the care that they need. It does affect the medical devices, some of them are life supporting. There's been at least one lawsuit so far, a malpractice lawsuit tied to a ransomware attack at an Alabama hospital a few years ago, where a baby eventually died of complications because the baby was born during this ransomware attack. So, there's a lot of research going into this too about the impact of ransomware attacks on patient care, even in the longer term, the impact on patients that might have been at a hospital that had some disruption during the time that they were there, how do they fare once they leave the hospital? Do they survive? Do they have other illnesses or other problems? So, that's something that's really being looked at carefully.
Schwartz: Not just the initial attack disrupting things, but the knock-on effects, these hacks disrupting things to disrupt patient care, with attackers preferring healthcare because healthcare can hardly afford to suffer or experience downtime. This is an astute move by criminals at the expense of the rest of us. Everything ransomware seems to be at the expense of the rest of us.
Schwartz: Same old. Ransomware is always a hot topic. Lots going on here. Lots of criminal innovation. Thank you, Marianne, for that update. Another hot topic, and I saw this at the RSA Conference last month in San Francisco, is zero trust. And Cal, I know that you've been putting together a special report into zero trust. What do you think? High degree of buzz these days?
Harrison: Yes, it is. It is buzzword compliant, with almost all of the vendors at RSA — and if you go out on Google and type in zero trust solutions, you'll get pages and pages, 60 plus vendors are offering zero trust solutions today. And the thing that's amazing is a couple of years ago, most people were saying zero trust? It's a buzzword, is it real? Are people going to invest the amount of money that it's going to take. And, the big change happened about a year ago when President Biden passed the executive order, requiring the federal government to adopt a zero trust architecture. And there's been a bit of movement since then, and at RSA, almost everybody in the booth area had their own zero trust solutions. I think we did 150 interviews, a good chunk of those people were talking about zero trust in those interviews.
Schwartz: No, it was a huge topic. And we talked to John Kindervag, the creator and founder of the zero trust concept. And I know one of the things he was emphasizing was yes, it's been around for a while, but with COVID-19 and remote working and the rush to the cloud, the rush to digitization by so many organizations, the concept has been embraced. But then, I did note that if you ask someone what is zero trust, what does it mean to you? At a basic level, it's an approach where all users and applications need to be continuously authenticated and authorized and validated. I don't know if you would agree with that base definition, because I heard some variation on what you should or shouldn't be doing, if you were calling yourself zero trust compliant. Or maybe compliance is even the wrong word.
Harrison: And it comes down to the architecture. As Kindervag and others pointed out, it's not something you can plug and play. You can't get a zero trust solution off the shelf, plug it into your system, and expect it to give you the assurance that you just described. And I think what you were saying is exactly right: the concept is least privilege, and constantly authenticating the user, the application, and the device, and this is causing a huge disruption. So, that's why we're seeing this rush to zero trust, because it's potentially disrupting, you know, all of the traditional network and VPN vendors, who had built a whole industry around the trust model, which is: you get in the network, you're authenticated, and that means you're trusted. Zero trust deals with the reality that you may not be who you say you are, once you get into the network. That's primarily what's happening.
Schwartz: You could be on-premises, you could be in the cloud, how does that handshake or handoff or constant validation happen, there's a ton of nuance there.
Harrison: And what we're seeing on the vendor community is that for example, at RSA, the folks at Zscaler were pointing out that they have a policy decision engine, which can be accessed through a software as a service, so that you can outsource that portion of the zero trust architecture to them, but you also need to plug in identity and access management and endpoint protection and data loss prevention to make it a working model. But at the same conference, Palo Alto Networks, which is a bastion of network defense suppliers, announced their zero trust network access 2.0 and they're saying that they have a fully functioning platform with all of the components that you need in order to get to be zero trust compliant. The problem that Kindervag and folks, his associate from Forrester, Chase Cunningham, point out is that there isn't a platform per se that you can plug in and start using. You need to build the zero trust architecture from scratch. And Kindervag provided a five-step implementation model, starting with identifying, what you're trying to protect, what your attack surface is, mapping the transaction flows that will get through that attack surface to your data and applications, building the architecture itself, fine tuning that. And then, continuously monitoring the safety of your systems — users and data. So, it's not an overnight thing, something that he was saying, people need to start working on now, in order to have something that's adequate in the next three to five years, for example.
Schwartz: Unique to every environment as well, because what you have in terms of infrastructure, precisely what you want to do with it is going to vary depending on the organization itself. And I know healthcare has also been at least dipping its toes into the zero trust fervor. Have you been seeing much on this front, Marianne?
McGee: We finished our healthcare conference in New York last week. And zero trust was a little bit of a buzz there as well, especially in the context of the pandemic, and all the changes that that brought in terms of telemedicine and remote workers and temporary people being brought in to help with the surges, remote monitoring devices, medical devices. There's always a lot going on in healthcare, anyway, and the pandemic added to that pile of pressures. But with zero trust, there are some in healthcare that have been working on this for a while, and then I think others are watching to see what other organizations are doing in terms of those infrastructures and that approach. But it's something that the healthcare sector is, if they're not actively trying something, keeping their eye on.
Harrison: A couple of things of note from Chase Cunningham, who is a zero trust expert along with Kindervag: he points out that the industry so far has done a good job on identity and access management, there are some good solutions out there, and on the policy decision engine they've made some great strides. Because that's going to be important, if you think about it, to continuously authenticate users. It's not a big pain to be able to access your applications and data, because you don't want to implement something that's going to slow everybody down and cause a roadblock. One thing that he mentioned, which I think is noteworthy, is that the other piece is on the data security side: you need to make sure that you have a solution that's going to protect against indiscriminate access to data, that it needs to be tied to a policy, and the current data loss protection tools that we've been using for years are not up to snuff; you're going to have to be looking at a new solution for that. The other footnote from Chase, which I thought was interesting, was he points out that he personally could build a zero trust solution today using open-source software. And he said that it's not for the faint of heart, though; you obviously would have to have a lot of skills and special coding, and you'd be responsible for keeping the integration up and making sure that your open-source software can't be hacked. But I thought it was an interesting point: you could build zero trust today, and it wouldn't cost you a penny and you wouldn't have to go through a software vendor. But these many software vendors will give you a different point of view. And there is some value to the fact that they're continuously updating their products and making sure that they're viable.
Other big players in this field would be the systems integrators, the folks who will make sure that there's operability and integration between these various software tools, assuming they use multiple vendors, and then also on the horizon are the managed services providers, because this is a big headache. This is talking about re-architecting your entire enterprise security environment. So, at some point, especially for a large global organization, it may be too complex. And you might say, "I'm going to hand this off to let it be somebody else's headache." A lot of opportunities are being created by this.
Schwartz: A lot of opportunities for systems integrators or software developers, for consultants to help people get over the finish line, or with these projects, you keep getting over the finish line adding capabilities. Fascinating stuff. Big buzzword. Interested to see if it will be the buzzword at RSA 2023. Everybody, stay tuned. So, Cal, thanks for that overview of the latest on zero trust. And so, as the Editors' Panel draws to a close, my final bonus question — we'd like to do something to just shake things out at the end here — would be to ask each of you, is there a quirky, I know zero trust can be quirky, I know ransomware can be quirky, but is there an especially quirky story on the cybersecurity front that either of you have been tracking recently?
McGee: Sure, if you want to pick up on that ransomware theme, I would say the ongoing investigation, which is also being done on the side here by our colleague, Jeremy Kirk - shout out to Jeremy on his Ransomware Files podcast. He's been digging into the infamous Dr. Zagala, Venezuelan cardiologist, who has been charged by US prosecutors of creating and selling ransomware that's been used in many attacks on organizations across the world. So, a doctor doing this, it's astounding to me, but it's an interesting story.
Schwartz: Extra unusual. Yeah, with the allegedly evil Dr. Ransomware. What about you, Cal?
Harrison: I've been tracking the Honda key fob hack, which went public several weeks ago. A fairly unknown researcher, Kevin2600, finally published a report saying that he was able to use off-the-shelf hardware in order to capture the code going from the key fob to a number of Honda models, several different models from 2012 all the way up to 2022. He was able to demonstrate how he could hack into the system and unlock the doors and start the car. If you think about it, it is the thing of movies, where the evil corporation will hack into somebody's car, and grab control of the steering wheel and drive off.
Schwartz: You see that the robber dressed all in black with a little black box, and they press the button and the car goes tik tik.
Harrison: But what's neat about it, because this has been shown to happen in the past, is this is the first big one that's come up, I'd say, in more modern vehicles. But the thing that's quirky about this is that the researcher contacted Honda, tried to report the vulnerability, and they referred him to the customer service line, like to report a problem with a seatbelt or something like that.
Schwartz: Marianne could give you an hour's long dissertation on that, probably.
Harrison: He couldn't get through to anybody to report the vulnerability. So, he finally goes live with it. And they called Honda, and Honda says this is completely unsubstantiated, the test was not performed correctly, this couldn't happen. And then, in the meantime, several other people took the same methodology and hacked into their own Honda and published it online. So, Honda came out last week and said, yes, it is a vulnerability. They have a rolling code system in their key fob that is supposed to prevent this, but they were not able to prevent it. And there is a CVE on this, but the other interesting thing is that there's no fix, there's no patch for it. So, I'm not sure what Honda's going to do. They finally did come clean.
Schwartz: Maybe get away with some lawsuits, if history is any guide. Thank you, Cal. Sounds like unwelcome news for Honda. No doubt we'll be tracking that story as they attempt to get their act together with it. Quirky story for me quickly. There is an arrest recently in Thailand and as documented by the Bangkok Post, there was a gentleman who has apparently confessed he was stealing phones from the Banana IT shops. And he's been called a Robin Hood man in underpants because he would apparently only wear his underwear when he broke into shops, because it made him feel normal is what he said. But the wrinkle here is he would steal these phones and give them to the poor. And the police have been trying to track him for years. But because he wasn't functioning as a reseller, or a chokepoint, he was giving these phones away. They couldn't figure it out. But eventually, they got some CCTV and they tracked it back and he said the reason he targeted Banana IT shops was because he liked bananas and the color yellow. So, there's a quirky cybercrime story to help seal off what's been an in-depth, occasionally quirky, and always entertaining series of vignettes from the both of you. So, thank you very much, Marianne and Cal, for your insights this week on our Editors' Panel.
McGee: My pleasure.
Harrison: You're welcome. Good to talk to you, Matt.
Schwartz: Thank you for joining us. I'm Mathew Schwartz with ISMG. We'll catch you next time.