With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— The president of RSA said in an interview that everyone needs to consider future cyber risks brought on by Covid-19.
— An industry group said the U.S. needs to invest in IT to prep for the next pandemic, too.
— A state-sponsored cyber weapon has been adapted to attack U.S. universities, researchers said in a report out this morning.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Good to see that Big Poppa isn’t always sad. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
WHAT COMES AFTER? — The world needs to start preparing now for the cyber risks of a post-coronavirus world, RSA President Rohit Ghai told MC in an interview Thursday. “If during the pandemic we’ve allowed a lot of our workers to access data from their home environments, is that going to be the new normal going forward?” he said to your host. “As such, how should our data governance need to evolve? There’s going to be a lot of that kind of activity.”
Telehealth is another frontier, Ghai said. “We have regulations in place today that are too tied to the existing way that workers provide health care,” he said. “We need more flexible models in terms of how health care is going to be provided in the future.” One example of that needed flexibility in action, according to Ghai: Department of Health and Human Services leniency on enforcing health privacy rules for those seeking in good faith to provide telehealth.
PREPPING FOR THE NEXT PANDEMIC — The U.S. must make serious investments in IT modernization if it hopes to improve how it battles future pandemics, a major trade group said Thursday. Old technologies and systems “are complicating the complex response effort” to the coronavirus pandemic, Jon Pawlow, ITI’s senior director for government affairs, wrote in a blog post. “The resulting inefficiencies, limited adaptability, and comparatively poor resiliency have all had a profound and constraining effect on government’s ability to provide services to the public at a time when they are most needed.”
Future Covid-19 relief bills should include funding for all levels of government to invest in areas like secure cloud computing, IT infrastructure to bolster telework and increased digital services to users, according to Pawlow. He noted the Technology Modernization Fund “has shown considerable promise at helping to support IT modernization” and “targeted appropriations to individual agencies’ technology infrastructure, a renewed emphasis on IT innovation, security, and investment for the future will help to more rapidly equip the federal government to meet the challenges of today and tomorrow.”
LEAVE THOSE KIDS ALONE — A remote access Trojan usually associated with Chinese government-backed hackers, Hupigon, is being used against U.S. university faculty and students in a mid-size email campaign, Proofpoint said today. The campaign sent out 150,000 messages, nearly half of which targeted the education sector. “This latest campaign shows how tools developed by nation state threat actors can sometimes overlap with those used by commodity crimeware actors,” said Sherrod DeGrippo, senior director of threat research. “This campaign is also notable for the social savvy it shows the attackers possess in directing online dating lures with visually attractive pictures to university students and faculty.”
ABOUT THAT SMALL BIZ INCIDENT — Leaders of congressional small-business committees are demanding answers on how the Small Business Administration is reckoning with the exposure of emergency loan applicants’ sensitive information. “SBA must immediately provide a complete accounting of this incident, including: a summary of information about the data breach and how the breach occurred; the number of individuals and firms that may have been affected; when SBA notified those individuals and firms possibly affected; the period of time information was compromised; and what steps SBA has taken to ensure that applicant information is secure going forward,” Senate small business panel Chairman Marco Rubio (R-Fla.), ranking member Ben Cardin of Maryland and House Small Business Chairwoman Nydia Velázquez (D-N.Y.) wrote in a letter on Thursday.
TURNING YOUR FILES TO STONE — Organizations need to be ready to defend themselves from an especially virulent family of ransomware called MedusaLocker, Cisco’s Talos threat intelligence team said Thursday. Unlike most other ransomware, MedusaLocker can spread to mapped network drives; force Windows to connect to disconnected network drives so it can encrypt those, too; and find other potential victims on a network by abusing Internet Control Message Protocol, or ICMP, messages. If MedusaLocker discovers other computers on a network, it uses Server Message Block Protocol to map their shared folders and encrypt any files in them. “Ransomware developers continue to add functionality that enables them to maximize the damage they can inflict upon corporate networks,” wrote Talos’ Edmund Brumaghin, “in an effort to increase the likelihood of receiving a ransom payment from victims.”
MedusaLocker has popped up in ransomware incidents since last year, and it hasn’t changed much since then, according to Talos’ new report on the malware. The developers changed the file extension that MedusaLocker uses when it encrypts files and tweaked the appearance of the ransom message.
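The discovery-then-share-mapping behavior Talos describes leaves a network-side footprint a defender can look for: one host pinging many neighbours and, shortly after, opening SMB (TCP/445) sessions to several of the hosts it just pinged. The following is an added detection sketch written for this newsletter item, not code from Talos or from the MedusaLocker report; the flow-log format, the IP addresses and the thresholds (five pinged hosts, three SMB follow-ups, five-minute window) are all constructed assumptions. It does not cover the local mapped-drive and disconnected-drive behavior, which would need host telemetry rather than flow logs.

```python
"""Flag hosts that sweep the subnet with ICMP echo requests and then open SMB
sessions to the hosts that answered: the lateral-movement pattern described for
MedusaLocker. Added example with a constructed log format; not Talos' code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines (not real telemetry): "<ISO timestamp> <src> <dst> <proto>/<port-or-type>".
# 10.0.0.5 pings eight neighbours, then opens SMB (TCP/445) to four of them within a minute.
# 10.0.0.7 is ordinary client traffic to one file server; 10.0.0.9 is a monitor that only pings two hosts.
SAMPLE_LOG = """\
2020-04-24T09:00:01 10.0.0.5 10.0.0.10 icmp/echo-request
2020-04-24T09:00:01 10.0.0.5 10.0.0.11 icmp/echo-request
2020-04-24T09:00:02 10.0.0.5 10.0.0.12 icmp/echo-request
2020-04-24T09:00:02 10.0.0.5 10.0.0.13 icmp/echo-request
2020-04-24T09:00:03 10.0.0.5 10.0.0.14 icmp/echo-request
2020-04-24T09:00:03 10.0.0.5 10.0.0.15 icmp/echo-request
2020-04-24T09:00:04 10.0.0.5 10.0.0.16 icmp/echo-request
2020-04-24T09:00:04 10.0.0.5 10.0.0.17 icmp/echo-request
2020-04-24T09:00:30 10.0.0.5 10.0.0.10 tcp/445
2020-04-24T09:00:31 10.0.0.5 10.0.0.11 tcp/445
2020-04-24T09:00:33 10.0.0.5 10.0.0.12 tcp/445
2020-04-24T09:00:35 10.0.0.5 10.0.0.14 tcp/445
2020-04-24T09:01:00 10.0.0.7 10.0.0.10 tcp/445
2020-04-24T09:02:00 10.0.0.9 10.0.0.10 icmp/echo-request
2020-04-24T09:02:00 10.0.0.9 10.0.0.11 icmp/echo-request
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, proto)."""
    ts, src, dst, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, proto


def detect_sweep_then_smb(log_text, window=timedelta(minutes=5),
                          min_icmp_targets=5, min_smb_targets=3):
    """Return one alert per source host that (1) sends ICMP echo requests to at
    least min_icmp_targets distinct hosts and (2) within `window` of its first
    ping opens SMB sessions to at least min_smb_targets of those same hosts.
    Thresholds are assumed values; tune them to the environment's baseline."""
    first_ping = {}                   # src -> time of its first echo request
    icmp_targets = defaultdict(set)   # src -> set of hosts it pinged
    smb_events = defaultdict(list)    # src -> [(timestamp, dst)] on TCP/445

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = parse_line(line)
        if proto == "icmp/echo-request":
            first_ping.setdefault(src, ts)
            icmp_targets[src].add(dst)
        elif proto == "tcp/445":
            smb_events[src].append((ts, dst))

    alerts = []
    for src, pinged in icmp_targets.items():
        if len(pinged) < min_icmp_targets:
            continue  # a couple of pings is normal monitoring, not a sweep
        start, deadline = first_ping[src], first_ping[src] + window
        # SMB sessions only count if they go to hosts this source pinged first
        followed_up = {dst for ts, dst in smb_events.get(src, [])
                       if dst in pinged and start <= ts <= deadline}
        if len(followed_up) >= min_smb_targets:
            alerts.append({"src": src,
                           "first_ping": start,
                           "icmp_targets": sorted(pinged),
                           "smb_targets": sorted(followed_up)})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweep_then_smb(SAMPLE_LOG):
        print(f"{alert['src']}: pinged {len(alert['icmp_targets'])} hosts at "
              f"{alert['first_ping']:%H:%M:%S}, then SMB to {alert['smb_targets']}")
```

Keying the SMB check on hosts the same source pinged moments earlier is what keeps a busy file-server client (10.0.0.7 above) or a monitoring box (10.0.0.9) out of the alert list; a plain "many SMB connections" rule would fire on both.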
INTO THE SARLACC PIT WITH YOU — ESET said Thursday that it disrupted a botnet of 35,000 devices that has been mining cryptocurrency but also had more dangerous potential. Most of the devices affected by the VictoryGate botnet, which had been active since at least May, were in Latin America. The botnet drained infected devices’ resources and hid files stored on USB drives when they were connected to an infected machine. ESET warned that despite the sinkholing, the botnet could continue circulating, but it would no longer be able to do further damage.
So far, it’s only been used for mining. “However, given that the botmaster was able to issue commands to the nodes to download and execute new secondary payloads at any given time, this could have changed at some point,” ESET wrote. “This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions.”
CLEANING DEMO SOUGHT — Free Speech for the People asked major voting machine vendors on Thursday to produce demonstration videos on how to sanitize their machines, and have outside parties vet current instructions. “Your cleaning guidelines, and the guidelines produced by other manufacturers, are a useful starting point, but these guidelines must be made subject to robust review to ensure effectiveness in light of the pandemic and the particular risks and challenges of killing the novel coronavirus,” the group wrote. “And you must be transparent about the costs and time that it will take to properly sanitize the machines, and the risk that such processes may pose to voters and poll workers.”
MicroVote executive Bernie Hirsch answered that the company was working with election officials during the pandemic, but that ultimately it’s the states’ responsibility to clean machines. Replied Courtney Hostetler, counsel for Free Speech for the People: “It is shameful that electronic voting machine vendors are refusing to meet their obligations of providing safe and secure voting machines. It’s critical that election officials undertake a rigorous review of these machines and their safety before the upcoming elections.” Clear Ballot also responded to The Hill, saying it stood ready to aid local governments.
SOLIDIFYING AUGUST PLANS — Black Hat and DEF CON conference leaders this week shared their thoughts on whether they’ll have in-person events, but it might already be a moot point because of industry skepticism about attending. Jeff Moss, founder of DEF CON, said he would decide by May 15 whether to hold the conference in Las Vegas in August. Steve Wylie, general manager of Black Hat, said the conference was proceeding cautiously as though it would have a live event in August, but was “developing robust digital options” in lieu.
But a plethora of cyber names said in a Twitter thread they were almost certain not to attend. “If DEF CON / BH happens this year without some miracle panacea (due to say, Vegas opening against all expert warnings) I pledge to not attend,” said Lesley Carhart, principal threat analyst at Dragos’ Threat Operations Center, a sentiment others seconded. “This is in *no way* a reflection of my opinion of any of the staff or volunteers. I worry they’ll be pressured to run in an unsafe way.”
TWEET OF THE DAY — Hope he asks to see some identification.
— POLITICO: “Short-term losses shouldn’t block promising startups from using a federal lending program designed to help small businesses survive the coronavirus pandemic, a bipartisan group of lawmakers told the Federal Reserve and Treasury Department today.”
— Citizen Lab’s John Scott-Railton offered some observations about the latest in the WhatsApp court feud with NSO Group.
— Reuters: Vietnam denied that it hacked China for coronavirus information.
— Inside Cybersecurity: “Election Assistance Commission to tackle cyber-based initiatives on registration databases, e-poll books.”
— Motherboard: Instacart sent a cease and desist order to a website that lets users snag delivery slots.
— The Markup: Facebook will no longer let advertisers target users interested in pseudoscience.
— Engadget: Israel isn’t using phone tracking to enforce Covid-19 quarantines anymore.
— The New York Times: Cyber criminals are seeking to scam people out of their stimulus funds.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).