In cyber news this fortnight we take a closer look at the recent attacks within Australian health facilities including the Eastern Health hack and how the Victorian State Government is taking action to become cyber resilient in the sector. We also dive into the ransomware attack blamed for Federal Group's casino pokies outage, the zero-day vulnerabilities in SonicWall’s Email Security product, and how President Biden’s administration plan to strengthen the cybersecurity of their power grid.
The Get Cyber Resilient Show Episode #51 Transcript
Daniel McDermott: Hello. And welcome back to the Get Cyber Resilient Show. episode 51, all up, which is fantastic. great milestone to hit the 50-last week, and, uh ... and continuing. my name's Daniel McDermott. I'll be your host for today. And joined by our resident experts Garrett O'Hara and Bradley Sing. [inaudible 00:00:24] Good to see you.
Garrett O'Hara: Good to see you too, Dan. Looking forward to today's conversation.
Daniel McDermott: Yeah. Congratulations on, uh ... on your work, on getting to 50. It's, uh ... it's a- a great milestone. And, continuing to build the audience and hopefully, delivering value, each and every week.
Garrett O'Hara: Definitely. you know, one of those ones that sneaks around, a little bit like age, you know, that- that day-
Daniel McDermott: [laughs]
Garrett O'Hara: ... where you have your 40th birthday. And my 50th is- is slowly approaching. But it's definitely that feeling of, you know, when you look back, you're like, "Oh my god, how did, you know, we- we manage to get 50 episodes?" I ... and I like to think that they're good. So yeah, looking forward to the- the next 50.
Daniel McDermott: Yeah. Terrific. And, uh ... and today's episode is obviously focusing on recent news and activities in the ... in the world of cybersecurity. And, uh ... and, Brad, you've certainly done your homework on what's been happening in the industry as of late as well.
Bradley Sing: Certainly. Certainly. And again, congrats on the big 5-0. I wasn't sure if we were talking about episode numbers or something else there. [laughing] But congratulations Gar and Dan on that. [laughing]
Daniel McDermott: let's kick off today's, review with, uh- having a look at what's been happening locally around, I guess, the reporting of cyber incidents, and in particular around the health sector. this has been a constant, I guess, theme throughout many of the episodes that we've reviewed over the last year, looking at how vulnerable the health sector is, how many times they've been targeted. and it comes up, you know, quite often in the news. And now a recent report from, the ACSC has shown that it- it really has been a spike in activity. we've seen it go up from 90 reported incidents in, 2019 to 166 last year. just at the time where that industry is at its most vulnerable and under the most pressure that it's ever been before.
Um, so we've spoken about, you know, the way that attackers go about really taking people's vulnerabilities and- and pushing it to the nth degree. And it's really coming true in terms of what's been reported and what's come out of these reports lately, Brad. And, I think it would be great to get your insights on- on what's been happening and- and how this sector, is now looking at, you know, getting government support and- and being able to respond effectively to this as well.
Bradley Sing: Yeah. Certainly, Dan. I think a lot of sectors have been hit differently over the past year. health is one ... has- has- has been one which has been under a lot of focus, both from a, I guess, you know, dealing with- with the global pandemic, but also from a security perspective as well. it's a really interesting report. It covers ... It's a health snapshot, if you will, of the past kind of, uh ... from the start of 2020 to the end of 2020, in terms of different types of threats and reporting and trends and observations.
Um, interestingly enough, if you look at the amount of reports, in April, it had the highest amount. So going back to April last year, in 2020, they had 7- 70 reports. The next closest was 17 reports. So I guess if we think about, you know, in terms of time of ... times of when we see a lot of activity, that was smack bang at the start of, you know, lockdowns and- and COVID-19.
Daniel McDermott: And I think it's an interesting sector to look at, Gar, in terms of, you know, like why is there such an increase in, I guess, in targeting around, uh ... around- around healthcare? And, I guess, you know, what can they be doing to- to look at, you know, helping strengthen some of these vulnerabilities that seem to be, you know, exploited, far too often?
Garrett O'Hara: Yeah. Look, from conversations with, uh ... with folks in that particular industry, so healthcare, look, I think there's a few things at play here, the value of the information that healthcare organizations maintain. So PHI is clearly, clearly valuable, more valuable than credit card information and, you know, more valuable than, many of the sorts of data that attackers will go after. And I think you combine that with the- the fact that these are generally organizations that are critical. And by that I mean if they go down, if they get hit by ransomware, it is much more difficult for them to say, "Hey, we're not gonna," you know, "We're not gonna pay the ransom," if potentially people's lives are at risk.
So the attackers, I suppose, know that they've just got much more leverage, with these kind of organizations than they would with, you know, a shoe store, for example. And it's ... You know, I'm probably personally much less worried about not being able to buy new sneakers than I am if I'm, you know, sitting in an ICU. You know, clearly, there's different things at stake.
Um, strangely enough, the healthcare sector, and I think this is a global comment, tends to have tremendous downward pressure on budgets. And that's because it's so tightly linked to- to governments. Governments are always trying to cut costs. And, what you see then is that there isn't the budget available to keep systems up to date to have the latest greatest OS, operating systems or, security kind of, architecture in play. And, also you get these disparate, systems, if you think about healthcare where they- they have MRI machines, things that are forced to be running legacy operating systems because they need to- to, be certified by the- the sort of TGI locally. So there's- there's all these complicating factors that make, healthcare, unfortunately, just a really, really ripe target.
Daniel McDermott: And do you see then that notion of like all of these in- inputs into- into the system itself, that there is a bit of a supply chain, I guess, issue as well, that it's like, you know, it's not just the hospital or the endpoint itself. It is definitely, you know, I guess everybody that's sort of contributing and- and being part of that- that entire industry and that supply throughout.
Garrett O'Hara: I- I- I do, is the short answer. But I think it's- it's a weird one where there's sort of a forced problem with the supply chain because of how, devices are certified. So, you know, if I'm ... if I'm, you know, ACME, Inc., selling MRI machines or x-rays or, you know, all the- the cool, technology that's now available for healthcare, it's- it's such a strange one where the certification forces bad security because to re-certify, if they upgrade the operating system, they have to go through a massively complex, certification process. And don't get me wrong, we need to certify medical equipment. Right? That's- [laughs] that's- that's pretty obvious. And I hope that [laughing] never stops. but I think, you know, it's ... to me, it's a symptom of broader problems when it comes to supply chain and how there's a leg.
And you know, we've talked about this, the three of us, before, how there's a lag in government policy, there's a lag in organization policy, quite often, whe ... that doesn't reflect the current requirements for good cybersecurity. like- like a really good example of that is, some of the certifications for security force you to change passwords. And that- that now is understood to be not good practice. You know, it's understood that you choose a really, really good strong pass phrase that you don't have to change every, you know, two, three months. Because when you force people to change a password, they do the- the thing we all joke about, which is just add a two-dig- digit number at the end and, you know, change that number every time you're forced to, you know, have a new password. But you choose a bad password and then just increment.
Anyway, , you know, I'm kinda going off tangent here. But, you know, ultimately, I think you're right, Dan. I think there's- there's supply chain issues and also other issues, that, having spoken to people in this industry, some of the people operating in- in there, no pun intended, are excellent doctors but not necessarily, um ... not necessarily cybersecurity experts, which is the same for finance, same for HR, same- same for lots of different things. but I've- I've heard stories of, and this maybe sounds funny, but like things like x-rays being shared via WhatsApp, you know, as a ... as a kind of interesting example where without maybe understanding the implications of that, you know, people are using the systems that they can to share information to collaborate to get their jobs done. And I just think the stakes are probably a bit higher when it comes to healthcare.
Daniel McDermott: Indeed. And, Brad, we've seen, an example recently, at least in health, with a ... with a very strange message appearing on- on the screen in the hospital, sort of saying like, you know, someone could be eavesdropping on you right now. this is a man-in-the-middle attack. It- it's quite a- a, uh ... a bizarre message and a way to sort of, I guess, almost be sending a message, [laughs] that, you know, somebody's got control of the systems.
Bradley Sing: Yeah. I- I assume it's a ... So it's a fascinating screenshot. I assume it's like a bedside medical table or something. But the- the idea is at the top it says, "Is it possible that someone is doing something nasty?!" So typical kind of, I guess, you know, kind of ransomware attempt or try ... scare attempt as well. look, it- it is an attack recently which we've seen, I guess, a hospital app in kind of the- the suburbs within Melbourne.
Um, the interesting thing about this, I guess, also, unfortunately, like, you know, I think last year we saw the first death related towards ransomware and cybersecurity as well. And unfortunately, I feel like this- this shares a- a similar theme. interestingly, also some of the points Gar covered just then like pretty much kind of highlight the main takeaways that were kind of in- in that health sector report. Like they called out things like, there are numerous non-heath related targets, so things Like supply chain, non-traditional entities.
Um, couple of other interesting things we haven't talked about. So they mentioned vaccine research and development, intellectual property, is a potential big focus. And, I think as of just, quite recently, the, uh ... it was announced that they're gonna manufacture the mRNA, vaccine in Victoria, which is a huge step forward in terms of, I guess, our local development and all of the, other countries around our area as well.
So, you know, I guess, as we modernize and become more high tech and nationalize manufacturing to a degree in a way, I think that paints a bigger, uh- target on our back. And I think Australia's done great research in many fields with health and- and quite often I think lauded around the world. But, you know, potentially that also does, paint a bigger target on our back as well.
Daniel McDermott: Indeed. And I guess, moving to a- a positive of this is- is the government response in Victoria, looking to supply some funding. Gar, you mentioned the fact that, you know, these organizations are often under financial pressure and downward pressure. so it's at least good to see some- some funding earmarked to really help out and hopefully be able to make a difference.
Garrett O'Hara: Yeah, I totally agree, Dan. The ... I think so many of our issues, when it comes to healthcare, to- to most, of our, you know, call it critical infrastructure, those- those kind of things, a lot of it can be solved through just resourcing, you know, being able to afford the- the, improvements, you know, the upgrade in- in sort of back end systems, front end systems, awareness training, and then also potentially hiring people. that's ... you know, that's a- a thing we've talked on the show before, the ... the value of talents and how sometimes, you know, government, agencies and I would say healthcare agencies, don't have the money to pay sometimes for, you know, the world class talents that could help them solve a lot of these cybersecurity problems.
Um, the people I know who work in healthcare are incredibly, incredibly talented. and I think they're kind of maybe almost drawn to it as a vocation sometimes, you know, because I- I suspect the amount of pressure they're under to deliver, really good ad comms in a very, very, meaningful industry. you know, that's not a ... not a small thing.
Daniel McDermott: Indeed. So Brad, we saw ... seen that it's a 30 million-dollar investment, into- into the sector itself. So hopefully that, uh ... that helps move things forward.
Bradley Sing: Just- just on that as well, like, you know, if we kind of look back over the past two- two to three years, there has been a string of ransomware attacks and disruption against like the healthcare industry. And, I think this funding is great. Like it's Victorian or state based. But, you know, some of those, [laughs] what we're describing, again, like a lot of those attacks have been kind of against some of those Victoria-based hospitals. So hopefully this- this helps them refresh their other systems.
Um, on a side note, it also looks like it's gonna potentially ... they're gonna potentially offer support for the rollout of wi-fi at the bedside. So, uh- yeah, much- much nicer than just a television, I guess.
Daniel McDermott: [laughs] Indeed. And, moving on to, a- a recent attack, one that's not in an industry that's obviously as critical. But, down in Tasmania we've seen that, the- the casino operator has been, fallen victim to a ... to a ransomware cyber attack as well. Brad, what can you tell us about what's happening in- in Tasi to, uh ... to the ... not to the pokies, I hope. That's for sure.
Bradley Sing: [laughs] Well, look, it was to the pokies. So it was a ransomware attack targeting, Tas- Tasmania's lone casino operator, so, you know, Federal Group down there, or- or the Wrest Point Casino. it's an interesting one. Like we hear about ransomware disruption from time to time. I think, from- from a tourism and economy perspective, like, you know, there's been a lot of focus of getting Tasmania open. I'm going down there shortly myself as well. And I know that the- the, uh ... you know, the casino is- is usually a stopping point for a lot of people. The attack itself though is a bit interesting. So from what we understand, like it was ... we've heard that, it was common knowledge amongst casino workers that a ransom, ware attack had occurred. there were some messages apparently on different screens asking for payment. I'm not sure if they were on the pokies themselves. A few, former employees did report to the AirBC that, they believe that historic credit card details may have been stored in the booking system, and they could've been compromised as well.
So I mean, look, in terms of, I guess, potential loss, I mean, [laughs] we don't know how much money potentially, goes through casino hands, but in terms of disruption to a business, like the dollar value of having a casino or- or one machine off per day to a business is absolutely huge. So I think we have seen in- in the past, you know, a few different incidences of- of, you know, kind of gambling and- and that ... those industries being hit and targeted, because, you know, there's obviously a lot of money in the up time and the ... you know, the resilience around them.
Garrett O'Hara: Yeah. There was that, sort of infamous story now, isn't there, of the casino, I think it was in the U.S., getting popped through- [laughs] through their fish tank. 'Cause they had a- a, you know, an- an internet connected IoT sensor feeding system. And the attackers used that to get into the casino and pull that 10 gig of data, which they- they then sort of ... I- I don't know what happened from there, but I think everyone just focused on the fact that it was a fish tank that was the way in.
Daniel McDermott: [laughs] But Brad, I guess it's not just the- the- the casino side and that itself. But, I guess they do run, you know, hotels and that type of thing as part of these places as well. So, I guess, whether any data has been compromised in terms of, you know, actual personal data as well, in terms of people staying there, and whether anything like even credit card details and those sort of things have been, compromised as part of the attack at all.
Bradley Sing: Yeah. Like there is a suggestion that- that, you know, credit card details were potentially compromised. And they did say hotel booking system. And you gotta think as well, you know, it's a ... They're a decent sized organization for Tasmania as well, probably one of the largest employers there for- for the local economy. So there's that.
Um, part of me also wonders. Like we- we always talk about these breeches, ransomware, credit cards being stolen. What does everyone do with this stuff, right? It has to be fraud. It has to be identity theft. it just keeps happening and happening.
Daniel McDermott: Yeah. Sadly, big business, right? And, continuing to obviously, pay the bills for somebody somewhere because, it continues to occur.
Moving forward on one of the things that, has been reported as well is- is- is another, zero-day exploit, sort of reported by FireEye and Mandiant, against, a company called SonicWall, and, some of their, systems, I guess, being compromised. Brad, what can you tell us about this, in terms of what's happened and- and what their vulnerability looks like? And- and, have we been able to move forward in terms of actually having, I guess, a, uh ... a patch and, um ... and update in place as well?
Bradley Sing: Yes, certainly. So, look, Mandiant, [inaudible 00:16:09] FireEye, first reported this as a zero day. There is a patch now [inaudible 00:16:14] responsible disclosure process, with SonicWall. So if anyone is using SonicWall's email security appliance, I definitely recommend you read the bulletins and [inaudible 00:16:23] the patch. if we're gonna have a look at it at a high level, there's kind of three main CVEs, all which were effectively published, the highest one scoring a 9.4. And I'm hoping Gar can shed a bit of light in terms of, you know, why potentially something could score so high.
Um, but the main three were around, the first one being unauthorized administration/account creation. the second one being post-authentication arbitrary file upload. And the third one being applied post-authentication arbitrary file read. So administration, you know, create/write details, the ability to upload stuff.
Um, interesting thing in terms of the potential attack vector. It may be because of that, Apache. So the web server was bundled in with the installation. but interestingly enough also, it looks like the hackers tried to delete logs on their way out, which is quite a common hallmark we've seen in some of the more sophisticated attacks recently.
Garrett O'Hara: Yeah. The- the- the SonicWall are having- having a bit of a bad run. I think in January, their ... I think it was their SSL VPNs, also had some- some problems, which was also reported. But, you know, there's no comment on- on SonicWall. I think this stuff is just happening more and more where, you know, we're seeing kind of vendors, being targeted, you know, as- as evidenced in- in December. but yeah, I mean, to- to your point, Brad, like a- a score of 9.4 is pretty- pretty high. you know, that- that scoring systems kind of combine metrics across, you know, easily exploitable, and then the kind of ... the downstream effects of the- the exploit. So yeah, when you see anything above a nine, it tends to be stuff that people pay attention to.
Bradley Sing: And I guess like does this start to create more of an argument for cloud? Like just because like, you know, this is another kind of on-premise technology which has been popped. Like ... And the way to obviously prevent it ... prevent yourself from being compromised as well is to follow the patches. But if you move more of these services just towards, you know, kind of managed SAS services, does it decrease that risk? Or by the same token, I almost think it'd give you a bit less control.
Garrett O'Hara: Yeah. The answer's probably somewhere in the middle, I suspect. I think there's some intrinsic- intrinsically good things that come from clouds. And that is the- the focus on security. There tends to be a huge budget behind most sort of cloud providers, you know, to- to do security well. and they have so much at stake that the investment in technology and processes and people to support good security I think is ... you can do more, at scale than you probably can as an individual. And to your point, Brad, it- it's the common arguments or reason many people will go to SAS, not just the productivity and sort of cost savings, but the security uptick tends to happen with moving to the cloud because you don't have to have, you know, Bob and the security team remember to apply the latest security patches or do any of the testing that's required, you know, in theory, assuming you're talking about, you know, certainly software as a service. that-
Bradley Sing: And this is like a- a big key kind of, like, you know, core kind of email security solution. But like we saw Accellion like being a ... you know, a rather, I guess, small-ish, file-sharing system or- or- or platform. Like if I was an IT admin, I'd be looking at ... IT manager rather, I'd be looking at all these breaches of different vendors and thinking, jeez, what do I have on premise which needs patching? You know? Which one's gonna happen next? Like how can I mitigate that and decrease that- that pull? Because I kept hearing about it in the news.
Garrett O'Hara: Yeah. And then it ... I mean, sometimes it's the cost of change. And that's the- the reality, where you may understand on paper, okay, we've got a lower risk if we go to the cloud, but, you know, there's a data migration project that happens from, you know, an on-prem file storage to something in the cloud. And, you know, it's ... The ... It's not a zero cost change. And I think that sometimes is the little hurdle or sometimes the big hurdle that the organizations need to get over. But to your point, Brad, like at some point, you need to make that decision and do it, because the longer you wait, potentially the worse the problem gets and the harder it is to actually make- make that change ultimately.
Daniel McDermott: And in episode 49 when we were, last together, we did look at, the water system in the U.S. And in particular, we looked at the Kansas attack that happened. and it's interesting, back over in the U.S., the Biden government are making some noise and announcements around protecting the power grids and really looking at how do they strengthen resilience around the- the power supply, fearing that they are under ... you know, under this constant attack themselves in terms of the nation, and obviously looking at how do they strengthen their critical infrastructure.
Bradley Sing: Yeah. So there's a couple things here. But first of all, it's a ... it's a 100-day spr- sprint, I believe, [laughs] from the U.S. government. I didn't know the U.S. government were- were doing sprints when it came to thing like ... things like such as cyber. But think it's fantastic. there were some comments that cybersecurity and- and probably, I guess, the resilience around infrastructure was left out of the- the big infrastructure bill, which just happened in America. So I think this is a ... you know, kind of a- a good reassurance that there is funding going to that direction.
Um, I think it's kind of interesting as well if we think of, [laughs] I mean, you know, America's track record with things like, the power grids. Like, you know, they- they potentially were involved in Stuxnet, you know, being offensive hackers, when it comes to- to stably ... to stabilizing, a nation's internet. but it just shows, I think, you know, the- the importance of it. Right? Like I mean, as we start to move towards more modern, electric vehicles, more elec- electronics in our, you know, general lives, and even Bitcoin, I believe, uses more energy now than a small nation, like we're gonna need more electricity. And it just is as important. So I think, you know, great direction from the, uh ... the Biden administration. And kinda parallels what we're hearing and starting to see from the critical infrastructure bill over here.
Garrett O'Hara: Yeah. Totally. It feels like a shift in the zeitgeist, 'cause I think that's the reality. Like this stuff has been happening in the backgrounds. But the ... I think the- the perception and the notion of cyber war, you know, it's- it's gone from movies to it's now happening. we've seen it. We've seen proxy wars happening around the world. We've seen things like, you know, Ukrainian power taken out in very targeted attacks. But, it- it's a new world. I don't know. I mean, my- my sense of it is the last 12 months feels different. You know, the stakes have been raised. I don't know if it was our prime minister getting out there and scaring everybody with, you know, the sustained attack on Australia. But, you know, it- it feels like, to me, it's just become front and center.
Um, and then that's being reflected, as Bradley's said, in the ... you know, the- the critical infrastructure bill, the rethinking of what does it mean to secure a nation. you know, what's the collaboration between, different countries internationally to secure ... you know, co-secure each other? and some of the stuff that's happened out of NATO, right, I mean, oh, that's years ago, but, you know, the- the idea that, you know, NATO members will back a country that is under attack. And- and it feels like cyber attacks are starting to veer more towards the- the serious side, where the potential for even physical ret- retribution. And that's actually happened, hasn't it? correct me if I'm wrong, but I feel like Israel has actually taken out, a- a physical site where they knew hackers were operating from. I mean, it's sort of an aggressive country.
So, you know, this stuff is becoming more and more real. and I think the stuff you're seeing from Biden but also locally here, we ... you know, we talked about that in the last episode. Incredibly important. You know, we really need to get it right. And when you read through the- the critical infrastructure bill, so much of it is just good practice. You know, it's not revolutionary. It's not incredibly sophisticated. A lot of it is, "Hey, let's just do good security. Let's do good cyber resilience." And, you know, you almost think, "Well, why- why haven't we always done that?"
Daniel McDermott: Yeah. And- and you're right. We're only moments away from, the first set of rules being announced for the critical infrastructure bill focused on the energy sector, as being the first one as well. So be interesting to see, if they've taken anything from the U.S. approach, and, um ... and what's gonna be applied here. And, yeah, we're all, I think, looking forward to seeing what the rules actually do say, and how we actually drive towards, you know, that sort of compliance and higher- higher order in terms of, cyber resilience as well. So definitely, look out for that. It should be, hitting any day soon. And, um ... and definitely something that we'll keep across and be able to, inform the audience of as well as it moves forward.
Just in terms of wrapping up today's episode, a quick warning of a little, um- advertisement. But, the ... Many of the things that were spoken about over the year and that, have come through in a recent, report by Mimecast called State of Email Security. and we look in Australia, and we see that 64% of the respondents to- to the survey have been hit by ransomware in the last year. and that's up from 48% the year before. So these things where it does seem more prominent, it is hitting the news more regularly, there is greater awareness of it, is- is absolutely real. Right?
Um, and we see the ACSC report that we mentioned earlier. we see this report. It's a constant theme. And the attack vectors are rising all the time. So, do ... to learn more, do look out for, that report, and be able to, access that and see what's happening globally, and in particular what's happening in our region, and the impact that we're seeing from cyber attacks, in terms of in terms of Australia and New Zealand as well.
In terms of looking forward, Gar, for episode 52 next week, what do you have in store for us?
Garrett O'Hara: So we got Lee Weiner, who's the Chief Innovation Officer over at Rapid7. he's gonna be the next kind of interview off the, uh ... off the [inaudible 00:25:48] off the ranks, I think is what they- they say over here. cracking interview. Lee is an awesome guy. And I've known him for a couple of decades now. really, really good, uh ... good guy. Very clever, forward-thinking. And it's in his title, right? Innovation officer. So, you know, a lot of, future-looking in terms of the world of SIEM/SOAR and some of the stuff that Rapid7 are doing. not product pitch. It's not sales. It's- it's really just kind of, you know, industry focused and- and looking at where ... yeah, where does the world go in terms of, yeah, using SIEM/SOAR to kind of get ahead of and respond quickly to- to threats.
Daniel McDermott: Terrific. Well, looking forward to learning from Lee on, some of those global innovations that are coming. so yeah, really looking forward to that.
Well, thank you again, Gar and Brad, for- for today's episode. And, um ... and we'll be back in touch again shortly.