ISMG Editors: Analyzing the Twilio BreachAlso: Supply Chain Attack on NHS; Sanction of Crypto Mixer
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the breach of customer engagement platform Twilio, a cyberattack on the U.K.'s NHS that has reignited concerns about supply chain security in the healthcare sector, and the U.S. Treasury clamping down on shady cryptocurrency mixers.
The panelists - David Perera, editorial director, ISMG news; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- How customer engagement platform Twilio suffered a data breach after multiple employees were tricked into providing their login credentials to attackers;
- Critical lessons for healthcare organizations after the U.K.'s National Health Service experienced outages resulting from a cyberattack on a third-party vendor;
- The Department of the Treasury's sanction of Tornado Cash, an online service that criminals use to hide stolen cryptocurrency.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 29 Privacy Special edition with Lisa Sotto and the Aug. 5 edition on midsized businesses being the new frontier for ransomware demands.
Anna Delaney: Hello, this is the ISMG Editors' Panel. Thank you for joining us. I am Anna Delaney and this is a weekly discussion of what's happening in the world of data and information security. And this week, I'm delighted to be joined by Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, Mathew Schwartz, executive editor for DataBreachToday and Europe, and welcoming for the first time, editorial director for ISMG news, David Perera. Dave, welcome. Thanks for joining us.
David Perera: Thank you so much. My pleasure.
Delaney: And it's wonderful to see you all. So, Matt, why don't you start us off? Where are you today?
Mathew Schwartz: I am at the edge of the ocean here. This is over in Broughty Ferry, which is near Dundee at the North Sea. So, it's an arty take. There's a little boundary marker at the edge of the water here at low tide. So it's really beautiful. Lots of sand and wind because we're in Scotland, always lovely to have a wander around the coast.
Delaney: Very beautiful, indeed. Very moody, mysterious. Marianne, you're outdoors as well. Tell us?
Marianne McGee: Yeah, I am in the Boston Common. My husband and I went there a few weeks ago on one of the rare occasions this summer where the heat index was not 150 degrees. We spent the day walking around. It's been a hot summer.
Delaney: Yes, indeed, even in the UK. So, Dave, stunning sight behind you. Tell us more?
Perera: Thanks. It's a nighttime picture of Rosslyn taking from a park in Washington, DC. So we're looking at the Potomac River and all the skyscrapers on the Virginia side of the metro DC region. So, Washington DC has a little quirk in that is the buildings inside the city have a height restriction. So, all of the big skyscrapers, relatively speaking, can't be in the city. So you're just on the other side of the river in Virginia, where the height restrictions are not in effect.
Delaney: That is a good fact. I've got to say. They'll always get around that rule. And I'm in Valencia. This was taken a few months ago, back when it was very cold, but I'm feeling warm and summery. So, I thought it'd be a good shot to show you the city full of lemon and orange trees, which complement the old architecture. So Matt, you're brandishing your data breach sword today. What happened with Twilio this week?
Schwartz: I get to return to my data breach routes, one of our core ISMG sites. Ransomware has been competing for my hearts. But there's been a big bad breach story yet again. We have a company called Twilio, which is a customer engagement platform. For breach purposes, that's alarming because it works with thousands of companies, which work with thousands of end users. And because it's engaging with these customers, it keeps a lot of the communications and information not just on Twilio's customers but of other customers of Twilio's customers. So you could see from a breach standpoint why this would be a juicy target. Now, I'm not trying to name and shame here. But it's interesting to look at the breach report that Twilio put out on Sunday. They discovered this attack on Thursday. It's not clear to me that Twilio discovered it itself. They didn't want to give me any more information beyond what they put out saying that the investigation is ongoing. I'll get to why we think that maybe Twilio didn't discover it itself. But fascinating to look at the particulars and I think anytime a breach or an attack comes to light, organizations should be studying this. Again, not to cast blame or aspersions, but to say, "Could we fall for the same thing?" What happened here? It was a phishing attack, unusually via SMS messages. Employees received to their phone numbers an SMS message that said, "Your password's expired. This is the IT department contacting you. You need to click this link and reset your password right away." The link led to a phishing page using a lookalike domain. I don't remember what it is, but Twilio/ITdepartment.com or something. And at that lookalike domain, it looked like the login screen, where they would enter their password and also their one-time code. Apparently, enough users entered their password and their one-time code and the attackers were able, probably in real time, to take this information and to log in as if they were the user. So this is notable because you think about multifactor authentication making it hopefully impossible for attackers to log in. So what do they do? They trick people into giving them the multifactor authentication code in real time and the attackers use it before it expires to log in. So, fascinating that people fell for something sent via SMS. And the coda to this story is that Cloudflare says that it too was targeted and that three of its employees also fell victim, also fell for this SMS message that says, "Alert: your Cloudflare schedule has been updated. Please tap Cloudflare/okta.com to view your changes." Users did this. They entered their password, they entered their one-time code. Cloudflare says it got lucky though. It doesn't use one-time codes in the way that Twilio does. They've issued, instead, a Cloudflare security key and there are certain restrictions on the security key on how it can be used. So they got lucky. Talk about defense in depth, they had another piece of depth that foiled this attack. So, memo to CISOs: Look at Twilio's report on this, look at Cloudflare's report on this and how they almost fell victim too, and generate some takeaways to make sure that if you get hit tomorrow, you can't fall victim to the same attack.
Delaney: And Matt, do you think it would have been a different story for Cloudflare had they relied on this one-time password authentication?
Schwartz: Definitely. And they're clear about that. And they're not blaming anybody either. They said, "Luckily for us, we don't use these kinds of one-time passwords that are generated, for example, by an authentication app." We all use them. They got 30 or 60 seconds before they expire, or the one-time codes that get sent via text message. Any of those, the attackers would have been in. And then another code into the coda is Cloudflare says the attacker has also pushed remote access software to end users so that if they had installed this package - it wasn't advertised as malware - probably branded as IT department needs immediate access to your system, installed this remote viewing software for us, then the attackers would have had another way to get in, Cloudflare says, "Three users didn't install this". And there's other controls and checks they have in place. They have a service that looks for fake domain names registered in Cloudflare's name. It says the service works great, but there's a lag time between when it gets registered and when the alert goes off. And the attacker struck in that lag time, they registered it and they attacked right away before this other check and balance could be brought in. So, a fascinating well-planned attack. I don't think Twilio is going to be the only organization that's fallen victim. Twilio said this was part of a bigger campaign. I expect we're going to see much more than just Cloudflare saying they were targeted too.
Delaney: And this could potentially get messy with fines, GDPR perhaps. How would you rate Twilio's response because you're very good at assessing how they communicate with the customers, how they communicate to the wider world? What score would you give them?
Schwartz: I don't want to score. I will say in Twilio's favor, they came out quickly. They learned of the attack on Thursday, possibly from Cloudflare, and they put out their breach notification on Sunday. So, most of the time, you see organizations take a little bit longer. We're going to see what happens. I asked Twilio if they informed EU authorities, if any Europeans' personal information was exposed in this attack, they declined to comment. So, I suspect that there was GDPR-covered data in this. So, I think this is going to get real messy, not just for Twilio.
Delaney: Wait to see what happens next. Thank you, Matt. Fascinating coverage. Marianne, you've been covering an institution in the UK this week: The National Health Service. Tell us more on what's been happening.
McGee: Or the NHS recently. It first experienced an outage of its IT, certain applications but predominantly on its 111 service, which, among other things, helps individuals set up appointments for urgent care and for other assistance. The outage was caused by a cyberattack on one of NHS's key IT and services vendors advanced. And as a result, NHS 111 call handlers had to resort to pen and paper and other manual processes to help individuals seeking care, which resulted in some delays and backlogs. But that incident highlighted the trend that it's not just this year, it's been going on for years, but it seems to be getting worse this year in terms of vendor incidents that affect healthcare entities. In the US, business associates that handle HIPAA-protected health information have been implicated in some of the largest breaches so far this year, including hacking incidents involving Eye Care Leaders, which is a cloud-based electronic health records vendor, MCG Health, which is a company that provides clinical guidelines to healthcare entities and also Professional Finance Company, which is an accounts receivable services firm. Combined, those incidents in the US have, just with those three, affected hundreds of healthcare entities and millions of their patients. And we've seen other big vendor breaches in the past. We've seen a big hacking incident on a medical debt collection agency a few years back that affected dozens of healthcare entities and millions of patients. We saw a ransomware incident a few years ago on a fundraising software vendor Blackboard, which affected dozens of healthcare entities as well as coins and other sectors such as education. So, the range of compromises that can happen involving the assortment of different third parties that provide services to healthcare entities is astounding and seems to be growing. And one of the reasons is that these vendors handle a lot of different clients' patients' data, which makes them attractive targets for cybercrime, such as ransomware and extortion of other kinds. But in the healthcare sector, these entities deal with such a wide range of specialty vendors that this potential target seem to be growing. For instance, just with medical devices, healthcare entities may be dealing with hundreds of different third parties who supplied specialized services and equipment, often the services are also reliant on cloud. So, it's putting not only patient data privacy at risk, it's also putting patient safety at risk. And experts are saying that these incidents are a good reminder to these healthcare sector entities that rely heavily on business associates and other vendors that they need to obtain assurances from these third parties that these companies are doing what they said they should be doing, or not, and also verify that these third parties have security practices and protocols in place that not only protect patient data, but also can give an alert real fast to these healthcare entities that are affected. But also from a regulatory standpoint, for HIPAA-covered entities, it's critical that healthcare entities have these business associate agreements in place and that their third parties also have business. So, associated agreements with their subcontractors because this could also translate to regulatory problems down the line. As I said, these incidents are good reminders that the third parties that are putting healthcare entities and their patients data at risk just seem to be growing.
Delaney: That's a huge problem. I think one of the experts you interviewed in a recent article highlighted the importance for healthcare organizations to know their vendors and partners. What's your advice to healthcare organizations to know the not knowing part, because as you said, the chain is big?
McGee: That's true because you have different departments within healthcare organizations that they might be doing business with a supplier that was handling protected health information, but the IT people might not be aware of this, the security people might not be aware of this. And we're not talking about dozens, we're talking about thousands of vendors that provide services to healthcare entities, everything from the medical equipment to the hFax, to the cafeteria, the billing, the diagnostic experts offshore, there's so many places where things could go wrong. And a lot of these breaches, a small handful are rapid representation of things that go wrong.
Delaney: As our previous story, the story continues, doesn't it? Thanks so much, Marianne. So Dave, it seems that cryptocurrencies or at least the illicit use of them, illicit cryptoactivity, is keeping the US Treasury very busy these days.
Perera: US Treasury, US Justice. There's been a crackdown on illicit uses of cryptocurrency over the past month. The newest example of which was sanctions levied by the Department of Treasury, Office of Foreign Asset Control, sanctions on Tornado Cash, which is a cryptocurrency mixer. It's putatively for privacy reasons. If you have currency and you want some more privacy on some of the transactions you're doing on the blockchain, you can send it to a mixer in which your cash, your cryptocurrency is mixed with other cryptocurrency and randomly spat out to a destination wallet. In reality, one of the biggest users of at least Tornado Cash and other cryptocurrency mixtures are criminals who are trying to obfuscate the trail of their stolen currency. And not the least of which, among the cyber criminals ranks, is North Korea, which has just fallen in love with stealing cryptocurrency because they figured out that it's a fairly easy way to fuel their weapons of mass destruction program. North Korea has a history of just cybertheft but robbing banks, say the SWIFT system, as it did a few years ago, is a complex and multi-tiered affair. It requires a lot of work and coordination across the globe, whereas just exploiting some of these poorly secured cryptocurrency bridges or other platforms is a relatively easy thing for them to do. So, the Treasury Department decided that there was too much illicit use of this cryptocurrency mixer Tornado Cash, and it put it under a sanction, which means that no US person can legally do business with it. Now, there has been some backlash by people in the cryptocurrency world saying that mixers are neutral tools and Treasury shouldn't be in the business of sanctioning a tool that can be used for privacy or for criminal purposes but Treasury's perspective and the perspective of other people that I've spoken with is that the extent to which Tornado Cash was facilitating illicit transactions was too large to ignore. And you can have a cryptocurrency mixer that still takes steps to try to prevent transactions from reaching known wallets associated with illicit actors. So it's not so much that the tool is neutral, it is that the tool was being allowed to be used to illegal ends.
Delaney: And, Dave, do we know how much of an inconvenience this will be to the criminals - removing Tornado Cash?
Perera: To be determined. As one person I spoke with said, maybe a run-of-the-mill criminal will be avoiding Tornado Cash because they know that the eyes of the US government are on what's going on with Tornado Cash. Maybe North Korean cyber criminals will test the waters to see if they can get away with shoveling large amounts of stolen cryptocurrency through the mixer and see what happens if they try.
Delaney: ISMG speaks with our good friend, Ari Redbord from TRM Labs, who calls this the largest, most impactful action to date in cryptoland. Do you agree? It seems like the US Treasury is taking more of an aggressive approach.
Perera: Yes, there are lots of firsts to be had when it comes to the US government enforcing rules like anti-money laundering, anti-insider trading, a whole raft of regulations and rules that apply to criminal activity in the normal securities world to the cryptocurrency world. So, indeed, it was a significant action. But on the other hand, we're in a green field of law enforcement action against cryptocurrency in which there's going to be a lot of firsts for the foreseeable future.
Delaney: For sure. Thanks, Dave. So finally, is there a tweet or thread, or LinkedIn posts that you've recently come across that you found particularly informative or interesting?
Schwartz: Definitely. I'll jump in here. There was a little story the other day about how a chess robot had grabbed and broken the finger of a seven-year-old opponent. And there was a wonderful observation by a security researcher, an offensive security researcher I followed for years - you see him speak at major events - Rob Graham of Errata Security. And his response was, "We need more ethics in AI to teach robots that this is not acceptable behavior that even though they can win chess games with physical violence, they should not."
Delaney: Very good. I like that. Dave?
Perera: Let me just say one thing piggybacking on what Matt said. And that is, I recall reading a book about AI in which there was an AI program, it was trying to optimize the landing of aircraft on aircraft carriers. And the AI figured out that the best way to get an aircraft carrier in airplane to make contact with an aircraft carrier was to crash them.
Delaney: Lesson learned. What did you come across, Dave?
Perera: What did I come across? I come across an interesting New York Times article, talking about how occupied areas of Ukraine, the internet connectivity is being redirected away from Kyiv to Moscow, where things like controls on content can be imposed. So it's a reminder to me that the internet today - it never was just a neutral carrier of information. But it highlights for me how urgent it is for authorities and power figures to grab control of the internet, even as that same authority is busy invading its neighbor.
Delaney: Thanks for that. Marianne?
McGee: I'm not one particular post. But I've noticed a trend on LinkedIn this year. A lot of healthcare CISOs, I would say CIOs too, for that matter, I've known for years or have been aware of for years, they've been changing jobs, many of them leaving healthcare, going to other sectors. So, I don't know if that's a trend. It's just something I happen to notice. But, it would make sense to some extent that the healthcare sector has been under assault with COVID. But now also, with all the cyberattacks and breaches and I think maybe at some point, these people were saying, "I'll try my hand somewhere else." There's a demand for this talent in all sectors, including healthcare.
Delaney: That's depressing as well, losing all that talent, but hopefully, more will come through. So I came across Rachel Tobac's tweets, I thought they were interesting on the Twilio Cloudflare incident, and she's breaking down the attackers' motives and prevention strategies, as well as our great colleague, Mathew Schwartz, articles on them as well.
Schwartz: Plenty to go around.
Delaney: Plenty. Thank you very much, Marianne, Matt and Dave, thanks for taking part in this. This party. And thank you so much for watching.