H-ISAC Hacking Healthcare 11-13-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare, we explore insider threats and the various ways they can negatively impact organizations. First, we analyze how the convergence of geopolitics and insider threats have led GitLab to consider banning individuals of certain nationalities from critical positions. Next, we brief you on how an insider threat at Trend Micro led to tailored scam attacks against their customers. Finally, we examine the case of two Twitter employees charged with spying for the Saudi Arabian government.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. GitLab Considers Bans for Russian and Chinese Support Positions.

The Internet is often lauded for its ability to effectively erase the geographic distance between willing collaborators. The ability to find and employ talented individuals regardless of location is a frequent boon, but geopolitical tensions are beginning to have very real consequences for businesses that take advantage of that ability. Last week, GitLab, a DevOps tool used by over 100,000 companies worldwide, was forced to acknowledge that they may ban Chinese and Russian nationals from two support positions that oversee customer data over fears they may steal intellectual property and trade secrets.[i]

GitLab reported several weeks ago they were considering not only banning new hires from China and Russia, but also banning anyone working in the affected support positions from moving to those countries. While the ban affects only two support positions that require full access to customer data, GitLab is concerned about the potential for creating a “second class of citizens on certain teams who cannot take part in 100% of their responsibilities.”[ii] GitLab’s potential ban comes after several of its enterprise-level customers signaled their concern about China and Russia’s previous attempts to infiltrate western organizations and companies. It is also an acknowledgement that citizens of those countries may be at greater risk of coercion from state intelligence services.[iii]

2. Insider Threat at Trend Micro Leads to Scam Attacks.

An enterprise data security and cybersecurity solutions company, Trend Micro, announced last week that roughly 70,000 of its customers were affected by an insider threat.[iv] Trend Micro reported in a blog post that a security incident “resulted in the unauthorized disclosure of some personal data of an isolated number of customers of our consumer product.”[v] Trend Micro believes all the affected customers have been notified, but they are continuing to investigate the scope of the incident.

The incident is believed to have occurred last August when Trend Micro customers reported that they were being targeted by scam support calls. Trend Micro promptly began an internal investigation that revealed evidence that an employee “used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers.”^[vi] This data was then sold to an unknown malicious actor.

While Trend Micro was quick to “reassure [their] business and government customers that [their] investigations have shown no indication that the criminal has accessed any enterprise customer data,” this response fails to wholly capture the potential damage that could occur through successful phishing attacks resulting from the stolen data. Phishing attacks are already among the most successful methods of compromise for malicious actors, but they become even more dangerous when the attack is tailored by making use of inside information from a trusted vendor.

One method of mitigation for these types of attacks is to ensure that your organization knows and follows proper procedures for communicating with vendors and third party partners. As an example, Trend Micro has a policy of never making unsolicited calls to customers and they encourage customers to report such activity. By ensuring the use of established procedures such as these, companies can lessen the risk of falling for tailored phishing attacks that use inside information.

3. Twitter’s Saudi Spies.

Last week, Security Affairs reported that two former Twitter employees had been charged with spying for the Saudi Arabian government in a case brought before U.S. District Court for the Northern District of California.[vii] The indictment alleges that they acted as foreign agents without notifying the attorney general, and destroyed, altered, or falsified records in a federal investigation.[viii] One of the individuals has since been arrested by the FBI.

According to the court filing, the two were recruited by the Saudi government in 2014 and continued their work until they left Twitter in 2015. During that time they allegedly gathered “non-public information of Twitter accounts associated with known prominent critics of the Kingdom of Saudi Arabia and the Royal Family.”[ix] Security Affairs reports that the two gained “unauthorized access to information associated with some profiles, including email addresses, devices used… and other [information] that can be used to geo-locate a user such as IP addresses and phone numbers.”[x]

Social media has long been a favorite target of foreign governments to spread their tailored narratives and misinformation, so the infiltration of social media organizations by foreign governments looking to silence dissent shouldn’t come as a surprise. However, the seriousness of the potential consequences stemming from this type of insider threat cannot be overstated. Authoritarian states have shown themselves to be more than willing to violently target dissidents, and geolocation data can very easily put lives at risk.