CyberWire Daily - A conclusion on the xDedic Marketplace investigation.
Episode Date: January 8, 2024
The DOJ concludes its xDedic Marketplace investigation. A cyberattack shuts down a major mortgage lender. The Swiss Air Force suffers third party breach. An update on SilverRAT. The Space Force emphasizes collaboration for effective cyber growth. The DOE announces cyber resilience funding. Merck reaches a settlement on NotPetya. NIST warns of AI threats. Our guest is Dragos CEO Robert M. Lee, with a look at intellectual property theft in manufacturing. And Chump Change fines for big tech.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today, we are joined by Robert M. Lee, founder and CEO of Dragos, to discuss intellectual property theft in manufacturing.
Selected Reading
AsyncRAT campaign targets US infrastructure. (CyberWire)
19 Individuals Worldwide Charged In Transnational Cybercrime Investigation Of The xDedic Marketplace (US Department of Justice)
Space Force is crafting in-house cyber teams but sees need for closer work with USCYBERCOM (Nextgov/FCW)
Energy Department has cyber threats to infrastructure in mind with $70 million funding offer (FedScoop)
Swiss Air Force documents exposed via cyber attack on third party (BeyondMachines.net)
Major IT, Crypto Firms Exposed to Supply Chain Compromise via New Class of CI/CD Attack (SecurityWeek)
Merck settles with insurers who denied $700 million NotPetya claim (The Record)
Syrian Threat Group Peddles Destructive SilverRAT (DarkReading)
NIST Warns of Security and Privacy Risks from Rapid AI System Deployment (The Hacker News)
Mortgage firm loanDepot cyberattack impacts IT systems, payment portal (BleepingComputer)
Big Tech has already made enough money in 2024 to pay all its 2023 fines (Proton)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
The DOJ concludes its xDedic Marketplace investigation.
A cyber attack shuts down a major mortgage lender.
The Swiss Air Force suffers third-party breach.
An update on SilverRAT.
The Space Force emphasizes collaboration for effective cyber growth.
The DOE announces cyber resilience funding.
Merck reaches a settlement on NotPetya.
NIST warns of AI threats. Our guest is Dragos CEO Robert M. Lee
with a look at intellectual property theft in manufacturing.
And chump change fines for big tech.
It's Monday, January 8th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
United States Attorney Roger B. Handberg announced the conclusion of an investigation into xDedic Marketplace, a dark website selling illegal access to servers and personal data globally, including over 150,000 in the U.S. The site facilitated tax fraud, ransomware, and other crimes, operating through a complex international network and using cryptocurrency to maintain anonymity. In January 2019, U.S. authorities, in collaboration with international law enforcement, seized xDedic's domain and dismantled its infrastructure. Post-takedown, the U.S. Attorney's Office charged individuals at all operational levels of xDedic, including administrators, sellers, and buyers. Seventeen defendants have been charged or extradited to the U.S., with many being foreign nationals from non-extraditing countries, which of course complicates the legal process.
The investigation was a combined effort of various U.S. and international agencies.
loanDepot, a major U.S. mortgage lender, was hit by a cyber attack leading to the shutdown of its IT systems and disruption of online payments and customer services. The company, servicing loans worth over $140 billion, responded to customer queries on X, formerly Twitter, about the outage, confirming the incident and their efforts to restore operations with the help of law enforcement and forensic experts. While the exact nature of the attack remains unclear, the potential for ransomware suggests risks of stolen corporate and customer data. Following a previous data breach in August 2022, loanDepot customers are reminded to be vigilant for phishing and identity theft.
The Swiss Air Force suffered
a significant data breach after U.S.-based Ultra Intelligence and Communications was compromised. The ALPHV hacker group claimed responsibility, leaking 30 gigabytes of sensitive data, including Swiss military and intelligence documents, after a failed ransom demand. The leak, which is now on the darknet, reveals encrypted communication technologies and deals, notably with the Swiss Department of Defense and RUAG. Although the Swiss Federal Department of Defense assured that operational systems remain secure, the full impact of the breach affecting organizations including the FBI and NATO is yet to be determined, raising concerns about the exploitation of disclosed vulnerabilities.
Continuing with supply chain news, a researcher from security firm Praetorian has identified a significant vulnerability in public GitHub repositories using self-hosted GitHub Actions
runners, which can be exploited for high-impact supply chain attacks. Researcher Adnan Khan says
attackers can inject malicious code
into these repositories via fork pull requests,
potentially gaining persistent access
and compromising sensitive processes.
This vulnerability was demonstrated
when a researcher gained access
to GitHub's own Runner Images repository,
highlighting the risks.
Tens of thousands of repositories, including those of major tech companies, are vulnerable.
While researchers have reported this issue and GitHub has begun mitigation,
organizations are urged to require approval for all outside contributions
to safeguard against these attacks.
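The pattern the story describes is a workflow that runs pull-request code on a self-hosted runner. The repository setting the researchers recommend (requiring approval for outside contributions) is configured in the GitHub UI, but the risky combination is also visible in the workflow file itself. The following is an added example, not code from the podcast, from Praetorian, or from GitHub: a small heuristic, line-based scanner over two constructed workflow files, one with the weak configuration and one hardened so that pull-request jobs run only on GitHub-hosted runners and the self-hosted job is gated to push events. The sample workflows, the label list, and the "safe condition" patterns are assumptions for illustration; it does not parse full YAML.

```python
import re

# Constructed sample: a public-repo workflow whose pull-request jobs land on a
# self-hosted runner (the weak configuration described in the story).
RISKY_WORKFLOW = """\
name: CI
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Constructed hardened variant (an assumed configuration, not the page's):
# PR-triggered work runs on a GitHub-hosted runner; the self-hosted job only
# runs for push events, which untrusted fork PRs cannot trigger.
HARDENED_WORKFLOW = """\
name: CI
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  deploy:
    if: github.event_name == 'push'
    runs-on: self-hosted
    steps:
      - run: ./deploy.sh
"""

# Label prefixes of GitHub-hosted runners; anything else is treated as
# self-hosted (conservative: unknown or templated labels are flagged too).
GITHUB_HOSTED = ("ubuntu-", "windows-", "macos-")
PR_EVENTS = {"pull_request", "pull_request_target"}
# Job-level conditions that keep fork-PR code off the job (assumed list).
SAFE_IF_PATTERNS = (
    "github.event_name == 'push'",
    "github.event.pull_request.head.repo.full_name == github.repository",
)


def parse_triggers(text):
    """Return the set of event names under the top-level 'on:' key."""
    events = set()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()  # handles 'on: push' and 'on: [push, pull_request]'
        if inline:
            events.update(e.strip() for e in inline.strip("[]").split(",") if e.strip())
            return events
        for nxt in lines[i + 1:]:
            if nxt and not nxt.startswith(" "):  # dedent ends the block
                break
            m2 = re.match(r"^  ([A-Za-z_]+):", nxt)
            if m2:
                events.add(m2.group(1))
        return events
    return events


def parse_jobs(text):
    """Return {job_name: {'runs-on': ..., 'if': ...}} from the 'jobs:' block."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        if line and not line.startswith(" "):
            break
        m = re.match(r"^  ([\w-]+):\s*$", line)
        if m:
            current = m.group(1)
            jobs[current] = {"runs-on": "", "if": ""}
            continue
        if current is None:
            continue
        for key in ("runs-on", "if"):
            m = re.match(rf"^    {key}:\s*(.*)$", line)
            if m:
                jobs[current][key] = m.group(1).strip()
    return jobs


def is_self_hosted(label):
    """True unless the first runner label is a known GitHub-hosted image."""
    first = label.strip().strip("[]").split(",")[0].strip().strip("'\"")
    return not first.startswith(GITHUB_HOSTED)


def find_risky_jobs(text):
    """Jobs that run on a self-hosted runner in a workflow triggered by PR events."""
    if not parse_triggers(text) & PR_EVENTS:
        return []
    risky = []
    for name, job in parse_jobs(text).items():
        if not job["runs-on"] or not is_self_hosted(job["runs-on"]):
            continue
        if any(p in job["if"] for p in SAFE_IF_PATTERNS):
            continue  # job is gated away from fork-PR code
        risky.append(name)
    return risky


if __name__ == "__main__":
    print("risky:", find_risky_jobs(RISKY_WORKFLOW))        # ['build']
    print("hardened:", find_risky_jobs(HARDENED_WORKFLOW))  # []
```

A finding from this scanner is a prompt to check the repository's Actions settings for fork approval, not a substitute for them: a workflow file can look safe while the repository still lets outside collaborators' pull requests run without review.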
Dark Reading reports on SilverRAT,
a remote-access Trojan with links to Turkey and Syria,
which enables control over compromised Windows systems
and reportedly plans an update for Android devices.
Developed by a group known as Anonymous Arabic,
it's sophisticated malware used for keylogging,
ransomware attacks, and can delete
system restore points. SilverRAT's first version, leaked in October, featured customizable command
and control options, antivirus bypasses, and delayed payload execution. The developers,
operating under aliases DangerousSilver and MonsterMC, engage in malware-as-a-service and cybercrime
activities on platforms like Telegram and other online forums. Middle Eastern cybercrime markets,
traditionally led by state-backed groups, now see a rise in homegrown entities like Anonymous
Arabic. Cyber threat analysts note varying technical sophistication among Middle
Eastern hacking groups and a trend of young hackers transitioning from game hacks to more
serious cyber crimes, highlighting the need for programs to redirect youth from cyber criminal
activities. The U.S. Space Force continues to grow their in-house cyber capabilities, but in the meantime plan to continue their collaborative partnership with U.S. Cyber Command. For more on this story, here's Maria Varmazis, host of our T-Minus Space Daily podcast.
The U.S. Space Force is taking cyber threats in space seriously and making moves to work closer with the U.S. Cyber Command, otherwise known as U.S. CYBERCOM. Despite the concerted effort to protect assets in orbit, there are currently no guardians stationed at U.S. CYBERCOM, a situation that the service says it hopes to rectify in the coming years. Space Force has reportedly had conversations about establishing a service component to U.S. CYBERCOM, but nothing formal has been announced at this time.
That's T-Minus host Maria Varmazis. Be sure to subscribe to the T-Minus Space Daily wherever
you get your favorite podcasts. Turning toward critical infrastructure, the Department of Energy is dedicating $70 million
to research and development of technologies to protect delivery infrastructure from cyber
threats and physical hazards. Managed by the Office of Cybersecurity, Energy Security,
and Emergency Response, the All Hazards Energy Resilience Initiative seeks proposals, particularly for operational technology, focusing on creating a zero-trust architecture in electrical, oil, and natural gas environments.
With the complexity of networks increasing, the DOE aims to modernize security to defend against emerging threats. Awards of up to $5 million will be granted to universities,
tribal nations, and companies for solutions to secure critical energy infrastructure.
The initiative recognizes the growing vulnerability of energy systems to cyber attacks,
emphasizing the need to maintain operational capability even when compromised. The research is informed by current threats,
considering various potential entry vectors into the sector.
Pharmaceutical giant Merck has settled with insurers over a disputed $700 million claim
following the NotPetya cyberattack in 2017. Initially denied coverage due to an acts of war clause, Merck's legal battle
highlighted the challenge of defining such acts in the realm of cyber warfare. A New Jersey court
ruled in favor of Merck, noting the unchanged language and policies despite the evolving
cyber threat landscape. The settlement was reached just before the case escalated to the New Jersey Supreme
Court. This case and others like it have prompted the insurance industry, including Lloyd's of
London, to clarify exclusions for state-backed cyber attacks in their policies. The U.S. National
Institute of Standards and Technology, NIST, has released a publication highlighting the privacy and security risks associated with the growing use of AI systems like ChatGPT.
These systems are vulnerable to adversarial manipulation of training data, model vulnerabilities, and malicious interactions that can lead to sensitive data exfiltration. AI technologies face threats like corrupted training data, software security flaws, data model poisoning, supply chain weaknesses, and prompt injection attacks.
NIST classifies the attacks as evasion, poisoning, privacy, and abuse attacks, which can significantly
impact the system's integrity and privacy. The agency emphasizes the current lack of robust defenses
and urges the tech community
to develop better mitigation strategies,
warning against oversimplified solutions
for these complex security challenges.
Coming up after the break, Robert M. Lee, founder and CEO of Dragos,
talks about intellectual property theft in manufacturing. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Robert M. Lee.
He is the CEO at Dragos. Rob, some of your colleagues
there at Dragos recently put out a report on intellectual property theft in manufacturing.
I thought that might be a good topic for you and I to touch on here today.
What are your insights here when it comes to this?
Yeah, I mean, when you look at manufacturing, obviously, there's a lot of intellectual
property there. Now, every company to some measure has intellectual property, no matter if they really recognize
what it is as much.
But if you're in business, there is something that makes you special.
And when you look at manufacturing, there's multiple facets to that intellectual property.
Some of that intellectual property is what people classically think of, like the recipe
or the makeup of the product lines or any sort of secret sauce that they're putting
into it,
right? Like from food to body armor to manufactured steel, there's something there
that's intellectual property usually along that recipe-ish pattern. But there's also,
and sometimes more importantly so, intellectual property and how you're achieving those outputs.
In other words, how are you building the physical process
and the engineering and the instrumentation
of that control system environment
to take lower quality inputs and make higher quality outputs?
Because in manufacturing, margins can be razor thin.
So if I have a better way of making something,
that can be a competitive advantage
in the orders of billions of dollars
and define whether that company is going to stay in business or not.
So what we see is a lot of focus has gone into intellectual property theft over the years. But as expected, a lot of that has been, most of that has been placed on the IT
portion of the networks. Let's do enterprise IT security to protect intellectual property.
Well, a lot of the intellectual property is your operation inside the house, the manufacturing
lines, the recipes, et cetera.
That's not just sitting around an email server,
usually in your enterprise.
So being inside the operations technology networks,
these industrial control environments,
being able to identify these threats,
their methods, et cetera,
and being able to stop them there is hypercritical,
especially as we become a digitally transformed
kind of industry where integrators and OEMs and contractors
and everybody else has access to that side of the house.
And so long story short,
what we are seeing is a consistency in threat groups
targeting manufacturing for one of four purposes.
One would be the intellectual property theft
that we're talking about with recipes and similar.
One is the intellectual property theft
of the actual operations itself. One is just criminal. Just because they're hyperconnected,
there's a lot of ransomware groups that are hitting manufacturing. And if they take down
the operations side of the house, the company is likely to pay more and pay faster because that's
where they're generating revenue. And then the last thing we see but less of is the more
pre-positioning aspect where maybe it could turn into something destructive eventually, but the type of information that the adversaries are stealing is not very clearly
defined into one of the previous categories. And so you don't want to come out and make an
assessment of this means that no, no, no, we're just saying it doesn't cleanly fit into the first
three categories. And the type of information that's being stolen tends to be more for
disruptive or destructive capabilities. Probably, and this is an espionage for probably one of the best case studies
that's happened in a long, long time.
Very interesting is that the U.S. government
apparently got wind of, got access to,
I don't know the sources of the methods,
but the U.S. government ended up finding a foreign state actor
that was developing exploits against unknown
Rockwell Automation control,
like unknown Rockwell Automation vulnerabilities in the Rockwell controllers.
And those type of controllers are in electric and gas as well,
with a very, very popular manufacturing.
And so it looked more flavor towards manufacturing.
So the U.S. government uses their sources and methods
to go find adversary capabilities before the adversaries launched it.
They brought in Rockwell, who was there to partner
and work with them and help them understand
what the vulnerabilities do and get patches out
and mitigation advice for their devices.
And they brought us in as well as a couple others
and we were able to actually create detections
and help flesh those out, loaded into Neighborhood Keeper,
one of our collective defense tools to see
if it was already in the wild across all of our customers,
and bring all this to the forefront for the community behind the scenes,
and then launch it publicly.
Let's just think about that for a second.
In terms of the manufacturing industry, a state actor was going to go after it to a significant number of level,
at the automation level, that the US government was even able to take it very seriously and catch wind of it. And we as a community were able to work together collectively to get a win
before the adversary even launched their attacks. We always talk about stuff like that, but it
rarely, rarely happens. Well, help me understand here, you talked about intellectual property
and access on the OT side. And I guess I'd never really pondered the notion that if I have access to your OT side,
just being able to see how you have things wired up and hosed up
is going to give me insights on perhaps some of the secret sauce.
Well, that and the instrumentation data and similar.
So it's not just the wiring of it, though that can matter a lot.
I mean, the engineering drawings definitely are part of stealing intellectual property.
But if I've got your data historian that shows me a record of every temperature change and
pressure change and similar of the entire physical process, and then I know your automation about how
you set it up, I can really go rip it off. If I just have a recipe, there's still the,
great, how do you make the cake? But if I've got an understanding
of how you're doing it to a very efficient level, even if I don't have the recipe, I can go use
your process to be very efficient in whatever I'm doing. Maybe I can even do it better with
my own recipe. So long story short, there's probably more, but there's at least two kind
of clearly defined categories of intellectual property in these environments. And the best
place to get at them and protect them
is in the operations environment where they exist.
I've got to take the recipe.
I'm being shorthand here.
It's not just like this one master recipe,
but I've got to take the recipe of sorts
and load it into the automation environment.
So those project files and the data
and the engineering workstations
that have all that information,
it's right there for you about what we're trying to make.
And then again, data historians,
human-machine interfaces and engineering drawings and everything else is, here's how we're
making it. Combine those two things together and you can rip off any company in the world.
Yeah. All right. Well, Robert M. Lee is CEO at Dragos. Rob, thanks so much for joining us.
Thank you.
security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed
to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And finally, Richie Koch on the Proton blog points out that in 2023, big tech companies like Alphabet, Amazon, Apple, Meta, and Microsoft were fined just over $3 billion for legal violations.
However, their immense revenues allowed them to earn enough
within a week of 2024 to cover these fines,
demonstrating how minor such penalties are for these tech giants.
Despite consecutive years of multi-billion dollar fines,
these companies often delay payments,
viewing fines merely as a cost of doing business.
The current punitive measures fail to deter their rule-bending behavior,
underscoring the need for more impactful regulatory actions
to address privacy breaches and antitrust issues
in the rapidly evolving digital landscape.
The fines are so insignificant compared to their earnings
that they hardly affect the company's operations
or prompt significant changes in their corporate governance. As my CyberWire colleague Rick Howard
likes to point out, if we want tech companies to take these sorts of fines seriously, we need to
hit them in a way that goes farther than simply making them dig through the couch cushions for
loose change. And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks
podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find
Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. We're privileged that N2K and podcasts like the Cyber
Wire are part of the daily intelligence routine of many of the most influential leaders and
operators in the public and private sector, as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are
Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.