CyberWire Daily - A threat to release stolen proprietary data. The C2C market: division of labor and loss-leading marketing ploys. Misconfigured Salesforce Communities. Sanctions-induced headwinds for Huawei.
Episode Date: August 10, 2021
RansomEXX threatens to release stolen proprietary data. Some looks at the C2C market, the criminal division of labor, and a splashy carder marketing ploy. Misconfigured Salesforce Communities expose organizational data. Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment. Ben Yelin on the proposed U.S. Bureau of Cyber Statistics. Huawei faces sanctions-induced headwinds. Mexico's investigation of Pegasus abuse continues, but so far without arrests or resignations. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/153
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Ransom EXX threatens to release stolen proprietary data.
Some looks at the C2C market, the criminal division of labor, and a splashy carder marketing ploy.
Misconfigured Salesforce communities expose organizational data.
Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment.
Ben Yelin on the proposed U.S. Bureau of Cyber Statistics.
Huawei faces sanctions-induced headwinds.
Mexico's investigation of Pegasus abuse continues,
but so far without arrests or resignations.
From the Cyber Wire studios at DataTribe, I'm Elliot Peltzman, filling in for Dave Bittner, with your Cyber Wire summary for Tuesday, August 10th, 2021.
The Ransom EXX gang, recently active against targets in many countries,
is threatening to leak sensitive information it stole during its ongoing extortion of hardware manufacturer Gigabyte.
Computing reports.
The data are claimed to be proprietary, with many of them under non-disclosure agreements.
The attack caused Gigabyte to shut down some of its operations last week.
Bleeping Computer saw the ransom note, which said, in part, quote, We have downloaded 112 gigabytes of your files and we are ready to publish it. Many of them are under NDA. End quote.
Screenshots of four documents said to be under an NDA were provided to show that the thieves had the goods they claimed.
A study by the Cyber Intelligence Shop at Insights sketches the criminal-to-criminal market
and why it exists in the first place. Truly vertical integration is as rare in the underworld
as it is in legitimate markets. No gang is likely to be able to do it all, hence the emergence of
affiliate programs, initial access brokers, and so on. Insight's white paper says, quote,
These underground criminal websites are key enablers for both buyers and sellers.
On one hand, they enable buyers with fewer skills or resources to obtain raw materials with which to construct criminal enterprises, including malware, other malicious tools, illicit infrastructure, and compromised data, accounts, and payment card details.
This accessibility lowers barriers to entry into the criminal ecosystem for actors who might otherwise lack necessary skills or resources, but have the money to make investments.
On the other hand, these websites enable actors with more skills and resources to monetize the fruits of their labor, and convert their attacks or other malicious activities into profits.
End quote.
The criminal-to-criminal fora are polyglot, but the Russophone sites appear to be the leaders.
Insights writes, quote,
The Russian-language forums tend to have the most unique and sophisticated offerings,
and often display higher standards of professionalism.
English-language forums include not only North American and other native Anglophone criminals,
but also non-native speakers of English from around the world, including former British colonies.
Other language-specific forums serve geographically concentrated communities, such as the Romanian speakers of Romania and Moldavia and the Portuguese speakers of Brazil,
both of which are also significant hubs for cybercrime.
Forums also exist in other widely spoken languages, such as Spanish and German.
The initial access brokers form a thriving subsector of the criminal economy,
and buying access makes economic sense to the criminal
gangs who are the purchasers. The C2C marketplace also sees a range of marketing ploys. All World
Cards, a relative newcomer to the carding market, the underworld market where paycard information
is traded, is seeking to make a name for itself by dumping about a million stolen cards online.
Bleeping Computer reports that Livorno-based security firm D3Lab
has looked at the dump and believes about half of the cards are current and valid,
which is an unusually high fraction for any carder offering.
And security company Cyble told Bleeping Computer that the data on offer includes credit card numbers,
expiration dates, CVVs, names, countries, states, cities, addresses, zip codes for each credit card,
and email addresses or phone numbers. The criminal buyers of carder services seem to have been
favorably impressed by the marketing ploy, and so All World
Cards will probably bear watching. To Interpol, Europol, the FBI, and other law enforcement
authorities, we simply say, good hunting. Security firm Varonis has found exposed
Salesforce communities accessible to the internet. The exposures are the result of misconfigurations.
The data at risk includes such things as customer lists, support cases, and employee email addresses.
If such a misconfiguration is detected and exploited, what would the consequences be?
Varonis says,
At a minimum, a malicious actor could exploit this
misconfiguration to perform recon for a spear phishing campaign. At worst, they could steal
sensitive information about the business, its operations, clients, and partners, end quote.
There's also the possibility of lateral motion from the Salesforce account into other services
that the organization has integrated with their Salesforce account. The U.S. continues its efforts to persuade
friendly governments to avoid Huawei-manufactured equipment. Reuters describes a recent U.S.
approach to Brazil, during which the U.S. observed that Huawei's supply chain difficulties
would end up with it leaving Brazil's telecommunications infrastructure high and dry. Those supply chain difficulties,
of course, have been induced by worldwide concern over the security risks Huawei equipment may carry
with them. And, of course, due to U.S. sanctions that have restricted Huawei's access to the
technology it needs to develop and produce its products.
China's embassy in Brazil has protested what it characterized as American smears and coercion.
The state-run media outlet Global Times says the embassy put it this way,
quote,
We express strong discontent and vehement objection to overviews of how Apple's child protection initiatives
have prompted a resurgence in the crypto wars.
We'll have more notes on the current
engagement in this afternoon's Pro Policy Briefing. Mexican prosecutors continue to
investigate their country's corner of the NSO scandal, seeking to determine who authorized
using Pegasus intercept tools against ordinary citizens and government critics. Reuters reports that so far there's no joy: they've come up with no arrests and prompted no firings.
Watchdog organizations have been critical of the investigation's progress,
complaining that the office conducting the probe is effectively itself implicated in the use of Pegasus.
The investigators point out that it's a difficult and complicated investigation.
Ricardo Sanchez Perez de la Pozo,
head of the Special Prosecutor for Crimes Against Freedom of Expression,
defending his investigative team,
said they were close to bringing the first case to court.
He told Reuters, quote, this is a really complex investigation. It has advanced significantly, end quote. Mexico was the first significant international Pegasus customer,
spending $160 million on the intercept tool since 2011. And finally, a quick reminder that it's
Patch Tuesday. Expect fixes to be issued throughout the day.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Ron Brash is Director of Cybersecurity Insights at Verve Industrial Protection.
I caught up with him recently for his reaction to a CISA advisory regarding ICS equipment from General Electric.
So today we're going to be talking about this new CISA advisory regarding the GE ICS equipment.
Can we start off with just some high-level stuff here?
Can you give us a little brief overview of what we're talking about?
Sure.
So, I mean, there was, I think, four different organizations involved here.
There was Idaho National Labs.
There was SCADA-X. And when I say Idaho National Labs, it's like the Citrix program.
And then you have Geometric. And obviously, there's a lot of people that went into... A lot
of thinking that went into making this collection of vulnerabilities. But actually, what it does is
it affects a large number of products that share very similar firmware to each other that accounts for a big
portion of the energy industry's relays. But they're not just limited to the energy industry
because you can make energy anywhere or you run a turbine or a generator. And so these type of
devices, these protective relays are used all over the place, not just for, you know, for example,
in windmills or next to a coal turbine, but they're used even, you know, for heating the water in a mine in a remote
area.
It's not your typical GE product demographic, but that could be a potential use case of
it.
So there's a bunch of vulnerabilities there that affect what largely looks like third
party components, right?
There's things with, you know, the ciphers that are used for communication over SSH, for example.
You also have issues with the web server that's running on the device
and how it parses traffic.
And then there's other functionalities such as what we call first-tier OEM software
that can push firmware to the device, and there's no integrity checking upon it.
And then there's also some bootloader problems there too.
So there's a whole gamut of vulnerabilities in this release.
And so what are the opportunities for folks to mitigate the issues here?
Well, the good news is that GE did the right thing and said,
hey, we do provide firmware updates, right?
That's a great step by a vendor.
Unfortunately, instead of just saying, hey, we're going to analyze the product, you should move to a newer one,
the updates don't apply to all of the firmware of all of these devices.
So there's 14 different CPU revisions for this device, which would make sense.
It's lived a long time. It's over many different products.
There's just different hardware inside of each of them.
And there's only firmware really available
for four of those 14 different CPUs.
Now, I'd say all of the fixes are unique, right?
There's different versions of firmware for all of them.
But there is some gaps there.
So if I were to say, go update your devices
when it's appropriate, that works if you can.
But if you can't, right, you want to make sure
that you've,
you know, you've locked down the devices
to a set of least functionality
or at least principle features
that are available to the device.
So an example,
if you have the option
of turning off the web server, do it, right?
Like if you're not using it,
that would make sense.
You know, the bootloader vulnerabilities,
you know, watch for weird things at startups, right?
Prevent them from physical access. The vulnerability for that one was actually a bit misquoted, not one I can speak
to much more. But the other ones, you know, limit access to them, make sure they're on isolated
networks, make sure the system speaking to them are speaking to them in a secure manner and are
secure themselves. You know, it's your general boilerplate cybersecurity remediation strategies.
But in particular, because these devices are used in critical infrastructure and in very critical in function type situations, we really need to engineer up the risks by doing all of the things that I just mentioned.
And to what degree will the folks who are working with this particular type of equipment be aware that, first of all, they're working with this kind of equipment and that potentially they have an issue here?
Well, probably one of the first indicators that you'd have this device, I mean, assuming that you knew nothing about your inventory of assets out there in the field.
One of the things that they'll probably do is to look through, hey, which OEM software tools do we have, right? So that could be the EnerVista series.
And for each of these products, they have their own installers.
But you want to find out what you're using and where it's being used from.
So they're probably going to say, okay, we know we got some GE relays out back.
Hey, let's pull up the specs or log into the technician laptop or something and say,
see if that OEM software is there.
If you see it there, chances are then you know that you have at least one of these devices out there in the field.
So that would give you a good indicator of, you know, okay, I have a problem.
Let's go figure out how many devices I have.
The other thing is many of these devices are in their most insecure deployment schema, if you will.
There's a bunch of reasons for that.
Part of it's integrators didn't harden them.
The customer didn't require it.
These options are there, but no one used it
because it had some sort of idiosyncrasy
where it didn't work under a certain situation.
There's plenty there for a vendor to get started,
even without a firmware update.
And then what they want to do is to make sure
that those devices are secure within their premises
and also within their particular network zones as well.
How do you see things playing out as we go forward in terms of this being an ongoing issue?
This will absolutely be an ongoing issue.
Vulnerabilities will continue to be created, right?
Well, I mean, not created, discovered is probably a better term.
And in that case, what you need to do is to think
about a consequence, you know, engineer of the risk, consequence-based engineering, right? To
quote Andy Bochman at INL. You're going to have to think more about that. You're going to have to
think that almost all embedded devices are vulnerable. So what do I do to get that risk
down to a level that I'm comfortable with? And to do that, you'll have to think about compensating controls right off the bat and try to really limit the connections to these devices.
One option might be people will say, well, let's not have any Ethernet functionality. Let's go back
to the old analog and serial ways. There's a reason why we got away from that. And so I don't
see that as a particularly good option. But one option could be for asset owners
to start leveraging more of the secure deployment guidelines
that are produced by vendors and forcing their integrators,
forcing the persons that are installing this gear
to actually adhere to them and actually testing
whether or not someone actually did the work, right?
Instead of just saying they did so.
I think that there'll be more focus on that
of secure deployments moving forward.
But a lot of these devices are legacy devices or legacy deployments.
And so we're just, you know, we're doing cleanup at the moment.
That's Ron Brash from Verve Industrial Protection.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article. This is from the folks over at Federal News Network.
This one's written by Jory Heckman, and it's titled,
National Cyber Director, Bureau of Cyber Statistics Needed to Understand the Threat Landscape.
What's going on here, Ben?
So this article leads off with a great hook.
I did not know about this historical fact. But in the early days of the U.S. Post Office, when Benjamin Franklin was Postmaster General,
he gave local postmen at the time a task to jot down the local weather conditions,
mail them back to headquarters on a postcard so that they could aggregate information.
Because Benjamin Franklin rightly realized that weather in one area didn't exist in a vacuum.
And you could understand more about the meteorological conditions in this country
by collecting a wide array of data.
To circle that back to something that's relevant to us,
what the National Cyber Director, Chris Inglis, said at a recent meeting
is that we need to engage in a similar sort of effort as it
relates to cyber threats. We need to know, in his words, which way the winds are blowing.
So his idea is to stand up what would be called a Bureau of Cyber Statistics. This would require
an act of Congress. It would be housed within the Department of Homeland Security. And they
would be tasked with collecting, analyzing, and publishing data on cybersecurity, cybercrime, and threats.
You know, one thing that's interesting to me is these are the type of statistics that have been so valuable to us in a pandemic.
We've been collecting them in the public health realm.
Obviously, we haven't been doing a good enough job collecting that data.
But to get a full understanding of, to get a full threat
assessment, what are the conditions out there? What are the variants of concern that are going to
increase infections? What are problem areas of the country where we're seeing surges in
hospitalizations? We have, through the CDC, set up a centralized system where we can collect data
from states and localities, local hospital systems,
to understand the threat landscape. And right now, we don't have that in the cyber world.
So this is not only an idea that's been pushed by Director Inglis, but it was also originally
proposed in the Solarium Commission report, which is interesting because one of the other
recommendations of the Solarium Commission report was to create the job that Mr. Inglis himself now holds.
So Congress certainly has taken to heart some of those recommendations in the Solarium Commission report.
And I think it would be wise of them to take this recommendation as well.
You know, I've heard some folks compare this sort of thing to aviation, where if you have an incident, you're obligated to report
that incident, and then there will be an investigation. Could we see a similar sort
of effort? I mean, could something like that be rolled into this organization?
Yeah, I mean, I think that's what the idea is here, is you're collecting disparate information
on individual circumstances and trying to aggregate it so that you get a better picture of the threat landscape.
And we see that in law enforcement tools that are used at the local level,
where you're collecting information on the location of crime, high crime,
certain characteristics of neighborhoods that lead to more violent crime.
Now, obviously, we can question the accuracy of those tools.
But the idea is each piece of disparate information is not collected in a vacuum.
You have to have some sort of central location where it's stored and analyzed so that you
can identify the next threat potentially before it comes to pass.
I guess what I'm getting at, though, is also the obligation to report. We hear folks are reticent to report ransomware incidents, for example, because they don't want the bad PR that could come be as politically tenable. I still think creating
this Bureau of Cyber Statistics
would be valuable, even if there wasn't
a legal obligation to report.
Because a lot of entities would still
voluntarily report.
If they're less concerned about their own
liability, or if they're
sure they're not going to be held
liable, or they're not going to suffer
reputational damage from being the victim of a cyber attack. They may see value in a broader effort to,
you know, aggregate information and try and protect our networks for the future.
So I think it can still work even in the absence of mandatory reporting. And I think the article
makes that clear. We're not always going to collect every piece of relevant data.
The more data we can aggregate, the better.
So, you know, I think as long as we recognize
that this is going to be an imperfect system,
I don't think that should stop us
from setting up a system that would perform that role.
All right.
Well, again, the article is from the Federal News
Network. It's titled National Cyber Director, Bureau of Cyber Statistics Needed to Understand
Threat Landscape. Ben Yelin, thanks for joining us.
Thank you.
Breaking news happens anywhere, anytime. Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It will save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing Cyber Wire team is Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Elliot Peltzman filling in for Dave Bittner. Thanks for listening.
Thank you.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.