CyberWire Daily - A US EO addresses EU data privacy concerns. China’s favorite CVEs. Election security and credit risk. COVID phishbait. Notes from the hybrid war, including some really motivated draft evaders.

Episode Date: October 7, 2022

A US Executive Order outlines US-EU data-sharing privacy safeguards. CISA, NSA, and the FBI list the top vulnerabilities currently being exploited by China. A look at election security and credit risk... to US states. COVID-19-themed social engineering continues. Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. Notes from the hybrid war: Killnet and US state government sites, the prospects of deterrence in cyberspace, and, finally, maybe the most motivated draft evaders in military history.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/194

Selected reading.
FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework (The White House)
Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors (CISA)
Government credit risk associated with election risk (CyberWire)
Exploiting COVID-19: how threat actors hijacked a pandemic (Proofpoint)
Ukraine at D+125: Abandoned tanks and discontented hawks. (CyberWire)
Department Press Briefing – October 6, 2022 - United States Department of State (United States Department of State)
2 Russians fleeing military service reach remote Alaska island (Military Times)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A U.S. executive order outlines U.S. and EU data-sharing privacy safeguards. CISA, NSA, and the FBI list the top vulnerabilities currently being exploited by China. A look at election security and credit risk to U.S. states. COVID-19-themed social engineering continues.
Starting point is 00:02:20 Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. And notes from the hybrid war. Killnet and U.S. state government sites. The prospects of deterrence in cyberspace. And finally, maybe the most motivated draft evaders in military history. From the CyberWire studios at DataTribe,
Starting point is 00:02:58 I'm Dave Bittner with your CyberWire summary for Friday, October 7th, 2022. An executive order signed this morning by U.S. President Biden outlines the privacy safeguards the U.S. undertakes to put in place pursuant to the agreement reached with the European Union in March of this year. The executive order specifically addresses European concerns about U.S. signals intelligence and other intelligence activities. It reassures the EU that the U.S. will conduct SIGINT only in pursuit of defined national security objectives and that U.S. SIGINT will be conducted with due respect for the privacy of individuals, whatever their citizenship. It also undertakes to establish safeguards and mechanisms to resolve any concerns or disputes over data handling and compliance.
Starting point is 00:04:11 NSA, CISA, and the FBI have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. The full list of vulnerabilities, including recommended mitigations, can be found in the report. Most of the CVEs can be solved by applying patches or updating to the latest version, and the alert also offers advice on configuring certain products to mitigate risks. It's working-level advice. It won't hold the interest of political scientists and international relations experts interested in Beijing's goals, motives, and policies, but there's more than enough there to keep CISOs, SOCs, IT personnel, and the C-suites and boards they work for informed and busy. Reading it is time well spent. Moody's Investors Service released a report
Starting point is 00:04:57 detailing election risks as they relate to cyber risk. The service discusses how local governments are more exposed to credit risks as there's a shift from core services to election security and calls on state and federal funding to mitigate risk. National security officials are preparing for increased risk of cyber attacks and influence from threat actors who seek to erode confidence in election infrastructure in the U.S. Election interference can cause hindrances in policymaking, as focuses can be on political and social tensions and disrupting institutions' stability.
Starting point is 00:05:37 Differences in voting technologies across the country, as there's no central election management system, change and affect cyber risk and exposure. Widescale interference at the federal level won't happen due to a lack of centralized election management, but local and state governments remain the focus of risk. Election-related cyber attacks would also be bad for local governments as well, because that would require a shift from costs only allotted to operate the elections and not for a whole cyber response. So that would be a negative financial move. Proofpoint has released research detailing how threat actors
Starting point is 00:06:14 took advantage of the COVID-19 pandemic for personal gain. The report highlights how threat actors are creatures of opportunity, acting when a threat is of relevance to their audience. In this case, threat actors could cast a wide net, as COVID-19 was relevant to the entire world. It was noted that the pandemic also provided a good background for any type of cybercrime. The pandemic was also a big change in both personal and business-related matters, and so social engineering tactics were found to target both. CyberScoop has an update on how U.S. states,
Starting point is 00:06:51 particularly Colorado, Kentucky, and Mississippi, are recovering from the DDoS attacks that took some sites offline briefly this Wednesday. The incidents seem, for the most part, to have been quickly contained, but that hasn't inhibited Killnet, in an Ozymandian mood, from calling its action USA Offline. Some of the group's website defacements have displayed the Statue of Liberty in front of a mushroom cloud, the scene emblazoned with the motto F-NATO. We're a family show, so they didn't really just say F, but you get the picture. It's low-grade vandalism.
Starting point is 00:07:29 Killnet is generally held to be a criminal group closely aligned with Russian government interests. The Five Eyes Joint Advisory of April 20, 2020 assessed them as much, stating, "According to open-source reporting, Killnet released a video pledging support to Russia. Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response to U.S. material support for Ukraine." As a purely criminal group, Killnet would have to be assessed as a fizzle. They're unlikely to be making a living from DDoS and website defacements,
Starting point is 00:08:10 but their operations make sense if they're functioning as an auxiliary of Russian intelligence services. Ambassador-at-large for cyberspace and digital policy Nate Fick, the first official to hold the new U.S. State Department post, was sworn in on October 4th. Yesterday, he addressed journalists on, among other matters, the current state of Russian cyber operations in the war against Ukraine. He advocated extending deterrence across the cyber domain and is encouraged by the NATO unity he sees in this respect. He thinks deterrence seems to have inhibited Russian cyber attacks outside Ukraine. With Ukraine itself, he credited effective defense and close public-private cooperation
Starting point is 00:08:48 with limiting the damage of Russian cyber ops. The idea of extending deterrence into the cyber domain is an important one across many facets of American foreign policy, including Russia's war in Ukraine. I think that the degree of unity of purpose across the NATO alliance that we're seeing is encouraging. Cyber deterrence is a part of that. And to some extent, it's working, right? We haven't seen a ton of lateral escalation using cyber means outside Ukraine by the Russians. Inside Ukraine is one of the interesting success stories of early days is the effectiveness of public-private partnerships on the ground with software vendors that have, in some cases, hundreds of millions of systems deployed in Ukraine and the
Starting point is 00:09:40 feedback loop between them and the U.S. government on things like threat intelligence sharing and then pushing patches out to systems. I lived this on the other side of the table in the private sector for a long time, and I'm not accustomed to seeing it work as smoothly and quickly as it is right now. That's Ambassador-at-Large for Cyberspace and Digital Policy, Nate Fick. And finally, if you'll permit us a moment to talk about the kinetic world, Russia's partial mobilization has proved widely unpopular with the men whom it seeks to sweep back into the ranks.
Starting point is 00:10:13 Estimates of the number who fled the country range from a low of 300,000 to a high of 700,000. We, of course, don't know the true figure. Probably no one does. But it's certainly more than the Kremlin would wish. Two reluctant soldiers deserve some kind of recognition, however. They turned up at a beach on St. Lawrence Island, Alaska, after crossing the Bering Strait in a small boat, and they asked for, and received, asylum in the U.S. It's not clear how far they traveled across one of the nastiest stretches of water on the planet, but it's at least 36 miles from Siberia's Chukotka Peninsula.
Starting point is 00:10:54 The Telegraph says they may have traveled about 300 miles in their crossing to Alaska. That's some motivated voting. Oh, and we're sure everyone is sending appropriate thoughts in the direction of President Putin on the occasion of his 70th birthday. We hear the celebrations have been muted. Coming up after the break, Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. Stay with us.
Starting point is 00:11:44 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:12:09 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:12:58 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. There have been recent reports of threat actors phishing school board meetings. Our UK correspondent, Carole Theriault, spoke with Joel Hollenbeck from Check Point Software on the issue.
Starting point is 00:13:49 She files this report. So today we are chatting with Joel Hollenbeck. He is head of engineering at Check Point. And we are talking about how local community and school board meetings have yet another threat vector to watch out for. So thank you so much for coming on the show, Joe. Yeah, thank you for having me this morning, Carole. Maybe we could start by you setting the scene for us. What's been going on out there? In our threat research efforts around email phishing attempts, explicitly, we discovered,
Starting point is 00:14:23 you know, a new methodology that the threat actors are using. The latest one that we're seeing is that they're taking advantage of the recent interest in school board meetings. Folks are getting more involved in local politics, specifically around school board meetings. This is led in from the lead up to the pandemic and the response to COVID. But because of the interest in that, the threat actors are following there. And they are attempting to phish people that are interested in these meetings by sending specifically crafted invitations that have malicious intent. And they're having great success in doing so. So maybe I want to join my local school board and I've been looking out for an invitation to
Starting point is 00:15:11 get on there. Maybe I've been waiting for that. And what happens? So I get a kind of spoofed email type thing? Yeah, that's precisely what happens. The threat actors in this case are sending out spoofed emails, again, that have malicious attachments involved in them. Much like many of the other spoofing attempts or brand impersonation attempts that we see by the threat actors out there using this human hacking approach, they're attempting to fool the viewer of that email or that message or that communication into believing that it comes from an authoritative, legitimate source. In doing so, you know, they're attempting to get under your risk radar, right? They're trying, you know, you trust it for a second because it looks legitimate. Therefore, I don't have to have
Starting point is 00:15:56 my guard up when I click a link or I open up attachment. This is coming from the school bar, right? So I'm going to open this up. Yeah. So listeners here now are forewarned, right? In this case, I'm guessing forewarned is forearmed. Is there anything that people can do to prevent becoming a victim of one of these? How do you watch out for it? Well, there's a number of things. First of all, you advise everybody to have an extremely healthy level of skepticism, if not downright cynicism, when it comes to
Starting point is 00:16:28 cybersecurity issues. Make sure that you know who it is that you're talking to. Make sure that somebody else doesn't have control of the account. Avoid clicking on links and opening up attachments. Like, for example, if you, you know, maybe you, you know, we're all human, right? We do have needs, right? We're going to do some shopping for Valentine's Day. Well, don't click on the link for, you know, the Build-A-Bear link that you may have gotten in the email. Instead, you know, go to your search engine and use one of the links there because a link that you get via email, even though you may believe it's from that legitimate source or
Starting point is 00:17:02 even from a friend, doesn't mean that that link isn't going to be malicious. So I think that going directly to the source reduces some of that risk. And the other part of it is not just being skeptical and using methodologies to avoid opening up these things that are potentially malicious, the more we're individually educated about the means and methods that the threat actors use, the better prepared we are and the less skeptical we have to be. And it turns more into education. You could be aware of the vectors that they use and the techniques that they use and how they roll through these like a Rolodex and they constantly mix and match them and use the same tools
Starting point is 00:17:50 over and over again and realize that regardless of how they're doing it, they're going after something that's going to create an emotional response, something that's going to cause the viewer of this message or the receiver of this message to have some sort of an urgent response to it. And that's how they get under the radar. They get to the user and they get them to do something that just is a brief second where they feel like they have to do something urgently or it's emotional and that it reduces your logic train in your brain.
Starting point is 00:18:24 You click on that link, you open up that attachment and they got you. Sage advice. This was Joel Hollenbeck, head of engineering at Check Point. Thanks for being on the show. Thank you very much. And this was Carole Theriault for the Cyber Wire. And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to welcome you back to the show. It strikes me that perhaps an area of critical infrastructure that doesn't get some of the attention of what I would call the more flashy things is food and beverage security,
Starting point is 00:19:12 which of course is critical to all of our survival. What is the status of things when it comes to food and beverage? So when we look at manufacturing at large to include food and beverage manufacturing, I would say that at one point in time, there was a lot of thought process put into those companies and the security teams did good with whatever they had. I'm not saying, by any measure, manufacturing and food and beverage is not exactly at the top of spend and similar for global community. So let's not try to sugarcoat it, but those teams busted their tails to do what they could, which usually had a lot to do with segmentation.
Starting point is 00:19:51 Firewalling things off, getting that segmentation. Which, honestly, is where a lot of industrial was. However, manufacturing, especially food and beverage, more so than most industries digitized earlier. So they started taking advantage of that industry 4.0, digital transformation, call it whatever buzzword you want. They started taking advantage of that journey earlier than a big electric company or similar. And so you started to see remote connectivity and digital assets and similar
Starting point is 00:20:19 a lot more in those environments. What all that means is we massively increased the risk with digitization and connectivity at a time that adversaries were targeting industrial systems specifically without adapting the actual security portfolio much beyond segmentation, maybe some targeted patching. And so what's happening is most food and beverage companies at a board level are becoming hyper-aware of this. I see board members and CEOs that are better informed on the cyber risk to manufacturing than some of the CIOs and CISOs I sit down with. It's fast in terms of its development. And the reason for that is there's a significant number of incidents that are happening because
Starting point is 00:21:03 of that digitization and connectivity. And in every single one of the cases, the top two findings is, number one, the executives have a much rosier view of their OT security program than reality. And number two is they didn't actually have the data collection tooling deployed in the first place to actually get to root cause analysis, the data that they would need for the incident,
Starting point is 00:21:24 or questions they would have, regulatory questions, etc. So their board members are sitting on other companies' boards that are going through these incidents and all the problems that come with them a lot more than is being discussed publicly. And they're driving those discussions on the other boards they sit on. That's kind of what's happening. And as a result, we're starting to see a lot of discussions about, cool, how do we do OT security? How do we get in those environments, et cetera?
Starting point is 00:21:53 But there's still a lot of legacy challenges, and it's not a technology challenge. Usually it's a cultural challenge, where maybe the manufacturing, the way that they do it, is each plant has their own budget and any security expenditures comes out of that budget, including the bonus structure that's going to go to your plant manager. And so you have some of these incentives that are misaligned
Starting point is 00:22:15 with what you're trying to accomplish as a corporate risk and corporate governance. So a lot of those food and beverage manufacturers are starting to have conversations about how do we centralize the budget for that security, even if the implementation is local, so that we can incentivize the right risk reduction across our company? And how do we get more insights in the challenges that we're facing other than board members sitting on one board talking to another board? What realistically are the perils that these folks face here? I mean, obviously, you know, you've got things like ransomware, shutting down production lines. Are there risks of, you know, bad food being sent out? People, safety issues?
Starting point is 00:22:54 Yeah, absolutely. So there's a broad range of things that can happen. But I usually like to focus the conversation on what things have happened, right? I don't want to, well, one day these three state actors could team up and play volleyball and come after you. And it's like, let's not happen. Let's dial down the hype. I'm glad that there's good research about what could happen. But when you're at the place that we are in the community,
Starting point is 00:23:14 let's focus on what has happened, cover down the knowns, then we can get to that. And so on those knowns, if you will, the number one for that industry for sure is ransomware. It's happening way more often than is the public. I still see people on social media and stuff every now and then, like, we did it, guys! We lowered ransomware with all these changes. No, people just stopped talking to you.
Starting point is 00:23:37 It's still pretty hot out there. That's the number one. But I would say on that, the realization that it doesn't have to go through IT is one that is the big realization for them. There's a lot of legacy mindsets around, oh, well, here's our ERP or the SAP system for scheduling. Yeah, if it gets hit, we go down. And of course, our IT network goes down and we lose the ability to sell and do the production.
Starting point is 00:24:01 It's like, well, not only that, though, but you also have shared AD infrastructure, Active Directory now, from IT to OT, and that's getting compromised and populating like a highway of death down into OT. Or you have your digitization, which is not only cloud access, but integrators, OEMs, and they're getting hit directly
Starting point is 00:24:17 and hitting directly into the OT. And so the idea that ransomware is important in manufacturing is a no-kidding kind of statement, but ransomware-specific and starting in OT is the one that they're starting to grapple with and understand. The second thing we see quite a bit of is intellectual property theft from state adversaries, but it's not intellectual property theft on things like recipes.
Starting point is 00:24:38 It's not like, hey, what's the secret sauce of that new cereal? That's not the discussion. The discussion about intellectual property theft and industrial usually, it can't be recipes, but usually it's how did you integrate an environment? How did you build this environment? What vendors did you choose? What physical parameters did you put in place?
Starting point is 00:24:58 What control and instrumentation did you do so that you could take cheap quality inputs and make high quality repeatable outputs? The industrial espionage is almost the ICS itself, not some recipe. And then the third thing we see quite a bit of is mostly around accidents and things happening, unintentional issues, or random malware stuff. But what it is, is people don't have the visibility in their environment to know how things are configured.
Starting point is 00:25:27 And the growing industrial automation complexity in these environments is making it where individual engineers and operators can't really troubleshoot things as well anymore or get to root cause analysis. So some of the security tools and things like visibility and network monitoring are providing as much resilience value as they are security value, which is a really good conversation.
Starting point is 00:25:47 The fourth that we don't see a lot of, but I am worried about, is the one you hit on. We have seen safety-related targeting attacks. We've seen those incidents. I cannot stand in front of you and say that I've seen it in a way that is something that I think was intentional in food and beverage. But I am worried about, once we get through those known scenarios,
Starting point is 00:26:06 that is immediately where I'd focus people because of the safety impact. And there's a lot of these producers that it's not just things like cereal or whatever. There's beverage producers that you may know for certain soda products that actually make a lot of milk in certain countries or other things that are more perishable and important to the local ecosystem. And there's a lot of safety concern around the production of those facilities. All right. Well, interesting insights as always. Robert M. Lee, thanks for joining us.
Starting point is 00:27:11 Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire. For links to all of today's stories,
Starting point is 00:27:59 check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Jen Miller-Osborn from Palo Alto Networks' Unit 42. We're discussing their recent work. Russian APT29 hackers use online storage services, Dropbox and Google Drive. That's Research Saturday.
Starting point is 00:28:20 Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:29:44 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
