CyberWire Daily - An ICS update from CISA. Ransomware notes: LockBit, Clop, and ESXiArgs. Vulnerability in Toyota’s GSPIMS. Two new Russian cyberespionage efforts hit Ukraine. And a direction for US privacy policy.
Episode Date: February 8, 2023

CISA releases an ICS security advisory affecting a smart facility system. LockBit threatens to release Royal Mail data tomorrow. Cl0p ransomware expands to Linux-based systems. A vulnerability is identified in Toyota's GSPIMS. There's an ESXiArgs update: new trackers and mitigation tools are available. Russia is running two new cyberespionage campaigns against Ukraine. Our guest, Roya Gordon from Nozomi Networks, discusses the ICS threat landscape. And The Washington Post's Tim Starks provides analysis on last night's State of the Union. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/26

Selected reading.
CISA Releases One Industrial Control Systems Advisory (CISA)
LockBit group threatens to publish stolen Royal Mail data tomorrow (Computing)
Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available (SentinelOne)
Hacking into Toyota's global supplier management network (Eaton Works)
Researcher breaches Toyota supplier portal with info on 14,000 partners (BleepingComputer)
Vulnerability Provided Access to Toyota Supplier Management Network (SecurityWeek)
CISA Releases ESXiArgs Ransomware Recovery Script (CISA)
ESXiArgs Ransomware Campaign Targets VMWare ESXi Vulnerability (SecurityScorecard)
Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine (Symantec)
Remcos software deployed in spying attempt on Ukraine's government, CERT says (The Record from Recorded Future News)
The State of the Union was light on cybersecurity (Washington Post)
Biden calls for action on privacy rights in State of the Union (CyberScoop)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA releases an ICS security advisory affecting a smart facility system.
LockBit threatens to release Royal Mail data tomorrow.
Cl0p ransomware expands to Linux-based systems.
A vulnerability is identified in Toyota's GSPIMS.
There's an ESXiArgs update.
New trackers and mitigation tools are available.
Russia is running two new cyber espionage campaigns against Ukraine.
Our guest is Roya Gordon from Nozomi Networks
to discuss the ICS threat landscape.
And The Washington Post's Tim Starks provides analysis
on last night's State of the Union.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 8th, 2023.
We begin with a quick note for operators. The U.S. Cybersecurity and Infrastructure Security Agency has released an industrial control system advisory for N-Ocean Smart Server, which is mostly used in smart building, smart city, and smart factory settings. Users should check their systems for vulnerable instances and apply the necessary updates and mitigations in accordance with the vendor's instructions.
According to Computing, the LockBit ransomware gang has run out of patience. The gang says it will release the data it took from the Royal Mail tomorrow if its ransom demands aren't met by then. Reuters reports that Royal Mail doesn't believe the stolen data contains any sensitive financial or personal information, which may be why the Royal Mail has so far hung tough on paying the ransom.
SentinelOne reports that the operators of the Cl0p ransomware have expanded the scope of their operation to include Linux systems. The Executable and Linkable Format variant, that's ELF, is out and active in the wild. There's good news as well, however. The ELF executable contains a flawed encryption algorithm, making it possible to decrypt locked files without paying the ransom. And bravo, SentinelOne, which has made the free decryptor available.
Security researcher Eaton Works claims the ability to breach Toyota's Global Supplier Preparation Information Management System, GSPIMS, which the company uses to manage its global supply chain, BleepingComputer reports. Eaton Works explains that any user could be logged into just by knowing their email, completely bypassing the various corporate login flows, and they were able to gain full access to internal Toyota projects, documents, and user accounts, including user accounts of Toyota's external partners and suppliers. The researcher found that the user service would generate a JSON Web Token after simply entering an email address with no password. JWTs are session tokens used to validate authenticated users. They logged in by guessing a Toyota employee's corporate email address, then used this access to discover employees with more access. Eaton Works eventually gained full control over more than 14,000 users, as well as access to thousands of confidential documents. Eaton Works responsibly disclosed this issue to Toyota, and it was patched in November 2022. They note that they weren't offered a bug bounty for their efforts.
We've heard a lot over the past week or so about the old, and we stress, patched issue in VMware's ESXi product, and the news continues to come. CISA and SecurityScorecard have both developed tools to mitigate and track attacks by ESXiArgs ransomware. CISA has released a script that can, in some cases, rebuild virtual machines from flat files and recover data encrypted by ESXiArgs. BleepingComputer explains that the ransomware failed to encrypt flat files where the data for virtual disks are stored. CISA itself advised that the script was prepared on the basis of work by third-party researchers.
SecurityScorecard has published a report looking at potentially vulnerable ESXi servers and cases in which these servers have recently communicated with malicious IP addresses. They state, "The IP address that appears most likely to reflect an attempt by a ransomware group to exploit this vulnerability is 161.47.17.28." They add that it not only appeared in all three of the ESXi traffic samples collected in response to the recent advisories, but also appeared in multiple previous STRIKE Team ransomware investigations. So continue to check your systems and update them as appropriate.
Turning to Russia's war against Ukraine, researchers at Symantec have discovered a new Russian infostealer deployed against targets in Ukraine. They state, "The Nodaria espionage group, also known as UAC-0056, is using a new piece of information-stealing malware against targets in Ukraine. The malware, Infostealer.Graphiron, is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files." In addition to being called UAC-0056, Nodaria has also been known as SaintBear, UNC2589, and TA471. Symantec doesn't link Nodaria with any specific Russian intelligence or security service, but they do say it's been active at least since March of 2021. Nodaria has specialized in collecting against Ukrainian organizations, with possibly some work against Georgia and Kyrgyzstan, so call it an organization that's been active against the former Soviet republics of the near abroad. Its most prominent action has so far been the WhisperGate wiper attack that hit Ukraine in January 2022. Nodaria's typical attack technique begins with spear phishing emails that deliver a range of malicious payloads to the targets. Wherever Nodaria fits into the Russian services' organization charts, Symantec thinks the group's range and level of activity probably make it one of the key players in Russia's ongoing cyber campaigns against Ukraine.
CERT-UA has issued a warning that Russian cyber espionage operators are using the legitimate remote management tool Remcos to establish a remote surveillance presence in its targets' systems. It's a phishing expedition that casts a broad net with a mass distribution of emails, supposedly from JSC Ukrtelecom, with the subject raising the threat of a court claim against the recipient and an attached RAR file that is surely up to no good. CERT-UA attributes the activity to a threat actor it tracks as UAC-0050.
And finally, last night, U.S. President Biden delivered the annual State of the Union address before both houses of Congress, members of the Supreme Court, and everyone else in the galleries, as well as those watching on TV or from, like, any passing Chinese spy balloons. Connoisseurs of the presidential address genre found it surprisingly light on cybersecurity, but there were some points made that suggest the likely direction of U.S. cyber policy over the coming year. The president singled out, in particular, the challenge of enhancing online privacy and the importance of protecting children from exploitation by Big Tech. The president said, "There should be clear and strict limits on the ability to collect, use, transfer, and maintain our personal data, especially for sensitive data such as geolocation and health information, and the burden must fall on companies, not consumers, to minimize how much information they collect." The speech augurs continued tough scrutiny for Big Tech, and President Biden named the target as such, asking Congress to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us. So, U.S. regulatory policy may assume a more prescriptive form in 2023.
Stay tuned for my conversation with Tim Starks from The Washington Post Cybersecurity 202 and his analysis of the speech.
Coming up after the break, our guest is Roya Gordon from Nozomi Networks discussing the ICS threat landscape. The Washington Post's Tim Starks provides analysis on last night's State of the Union.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Nozomi Networks recently published an OT/IoT security report titled A Deep Look Into the ICS Threat Landscape.
I do want to talk about a new part of the report that we added that hasn't been in any of our reports, and I think it's a big game changer. So, of course, we talk about the overall threat landscape. We talk about some statistics from our honeypots, you know, what they've collected from malicious IoT botnets. We talk about ICS-CERT advisories, and we do analysis on those. But what we're sharing now that we haven't shared before are insights into our customer environments. So, you know, Nozomi Networks is technology that secures OT and IoT. And to kind of see what are the types of alerts our customers are getting, what are the types of intrusions, what are the types of malware that's targeting these environments, I think that's very beneficial for other critical infrastructure organizations to know. And yeah, that's kind of like the most exciting part about this report because, again, we've never shared this and now we're able to. Obviously, these are customers that volunteer for us to share this information anonymously. But again, I think that's the best part of this report.
Well, let's go through some of the details there. What are some of the things that your customers have been tracking?
Yep. So there's a lot of different types of alerting that can go on in an IT/OT environment. And we try to catch all of them, right? Because maybe not everything is indicative of a cyber attack. So there's alerts on clear text passwords, weak passwords. These are things we like to alert customers on because this is how threat actors access the environment. So if they get in and they're stealing information, if you have clear text passwords or weak passwords, they could use this to their advantage. But there's other types of alerts like TCP SYN flood, you know, and that's where the threat actor will flood a server with connection requests. That's indicative of a denial of service attack. There's different types of man-in-the-middle attack alerts, UDP flood, which is essentially the same thing, anomalous packets. So while there are possibly alerts that could be just legitimate employee error, that coupled with other alerts could be indicative of there's some malicious intent going on here. So we have all of the numbers over the past six months. So you can kind of put it into perspective of, for OT environments, how many of these types of alerts organizations are seeing. And I think people can look at this and say, hey, it looks like there's a lot of man-in-the-middle attacks on critical infrastructure, or this TCP SYN flood thing is a pretty big deal. Let's see how we can remediate that. So that's just one type of information that we shared. The other one is most commonly detected malware categories. And this is where we get into Trojans and remote access tools and DDoS malware, and are they targeting IT, IoT, and OT? And that gets pretty interesting. And, you know, we have those numbers in our report as well.
Are there any items here that were particularly surprising or unexpected that you were able to uncover?
In the threat landscape part, you know, we talk about attacks on transportation and healthcare, but I think the biggest trend that stood out is hacktivists are now launching disruptive cyber attacks. So I've been in this field for a while, and every time we would look into disruptive attacks, the first threat actor we would look at would be nation state. You know, they're acting on the behalf of Russia, China, you know, Iran. And then we noticed that ransomware threat actors, you know, financially motivated threat actors, they were launching disruptive attacks. And even though the motives are different, you know, the impact is the same. So a ransomware threat actor, they don't really care. They just want money, while a nation state threat actor is acting on the behalf of another country. But now we're noticing that hacktivists, who traditionally did like data breaches and denial of service attacks, they're getting on the train of causing disruptive attacks on critical infrastructure. And I've seen that more now in 2022 than I have in previous years. And there's a couple of reasons for this. I've been getting asked this, like, well, why are hacktivists changing their tactics? Well, the availability of tools on the dark web, you know, so you no longer have to be super technical. You can just purchase network access and then purchase wiper malware and deploy it. And it's pretty easy. It's easily accessible. But the other reason is because these types of attacks make a bigger statement in the media. And that's what hacktivists want. They want awareness for their cause, awareness of why they're doing it. And if they're disrupting a train system, obviously that's going to get them the media coverage that they're looking for. So I'm kind of bracing myself to kind of see what these hacktivists do in 2023.
Well, based on the information that you've gathered here, what are your recommendations for organizations to best defend themselves?
Yep. So I always tell people, everyone, you know, when it comes to critical infrastructure, they want some super secret sauce recommendations. And a lot of the times it's like, no, things that you should have already been doing to secure your IT, you just got to keep doing that. If you look at a history of a lot of disruptive attacks, it was threat actors who stole credentials because no one was monitoring if the employee was still working at the company or not or still needed that access. So, you know, access controls, or not changing default passwords and default credentials, which that's another part of the report where we actually have a list of credentials that malicious threat actors are using to access IoT devices. So make sure you're changing that. Make sure that you're keeping up with patching. And of course, we know it's difficult in OT environments to do that, but there's a lot of workarounds that you can implement while waiting for a patch day. But again, it's important to patch. It's important to check logs. There are some tactics that these threat actors are using that's kind of living off the land. So they're using techniques that's going to kind of blend in with normal activity to where you may not get an alert. But if you're checking logs, then maybe you'll notice something is off. So, you know, there's a lot, obviously, threat intelligence. You have to know what IOCs you should be tracking, what's associated with malicious activity. So there's a lot of things that organizations can do to protect themselves from these threats.
That's Roya Gordon from Nozomi Networks.
The research is titled
A Deep Look into the ICS Threat Landscape.
You can find a link in our show notes.
And joining me once again is Tim Starks. He is the author of the Cybersecurity 202 over at the Washington Post.
Tim, it's always great to welcome you back to the show.
Good we do this.
So last night was the State of the Union from President Biden. Always a chance for him to roll out plans and aspirations for the coming year. Before we dig into some of the cyber stuff that did or did not happen, what was your overall take on the State of the Union?
You know, if we're just talking about the generalities of it, it was a pretty passionate speech by some standards of the ones that I've seen over the years. And there was a little bit more call and response than we've seen in past years. I mean, others have pointed it out that it wasn't that long ago that someone could get censured on the House floor for having called the president a liar during a State of the Union, and now it's kind of the norm. So it was a pretty substantial speech and pretty well delivered, I thought. He's obviously taken a lot of criticism over the years for his age and how he stammers in places. There was some of that, but for the most part, it seemed like a pretty solid speech to me.
Yeah, I would agree. It seems to be getting fairly solid marks overall.
So let's dig into the cybersecurity aspects here.
What was said and what was not?
Yeah, so he did not directly use the word cyber. One of the things that was an interesting feature from my Washington Post colleagues was words that Biden has spoken in speeches that no president had before, and he was the first to use the word cybersecurity. But if you go back a little further, um, you know, there were other presidents who have talked about cyber. This time he did not use that phrase. He used it in 2021; he did not talk about cyber in 2022 either. So from that standpoint, there were some folk who were disappointed on all sides of the political spectrum that he didn't go directly at that. The fact of the matter, though, is that some of these things that are, you know, I use the phrase cyber adjacent a lot. Data privacy is, you know, it's kind of cybersecurity. As one of the people I spoke to pointed out, when you're talking about the things that Biden said about not collecting massive amounts of information or not keeping it for very long, that poses a cybersecurity risk when you have that material because that creates a target for hackers. So that was one example. Obviously, the kids' privacy was an emphasis, but he also talked about general privacy issues. I suppose if you wanted to stretch even a little further, you could point to the mentions he had of identity theft as it pertained to COVID-19 checks, and then a little bit of China, we're going to stand up for our sovereignty, which was largely a reference to the spy balloon, but you could, like I said, stretch it and say that was somewhat cybersecurity related.
Yeah, it was interesting to me that the emphasis on protecting the privacy of children, I mean,
I suppose when it comes to political rhetoric, that's a kind of a, it's a layup, you know,
protect our kids.
And so to come at it from that angle, I guess not surprising, but at the same time, interesting emphasis.
It is. I think if you, you know, as someone who often has blinders on for cyber only in the news, sometimes I don't read about a lot of other things that are going on in the world, but I have read a good amount about and talk to people occasionally about, you know, this kids' online privacy issue. And it's been a long-running problem where Congress has been wanting to revisit it and hasn't quite been able to get over the finish line on some things. So it's in the news a fair amount. Certainly when you hear about the debates about TikTok, one of the big levers on that is people worrying about what that is going to do to the minds of children. So if you're talking about privacy, if you're talking about it from the perspective of the right, there's obviously been a lot of discussion about this idea that pedophiles are widespread and that there's the grooming issue. Then you also can look at it from the perspective of the debate over encryption. One of the things that people have been concerned about is the spread of, I'm trying to remember the modern terminology, child exploitation materials.
Right, CSAM.
Yeah, child sexual, yeah. Yeah, I think that's the right, I might have said it wrong. But that phrasing is something that I think people on both sides of the aisle are concerned about. But then when you get into encryption and the big social media platforms wanting to not make a lot of what they're, they want to protect the privacy of their people. And it raises this kind of twin privacy debate where you're getting into, well, if you have too much encryption, then the privacy, the things that are happening to children, the government can't get at it. And then, of course, you have the other side, which is saying if we don't have encryption, then we're opening the door to too much government intervention on everything, not just the children's issue.
As I was listening to the speech and, again, the things that he didn't say, the fact that cyber was not really front and center, I wonder if that's a little bit of a, not necessarily
so much as a wake-up call, but a reminder to properly calibrate ourselves when it comes
to folks who are in the cyber world,
that when it comes to these dinner table conversations,
that perhaps these issues aren't as front as center to most folks
as we sometimes think they are.
I think that's certainly possible.
One of the things I was talking to people about earlier this week
with the Chinese spy balloon, that this thing, however capable it was, has not been able probably to snag a fraction of the information about U.S. citizens that Chinese hackers have over the years.
And there's a different way that people tend to look at cyber versus the way they look at things that are more physically, obviously, tangible.
But what's interesting, I think I was looking at a poll that the Chamber of Commerce did not that long ago where they were talking to people about digital issues.
And number one was cybersecurity, and number two was privacy. So it sometimes can be hard to get a sense of calibrating what is truly important to people versus what we perceive as important to people versus what we perceive as understandable and relatable.
And I think that's all in the mix of what happened here.
One of the people I spoke to for the story said, the State of the Union is something of a performance.
And if you're not of the mind that you're reaching an audience that is very concerned about an issue, then you're not going to perform that song.
So we didn't get the cybersecurity song this time.
Maybe that is one of the reasons.
Yeah.
All right.
Well, Tim Starks is author of the Cybersecurity 202 at The Washington Post.
Tim, thanks so much for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.