CyberWire Daily - BEC gets into bulk food theft. BlackCat ransomware update. Epic Games’ settlement with FTC. InfraGard data taken down. More on the hybrid war. And Twitter asks for the voice of the people.
Episode Date: December 19, 2022

BEC takes aim at physical goods (including food). BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases forty-one ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open source intelligence. Twitter says vox populi, vox dei.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/241

Selected reading.
FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food (CISA)
Colombian energy supplier EPM hit by BlackCat ransomware attack (BleepingComputer)
Events D.C. data published online in apparent ransomware attack (Washington Post)
Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Federal Trade Commission)
Hacker Halts Sale of FBI's High-Profile InfraGard Database (HackRead)
CISA Releases Forty-One Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
Russia's Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications (Carnegie Endowment for International Peace)
How open-source intelligence has shaped the Russia-Ukraine war (GOV.UK)
Front-line video makes Ukrainian combat some of history's most watched (Washington Post)
Elon Musk Polls Twitter Users, Asking Whether He Should Step Down (Wall Street Journal)
Musk asks: Should I stay as CEO? (Computing)
Elon Musk's Twitter Poll Shows Users Want Him to Step Down (Wall Street Journal)
Elon Musk's Twitter poll: 10 million say he should step down (the Guardian)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k.
BEC takes aim at physical goods, including food.
Black Cat ransomware activity increases.
Epic Games settles an FTC regulatory case.
The InfraGard database was pulled from a dark web auction site.
CISA releases 41 ICS advisories.
Rick Howard interviews author Andy Greenberg.
Rob Boyce from Accenture examines holiday cyber threats,
the growing value of open source intelligence,
and Twitter says, Vox Populi, Vox Dei.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 19th, 2022.

The FBI, the FDA, and the USDA have issued a joint cybersecurity advisory warning of BEC.
And for those of you playing acronym bingo, congratulations on your win.
But seriously, these are business email compromise attacks designed to steal food shipments.
Threat actors are impersonating real food and agriculture companies to order hundreds of thousands of dollars' worth of food and ingredients.
The report says, while BEC is most commonly used to steal money, in cases like this,
criminals spoof emails and domains to impersonate employees of legitimate companies to order food
products. The victim
company fulfills the order and ships the goods, but the criminals do not pay for the products.
Criminals may repackage stolen products for individual sale without regard for food safety
regulations and sanitation practices, risking contamination or omitting necessary information
about ingredients, allergens, or expiration dates.
Counterfeit goods of lesser quality can damage a company's reputation.
In one incident that took place as far back as February of this year,
scammers posed as four different companies and stole nearly $600,000 worth of whole milk powder
and non-fat dry milk from a food manufacturer.
The BlackCat (ALPHV) ransomware group is showing some increased activity lately,
including an attack on a Colombian energy supplier and the release of data from D.C.'s
official convention and sports authority. BleepingComputer reports that EPM, an energy company in Colombia,
fell victim to a ransomware attack orchestrated by the BlackCat ransomware group last Monday.
The attack took the supplier's online services down and disrupted company operations.
How much data was stolen from one of Colombia's largest public energy, water, and gas providers remains unclear as of the posting of the article.
Security researcher Germán Fernández notes that just over 40 devices were listed in the threat actors' ExMatter tool, discovered via a malware analysis site.
Following an October cyber attack on Events DC, the BlackCat ransomware group
published what they claim is approximately 80 gigabytes of data from the Convention and Sports Authority on Thursday, the Washington Post reports.
The released data, which the ransomware group claims are internal Events DC files,
include incident and injury reports filed by customers impacted by the breach,
contracts, board minutes, bank statements,
and tax forms for employees, city plans, and arena security.
The documents have not been confirmed to be genuine by Events DC.

The U.S. Federal Trade Commission announced this morning
that Epic Games, publisher of the popular Fortnite game, among others, has agreed to pay a total of $520 million in relief over allegations the company violated the Children's Online Privacy Protection Act
and deployed design tricks known as dark patterns to dupe millions of players into making unintentional purchases.
$275 million of the total settles the accusation that Epic Games violated COPPA by collecting children's personal information without verifiable consent from a parent.
The remaining $245 million in the settlement will take the form of refunds to customers
over allegations that Epic Games used dark pattern deceptive tactics to induce customers to make in-game purchases.
Epic Games, in its own response to the settlement,
focused on what it intended to do about the practices that caused the problem in the first place.
It offered advice to developers about the hazards that attend attempts to streamline the checkout process.
The hacker who posted data stolen from InfraGard, a public-private cyber intelligence service led by the U.S. FBI, has removed it from the Breached forum market where it had been offered for sale.
And in what appears to be the result of a startling moral awakening, the hacker also stated that all the email addresses present in the database were emailed to Troy Hunt so that he could add them to his website, Have I Been Pwned. The data stolen had included full names, email addresses, employment details, industry of employment, social media user IDs, and more.
At the end of last week, CISA released 41 industrial control system advisories.
One involves a process system.
The other 40 address issues in Siemens control products.
The Carnegie Endowment for International Peace has published another paper, this one titled Russia's Wartime Cyber Operations in
Ukraine, Military Impacts, Influences, and Implications. It assesses the surprising
shortfalls of Russian performance in cyberspace before and during the current war. The study
refers to offensive cyber operations as cyber fires, not unreasonably given the way electronic attack has historically
been managed by fire support coordinators, at least in U.S. doctrine. Some of the conclusions
are Russian cyber fires, disruptive or destructive attacks, may have contributed modestly to Moscow's
initial invasion, but since then they have inflicted negligible damage on Ukrainian targets.
Cyber fires have neither added meaningfully to Russia's kinetic firepower nor performed
special functions distinct from those of kinetic weapons. Intelligence collection, not fires,
has likely been the main focus of Russia's wartime cyber operations in Ukraine,
yet this too has yielded little military benefit.
While many factors have constrained Moscow's cyber effectiveness,
perhaps the most important are inadequate Russian cyber capacity,
weaknesses in Russia's non-cyber institutions,
and exceptional defensive efforts by Ukraine and its partners.
As the war continues, Russian intelligence collection
probably represents the greatest ongoing cyber risk to Ukraine. The study also offers advice
for other countries facing hybrid war in the future, Russian or otherwise. The short message
is probably best summed up as offensive cyber operations are hard, but don't drop your guard and keep your shields up.
Open source intelligence, OSINT, isn't new.
General Hockenhull, commander of the UK's Strategic Command, told the Royal United Services Institute,
but it's certainly risen to prominence during Russia's war against Ukraine.
Commercial satellites and the overhead imagery they provide
have had considerable effect on collection
and the intelligence developed therefrom.
Online networks have made it easy for civilians in and around the war zone
to report combat information about Russian forces.
The Washington Post offers a similar discussion.
Their reporting focused on the ubiquity of video. The war against
Ukraine has become, in the opinion of experts the Post consulted, one of the most visually
documented wars in history. And finally, over the weekend, Elon Musk put up a poll asking whether he
should continue to run Twitter. "Should I step down as head of Twitter?" Mr. Musk tweeted yesterday.
"I will abide by the results of this poll." Early reporting by Bloomberg based on Mr. Musk's Twitter
feed itself suggests that the ayes are having it. The poll followed an earlier announcement of a new
Twitter policy banning accounts created solely to promote other social media platforms. That proved unpopular and was soon rescinded,
and Mr. Musk committed to holding votes among Twitter users
before enacting other major policies, stating,
"Going forward, there will be a vote for major policy changes.
My apologies. Won't happen again."
The Wall Street Journal, also reporting on the poll returns,
mentions Mr. Musk's ruminations to the effect that if he were to go, there might be no one else willing to take the job.
Maybe he's right.
We have little to add by the way of commentary to the ongoing saga of Twitter and its adjustment to new ownership,
except to say that it reminds us more and more
of the literary classic Clarissa,
with Mr. Musk as the eponymous heroine,
the Internet as whole,
playing the part of Robert Lovelace.
Or perhaps we've got it backwards,
and the Internet is Clarissa,
and Mr. Musk is Lovelace.
Discuss amongst yourselves.
Coming up after the break, Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It's always my pleasure to welcome back to the show, Rick Howard.
He is the CyberWire's own chief security officer, also our chief analyst.
Rick, welcome back and happy holidays, my friend.
Happy holidays.
Here we are at the end of the year.
That's right. It is the end of 2022. Where did it go? I would say I have to start learning to write 2023 on my checks, but I can't
remember the last time I wrote a check. That was the only way I would remember it because I wrote
those things. Now I don't do that anymore, right? Yeah, yeah. I have to say it at the start of every podcast, so I'm going to
be re-recording that a lot the first couple weeks of January. So you and your interns down in the
Sanctum Sanctorum have prepared a special treat for all of your CSO Perspectives listeners. What
do you have in store for us? So Dave, both you and I are giant fans of Andy Greenberg. He's the
senior writer at Wired Magazine. You've
interviewed him a couple of times, right? Yeah. Oh, yeah. Yeah. Always a good interview. Absolutely.
And he's authored several fantastic cybersecurity books, one of them, Sandworm, about the Russian
attacks against Ukraine from 2014 to 2017. That's a Cybersecurity Canon Hall of Fame winner.
Yeah, great book. I think that's, I know that's one of the books that I interviewed Andy about.
And, you know, it seems especially pertinent in light of all the activity in that area of the world these days.
Yeah, exactly.
Well, Greenberg's written a new book, all right, that's called Tracers in the Dark,
The Global Hunt for the Crime Lords of Cryptocurrency.
That is a fantastic title,
by the way. And it just came out, and I have to say, Dave, it's the best cybercrime book that
I've read in over a decade. And I got to interview Andy about it. He came on one of our shows the
first time, so it's fantastic. It's about how an academic researcher, a Silicon Valley entrepreneur, and an IRS investigator, and a bunch more people, they use this new technique called blockchain analysis to track down dark web criminals and arrest them.
Here's a clip from the show.
This is the end of the Silk Road story, but really just the beginning of the story of the book, because that was when Tigran realized that Bitcoin can be traced,
and he had just proved somebody's guilt through cryptocurrency tracing
for the first time in the history of law enforcement. And not
only that, but he soon
followed another thread of
kind of loose thread of
missing Bitcoins from the Silk Road
to show that they had been taken by
another corrupt agent, a
Secret Service agent,
who worked in the same Baltimore office as Carl Mark Force.
That was Shaun Bridges.
And the two of them were both corrupt agents,
both investigating the Silk Road and simultaneously trying to enrich themselves from that investigation.
Anyway, they were just taking whatever dirty Bitcoins they could.
And both of them had thought that those Bitcoins would be untraceable,
so they could never be caught. And Tigran caught them both, and they both went to prison.
So did I catch that right? The IRS agent, Tigran, caught two law enforcement officers acting badly
on the dark web and put them in jail? I know he did. You couldn't, if I was writing this down
and making it up in a novel, people say, oh, that's unrealistic. Not one, two law enforcement officials, right? And those are
just two small stories in the book and it's packed with full of amazing things. So I highly recommend
it. And you can hear my interview with Andy on CSO Perspectives Pro this week. All right. Well,
that is on the pro side. How about on the public feed this week?
So, the Sanctum interns have unvaulted another pro episode for the public to listen to. This one is from the last episode of season nine. It's called Security Infrastructure as Code.
And we cover the history of software development from the old waterfall model in the 1980s,
to agile development in the 2000s, to the DevOps movement in the 2010s,
and finally to the DevSecOps resurgence starting around 2016.
Yeah, it's my impression that we've made significant progress here in the last few years in regards to DevSecOps, right?
Well, I would say that some security practitioners have inserted themselves into
the CI/CD, that's Continuous Integration, Continuous Delivery pipeline, you know,
for things like linear regression testing and OWASP rules. But we as a community have done
virtually nothing to automate the tasks that we typically might see in the SOC, you know,
things like zero trust monitoring, intrusion kill chain control deployments,
resilience maintenance, and risk forecasting. So, we have a ways to go here.
Well, before I let you go, what is the phrase of the week over on your WordNotes podcast?
The phrase of the week, I love just saying it that way, is ransomware. It's everything you ever...
Ransomware. I'm sorry. I'm sorry. Ransomware? I don't think I'm familiar with that, Rick.
Ransomware.
It's this newfangled term.
It's brand new.
What is ransomware?
It's brand new on the Gartner hype cycle.
So we've never heard it before.
So we're going to talk about everything you've ever wanted to know about the evolution of ransomware.
And we have a fantastic nerd clip from my favorite hacker TV show, Mr. Robot.
All right. Well, we will look forward
to all of that. Rick Howard is the
host of the CSO Perspectives podcast.
Rick, thanks for joining us.
And joining me once again is Robert Boyce.
He is the global lead for cyber resilience and also an advisory board member at Accenture.
Rob, it's always great to welcome you back to the show.
I can't believe I'm saying this already,
but the holidays are upon us.
And with that, there are all kinds of folks
who are looking to take advantage of perhaps
folks being away or being distracted by the holidays. I want to touch base with you on that.
What sorts of things are you tracking as we head into this season? Yeah, I did. And thanks for
having me back. You know, I think, you know, holidays are interesting for me. And in my role,
you know, I always call it holiday vigilance instead of holiday spirit
because we're always expecting the worst to happen at this time of year.
So we're always on guard.
I find it fascinating, always fascinating,
just on how innovative and how much ingenuity our threat actors have
when it comes to things like fraud.
We've just gone through COVID, and now we're in a recession,
so there's so many opportunities while now entering the holidays, of course.
There's so many opportunities for threat actors to take advantage of consumers and organizations.
And fraud seems to be one of the biggest things that are going on around the
holiday time. A few things that I find really fascinating, and again, to me, even my team
giving me this research, I even thought, wow, I never thought some of these are actually happening
in place. But there's a couple of things that stand out to me. One is around what we call the refund service offering. So this is interesting
where we have a threat actor purchase a bunch of things online from a number of different
retailers, and then a different threat actor going back to those retailers and trying to refund the
money through social engineering. And it's very well coordinated.
So the threat actors will post in a dark web forum,
basically saying, listen, if you are able to buy something from these,
say, eight different retailers, let me know,
give me the information about the purchase,
and I will go ahead and get a refund there
through different social techniques,
social engineering techniques that they employ. And for that, they keep about 40% of whatever is
refunded. So it's really, yeah, it's quite fascinating that this happens. And what we've
seen so far in the chatter already this year is that more requests than ever have been started to
go back and forth between the individuals or the threat actors offering these services.
So we're already seeing an uptick in that behavior now.
Do you suppose that that uptick is a response to global financial conditions or just a continuation that they're finding that these things work?
Yeah, I think it's a little bit of both. You know, I think when, since,
since COVID really the, the, I think online shopping has been, you know,
the number one priority for most consumers.
And so we're seeing a lot more of the activity taking place that they can,
you know, that they, that they can use to target for this type of activity.
But I also just think that
it's proven to work. And, you know, it's just, again, just similar to ransomware,
it's a very viable business for them. In terms of the retailers themselves trying to defend
themselves against this, I mean, you mentioned that a big component of this is social engineering,
and I suppose any retailer expects a certain amount of loss just to keep customers happy.
Is that what the bad guys are focusing in on here?
Yeah, and I think the time of year is no coincidence, when the retailers are receiving probably the highest volume of calls that they're going to have throughout the year.
And so I think the, I wouldn't say that their guard is down, but I just think the volume of calls that they're getting, both legitimate and
illegitimate, is very hard to keep the same level of structured response that they may have in the
slower times of the year. So I think that's a big part of it as well. So is the message here one of
vigilance or are there also some technical measures people can put in place?
I think this is vigilance and training.
So this is when we're always saying the people are the weakest link.
I find that a lot of the holiday attack scenarios are very much around individuals, around people focused on them, focused on social engineering. So it's really just making sure that you follow the standard advice for phishing emails,
the standard advice for the smishing that you get from text messages.
There is definitely a time of year if you're ever going to be more vigilant with messages that you're getting, and you want to validate and verify the sender is real and the requests are real, it is definitely during the holidays.
Yeah. Well, good advice as always. Rob Boyce, thanks for joining us. Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the
Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah! I join Jason
and Brian on their show for a lively discussion of the latest security news every week. You can
find Grumpy Old Geeks where all the fine podcasts are listed. The Cyber Wire podcast is a production
of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Tré Hester, Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand,
Tim Nodar, Joe Carrigan, Carole Theriault,
Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.