CyberWire Daily - Budworm APT’s specialized tools. Cyberattack against Johnson Controls. Oversight panel reports on Section 702. Cyber in election security, and in the US industrial base. Hacktivism versus Russia.
Episode Date: September 28, 2023
The Budworm APT's bespoke tools. Johnson Controls sustains a cyberattack. The US Privacy and Civil Liberties Oversight Board reports on Section 702. The looming government shutdown and cyber risk. Cybersecurity in the US industrial base. X cuts back content moderation capabilities. In our Industry Voices segment, Nicholas Kathmann from LogicGate describes the struggle when facing low cost attacks. Sam Crowther from Kasada shares his team's findings on Stolen Auto Accounts. And Ukrainian hacktivists target Russian airline check-in systems. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/186
Selected reading.
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org (Symantec Enterprise Blogs)
Johnson Controls reports data breach after severe ransomware attack (BeyondMachines)
Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (U.S. Privacy and Civil Liberties Oversight Board)
Split privacy board urges big changes to Section 702 surveillance law (Washington Post)
Democrats fear cyberattacks as government shutdown looms (Nextgov.com)
Aprio Releases U.S. National Manufacturing Survey, Highlighting the Need for Improved Operational Excellence, Digitization and Cybersecurity Practices (Aprio)
Musk's X disabled feature for reporting electoral misinformation - researcher (Reuters)
Musk’s X Cuts Half of Election Integrity Team After Promising to Expand It (The Information)
Aeroflot, other airlines’ flights delayed over DDoS attack (Cybernews)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Budworm APT's bespoke tools,
Johnson Controls sustains a cyber attack.
The U.S. Privacy and Civil Liberties Oversight Board reports on Section 702,
the looming government shutdown and cyber risk.
Cyber security in the U.S. industrial base.
The platform formerly known as Twitter cuts back on content moderation capabilities.
In our Industry Voices segment,
Nicholas Kathmann from LogicGate describes the struggle when facing low-cost attacks.
Sam Crowther from Kasada shares his team's findings on stolen auto accounts.
And Ukrainian hacktivists target Russian airline check-in systems.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, September
28th, 2023. Symantec says that the Budworm APT,
tracked by others as Emissary Panda or APT27,
in August 2023 used a new version of its SysUpdate backdoor to target a Middle Eastern
telecommunications organization and an Asian government. The researchers note,
the targeting of a telecommunications company and government also point to the motivation behind
the campaign being intelligence gathering, which is the motivation that generally drives Budworm activity.
That Budworm continues to use a known malware, SysUpdate, alongside techniques it is known to
favor, such as DLL sideloading using an application it has used for this purpose before, indicate that
the group isn't too concerned about having this activity associated with it if it is discovered.
The report doesn't offer an attribution, but government and telecommunications organizations
are common targets for cyber espionage. Building automation company Johnson Controls
International has sustained a major ransomware attack that's affected the operations of several of the company's subsidiaries,
Bleeping Computer reports.
The attackers have encrypted the company's VMware servers
and claim to have stolen more than 27 terabytes of corporate data.
Bleeping Computer cites a source as saying
that the attackers are demanding a $51 million ransom.
Johnson Controls confirmed a cybersecurity incident in an 8-K
filing with the SEC and stated that they are actively evaluating the extent of the information
that was compromised and are implementing their incident management and protection plan to address
the incident's impact. While many of the company's applications are still functional, it has had to
employ workarounds for certain operations to minimize disruptions and maintain customer service.
The incident has resulted in disruptions to some of the company's business operations, and the disruption is anticipated to persist.
A divided Privacy and Civil Liberties Oversight Board has reported its recommendations concerning Section 702 of the Foreign Intelligence Surveillance Act.
Section 702 has been controversial for what critics see
as its potential for abusive surveillance of U.S. citizens.
Intelligence and law enforcement agencies defend the law as an essential authority for collection,
especially collection against terrorist organizations.
The first seven recommendations in the report are calls for congressional action, codifying specifically the 12 legitimate objectives for signals intelligence collection under Executive Order 14086. They also recommend that Congress introduce more definition and clarity into Section 702,
drawing sharper lines over what's permissible and what's impermissible. The remaining 12
recommendations concern procedures executive agencies might adopt. Most of these involve
increased transparency and controls to ensure that querying in particular doesn't run afoul
of protections against unreasonable search. It also includes calls for replacing manual
review of material collected with new secure automated procedures. And the report also
recommends that intelligence and law enforcement agencies improve their measurement of the outcomes
of surveillance. Did they actually
achieve operational goals beyond the collection itself? NextGov outlines the potential cybersecurity
implications of a U.S. government shutdown, noting that around 80 percent of employees at CISA would
be furloughed during a shutdown. Representative Shontel Brown, a Democrat of Ohio, compared the effects
of a government shutdown to those of a ransomware attack, saying it would be dangerous, destructive,
and disastrous. Brown added that a shutdown would undercut organizations and state and local
governments that are relying on federal funds to prevent crippling ransomware attacks.
Representative Nancy Mace, a Republican of South
Carolina, countered that the White House could choose to designate CISA employees as essential
workers in the event of a shutdown. So, if there is a shutdown, and that remains a big if since
there's always the possibility of an 11th-hour continuing resolution before Federal Fiscal New Year's Day on October 1st,
there will be some degradation of federal services.
Aprio has released the results of a survey looking at cybersecurity in the manufacturing industry,
finding that nearly two-thirds of manufacturers experienced unauthorized access
to their companies' networks and data in the past year.
The survey also found that fewer than half of companies surveyed report having a cybersecurity policy,
and only 36% have enhanced IT security.
Aprio adds,
Manufacturers can leverage digital tools to achieve competitive advantage
by sharing information across functions and with supply chain partners to improve productivity
and respond in real time to operational problems.
But most companies are not utilizing this.
In fact, 39% of surveyed manufacturers are using 5G networks
and only 21% are using edge computing.
X, the platform formerly known as Twitter, has disabled a feature for
reporting election misinformation, Reuters reports. The Information says X has also cut half of its
election integrity team, including the team's head, Aaron Rodericks. X owner Elon Musk said in a post
that the team was undermining election integrity.
The Hill notes that X said last month that it was expanding its election safety team to focus on combating manipulation, surfacing inauthentic accounts, and closely monitoring the platform for emerging threats.
Social media in general, and X, formerly Twitter in particular, have been used to establish and amplify disinformation during elections.
The U.S. elections in November 2024 are expected to receive a great deal of attention from foreign disinformation operators, especially Russian.
Several Russian airlines warned customers to expect difficulties at the gates.
Cybernews described the issue as a distributed denial-of-service attack.
The IT Army of Ukraine, a cyber-auxiliary group operated on behalf of Ukraine, claimed responsibility, stating,
While you're sipping your artisanal latte, our noble neighbors to the north are stuck in queues trying to book flights.
Well done,
IT Army. The attack was over in a matter of hours, and service is now said to be returning to normal.
Coming up after the break, Nicholas Kathmann from LogicGate describes the struggle when facing low-cost attacks.
Sam Crowther from Kasada shares his team's findings on stolen auto accounts.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Attackers enjoy the advantage of inexpensive, readily available tools to help them do their deeds, which means a relatively
low investment for them, but a steady barrage of things to deal with for defenders.
In this sponsored Industry Voices segment, I speak with Nicholas Kathmann, CISO of Risk and
Compliance Management Platform provider LogicGate, on the struggles organizations face with low-cost attacks.
So phishing attempts are a prime example of this. It costs next to nothing, or in many cases is free,
to send a phishing email. But the companies, the victims, are spending a lot of money on
anti-phishing technology and different types, different email filtering capabilities and user awareness
training to try to protect against that free attack. And how do we differentiate between
something that is merely a nuisance and something that is truly potentially dangerous?
I mean, I would say if you design your systems correctly, and I call it embrace the incident, you're going to have incidents.
Things are going to get through.
If your systems are designed properly, your security architecture is designed properly, IAM roles are designed properly, almost anything becomes a nuisance.
So if you don't have all that stuff in place.
We used to call it the Cadbury effect a long time ago.
I think there's a different term for it now, but the hard shell, gooey center.
Once you get into an organization, everything's just wide open and unlocked.
Every, you know, successful phishing attempt turns into a major incident or a major issue.
Whereas if everything's properly locked down, you're using MFA, you're using, you know, device trust, you know, you have your admin accounts separated from your normal user accounts,
things like that.
You have different trust boundaries around different applications,
and you've embraced more of the zero-trust type of architecture approach.
Somebody simply getting the username and password for your system, or even a username and password and an MFA token,
the blast radius is much smaller.
And that really just becomes a nuisance at that point.
You're just resetting passwords and tokens.
Well, let's come at it from the other direction then.
I mean, what are your recommendations
for folks to best come at this?
What are some of the strategies
you think folks should put in place?
So I think a lot of it would start with really
just going through attack simulations.
So what would happen if this did happen and kind of, you know, almost tabletop it, but
do more of a realistic tabletop.
So a phishing attempt happened against a finance user.
Okay.
So you can either, you know, have your security team or your IT team or somebody knowledgeable
within there created as a finance user,
and now go look around and see what they have access to.
What can they actually do?
Or you can pay pen test firms to do this for you as well.
And really just figure out what do they have access to that they shouldn't have had access
to and start to restrict these things down.
And then go to the next scenario and just keep working down the list of scenarios of
different attack types that can be used against you and then just systematically destroy the,
you know, it's in the, in risk you can go through and you can reduce the risk of it happening or
reduce the likelihood, or you can reduce the impact. My, what I would say here is what I
recommend here is use the free technology, the free
mechanisms, the free security controls built into your office suite, your file sharing suite,
your website, to reduce the impact as much as humanly possible. Yeah. Can we dig into that a
little bit? I mean, how do you recommend that folks set their priorities here? Everybody has
a limited amount of time and
limited amount of resources. What's a wise way for folks to calibrate how they come at this specific
problem? So a big thing is just getting security involved early on in the project or any project
that's coming up. So once, you know, I always said, if you bring in a security architect after
the solution is already created, now the security architect is coming in proverbially calling the baby ugly.
It's already there.
There's already a timeline.
It's usually like you get the call for a half an hour meeting to approve a solution a week before it's set to go live.
This is where all the mistakes happen. If you bring in security architecture, if you bring
in the security and compliance and privacy teams from the very beginning, during project inception,
we're going to roll out new application XYZ, but we don't know what that looks like yet. We don't
have any diagrams. We haven't written any code. That's when you can really start to get ahead of
the problems before they become problems. And so really it's just getting ahead,
making sure that from the very beginning,
security, compliance, privacy are all stakeholders at the table
and can start bringing in the requirements
and making sure that everybody who,
the implementers of the technology and the application owners
and all of the stakeholders understand really what's required
so they can keep that in mind and be educated
throughout the entire project lifecycle. What about communications with the powers that be?
Folks like the board of directors, making sure that they're informed and on board with the plans
here. Yep. So I mean, this is going to be where setting clear guidelines, clear goalposts for the different application owners is going to be really important.
So everybody's seen organizations where there's, I call it the paper tiger, there's policies and procedures that the compliance team knows inside and out, and that they use to pass attestations and compliance things.
But if you ask any of the end users, even if they've signed off that they follow those policies,
they probably can't state more than one control.
So this is really making sure that when you're designing these policies,
these procedures, these standards, these guidelines,
that you do have technical stakeholders reviewing it.
You do have leadership reviewing it as well,
so that by the time you go to get it approved, everybody's aware of every line that's in there and that it's not, and that, you know,
people understand what their requirements are and they've seen it and they know exactly where to get
that, you know, that standard or that guideline that says, this is what we should be doing.
That's the first step is just making sure that you're socializing all of your policies,
all of your standards, you know, in advance,
far in advance of actually making them, you know, final and in force. But then once you're
there, that becomes the guideline and just making sure that you have a way to measure projects and,
you know, different applications against that guideline. And anytime they're, they're not
meeting that guideline, that becomes findings. It goes into a risk register.
And then that goes up into the summary reports that you're bringing up to the board in terms of this department and their projects, their applications have introduced these amount of risks for not meeting the standards.
And then let it from there, they make the decision of, do we accept this or do we go back and say, no, you need to fix this?
That's Nicholas Kathmann, Chief Information Security Officer at LogicGate.
Bot management firm Kasada recently published a report outlining their discovery of nearly 15,000 stolen automotive customer accounts for sale online,
with credentials being sold for as little as $2 on Telegram.
Sam Crowther is CEO at Kasada.
Our threat research team found evidence that some criminal syndicates had been launching credential stuffing attacks against large, particularly US-based auto manufacturers,
and selling the compromised accounts, which contained obviously the VIN numbers, the makes and models of the
vehicles, the PII of the owners within some of their Telegram communities. And it was at a scale
that was quite alarming to go from zero to where they landed. So it raised just massive
red flags on our side. And we figured this is absolutely something we need to talk more about.
Well, what kind of scale are we talking about here?
How many stolen accounts did you all track?
So the initial two waves, there was about 15,000 U.S. accounts
for these cars that came up for sale.
Well, let's talk about the information that was taken here and why it matters for folks.
I mean, I think people are kind of used to getting reports that some of their information
has been compromised, their name, their address, maybe something like that.
But I think it's fair to say most of us don't think about things like the VINs of our cars.
I completely agree, right?
And when you buy a car from a manufacturer, particularly modern ones,
and you sign up for the account to manage your servicing or even manage the vehicle remotely,
you never really think too much about what's going into it and the sort of access and information that it has.
Well, let's talk about some of the things that folks can do with a VIN here.
What are the risks?
Something known as car cloning, where criminals can take stolen VIN numbers
and use it to create replica tags so that you may get pulled over
when you're driving your car in Maryland, right?
And the police are like, hey, we've, you know, we've got a warrant for this or whatever it
is when you get pulled over.
And it's actually because someone else who committed a crime who's duped your car's
information has done it, you know, somewhere else in the state, right?
Which is really, really problematic.
There's also the potential for basically the duplication of ownership papers. So someone could own your car from the government's eyes. It's pretty concerning.
And when you couple that with the information around where the individuals live, how to contact
them, it can start to become a really scary form of identity fraud. How so? How would folks use this information
specifically? You can leverage all the contact and VIN information. It's also possible to take
out loans, for example, against the car, like additional cash out, which I guess is the ultimate goal for almost any identity theft,
is money from the banks that's tied to someone else. What's really interesting, though, on the
actual seller's side is how popular and how cheap, seemingly, these accounts were. Normally,
to get your hands on enough information to properly commit identity
fraud, it's going to cost you $500 to $1,000, whereas you look at some of these automotive
accounts and you can pay as little as $2 and you basically have all the information you need to get
started. What are your recommendations for folks to protect themselves against this sort of thing?
So look, the number one would be, and I know
it's said over and over again, but unique passwords, particularly on systems like this. I know it's
probably not something many of us think about being overly sensitive, but the reality is it's
actually quite important for us to protect it. So making sure that, you know, access to that account is, you know, 2FA where it can be,
it's a strong password. And then, you know, if you can disable certain functionality or you can
avoid having some of these accounts entirely, maybe if it's not going to, you know, impede
your user experience, it may be best to do so, right? In a lot of cases, most people don't need
these accounts. Most of the cars attached to these were old, from what we could see,
and there was no app to control them remotely for these older models.
So there was really no big value add, yet they'd sort of been driven to sign up by the manufacturer.
Is there any responsibility from the car manufacturers here?
I mean, have they chimed in on any of their attempts to secure this kind of thing?
Huge responsibility. This is ultimately their problem. If this happened
in any other industry where the information was as sensitive, there would be outrage. Like imagine
if, you know, the MyChart accounts you have for your medical information had the same problem.
The impact would be pretty material.
And functionally, this is very sensitive PII.
So we've reached out and tried to notify the manufacturers.
One has engaged.
The others have remained silent.
The one that's engaged has been really good and proactive about actually properly digging in and looking at what went wrong
and how to address it, which is great to see.
Yeah.
Where do you suppose we're headed here?
I mean, could you see regulations coming
that could help tie these sorts of things down better?
General security rules and regulations around liability
is something that will help here, right?
The world is so
fast-paced, and particularly if you take the case of auto manufacturers who've been ripped out of
the stone age very, very quickly. There's just so many different unique cases and data sets and data
types to deal with, but, you know, laws around, hey, what is acceptable for an organization to
lose when it comes to customer data, right? How many accounts can be compromised
before there are some, you know, whether it's like criminal or other sorts of charges brought
against the company. That's really where this needs to go. And if you look at other countries,
they're starting to move there, right? Like actually, my home country of Australia has
recently implemented some new laws around liability if organizations are shown to be negligent.
And the penalties are really severe, right? Similar to what you'd see in the European Union.
I really think that's the best way to do it. Because right now, the equation these companies
make is, what's the chance we get caught? How much is it going to cost us if we get caught?
We're fine to accept that risk without actually really considering what the impact to their customers is. That's Sam Crowther from Kasada.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. to give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original
music by Elliot Peltzman. The show
was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner. Thanks for
listening. We'll see you back here
tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.