CyberWire Daily - Carding Mafia hacked by other criminals. Gangland extortion. Section 230 reform. Director NSA talks about cyber defense, especially foreign attacks staged domestically. Propaganda. Hacktivism.
Episode Date: March 26, 2021
Criminal-on-criminal cyber crime. Ransomware hits European and North American businesses. Big Tech goes (virtually) to Capitol Hill to talk disinformation and Section 230. The head of NSA and US Cyber Command discusses election security and cyber defense with the Senate Armed Services Committee. Russia complains of a US assault on Russia’s “civilizational pillars.” Accenture’s Josh Ray shares his thoughts on securing the supply chain. Our guest is Sergio Caltagirone from Dragos on their 2020 ICS/OT Cybersecurity Year in Review. And there appears to be a minor resurgence of hacktivism. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/58
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Criminal on criminal cybercrime.
Ransomware hits European and North American businesses.
Big tech goes virtually to Capitol Hill to talk disinformation and Section 230.
The head of NSA and U.S. Cyber Command discusses election security and cyber defense with the Senate Armed Services Committee.
Russia complains of a U.S. assault on Russia's civilizational pillars.
Accenture's Josh Ray shares his thoughts on securing the supply chain.
Our guest is Sergio Caltagirone from Dragos on their 2020 ICS-OT cybersecurity year in review.
And there appears to be a minor resurgence of hacktivism.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, March 26, 2021.
Criminal-on-criminal crime hit the Carding Mafia, an underworld forum in which paycard data is shared, sold, and traded, Vice reports. According to Have I Been Pwned, these stolen records included email addresses, IP addresses, usernames, and hashed passwords for nearly 300,000 people.
The Record writes that Babuk ransomware has hit the PDI Group, an Ohio-based supplier of material handling equipment to the U.S. and other militaries. Babuk's operators claim to have obtained some 700 gigabytes of files from PDI's internal networks. The stolen data appears to be mostly corporate intellectual property, which the gang threatens to post online if they're not paid.
Also in The Record is an account of a major data breach in the Netherlands. RDC, a company that provides car maintenance and garage services, disclosed that it had been breached. The personal information of more than 7 million car owners is now being offered for sale in a forum that caters to cybercriminals.
Big Tech, social media division, had a day on Capitol Hill yesterday. Quartz reports that Facebook's Mark Zuckerberg asked the House for Section 230 reforms as a necessary step toward enabling social media to control disinformation. Computing quotes him as saying, quote, Congress should consider making platforms' intermediary liability protection for certain types of unlawful content conditional on companies' ability to meet best practices to combat the spread of this content, end quote. Google CEO Sundar Pichai and Twitter's boss Jack Dorsey also testified. Both emphasized all that their platforms were doing to restrain and moderate disinformation and incitement. They did not join Mr. Zuckerberg's call for Section 230 reform, which suggests that in the industry, Facebook is on its own.
General Nakasone, director of the NSA and head of U.S. Cyber Command, yesterday told the Senate Armed Services Committee that adversaries increasingly use U.S. infrastructure to conduct their attacks, recognizing that domestic communications constitute a legal blind spot for U.S. intelligence collection, according to Breaking Defense.
NSA, by law and policy, doesn't monitor U.S. networks.
Nakasone told the committee, quote,
We should understand what our adversaries are doing.
They are no longer launching attacks from different parts in the world.
They understand that they can come into the U.S., use our infrastructure,
and there's a blind spot for us not being able to see them, end quote.
It's not necessarily NSA that should be looking at cyber operations conducted from inside domestic infrastructure. It's just that someone should, and that whoever does needs the technology and authority to cope with a nation-state adversary. Nakasone said, quote, what I'm identifying right now is that our adversaries understand that they can come into the U.S. and rapidly utilize an ISP, come up and do their activities, and then come down before a warrant can be issued, before we can actually have surveillance by a civilian authority here within the U.S. That's the challenge that we have right now, end quote.
General Nakasone also told the committee, C4ISRNet writes, that Cyber Command conducted more than two dozen missions to counter hostile foreign activity against the 2020 U.S. elections, quote, over the past year, I emphasized the importance of defending the election against foreign interference. U.S. Cyber Command conducted more than two dozen operations to get ahead of foreign threats before they interfered with or influenced our elections in 2020, end quote. He didn't specify the adversaries, nor did he go into detail about the nature of the operations Cyber Command conducted.
Nakasone cited three lessons learned from recent experience.
First, Cyber Command needs to be ready to act.
Quote, threats can arise rapidly and opportunities can be fleeting. Our ability to operate successfully in cyberspace is a function of streamlined processes, mission readiness, and the trust of our various mission partners.
Second, keeping Cyber Command and NSA under the same leadership brings significant benefits. The closeness brings the speed, agility, and flexible responses necessary to readiness.
And third, intelligence sharing with domestic and international partners is vital to successful defense.
A senior advisor to Russia's defense minister described U.S. policy as one of waging a psychological war against Russia that aims to destabilize the country's civilizational pillars, Reuters reports. Andrei Ilnitsky, who advises Defense Minister Sergei Shoigu, said in a television interview, quote, a new type of warfare is starting to appear. I call it, for the sake of argument, mental war. It's when the aim of this warfare is the destruction of the enemy's understanding of civilizational pillars, end quote. His account of the U.S. target list is interesting. It includes President Putin personally, the institution of the presidency itself, the Russian army, Russian youth, and the Russian Orthodox Church. He said the United States was also using economic and informational measures in attempts to undermine Putin, the presidency, the army, the Russian Orthodox Church, and Russian youth. Subsequently asked for comment, a government spokesman, Dmitry Peskov, concurred. He said, quote, a deliberate policy to contain and keep Russia down is being pursued. It is absolutely constant and visible to the naked eye, end quote.
And finally, Reuters points, with an appearance of sober, measured alarm, to a reappearance of hacktivism on the threat landscape. Hacktivists have for some time been the junior member of the threat triad, well behind nation-states and criminals. Indeed, with the long goodbye of Anonymous and LulzSec over the past decade as they go into the big sleep of co-option by security services or recruitment into cyber gangs, it's grown easy to disregard hacktivism as a serious threat. They're still not nearly as big a threat as either spies or gangs, but hacktivists have recently grown friskier. Three recent incidents, Reuters says, show that hacktivism is being taken more seriously. There are, first, the collection of riot videos from the alternative social network Parler, second, disclosure of the Myanmar junta's surveillance apparat, and finally, the exposure of data from Verkada-networked security cameras.
The Verkada hack prompted a U.S. federal indictment of one Tillie Kottmann, a hacktivist living in Lucerne, Switzerland, who claimed a desire to expose the Orwellian reach of the surveillance state by direct action against security cameras used by corporations, and also by schools, houses of worship, mom-and-pop stores, and so on. Acting U.S. Attorney Tessa Gorman sniffed, quote, wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud, end quote. And her view is representative of prevailing opinion at the Justice Department.
And Anonymous itself has surfaced, putting in appearances on behalf of BLM protests and against police departments. As an anarchist collective, it's of course difficult to identify Anonymous, but at least in a rough and ready way, it appears it's back. An old Anonymous hand, Aubrey Cottle, has returned in action against QAnon, the conspiracy-minded group. QAnon's reported attempt to hijack the Anonymous brand on behalf of its own causes seems to have energized OG Anonymous.
Researchers at ICS security firm Dragos recently published their 2020 ICS security year in review.
It's the topic of this week's Research Saturday podcast with my guest,
Dragos Vice President of Threat Intelligence, Sergio Caltagirone.
Here's a preview of our conversation.
We've been doing this report for three years now. Obviously, Dragos has been around for four and a half years. And, you know, really one thing we've always looked at is other vendors and other members of the community who have been able to put together real data points about cybersecurity. And I think that we all, you know, in this space, we all have all of these anecdotes about stuff happening. And that's great, but anecdotes don't make good policy. And I think that's true almost everywhere. And what Dragos really wanted to do was say, hey, look, ICS and operational technology, the systems that run our power, our water, our food manufacturing plants, and they keep us safe and healthy, and they produce drugs in pharmaceutical factories and so forth. Like, we need data about that too. It's not just about email systems being compromised or, you know, web browsers or, you know, zero days affecting, you know, your, you know, Zoom or whatever. You know, it's really about, you know, how are we doing in the industrial sector specifically? Because it is a very unique one. And so every year now we've done a report and it's a bear, man. I got to tell you, it's one of the hardest things I do because it takes so much work to really pull apart. After a whole year of work, it's hard to pull apart and step back after you're like, you fight fires every day and you step back and you're like, okay, what really happened this last year? Of course, 2020 being unique in that we have all these other global events that have been placed on top of us as well. And so, you know, it was really a good opportunity to step back and ask the question, what's changed? But more importantly also, I think that's important, is what hasn't changed and what needs to change? And so that's why we put this together and we really try to make it data driven.
In terms of how we take action based on the information that you all have gathered here, to what degree are we behind?
Is this a Manhattan Project kind of thing where we've got to get all hands on deck and work on this? Or is there a more deliberate sort of, you know, rational kind of slow thing where we can plan and say, okay, you know, over the next X number of years, we are going to get to this point as a nation?
Yeah, that's a great question. And I want also to recognize that this isn't a U.S. problem, right? That this affects, you know, 7 billion people worldwide who use industrial control systems for reliable power and clean water and so forth. So, you know, this is a global issue. And when attackers attack a system in, say, India, and they affect an industrial control system there, they're learning how they attack industrial control systems elsewhere. So you see that very traditional threat proliferation problem. And so that's why we treat this as a, you know, we very much treat this as a global issue. I think what we've seen is especially with, say, the water treatment facility in Oldsmar, Florida, and with other incidents that happened last year and over the last couple of years, I think we're seeing increased urgency. Four years ago, Dave, when I think you and I first talked, this was very much a, hey, things aren't bad, you know, not bad yet. They're going to get worse. We can kind of see that. You know, we have time. I think that that clock is running out on us. And I think that we're not getting better fast enough. And I think the answer is that we are getting left behind. We had the opportunities, you know, four or five years ago to get better when we knew this was going to be a problem. And I think that we're not yet seeing the amount of acceleration to protect these environments that we should have. And my concern is that this is slowly turning from a, hey, you know, we can do this, it can be methodical, it can be improved, we can get better. And I've got to say over the next three to four years, this is going to turn into a Manhattan project. And this is the, this is, we are in a very important situation where we know what we need to do. There is no question that water treatment plants need to be protected. The answer is going to be, what do we do about it? And the answer is, it's coming, right? It's here, and it's going to come even more. It's going to come more often. So the answer is we need, first of all, Dave, the answer is visibility, visibility, visibility. I've hit it several times in this podcast so far. If you can't see it, you can't protect it. And so with that 90% statistic of most organizations don't even have the basic data to protect themselves, we have to start there. And if we don't start there, when we have an Oldsmar, we're going to get stuck in the same situation of something bad happened, but we don't entirely know what or how or when or so forth. And we need to get better at doing that. And that is our first step to understanding the adversaries and then to lay the foundation of greater defensive action as we move forth.
Well, I mean, big picture take-homes,
what do you hope people walk away with
after they've read the report?
One is that there should be public pressure generally
on public policymakers to improve the cybersecurity systems of public utilities.
That has to be a critical element of what we do.
In addition to that, private entities need to recognize the raw data here and say, okay, if we have a major incident, in 90% of the cases, we will have no idea what
just happened. And that is not okay if you want to be able to bring a plant back up online safely.
And so I think both from a market pressure, from downtimes and industrial operations,
stoppages and so forth, and disruptions, all the way back to the public utilities need to
be protected,
or we need to have reliable and safe electricity and drinking water, and so forth. I think we need
pressure on both sides to make industrial systems better. And so I think that there's a role for
everybody. There's a role for people reading this report and listening to you who are like,
I've never touched or I don't even know about industrial systems. Well, you know what?
Call your public utility commission and say, what are we doing about this?
Right?
Talk to your legislators.
Talk to your local governments.
Talk to people who have control over this happening for your communities.
You don't want to be in Oldsmar, Florida.
And in addition to that, the company leaders who are listening to this need to start looking at the data and say, wow, we have an industrial environment and this is coming at us like a freight train.
We should probably do something about it now.
So I think there's something in this report for everyone to take away and do something.
That's Sergio Caltagirone from Dragos.
Don't miss the rest of our conversation.
It's on Research Saturday this weekend.
And I'm pleased to be joined once again by Josh Ray.
He's the managing director and global lead of Accenture's cyber defense business.
Josh, it's always great to have you back.
Due to things that have been in the news lately, supply chain security has been top of mind for a lot of folks.
I want to check in with you, get some words of wisdom from you when it comes to supply chain security.
Yeah, Dave, unfortunately, this has been in the news lately and a pain point, obviously, for a lot of the clients that we're dealing with and helping them kind of work through this.
But, you know, supply chain security, whether you're talking about, you know, Avivor or NotPetya or now even SolarWinds, is really about an attack against the trust and confidence of our broader vendor ecosystem. And I'm not being overly dramatic when I say that it's actively under attack, but we have to stop thinking about this as if it's an IT problem. This is a business problem that has technical components to it. So one of the things that SolarWinds has really highlighted for us is that, you know, all companies across all industries really now need to take a hard look at the security of their vendors and evolve their security posture to, you know, prevent, detect, and respond to these supply chain types of threats.
So how does coming at this from a business point of view, how does that
change the way that you'll approach this particular threat?
I think we have to realize that this is not just for CIOs.
It's not the IT guy's problem.
If you develop or sell a product or a platform, this notion of end-to-end product security absolutely should be top of mind.
You really have to approach it with a series of both technical
and what I would consider probably the less sexy types of things
that you need to do around maintaining an accurate third-party vendor inventory
or review risk tiering and so on and so forth. And I think those are the types of things that
security programs need to adapt really as
an end-to-end operational model.
And what about going beyond compliance?
It's sort of the stereotype about checking the boxes to make sure you're
compliant. But I'm thinking, how many levels down do you need to go to have confidence that you're secure?
I can check my suppliers.
What about their suppliers?
What about their suppliers?
You see where I'm going with this?
Yeah, no, it can be an endless rabbit hole that you just keep going down.
I mean, so I'll give you an example.
So pen testing, for example, it's important.
And you need to adapt a program,
an application security program that takes into
and incorporates, say, the latest threat tactics.
Looking at the SolarWinds attack, for instance,
most of this code was injected at the point
where the software was being compiled.
How do you actually anticipate that?
I think you need to go as far as the threat is going,
or even more importantly, anticipate what that next move is going to be.
We would never have thought, maybe five or six years ago,
that you have to do that level of triage
within your application security testing.
But you absolutely have to now be able to do
very in-depth code reviews, again,
and incorporate the latest threat TTPs
into that application security program.
And then you need to do broader emulation and test all different parts of your
business. Everything from C-suite responses to your security operations center. So that when
there is an activity that requires you to act, you're not acting for the first time in a time
of crisis. You're able to communicate effectively with the regulator or reach out to your clients and so on and so forth.
I think it's easy for a lot of folks to feel overwhelmed by this.
Do you have any recommendations of some specific things that folks can put in place these days to get started?
Yeah, I think the first thing that organizations need to do is assign the proper level of priority to this business risk, right? So they have to create a dedicated function that focuses on this and fund it appropriately so that they can really protect their organization, right? So that's first and foremost. If executives are out there and they're listening, I mean, this is one of the things that I think you need to do now as a matter of course. But then there's a little bit more tactical things like reviewing and updating and enforcing your contracts to make sure that they define security behavior and breach notification. Assuring vendors' security priorities mirror your own to ensure that they take security as seriously as you do. And also, you're able to share your expectations and practices with them.
And then there's your normal, you know,
audits and reviews that you do.
But, you know, not just to kind of drive
this idea of compliance,
but really, you know,
enter into a conversation with your vendors
and treat them actually as real partners
because it's going to take all of us
to really, you know, come together and fight this problem.
All right.
Well, Josh Ray, thanks for joining us.
Absolutely.
My pleasure, Dave.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris
Thanks for listening. We'll see you back here next week.