CyberWire Daily - CISA releases three ICS Advisories. Squealing cars. Rotate your secrets. Russian cyberespionage updates.
Episode Date: January 6, 2023

Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/4

Selected reading.
Hitachi Energy UNEM (CISA)
Hitachi Energy FOXMAN-UN (CISA)
Hitachi Energy Lumada Asset Performance Management (CISA)
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
Toyota, Mercedes, BMW API flaws exposed owners' personal info (BleepingComputer)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek)
Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future)
CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI)
CircleCI warns of security breach — rotate your secrets! (BleepingComputer)
CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News)
CISA director: US needs to be vigilant, 'keep our shields up' against Russia (The Hill)
Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News)
Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED)
Turla: A Galaxy of Opportunity | Mandiant (Mandiant)
Fallout from Guardian cyber attack to last at least a month (ComputerWeekly)
State of Ransomware Preparedness (Axio)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Security vulnerabilities in automobiles.
CircleCI customers should rotate their secrets.
CISA Director Easterly notes Russian failures but warns that shields should stay up.
Attempted cyber espionage against U.S. national laboratories.
Turla effectively recycles some commodity malware infrastructure.
Robert M. Lee from Dragos shares his outlook on ICS for the new year.
Our CyberWire space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space cyber.
And The Guardian continues to recover from last month's ransomware attack.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, January 6th, 2023.
Happy Friday, everyone. Good to have you along with us here.
Let's open with a quick and easy one, courtesy of the good folks over at the U.S. Cybersecurity and Infrastructure Security Agency, that's CISA. The agency yesterday released three industrial control system advisories.
They affect Hitachi systems. Visit CISA.gov for the details.
Over the course of 2022, a security research team led by Sam Curry found vulnerabilities
affecting vehicles from 16 leading car manufacturers. The manufacturers have since released patches for the flaws,
and Curry's team earlier this week
published an extensive write-up on the vulnerabilities.
The type and severity of the vulnerabilities varied by model.
In some cases, an attacker could unlock the car,
start the engine, report the vehicle as stolen,
or track the car's location.
In addition to vulnerabilities affecting individual cars, the researchers discovered API vulnerabilities that could grant
an attacker access to sensitive company accounts. Bleeping Computer notes that BMW and Mercedes-Benz
could have been affected by company-wide single sign-on vulnerabilities that might have enabled attackers to access internal systems.
So, of course, your tires squeal when you're peeling out,
but your car might be squealing on you,
even if you drive like the little old lady from Pasadena.
Scratch that, we just remembered that the little old lady from Pasadena
was the terror of Colorado Boulevard.
But anyway, squeal.
Get it? Like the noise.
And then squeal, like snitching.
Yeah, get it?
Okay, I know that's unnecessary,
but our auto parts desk over on the editorial side loves the obvious explanation
because they think everyone else is as slow on the uptake as they are.
You've got no idea what we deal with around here sometimes.
Continuous integration and continuous delivery platform CircleCI
has disclosed a security incident that began on December 21st,
Bleeping Computer reports.
The company hasn't released many details about the incident,
but customers are asked to rotate any and all secrets
stored in CircleCI as soon as possible.
CircleCI also says that it's confident that the risk has been eliminated
and the company is working with third-party investigators to validate the steps and actions of their investigation.
CircleCI concluded,
While we are actively investigating the incident, we are committed to sharing more
details with customers in the coming days. The Hill reports that U.S. Cybersecurity and
Infrastructure Security Agency Director Jen Easterly yesterday warned that while Russia
clearly miscalculated its decision to go to war in Ukraine and that its cyber operations have
fallen short of expectations, these shouldn't
be grounds for complacency. She said during a panel discussion at the Consumer Electronics
Show in Las Vegas, it looks like it's not going to end anytime soon. We need to continue to be
vigilant, keep our shields up, and ensure that we are putting all those controls in place.
And, as if on cue, there are fresh reports of Russian cyber espionage.
First, Reuters describes a cyber espionage campaign carried out by the hitherto little-known threat group researchers track as Cold River.
The group is circumstantially but convincingly linked to Russian intelligence services,
possibly the FSB,
although that's unclear, through its russophone operations and location. The effort involved
attempted social engineering of U.S. nuclear researchers at the Department of Energy's
Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The campaign peaked in
August and September as Russian President Putin's nuclear
threats reached their peak. It's unknown whether the campaign enjoyed any success. Reuters says
that both the Department of Energy and the FSB declined to comment. Mandiant has found that
Turla, a familiar threat actor associated with Russia's FSB, is piggybacking offensive cyber operations on some old commodity malware.
Turla is using Andromeda malware distributed through infected USB drives
to selectively install the KOPILUWAK reconnaissance utility
and the QUIETCANARY backdoor in Ukrainian targets.
Re-registration of old expired Andromeda domains has proven
particularly useful. As Wired points out, Andromeda is a commonplace banking trojan
criminals use for credential theft. The researchers conclude, as older Andromeda
malware continues to spread from compromised USB devices, these re-registered domains pose a risk
as new threat actors can take control
and deliver new malware to victims.
This novel technique of claiming expired domains
used by widely distributed, financially motivated malware
can enable follow-on compromises at a wide array of entities.
Further, older malware and infrastructure
may be more likely to be overlooked by defenders triaging a wide variety of alerts.
The campaign represents the first time Mandiant has seen Turla in operation against Ukrainian
targets during the present war. The group seems to be using earlier battle space preparation to
pick targets of strategic interest to Russia, but Turla also seems to be acting in haste,
and with the disregard for operations security that haste normally exacts in trade for quick results.
And finally, The Guardian continues to
recover from the ransomware attack it disclosed on December 21st,
and the news outlet expects recovery to take at least a month.
Computer Weekly shares widespread speculation
that The Guardian's coverage of Russia's war in Ukraine prompted the attack,
stating,
It can also be fairly said that reporting on major international incidents
such as Russia's war on Ukraine
may leave a title exposed to malicious actions by Russia-backed or aligned groups.
We wish The Guardian a speedy recovery.
Coming up after the break, Robert M. Lee from Dragos shares his outlook on ICS for the new year.
Our CyberWire space correspondent, Maria Varmazis, interviews Diane Janosek from NSA about her research on space cyber.
Stay with us.
According to the United Nations Office for Outer Space Affairs,
there are over 8,000 satellites orbiting the Earth, about half of them active.
Depending on their age, there is a whole spectrum of sophistication and security, or lack thereof, built into these devices.
Our space correspondent Maria Varmazis spoke with the NSA's Diane Janosek about her research on the security of the objects in space.
My name is Dr. Diane Janosek. I currently work for the National Security Agency for the Department of Defense as a senior executive. But I'm talking here in my personal capacity on my research that I did for my
PhD in cybersecurity with space security. And I just love this space, literally. So I'm so excited
that you asked me to come talk to you today, Maria. I'm really thrilled to be speaking with
you because this is such an exciting area and that you have expertise in this is just fantastic.
So one of the many papers that you published, one of the ones I wanted to talk to you about today was about nanosatellites and your paper, Nanosatellite Constellations Will Revolutionize IoT.
And I'm sure our CyberWire listeners are familiar with IoT, but probably a lot less nanosatellites.
So can we start there, just real basic? What do we
mean when we talk about nanosatellites and how are they being used? So a nanosatellite is what
you would think in terms of nanotechnology. They're small satellites. Usually you think of big, huge
satellites, you know, that could take up a whole room or the size of a house almost in terms of
when it's being launched. A nanosatellite could
be the size of a shoebox or they even say sometimes as small as a pizza box. Nanosatellites or cubesats
because sometimes they're in the form of a cube, they're ruggedized in order to be postured for
the dense heat and the dense cold that you have in outer space. They're ruggedized enough to be
placed into orbit for two to five years.
In the context of IoT, how are they being used right now?
So this Internet of Things is now using the celestial-based
nanosatellites constellation for access for the data transmission. If you think about it,
you know, IoT devices are small things, right? They're
security cameras, printers, conference room tablets, remote property sensors, coffee makers,
doorbells, door openers. They have low bandwidth requirements, right? So you don't need huge
systems to transmit that information. So there's, as long as you have the ability to transmit
low density, a type of transmission of data, that's when you
would look to nanosatellites. So as we scale up IoT connections, connectivity with all these
nanosatellites in orbit, are we sort of scaling up also the threats that these IoT devices face?
Like, are we ready to take all these on? How are we doing with that? So people were not thinking before that a coffee maker could have the ability
for someone to access your home network. But when you came to a coffee maker, the original ones had
IoT capacity. They realized they could actually, someone from the outside could physically outside
your house could get access to what's going on inside your house on your home network.
So IoT devices themselves, because it's usually not a lot of
data, not a lot of sensitive data, you certainly wouldn't put your crown jewels on there. It should
be okay. You don't need much security, right? The data is not worth that much money. Well,
what happened was people realized, well, that can be true, but it also cannot be true.
There was an incident with the casinos out in Las Vegas,
and one of the casinos had a beautiful fish tank. And that fish tank had an IoT thermometer to keep the fish to stay alive. Well, through fancy footworking and long lead time,
the hackers were able to get through the thermometer of the IoT
device on that casino. They went through about a couple of different systems to get to the
financial side and their money systems and were able to hack it. That opened up a new paradigm
because it realized it just opened up the aperture in terms of the landscape for vulnerability.
And so people were
not really thinking about that before. So that's where people started thinking, oh my gosh, we
better start thinking about cybersecurity and IoT devices because they're going to be connecting
to something else that connects to something else. And then what it connects to may be worth a lot
of money, could have a lot of privacy data, could have a lot of sensitive information,
trade secret information.
So they realize, okay, they have to start thinking about embedding more security into IoT devices.
So now companies have been thinking that way. So cybersecurity and IoT devices is necessary.
And it's necessary, whether it's terrestrial-based internet or the satellite internet.
Absolutely. And it's a great segue to a question
I had. At the end of your paper, you wrote that you urge countries, especially the United States,
to prepare in securing digital communications with nanosatellites and perhaps try to adopt
something like a satellite IoT legislation, which would be maybe akin to the IoT Cybersecurity
Improvement Act of 2020, which was aimed at improving baseline IoT security.
What would you like to see in legislation like that or a satellite IoT legislation?
So nanosatellites have to be launched.
If we make the launch process and the reentry process so difficult and so expensive,
companies are not going to choose to work with the United States.
So the way that it works now is wherever you are launched from, you're under the jurisdiction of
that country. So whatever launched on U.S. soil is considered to be under the jurisdiction of
the United States. So if we make our control and regulation so much harder, we will not have that innovation in the United States. You might have the design in the United States, but then they take it somewhere else to launch it and to monitor it and to maintain it.
do want to meet that sweet spot, right? So at some point, there has to be a risk calculus for these launching of the nanosatellites where the regulation is not as high so that companies
continue to do business in the United States and that the power of our innovation and our
technical spirit and our tech savvy and our network security savviness and software security
and cybersecurity, those companies can do that in the United States and
launch and maintain it all the way through the life cycle of that particular nanosatellite system.
So that's what I would encourage. I would encourage less regulation on some of the smaller things so
that we stay ahead of this game and that the United States stays postured for success. If
you're looking at a $4 trillion industry
by the year of 2040,
if they all pick up and they go somewhere else,
it's not going to be very good for Americans, right?
We want to keep that type of innovation
occurring right here in our backyard
and manage it.
And, you know,
we could impose some type of cybersecurity regulation
in terms of the transmission of the data.
But if they're somewhere else, U.S. regulation won't help anybody, right?
You can't regulate a foreign country in terms of how they transmit and secure their information.
So we want to keep them in the United States, encourage them to innovate here, encourage them to produce here,
to launch from here, to transmit to and from here,
and then, you know, and keep that income and capitalism alive and just the, you know,
the innovative spirit and entrepreneurial spirit
that we have in the United States alive.
I really appreciate your perspective on this.
And it's a fascinating field where, as you've noted,
we're going to see a lot more, so much more growth
and a lot more innovation.
So watch this, watch the space space.
Watch the space of outer space.
Exactly.
Diane, thank you so much.
I really appreciate you taking the time to speak with me today.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews. And joining me once again is Robert M. Lee. He is the CEO at Dragos.
Rob, welcome back. Always a pleasure to have you here.
I want to check in with you on your outlook for 2023.
As you and I record this, it is the beginning of the new year.
What are you hoping to see happen this year?
Yeah, in general, I hope to travel less and see my kid more.
But in terms of...
Fair enough.
Yeah, maybe in terms of the security industry,
I think that the macroeconomic condition and what
that means for financing and venture capital and late stage capital and similar, it's going to have
a pretty big effect on companies. Kind of the last couple of years when interest rates were
basically 0%, it essentially made for free money in terms of investment.
And there was a mentality across a lot of tech companies,
including cybersecurity companies,
that you should do growth at all costs.
And they were encouraged to do that.
How fast can you burn through the money?
How fast can you add growth?
Because money is unlimited, we'll fund you.
When the economy and the financial markets
then crashed, was sort of corrected,
then you started seeing valuations
adjust, and you started seeing a focus
on efficiency, and you started seeing
a focus of these companies of trying
to right-size their businesses for the
new economic conditions.
When people look at that, I hear from
young startup
CEOs and others about,
oh yeah, this is a temporary blip
and then we're back to normal.
I'm like, no, no, no, this is normal.
This is the normal period.
The 0% interest rate, money is free,
was the abnormal period.
You do have to have fundamentals and unit economics
and an understanding of your business
to be able to operate it.
So what does that mean for the larger public?
Well, it means that sort of the downside is
you won't necessarily have as much innovation.
If there's not as many companies getting funded,
there's going to be the same percentage maybe
of innovative tech and companies,
but a lower number of those, right?
Less funded companies, less new ideas.
However, I think you will see companies
also move to the side.
There's a lot of companies that shouldn't have been funded
that were the fifth, sixth, seventh iteration
of the same idea in a crowded market
or just a really niche thing that never had a market
in the first place, but it was an interesting idea.
And they were taking money from folks,
they were hiring people,
and sort of taking oxygen out of the room, if you will,
from those companies that were already doing well
and should have been moving forward.
And so I think you will see both pros and cons in that.
I think the pro being the good companies
will probably get stronger in this period
and be able to attract the talent they needed and so forth.
I also think some level of market correction is appropriate with salaries and so forth.
That's not always an easy topic.
Some people definitely are underpaid, but there are some tech companies that were way
overpaying and inflating the rates where even local banks and utilities and others just
couldn't afford cybersecurity talent
because of the wage inflation.
So I think we'll see corrections across the board.
Again, what that means to everybody else
is I also think that we will start to see
opportunities open up that are more appropriate
for people across the cybersecurity community.
So we'll find people that unfortunately
have a hard time, got laid off or similar,
but I think they'll be able to bounce back quickly in this market and find more stable
companies and better careers, better paths, and be able to
do some new and cool things. I also would argue that we
should probably see a reduction in some of the silly stuff
where everybody has their own conference, everyone has their
own podcast, everyone has their own swag store.
It almost became all of the things around cybersecurity
versus cybersecurity with some of these companies.
And some of that can be fun and morale,
and some of it can just be way over the top.
And I think we may return to a bit of moral normalcy,
which especially for those that do the conference circuit,
I think that would be welcome for everybody.
I know that's not like cybersecurity, like, well, what's the latest attacks?
That's kind of all the normal stuff. I think what we're experiencing right now, though, is far more strategic
for what the industry and community will experience this next year.
What about in your specific neck of the woods, in terms of industrial security?
How do you think things are going to shake out there?
Oh, they're great.
And so I really feel empathetic for folks in various industries
and what they're going through.
And so I don't want to be like popping bottles of champagne
when other people are experiencing hardship.
But from our standpoint, everything has been super good.
First of all, industrial companies are weathering the storm
and the economic conditions pretty well.
You think about electric utilities, pharmaceutical companies,
oil and gas companies, et cetera, are needed by society
and so they're having good years.
And so they have the resources to spend,
or most of them have the resources to spend on security.
And then the other reality is most CEOs,
board of directors, and governments are realizing
that most of the cybersecurity money has gone
to the non-critical part of critical infrastructure.
The IT networks are very, very important,
but not as important, not more important
than the actual operations networks.
And so that, from the pandemic and remote working
to digital transformation to ransomware,
to name your flavor,
there was a bunch of things and compelling events
that highlighted to the executive staffs
and government staffs around the world
that OT wasn't getting the attention it needed.
So we're seeing a boon, if you will,
of investment into OT security,
even as these conditions exist.
So I think these companies will be very thoughtful about it.
Don't expect, here's my blockchain AI app.
Like, get out.
They're not going to invest in stupid stuff.
But also, I have to apologize to you.
I'll do a quick tangent.
I know that there's certain things I'm not supposed to say
on the podcast, like EMP.
EMP, blockchain AI, you and I start getting angry emails every time.
The letters, Rob, the letters.
What are we doing about the EMP?
And everyone's like, why are you doing Southern accents?
Because I'm from Alabama.
Like, get over it.
Anyway, so the reality of the situation, though, is, yeah,
there's a lot of investment going on in industrial infrastructure,
as we would expect.
But I do think that companies will be more thoughtful
and precise about their other infrastructure stacks.
As an example, if you already have 15 products
deployed across your IT network,
is that 16th really going to do a net risk reduction
to justify the budget right now in these economic conditions?
That's going to be hard to justify.
But you only have a firewall for your OT network.
It's probably pretty easy to justify the next two or three items in that spend.
All right. Well, Robert M. Lee, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Marissa Atkinson from Flashpoint.
We're discussing the RisePro stealer
and the pay-per-install malware PrivateLoader.
That's Research Saturday. Check it out.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy,
Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.