CyberWire Daily - Cyberespionage, cybercrime, and patriotic hacktivism. The Heliconia framework described. Cyber risk for the telecom and healthcare sectors. Notes on the hybrid war. Predictions for 2023.
Episode Date: December 1, 2022
A new backdoor, courtesy of the DPRK. The Medibank breach is all over but the shouting (or, all over but the suing and the arresting). Risks and opportunities in telecom's shift to cloud. Cyber risk in healthcare. An assessment of Russian cyber warfare. Robert M. Lee from Dragos assesses the growing value of the ICS security market. Our guest is Cecilia Seiden of TransUnion to discuss their 2022 Consumer Holiday Shopping Report. And it's December, which means predictions.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/229
Selected reading.
Who's swimming in South Korean waters? Meet ScarCruft's Dolphin (ESET)
Medibank hackers announce 'case closed' and dump huge data file on dark web (the Guardian)
New details on commercial spyware vendor Variston (Google)
Risks and opportunities in telecom's shift to cloud. (CyberWire)
Moody's discusses cyber risk in healthcare. (CyberWire)
'Do something:' Ukraine works to heal soldiers' mental scars (AP NEWS)
Reformed Russian Cybercriminal Warns That Hatred Spreads Hacktivism (Wall Street Journal)
Cybersecurity predictions for 2023. (CyberWire)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A new backdoor courtesy of the DPRK.
The Medibank breach is all over but the shouting and the suing and the arresting.
Risks and opportunities in telecom's shift to the cloud.
Cyber risk in healthcare, an assessment of Russian cyber warfare.
Robert M. Lee from Dragos assesses the growing value of the ICS security market.
Our guest is Cecilia Seiden from TransUnion
to discuss their 2022 Consumer Holiday Shopping Report.
And it's December, which means predictions.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 1st, 2022.
ESET researchers yesterday published a detailed description of the Dolphin backdoor
currently being deployed by the North Korean APT ScarCruft against targets in South Korea.
Also known as APT37 or Reaper,
ScarCruft conducts cyber espionage against governmental, military,
and industrial organizations of interest to Pyongyang.
Dolphin makes its habitation in the cloud.
ESET concludes its report with this general assessment.
Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services. After being deployed on selected targets,
it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive.
One unusual capability found in prior versions of the backdoor
is the ability to modify the settings of victims' Google and Gmail accounts
to lower their security,
presumably in order to maintain account access for the threat
actors. During our analysis of multiple versions of the Dolphin backdoor, we saw continued
development and attempts to evade detection. While Dolphin has so far mostly been seen in South Korea,
other Asian countries should also be on the lookout.
This is no friendly flipper.
The gang that hacked Medibank, probably a reconstituted REvil,
the well-known Russian cybercrime gang,
has called game over on its dump site and has deposited all the remaining data it stole from Australia's Medibank,
announcing,
Happy Cybersecurity Day!
Added folder full. Case closed.
We'd like to say dasvidaniya and good riddance, mates, but unfortunately the world is unlikely to have heard the last of REvil.
The Australian Federal Police are continuing to pursue them intently and relentlessly, and we heartily wish them good hunting.
The AFP intend to solicit the help of the Russian authorities,
but this is probably a pro forma gesture.
There's little prospect of Moscow's organs handing over members
of one of Russia's large and active gangs.
Google's Threat Analysis Group has published a report
on a commercial spyware framework developed by a Barcelona-based company, Variston IT, which describes itself as a provider of custom security solutions.
The framework, called Heliconia, exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender.
While the vulnerabilities have since been patched, Google says it appears likely these were utilized
as zero days in the wild. An anonymous submission to the Chrome bug reporting program tipped the
researchers off to three distinct frameworks. Heliconia Noise is a web framework for deploying
a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation, while Heliconia Soft is a web framework that deploys a PDF containing a Windows Defender exploit.
Heliconia Files offers a fully documented Firefox exploit chain for Windows and Linux.
Moody's Investors Service released a report detailing the security implications of the cloud for the telecommunications sector.
The telecommunications industry was assessed to have a high-risk categorization for cyber risk.
However, the sector has been found to be more dedicated to cybersecurity, ensuring that human resources and funding are available.
Telecommunications operators enable broadband internet access and communications, so they are vital to the digital economy.
Zero-trust frameworks are increasingly being implemented within the industry to increase
security. Newer technologies, especially cloud-centric technologies, have brought new
capabilities but also bring with them a significant expansion
of the attack surface. Moody's has also released a sector comment on the not-for-profit and public
healthcare sector and the cyber risk associated with the industry. The not-for-profit healthcare sector
has a very high risk categorization. Digitization and the use of third-party software are growing,
keeping cyber risk elevated for the sector. The IBM Security Cost of a Data Breach report
is referenced, saying how the healthcare industry worldwide had the highest average
cost of a data breach 11 years in a row, with an approximately 30% increase in average cost from 2020.
94% of survey respondents reported having standalone cyber insurance,
but premiums continue to increase and limits are being put in place,
making the coverage less expansive.
Vetting third-party vendors is also important. While most respondents say they assess new vendors,
only 76% reassess current vendors.
The Economist has a long and thoughtful account of the fortunes of Russian cyber war.
One overarching observation is that such warfare is inherently difficult
and that it takes long and careful preparation to be successful.
So the disabling attacks against Viasat ground
stations in the opening hours of the war had been under preparation for months, as had the
subsequent wiper attacks against Ukrainian networks. These enjoyed some success, but that
success was short-lived and not easy to improvise going forward once the defenders were on the alert
for them. They did, however,
demonstrate that Russian cyber capabilities weren't negligible and hadn't been grossly
overestimated. But there's a flip side to this. Russian cyber operations, like Russian kinetic
military operations, also seem to have suffered from sloppiness, careless coordination, and overconfidence. These served
the operators poorly against a defender that proved capable, prepared, resilient, and ably
supported by allies and commercial partners. Ukrainian capability in defense shouldn't be
underestimated either. If Russian cyber operations have largely dwindled to nuisance-level fizzles since March,
Ukraine's defenders deserve a great share of the credit.
The Wall Street Journal has an interview with Dmitry Smilianets, a reformed Russian cyber
criminal who, having served his U.S. sentence, now works for security firm Recorded Future.
He offers some insight into the nexus between the Russian underworld and
Russia's security services, and on the ease with which criminal gangs shifted into nominal
hacktivist mode during Russia's war against Ukraine. The connection is close but complicated.
Smilianets said, if we talk about financially motivated hackers, what happens is directly or
indirectly, they know
someone from the government and they pass information or help in this or other cases.
It doesn't mean they're employed or it doesn't mean they're on a paycheck with the state,
but there is a connection. Sometimes we see it clear, sometimes not. And they needed little or
no inducement to turn to patriotic hacktivism.
The ransomware gangs found it an especially easy transition to make.
And finally, it's the first day of December.
Over on our CyberWire Pro website, we offer a compendium of predictions from industry experts about the way cybersecurity, its challenges, and opportunities are likely to change in the coming year.
Some of those changes are evolutionary, extrapolations of trends already visibly at work.
Others are more surprising.
And in no case will you have to cross anyone's palm with silver to get this fortune told.
Check it out at thecyberwire.com slash pro.
Coming up after the break, Robert M. Lee from Dragos assesses the growing value of the ICS security market.
Our guest is Cecilia Seiden of TransUnion to discuss their 2022 Consumer Holiday Shopping Report.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
Thanksgiving has come and gone, and here we are in the month of December, which means the holidays are upon us.
And for most of us, that means online holiday shopping. Cecilia Seiden is vice president of TransUnion's retail business,
and she joins us to discuss the findings of their new 2022 consumer holiday shopping report.
Consumers are much more concerned about fraud this year.
So it's really critical that retailers create a noticeably secure shopping experience
to make them comfortable while balancing the need for user experience and efficiency. As a lot more consumers have
been part of a data breach or they've experienced fraud, their concerns about fraud are rising and
their perception of security measures are evolving as well. The second is that while the pandemic
supercharged online shopping last year,
we're actually seeing a shift in how much holiday shopping consumers are planning to do online.
So while e-commerce is certainly here to stay,
the in-store experience is still very important across generations.
And then the third is that the stakes are much higher this year.
So expectations for a great online shopping experience
have raised the bar for what retailers need to deliver,
while at the same time lowering the threshold
for what drives consumers to abandon their carts.
Well, let's go through those one at a time.
I mean, in terms of consumer attitudes
and reassuring them that your site is secure,
what sorts of things are they looking for?
What can put them at ease?
Yes.
So we actually asked about their preferences
in terms of security features and what they'd like to see.
One of the features that they find the most reassuring
is two-factor authentication.
So one-time passwords sent by email or text.
80% of consumers cited those as being very important
or moderately important. There were also additional features that gave them comfort.
So biometric identification, such as a face ID or a fingerprint using their mobile device.
Image or text captchas were also features that could help in that respect. And then also knowledge-based
questions like, who's your childhood best friend? What was the first car that you drove where
supposedly only you should know that answer? So it seems as though we've really reached a
point with sophistication with the consumers where a username and password just isn't going
to cut it anymore. Yes, absolutely. And what I will say too is that
what might have previously been viewed as an inconvenience
and something that added friction to the purchase
is now actually being seen favorably.
People are looking for those measures
to know that that retailer is protecting them
and taking their identity and their data very seriously.
So 60% of consumers now have a
positive view of those measures with online retailers, which was an increase of 20% versus
last year. Wow, that's a really interesting insight. I'm curious about sort of the contrast
between in-person shopping and online shopping. As you mentioned, I think the pandemic drove a lot of people to online shopping. But
can you provide some color onto why that retail experience is still an important one?
Yeah, absolutely. So what we saw this year is that only 17% of shoppers plan to do nearly all
their shopping online, and that's down versus 31% of consumers in 2021. And we believe that's really driven by
a desire for normalcy after the COVID-19 pandemic, where a lot of consumers who perhaps might have
preferred to shop in the store were forced to adopt online shopping just for measures of health
and safety. And what we found especially interesting is that Gen Z actually is more likely to shop in-store than even millennials.
I would have expected to see a linear relationship along the generations.
And instead, we're seeing a little bit of a reversal of that trend.
And we think that this is due to Gen Z's desire for experiences and authentic brand engagement.
And that's really steering them towards those in-store experiences. So for the retailers, does that point to the importance of having
all their bases covered, of having that in-person shopping experience, but also
online as an option? That's exactly right. So people care about in-store. They want the stores
to be fresh. They want them to be clean, well-organized, easy to shop. They like that experience, but at the same time, there's certainly a subset of customers that are craving in their household, are much more likely to be shopping online.
But we're also seeing increasing growth in that sort of omni-channel shopping, curbside pickup and buy online pickup in store really picking up steam as well.
Did you have any sense for what causes frustration among the shoppers here?
As you mentioned, you know, leaving those carts abandoned.
Yes, we did. We probed into some of those reasons. So some of the main ones were really around
fraud, actually. So we saw that 31% of customers would abandon their cart due to fraud concerns,
which was a 72% increase from last year, and 21% would abandon their cart due to insufficient security on the site,
which was a 40% increase from last year.
Outside of those fraud-related reasons,
we also saw shipping costs, perhaps unexpected ones,
popping up at the last minute,
driving that desire to abandon the cart,
as well as payment issues and a poor website experience.
What are your recommendations then for the retailers? I mean, based on the information that you gathered here from consumers, how can they best go into this holiday season
and provide a good experience? Great question. So the first one that I would say is making sure
that retailers have visible signs of fraud mitigation to the consumer. So
some of those measures that we previously discussed, like two-factor authentication or
image and text captchas, are really important here. So maybe before, retailers thought that
solutions that were unobtrusive to customers were sufficient or even ideal. But I think it's
important now that consumers see proof that the merchant is
providing a safe environment in which they can transact. The second one, I would say,
is around that ability to quickly and seamlessly identify fraud. So many merchants have chargeback
management solutions or guarantees in place, which certainly protects them in the event of loss,
but it doesn't necessarily directly protect the consumer
or help the organization become more effective
at fighting fraud over time.
Some of those chargeback solution providers
are also incentivized to be really conservative
to minimize their risk,
which can yield overly high false declines
and lead to revenue loss for those retailers.
So I would recommend that merchants look beyond chargeback solutions to alternatives like device
risk, IP intelligence, behavioral analytics, and email and phone verification solutions.
And that can really help them mitigate fraud in real time while still being invisible and
seamless to the consumer and
privacy safe. And that can help the retailer with transaction results that help them make decisions
to allow a transaction, manually review them, or provide challenge questions, or actually deny that
transaction outright. So as e-commerce and card-not-present fraud continues to grow,
we expect that fraud and identity verification
will remain a priority for both consumers and retailers,
and retailers need to ensure that they're staying proactive
in fighting fraud.
The third one that I'll also mention
is not forgetting about in-store fraud,
especially now that more people are returning to the store,
and then omni-channel fraud
with the growing use of curbside pickup and buy online.
The omni-channel mechanisms are especially subject to exploitation because it's an easy
way for fraudsters to evade detection. They don't necessarily have to update their address,
which is a trigger for some fraud detection mechanisms. And that fulfillment window,
right, it could be a two-hour pickup, is often too short for many retailers to do a thorough
manual review. So that's where some of the solutions we talked about can also be very helpful.
That's Cecilia Seiden from TransUnion.
And joining me once again is Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to welcome you back to the show. I saw a recent report from an organization called Meticulous Research,
and they were looking at the industrial control system security market.
They're projecting that by 2029, that market is going to be worth practically $30 billion.
I wanted to get your insight on this.
Obviously, you're in the midst of all this.
What does this indicate here to you?
Yeah, so I'll give you the short answer,
and I'll give you the long, drawn-out, nuanced, overly complex answer that I always do.
But the short answer is, it's a good thing.
It's a good thing that people are seeing
that the size of the industrial market is huge.
And I think one of the mistakes that a lot of analysts made
when they first started looking at this space
is they asked the question not about what is this community,
what are they trying to accomplish,
what is the uniqueness here.
What they asked and said was,
how does this fit in my chart?
Where does this go in a wave or a quadrant or whatever?
What category is this?
And you would see the various things that pop up with,
yeah, there's firewalls, there's endpoint security,
and there's ICS security.
And it's like, what?
It's a whole other market.
It's not a category in your IT market.
So what the analyst firm is really articulating,
and a number of the ones that come out with these big kind of numbers,
what they're ultimately articulating is stop looking at this
as a category in IT security.
It is a whole new market, OT security.
You could have OT-specific firewalls, IDS, endpoints, whatever else.
Stop just thinking that that's a category
inside of your existing market, which is the good thing. The long, overly nuanced answer is,
I think most of these numbers are made up. And I'm very glad that the analyst firms are trying.
Somebody needs to try. But I've had to go through this exercise a bunch with most of these firms,
really smart investment bankers, etc. Because when you raise venture capital,
especially in the early stages,
one of your first questions is,
what's the total addressable market?
What's the size of the market?
Because VCs don't really invest in products normally.
They invest in big markets with good teams.
That's really what they're looking for.
And so that's a common question.
So I've done my own bottoms-up analysis
of based on just the companies above a billion in revenue
that are probably fundamentally going to invest
in these type of areas for our product-specific category.
For just the visibility detection response category,
looking at just the industrial industries
that we think are moving,
not all the ones that could be there,
but just the ones we think are moving,
and just the geos, and just the customers above a billion,
like all these qualifiers.
And we still came up with like a $40 billion number
that's considered bottoms up.
So that would imply that the top down number
is significantly higher than anything people's talking about.
However, I will tell you at the end of six years of doing this
that my final understanding is nobody knows.
And it's just really big. And I got to tell you, all the investments we've taken, probably my
favorite conversation so far was BlackRock. So BlackRock led our D round. They're one of the
largest, if not the largest, investor in the world, over a trillion dollars under management, etc.
They're big. And I remember having the conversation with the partner, and I was like, okay.
So anyways, here's the total addressable market and the size of it,
because I was going to go to the same crap that everyone always, and he stopped me and said,
Rob, I don't care. We're BlackRock. We know industrial's big.
Our point of view is it's kind of everything that touches physics.
It's huge, and there's no real
reason to even try to size this thing right now. It's big enough to go after. The question is,
why are you the right team? God, I love that. And I was like, okay, that I can dig into.
So long story short, I would expect there's folks that come out and go, oh, that number sounds too
big. I would actually be in the opposite camp going, I bet you it's tiny in comparison,
but when is the market moving?
What segments are you going after?
What geos, et cetera, all come into that.
So don't just think, this is a big, big market.
It's going to just be awesome.
No, sales cycles, customer acquisition costs,
all these things play in to how to look at this number correctly
from an investment standpoint.
Do you suppose that as time goes on, that this number will become clearer, that we'll
have more data to throw at these estimates?
Oh, absolutely.
I mean, as people realize what even is made up in industrial, they'll do that.
Like, I'll normally get on a call with people like, yeah, cool.
So we're doing like electric power and oil and gas.
I'm like, yeah, utilities.
I'm like, yes, and also rail systems.
And they're like, wait, rails have control systems?
And I was like, yes.
And we're doing data centers
with building automation control systems.
And they're like, wait, wait, what?
Underneath the cloud, too?
And so just anecdotally,
by how many conversations I have
with investment bankers, banks,
analyst firms, VCs, et cetera,
that we don't make it three minutes into the conversation
before I have to explain what all goes into industrial for them.
I'm going to say that they're not considering
all of industrial in these numbers.
And the numbers are usually very biased
by the companies that are already talking to you
or talking to those analyst firms.
Again, we've had this conversation before
where IT and security is talking about,
hey, let's talk about 5% or 10% budget increase to go after all this stuff.
And it's like, no, OT is this whole new mission set that you haven't been doing, but now with
the rise of digitization and connectivity, we have to.
Therefore, the budgets are going to be significantly larger going after a whole new mission set.
Boards are absolutely aware and understanding of that.
So your math, your calculation of what goes into it and the scope of it are both probably off.
Therefore, yeah, it's much smaller than reality.
And yes, over time it'll get more clear,
but I think that will be years in the making.
All right, well, interesting insights.
Robert M. Lee, thanks for joining us.
than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.