CyberWire Daily - Cyberespionage reported in Belgium. Low-sophistication attacks on OT networks. Healthcare ransomware attacks. Privateering defined. Advice for boards. And news of crime.
Episode Date: May 26, 2021
Hafnium visits Belgium. “Low-sophistication” attacks on operational technology. Updates on healthcare sector ransomware attacks in New Zealand and Ireland. Wipers masquerading as ransomware. “Privateers” are defined as a new category of threat actor. TSA’s new standards for pipeline security. The World Economic Forum has advice for Boards in the oil and gas sector. Rick Howard interviews Liza Mundy on her book "Code Girls - The Untold Story of the American Women Code Breakers Who Helped Win World War II". Joe Carrigan describes fraudulent search engine ad buys. And as one criminal is sentenced, eight more are arrested. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/101
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hafnium visits Belgium.
Low sophistication attacks on operational technology.
Updates on healthcare sector ransomware attacks in New Zealand and Ireland.
Wipers masquerading as ransomware.
Privateers are defined as a new category of threat actor.
TSA's new standards for pipeline security.
The World Economic Forum has advice for boards in the oil and gas sector.
Rick Howard interviews Liza Mundy on her book Code Girls,
the untold story of the American women codebreakers who helped win World War II.
Joe Carrigan describes fraudulent search engine ad buys.
And as one criminal is sentenced, eight more are arrested.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, May 26th, 2021. It's not all ransomware all the time, although it can certainly seem that way.
Sometimes it's espionage.
Reports out of Belgium say that the country's Federal Home Affairs Ministry came under attack as far back as April of 2019.
The apparent goal, the Brussels Times says, was information theft in the service of espionage.
The incident is under investigation, but sources connect it with Hafnium,
the Chinese threat actor believed to have exploited Microsoft Exchange server vulnerabilities.
Ransomware and other cyber attack tools have for some time been undergoing commodification,
being traded in criminal markets or offered through affiliate programs,
to operators who themselves lack the skills necessary to write effective code.
The same process may now be underway with respect to the compromise of operational technology,
FireEye's Mandiant unit concludes.
The researchers call these low-sophistication incidents, and while they don't usually have immediate physical effects,
they can still disrupt industrial processes that interact with business systems in particular.
They also express concern that low-sophistication attacks contribute to a normalization of attacks against OT networks.
Reuters reports that the group claiming responsibility for the cyber attack against the Waikato District Health Board has begun releasing what seems to be private patient information.
Authorities in New Zealand have been relatively tight-lipped about the incident,
but it's widely taken to have been a ransomware attack.
RNZ says the government has
stated that it won't pay the ransom and that the National Privacy Commissioner has directed all
district health boards to address the vulnerabilities the attackers exploited against the Waikato DHB.
In the other big ongoing ransomware attack against a healthcare organization,
the Irish Times reports that
Ireland's HSE is happy with the decryptors it's obtained and that some suspended services will
resume by tomorrow, although full recovery remains some weeks away. Ransomware has also been used as
cover for attacks whose motive is disruptive or destructive, not financial. The NotPetya
attacks of 2017 are a good example of this particular form of misdirection.
SentinelLabs is tracking the evolution of Agrius, an Iranian threat group active against
Israeli targets since last year, whose tools began as wipers disguised as ransomware.
In some respects, it's now apparently come full
circle. One of its wipers, Apostle, has recently evolved into what it was pretending to be,
fully functional ransomware, deployed against targets in the United Arab Emirates.
That said, as ZDNet points out, the point of the operation still seems to be disruption
of regional rivals as opposed to
simple financial gain. Speculation has placed the relationship between the DarkSide ransomware
operators and the Russian government on a spectrum that runs from inattention through incompetence
to corruption and on through toleration, permission, and encouragement, all the way to direction.
The reality probably lies somewhere in the middle, in the toleration-to-encouragement range.
There's a convergence of interests.
Russia sees a rival embarrassed and inconvenienced, and the gang gets a payoff,
in this case a bit more than $4 million.
With this incident in mind, Cisco's Talos Group has introduced a new threat category in recognition of what appears to be an emerging trend. They call the threat actors privateers
and describe them as actors who benefit either from government decisions to turn a blind eye
toward their activities or from more material support, but where the government doesn't necessarily exert direct control over their actions.
Talos is a bit starchy about the government role in all of this,
saying that the distancing in itself does not diminish the responsibility these governments share with these groups.
The researchers also distinguish privateers from mercenaries, operators whom a government hires for specific purposes.
The U.S. Transportation Security Administration is issuing new standards for pipeline security
this week, prompted by the Colonial Pipeline ransomware attack. The new regulations will,
according to the Wall Street Journal, have teeth for enforcement. Earlier standards were guidelines that relied
upon voluntary compliance. In this respect, the new system will resemble regulations under which
the electrical power industry currently operates. One of the central requirements of the new
regulations is expected to be stronger reporting. Voluntary standards aren't being ignored either. The World Economic Forum has published a white paper,
Cyber Resilience in the Oil and Gas Industry, Playbook for Boards and Corporate Officers,
that offers sector executives guidelines for handling threats like the one that disrupted Colonial Pipeline.
The white paper was prepared with significant input from security companies.
The white paper advances ten principles for boards in particular.
They include responsibility for cyber resilience, command of the subject, an accountable officer, integration of cyber resilience, risk appetite, risk assessment and reporting, resilience plans, community, review, and effectiveness.
The report also offers advice on implementation.
You can find the details on their website.
And finally, two notes on ordinary cybercrime.
The Record reports that Kirill Firsov,
30 years young and formerly proprietor of the now-defunct carding forum Deer.io,
was sentenced to two and a half years by a U.S. federal court in California.
Mr. Firsov took a guilty plea to one charge of unauthorized solicitation of access devices.
And Naked Security has the news that Britain's Dedicated Card and Payment Crime Unit
has collared eight suspects in a home delivery scam, one in which the fish bait is a notice
that appears to be from a trusted courier service,
like the Royal Mail, asking for help in making a delivery.
The fish hook is a link that takes the victims to a page
where they're invited to make a very small payment, pennies really,
but of course that payment is not the goal.
What the scammers are after is the victims' pay card details.
What follows is easily imagined.
Should the suspects be convicted, we trust they'll be detained at Her Majesty's pleasure.
My colleague Rick Howard continues this week's series of interviews with authors of well-known cybersecurity books.
Here's Rick with the latest.
It's Cybersecurity Canon Week here at the Cyber Wire.
And unofficially, all of the Cyber Wire staff members are referring to this week as Shark Week for cybersecurity books.
Because the Cybersecurity Canon Project has announced the author selectees for the Hall of Fame Awards in 2021.
And I'm interviewing all the winning authors.
Each day this week, you will get a taste of the winning author interviews here in this daily podcast segment.
But you can listen to the entire long-form interviews as special episodes in my CSO Perspectives podcast,
only available to the CyberWire Pro subscribers.
Today's interview is with Liza Mundy, the author of Code Girls, the untold story of the American women codebreakers
who helped win World War II. I've been a fanboy to the codebreaking efforts at Bletchley Park
during World War II for many years now. Alan Turing is a personal computer science hero of
mine, and I first heard about his Enigma-busting exploits against German codes
in my favorite hacker novel of all time, Cryptonomicon,
written by the Cybersecurity Canon lifetime achievement winner, Neal Stephenson.
I always knew that there were like-minded efforts going on in the Pacific theater.
I had heard rumors of the Americans breaking various codes,
like the team working for William Friedman, solving the Japanese Purple Code,
and the efforts of Joe Rochefort
breaking the JN-25 code
that led to the victory at the Battle of Midway.
But I never stumbled upon any books
that told the complete story.
Well, now I have.
Code Girls by Liza Mundy is a treasure.
When I got Liza to the CyberWire Hash Table,
I asked her about what compelled her
to write this book.
Once I learned about the story of 10,000 women being recruited to come
to Washington during World War II, many of them former school teachers and or college seniors,
I couldn't resist telling the story. I couldn't believe that the story hadn't already been told
in the many books that existed on World War II code breaking. The remarkable characteristic
about the Code Girl story is that despite the heroic efforts of Friedman and Rochefort,
the day-to-day work of deciphering Japanese and other nations' codes during World War II
was largely done by American women, civilians at first, and then in
collaboration with the newly formed WAVES, or Women Accepted for Volunteer Emergency Service
in the United States Naval Reserve, and the WACs, the Women's Army Auxiliary Corps, that both came
into service in 1942. While military and civilian men mostly got the credit, it was these remarkable
women who ran the show,
and their efforts were so secretive that many of these women went to their grave without telling their loved ones what they did during the war.
Family and friends thought that the Code Girls simply performed administrative work.
In the book, Liza is able to tell the stories of some 20-plus women,
what they did with their code-breaking efforts, and how they lived their lives during the war. I asked Liza about the decision made by military leaders to inject 10,000 women
into the code-breaking war effort. In other words, what was the catalyst?
Well, obviously, Pearl Harbor was a terrible surprise to the United States. It was the event
that launched us into World War II, and it was also a massive intelligence failure. And at
the very same moment that we were sending tens and ultimately hundreds of thousands of young men
out to fight in all corners of the world, crossing these major oceans, we knew how inadequate our
intelligence gathering abilities were. And we had to ramp up our signals intelligence
really overnight in order to
make sure that another Pearl Harbor didn't occur. And before the war, it would have been young men
who were recruited to do this work, but they were suddenly unavailable. And so when I was doing my
research for the book, I found a document in which you could see the light bulb moment going on above
a naval official's head. It read, It was the recruiting document for the Navy's
code-breaking service, and it read, new source, women's colleges. And so for the first time in
American history, educated women and bright women were allowed to show what they could do.
I want to give a full-throated endorsement for this book. It opens up a history into World War II
that I didn't know about before,
and it makes the case that women don't have to break into the cybersecurity industry.
They have been here from the very beginning. The book is called Code Girls, the untold story of
the American women codebreakers who helped win World War II. The author is Liza Mundy,
and she is the newest author addition to the Cybersecurity Canon Hall of Fame. And if you
are interested in the collection of Cybersecurity Canon Hall of Fame books, plus all the candidate books,
and even the best novels with a cybersecurity theme, check out the Cybersecurity Canon website
sponsored by Ohio State University at icdt.osu.edu slash cybercanon, all one word, and with one N
for canon of literature, not two Ns for machines that blow things up.
And if that's all too hard,
go to your preferred search engine
and type cybersecurity canon in Ohio State University.
And congratulations to Liza for her induction
into the Cybersecurity Canon Hall of Fame.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
Interesting article. This is from the folks over at The Record by Recorded Future.
And they're sharing some information they got from the FBI about some folks trying to spoof some banks here.
What's going on here, Joe?
It is an FBI, what they call a PIN
alert, a private industry notification. I don't like the overloading of acronyms, Dave.
But it's called a PIN alert. And it is, unfortunately, the record actually can't share
the entire alert because of sharing restrictions from the FBI. But they've been notified, and they are talking about
some of the things that are going on in here. And what we're seeing is something you and I have
talked about for about the past year. This is something that's relatively new in social
engineering attacks, is search engines that sell ads are selling ads to malicious actors who are
linking to lookalike sites for financial
institutions. So if let's say you have an account with Bank of America, for example,
and you go to Google and you type in Bank of America, because that's what we do, right? We
don't actually go to our web browser and type in bankofamerica.com. We go to Google and type in
Bank of America and Google gives us the link. But at the same point in time, they also give ads, and people are buying ads that then link to a phishing page.
And I'm actually seeing this a lot.
When I'm searching for something, this has happened to me.
I'm a customer of Comcast, and when I call or when I Google Comcast customer support, the first link is not Comcast customer support.
It's an ad to something else trying to sell me like Internet services or something.
Right, right.
And that's the second link.
The actual first search result is Comcast customer support.
But the first thing I see is an ad.
And these ads are particularly malicious.
And they're doing, the FBI says that they're doing two things.
One, they're actually purchasing the ads.
And two, they're using search engine optimization on fake sites.
So they're just letting these search results bubble up to near the top of the search page to see if they can get people to click on them, basically for free.
So they don't have to buy the ads.
In both versions of these schemes,
the spoofed portal prompts the customers to enter a bunch of information. First off,
their account credentials, their telephone number, and then their security questions.
And then these actions, of course, fail to grant access. At that point in time, the account holder,
the victim here, would get a phone call from the malicious actor here who
falsely claims to represent this institution that they've been trying to access. So in our example,
you have a Bank of America account. You click on the fake Bank of America link. You enter your
username, your password. They ask you for your birth date, your telephone number, all this other
stuff. And blood type. Right, blood type, exactly. And then you don't get in and you get a phone call from these guys.
While they're on the phone with you, Dave, they're actually logging into your bank account using all
the information. And if they encounter anything at this point in time, this is my speculation,
but one of the reasons they keep you on the phone is if they encounter anything in the authentication process or the password reset process or whatever it is, they're going to ask you about that to verify some more information.
And they're going to just enter it, and they're going to get right into your account, at which point in time they just start initiating wire transfers out of your account.
And the FBI says they have found that these people have taken hundreds of thousands of dollars out of people's accounts.
Yeah.
I mean, one of the things that I think is particularly troubling here is that, you know, we talk about over on Hacking Humans all the time that if you get a link to something in an email, for example, let's say you get an email and they're saying that they're from your bank.
Right.
Let's say Bank of America or whoever you do your banking with,
our recommendation is never click that link.
Instead, go to your web browser and put in the website
and go directly to their website.
In a way, this is short-circuiting that
because it's relying on people's either the tendency to, as you say,
just search for the name of the bank.
Because if you fat finger it and you misspell it, you know, Google's going to be your friend
and correct it for you. Right, right. But this, by sort of inserting themselves either
through the ad process or just through natural search engine optimization, they're having the bad websites bubble up to the top. Right. Absolutely. And I don't know who to blame here, who to point the finger at.
Obviously, I don't want to blame the victims. They're actually being victimized by these
criminals. But I'm wondering if these ad companies bear some accountability here.
These guys absolutely do not vet any ads that they get. They could not possibly do that.
Um, you look at Google's, uh, revenue streams and advertising is the biggest revenue stream.
They have millions of advertisers and they don't have people that can go in and look
at all these things.
They might be able to write some AI algorithm about it, but, you know, to see if this is,
uh, something impersonating a banking site.
Um, but, but they're not. They're not doing that.
And I'm sure that they're working on it
because I don't genuinely believe
that Google wants this to happen.
This is bad for Google,
and I think they're probably working on something
to stop this.
But in the meantime,
they're letting people get abused this way.
Yeah.
Yeah, I think it's another example
where also a password manager can help you out.
Absolutely.
Because if you go to the fake website and summon your password manager to try to fill it in,
most password managers will say, well, hold on here a minute, cowboy.
This is not the site that I had.
This is not where we usually go to log in here.
Are you sure you want to do this?
Right.
Yeah, that is especially true with the browser integrated password managers.
Yep. Yep. So another vote for password managers there. All right. Well, it's an interesting story. Again, it's over on The Record by Recorded Future. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.