CyberWire Daily - Electioneering, domestic, but with international implications. The Mirai botnet is exploiting OMIGOD. Container shipper sustains data breach. Odd ads. Phishing with Mr. Musk’s name.
Episode Date: September 20, 2021
Cyber electioneering, in Hungary and Russia, the latter with some international implications. The Mirai botnet is exploiting the OMIGOD vulnerability. A shipping company deals with data extortion. Government websites have been serving up some oddly adult-themed ads. Malek Ben Salem from Accenture has thoughts on quantum security in the automotive industry. Our guest is Padraic O'Reilly of CyberSaint to discuss concerns about the Defense Industrial Base. And no, there's no such thing as the Elon Musk Mutual Aid Society. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/181 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Cyber electioneering in Hungary and Russia, some international implications.
The Mirai botnet is exploiting the OMIGOD vulnerability.
A shipping company deals with data extortion.
Government websites have been serving up some oddly adult-themed ads.
Malek Ben Salem from Accenture on the quantum threat in the automotive industry.
Our guest is Padraic O'Reilly of CyberSaint to discuss concerns about the defense industrial base.
And no, there's no such thing as the Elon Musk Mutual Aid Society.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, September 20th, 2021.
Elections in both Hungary and Russia appear to be accompanied by disturbances in cyberspace, either hacking or suppression by policy, or a mix of both.
Barron's reports that Hungary has delayed its first opposition party primary until September 28.
According to Yahoo News, the opposition says the delay is due to a cyber attack
for which it blames Prime Minister Orban's government,
with the possible involvement of Chinese operators.
The journal says that Orban's Fidesz party has dismissed the incident
due to the opposition alliance's incompetence.
Russia's current elections for the Duma, the national parliament, are also in progress.
The effective leader of opposition to President Putin, Alexei Navalny,
is in prison on a variety of charges ranging from fraud to extremism. External observers
generally regard the charges as trumped up. But the Russian government isn't interested in seeing
the opposition maintaining a presence online either. Setting a precedent during elections
for Russia's Duma that Wired calls
troubling, Apple and Google have acceded to the Kremlin's request that they remove opposition
voting apps prepared by Navalny's smart voting project from their stores. The app in question
was a voting guide, not a mechanism for casting votes. According to Wired, quote,
created by associates of imprisoned opposition
leader Alexei Navalny, it offered recommendations across each of Russia's 225 voting districts
for candidates with the best shot of defeating the dominant United Russia party in each race,
end quote. Radio Free Europe reports that Telegram has done likewise, blocking chatbots
smart voting had used for endorsing candidates.
Telegram said that it was following Russian election silence laws,
represented as similar to laws in other countries
that restrict various forms of campaigning during the elections themselves.
Here in Maryland, for example,
it's illegal to buttonhole people standing in line outside polling places.
If you want to talk to them or hand them a leaflet, you've got to do it outside the parking
lot or at some comparable distance. But according to Radio Free Europe, Telegram's founder significantly
said that developer outfits like his own had little choice but to follow the lead of Apple
and Google. So the decision taken in Silicon Valley
seems to have flowed to other outlets. The Atlantic Council summarizes the issue as follows,
quote, the Russian government has reacted to this voter guide as if facing a serious national
security threat, a reaction that has stirred international controversy. The furious and
ultimately successful efforts to suppress this voter guide not only demonstrate the Russian government's determination to assert broad control over both the outcome of Russian elections and the information Russian citizens can access online, but also how the underlying dynamics of Russia's censorship agenda can become an international problem, forcing companies based outside its
borders into complicity with domestic repression, end quote. Voting was held over the weekend from
the 17th to the 29th of September. Preliminary results indicate that United Russia has retained
its very comfortable majority in the Duma.
Linux servers running on Microsoft's Azure cloud remain under distributed denial of
service or crypto jacking attacks by botnets exploiting the OMIGOD vulnerability in the
Open Management Infrastructure application. OMI, installed by default in most Azure Linux
virtual machines, is a Linux equivalent to Windows Management Infrastructure.
The Record describes the issue, which is CVE-2021-38647,
as a remote code execution vulnerability.
Researchers at Wiz, who've described the exploitation,
also have a review of available remediations.
At least one botnet exploiting OMI is a familiar one.
Bleeping Computer reports that Mirai is working actively against vulnerable instances.
The large French container shipping firm CMA CGM SA today disclosed, according to MarketWatch,
that it had sustained a data breach whose evident aim is extortion.
The attackers claim to have obtained almost 500,000 individual records of customers. CMA CGM says that what it characterized as limited customer information includes names,
positions, emails, and phone numbers. The Loadstar reports that customers are awaiting formal
notification from the box ship company and that this is expected to come this evening.
It's the second information security incident CMA CGM has sustained over the past year,
and should personal information in fact be involved, as it appears to be, the company will be obligated under GDPR to render a prompt report to French authorities.
Let's say you were visiting the Minnesota National Guard's website. Maybe you're
interested in training for a biathlon over at Camp Ripley. Anywho, you arrive there and hey-ho,
you're seeing ads for male enhancement solutions. That's odd, you might think. You were interested
in one weird trick that might help you with your telemarketing, but it looks as though they're
setting you up for telemarketing. It's not just the Minnesota Guard that's been affected. Numerous
federal agencies, military organizations, and members of Congress have been affected,
and it's not intentional. The senator isn't really recommending that you go visit the vendor of, say,
saucy videos. Vice notes that this has been going on over the past year at a number of U.S.
government sites in both the .gov and .mil domains. Some of those sites have been serving up the sorts
of spammy ads for products that one would be likelier to find on commercial sites that use
relatively indiscriminate ad servers. Security researcher Zach Edwards, whom Vice credits with
having identified the problem,
traces the redirects to a vulnerability in the widely used content management system
Laserfiche Forms. Laserfiche says it's corrected the problem. Edwards thinks it persists in some
corners of the product. And finally, there's a new Elon Musk-themed scam in progress.
Email spam is promoting the Elon Musk Mutual Aid Fund, or sometimes the Elon Musk Club,
offering an opportunity to get yourself some free Bitcoin.
Bleeping Computer says that a lot of the messages, which it describes as low effort,
use strange, nondescriptive subjects and messages,
but include a link with a suggestive name like Get Free Bitcoin. Should you be incautious enough to click in a fit of
abstraction or buccaneering what-the-heck mood, you'll be whisked to a page that has a picture
of Mr. Musk and a greeting that reads, Hello, dear friend. My name is Elon Musk. You'd think
that if you were in fact a dear friend, you wouldn't need to be told his name,
but maybe you figure, hey, billionaires got a lot of irons in the fire,
they can't keep track of all their buddies,
and besides, you're pretty sure you've heard of the guy, so you click to the next step.
This takes you through a series of screens in which you successively register to receive Bitcoin,
seem maybe to get some
and then are asked to donate a small bit back.
Only your donation is real, of course,
and you're out whatever you donated.
Needless to say, this has nothing to do with Elon Musk.
Think no one could fall for this?
Rest assured, they have.
The hoods are simply trading on his fame.
Seems a shame that greetings seem so nice.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Padraic O'Reilly is co-founder and chief product officer at cyber and IT risk management firm CyberSaint. He and his colleagues recently released a report outlining their take on
the state of the defense industrial base
and its ability to handle cybersecurity risk.
I think the first big takeaway that we have from our research is that risk assessment and risk management are really lagging.
They're not doing so well in this sector, and to be fair in other sectors, but in this sector in particular, when you look at them, the actual charts, the high level charts of how companies are doing risk management and risk
assessment are lagging behind. Risk assessment is doing slightly better because there's a lot
of vulnerability management in that. And these companies usually have practices around that.
But the actual flow of information from the IT and cyber staff up to
the governance staff, and then sort of making decisions around how do we cost effectively
improve our cyber posture, that's not working so well. So that's very concerning. So that was the
first big takeaway. Can you give us some insights, for folks who aren't in that world, what are some of the specific challenges that the defense industrial base faces when it comes to cybersecurity?
Well, you know, it's a very interesting space because you've got these giant companies that run these really elaborate programs for cybersecurity.
So, you know, the prime, the primes, and then you've got the supply chain, which is hundreds of thousands of companies that often, you know, have in IT, it's the old
example of, you know, a couple of people, it's a mom and pop shop and a dog, you know, and these,
these, these companies are making very advanced things, but they might be making one particular
thing, like a particular kind of wire, or a part for a rotor, and they don't have elaborate IT practices. So when the government
says to them, you've got to sell into, if you're going to sell into the supply chain, you have to
harden your systems along these 110 requirements, they face an immediate challenge. So it's not
really a surprise to see that they struggle with this. And part of the executive orders have
stressed that additional funding is going to be required. If we're going to hit companies with
more requirements, we're going to have to also give them additional help. And you see this in
also the water treatment plants as well. They don't have big IT shops. So when these attacks
happen and the press is like, what's going on? We have such advanced technology. That's true. But if you look at the
actual practice inside these companies around cyber and IT, it's very small and it's really
constrained and they need help. What are your recommendations then? I mean, for folks who
are looking to do better at this, what kinds of things can they put in place?
Initially, what companies that are constrained have to do is look at the most cost-effective
ways to make systems more resilient. That includes looking at sort of the open exploits
that are out there, the remote desktop protocol issues, you know, segmenting networks, better
risk management processes. The thing about risk management is it's not just managing risk. It's
also really the decision chain around how do we do this, you know, within our budget. That's really
what risk management is. This is a risk. This is the probability of it happening. This is how much
it could cost us. So the first things to do, even for small companies, are to understand what the crown
jewels are and protect those and protect those in the most cost-effective way.
Sometimes the approach to the standard is everything is equal under the standard.
That's really not the case. There are opportunities to do cost-effective things that can really,
really harden your systems
in the current landscape against the current APT and do it in a cost-effective way.
Are you optimistic that these goals are achievable?
I am. I am personally. I don't know that many in my position or many of my colleagues are.
Part of what I do is try to build a solution to make this easier for people. And I kind of have to believe that, you know, and I want to. And I think there
are a lot of optimistic signals out there at the moment. You know, I think that the CMMC is being
adopted. I think that they're going to put a little bit more, a little bit more enforcement
behind it, but they're going to be fair, you know, and I don't think that raising the bar is unreasonable. I think if you want to sell into the supply chain,
you should have to do certain things for your security and protect information. I think we're
also seeing a little bit more engagement, you know, in the executive orders that are coming out
from very powerful departments, agencies, NIST is writing up software supply chain
requirements. The agencies are reviewing how they do business. There's going to be money available
for it. And as the federal government goes, so does the defense industrial base to some extent,
because they're so closely allied. That's Padraic O'Reilly from CyberSaint.
... a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you
total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Malek Ben Salem.
She is the Technology Research Director at Accenture.
Malek, it's always great to have you back.
I want to touch today on some issues that I know you've been tracking.
This has to do with the automotive industry and the potential quantum threat that they're preparing for.
What can you share with us today?
Yeah, in a previous segment, we talked about the quantum threat and how it affects all industry sectors.
But it's actually more imminent for the automotive industry.
And the reason is the average on-the-road lifespan of a vehicle is about 11 and a half years.
And it takes about five years to design a new vehicle and to bring it to manufacturing.
So that takes, you know, that planning to 16 and a half years from now, when a new quantum computer is probably available and the quantum threat would be real, then those types of cars that we're designing today have to be designed
with, you know, quantum-safe crypto so that they are not vulnerable to this threat.
And so what kind of systems within the car are we talking about here? Where
are automobiles using encryption generally? Yeah, I think what's most of concern for auto
manufacturers today is not necessarily the systems within the car, although they are also of concern,
but it's more about how to deal with the software updates in the future.
So our cars are becoming smart, right?
They contain huge pieces of code, right?
Millions of lines of code.
And I can bet that those programs contain some bugs and they have to be fixed at some point, not to mention that they would probably
need to be upgraded with new features, etc. So dealing with updating that software
is something that the auto manufacturers have to think about. Obviously, you can take a car
to your mechanic to do the update instead of having an over-the-air software update, but that tends to be very costly.
I think estimates are expected, or the software updates over the air are expected to save the automotive industry about $35 billion.
Wow.
So, yeah, it's not insignificant. And therefore, you know,
they want to design these cars to be updated through software updates over the air.
But how do you ensure that that update itself is not malicious, right? How can you authenticate
that it's coming? How can the car authenticate
that it's coming from the manufacturer and not from somebody else? That is why we need to ensure
that these algorithms that are protocols being used to distribute those software updates are
quantum safe. I could see us sort of getting into a chicken and the egg kind of thing here where,
you know, if you have to update the car's firmware so that it's quantum ready,
how do you make sure that that update isn't vulnerable, right?
Yeah. Exactly. So that's why you need to have the infrastructure, if you will, in place today, right?
You need to ensure, the auto manufacturers need to ensure that they're using, if you will, a hybrid model for encryption and that they're able to upgrade to different crypto algorithms as they become the standard in the future.
So in a way, are they trying to future-proof things?
I mean, is this the kind of thing where, you know, if I were to buy a car in the next decade,
even though it might not be in active use, they will have planned for its eventuality?
Ideally, yes.
Yes, absolutely.
I don't think they will be, you know, 100% future proof. I think there, you know, we'll see things evolve, particularly when it comes to, you know, the hardware requirements and the chips being used on these cars, because as more crypto, or let me say the quantum safe crypto will be, is likely to be more, require more computations. And so the chips that are performing those
computations and also dealing with all the sensors, the new sensors that will be on the car,
the ability to sense things on the road and communicate potentially with other cars, et cetera, that will put a huge computational
burden, right, on these chips.
And so those have to be designed, right?
We cannot keep using the chips we're using today on the cars.
And with all the chip shortages that we see today, I mean, we're going to be dealing with
new hardware requirements. So I think there will be delay, if you will,
or we'll need some time basically to get everything future-proof.
Yeah, challenges ahead.
You know, listeners to this show probably heard me say it before
that my favorite iPhone accessory is my car.
That's the way I look at it these days.
All right.
Well, always a pleasure to talk with you.
Thank you for sharing your expertise.
Malek Ben Salem, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence. And every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast. The Cyber Wire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf,
Bharu Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.