CyberWire Daily - Hacktivists assemble to attack Pennsylvania water utility.
Episode Date: November 27, 2023

Iranian hacktivists claim an attack on a Pennsylvania water utility. North Korea's increased attention to supply chains. Rhysida's action against British and Chinese targets. Sandworm activity puts European power utilities on alert. Neanderthals and the Telekopye bot. Mirai-based botnet activity. Our guest is Chris Betz, the new CISO of AWS Security, with insights on the upcoming AWS re:Invent conference. And just how easy is it to track the comings and goings at Mar-a-Lago?

CyberWire Guest
Our guest today is Chris Betz, the new CISO of AWS Security, giving us some insight into what to expect at the AWS re:Invent conference. You can connect with Chris on LinkedIn and find out more about AWS re:Invent on the event website.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/224

Selected Reading
Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group (KDKA News)
Iranian-linked cyber army had partial control of Aliquippa water system (Beaver Countian)
Cyber Av3ngers Claim Israeli MEKOROT National Water Company Hack (Cyberwarzone)
A hack in hand is worth two in the bush (Securelist by Kaspersky)
Diamond Sleet supply chain compromise distributes a modified CyberLink installer (Microsoft)
UK and Republic of Korea issue warning about DPRK state-linked cyber actors attacking software supply chains (National Cyber Security Centre)
Rhysida (SentinelOne)
Rhysida, the new ransomware gang behind British Library cyber-attack (The Guardian)
Rhysida ransomware gang claimed China Energy hack (Security Affairs)
#StopRansomware: Rhysida Ransomware (CISA)
Russia continuing cyberthreats against NATO countries (Defence Industry Europe)
Europe's grid is under a cyberattack deluge, industry warns (Politico)
Telekopye: Chamber of Neanderthals' secrets (ESET)
InfectedSlurs Botnet Spreads Mirai via Zero-Days (Akamai)
We Spied on Trump's 'Southern White House' From Our Couches (Rolling Stone)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Iranian hacktivists claim an attack on a Pennsylvania water utility.
North Korea's increased attention to supply chains.
Rhysida's action against British and Chinese targets.
Sandworm activity puts European power utilities on alert.
Neanderthals and the Telekopye bot.
Mirai-based botnet activity.
Our guest is Chris Betz, the new CISO of AWS Security,
with insights on the upcoming AWS re:Invent conference.
And just how easy is it to track the comings and goings at Mar-a-Lago?
Today is November 27th, 2023.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Our top story today involves an Iranian hacktivist group, the Cyber Av3ngers,
who have managed to infiltrate the control systems of a water booster station
operated by the Municipal Water Authority of Aliquippa in Pennsylvania.
The station, which serves Raccoon and Potter townships,
triggered an immediate alarm during the breach,
but the hack did not compromise the safety or supply of water to the localities.
The attackers made their political stance clear by displaying an anti-Israel message on the
station's monitors, targeting the Israeli-made Unitronics control system used by the utility.
Operators quickly countered the attack by switching to manual controls.
Previously, the Cyber Av3ngers have focused their attacks within Israel,
targeting utilities like Mekorot's CCTV system and falsely claiming to compromise the
Dorad power station. Their move to attack a U.S. utility represents a significant escalation
in their operations, broadening their geographic scope of targeting. This incident serves as a
wake-up call to the industry, emphasizing the need for increased vigilance, robust cybersecurity
measures, and the readiness to revert to manual operations should technological defenses be breached. It also
highlights the geopolitical dimensions of cybersecurity, where domestic infrastructure
can become a proxy battleground for international tensions. By the way, our rural Pennsylvania desk
tells us that Aliquippa, PA provided much inspiration for the 1980s Tom Cruise film,
All the Right Moves.
Microsoft has identified a supply chain attack
by North Korean group Diamond Sleet, also known as Zinc.
This operation involved tampering with a
CyberLink application installer, embedding malicious code capable of executing a secondary
payload. Notably, the attack utilized legitimate update infrastructure and a valid CyberLink
certificate, making detection challenging. This incident has already affected over 100 devices across several countries,
including Japan, Taiwan, Canada, and the U.S. Simultaneously, U.K.'s NCSC and South Korea's
NIS warn of North Korean hackers increasingly targeting software supply chains, exploiting
zero-day vulnerabilities in third-party software. These attacks serve broader North Korean state goals,
generating revenue, espionage, and stealing advanced technology.
So, it may be worth checking to be sure your SBOMs are properly secured.
The Rhysida ransomware gang, which emerged in May, has breached the British Library,
compromising employee data, and is demanding 20 bitcoins for the stolen information.
Additionally, they've targeted the Chinese state-owned China Energy Engineering Corporation, asking for 50 bitcoins for that data cache.
align with Russian cyber-privateering patterns. Their choice to attack a Chinese entity is unexpected and suggests potential limits to their coordination or a shift in the Kremlin's stance
on cyber-aggression towards allies. A U.S. government advisory highlights Rhysida's
opportunistic targeting across vital sectors and their ransomware-as-a-service operations,
emphasizing the need for cross-sector vigilance
and robust cyber defense strategies to counter such multifaceted threats.
The Polish Institute of International Affairs has sounded an alarm over the intensified rate
of Russian cyber attacks against NATO, with tactics ranging from data theft to system
paralysis and disinformation campaigns.
This uptick in aggression underscores the urgent need for enhanced collaboration
within the Atlantic Alliance to safeguard critical state functions.
The GRU's Sandworm Group is notably active,
inciting calls from European energy sector leaders for heightened security measures
to protect the power grid against these threats,
particularly those emanating from Russian-backed teams
aiming to destabilize EU member states through sustained cyber attacks.
A report from ESET reveals a stark glimpse into the world of cybercrime,
highlighting the use of Telekopye,
a Telegram bot that facilitates phishing operations,
whose criminal users have been dubbed Neanderthals. The scammers mock their targets by referring to them
as mammoths. Recruitment is active on criminal forums, where candidates undergo a screening
process and, if accepted, gain full access to Telekopye's phishing template resources.
Required to join two specific channels, one for communication and the other for transaction logs,
these Neanderthals operate within a structured community,
underscoring the sophisticated social organization behind some cybercriminal activities.
Perhaps someday, these Neanderthals will find themselves extinct.
Akamai has detected a new botnet, InfectedSlurs, leveraging the Mirai malware framework and
exploiting two zero-day vulnerabilities to proliferate. One vulnerability resides in
network video recorders from an undisclosed manufacturer, and the other affects a wireless LAN router
designed for hotels and residences. Patches are anticipated in December. The router vulnerability,
initially identified as a single model, may extend to a related variant, raising concerns
about the broader implications for the manufacturer's full product line, given the commonality of
the exploited feature.
Coming up after the break,
our own Rick Howard speaks with Chris Betz,
the new CISO of AWS Security,
with insights on the upcoming AWS re:Invent conference.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
AWS Security has a new CISO, and his name is Chris Betz.
N2K's Rick Howard recently caught up with Chris Betz to discuss insights from the AWS re:Invent conference that's occurring this week.
Hey, everybody. Rick here. As you may or may not know, the CyberWire is an Amazon Web Services media partner. And between 27 November and 1 December of this year, AWS is hosting their
annual re:Invent conference in Las Vegas, Nevada, and online. I got to sit down with Chris Betz, the newly
minted AWS CISO, to talk about the focus of his talk at re:Invent. Chris has just recently replaced
CJ Moses, who has moved up in the organization to be the CISO and VP of Security Engineering at
Amazon, and Chris and CJ both report to Steve Schmidt, the CSO at Amazon. I've known Chris, it feels like, forever, and I started out by
congratulating him on his new job.
So congratulations on the new job. How about that? Congratulations.
Thanks, Rick.
I am really excited to be here. So this is an
incredible role. It's just, wow, it's been quite a
journey. So we have the AWS re:Invent conference
coming up in Las Vegas. It's 27 November through 1 December. And you're speaking at a session called
Move Fast and Stay Secure, Strategies for the Future of Security. What are you going to be
talking about? Our CSO, Steve Schmidt, and I actually get to be on stage together, which is going to be a lot of fun. That's fantastic.
It's absolutely awesome. And it's a fun
thing because three months in, being able to tag team
with Steve is an amazing opportunity. Talks are going to be focusing
on some of the most current ways that we think about our cybersecurity opportunities,
some of the awesome innovation that's going on in the cybersecurity space,
and really
tries to provide a direction for
customers as we're all thinking about how
we've applied some of
these technologies and how we should think about applying
and using some of these technologies going forward.
So one of the big points in the
presentation, I believe, is how Amazon
thinks about zero trust.
And so that's a huge marketing term right now.
A lot of people in our community flip our noses up about it because, oh, it's just vendors talking about a new buzzword.
But it is not.
It is a fantastic strategy.
So how does Amazon think about zero trust?
Well, Rick, I think what you bring up is so important.
It's easy to get lost trying to take something off the shelf and apply it to your company.
I've seen any number of my fellow CISOs.
I've even tried it myself environment, and the actions that they're taking provides a really outstanding way to tailor their cybersecurity actions to what they're trying to do. And so my lesson, having seen a number of my peers and
been on the journey myself for Zero Trust in a number of places, the lesson that I've learned
is that having a tailored, having a fit solution for you is so important. And it's all about the
foundational elements, those building blocks. And so I'm not going to steal thunder from my own talk,
but recognize kind of where you can find those building blocks.
Where do you have the building blocks that have spent a lot of time? And how do you use that to make sure that you're getting not the one-size-fits-all solution, but really the tailored solution for you, for your enterprise, for your business is so important.
Well, I agree with that.
I call that meat and potatoes, zero trust, because a lot of our peers feel like they have to reinvent the wheel to deploy a zero trust philosophy.
And in reality, you're already using things that have zero trust capabilities, especially AWS, right?
They've got all kinds of things you could do to improve your zero trust journey.
And that's true for a lot of different security tools, right?
So it's not a rip and replace operation.
It's just it's an improvement
exercise. Am I over-exaggerating that? I don't think you are. I mean, I think there's, to be
clear, there's some discrete new approaches and mindset and philosophy that you need to use.
But you're right. I mean, so much of cybersecurity is built on a really, really strong technical
foundation, knowing that you have those right capabilities.
As you said, at AWS, we build a bunch of really great,
strong technology foundation that gives you the right place
to much more easily get the solution that fits you.
At least that's how I approach the problem.
I like the way you talk about it is that it's not about the buzzwords.
It's not about the flashy bells. Getting this to work right starts off with a really solid
foundation that's designed to work at that scale and in the way you need to for zero trust.
So the conference is AWS re:Invent. It's going on in my favorite city of all time, Las Vegas,
27 November to 1 December. Chris, any last words you want to encourage people to come out?
Thanks, Rick.
Yeah, I hope everybody will attend or tune in.
There's a lot of content available online for AWS re:Invent, as you said, starting on
Monday.
And I'm also excited to share that the dates and location for AWS re:Inforce, which is our
security-focused conference, have been announced.
It's June 10th through 12th in Philadelphia.
And this is the best security learning conference
that I've been at in a long time.
And so finally, thank you, Rick and N2K
for talking to me.
It's been great to see you again,
and I hope to see you at re:Invent
and at re:Inforce next summer.
That's the new CISO at AWS Security, Chris Betz,
speaking with my CyberWire colleague, Rick Howard.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
ThreatLocker is designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world
when it matters most.
Stay in the know.
Download the free CBC News app
or visit cbcnews.ca.
Wrapping up today's show,
in the digital age,
espionage has evolved dramatically from the daring feats of individuals like Mary Bowser during the American Civil War to a more subtle yet pervasive form of data gathering. Reporters at Rolling Stone have demonstrated the ease with which one can access detailed information about individuals,
including their movements and personal characteristics.
They set their sights on profiling visitors to former President Donald Trump's Mar-a-Lago residence,
revealing not only the demographics of Trump's visitors, but also their likely homes and workplaces.
This ease of data acquisition
underscores a significant shift. Now, anyone can conduct surveillance from the comfort of their
home, posing risks not just to public figures, but to everyone. Our daily digital footprints,
often unknowingly left through innocuous apps, become fodder for data brokers, creating vulnerabilities that can
be exploited for all sorts of purposes, including surveillance and manipulation.
It might just be time to write that letter to your representative in Congress
about federal data privacy legislation.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producer is Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.