CyberWire Daily - Happy Slam the Scam Day. Indian authorities continue to investigate grid incidents. CISA tells US Federal agencies to clean up Exchange bugs by noon tomorrow. Supply chain compromise.
Episode Date: March 4, 2021
Indian authorities say October's Mumbai blackout was "human error," not cybersabotage. CISA directs US civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects of the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/42
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Indian authorities say October's Mumbai blackout was human error, not cyber sabotage. CISA directs U.S. civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects from the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, March 4th, 2021.
We open with a brief follow-up to the story of alleged Chinese cyber-sabotage attempts against India's power grid. The Indian government has said that while some hacking incidents remain under investigation, and that there seems to have been some malware in some load dispatch centers, the big Mumbai blackout in late 2020 wasn't caused by saboteurs. India's Union Power Minister R.K. Singh has said that October's blackouts in Mumbai were the result of human error and not cyber-sabotage, the Times of India reports.
He did confirm that there were attacks on load dispatch centers, but these were successfully contained and caused no outages.
Against the backdrop of Recorded Future's report on RedEcho, Singh resisted offering attribution for the attempts, saying, quote, we don't have evidence to say that the cyber attacks were carried out by China or Pakistan. Some people say that the group behind the attacks is Chinese, but we don't have evidence. China will definitely deny it, end quote. As indeed China has, with accompanying declarations of Beijing's general opposition to cyber attacks in all of their forms.
The mention of Pakistan, by the way, is to be expected. Pakistan and China are India's two principal regional rivals. Anywho, maybe someone in Beijing should communicate that opposition to cyber misbehavior to whoever's running their Hafnium threat group. The U.S. Cybersecurity and Infrastructure Security Agency yesterday afternoon issued Emergency Directive 21-02, requiring federal civilian agencies to take immediate action to remediate the Microsoft Exchange on-premises product vulnerabilities currently under active exploitation.
Agencies are directed to report completion by noon tomorrow.
Microsoft has attributed the ongoing exploitation campaign to a Chinese government threat actor it tracks as Hafnium.
The Accellion supply chain compromise has found its way into a security company's operations.
Qualys disclosed yesterday that it had deployed Accellion's code base, or customer data hosted on the Qualys cloud platform.
Two current trends in social engineering are worth noting.
Agari finds that capital call scams are growing more common in business email compromise attempts, and the pandemic is still with us, and so Barracuda Networks reports scams using COVID-19 vaccine information as phish bait.
And finally, today, Thursday, March 4th, 2021, we're happy to celebrate National Slam the Scam
Day, as proclaimed by U.S. Social Security Administrator Inspector General Gail S. Ennis.
What's all this about?
Well, have you ever been called by the U.S. Social Security Administration and been threatened with arrest?
Don't be shy. Raise your hand.
We have.
Once upon a time, they called one of our people and demanded to know his street address so they could show up and, quote, put you behind bars, unquote, for abusing his social security number in illegal activity.
Weird, right?
You'd think if you were an American taxpayer living on the grid that the Social Security Administration wouldn't need you to tell them your address.
Maybe you're wondering what kinds of crimes
you might have used your social security number to commit.
We were too.
Perhaps we shouldn't have said that the Social Security Administration
threatened a no-knock raid on us.
More correctly, we should have said that someone claiming to be
the Social Security Police called to schedule the kicking down of our front door.
The background noise sounded sort of like a boiler room in a suburban Mumbai strip mall, but the guy said he
was Special Agent Evan McCarthy, which sounds totally legit despite all the ringing and hollering
in the background. Anyway, our guy is still waiting for Special Agent McCarthy to put the
bracelets on him, but so far, no joy.
He says, Special Agent McCarthy, come and get me.
And that our local social security number perp remains at large, rested, tanned, and ready, we might add, despite social distancing and sheltering in place, actually isn't surprising, because, of course, Agent Evan McCarthy, and our apologies to any real Evan McCarthys who might be listening, is totally bogus. Apparently, the boys in the boiler room, and oddly, it occurs to us that we've never spoken to any of the girls from Social Security. The ladies seem to call us mostly about extending the warranties on our car.
Apparently, the boys in the boiler room are encountering some skepticism and they've hit on a new wheeze. The U.S. Social Security Administration, the real one, with a major office right on Security Boulevard here in Greater Baltimore, warns that scammers are using fake government IDs to gain their marks' trust. They're texting or emailing images of the phony badges to potential victims.
We thought at first these would be like a sheriff's badge you can buy in the dollar store's
toy aisle, but turns out they're better. They're laminating themselves up some photo IDs with
government logos on them, the kind you'd wear to gain access to an office building around D.C.
that houses, say, the Bureau of Land Management or the Fish and
Wildlife Service. But don't be fooled. We should say, by the way, that the police in India take
these crooks seriously. Indian police regard these kinds of scammers as pernicious losers
and sweep them up as resources and the rule of law permit, but there are relatively low barriers
to entry in this particular criminal sector,
and as one petty hood goes away,
another tends to step up to the phone bank.
And in fairness, it's not just India
that spawns this kind of scam.
Opportunity is everywhere,
although fluency in English
is a bit of a subcontinental specialty.
So slam the scam and hang up on these jokers.
You'll make Inspector General Ennis proud.
And Inspector General Ennis, unlike Special Agent McCarthy,
is totally legit.
Brittany Allen is a senior manager and trust and safety architect at digital trust and safety firm Sift. I spoke with her over on our Hacking Humans podcast about a new fraud scheme her team is tracking on Telegram, taking advantage of food delivery apps.
We spend a lot of time learning about fraud in order to fight fraud. And one of the resources that we had been looking at before had been looking into dark web activity, seeing what happens with information that ends up there due to a data breach, see what's happening within these fraud groups. But there's an easier layer to access, and that is within these apps such as Telegram, that are secure messaging apps or are privacy focused. And there is a lot of fraud activity within those groups. But basically, we were able to go into those groups, sort of learn the language, learn what they're talking about when they say that they have freshly spammed fulls for sale. We'll learn all of that info. And then we were able to find this emerging pattern of fraudsters who would agree to order food on behalf of other fraudsters at a heavily discounted rate. And we learned that that was just another little glimpse into the part of the fraud ecosystem was that specific role.
Well, let's go through this specific case here that you tracked.
This is having to do with some on-demand food delivery services. Walk us through this step
by step. How does it work? Absolutely. So as I mentioned before with the fraud ecosystem,
all of the fraudsters have different roles to play. It's not like they do everything all of
the time. And so there are these fraudsters who have advertised their service of, I will buy food for you on your behalf.
They say what restaurants or what food delivery apps are their specialty.
And then they say at this rate, you can pay me via Bitcoin.
It'll be a substantial discount.
So maybe you're only paying 25 to 30 or 40 percent of the value of the food.
So it's therefore pretty exciting or pretty attractive to you
so that you can not have to spend a lot of effort
on this ordering of the food
and then also save a little money along the way.
But what they do is they advertise
what they've got available.
You as this prospective diner
will reach out to the fraudster
with a screenshot of what you want
from that website. So you would pull up that food delivery app, let's say, add a whole bunch of
things to your cart, take a screenshot, send it to the fraudster, make your payment via Bitcoin or
whatever else they accept, and then they will place that order on your behalf. And the next
thing you know, you'll have your food delivered to you. You'll have pretty good plausible deniability just in case the food delivery app
does catch on or try to investigate you because you won't have been the one that placed the order,
but you'll still benefit in the end from getting the food. And it's just a sort of another level
of service. And the fraudsters that are running the scam are the ones who specialize in knowing what
are the current vulnerabilities with the delivery apps and the restaurants that I know are popular
and will help me make money by facilitating these orders. There's a lot of variables behind that
that you'll just see through these advertisements that are repeated again and again and again and
again throughout these fraud channels on Telegram. And as more and more and more people are using these apps or as the membership of these fraud groups grow, that just takes more casual fraudsters and increases their comfort level with committing fraud and defrauding companies. And that is an emerging pattern that merchants really should be keeping an eye on because the barrier to entry of fraud is definitely dropped by the explosion of activity in these fraud channels.
That's Brittany Allen from Sift. There's more to our conversation.
You can find that over on the Hacking Humans podcast.
And joining me once again is Andrea Little Limbago.
She's the Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back.
I wanted to touch base today on a project that you are a part of.
This is with RSA.
Of course, the big conference is virtual this year,
and you're helping them out with some things with their supply chain sandbox.
What's going on there?
Yeah, no, Dave, thanks for allowing me to talk about this.
It's some great work.
It's organized by Beau Woods, who just does a ton of amazing work across the community.
And the mission of the supply chain sandbox at RSA is really to up-level a participant's willingness and capabilities in addressing cybersecurity issues via the supply chain.
And so the goal, though, is to make it fun, immersive, practical,
all those aspects that you don't actually necessarily
always associate with supply chains.
I mean, normally when people think about supply chains,
it kind of seems a little bit dry.
That's probably an understatement.
But really, you're trying to make it fun and informative.
And I know SolarWinds has definitely heightened the awareness
or concern over supply chain risk,
but they had it last year for the first time,
and I'm helping hop on and organize that
with a really great cross-section from industry and government as well.
So it's a nice public-private sector working together,
so it's always a nice example of that.
But really, the goal is to make it a fun, entertaining experience
for folks that are attending RSA.
So it's part of RSA in a different way that you'll be going in.
It's all through virtual, but we'll have a variety of things from virtual Jeopardy.
We've got some trivia games.
We'll have some resource centers in case you want to read more and take a lot of that information home.
So it's really, I think hopefully it should be a really impactful and informative time that the community can learn from
and then also provide a means for people who are interested in this kind of area to network and connect as well.
I think we're all missing connecting with people across the community and meeting new people.
And so this will also hopefully provide a way for folks who are increasingly concerned about supply chain security to connect as well.
Yeah, well, and as you mentioned, I mean, with SolarWinds, couldn't be more timely. And I suppose this particular exercise will get a lot more attention than it probably otherwise would have thanks to what's happening in the news.
I think so. And it's something that happened last year. The planning for this year has been in the works for a while. SolarWinds has just elevated it. And, you know, honestly, we already have seen several different supply chain attacks since then that haven't been quite as elevated in awareness or making the headlines, but still very much impactful.
And it'll be the digital supply chain, but also looking at just the third-party risk as well.
I mean, I think we all have heard everything from how fish tanks were the mode of compromise
to HVAC systems to subcontractors.
So it's really looking at the whole range of supply chain security risks that need to be aware of.
And then in addition to keeping on top of what the various government policies are doing and then taking as well a global perspective and what's happening around the world in this area, too.
So it should be a lot of fun.
It should be really informative for folks who are attending RSA. I strongly encourage them to swing by. It's going to have a lot of good interactive components and a good
way to interact and meet folks within the industry. What's the spectrum of expertise that you're
hoping to attract here? I mean, is there something for the broad range, everyone from students
through people who may have expertise in this area? Yeah, I think so. And that's what we're aiming to build it so that everyone at every level,
both professionally, whether you're a new student in the area to someone who's been in the community
for a while, and whether you're super technical or you're more on the policy side, really,
it should be something for everyone there. At the end of the day, I mean, it's such a broad
area of concerns that fall under the umbrella of supply chain risk and supply chain security
that I think there'll be something for everyone there that, one, will expose them to areas that
may be outside the wheelhouse, which I think is always a good thing. But there'll also be plenty
of areas for those who are experts to highlight their expertise and those that are more new to it
to really learn a lot and see what the range of opportunities might be for them if they want to
work in this area. All right. Well, Andrea Little Limbago, thanks for joining us.
Great. Thank you so much.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you
informed. Made to be strong. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast
is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.