CyberWire Daily - Historical threats to industrial control systems inform current security practices. Ransomware privateering and side-hustling. Updates on the Pegasus Project.

Episode Date: July 21, 2021

CISA warns of threats to industrial control systems, profusely illustrated with examples from recent history. Ransomware can be operated either in the course of privateering or as an APT side hustle. Security firms outline new and evolving threats and vulnerabilities. Reaction continues to the Pegasus Project’s reports on intercept tools. Joe Carrigan unpacks recent Facebook revelations and allegations. Our guest is Dave Humphrey from Bain Capital on his tech investment bets and predictions. And do you know what “military grade” means? Neither do we, but we think we have an idea. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/139

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA warns of threats to industrial control systems. Ransomware can be operated either in the course of privateering or as an APT side hustle. Security firms outline new and evolving threats and vulnerabilities. Reaction continues to the Pegasus Project's reports on intercept tools.
Starting point is 00:02:19 Joe Carrigan unpacks recent Facebook revelations and allegations. Our guest is Dave Humphrey from Bain Capital on his tech investment bets and predictions. And do you know what military grade means? Neither do we, but we think we have an idea. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 21st, 2021. The U.S. Cybersecurity and Infrastructure Security Agency yesterday released an account of six cyberattacks on industrial control systems that occurred between 2011 and 2016, suggesting that more such attacks may be in the offing.
Starting point is 00:03:18 The history is interesting in its specific attribution of the attacks to nation-states, one each to China and Iran, the remaining four to Russia. CISA also updated its alert on a Chinese cyber campaign that targeted pipelines between 2011 and 2013. The campaign wasn't confined to a single pipeline or a single operator, and the attackers generally approached their targets by social engineering. CISA wrote, quote, 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearfishing and
Starting point is 00:03:54 intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, three were near misses, and seven had an unknown depth of intrusion, end quote. The goal of the campaign seemed to be reconnaissance and staging. CISA concluded that the U.S. government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assessed that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assessed that this activity was ultimately intended to help China develop cyber attack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.
Starting point is 00:04:44 Theft of intellectual property was not the apparent goal. Again, quoting CISA, CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access. One victim organization set up a honeypot that contained
Starting point is 00:05:11 decoy documents with content that appeared to be SCADA-related data and sensitive organizational information. According to this organization, the SCADA-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot.-related decoy content was exfiltrated within 15 minutes of the time it was made available in the honeypot. Other sensitive decoy information, including financial and business-related information, was ignored. The warnings this week and the attribution of ICS threats to three major hostile states would seem to figure in the U.S. response to more recent incidents, including not only MSS exploitation of vulnerable Microsoft Exchange server instances, but also Russian-tolerated or enabled ransomware attacks. It also coincided with the U.S. Transportation Security Administration's issuance of further security guidelines for pipeline
Starting point is 00:06:02 operators. The guidelines were motivated in the first instance by REvil's ransomware attack on Colonial Pipeline, but CISA's revisiting of China's earlier campaign is more than coincidence. Russian toleration of ransomware gangs operating from its territory against targets in other countries was a sticking point in the Russo-American summit and follow-on conversations. The relationship between gangs and the Kremlin has been described as analogous to privateering. The gangs are able to romp freely through permissible targets and keep whatever
Starting point is 00:06:37 they can steal. The Washington Post today describes how ransomware has become a feature of recent Chinese activity. In this case, the Ministry of State Security appears to contract with organizations to carry out operations under MSS direction. The contractors are then permitted some latitude for extortion or theft. This is more of a side hustle than it is privateering. The threat actors aren't roving cyberspace looking for prizes, but they're able to take prizes in the course of operating under state direction. Several reports from security firms this morning
Starting point is 00:07:14 describe research into attack vectors and malicious techniques. Inteser describes its detection of a new attack vector hitting Kubernetes clusters through misconfigured Argo workflows instances. Again, it's the configuration. Zscaler looks at Joker malware and outlines some of the techniques its operators have used to insinuate their code into apps that make it into the Google Play Store, and from there infect victims who install the malicious apps. The techniques include URL shorteners, string obfuscation key changes, and abusing the notification process. Joker steals sensitive information from infected devices
Starting point is 00:07:54 and typically enrolls users in expensive and unwanted services. Reversing Labs describes how an NPM package can be used to introduce vulnerabilities into software supply chains. They found one NPM package that's being used to steal credentials stolen in Chrome browsers. Bitdefender has seen a spike in the wild of a new malware strain, Mosaic Loader, a downloader that can deliver a range of payloads to victims. Mosaic Loader propagates by advertising and representing itself as cracked software. Its victims are typically would-be users of pirated software.
Starting point is 00:08:34 This should give everyone an incentive to resist the temptation to download stuff they shouldn't download. It's unlikely it will amount to a virtual free lunch. Investigation into the Pegasus intercept tool continues with the Guardian's account of alleged corrupt abuse of surveillance tools. While much of the attention NSO Group has drawn has centered on its sale of Pegasus to repressive regimes, there are other problems with the tool's dissemination. In the case of at least one journalist murdered in Mexico apparently by a drug cartel, The Guardian suggests that the intercept tool could have been delivered to the cartel by corrupt law enforcement officials who had access to it in the course of their duties. Reaction to government use of Pegasus continues to run strongly in many countries.
Starting point is 00:09:25 Opposition members of India's parliament protested what the Washington Post quotes them as characterizing as a national security threat posed by the government of Prime Minister Narendra Modi itself, which has been accused of using NSO group tools to monitor journalists, dissidents, and political opponents. monitor journalists, dissidents, and political opponents. The Post also says that France has opened investigations into reports that French officials were themselves targeted by operators of the intercept tool. Morocco is suspected of running such an operation against French targets, but the North African country's government has denied doing so. And finally, a lot of reporting about cyber incidents lately has referred to
Starting point is 00:10:08 military-grade malware or spyware or cyber weapons. A lot of the coverage of the Pegasus Project has used the expression, we don't want to criticize reporters and editors doing their front page best, but we'd like to point out that military grade is almost invariably a marketing expression. In the case of intercept tools like Pegasus, it means nothing more than effectively used, well-designed, or maybe expensive or sophisticated. But military grade carries a lot of scare value
Starting point is 00:10:42 and also a gloss of official-sounding gravitas. But really, there's no such thing as military grade, although we've heard it applied to the sheet metal used in pickup truck beds as well as malware. There is, in the U.S. at any rate, and other countries have their equivalents, mil-spec, which means roughly produced in accordance with the requirements specified in a contract. So, our military desk pleads, let's resolve to hold off on calling anything military-grade. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:11:35 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:18 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:19 My guest today is Dave Humphrey, co-head of Bain Capital's North American private equity business, where he's responsible for $10 billion in technology portfolio investments. I checked in with Dave Humphrey for his insights on the cybersecurity investment market, which areas have his attention, and where he thinks we're headed. Well, I think it's a fascinating time to be investing in technology and to be investing in cybersecurity broadly. And I think information and identities that are flowing through all of those cloud and on-premises applications.
Starting point is 00:13:54 And so we're seeing a lot of growth in just the security markets generally, as there's a lot of growth in the technology markets. But we're also seeing a lot of innovation as new ways of using technology and new methods of deployment or growing methods of deployment are leading to new attack vectors and also therefore leading to new methods of defense. So we think it's an exciting time to be investing in technology at large and certainly an exciting time to be investing in the security sector. I think if you were to rewind several years ago, there were lots of cybersecurity themes around fortifying the perimeter and
Starting point is 00:14:32 defense in depth, trying to keep bad actors out of networks or out of corporate technology. I think now there's a broad acknowledgement that security cannot just be about keeping bad actors out of corporate environments, but rather presuming that they are indeed in and using things like artificial intelligence and machine learning to evaluate and detect and respond to those actors that may already be inside corporate environments and to protect the identity and data and information that's flowing in and out of corporate networks. What sort of advice do you have for the companies that are out there who are on the rise, those startups who are hoping to attract the attention of organizations like your own? What sort of advice would you have for them?
Starting point is 00:15:23 The advice that I would have really for any company, whether a startup or an established business, is to focus on what they do best and to distance their offering relative to their competitors and to do so in a way that creates a lot of value for their customers. gravitate to businesses that solve a really important problem and that create real competitive advantage in doing so because they can continue to innovate and grow and scale on the basis of that premise. Our recent investment in ExtraHop, which our pending investment, I should say, in ExtraHop, I think is one example of that in the security sector. Our investment in Nutanix last year is another in the infrastructure markets. But we really would encourage businesses to focus on what they do best and to keep innovating. Is your outlook optimistic? Are you looking forward to the next few years here? I'm a perpetual optimist. And so our outlook is indeed optimistic. I think that we see
Starting point is 00:16:22 a lot of innovation going on. I mean, it's pretty remarkable if you step back. The smartphone as we know it today, the iPhone still only came out 14 years ago. The iPad, I think 11. Cloud infrastructure on the basis of which we know it really only became a scale piece of enterprise infrastructures within still probably the last five, six, seven years and still has a long way to go. All of that innovation and change is creating yet further innovation and growth and opportunity and allowing businesses to come up with new ways of doing things and things that we can't even imagine as we sit here today. So as investors, I think that's an exciting thing. We're looking for businesses that have created some real advantage in doing that and supporting those businesses through that journey. That's Dave Humphrey from
Starting point is 00:17:09 Bain Capital. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
Starting point is 00:17:54 compliant. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. You know, this new book came out targeting Facebook. It's called An Ugly Truth. It's written by Shira Frankel and Cecilia Kang.
Starting point is 00:18:30 And it's quite sensational and attracting a lot of attention. But there are some specifics here that I think are worth digging into. I know a couple things have caught your eye. What are you looking at here, Joe? So I'm looking at the article that was on Business Insider earlier last week, and it talks about how between January of 2014 and August of 2015, so like almost a period of two years, the company fired 52 employees over exploiting user data for personal purposes. One engineer who is unnamed tapped into the data to confront a woman with whom he had been vacationing in Europe after she left the hotel that they had been sharing.
Starting point is 00:19:13 So they were at the hotel. They got into some kind of spat. And she said, that's it. I'm out of here. And then he was able to find out where she was staying because he accessed her personal data on Facebook and found out her location and was able to physically walk up to her. Another Facebook engineer used his employee access to dig up information on a woman with
Starting point is 00:19:36 whom he had gone on a date after she ghosted him, right? Mm-hmm. And in the company systems, he had access to years of private conversations with friends over Facebook Messenger, events attended, photographs uploaded. And here's one of the parts that really irritates me, including those she had deleted, right? So I know I hear you on Grumpy Old Geeks frequently asking about this. What does deleted mean on Facebook? It doesn't mean anything. It just means we're not showing it to you anymore. Right, right.
Starting point is 00:20:09 Deleted for thee, but not for me. Right. Posts that she had commented or clicked on, which is another interesting thing. Facebook tracks just about everything you do with that mouse. They have scripts in the background that send everything back.
Starting point is 00:20:24 So even clicking on a post, they know that you clicked on it. We've actually seen information that if you start responding to something and then you decide, nah, I'm not going to respond. I'm not getting involved in this. They still have what you started typing. They still have that in their records. And it's actually something that's fairly simple to do with with javascript on the back end it just sends it up to the server and he was able to access all this information based on the facebook app she had installed on her phone uh right and real-time location and he was able to see yeah he was able to see her real-time location so he was able to really really stalk this woman uh which which is unconscionable uh The book says that Facebook employees were granted user, this kind of data in order to quote, cut the red tape that would slow down the engineers.
Starting point is 00:21:12 But there was nothing but just honest behavior, keeping the employees from accessing things they shouldn't be from abusing their access. And that, that is probably good for 98% of the people. But Facebook had at the time 16,000 employees with access to this user data. So do the math on that. It's a lot of bad actors who can just access the information. Now, Facebook says every time we found somebody accessing the information, we promptly fired them whenever they accessed it inappropriately. But how many times do they not catch people inappropriately accessing the information? I'd like to know that. Yeah. within Facebook to limit the number of people that have access to this data to about 5,000, which is, you know, a step down from 16,000, but it's still a lot of people.
Starting point is 00:22:17 This is why I, you know, I really don't trust Facebook, Dave. I really don't. Yeah. Yeah. Yeah. You know, I think this, you want to, it would be great if we lived in a world where you could rely on the goodwill of people to make the right decisions and do the right things. Right. But in a world where human beings have emotions. Yes. And I'd say there's probably not one among us who has not been carried away by our emotions and behaved in a way that we were later embarrassed by or ashamed of, you have to put guardrails on these things, on people's private information, as this shows. Absolutely. You know, a jilted lover may not be reacting in a rational way.
Starting point is 00:22:58 And so you need to protect the people on your platform. And to me, this speaks to a culture certainly back when this was a problem. I mean, you know, this may be a fixed problem by now. Right. But as this book points out, back in 2015, that was not the case. Yeah. Facebook was prioritizing, you know, what is the move fast, break things. They were prioritizing their engineers' ability to do the work that they wanted to do
Starting point is 00:23:25 over their users' privacy. Right. And if you're a Facebook user, I think you need to take that into consideration how much you engage with that network. And particularly when you see things like your deleted photos aren't actually deleted, to me, that's a real violation of trust.
Starting point is 00:23:42 Right. I would agree. I mean, that would be something that would be simple to implement, right? If I go ahead and I say I want to delete this photo, I think we both understand, Facebook, that I'm wanting to delete this photo and you – it's pretty clear I expect you to also delete the photo, right? Right. I don't expect you to keep it on your hard drive forever and keep it associated with me. I don't expect you to set some flag in the database to deleted. I actually want that photo deleted from your system.
Starting point is 00:24:14 Well, Joe, you clearly have not read the EULA from start to finish. Of course not, Dave. Who does read the EULA from start to finish? Right, right, exactly. All right. Well, as we said at the outset, I mean, this book is attracting a lot of attention and certainly a bit sensational in the way it presents things. But I think at the core, there are some really interesting issues here worthy of discussion.
Starting point is 00:24:40 So glad we had the opportunity to discuss it here. Joe Kerrigan, thanks for joining us. It's my pleasure. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan,
Starting point is 00:25:23 Carol Terrio, Ben Yellen, Nick Vilecki, the military grade Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
