CyberWire Daily - ICS security–vulnerabilities, mitigations, and threats. A Chinese APT prospects Iranian targets. The persistence of nuisance-level hacktivism. And war takes a toll on the criminal economy.
Episode Date: January 18, 2023

CISA adds to its Known Exploited Vulnerabilities Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyberespionage is reported against Iran. The persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side-effect of Russia's war: a drop in paycard fraud. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/11

Selected reading.
Bolster Your Company Defenses With Zero Trust Edge (iBoss)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
GE Digital Proficy Historian (CISA)
Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)
Siemens SINEC INS (CISA)
Contec CONPROSYS HMI System (CHS) Update A (CISA)
Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape (Nozomi Networks)
A look at IoT/ICS threats. (CyberWire)
DNV's fleet management software recovering from ransomware attack. (CyberWire)
DNV says up to 1,000 ships affected by ransomware attack (Computing)
Ransomware attack on maritime software impacts 1,000 ships (The Record from Recorded Future News)
Chinese Playful Taurus Activity in Iran (Unit 42)
Playful Taurus: a Chinese APT active against Iran. (CyberWire)
Russian hackers allegedly tried to disrupt a Ukrainian press briefing about cyberattacks (Axios)
Russia's Ukraine War Drives 62% Slump in Stolen Cards (Infosecurity Magazine)
Annual Payment Fraud Intelligence Report: 2022 (Recorded Future)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA adds to its known exploited vulnerabilities catalog,
attacks against industrial systems,
DNV is recovering from ransomware, Chinese cyber espionage is reported against Iran,
the persistence of nuisance-level hacktivism, Robert M. Lee from Dragos outlines pipeline security,
our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust,
and a side effect of Russia's war,
a drop in paycard fraud.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 18th, 2023.
Good day to you all. It is great to have you here with us again today. We begin with some notes from CISA, the U.S. Cybersecurity and Infrastructure Security Agency. Yesterday, CISA made an addition to its Known Exploited Vulnerabilities Catalog. Tracked as CVE-2022-44877, the issue involves an OS command injection vulnerability in CWP, Control Web Panel. That system was formerly known as CentOS Web Panel. Exploitation of the vulnerability could allow remote attackers to execute commands by using shell metacharacters in the login parameter, and apparently some remote attackers are doing just that. Federal civilian executive agencies have until February 7th to apply updates per vendor instructions.
Also yesterday, CISA released four industrial control system advisories.
It's worth paying due attention to warnings like those contained in the CISA advisories.
An industry study suggests the range of threats industrial systems face.
Nozomi Networks has released its OT/IoT Security Report for the second half of 2022,
highlighting disruptive attacks against the transportation and manufacturing industries.
The researchers describe a cyber attack that hit rail technology manufacturer Continental in November.
The attackers stole more than 40 terabytes of data,
which they threatened to publish on the dark web unless the company paid a $50 million ransom.
Continental refused to pay the ransom,
stating that it would only help fund continued attacks on the security of critical infrastructure
such as utilities and
hospitals, educational institutions, and the economy. Nozomi notes that attacks against rail
systems have been growing in frequency, making this sector an attractive target to all threat
actor types at play. Nozomi also outlines wiper attacks against three Iranian steel companies.
These attacks were claimed by the hacktivist group Predatory Sparrow,
though the BBC cites experts who suspect the attacks may have been carried out by state-sponsored actors.
The maritime shipping sector has also been affected by recent cyber attacks. According to The Loadstar,
the ship classification society DNV has disclosed
that its ShipManager fleet management software
was hit by a ransomware attack on January 7th.
DNV says approximately 1,000 vessels
belonging to 70 of its customers have been affected,
stating,
DNV experts have shut down ShipManager's IT servers in response to the incident.
All users can still use the onboard offline functionalities of the ShipManager software.
There are no indications that any other software or data by DNV is affected.
The server outage does not impact any other DNV services. DNV experts are working
closely with global IT security partners to investigate the incident and to ensure operations
are online as soon as possible. DNV is in dialogue with the Norwegian police about the incident.
DNV is communicating daily with all 70 affected customers to update them on findings of the ongoing forensic investigations.
In total, around 1,000 vessels are affected.
We apologize for the disruption and inconvenience this incident may have caused.
TradeWinds reports that as of January 17th, DNV was still working to bring ShipManager back online.
Palo Alto Networks' Unit 42 has published a report describing Playful Taurus,
also known as APT15 or Vixen Panda,
a Chinese threat actor known for carrying out cyber espionage campaigns
against government and diplomatic entities around the world.
In this case,
Playful Taurus is targeting government entities in Iran with a new version of its Turian malware.
The threat actor appears to have compromised the networks of at least four Iranian government
organizations, including Iran's Ministry of Foreign Affairs. The new version of the threat
actor's malware includes some additional obfuscation and a modified network protocol.
The researchers conclude that Playful Taurus continues to evolve their tactics and their tooling.
Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns.
Our analysis of the samples and connections to the malicious infrastructure suggest that Iranian government networks have likely been compromised.
At the same time, we would also caution that Playful Taurus
routinely deploys the same tactics and techniques
against other government and diplomatic entities
across North and South America, Africa, and the Middle East.
So take the campaign against Iranian networks as a cautionary tale.
Russian threat actors allegedly disrupted a Ukrainian news conference yesterday, Axios reports.
Media center Ukraine, the service convening the event, said,
We just faced a cyber attack on our information platform committed by Russia.
We understand they don't like to hear the truth about this war, but we're not to be stopped.
We are online. We are broadcasting.
The news conference was set to include an interview with Yurii Shchyhol,
head of the State Service of Special Communications and Information Protection,
who was to offer an overview of Russian cyber operations during its war against Ukraine.
The delay was brief. The interview has since been posted by Ukrinform. Its contents are about what
you'd expect. Continued attempts, for the most part ineffectual in terms of combat support,
nuisance-level stuff like the attack on the press conference itself.
And finally, to stay with the hybrid war for a moment longer,
Russia's campaign against Ukraine has had at least one somewhat surprising effect,
a recession in the criminal carding economy.
In the course of surveying pay card fraud during 2022, Recorded
Future's Insikt Group noticed a 62% drop in stolen cards being hawked or dumped on the dark web.
That drop, Infosecurity Magazine points out, coincides with Russia's invasion of Ukraine.
The drop came in two waves. The first was occasioned by an unexpected crackdown on some cybercriminal gangs in January of 2022.
Recorded Future says,
The governing theory is that Russia sought to signal its intent to cooperate with the West against cybercrime,
should the West acquiesce to Russian demands regarding Ukraine.
Any expectation of Western goodwill was
soon seen to be a false light. The second wave took place after the invasion proper, and once
it became clear that the war Russia had unleashed was going to be far more protracted than anyone
expected. The report says, after April, slack carding demand and depressed volumes of fresh
records were likely a result of Russia's war. It is highly likely that the war has significantly
impacted Russian and Ukrainian threat actors' ability to engage in card fraud as a result of
mobilization, refugee and voluntary migration, energy instability, inconsistent Internet connectivity, and deteriorated server infrastructure.
Russian-occupied areas of the Donbass region of Ukraine
were long suspected to have hosted cyber-criminal server infrastructure.
And this is in addition to another possible contributing cause we might mention,
the mobilization of gangs as cyber
auxiliaries of the Russian intelligence and security services. This sector of the criminal
underground economy is likely to continue to see a downturn as long as the war continues.
And those 350,000 conscripts President Putin just said he was going to summon have to come
from somewhere. You're not necessarily going to be left alone in the local cyber cafe or your parents' basement.
Coming up after the break, Robert M. Lee from Dragos outlines pipeline security.
Our guest is Yasmin Abdi
from Snap on bringing her team up to speed with zero trust. Stay with us.
Yasmin Abdi is a security engineering manager at Snap, makers of the popular app Snapchat,
and also the CEO and founder of
NoHack. I checked in with her to learn how she and her team at Snap are implementing principles
of zero trust to better secure their organization and their users. So at Snap, I manage our access
control and access employee management team, really trying to make sure that we only give
employees permission to users' data and other sensitive data that they need for their workflow.
So I built out a team of engineers and product managers and program managers
to really build this one-stop shop of really controlling how access is set up at Snap.
So my day-to-day is really checking
in with our engineers, making sure that the project is going forward, making sure that all
of our stakeholders are kept up with our latest changes, if any, and really just making sure that
their project is managed and working in the right direction. Well, what are some of the challenges
you and your team face? Running
at an organization with that kind of scale, what sort of things are you up against there?
Yeah. So some of the challenges that we face is for our stakeholders, some people have differences
of opinions on how certain things may go in terms of the project. So it's really just all in terms
of negotiating, making sure that
everyone's viewpoints are heard, making sure that the stakeholders are having their needs met,
and really making sure that we're all on the same page and we can deliver the best solution and best
services to our stakeholders. And how are you coming at this from a technical point of view?
What are the sort of design philosophies you all have adopted?
Yeah, so we're really big on reusing existing services and existing frameworks, guidelines,
and solutions that we have in-house. Really not trying to reinvent the wheel here and use some existing products that we have just to speed up the time of development and implementation.
So I would say that that's probably the biggest
technical solution that we are trying to use here. Yeah, so I think in terms of the technical
challenges that we face, there's a lot of new technology that's coming out every day and just
really trying to figure out how we're going to incorporate new technology with the existing
technology that we use.
And then in terms of some of the solutions that we have in-house,
with all of these differences in technologies,
really trying to weigh for them to all work together seamlessly.
And you all are implementing zero trust?
Yeah, so really limiting the amount of data and the amount of permission that's given to our employees. So really trying to prevent
overexposure of data and really making sure that the appropriate data is given for the workflow.
So because we do host millions of different pieces of user data and sensitive data,
really trying to promote zero trust at the forefront and limiting access to services or
to data sets that are not needed for certain
workflows. And how does that present itself from a practical point of view to your users,
to your stakeholders, to be able to implement zero trust, but not at the same time have too
much friction so that they can't do their jobs? Yeah, I think one of the biggest challenges with implementation of zero trust is just that it does cause maybe an additional layer of requesting access and maybe another step in the access management lifecycle.
certain level of data and a very, very, very small fraction of data to certain employees.
If there's a use case or an edge case of an employee needing a certain data set, you have to go through a whole Jira ticket process. And then it's just another layer of
communication with either different teams and stuff. So even though it is going to be an additional layer
of requests to get that access,
at the end of the day,
when you think about the bigger picture or the goal here,
it's to keep our users safe, secure,
and their data private.
So it's worth it.
And we try to really understand each workflow
and each data set that's needed for workflows.
So that additional layer of requests or that additional layer of access
that would need to be approved by higher up and level managers
sometimes becomes a challenge.
But for the overall goal that we have of really limiting amounts of data
for only the workflow that you need,
that's the goal that we're trying to achieve.
And how do you measure success? How do
you know that the things you're putting in place are being effective? Yeah, I think our biggest
measure of success is limiting data breaches. And those are probably the biggest ones here that we
have. But I think we have audits and we run these audits pretty frequently and checking and fact checking, hey, does this group of employees or this group of contractors, if we just type in their work title, what access do they have?
So running periodic audits is a good measure of success in terms of seeing what really do these employees have access
to and just verifying that. And I think another thing is when we do have maybe an employee's
laptop compromised or a scenario where it is an incident, are we quickly able to revoke access?
So I think the two things here is, can we quickly answer the question of
what access do they have? And then can we quickly revoke it? And if that turnaround time is small
and it's like a couple seconds to do, then I think that's a great measure of success for my team.
What about the cultural element and communicating with your team members,
your colleagues there, explaining what it is you're doing, why you're doing it,
why it matters that they're on board with these policies?
Yeah, I think that communication in my team
is one of the things that I appreciate
and I look forward to the most.
We all have an open-door policy
and there is no hierarchical positioning.
So if someone has a suggestion
or some feedback on how we are communicating or a pain point, or they have some decision,
technical decision or technical solution that they want to bring up, we really do listen and
we really take communication very strongly here. So I think that it's super important to
have that open door mentality and really understanding.
Even if you're a junior and you just started and it's your second week, your opinion and your value does matter.
And you have the ability and the autonomy to bring your solutions to the table.
And we will discuss them and see how we can incorporate, implement them into the overall bigger picture that we have here at Snap and on my team specifically.
That's Yasmin Abdi from Snap and NoHack.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, you and I have talked about a lot of the different elements of your area of expertise.
But one thing we haven't touched on are pipelines.
And I wanted to touch base on that today is just kind of get an overview from you of, first of all, how they work, how they're monitored, and what are the concerns in that particular area?
Sure. And so, I mean, pipelines themselves are vital to any sort of country that's operating on, well, I mean, in general, they're not just natural gas and fuel. There's a lot of sort of product that moves through pipelines these days. So in general, most countries have a necessity to have pipelines.
And obviously, that can be a contentious topic. You have to have the right of way, you have to be
able to have the land rights to be able to build a pipeline. It's going to probably upset somebody
depending where you go, the route you take, etc. But there's a lot more pipelines than people realize,
and there's a lot more monitoring and care and thought on those pipelines
than people tend to appreciate.
Everything from, especially in the United States,
like Environmental Protection Agency or EPA monitoring,
there's a lot of data points across the pipeline
in terms of how they're running it, how clean it is,
making sure you're not putting off harmful emissions
or product into the environment.
That type of monitoring and reporting the EPA
is going to take data points and pass it back usually
to a historian or some type of SCADA-like application.
Disrupting that alone could make it completely unaffordable to run the pipeline. As an example, if you took down
the ability to report to the EPA, for most
companies, not being able to report to the EPA lands
you pretty large fines. And those fines add up really quick
to the point where it would be non-economical to run the pipeline anymore.
So there's all sorts of little pressure points, if you will.
But I think the big takeaway is, number one,
the infrastructure itself, the focus on safety,
the focus on how to thread the needle
of doing it environmentally appropriate
while understanding that inherently
there's going to be challenges.
There's just a lot of thought process with that.
On the cybersecurity side,
most companies are facing the exact same challenges
everyone else is, which is most companies around the world
have invested very heavily in their IT security.
And that's been a topic for years for CEOs
and board of directors and governments
on let's do cybersecurity critical infrastructure,
not realizing that almost all of their investments
are on the IT security side, not the OT security side.
Obviously when you talk about those operations technology
or industrial control systems,
that's the critical part of critical infrastructure
and it's largely been ignored with good reason.
For a long time it wasn't connected up
and the risk profile was different.
But now all that's changed
and people are trying to play catch up. So I think it's very fair to say that most pipelines are not
where we'd want them in terms of security, but we have to balance that with because things have
changed, not as if they've just been bad operators or so forth over the years. So lots of different
components that go into it. But if you think about it, they are complex networks of applications and purpose-built systems,
custom network protocols, different types of pipelines
are going to have different types of considerations
like gas compressor stations along the route.
There's just a lot of unique equipment and expertise
in running one of those.
Can you help me understand in terms of monitoring these systems? Because obviously
they exist over a large geographic area. Are we talking about sensors that are using cellular
networks to report back their data and all of the pluses and minuses that go with that? And
how has that evolved over time as the technology has come along?
Yeah, used to you would have pretty analog-type systems,
not really connected up. Then we started seeing more cellular-type modems,
VSAT-type communications, wireless, et cetera,
maybe like RF off of a local tower.
We have started to see more IP-based networks
and fiber being run as it's been more affordable
in those kind of situations.
But by and large, anytime you talk about
industrial control systems over a wide area,
you're in the lane of SCADA.
I think there's still a lot of folks out there
that understandably, when they hear of industrial control systems,
they associate that term with SCADA
or supervisory control and data acquisition.
But SCADA really only deals with those large,
wide area networks. If you're talking about more localized, like a
plant, you're usually talking distributed control systems or DCS.
Some type of manufacturing may not even have that. You'll just have programmable logic controllers or some type of
local control elements. But when you have a gas compressor station that has
its control elements, when you have a pipeline control center that has its control elements, when you have pipelines
across hundreds if not thousands of miles and all the control elements across it, that's when you
introduce SCADA as kind of this above-the-local-control supervisory control that is there to make sure
that the system of systems is operating as intended and that they've maintained positive control in such a way to, of course,
ensure safety and environmental protection.
When you look at the current state of security with pipelines,
where we stand today versus where ideally we would like to be,
how do you assess that?
Yeah, and again, I'm not trying to put down
any of the individual companies.
We work with some of them who are not in this profile,
but the majority of industrial infrastructure in the world,
I wouldn't say the majority of the critical infrastructure,
but the majority of the industrial infrastructure
in the world is simply not doing a lot of security.
Again, things have changed.
It's not that they're bad companies or whatever.
But those changes now require people to do OT security.
And you can't just take your IT security practices
and copy and paste them into OT for a lot of reasons.
Some folks will go, oh yeah, because of legacy systems.
No, that's really not it.
It can be a barrier.
But the reality is in IT security,
you deal a lot with data security and system security.
In ICS security, you deal a lot with systems of systems security and physics.
And so if the attackers are operating differently,
if the systems tend to be different,
if the communications tend to be different,
if the ways to achieve your goals tend to be different,
if the impact is different,
then you're probably not going to take the same security
and copy and paste it over.
So people are trying to figure out what that means.
I would argue that probably the biggest challenge
for most companies is getting their network
into a good place.
So you usually see some level of segmentation
with a firewall project or an SDN-type project,
and then building out a more reliable network.
And then the very next thing that people will do is turn the lights on in the house.
What do we actually have? Is the architecture what we actually think it is?
That's the whole visibility and monitoring thing that people talk a lot about in the industrial space.
And that then helps people understand where to go,
what to focus on, what the actual issues are.
Most pipeline companies, like many other companies out there,
are not doing anything beyond
the preventative work of
let's segment, let's put firewalls,
maybe we'll do antivirus.
It's understandable because if you look at the standards
and frameworks and regulations out there,
they do push very heavily
on that prevention focus.
But what happens is without the visibility,
without the detection and response,
you end up having that prevention atrophy over the years, and you don't actually have the environment you
think you have. Part of the problem for a lot of infrastructure owners is they spend quite a bit
of time building out a reliable and resilient environment. But without that monitoring,
without that understanding of it, it does atrophy over time. And you have less
and less and less value out of that prevention until there's a tipping point, whether it be a
state act or ransomware or just random crap that can happen and take down a network. So I would say
that pipelines are behind where we want them, behind some of the larger industries, but it's not a simple answer of why.
All right. Well, Robert M. Lee, thanks for joining us. Thank you.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.