CyberWire Daily - Iran behind attacks on PLCs.

Episode Date: December 4, 2023

The US and Israel attribute attacks on PLCs to Iran. Agent Raccoon backdoors organizations on three continents. XDSpy is reported to be phishing the Russian defense sector. Trends in digital banking fraud. Repojacking Go module repositories. Ann Johnson from Afternoon Cyber Tea speaks with Lynn Dohm, executive director of WiCyS, about the power of diverse perspectives. And when it comes to security, don't look to the stars.

CyberWire Guest
Guest is Ann Johnson from Afternoon Cyber Tea talking with Lynn Dohm, executive director of WiCyS, about the power of diverse perspectives. Tune in to Microsoft Security's Afternoon Cyber Tea podcast every other Tuesday on the N2K Network. You can hear Ann's full interview with Lynn here.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/229

Selected Reading
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (CISA)
Water and Wastewater Cybersecurity (CISA)
P2Pinfect - New Variant Targets MIPS Devices (Cado)
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US (Palo Alto Networks Unit 42)
XDSpy hackers attack military-industrial companies in Russia (The Record)
Mobile Emulators Eclipse Bots in 2023 as Preferred Fraud Vector in North America (PR Newswire)
Hijackable Go Module Repositories (VulnCheck)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. and Israel attribute attacks on PLCs to Iran. Agent Raccoon backdoors organizations on three continents. XDSpy is reported to be phishing the Russian defense sector. Trends in digital banking fraud.
Starting point is 00:02:14 Repojacking Go module repositories. Ann Johnson from the Afternoon Cyber Tea podcast speaks with Lynn Dohm, executive director of WiCyS, about the power of diverse perspectives. And when it comes to security, don't look to the stars. Today is Monday, December 4th, 2023. I'm Trey Hester, filling in for Dave Bittner, and this is your CyberWire Intel Briefing. CISA, along with the FBI, NSA, EPA, and the INCD recently issued a significant joint cybersecurity advisory concerning attacks linked to Iran's Islamic Revolutionary Guard Corps. The advisory focuses
Starting point is 00:03:12 on the exploitation of programmable logic controllers in multiple sectors, emphasizing the broad scope of the threat. Notably, the advisory identifies the IRGC as the perpetrator behind these attacks, a clear attribution that signals the seriousness of the threat. The advisory highlights that several U.S. water systems have been targeted, indicating a concentrated effort against critical national infrastructure. It also expands the scope of concern beyond the water and wastewater sector, pointing out that these PLCs, manufactured by Unitronics, are widely used in various industries, including energy, food and beverage, manufacturing, and healthcare. These devices are often rebranded, making them appear as products of different manufacturers and companies.
Starting point is 00:03:57 Additionally, the advisory criticizes the manufacturer for poor security practices, specifically for shipping devices with default passwords and not requiring their reset during installation. This lapse significantly contributes to the vulnerability of these systems. The advisory also sheds light on the activities of the Cyber Avengers, an IRGC persona detailing both legitimate and false claims of cyber attacks, particularly against Israeli targets across several sectors such as water, energy, shipping, and distribution over the past few months. Despite the mixed veracity of these claims, the intent and capability for disruption are evident. Since November 2023, the IRGC cyberactors have been accessing multiple U.S.-based water and
Starting point is 00:04:42 wastewater facilities operating Unitronics Vision Series PLCs, likely exploiting Internet-accessible devices with default passwords. The joint advisory underscores the increased prevalence and sophistication of state-sponsored cyberattacks, particularly targeting critical infrastructure, and highlights the urgent need for heightened cybersecurity measures and responsible manufacturing practices. Cardo Security has identified a new variant of the P2P Infect botnet malware now targeting MIPS architecture commonly used in routers, Internet of Things devices, and other embedded devices. This development indicates a broader targeting strategy by the attackers behind P2P Infect,
Starting point is 00:05:24 aiming to expand the botnet's reach by supporting more processor architectures. The MIPS32 variant of P2PInfect features advanced defense evasion techniques and leverages Rust for cross-platform development. The rapid expansion of the botnet, coupled with these sophisticated aspects, suggests a highly skilled threat actor is orchestrating this campaign. Palo Alto Networks' Unit 42 researchers have discovered a new backdoor named Agent Raccoon, which has been used to infiltrate organizations across the U.S., Middle East, and Africa. This backdoor, suspected to be deployed by a nation-state threat actor, has compromised various sectors including education, real estate, retail, nonprofit organizations, telecom companies, and government. Agent Raccoon is developed using the .NET framework and utilizes DNS to create a covert communication channel with its command and control server.
Starting point is 00:06:25 The researchers highlight that this toolset is not yet linked to any specific threat actor and appears to be used in multiple campaigns or clusters, indicating its broad application in cyber espionage activities. Russian cybersecurity firm F.A.C.C.T. reported that the cyber espionage group XDSpy has been targeting a Russian metallurgical company and a ballistic missile development firm through phishing attacks, falsely presenting the emails as coming from a nuclear weapons design institute. The Record notes that little is known about XDSpy, active since 2011 and likely state-directed. Cybersecurity company ESET, which monitored XDSpy until losing access in Russia and Belarus following Russia's invasion of Ukraine, noted the group's unsophisticated toolkit but exceptional operational security, hindering attribution to any specific government.
Starting point is 00:07:11 XDSpy's activities primarily focus on Eastern Europe, including Russia and the Balkans. While The Record refrains from attributing XDSpy to any nation, it mentions that recent cyber espionage against Russia has mostly originated from North Korea and China, with interests aligning in the theft of technical information, similar to XDSpy's objectives. New research from BioCatch reveals a 64% increase in mobile banking fraud in 2023 compared to the previous year. The study highlights a shift in criminal tactics, moving from bot-driven web-based fraud to emulator-based mobile banking fraud. While there's a rise in both legitimate and illegitimate uses of emulators,
Starting point is 00:07:53 the report emphasizes a notable, sometimes drastic, increase in emulator usage. Although there is a slower growth in reported fraud cases, BioCatch cautions that this may be due to the delays in fraud detection and reporting, suggesting that the actual extent of fraud could be higher. This trend indicates a changing landscape in digital banking security, with fraudsters adapting and evolving their methods to exploit mobile banking platforms. VulnCheck's report on repository hijacking or repojacking in the Go module ecosystem reveals a significant vulnerability. The study finds over 15,000 repositories at high risk
Starting point is 00:08:31 due to changes in GitHub usernames or account deletions. These repositories are crucial, supporting more than 800,000 Go module versions. Volnchak emphasizes that resolving these repojackings is a responsibility that falls on either Go or GitHub, as it's impractical for a third party to register 15,000 GitHub accounts. Until a solution is implemented, the report advises Go developers to remain vigilant about the modules they use and to stay informed about the status of the repositories from which these modules originate. This highlights a critical aspect of software development, being mindful of the foundations on which your code stands.
Starting point is 00:09:18 Today we have Ann Johnson, host of Microsoft's Afternoon Cyber Tea podcast, speaking with WiCyS director Lynn Dohm about the power of diverse perspectives. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
Starting point is 00:10:02 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:10:57 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Today, we have Anne Johnson from the Afternoon Cyber Tea podcast speaking with Lynn Dome, Executive Director of WeSys, about the power of diverse perspectives.
Starting point is 00:11:46 Here's Ann. Today, I'm joined by Lynn Dohm, the Executive Director of Women in Cybersecurity, or WiCyS for short. Lynn brings more than 25 years of organizational and leadership experience to the Women in Cybersecurity WiCyS team. Lynn is passionate about the need for diverse mindsets, skill sets, and perspectives. She aims to facilitate learning opportunities and discussions on leading with inclusion, equity, and allyship. Lynn has collaborated with businesses, nonprofits, grants, and philanthropies to help produce outcomes aligned with cybersecurity workforce initiatives.
Starting point is 00:12:24 Welcome to Afternoon Cyber Tea, Lynn. Thanks, Ann. It's a pleasure to be here. So let's talk a little bit. I read something, Lynn, in the WiCyS blog recently that resonated with me. The blog said, and I'm quoting it, one of the most impactful ways that we can create a welcoming environment is through our words. In every space that we enter, we have the opportunity to use language that makes everyone around us feel comfortable and
Starting point is 00:12:50 to feel safe. I like this because it is not enough to just hire women into the industry. Organizations actually have to be intentional every day to create inclusive environments to make people want to stay. Brett Arsenault, our CISO, likes to say, you go where you're invited, you stay where you're welcome. So what is your perspective on inclusivity and what practical advice would you give to our listeners on how they can help create a more inclusive environment in their organizations? Well, this is one of my favorite topics. So I really appreciate and love that fact that you're bringing up inclusion here because it's extremely important. The focus is always like we need to build a diverse cybersecurity workforce.
Starting point is 00:13:32 We need to diversify. What are we going to do to diversify? But when you peel back the layers, you then realize that the lack of diversity is a symptom of the lack of inclusion. But as the whole world keeps talking about diversifying the workforce, we know that sometimes in some instances, it can turn into a feel-good metric because it's a data point and it's a metric you can measure. And so for some organizations out there, they might measure their diversity numbers. They might put in some initiatives, very likely early career. And a year from now, they can measure those diversity metrics again. And if they grew ever so slightly,
Starting point is 00:14:10 they could feel good about themselves and pat themselves on the back and feel like their job is well done. And that's all fine and dandy. But inclusion, inclusion is much more complicated. And it's not normally talked about because it's complicated. Because inclusion is a feeling and it's not a data point. It's not this metric you can measure, but it's a feeling and it's more of a feeling felt when you're excluded. And so for Rhesus, it was really important for us to have this conversation with industry leaders about this state of inclusion and how are we gonna quantify inclusion in order for us to open up the doorways
Starting point is 00:14:50 for these conversations. So we partnered with Illyria and we quantified the experiences of exclusion for women in cybersecurity to identify the state of inclusion. The findings were really, really interesting that there is 50% of women that feel like their career and growth lack of advancement opportunities within the organization was their primary source of exclusion in the workplace. And it was super interesting to us and our research partner because it wasn't found there in any other industries.
Starting point is 00:15:27 research partner because it wasn't found there in any other industries. So for us to continue to do the good work that we're doing within Rhesus, we have to not only focus on the pipeline, but also that leaky pipe. And that's where the inclusivity really needs to be focused on. And so we put together so many resources like inclusive language. That's an open source document we're always adding to that inclusive language in the cybersecurity workforce. We have documents on inclusive leadership, how to be an ally to women in cybersecurity, and so many others, how to create a neurodiverse event. That's a very interesting one too. So we have all these resources available for everyone to have access to so that they can pay attention. Because we hear time and time again, and as a matter of fact, even at a recent event I
Starting point is 00:16:13 went to, I gathered all these stories that the lack of inclusion is very prominent and exists very much so. Just in this day-to-day, we hear stories about managers that put up their new hires on their leadership slide decks and label the slide deck diversity hire. their time, volunteering their time for elevator pitches, only to say to the only female in her room that the elevator pitch was excellent, but her necklace and her nails were distracting. Like these instances are happening right here and right now. So our words do matter. How we express ourselves matter. How we create this culture of inclusion truly does matter in the cybersecurity workforce, not only for us to attract diverse talent, but for those individuals to be retained and
Starting point is 00:17:10 to be able to elevate and advance themselves because of it. That's Anne Johnson from the Afternoon Cyber Tea podcast, speaking with Len Dome, Executive Director of WeSys. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:17:52 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, Security Affairs reports a data exposure incident at WeMystic, a service focused on astrology, spiritual well-being, and esotericism, which also operates an online store selling items like natural stones and tarot cards. An unprotected MongoDB database left 34 gigabytes of data, including sensitive customer information, exposed to the internet. including sensitive customer information exposed to the internet. The breach involved over 13 million files, revealing names, email addresses, dates of birth, IP addresses,
Starting point is 00:18:54 gender, astrological signs, and user system data. Although WeMystic has now secured the database, it remained open for five days. In a cosmic twist of fate, it seems that even the stars could not predict this celestial-sized data leak. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in
Starting point is 00:19:30 the rapidly changing world of cybersecurity. This episode was produced by Liz Ervin. Our mixer is me with original music by Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilpie, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:20:43 Learn more at ai.domo.com. That's ai.domo.com.
