CyberWire Daily - Iranian-Israeli cyber tensions rise. Decaf ransomware described. Philippine government phishbait. Unemployment due to cyberattack. Europol’s latest collars. Facebook rebrands as “Meta.”
Episode Date: October 29, 2021
Tensions between Iran and Israel rise as sources in Tehran blame Israel for hacking gas stations, and as apparent Iranian hacktivists dox Israeli defense personnel. A new ransomware strain is discovered. A criminal group is spoofing emails from Philippine agencies. Europol and partners sweep up a cyber gang. Betsy Carmelite from BAH on convergence of 5G and healthcare. Our guest is Justin Wray from CoreBTS with a look at the security issues facing online gaming and casinos. And the company formerly known as Facebook rebrands as “Meta.” For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/209 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners,
today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Tensions between Iran and Israel rise.
A criminal group is spoofing emails from Philippine agencies.
A new ransomware strain is discovered.
Europol and partners sweep up a cyber gang.
Betsy Carmelite from BAH on convergence of 5G and healthcare.
Our guest is Justin Wray from CoreBTS with a look at the security issues facing online gaming and casinos.
And the company formerly known as Facebook rebrands as Meta.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, October 29th, 2021.
Iranian news services are calling the incident that disrupted subsidized fuel distribution in Iran an Israeli cyberattack.
Asharq Al-Awsat reports that officials intend to release results of their investigation
within a few days.
In the meantime, Tehran has retaliated by doxing Israeli Defense Minister Benny Gantz
and a number of Israeli soldiers.
The Jerusalem Post says the doxing was accomplished
by a threat actor calling itself Moses Staff, and the Tehran Times suggests that more will
be heard from Moses Staff as tension between Israel and Iran rises. Haaretz reports that
Moses Staff has also obtained Israeli troop deployment information. The members of Moses Staff are generally believed to be Iranian nationals.
The group posted a warning to Defense Minister Gantz on its site,
quote,
We know every decision you make and will hit you where you least expect it.
We have secret defense ministry documents,
operational military maps, and troop deployment information,
and will publish your crimes to the world.
Attribution in these cases is always difficult,
particularly when the groups involved represent themselves as hacktivists.
The case for Israeli involvement in the gasoline distribution hack
is, absent the promised report of Tehran's investigation,
so far a matter of a priori possibility.
Similarly, it's not clear who Moses Staff may be
or to whom they answer.
Morphisec has released research into a new ransomware strain
they're calling Decaf.
It's noteworthy for its use of the Go language,
increasingly popular among cybercriminals.
Babuk, Hive, and Hello Kitty are other ransomware tools written in Golang.
Decaf appeared in September and its development has continued into this month.
Morphisec writes, quote,
The development of Decaf continues to this day, showing that ransomware groups constantly innovate their attacks.
That the attack is written in Golang is further proof of this trend toward innovation among the adversary community.
Threat actors are forever making changes and adding new capabilities
to evade the detection-centric solutions that predominate in the market.
End quote.
Proofpoint has identified a new criminal threat actor, tracked as TA2722,
that impersonates agencies of the Philippine government in phishing operations
designed to distribute Remcos and NanoCore remote-access Trojans.
TA2722 targets shipping, logistics, manufacturing, business services,
pharmaceutical companies, and energy providers.
Victims have been found in North America, Europe, and Southeast Asia.
ZDNet points out that the target selection poses a risk to already stressed supply chains.
That's physical supply chains, not necessarily software supply chains.
It's worth recalling that delays and disruptions to the delivery of tangible goods
have become a global problem, and anything that meddles with business or production systems
is bound to make a difficult situation all the more challenging.
A link in one such supply chain, disrupted last Friday by what's generally believed to be
ransomware, seems now to be on its way to recovery.
The Green Bay Press-Gazette reports that Schreiber Foods has recovered sufficiently from the cyber
incident it sustained to resume plant operations. The company announced Wednesday that it had
resumed taking delivery of milk. Schreiber produces dairy products, and is now back in
production and shipping product to its customers.
ZDNet says that Schreiber began to bring its plants back online Monday.
The company has so far been tight-lipped about the specific nature of the cyber incident.
CISA has issued a fresh set of industrial control system security advisories.
There are three of them.
Sensormatic Electronics LLC, a subsidiary of Johnson Controls, has fixed hard-coded credentials in its Victor product.
Mitsubishi Electric has taken care of an uncontrolled resource consumption problem
in its MELSEC iQ-R Series C controller module, R12CCPU-V, and Delta Electronics has addressed a stack-based
buffer overflow vulnerability in its DOPSoft HMI product.
Europol today announced that it has targeted 12 individuals in Switzerland and Ukraine
whom it believes are responsible for a range of cybercrimes that represented
a dangerous combination of
aggressive disruption and high-stakes targets. The criminals' activities were complex, and
Europol sums them up like this, quote, the targeted suspects all had different roles in these
professional, highly organized criminal organizations. Some of these criminals were
dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials, and phishing emails with malicious attachments.
Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as TrickBot or post-exploitation frameworks such as Cobalt Strike or PowerShell
Empire to stay undetected and gain further access. The criminals would then lay undetected in the
compromised systems, sometimes for months, probing for more weaknesses in the IT networks before
moving on to monetizing the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga,
MegaCortex, and Dharma ransomware, among others.
End quote.
Europol credits an international cooperative effort
for the success of the enforcement operation.
Listen to them.
Children of the night.
What music they make.
The moon wasn't full when the shapeshifting took place.
Our lunar desk tells us it was in the last quarter,
right between a waning gibbous and a waning crescent,
but there was still some shapeshifting reported.
Okay, okay, thank you, wolves.
Down, boys. Good girls.
Please take it back to Borgo Pass.
But this isn't about the children of the night.
It's about the children of the social network.
And the shapeshifting was of the rebranding variety
as opposed to the lycanthropic kind.
And it's not Borgo Pass either, but rather Menlo Park,
and the company formerly known as Facebook has announced that it will henceforth be known as
Meta. A founder's letter says that the House of Zuckerberg is betting on the Metaverse,
a neologism that refers to an immersive experience in which people will live significant parts of their lives in virtual contact with others.
Facebook is officially all in on the metaverse, and while Mr. Zuckerberg explains that the metaverse won't be built by one company,
Facebook, I'm sorry, Meta, will play a major role in shaping it.
Reaction to the rebranding is cautiously mixed.
There are the usual observations that meta is a naughty word in some languages, of course. Wired says that companies typically
rebrand for three reasons. New business ambitions, a new corporate organization,
or an attempt to distance themselves from a name with bad associations. The piece argues that Facebook's conversion to Meta
has aspects of all three. The Drum's roundup of industry reaction is also mixed, with some seeing
the renaming as the bold planting of a flag in new technological territory, and others seeing it as
just a PR-conscious reactionary move. And the metaverse itself has come in for its own share of skepticism,
the next phase of
human evolution, or just
Fortnite on steroids.
Anywho, trading begins
on December 1st under the new
ticker symbol MVRS.
Take it away, wolves!
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
If you've watched any televised sports this season, you most certainly have seen the proliferation of ads for online sports betting platforms, gaming apps as they refer to them.
Justin Wray is Director of Operations for Security at CoreBTS, and he joins us with insights on the security considerations of gaming platforms shifting online.
When we talk about gaming in general and really online gaming in particular,
there are a whole lot of different things to consider from a security perspective.
But I think one of the things that's definitely unique, and this isn't the only industry that has some unique aspects, but one of the things that is unique about the gaming industry is that they really have these two different areas within
the organization. You know, you have the actual gaming platforms. And when we're talking about
online gaming, you have the sites that users are interacting with. You have people who are
not physically, you know, at a location that you control that are interacting with your organization,
but you still have all the corporate, you know, back office aspect as well. So there's still,
you know, payroll and customer service
representatives and sales teams that are, you have all that normal corporate business
and corporate technology and networking involved as well. But it's an area where certainly when
you think about the security connotation from an adversary perspective, certainly focus, right?
You have the gaming platforms themselves
that, you know, are publicly available. And how does this compare, you know, to a physical
casino where people may go to enjoy gaming? It strikes me that, you know, with the casino,
we always see these movies where they have the eye in the sky and they keep a physical eye on
people who may be trying to
advantage things to themselves in an unfair way. Do online gaming platforms face similar issues?
I think that's one of the most important aspects. When you think about a casino,
and specifically when you think about casino security, you think of the person at the door checking IDs and, to your point, cameras that are monitoring all the activity.
And of course, when you think about a compromise of a casino, you tend to think of something like Ocean's Eleven.
They're going to come in and they're going to get into the vault.
And unfortunately, there's been a lot of focus and dedication over time in the casino industry and the gaming industry on physical security.
And what we're not necessarily seeing evolve as rapidly is the cybersecurity aspect, right?
You've had to rapidly go towards this online paradigm, but the security hasn't necessarily kind of kept at pace.
And so I think this is one of the, like I said, the most important aspects here is that
just like a casino would want to physically protect the casino from somebody coming in and causing them harm, they need to take that same mentality and apply it to the online digital world as well.
And so there's absolutely that aspect, and there's certainly things around, let's say, cheating, for example.
I mean, it has to be top of mind for an online gaming organization, certainly different than other industries. But of course, again, that's
not the only thing they need to be concerned about. The other security risks, you know,
things like ransomware attacks, et cetera, I mean, just as easily can plague an online gaming
organization. So they really have to take that security focus and, again, apply it towards the
gaming aspect in particular, things like anti-cheating,
but also to the kind of just general technology and interconnected world we live in.
You know, we're definitely in the midst of an advertising blitz as these organizations
try to stake their claim and carve out their market share. What is a consumer to do to have confidence that
they're going to be working with a platform that has their back, that has security covered? Are
there any things they should be looking for? That's a great point. And it's one of those
areas that security is a shared responsibility. And so while there is absolutely a responsibility
on the casino themselves to
obviously secure their infrastructure, you know, users have a responsibility to secure themselves
also, right? And the thing that comes top of mind to me is things like account, you know,
credentials and management there. So I would say that, you know, when you're looking at the
different platforms, you're right, there are a lot of options. And certainly, you can look at who's regulating them.
Are they compliant with various security standards?
And oftentimes, they will publish that in some fine print.
The casino's website or organization will kind of make that available to some extent.
But just, again, basic things like, does the site offer multi-factor authentication?
And if it does, you as a subscriber, as a user, should be using multi-factor authentication.
The casino can protect their infrastructure all day long, but if your credentials are compromised and somebody logs in as you, then the casino is not going to know that you're not the one, you know, completing that withdrawal or whatever the case might be.
That's Justin Wray from CoreBTS.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Betsy Carmelite.
She is a senior associate at Booz Allen Hamilton.
Betsy, it is always great to have you back.
You and I recently talked about 5G security and zero trust,
and I want to sort of continue along that line of conversation,
but really focus on healthcare today and how healthcare is converging with 5G as well. What can you share with us?
When you turn to 5G and its convergence with healthcare, we really need to start talking
about its impact on an industry that was forced to embrace the transformation of healthcare
delivery during the pandemic, specifically telemedicine adoption. So what could 5G mean for healthcare and addressing
vulnerabilities in healthcare moving forward that comes along with that transformation?
To start, it really revolutionizes global communications and the connections
across secure connected health, physical devices, and the digital world. And secondly, we are imagining
that 5G will accelerate secure connected health because of its near real-time interactivity,
the expanding internet of medical things. Here's a thought. By 2023, it's estimated that there will be three times more networked devices than humans on Earth.
And 5G has an ability to facilitate AI-enabled healthcare to protect patient data as well.
We're looking at 5G's advancements in network slicing.
And what we mean by that is when multiple dedicated networks are layered on top of a common shared physical
infrastructure, keeping data sets private and separate from each other.
Can you give me some specific examples of how 5G is going to enhance healthcare?
So we have a few scenarios to think about. First, real-time complete patient monitoring in hospitals, and then once patients go home.
So without the restrictions on data streaming that 5G will offer, so we mentioned the greater
bandwidth and lower latency, hospitals could adopt all source patient sensors and personalize
automated treatment plans from data outputs, and patients could
remain under the care of the hospital team once they go home.
Secondly, 5G will extend and expand the reach of remote surgical capability interventions
to meet urgent needs.
So think telesurgical robot platforms capable of being staged further forward, like at a military operating base.
And 5G will also fix network-imposed limitations of telerobotic surgery, such as signal delay.
the ability to have the majority of your healthcare provider services offered in the comfort of your own home with a combination of 5G, AI, edge computing capabilities,
the benefits for those in remote areas could be really extending world-class hospital-like care
into rural areas, remote areas, with services like mobile intensive care units and full labs for
at-home diagnostics. What about the security implications here? Are there concerns on that
side of things? Yeah, to keep this healthcare ecosystem secure and resilient in its entirety,
because this is really an ecosystem, we need to think about more robust security to leverage the benefits of 5G.
So we're talking about labs, healthcare delivery providers, device manufacturers, and healthcare organizations all coming together.
And this is that internet of medical things I mentioned before.
It's all connected, and the proliferation of connected devices and data presents threat actors with new opportunities
to disrupt public health and safety. So there are three pillars that we believe are important
to building a cyber resilient 5G healthcare ecosystem. First, the healthcare community
should follow industry developments closely and prepare to integrate
the new technology. I mentioned in an earlier segment on 5G that now is the time to prepare
to secure the 5G ecosystem while it's in its development. And this is really critical for
healthcare and the healthcare sector to be participating in standards, working groups
to provide the requirements that it needs before the standards
are set. So this is being proactive and maintaining awareness of 5G developments.
And secondly, back to the connected theme, applying integrated cybersecurity and privacy
solutions is critical to securing PHI, sensitive health information, critical healthcare operations.
Applying zero trust here, specifically around least privilege access concepts and
implementing data rights management and encryption, is really important.
We see integrating patient-focused solutions with the network hardware and software needed to support
mission and business priorities. So looking at that user experience and putting data privacy
at the heart of it. And thirdly, healthcare delivery organizations can proactively counter
sophisticated network threats by modernizing and implementing advanced architectures.
We do recommend working with partners who have a deep understanding of network threats
to build hardened infrastructures, protecting against both legacy and 5G vulnerabilities
as they move to adopt 5G.
It's always important to understand where your legacy systems and data might have weaknesses. We also recommend designing an infrastructure
that incorporates new 5G-based resiliency techniques
to protect against failure.
And then we also recommend
implementing strict access controls
and data protection techniques
to protect patients' most sensitive information.
All right, well, lots to unpack there. Thank you for helping us understand it.
Betsy Carmelite, thanks for joining us.
Thanks again, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
If you're looking for something to do this weekend, be sure to check out our episode of Research Saturday
and my conversation with Tudor Dumitraș from the University of Maryland on their research
When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World.
That's Research Saturday. Do check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan. Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.