CyberWire Daily - Iranian officials blame the US and Israel for gas station cyber sabotage. A new direction for NSO? Cyber extortion, Minecraft phishing, and sugar daddies looking for sugar babies (sez they).
Episode Date: November 1, 2021

Iran hasn't finished investigating its gas station cyber sabotage, but Tehran is pretty sure the Great and Lesser Satans are behind it. NSO Group says it's going in a new, nicer direction. The Conti gang hits a luxury jewelry dealer, and another, unknown group hits an upscale art dealership. The Chaos gang is after Minecraft players (players who cheat). Caleb Barlow on pre-breach pre-approvals. Rick Howard introduces sand tables in cyberspace. And sugar daddies come to the world of advance fee scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/210 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Iran hasn't finished investigating its gas station cyber sabotage.
NSO Group says it's going in a new, nicer direction.
The Conti gang hits a luxury jewelry dealer,
and another unknown group hits an upscale art dealership.
The Chaos Gang is after Minecraft players, players who cheat.
Caleb Barlow on pre-breach pre-approvals.
Rick Howard introduces sand tables in cyberspace,
and sugar daddies come to the world of advance fee scams.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
November 1st, 2021.
Reuters and others report that Iranian officials have begun to fix blame for the
nominally hacktivist attack that's afflicted
the country's gasoline stations since last week. Iran's head of civil defense said Saturday,
"We are still unable to say forensically, but analytically I believe it was carried out by
the Zionist regime, the Americans and their agents." The attribution seems so far to be based more on
a priori probability than on, as the civil defense chief says, forensics. The motive of the attack is
still believed in Tehran to be disruption and the fomenting of unrest and dissatisfaction.
According to the Tehran Times, the country's intelligence minister said the investigation
is still in progress
and that full details will be disclosed once it's complete.
The intelligence minister said, quote,
"Complete information obtained from this cyber attack will be made available to the public
because what is related to the health, security, and welfare of the people must be made available to them
and the officials consider informing the public in a timely
manner as their duty." Tehran counts on the vigilance and support of the people and their
interest in the homeland and the system to counter and contain any further cyber attacks the country
may sustain.
NSO Group, best known for its Pegasus intercept tool, whose sale to and abuse by repressive governments has drawn criticism and provoked controversy,
has shaken up its leadership.
The company says its new strategic direction will include analytics and defensive cyber.
Cyber criminals have hit two upscale brands with extortion attacks.
The threat in both cases appears to be that of doxing, of releasing private information online.
In the first case, Sky News reports that the Russian Conti gang has begun doxing customers,
tycoons and celebrities, as Sky describes them, of the luxury jewelry brand Graff.
The gang wants a large payment in exchange for a promise not to release more information.
What's out so far seems relatively anodyne,
mostly names and addresses that are already in the public domain,
but Conti promises worse to come.
"If you are a client" (that is, if you're a crime victim; client is Conti's cynical hoodspeak for victim) "who declined the deal" (and deal is Conti's cynical hoodspeak for extortion demand) "and did not find
your data on the cartel's website or did not find valuable files, this does not mean that we forgot
about you. It only means that data was sold and only therefore it did not publish in free access."
The emphasis is in the original that security firm Malwarebytes quotes in their discussion of the incident.
Graff's comment on the incident doesn't disclose much about the nature of the attack,
and in particular it doesn't say whether data were encrypted and stolen or merely stolen.
The firm has notified the Information Commissioner's Office, which is opening an
investigation. The second high-end cyber attack comes from the art world. The MCH Group says its
high-end art dealer subsidiary, Art Basel, has also sustained a criminal data breach.
MCH describes the current state of affairs on its corporate website,
quote, "We are working to get all our systems and services fully operational again as soon as possible.
The most important internal and external communication channels are ensured.
The staging of the planned events is guaranteed.
Unfortunately, the available information and analyses indicate
that the perpetrators have nevertheless succeeded in gaining access to data
that contains personal data, such as contact details, of customers, partners, and employees
of the MCH group. Currently, the existing traces are being evaluated in cooperation with cybersecurity
experts." End quote. In this case, the perpetrators are so far unknown, although the attack hit back in October.
The data at risk appears again to be contact information for Art Basel companies.
MCH Group, which appears determined not to pay the ransom demanded, offers customers who may have been affected by the breach some sensible advice.
The first recommendation is to warn against the risks of password reuse.
Change your MCH passwords to be sure, and if you've used your password elsewhere,
change it there as well. The second recommendation is a warning against the use of breached
information in subsequent phishing attacks. Quote, "We also recommend that you exercise caution when
dealing with unknown contacts,
such as if you are contacted by third parties by email or telephone,
who, for example, represent themselves as your bank, internet provider, or insurance company,
and use personal details to gain your trust."
End quote.
As always, sensible, skeptical common sense is to be applied.
Fortinet reports that the Chaos ransomware gang,
generally believed to operate from China,
is targeting Minecraft gamers in Japan.
Not to blame the victim here,
but we note that the malware hook is hidden in fish bait
that purports to contain stolen game credentials
which no honest player should touch.
And finally, to turn to another activity
you should probably avoid, security firm Avast has a warning out about a new scam. People are
getting contacted over social media with pitches that read something like this:
"Hey, my name is Walker and I'm looking for a sugar baby. I would like to pay you 1500 euro weekly." So hop to it, ladies,
or actually don't. It's just a hoary old advance fee scam, a riff on the familiar "I am the widow of the late Nigerian prince" come-on. Should you pursue it a bit, as Avast did,
you might ask Walker if he's legit. Walker told Avast that, "I need a companionship, someone I can talk to online."
When Avast replies, "Ah, okay, how do I know it's not a scam?" Walker simply texts back,
"100% safe." Hey, if you can't trust a sugar daddy, who can you trust in the Vale of Tears?
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their
families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it's always a pleasure to welcome back to the show my colleague Rick Howard.
He is the CyberWire's chief security officer, also our chief analyst, but more important than that, he is the host of the CSO Perspectives podcast, part of CyberWire Pro.
Rick, welcome back.
Thanks, Dave.
You are introducing a new segment this week, and it's something called the Cyberspace Sand Table Series. What's going on
here? Well, I was just thinking, are you inspired by Dune that just came out in the movie theater?
You're doing sand tables. What's the story here? I wish I would have thought of that, but yeah,
I'm definitely going to be inspired by Dune, but maybe not. So a few weeks ago, I was watching a program on Tom Brady.
Now he's for the non-sports aficionados out there. He's the famous NFL quarterback from Tampa Bay.
And Dave, if your audience has been listening to you and me talking for the last few months,
they know that we don't typically talk about sports things, right, when we're going around, right?
I don't think either one of, well, I know for me anyway, I am not a sports ball aficionado for sure.
Yeah, so like you and me are more likely to talk about show tunes or superhero movies or, you know.
The important things, right.
Yeah, yeah.
My favorite topic is how I routinely get killed by seven-year-olds in my Fortnite video game, right? But I can appreciate a sports figure who's doing something really good. And, you know, I watch the Olympics, so I have some affection for those guys.
exceptional. He's won seven Super Bowls out of 10 tries while playing on two different teams.
And for the old folks out there, he's 44 years old. Now, I'm not a sports fan, like I said,
but I'm rooting for the old guy, you know, just on general principles. I'm not saying I'm old.
I'm just saying. I'm with you. I'm with you. Yeah. So I'm watching the show on Brady, and you learn pretty quickly that he spends a lot of time reviewing game film on his opponents, not just a couple of hours a week, but every day for hours, so that he can learn to pick apart the defense on the game he's going to play in the following week.
And I realize that our community, the Network Defender community, doesn't really have an equivalent version of reviewing game film,
and maybe we should. Okay, I think I know where you may be headed with this. So,
why are you calling it the Cyberspace Sand Table Series? So, as you know, I'm an old army guy, and when my commanders tried to teach us tactics, either offense or defense, at some point in the process, they would either gather everybody around a patch of dirt or a fancy box with sand in it.
That's the sand table, right? And they put sticks and rocks in it to represent both sides and go
over a famous battle, like, you know, the Battle of Gettysburg or something during the U.S. Civil
War. And so by watching a physical model of the battle, you could more
easily see mistakes made by commanders on the ground. And after watching the Tom Brady show,
I realized that sand tables were the military's version of game film.
Okay. All right. I'm with you. So for your next CSO Perspectives show,
what famous cyber battle are you going to cover?
So for this first one in the series, I'm going to
cover one of my favorite cyber battles, the 2016 Russian cyber attacks against the U.S. Democratic
National Committee. And it's one of my favorites because we have a lot of information about it.
There's lots of, you know, public information about what actually happened. So during the show,
we're going to talk about what the Russians did and what the Americans did and then the impact of all of that and bring in this whole conversation full circle.
We're going to engage in some Monday morning quarterbacking about what the DNC should have done to prevent those attacks.
All right.
Well, it sounds like fun.
And again, that is part of CSO Perspectives, which is part of CyberWire Pro.
You can find out all about that
on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by our Cyber Wire contributor, Caleb Barlow.
Caleb, always great to have you back.
I want to touch today on this notion of pre-approval, sort of doing the hard work before you get breached so that when you get breached,
and I think it's fair to say when you get breached, you're ready to go, right?
What are some of the considerations here?
Well, I stole this concept from one of my favorite CISOs,
and I won't embarrass him by mentioning who it is here, but, I mean, this guy's got his act together.
And one of the things that he did that I think is just absolutely brilliant is, you know, you're breached.
You need resources,
you need money, you need lawyers, you need outside counsel, and time is of the essence.
This guy got it all pre-approved. And I just, as simple as it sounds, I'm like,
that's absolutely brilliant. So a few things to think about, right? Go in and lay out a bunch
of different incidents of magnitude, from a, you know, a level two incident, maybe, you know, there's malware on a couple of machines, but you, you know, you closed it down quickly, to a, you know, maybe something that impacts your network, to something more catastrophic, where large portions of the company are down and it's public knowledge.
Pre-approve a budget for incidents of each of those magnitudes so that if they occur, you do not need
to go track anybody down. You already have budget. You can immediately start spending money. And in
some cases, depending on how financial systems work at your company, I've even seen people get
credit cards, you know, what they call an event card, where these cards are ready to go. You can
basically, you know, keep them at the bottom of your desk.
You pull them out, they're ready to go.
They got $50,000 on them and you can move.
Just a great concept.
I can imagine some of the powers that be at a company
saying, well, hold on here a second.
I'm paying you to prevent this from happening.
Is there an educational process
that's part of this as well?
There is, because remember, when a breach occurs, it's too late to prevent it from happening. You're
already right at the boom. Now it's about mitigating the damage. And the faster you can
move, the faster you can bring resources to bear, the faster you can get your production, your
systems, your hospital, whatever it is, back online. So in a lot of ways, what this is about
is being able to move quickly to reduce that blast radius.
And it's not just pre-approving financial systems.
Let's also pre-approve our communications.
What are you going to say?
Let's get all those things, you know, because let's face it,
most security incidents, you could write today
what you're going to say.
We experienced an incident. We're investigating.
We'll be back to you shortly with more information.
Great.
Get that pre-approved by marketing and legal so that it's on the shelf ready to go, and you're not one of these companies that's totally silent for three weeks on what's happening.
How much is this part of your overall incident response plan?
Is it rolled into that, or is it its own separate
thing or do they fuzz together? How does all that work? I think it should be totally rolled into it.
And now here's the big one that people really struggle with. Who's going to make the decisions?
And the wrong answer is it's the CEO or the big boss. Because guess what? They're on a plane to
Australia for the next 12 hours, right?
You have to make decisions with the people in the room.
And you have to pre-approve who gets to make the decision.
Now, my favorite question to ask people always is,
if you had a devastating ransomware incident,
your company was totally down, would you pay the ransom?
And of course, they all say no.
No, we'd never pay it.
Okay, well, let's just pretend you really had to.
Who would make that call?
I don't know.
Okay, where would you get the money?
How are you going to get a quarter million dollars in Bitcoin by 3 o'clock this afternoon?
I don't know.
You got to go through that exercise because as much as nobody ever wants to pay the ransomware operators, and by the way, I don't want you to pay either.
We've talked about that many times on the Cyber Wire.
But at least think about who's going to make that really tough decision.
Who's going to make the decision to shut down production or disconnect you from the internet?
You got to decide that ahead of time, because let me tell you, if you've got five executives in a room staring at each other, nobody wants to be the one making that decision.
Hmm. Okay. So I suppose you could label it a responsibility, perhaps a burden; would it
go too far to say privilege? Security decisions are always a privilege. That's why we're security
professionals, Dave. Fair enough. Yeah. I mean, but seriously, it requires a level of intestinal
fortitude to realize that you're in crisis decision-making mode. And the best way to
facilitate that is to get these permissions down ahead of time. So when it hits the fan,
executives are comfortable making those decisions and they're not waiting around to do it.
Right. It's one less thing to think about.
That's right.
All right. Well, Caleb Barlow, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy
Old Geeks where all the fine podcasts are listed, and check out the Recorded Future podcast, which
I also host. The subject there is threat intelligence, and every week we talk to
interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.