CyberWire Daily - Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware.
Episode Date: August 31, 2022

Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database. Organizing a cyber militia. CISA releases twelve ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing "the big one." Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. "Cosplaying" hardware. And Canada welcomes a new SIGINT boss.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/168

Selected reading.
- Chrome extensions with 1.4 million installs steal browsing data (BleepingComputer)
- Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users (McAfee Blog)
- Police investigate electronic theft of federal funds (City of Lexington)
- FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft (The Record by Recorded Future)
- Russian hackers blamed for ongoing Montenegro cyberattack (Tech Monitor)
- "For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens." (Cyber Partisans)
- Inside the IT Army of Ukraine, 'A Hub for Digital Resistance' (The Record by Recorded Future)
- Ukraine takes down cybercrime group hitting crypto fraud victims (BleepingComputer)
- Hitachi Energy FACTS Control Platform (FCP) Product (CISA)
- Hitachi Energy Gateway Station (GWS) Product (CISA)
- Hitachi Energy MSM Product (CISA)
- Hitachi Energy RTU500 series (CISA)
- Fuji Electric D300win (CISA)
- Honeywell ControlEdge (CISA)
- Honeywell Experion LX (CISA)
- Honeywell Trend Controls Inter-Controller Protocol (CISA)
- Omron CX-Programmer (CISA)
- PTC Kepware KEPServerEX (CISA)
- Sensormatic Electronics iSTAR (CISA)
- Mitsubishi Electric GT SoftGOT2000 (CISA)
- Walmart Sells Fake 30TB Hard Drive That's Actually Two Small SD Cards in a Trench Coat (Vice)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Chrome extensions steal browser data.
A business email compromise attack is under investigation in Kentucky.
Belarusian Cyber Partisans claim to have a complete Belarusian passport database.
Organizing a cyber militia. CISA releases 12 ICS security advisories.
Our guest is Asaf Kochan of Sentra on overemphasizing "the big one."
"Cosplaying" hardware. And Canada welcomes a new SIGINT boss.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 31st, 2022.
Researchers at McAfee have found five cookie-stuffing Chrome extensions
that together have almost a million and a half users.
The extensions are Netflix Party, Netflix Party 2,
Full Page Screenshot Capture, FlipShope,
and finally, AutoBuy Flash Sales.
Bleeping Computer reports that two of the extensions,
the Netflix-branded apps, have been removed from Google Play.
At the time of their writing, the other three remain online.
And as McAfee points out, an app's having a large install base is no guarantee that it's benign.
The Lexington, Kentucky Police Financial Crimes Unit
is investigating the electronic theft of approximately $4 million in federal rent assistance and transitional housing funds, the city announced.
The Record says the FBI and Secret Service have been brought in to assist with the investigation.
Lexington's description of the theft indicates that it was a business email compromise caper.
The city's statement said,
Police believe a person or persons outside the government
directed an electronic
funds transfer into a private account. The transfer was originally intended for Community Action
Council. Initial information shows no criminal involvement of city or Community Action Council
employees. Lexington's financial system wasn't compromised, but city employees were tricked
into sending
the funds into what proved to be a private bank account.
That account has since been frozen by the financial institution that holds it.
Montenegro's government continues to attribute a widespread cyberattack that began on August
22 to Russia.
The attribution is in part based on a perceived Russian motive. Montenegro has supported
Ukraine during Russia's war, and Moscow has designated the country as hostile. Tech Monitor
reports that Montenegrin Defense Minister Raško Konjević asked rhetorically, who could have some
kind of political interest in inflicting such damage on Montenegro? And he gave the obvious answer:
I think there is enough evidence to suspect that Russia is behind the attack.
Open sources are short on details concerning the tools used in the campaign,
but Mr. Konjević says the malware used doesn't come cheap.
It's listed in dark web markets at between $100,000 and $2.5 million.
Montenegrin authorities say recovery is in progress. Maraš Dukaj, the country's minister
of public administration, told a press conference, the damage is being repaired and we are assessing
its extent. The system will suffer no lasting effects. A huge amount of money was invested in
this attack on our system. The Belarusian Cyber Partisans, a dissident group opposed to the
continued rule of President Lukashenko, claimed yesterday to have obtained a complete database of
all Belarusian passports. They described their caper like this. For the first time in human
history, a hacktivist collective obtained passport information for all of a country's citizens.
Now we're offering you an opportunity to become part of this history.
Get a unique digital version of Lukashenko's passport as an NFT.
OpenSea has since taken down the passports.
The cyberpartisans elaborate on their motives, stating,
The dictator has a birthday today. Help us ruin it for him. Get our work of art today.
Belarus has been a close cooperating ally of Russia in its war against Ukraine,
lending its territory to staging Russian forces and launching Russian missile strikes.
Cybersecurity experts in many countries have long speculated about how effective cyber
reserve forces might be prepared and mobilized.
Ukraine's IT army may provide a model, a middle ground between loosely inspired hacktivism
and highly structured military reserve forces.
Recorded Future has an interview with a self-described high-ranking member of the force
in which that official describes how the IT Army has evolved
and how it's serving in the current war.
The IT Army is directed by a core group of about 25 cyber professionals
and it's evolved along the lines of a startup corporation.
Building trust has been a challenge,
as has compartmentalizing operations to minimize the effects of any penetration
by Russian intelligence services.
The group is most proud of certain operations inside Russia,
about which the IT admin declined to provide details,
and believes the pressure it's maintained on Russian networks
and the operators who secure them has contributed to Russia's failure to mount successful
large-scale cyber attacks against Ukrainian infrastructure.
Not all unofficial cyber activity in Ukraine is benign.
The country's cyber gangs have continued to operate, even in wartime.
Bleeping Computer reports that Ukrainian authorities have dismantled a network of call centers
a cyber gang used for financial scams.
Among the tactics were targeting known victims of cryptocurrency scams
and dangling the prospect of helping recover stolen funds.
The National Police of Ukraine said in their announcement of the operation,
the organizers used high-tech equipment and software which allows them to change the telephone numbers of the attackers to the numbers of state banking institutions. If convicted,
those arrested and charged face up to 12 years in prison. Most of the victims were in Ukraine
or the European Union. The U.S. Cybersecurity and Infrastructure Security Agency yesterday released 12 industrial control system advisories
for Hitachi Energy, Fuji Electric, Honeywell, PTC Kepware, Sensormatic, and Mitsubishi Electric products.
If you run an operation using these systems, go to cisa.gov for the details.
We'd like to give credit to Vice for the funniest description of a hardware scam we've seen in a long time. Researcher Ray Redacted thought that
a 30-terabyte hard drive selling for the low, low price of just $17.99 was just too much of a bargain
for plausibility. So he bought one, opened it up,
and found a couple of SD cards hot-glued down
and misreporting themselves as being, sure, for real, a 30-terabyte device.
Vice's deadpan Motherboard headline called it like this:
Walmart sells fake 30-terabyte hard drive
that's actually two small SD cards in a trench coat.
The author, Joseph Cox, summarized what the researcher discovered.
Sure enough, he found what amounted to a different item cosplaying as a big SSD.
A serious note for consumers: Walmart, like Amazon, operates in part as a marketplace in which third-party vendors sell their wares. Once Walmart was notified,
the retailer promptly ejected the Hans & Franz hardware from its e-commerce site.
And finally, Shelly Bruce, the head of Canada's Communications Security Establishment,
is retiring after 33 years with the organization. She began her career with the CSE late in the Cold War
and has worked through the shifting missions and priorities the CSE has faced since then
as the leader of one of the Five Eyes intelligence services. She was responsible for launching the
Canadian Centre for Cyber Security, which is on the front line against cyber threats facing the
country. We wish her well as she moves on to the next stage
of what we're sure will be an interesting and productive career. And we greet her successor,
Caroline Xavier. Welcome, and we wish Director Xavier all success.
Coming up after the break, my conversation with Asaf Kochan of Sentra on overemphasizing the
big one, and Carole Theriault cautions against getting ahead of yourself
in the cryptocurrency supply chain.
Stay with us.
Asaf Kochan is CEO and co-founder of cloud security
company Sentra. He believes that many firms take a large-scale approach to security by concentrating
on preventing the big one, rather than taking into account which
assets are vital and which assets aren't, making it difficult to limit the consequences of a breach
when it happens. The main point I'm stressing has to do with the fact that most security tools today
are still in the paradigm of the on-prem.
They're trying to protect the perimeter, the network, the access level, endpoints.
But at the same time, most of them are data agnostic.
They don't look at data as a layer of security.
And basically, you have kind of a strange environment
whereby everyone's protecting the museum,
but no one really is dealing with protecting the art
because no one understands.
Once within your environment,
no one really understands where the valuable assets are.
Taking it forward, a lot of the organizations today
kind of are, you know, you hear about the big events
and they're pretty much focused on the big cyber breaches.
My claim, and it's based upon my knowledge and my experience,
I was head of Unit 8200, which is the Israeli NSA,
a terrific, very vibrant and cutting-edge technological unit.
So based on my experience, every big breach, when you look into it and you study it,
happens in an environment whereby there were many little breaches.
And it just doesn't happen one day.
And when you look at the small breaches
or the medium breaches,
which some organizations tend to ignore
and they don't really like to publish it,
usually there's a history of breaches
once there's a big breach.
And my claim is that you have to focus
on reducing your attack surface
and reducing the small breaches
because eventually dealing with a lot of small events
reduces and makes the chance of you
encountering a major event much smaller.
And once you encounter an event,
your ability to mitigate it, survive it,
and continue your functionality is much higher. So this is in a nutshell. I hope I was clear.
Yeah. Well, how do you recommend organizations dial that in? I mean, the balance between focusing
on the smaller things, but still being resilient if
the big one happens. Yeah. So my key recommendation would be to play the if game and to assume that
you're going to be breached and to tell the story and to run the story forward. And once you run the story forward,
you must understand where your key assets are
and pre-position yourself.
And this is kind of a play game,
which is much different than the way most organizations act.
Most organizations will basically deal with prevention,
and they won't go and tell the if story.
And here the data layer has a significant meaning because in the cloud environment,
the way I see cloud,
cloud is a platform to unlock the potential of data.
This is the gist of the cloud.
And in the cloud environment,
it's extremely easy to duplicate data,
to create data, to create access to data.
The elasticity gives you amazing potential when it comes to unlocking this potential.
And in the cloud environment, a key piece here is to understand your data posture and understand where your sensitive assets are.
Once you have this understanding, you can position yourself much more effectively.
So this is in a nutshell.
Yeah.
How should folks go about protecting those sensitive assets? I mean, I'm thinking in a cloud environment,
as you mentioned, it's easy to duplicate things.
How do you keep track of things proliferating
throughout your cloud environment?
First of all, it's not a bug.
It's a feature.
You want data to proliferate within your cloud environment
because you want democratization of data.
You want the business to enjoy the great potential of data.
You want engineers to access data in order to create amazing products.
So starting with that, it's a feature you want to advocate for.
And basically the idea here is when it comes to data,
you want to bring the different stakeholders together
into one place where you see the truth about the data.
You want to bring the security teams, you want to bring the compliance, the legal teams, the engineers, and some of the business together.
And today there's no real platform to bring this single source of truth and to kind of bring these teams together in order to collaborate
when it comes to protecting data and making sure you can continue with the democratization
of data.
And my claim is that it's a huge opportunity for security teams to go into this space.
That's Asaf Kochan from Sentra.
Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. So recently I was checking out Bitcoin's latest valuation.
And I looked at it over the last five years.
And there's something rather interesting.
The price of Bitcoin started to skyrocket when most of us were in some form of lockdown.
And then lo and behold,
now that many of us are back in the mix of living and things, the price plummets to its lowest value since the early days of the pandemic. Whether this is a coinky-dink or an actual something that can
be corroborated, I have no idea. But the one thing I do know is that cryptocurrency isn't going away. Every day
we have media and pundits natter about all things crypto all of the time. I mean, as a person who
has dabbled in tech journalism, the cryptocurrency world just keeps on giving. It's rich pickings
when you get a focus on a new and volatile tech concept, especially one which has such incredible winners and pitiful losers.
And one of the big fails, aside from the crashing stock valuation of the cryptocurrency godmother Bitcoin, is the questionable resilience of the ecosystem that supports it.
So we're talking the tools, utilities for storing and converting and
otherwise managing all that cryptocurrency. In order to get into the market fast, you have to
develop your products and services at breakneck speed, right? And we all know what happens when
you run before you can walk, especially in security terms, you can trip up. Because when you trip up on security,
it can be worse than a broken front tooth or a skinned knee. In the first six months of this
year, we've already seen some ghastly crypto hacks. Like in February, attackers exploited a
flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole's Ethereum variant.
And at the end of March, North Korea's Lazarus Group memorably stole what at the time was $540 million worth of Ethereum
and USDC stablecoin from the popular Ronin blockchain bridge.
You know, it's so funny to consider
that these words meant absolutely nothing five years ago. And April, attackers targeted the
stablecoin protocol Beanstalk, granting themselves a flash loan to steal about $182 million worth of
cryptocurrency. Obviously, again, valued at the time. And this is just a teeny tiny
selection of the crazy number of hacks out there involving cryptocurrencies. But this was the
question I was asking myself. You ready? With the most popular cryptocurrency having shed about 70%
of its value since it hit its all-time high of roughly
$69,000 in November last year, and with the overall market capitalization of crypto assets
having dropped to less than $1 trillion from its November 2021 peak of $3 trillion,
are hackers going to lose interest in crypto because the money is drying up?
Or are the pickings just too rich with a market full of insecure products?
Your guess is as good as mine.
But I would say that in my experience, hackers tend to go where the money is.
And if the money's drying up, one can't help but wonder what their next target's going to be.
This was Carole Theriault for The Cyber Wire.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Thanks for listening. We'll see you back here tomorrow.