CyberWire Daily - Name collision. Spawn of LockBit. Quishing the unwary and the hasty. Trends in healthcare cybersecurity. Inquiries surrounding Russia’s hybrid war against Ukraine.

Episode Date: August 29, 2023

Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/164

Selected reading.
What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS (Cisco Talos)
Spain warns of LockBit Locker ransomware phishing attacks (BleepingComputer)
Think Before You Scan: The Rise of QR Codes in Phishing (Trustwave SpiderLabs)
78% of Healthcare Organizations Experienced Cyber Incidents in Past Year, 60% of Which Impacted Patient Care (Claroty)
Polish stock exchange, banks knocked offline by pro-Russian hackers (Cybernews)
Two Men Arrested Following Poland Railway Hacking (SecurityWeek)
Century-old technology hack brought 20 trains to a halt in Poland (Cybernews)
Poland investigates train mishaps for possible Russian connection (Washington Post)
Flight chaos 'to last for days' after air traffic control failure (The Telegraph)
UK flight chaos could last for days, airline passengers warned (the Guardian)
Government can't rule out cyber attack caused air traffic chaos (MSN)
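Added example for the name-collision item above (not code from Cisco Talos, ICANN or the CyberWire): a small offline triage that flags internal hostnames whose rightmost label is a delegated public TLD, and recognizes the "controlled interruption" answer a newly delegated TLD publishes for such names. The delegated-TLD set, the internal hostnames and the DNS answers are constructed sample data; the only facts taken from ICANN's framework are the sentinel address 127.0.53.53 and the your-dns-needs-immediate-attention label.

```python
"""Offline name-collision triage for an internal DNS namespace.

Added example, not code from Cisco Talos, ICANN or the CyberWire. It relies on
two facts from ICANN's Name Collision Occurrence Management Framework: a newly
delegated TLD signals collisions ("controlled interruption") with an A record of
127.0.53.53 and an MX record pointing at your-dns-needs-immediate-attention.<tld>.
Everything else is constructed sample data: the TLD set is a hand-picked subset,
not the live root zone (use https://data.iana.org/TLD/tlds-alpha-by-domain.txt
for a real check), and the DNS answers are made-up (name, type, rdata) tuples
rather than real lookups.
"""
from ipaddress import ip_address

CONTROLLED_INTERRUPTION_IP = ip_address("127.0.53.53")
CONTROLLED_INTERRUPTION_LABEL = "your-dns-needs-immediate-attention"

# Constructed sample of delegated TLDs. All five really are delegated, but the
# root zone has well over a thousand entries, so load the IANA list in practice.
SAMPLE_DELEGATED_TLDS = {"com", "net", "kids", "dev", "cloud"}

# Constructed internal hostnames of the kind an enterprise resolves unqualified.
SAMPLE_INTERNAL_HOSTS = ["sccm.corp", "mail.kids", "fileserver.local", "intranet.dev"]

# Constructed DNS answers as (owner name, record type, rdata). mail.kids shows the
# controlled-interruption shape, intranet.dev resolves to an ordinary (TEST-NET-3)
# address, and the other two are assumed not to resolve publicly at all.
SAMPLE_ANSWERS = {
    "mail.kids": [
        ("mail.kids", "A", "127.0.53.53"),
        ("mail.kids", "MX", "10 your-dns-needs-immediate-attention.kids."),
    ],
    "intranet.dev": [("intranet.dev", "A", "203.0.113.10")],
}


def internal_name_collisions(hostnames, delegated_tlds):
    """Return the hostnames whose rightmost label is a delegated public TLD."""
    hits = []
    for name in hostnames:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) > 1 and labels[-1] in delegated_tlds:
            hits.append(name)
    return hits


def is_controlled_interruption(answers):
    """True if an answer set carries ICANN's controlled-interruption sentinel."""
    for _owner, rtype, rdata in answers:
        if rtype == "A":
            try:
                if ip_address(rdata) == CONTROLLED_INTERRUPTION_IP:
                    return True
            except ValueError:  # malformed rdata is not a sentinel
                continue
        elif rtype in ("MX", "CNAME") and CONTROLLED_INTERRUPTION_LABEL in rdata.lower():
            return True
    return False


def assess(hostname, answers, delegated_tlds):
    """Classify one internal hostname.

    'ok'        rightmost label is not a delegated TLD
    'sentinel'  the TLD is currently warning about this name; fix it before the
                90-day controlled-interruption window closes
    'collision' name ends in a delegated TLD, so whoever controls that name
                publicly can answer for it, as Talos did with .kids
    """
    if not internal_name_collisions([hostname], delegated_tlds):
        return "ok"
    if is_controlled_interruption(answers):
        return "sentinel"
    return "collision"


def run_sample():
    """Assess the constructed sample; returns {hostname: verdict}."""
    return {
        host: assess(host, SAMPLE_ANSWERS.get(host, []), SAMPLE_DELEGATED_TLDS)
        for host in SAMPLE_INTERNAL_HOSTS
    }


if __name__ == "__main__":
    for host, verdict in run_sample().items():
        print(f"{host:18s} {verdict}")
```

For a real audit, swap the sample TLD set for the IANA root-zone list and the answer dictionary for actual lookups of each internal name from outside the corporate resolver. The "collision" verdict is the one that matters after the controlled-interruption window ends: at that point nothing in DNS warns you, and a registrant of the colliding name (as with the .kids case in this episode) silently receives the traffic.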

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in healthcare.
Starting point is 00:02:11 A Russian hacktivist auxiliary hits Polish organizations while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mailbag, and a look at a probably accidental glitch affecting air travel in the UK. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, August 29th, 2023. Cisco Talos researchers this morning described risks posed by DNS name collision, which occurs when the name of an internal network resource overlaps with one used by a public top-level domain, a TLD. One technique the Name Collision Occurrence Management Framework recommends to avoid these collisions is Controlled Interruption, in which a TLD publishes DNS records at the root level to provide information about the domain.
Starting point is 00:03:34 If a network uses an internal name that overlaps with one of these TLDs, it will receive a DNS reply stating, your-dns-needs-immediate-attention.tld. Talos found, for example, that the .kids TLD used a flawed implementation of controlled interruption. Talos says, one critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name your-dns-needs-immediate-attention.tld is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name your-dns-needs-immediate-attention.kids. Talos set up an internet server to log all activity related to this name,
Starting point is 00:04:28 and immediately we received a barrage of HTTP requests from systems running Microsoft's System Center Configuration Manager. Because Talos registered the domain name your-dns-needs-immediate-attention.kids, we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more. Talos contacted the administrators of the .kids TLD, and the issue has since been fixed, but curious and colliding domain names continue to represent a potential problem. The National Police of Spain have warned of a
Starting point is 00:05:13 LockBit Locker ransomware campaign that's targeting Spanish architectural companies, BleepingComputer reports. The attackers are sending phishing emails posing as a photography company that's seeking a cost estimate for a facility renovation. After a brief email conversation with the architecture firm, the threat actors schedule a meeting to discuss the project and send over an archive with documents outlining the proposed renovations. This archive contains a file that will install the ransomware. This is the most recent case of a LockBit infestation, but these have been on the upswing ever since the criminal source code made it possible for opportunists to spawn their own versions of the ransomware. Trustwave's SpiderLabs warns that threat actors are increasingly using QR codes to distribute phishing links.
Starting point is 00:06:06 Many of these attacks impersonate multi-factor authentication prompts from Microsoft and other providers. Trustwave SpiderLabs says, the samples we have observed using this technique are primarily disguised as multi-factor authentication notifications, which lure their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target's desired location, the QR code leads them to the threat actor's phishing page. It's easy, quick, difficult to detect, and plausible. QR codes are in common use, and many of us will follow them without a lot of reflection. Inevitably, the technique of using QR codes as phishbait has got its own name. SpiderLabs calls it quishing.
Starting point is 00:06:52 Is it just us, or do the variants of phishing sound even worse than the original? Smishing for SMS phishbait, now quishing for this. Maybe it's the vague sense that this is onomatopoeia, like the sound something nasty makes when you step on it. Keep that quishing stuff off your digital footprints, friends. Claroty has published a report looking at cybersecurity in the healthcare industry, finding that 78% of respondents experienced at least one cybersecurity incident in the past year. Additionally, the survey found that more than 60% of respondents
Starting point is 00:07:27 reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health and or safety. The financial ramifications mainly fell in the $100,000 to $1 million range, with 26% reporting paying ransoms. Most of these costs were associated with operational downtime, followed by reputational damage, insurance premiums, legal fees, and regulatory fines. Turning to the hybrid war Russia is waging against Ukraine, the action in cyberspace seems to have shifted toward Poland.
Starting point is 00:08:12 NoName057(16) yesterday hit the Warsaw Stock Exchange, the Polish government's trusted profile identity verification service, and five major commercial banks. Cybernews quotes the group's communique as explaining, To express our support to all adequate citizens of Poland who oppose the authorities of their country drowning in Russophobia, our DDoS rocket launchers today are aimed at Polish targets. The attacks were all DDoS incidents, which is consistent with NoName057(16)'s familiar operational pattern. Some of the attacks seem to have been of longer-than-usual duration. As of this morning, the Warsaw Stock Exchange and several of the banks
Starting point is 00:08:52 were still experiencing disruption. Polish authorities have arrested two men, both Polish citizens, in connection with an attack that halted 20 trains in the vicinity of Szczecin, SecurityWeek reports. They used an acoustic tone transmitted over a radio system to issue stop signals. The incident began Friday night and continued, but with minimal effect Saturday and Sunday in other parts of the country. Cybernews says the two men arrested were taken into custody
Starting point is 00:09:24 where they were found in possession of radio equipment. The suspects' ages are given as 24 and 29, but they're not further identified. Polish intelligence services continue to investigate the incident for signs of Russian sabotage. Polish railroads would be attractive sabotage targets. According to the Washington Post, some 80% of Western supplies delivered to Ukraine transit Poland, and much of that is carried by rail. So, motive and probably opportunity point to Russian involvement, but so far no other evidence has been reported. And finally, a technical problem at the UK's National Air Traffic Services yesterday forced the delay or cancellation of hundreds of flights into the United Kingdom, as the loss of automated capability forced controllers to revert to manual methods.
Starting point is 00:10:22 as a number of reports yesterday put it, but flight disruptions have been widespread, even though the problem was identified and corrected yesterday afternoon, it may continue for some time. The Telegraph reports that security sources said the fault appeared to be a genuine technical problem and was not believed to be the work of cyber hackers or a hostile foreign state. That may well be the case. Still, the incident remains under investigation,
Starting point is 00:10:47 and MSN cites unnamed sources in and around the government who think that foreign sabotage can't be entirely ruled out. Speculation, and it's just that, speculation, inevitably points to Russia. May the investigators get to the bottom of it soon and flights return to normal. Coming up after the break, Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mailbag. Stick around. Do you know the status of your compliance controls right now?
Starting point is 00:11:43 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting Vanta when you go to
Starting point is 00:12:28 vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:31 Mr. Security Answer Person. Mr. Security Answer Person. Hi, I'm John Pescatore, Mr. Security Answer Person. A question for today's episode. This month, three news items just caught my eye. One, Microsoft released over 130 patches this month. Two, Chinese hackers compromised Microsoft's cloud email services by stealing a cryptographic key. And three, most illegal use of virtual currencies went down except for ransomware, which went up. Is the world ever going to make any progress in any of these areas?
Starting point is 00:14:14 Oh, dear listener, I think you need a vacation. I did see a happy news item about airfare prices. They've been declining. But of course, later, I also saw several news items that came out about cascading flight delays due to weather across the U.S. and strikes in Europe. The short answer is software engineering is still an oxymoron. Using the cloud still means using software, which still means vulnerabilities, and criminals will always go after vulnerabilities in people and software. My favorite quote about security comes from that famous security analyst, Helen Keller. Ms. Keller, who lost her sight and hearing when she was 19 months old and had near zero communications with the world until she was seven, when a motivated
Starting point is 00:14:56 teacher taught her sign language, you can watch the movie The Miracle Worker to see all about this, she came up with this quote. Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. The fearful are caught as often as the bold. Ms. Keller's quote is very appropriate in relation to the security of software. Software development is still largely a craft versus an engineering discipline. And unfortunately, more pressure is put on the software industry to produce more new products faster than to produce safer products. It is much like the entertainment industry where the products keep coming out and 75% of them are not very good.
Starting point is 00:15:42 No matter how many big stars are in it, how many critics like a film or a TV show, or how many AI engines are used to spew out positive quotes anyway, you run the risk of paying $14 to see a real stinker. The same is true in software. Just the prices are a lot higher. Our job in security is to make those risks tolerable to enable the bold side of business to stay safe and make money while using inherently insecure technologies.
Starting point is 00:16:08 Our industry has many parallels to the pharmaceutical and medical industries. There are a small number of diseases that can be eliminated or nearly eliminated, but there are many, many more where there's just no end game. Vaccines and basic hygiene, however, can bring danger levels down
Starting point is 00:16:23 to socially and economically acceptable ranges. The other angle in our industry is crime, which also never goes away. Banks are still robbed, cars are still stolen, scams still happen. But security controls and basic security hygiene and education allow the motivated not to get caught by the criminals very often. As far as that news about virtual currencies and declining criminal use, I'm going to skew a bit old here. But I'm really sure that tulip-related crime
Starting point is 00:16:52 saw a similar downswing after the tulip bubble burst in 1637. Of course, the value of cryptocurrencies used illicitly has gone down because the value of cryptocurrencies has gone down. The values of virtual currencies and the valuation of startups that were based on the use of virtual currencies have plummeted in recent months. So obviously criminal use has dropped. But in ransomware, there's still too many targets. There's way too many targets of opportunity for small companies
Starting point is 00:17:19 and large for that crime to go away. In fact, what we've seen here recently is some very big targets have once again been hit and once again paid for ransomware via cryptocurrencies. This tells us we still need to prioritize moving to two-factor authentication to defeat phishing and continuing security awareness to lower the odds that users will fall for scams. Add in basic security hygiene and we can enable the bold to confront dangerous markets and minimize risk, which is why they pay us the big bucks. Every new wave of technology will bring business opportunities along with vulnerabilities that criminals will exploit or well-meaning IT administrators will expose. If you want to see an entertaining show, by the way, about the next wave of all that, I'll leave you with this. Watch episode one of season six of The Black Mirror
Starting point is 00:18:04 on Netflix, an episode called Joan is Awful. Get back to me after you've seen that. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. Mr. Security Answer Person. Mr. Security Answer Person. Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions at thecyberwire.com. And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security
Starting point is 00:18:59 and also my co-host over on the Caveat podcast. Hey, Ben. Hello, Dave. So, interesting article from the folks over at Fortune. This is written by Leo Schwartz, and it's titled, In a first, the SEC says NFTs sold by an LA-based entertainment firm are securities. Here's how that could ripple throughout the industry.
Starting point is 00:19:18 What's going on here, Ben? This is really interesting. So, for the first time, the Securities and Exchange Commission in Washington, D.C. has charged this entertainment company called Impact Theory with conducting an unregistered offering of securities via these non-fungible tokens. I'm not an owner of NFTs myself. I think they're kind of silly. Oh, come on, Ben.
Starting point is 00:19:42 Where's your sense of adventure? I know, I know. But a lot of people have them and see them as real assets. Right. The issue here is what is under the purview of regulation from the Securities and Exchange Commission. Obviously, owners of any asset, including things like collectibles, don't want to be under the watchful eye of the Securities and Exchange Commission. That's bad. You're being regulated. It's probably going to end up costing you some money and taxes and fees.
Starting point is 00:20:09 Okay. And also, when you're under the watchful eye of regulators, you're less likely to be able to get away with nefarious business practices. So say, for example, I have my collection of priceless artwork or my collection of priceless Beanie Babies. Either of those things are outside of the SEC's jurisdiction, and I want to keep it that way. Yes, exactly.
Starting point is 00:20:30 So courts across the country have found repeatedly that things like that, consumer goods, art, collectibles, like baseball, basketball cards, those are not securities under federal law. Okay. What this judge is saying for the first time is that when you're talking about something like art or baseball cards, the value would be unaffected if those producers went out of business. So a piece of art is still valuable even after Michelangelo dies or whatever.
Starting point is 00:20:58 With NFTs, when the developer is managing the blockchain technology behind a collection, the value could be intertwined with the success of the company. So it's more intertwined with a company rather than just an individual that has given worth to that object. And that's just kind of the nature of NFTs and blockchain technology. This is really groundbreaking. I think this is going to change the market for NFTs. One of the benefits of having NFTs as an asset was being outside the regulation of the SEC. And if the reasoning of this case is adopted, and I think it's reasonably
Starting point is 00:21:37 compelling, then that's going to remove that advantage as an asset. And you might just want to go back to collecting baseball cards instead of these non-fungible tokens. Or playing the stock market. Exactly. Right. Yeah, it's interesting. This article points out that Impact Theory, they did not admit or deny the SEC's allegations, but they did agree to a cease and desist order. And they're paying $6.1 million in fines, in disgorgement, prejudgment interest, and a civil penalty. Can you unpack that for me? What does that mean, Ben? Sure.
Starting point is 00:22:10 So basically, without acknowledging that NFTs deserve to be under the protection or the watchful eye of the SEC, they made the case go away by paying a bunch of fines to the agency and returning money to the investors that purchased these NFTs. So it was a way to settle the case without setting any precedent on behalf of the company or without the company hurting itself in future litigation by admitting that these NFTs should be regulated or deserve to be regulated by the SEC. I should note that there
Starting point is 00:22:45 was some dissenting opinions on the commission, which we don't frequently see. Most of their decisions are unanimous. And they wrote a statement saying that they disagreed with the application of the relevant Supreme Court precedent called the Howey Test, which determines whether assets are considered securities. And what they argue, these dissenters argued, is that NFTs did not represent shares in a company or produce any type of dividend. It's funny because if you follow that to its logical conclusion, then a company like the one we're discussing here would be out of business because it would be seen as not a valuable investment if it didn't provide some type of dividends.
Starting point is 00:23:27 So I think the companies that are selling these are kind of caught between a rock and a hard place. You need to maintain that these assets are profitable and that it's a worthy investment without having it meet those categories that puts it under SEC jurisdiction. So it's just kind of an interesting game that these companies have to play. If I'm a different company in the NFT business, this surely has my attention.
Starting point is 00:23:50 Absolutely. I think because this is a novel case and the first of its kind, I think it could have a ripple effect of affecting how these companies do business, how they structure some of their transactions. Absolutely. All right. Well, again, this is an article from Fortune written by Leo Schwartz. Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:24:30 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. This episode is brought to you by RBC Student Banking. Here's an RBC student offer that turns a feel-good moment into a feel-great moment. Students, get $100 when you open a no-monthly-fee RBC Advantage Banking account
Starting point is 00:25:15 and we'll give another $100 to a charity of your choice. This great perk and more, only at RBC. Visit rbc.com slash get 100, give 100. Conditions apply. Ends January 31st, 2025. Complete offer eligibility criteria by March 31st, 2025. Choose one of five eligible charities. Up to $500,000 in total contributions.
Starting point is 00:25:40 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. Thank you. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com.
Starting point is 00:26:35 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:27:44 That's ai.domo.com.
