CyberWire Daily - Novel attacks and creative phishing angles.
Episode Date: November 25, 2024

APT28 uses a novel technique to breach organizations via nearby WiFi networks. Your Apple ID is (not) suspended. UK highlighting Russian threats at NATO Cyber Defence Conference. US senators request an audit of TSA's facial recognition technology. Supply chain software company sustains ransomware attack. Critical QNAP vulnerability could allow remote code execution. Outdated Avast Anti-Rootkit driver exploited. No more internet rabbit holes for China. Guest Lesley Carhart from Dragos on "The Shifting Landscape of OT Incident Response." Stop & Shop turns cyber oops into coffee and cookies.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Lesley Carhart, Technical Director at Dragos, speaking with Dave Bittner about "The Shifting Landscape of OT Incident Response." You can find the blog here.

Selected Reading
Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack (SecurityWeek)
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access (Volexity)
New Warning For 2 Billion iPhone, iPad, Mac Users—Your Apple ID Is Suspended (Forbes)
Russia plotting to use AI to enhance cyber-attacks against UK, minister will warn (The Guardian)
Britain, NATO must stay ahead in 'new AI arms race', says UK minister (Reuters)
Senators call for audit of TSA's facial recognition tech as use expands in airports (The Record)
Blue Yonder ransomware attack disrupts supply chains across UK and US (Tech Monitor)
Critical QNAP Vulnerability Let Attackers Execute Remote Code (Cyber Security News)
Malware campaign abused flawed Avast Anti-Rootkit driver (Security Affairs)
When Guardians Become Predators: How Malware Corrupts the Protectors (Trellix report)
Imagine a land where algorithms don't ruin the Internet (The Register)
Stop & Shop recovers from 'cybersecurity issue,' will give out free food, coffee (WTNH)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
APT28 uses a novel technique to breach organizations via nearby Wi-Fi networks.
Your Apple ID is not suspended.
UK highlighting Russian threats at the NATO Cyber Defense Conference.
U.S. senators request an audit of TSA's facial recognition technology.
Supply chain software company sustains ransomware attack.
Critical QNAP vulnerability could allow remote code execution.
Outdated Avast anti-rootkit driver exploited.
No more internet rabbit holes for China.
Guest Lesley Carhart from Dragos on the shifting landscape of OT incident response.
And Stop & Shop turns cyber-oops into coffee and cookies.
Today is November 25th, 2024. I'm Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner, and this is your Cyber Wire Intel Briefing.
In early 2022, cybersecurity firm Volexity uncovered a sophisticated cyber espionage campaign in close physical proximity to their primary target, referred to as Organization A. After obtaining valid credentials through password-spraying attacks, the attackers faced multi-factor authentication barriers on Organization A's public-facing services. So, to circumvent this, they infiltrated a neighboring entity, Organization B, and exploited a dual-homed system connected via Ethernet and Wi-Fi. By leveraging the system's Wi-Fi adapter, they accessed Organization A's enterprise Wi-Fi network, effectively bridging the gap without physical presence. Further investigation revealed that the attackers had also compromised a third nearby organization, Organization C, using similar tactics. And this method allowed APT28 to infiltrate their target's network remotely, highlighting the need for robust Wi-Fi security measures and vigilance against such innovative attack vectors.

As Black Friday approaches, scammers are out there looking for every angle to get into your wallet. A recent phishing scam is targeting Apple users, with emails falsely claiming that their Apple ID has been suspended. This attack is highly believable, and at a time when consumers are out there feeling that time is short to get their best deal, they may be tricked into action. These deceptive messages aim to deceive recipients into providing personal information or clicking malicious links. Apple warns that users need to protect themselves and be cautious of unsolicited emails, especially those requesting sensitive data or urging immediate action. Always verify the authenticity of such communications by contacting Apple directly through official channels.

On November 25th, 2024, UK Cabinet Office Minister Pat McFadden addressed the NATO Cyber Defense Conference in London, highlighting the escalating cyber threats posed by Russia. He emphasized that Russian cyber criminals are increasingly targeting nations supporting Ukraine, utilizing advanced technologies like artificial intelligence to enhance their attacks. To counter these threats, McFadden announced the establishment of the Laboratory for AI Security Research, backed by an initial 8.22 million pound investment. This initiative aims to develop sophisticated cyber defense tools and to promote intelligence sharing amongst NATO allies. McFadden underscored the necessity for NATO and its members to remain vigilant and proactive in the evolving AI arms race, ensuring robust defenses against potential cyber attacks on critical infrastructure.
A bipartisan group of U.S. senators last week sent a letter to the Department of Homeland Security's inspector general requesting an audit of the Transportation Security Administration's, or TSA's, use of facial recognition technology, according to The Record. The letter stated, this technology will soon be in use in hundreds of major and mid-sized airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy. TSA has not provided Congress with evidence that facial recognition technology is necessary to catch fraudulent documents, decrease wait times at security checkpoints, or stop terrorists from boarding airplanes. The senators added that this program could become one of the largest federal surveillance databases overnight without authorization from Congress. The letter asks DHS Inspector General Joseph Cuffari, quote, to thoroughly evaluate TSA's facial recognition program and report your findings to Congress before it becomes the default form of passenger verification at security checkpoints.
U.S.-based supply chain management software company Blue Yonder sustained a ransomware attack last week, disrupting its services to several grocery store chains in the United States and United Kingdom. Morrisons and Sainsbury's supermarkets in the U.K. have both confirmed outages related to the incident, and this incident led to challenges in the flow of goods to stores. Blue Yonder's Azure public cloud services remained unaffected. The company is collaborating with external cybersecurity experts to investigate and recover from the attack, implementing defensive and forensic protocols to safeguard its systems. As of November 24th, Blue Yonder reported continued progress in restoration efforts, but has not provided a definitive timeline for full recovery.
A critical vulnerability has been identified in QNAP's network-attached storage, or NAS, devices, potentially allowing attackers to execute remote code. This flaw, designated as CVE-2024-27130, stems from a stack buffer overflow in the No_Support_ACL function within the share.cgi script. Exploitation requires the attacker to obtain a valid ssid parameter, typically generated when a NAS user shares a file. QNAP has addressed this issue in QTS 5.1.7.2770 build 20240520 and later, and QuTS hero h5.1.7.2770 build 20240520 and later. Users are strongly advised to update their systems promptly to mitigate potential risks.

Recent cybersecurity investigations have uncovered a malicious campaign exploiting a legitimate but outdated Avast anti-rootkit driver to disable security defenses on targeted systems. This technique, known as Bring Your Own Vulnerable Driver, or BYOVD, involves attackers deploying the legitimate aswArPot.sys driver, which contains known vulnerabilities, to gain kernel-level access. Once installed, the driver allows the malware to terminate processes and disable security products, effectively evading detection. This method has been observed in various malware campaigns, including those involving the AvosLocker ransomware, highlighting the persistent threat posed by the exploitation of vulnerable drivers.

China's Cyberspace Administration, or CAC, has initiated a campaign to regulate internet algorithms, aiming to curb practices that create, and I quote, information cocoons, or echo chambers that limit diverse content exposure. The CAC mandates that tech companies prevent the dissemination of homogenous content and enhance transparency in content ranking algorithms. Additionally, the use of algorithms for discriminatory pricing in e-commerce is prohibited, requiring platforms to avoid price differentiation based on user demographics. Companies have until the end of the year to comply, with assessments beginning in January.
Coming up on the guest segment, Dragos technical director Lesley Carhart spoke with Dave Bittner about the shifting landscape of OT incident response.
We'll be right back. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Dragos technical director Lesley Carhart spoke with Dave Bittner about the shifting landscape of OT incident response.
I have found it very, very interesting to see what types of cases we get at Dragos. We are kind of pathfinders in the space of doing exclusively industrial or OT incident response to cybersecurity incidents. And since nobody's ever really done that as a dedicated corporate practice, there's some other organizations that do it, you know, to some extent they have a couple people who do it, but that's all we do as an incident response business. So nobody really knew what to expect in terms of the types of calls, the depth of those calls that we would get. And I've been at Dragos for about seven years now. And it's been really fascinating to see that landscape evolve and see what our metrics actually look like in terms of the types of cases that we get. And it's definitely different than enterprise incident response firms. It's certainly different types of cases, and they tend to give you a little bit of an indication of where the maturity of the industry is and what people are interested in.

Well, let's dig into that. I mean, what are some of the unique challenges that you and your colleagues face there when it comes to responding to incidents in OT environments compared to a typical IT environment?
So there's a couple different things to consider. First of all, everything is kinetic consequence based in cybersecurity and OT. What I mean by that is the result of somebody doing something malicious to equipment or you making a mistake as a cybersecurity professional isn't just ones and zeros. It's potentially somebody getting hurt, somebody dying, the environment being contaminated, critical services being unavailable to the public. So very clear real-life consequences. Everything that we have to do in terms of cybersecurity defense and incident response even has to come down to what avoids those consequences. What is the risk decision that we make during the response process to get things up and running in a safe way where we won't see those consequences? And how do we do our practice? How do we do forensics? How do we do restoration of systems or even containment of systems in a way that doesn't cause worse consequences than an adversary? So that's one thing, is that focus on process consequences over anything else.

And then there's logistical hurdles as well. So we're dealing with a lot of legacy stuff. I see Windows NT, Windows 95, Windows XP on a regular basis in my job, and I have to deal with those systems. And if you go to forensic school today, you're not really typically learning how to work with 30-year-old systems. So it's hard to train people. It's hard to get tools and equipment and anti-malware that work on those systems. And they oftentimes just can't be replaced in the near term because, again, process consequences. Those systems are warranted to work in a safe way as a single unified unit. And if you start replacing parts, upgrading operating systems, you can again cause that catastrophic consequence. So oftentimes we have to work around those legacy systems and figure out ways to do forensics safely on them.

And finally, there's just different people and logistics involved in getting to these facilities. We're talking about sometimes very remote industrial facilities, things that aren't easy to access, places where there are safety considerations. You need specialized safety training and equipment to get onto them or to visit those facilities and work in them. And that makes it a very, very different challenge.

But back to the tooling, another thing to expect if you're getting into this space is that we don't have a suite of modern security tools in a lot of cases. If you're doing enterprise incident response, you have all these logistical things you have to think about in a normal business, but nowhere near the level of the safety considerations and process considerations you've got in the operational environments. But also on top of that, you've got a technology suite of modern security tools in most enterprise environments. You're talking about Windows 10, Windows 11, modern server versions, modern versions of Linux. And you have things like EDR, XDR, next generation firewalls, which are great. I love them, but we see very few of them in those legacy-sensitive environments. So again, we have to do cybersecurity with much more jury-rigged and creative tools to deal with not having modern security tooling, but yet dealing with modern adversaries.
Well, how do you monitor those boundaries between the IT and OT systems? I'm thinking especially as things continue to get more complex.

And they're getting more connected. So we're seeing convergence of technologies. So there's a lot more Cisco and Windows and Linux in those environments than there used to be because it's cheap and it's easy to replace. It's easy to support. And so you've got that to deal with. And then, you know, the connectivity of these environments has changed over time. So we've seen more connections for remote access, more connections for telemetry, and just integration of devices for efficiency. So a lot of things that used to be connected to a few things via, say, serial connections are now connected to vast process network SCADA systems using Ethernet. So you've got these very sensitive, very critical industrial protocols, and they're traversing modern networking equipment. And sometimes they're connected to the internet. Sometimes they're connected to remote access services now. Sometimes they're connected through a DMZ into the enterprise network. They're very, very rarely air-gapped. That's something I see maybe a couple times a year in real practical effect.

So controlling, I often use the analogy of an M&M for these networks. I'd like to see them be a crispy candy outside around that gooey candy center. The devices inside most of these industrial networks are insecure and vulnerable by design. I see a lot of talk about, you know, PLCs being vulnerable. Yeah, they're simple computers. They're going to be relatively vulnerable. There's practically no encryption in industrial protocols for a reason. It has to be efficient and reliable. So inside that industrial equipment network, yeah, things are pretty vulnerable. What you try to do is you try to monitor it well and you try to isolate and architect security measures around those segments of the network so that you can control ingress and egress. That's really, really important. As we see more vendors and third parties and even organizations themselves putting in internet connections, cloud connections, remote access, sometimes multiple forms of remote access, it becomes very hard to restrict that boundary. And that's where we see a lot of intrusions coming from.

How do you evaluate the current maturity level of folks within the industrial sectors? Are there specific verticals that are either leading or lagging when it comes to OT cybersecurity?
Yes, absolutely. It depends a lot directly on funding and legislation, regulation, and resources available to those verticals. It's quite clear in most cases overall, industries like oil and gas have a lot of money and they can spend a lot of money. They're motivated to by financial reasons. They can spend a lot of money on large cybersecurity programs and a lot of new technology and updating their systems. But if you look at industries like manufacturing, where there's a very small margin to make profit, you cannot spend that kind of money on your cybersecurity program. And you don't necessarily have the regulatory or legislative motivation to do so as well. And then you look at things like small municipal utilities. When you talk about your local water or sewage utility, usually there's maybe like one or two IT people, much less any cybersecurity staff. And those people are responsible for securing that entire utility on whatever budget their local municipality chooses to give them. So there's vast discrepancies between the, in various countries that varies, of course, by what's public and private. But for the most part, there's vast discrepancies between different organization sizes and different organization verticals.

When we're talking about business continuity and risk management, do you have any words of wisdom in terms of like, what are some of the most effective steps that OT-focused companies can take to prepare themselves for cyber incidents?
Yeah, so to prevent and deal with the cybersecurity threats overall, there is a white paper that was released through SANS called the Critical Controls for Industrial Cybersecurity, the Five Critical Controls for Industrial Cybersecurity. And I recommend that anybody who's working in that space go download that paper. It's not marketing. It's not sales. It's very, very practical advice. And it breaks things down into things like building strong architecture. Like I talked about that crispy candy outside with the gooey candy center. And they also talk about monitoring your environment. I will never get calls until something is catastrophically broken, unless there's some monitoring in place, unless somebody's actually doing some type of threat detection. Things have gone pretty far if I get a call and organizations didn't have a way to detect any threats.

They also talk about remote access. And remote access is a pivotal piece to these modern networks. In a lot of networks, I find eight, nine different remote access methods into them when they think they have one. And that's a really big deal. That's a really hard problem to get a handle on. They talk about vulnerability management. And while I mentioned that a lot of industrial devices are vulnerable by design, it's important to know where those vulnerabilities exist so you can build controls and monitoring around them. But more relevantly, you really need to be on top of that crispy candy outside. You need to understand the security or lack of security of your perimeter devices. If those are vulnerable and somebody gets in because there is a new exploit out there and you haven't patched in time, there's not going to be many defensive measures inside the industrial network. You really have to protect that outside of your network.

So the final thing that they talk about, though, is incident response planning and preparation. You should have some kind of incident response plan for your industrial networks, your industrial segments of your business, for cybersecurity incidents. And I know a lot of people are like, we're a tiny water utility and we don't have the resources to plan for things. The plan can be, we know who we're going to call for help. And we know that there's an SLA there and they will actually help us. And this is how we'll preserve some evidence for them. It could be like a page like that, and they would be better off than a lot of the organizations I deal with who are, you know, people are in tears. It's catastrophic. Things have already gone very wrong and they had no way to even get help because they had no plan at all. If you can have a detailed, sophisticated plan and be able to do forensics and monitoring and logistics, that's wonderful. That's fantastic. But you have to have some kind of plan, even a fundamental plan of what you're going to do. I'll tell you, I do this for a living. This is what I do every single week, day in and day out. I respond to incidents in industrial networks. And there is no organization that's too big or too small or too uninteresting or in a vertical nobody cares about. It just happens across the board. It happens to anyone and everyone. And you need to have a plan. It's nothing against you. You need to commit at least a few hours to thinking about if you, say, had ransomware in your industrial environment, who would you call? And would they pick up the phone?

You can find a link to the blog that Lesley discussed in our show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And finally, after a recent cybersecurity hiccup left Stop & Shop shelves emptier than a diet soda can, the grocery chain has bounced back and offered free coffee and sweet treats to customers in Connecticut, Massachusetts, and Rhode Island. This gesture was their way of saying, thanks for sticking with us through the tech turbulence. So if you were in the area over the weekend and happened to swing by between 10 a.m. and 3 p.m. over the Thanksgiving shopping holiday weekend, I hope you got a chance to grab a complimentary pick-me-up.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Also, please fill out the survey in the show notes or send an email to cyberwire at n2k.com.

We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Maria Varmazis in for Dave Bittner.
Thanks for listening. We'll see you tomorrow. Bye.