CyberWire Daily - Paying for the bomb the 21st century way. Domestic Kitten’s international romp. Malware versus gamers. Patch Tuesday notes. An update on the Oldsmar water system cyber sabotage.
Episode Date: February 10, 2021. What's North Korea doing with all that money the Lazarus Group steals? Buying atom bombs, apparently. Iran's Domestic Kitten is scratching at some international surveillance targets. Not everyone who says they're a Bear really is one. Parking malware in Discord. Notes on Patch Tuesday. Joe Carrigan details a gift card scam that hit a little close to home. Our guest is Saket Modi, CEO of Safe Security with thoughts on quantifying risk. And the latest on the water system cyber sabotage down in Florida. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/27
Transcript
You're listening to the CyberWire Network, powered by N2K.
What's North Korea doing with all that money the Lazarus Group steals?
Buying atom bombs, apparently.
Iran's Domestic Kitten is scratching at some international surveillance targets.
Not everyone who says they're a bear really is one.
Parking malware in Discord? Notes on Patch Tuesday.
Joe Carrigan details a gift card scam that hit a little close to home.
Our guest is Saket Modi, CEO of Safe Security with thoughts on quantifying risk and the
latest on the water system cyber sabotage down in Florida.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 10th, 2021.
A United Nations panel charged with monitoring the success of international sanctions at restraining North Korean military ambitions has told the Security Council, the AP reports, that Pyongyang's financially motivated hacking has been keeping the DPRK's nuclear program afloat.
An unidentified member of the council said the panel reported that total theft of virtual assets from 2019 to November 2020
is valued at approximately $316.4 million.
The return to prominent activity of Iran's Domestic Kitten and Infy surveillance actors,
flagged by Check Point earlier this week, continues to attract attention.
The Washington Post quotes industry sources as
saying that the groups are taking a greater interest in international targets. The BBC
describes some of the deceptive masquerades the groups have undertaken to induce victims to
install their spyware tools, fake menus, free wallpaper, and a range of other malicious apps.
FS ISAC says that more than 100 firms
were threatened with DDoS extortion last year.
The Wall Street Journal observes that the criminals,
and straight-up criminals they appear to have been,
lent menace to their demands by posing variously
as the Lazarus Group, that is, the North Korean state's hackers,
or Fancy Bear, which is Russia's GRU.
Zscaler warns that Discord CDN has become an increasingly popular place
for threat actors to stash malware,
the better to afflict gamers made stir-crazy by pandemic isolation.
Game away if game you must.
I'll admit it, I've played Clash of Clans a time or two, but play safely. Not all the bad actors are non-playing characters.
Yesterday was, of course, Patch Tuesday, and CISA released 23 Industrial Control Systems
advisories. Help Net Security has a good rundown of Microsoft and Adobe Patch Tuesday fixes.
One noteworthy upgrade from Microsoft,
not a patch, but more of an enhancement.
Henceforth, Windows Defender will alert users
if it detects that some cyber threat actor
in the service of a nation state
is beginning to attend to them.
The FBI has released an advisory
on the Oldsmar water treatment facility incident.
The Bureau said the attack likely exploited an old Windows 7 operating system and weak password security
as they gained access to the TeamViewer software in use at the facility.
The Bureau and the U.S. Secret Service have joined state and local law enforcement in the investigation.
No suspects have so far been named or arrested.
The Tampa Bay Times notes that the attack could have been far worse than it turned out to be.
The paper also quotes TeamViewer as saying that while it had no evidence
that its software had been compromised, it was monitoring the situation closely.
Most speculation holds that the attacker gained access to TeamViewer through compromised
credentials. The Miami Herald says that other regional water utilities have assured them
that they have safeguards in place that would have prevented the sort of incident Oldsmar
sustained. Who did it remains an open question. Computer Weekly goes to a canonical source,
the 2005 film Batman Begins,
which opens with the villains poisoning Gotham City's water supply.
Imaginative hacks can inspire real-world imitators.
If this turns out to be the work of some lone skid,
said skid may indeed take DC villains as his or her moral lodestar.
Sophisticated has become the cyber-equivalent of Lake Wobegon's above-average,
where the children of Lake Wobegon were all above-average.
So, too, the media are in the habit of calling every attack sophisticated.
Maybe yes, and maybe no, but it's worth pointing out
that the sort of attack Oldsmar's water system sustained
was within the range of many threat actors,
from the lone twisted creep in a basement to a national intelligence service.
And don't, by any means, rule out the lone twisted creep in it for the lulz.
It's also worth noting that critical infrastructure can be hit in a variety of ways.
Paradoxically, the very modernization
of some sectors has exposed them to new risk. Where long-lived legacy systems by their very age
afforded a degree of resistance to cyber attack, with many controls remaining manual and many
automated systems being by their nature air-gapped, that's changing, and the risk has risen accordingly.
A final disturbing thought on the Oldsmar water system cyber-sabotage.
The attack was noticed and stopped by a watchstander who noticed something going on briefly on his workstation that didn't seem right.
As Nozomi Networks' Chris Grove put it in an email, quote,
Had a facility operator not noticed the moving mouse on the screen,
this attack would have gone much further.
That level of attention should have been automated,
end quote.
And Chris Grove should know,
we're told he lives down thereabouts.
One hopes that there's more redundancy
in such safety systems than a single watchstander,
however skilled and alert that watchstander might be.
And for heaven's sake, Oldsmar,
give that operator a big raise.
Every organization has a unique appetite for cyber risk, dialing in the various proactive, reactive, and predictive mitigations they put in place to protect their valuables, all while facing the reality of limited budgets and time.
And, of course, there are a number of companies that have been spun up to help organizations balance those complex security equations.
Saket Modi is CEO of Safe Security, a company that provides real-time cyber risk metrics.
Most companies, Dave, what we've seen, and I'm talking about most Fortune 2000 companies that we talk about, there is a concept of, there is something called inherent risk and residual risk,
and what is your tolerance of the residual risk after applying your cybersecurity controls?
In most companies, this concept itself does not exist.
Unfortunately, most of the risk management that we've seen is driven using compliances for at least the bulk of Fortune 2000 companies.
It is changing in at least the more matured sectors like financial services and even service providers and a couple of others.
But currently, the way we look at it, either a tick in the box from a compliance perspective or saying, hey, these are my vulnerability assessment reports or an outside in assessment report.
And my ratings of our company are generally the popularly used
methodologies of viewing your own risk posture today, Dave. Well, then how are most organizations
going about their own internal risk assessments? So most of the companies that we see, Dave,
take the other stance where they generally hire an auditor once in a year, which will come in and
do a point-in-time assessment
for a sample set of their assets. And then they extrapolate the results for the entire tech stack.
And typically, that's a long, manual, questionnaire-led assessment which happens,
based on which you get a 600-page report with a lot of red amber greens. And that is, we feel, a very dinosaur-age way of looking at risk again.
And that's what we see in most companies beyond compliance, what they are doing, Dave.
And so what do you propose here?
I mean, what's a better way for organizations to come at this?
It's the same way how the CRM industry changed
how you look at salespeople, Dave,
how the ERP industry changed
how you manage your inventory and your billing.
We feel that cybersecurity is about time
where you move out from a one-time
questionnaire-based assessment
to an API-based dynamic breach likelihood
and risk scoring engine, which can provide to you at a macro
level, your overall risk posture of the entire organization, which can be broken down into
individual business units or crown jewels or departments, and which can further be broken
down into individual assets, such as your laptops, desktop servers, cloud resources, SaaS applications,
and you get a real-time breach likelihood score.
In other words, we call that a SAFE score for every asset
within your hybrid environment which is out there, Dave.
That's Saket Modi from Safe Security.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Joe, did you get the gift cards that I sent you?
I got the text message from you requesting that I go buy some gift cards
and send them out to you.
Did you get them?
Dave, I didn't ask for any gift cards.
Of course you didn't.
And I ask you because this story came across my desk, and it says,
Johns Hopkins University warns of email scam targeting staff and faculty.
It's hitting a little close to home here, Joe.
What's going on?
Yeah, we talk about this in staff meetings, actually.
So what's going on is if you go to any Johns Hopkins department website,
you can quickly find out who the chair of that department is.
And in our case at the computer science department,
the chair is a guy named Dr. Randall Burns.
Now, you can also find out the name of all the staff members that work there.
And you can also find out their email addresses
because we want people to be able to reach out to us, right? This is the same thing that happens at
the Information Security Institute. If you look at that webpage, you'll see my name on there,
you'll see my email address on there, and you'll see Dr. Tony Dahbura's email on there. And this is
the exact same thing that happened to me. I think we talked about this about a year ago or so.
Somebody sent me an email impersonating Dr. Dahbura and said, hey, are you available? And I
replied to it and said, yes, I am, and went down to Tony's office only to find it dark.
As soon as I see his office dark, I'm like, they got me. They got me. I'm so mad about it.
And our administrative director comes out and she goes, I think that was a fake
email. And I'm like, oh, and not only did they get me, but my coworkers know they got me.
Even worse. Right. Yeah. Okay.
You know, because it happens, but it always starts with a very simple email that says,
hey, are you available right now? And then if you reply, yes, they'll move it to a different platform, right?
They'll move it over to mobile devices
where they start texting you.
And then they're going to ask you to go
and get some gift cards for them
because they're in a meeting, right?
And they need the gift cards for a friend
or something like that.
It's a typical gift card scam.
And that's just what this is.
And this has actually been going on for a while,
we get hit with these every,
every so often.
And in the past,
they have been successful.
They've gotten people bilked out of a couple hundred bucks.
Wow.
And it's unfortunate, but it does happen.
Right.
We have had meetings where Randall Burns, Dr. Burns, has said,
I want to go on record right now.
I will never ask you to buy a gift card
for a friend or anybody.
I will never do that.
And if I ever do do that,
it won't be an email or text.
And you know what?
I'll never do it.
I'm just never going to do this.
Yeah.
Well, and I mean, it's a good reminder
that that may be a prudent email to send out to your staff, to your employees, to your coworkers.
If you're in a leadership position, to just preemptively nip this one in the bud and say, hey, everybody, you know, if you ever get something from me that's asking you to buy gift cards, it is not from me.
It is a scam.
And here's the kind of scam it is. And hopefully
inoculate your employees against this particular scam, which is widespread. I mean, you know,
the Johns Hopkins University is not an institution that's full of dummies and rubes, right?
Right. I like to think so, Dave.
Yeah. So, you know, if they can fall for it, anybody can fall for it. So it's a good reminder
here to just be vigilant about this and help spread the word. I would like to remind everybody,
we've had a story on Hacking Humans about a woman who teaches in the School of Medicine at Harvard
University, and she got scammed out of a lot of money. Yeah. This is not an intelligence issue.
This is an emotional issue, right?
Right.
You are dealing with emotions. You're not dealing with intelligence or short-circuiting your thinking when they're doing this.
And that's why they go with the chair of the department in this case.
Or if they're targeting a local company or a larger company, they'll go with a CEO or something, right?
And try to use that kind of power and clout behind an email to get you to go,
uh-oh, I better pay attention to this, right?
Right, yeah.
It's a scam.
Just know it's a scam and just delete the email.
You're done.
Yeah, yeah, absolutely.
Yeah.
All right.
Well, it's a good reminder.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.