CyberWire Daily - Public Wi-Fi advice from NSA. South African ports recover from ransomware. Iranian rail incident was a wiper attack. Developments in the criminal-to-criminal market. Intercept vendors under scrutiny.
Episode Date: July 29, 2021
Advice on WiFi security from NSA. South African ports are recovering from their ransomware attack. The attack on Iranian railroads was a wiper, of unknown origin and uncertain purpose. Developments in the criminal-to-criminal market. Israel undertakes an investigation of NSO Group. Josh Ray from Accenture Security on the road back to the office. Our guest is Duncan Godfrey from Auth0 with insights on managing digital identities. And a bad password is revealed on an open mic during an Olympic broadcast. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/145
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer. Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Advice on Wi-Fi security from NSA.
South African ports are recovering from their ransomware attack.
The attack on Iranian railroads was a wiper of unknown origin and uncertain purpose.
Developments in the criminal-to-criminal market.
Israel undertakes an investigation of NSO group.
Josh Ray from Accenture Security on the road back to the office.
Our guest is Duncan Godfrey from Auth0 with insights on managing digital identities.
And a bad password is revealed on an open mic during an Olympic broadcast.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 29th, 2021.
Just after noon today, NSA issued a cybersecurity information sheet that addressed best practices in securing wireless devices in public settings. Rob Joyce, head of NSA's Cybersecurity Directorate, described the advice as clear, actionable guidance for those working remotely or traveling to use public wireless tech securely.
The information sheet addresses the obvious issues of public Wi-Fi.
If you can avoid using it, avoid using it.
But if you must, use a VPN and browse only to HTTPS websites.
The sheet also discusses security awareness for Bluetooth and NFC.
NSA recommends not using Bluetooth for sharing credentials and also not accepting pairing requests that you haven't initiated. NFC's short range makes it a bit less risky than other wireless technologies, but you should still turn it off when you don't need it and keep it away from unknown electronic devices that might automatically initiate communication.
And finally, of course, don't leave your devices lying around unsecured and unattended.
Reuters reports that South Africa's Ministry of Public Enterprises said yesterday that service is being restored at ports operated by the state-owned logistics organization Transnet. The ports of Durban, Ngqura, Port Elizabeth, and Cape Town were all affected. Durban is now fully operational, and Eastern Cape ports are expected to return to normal capacity soon. The condition of force majeure should be lifted within a few days. The nature of the incident seems to be growing clearer. It was a ransomware attack.
CrowdStrike sees significant similarities between the artifacts found in the attack on Transnet, particularly in the nature of the ransom demands, and those encountered in earlier ransomware attacks by DeathKitty, also known as HelloKitty and FiveHands. DeathKitty was observed earlier this year in attacks on CD Projekt and the exploitation of SonicWall. The DeathKitty operators are probably based in Russia, possibly elsewhere in Eastern Europe, and appear to be a criminal as opposed to an espionage operation.

The cyber attack that affected rail operations in Iran earlier this month is now believed, The Record reports, to have been a wiper attack as opposed to the ransomware originally suspected. There's no attribution so far, although some political taunting on train station message boards may suggest at least a partial motive, things along the lines of "send your complaints to Supreme Leader Khamenei's office." SentinelOne, which has obtained a copy of the malware and analyzed the attack chain, says it's been unable to associate the attack with any known group. They said, quote, behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker, end quote. They call the campaign MeteorExpress and think that the wiper deployed, Meteor, was designed to be reused. The attack began with an abuse of group policy to distribute a CAB file necessary to the attack. The Record quotes Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, on the mixed quality of this new threat actor's performance. Quote, we see an adversary that doesn't yet have a handle on their deployment pipeline, using a sample of their malware that contains extensive debug features and burning functionality irrelevant to this particular operation. There's feature redundancy between different attack components that suggest an uncoordinated division of responsibilities across teams. And files are dispensed in a clunky, verbose, and disorganized manner, unbecoming of advanced attackers, end quote. It's worth noting that SentinelOne acknowledged the work of an Iranian firm, Amn Pardaz, which published an early assessment of the incident that SentinelLabs was able to confirm and use in its own analysis.
McAfee Labs yesterday published a warning that the Babuk ransomware operators are apparently making good on their promise to develop their attack tools into a genuinely cross-platform threat. Quote, in recent months, we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang, Go. Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX or ESXi/VMware systems. Many core back-end systems in companies are running these *nix operating systems, or in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment, end quote. Babuk is one of the relative newcomers to the ransomware underworld, but it's already operating an affiliate network that's bothered some high-profile targets. It has, McAfee says, struggled with making its encryption work, which means two things. First, it's likely that Babuk will move toward data theft as its principal mode of extortion. And second, if you are hit by Babuk ransomware, don't count on any decryptor you may actually pay them for working as advertised.
Summing up recent discussions and suggesting a possible answer to the question, where did DarkSide and REvil go anyway? CyberScoop points out that Flashpoint, Mandiant, and Recorded Future all see signs that some or all of their operations may have been reconstituted as BlackMatter. Why rebrand and resurface? It's a matter of self-presentation. Russophone dark web fora catering to criminal markets have, in the face of widespread outrage over large-scale ransomware attacks and desiring to stay out of the crosshairs of increasingly impatient international law enforcement agencies, sought to exclude obvious ransomware operations from their platforms. So BlackMatter is coy. As Flashpoint puts it, quote, BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn't break the rules of the forums, though the language of their posts, as well as their goals, clearly indicate that they are a ransomware collective operator, end quote. At least they're not claiming to be Robin Hoods.
Where else are the cyber criminal markets moving? Positive Technologies says that initial access brokers, criminals who offer to sell other criminals access to targets, are doing a land-office business. Positive Technologies' observations of the criminal-to-criminal market lead them to conclude that about $600,000 of trade in corporate network access is being done each quarter.

In Paris for meetings with his French counterpart, Israel's Defense Minister Benny Gantz addressed concerns about NSO Group and its export of intercept technology that the Pegasus Project and others have alleged is being abused by repressive regimes to target journalists, dissidents, and others who ought to be outside of the usual scope of legitimate law enforcement or counter-terror operations. Gantz said, quote, Israel is investigating the matter with the utmost seriousness. Israel gives cyber licenses exclusively to countries and exclusively for dealing with terrorism and crime, end quote. Israel's Ministry of Defense yesterday tweeted that representatives from a number of bodies came to NSO today to examine the publications and allegations raised in its case. NSO Group confirmed to Motherboard that they had indeed been visited, that they welcomed the visit, which had been conducted by prior arrangement, and that the company expected any investigation to vindicate them of the allegations surfacing in the Pegasus Project.
Other firms are also receiving scrutiny, although not, as far as is publicly known, official scrutiny. Haaretz, which is no friend in general to this particular Israeli business sector, takes a shot at NSO's quieter competitor, Cellebrite. An anonymous essay from a writer whom Haaretz identifies as a former Cellebrite employee says the company, quote, knowingly sells products and services to users of dubious repute belonging to autocratic regimes, end quote. Sales to China and Belarus stopped only after inquiries by human rights groups exposed the practice.

And finally, have you heard about this Olympics thing that's going on? All the stories of triumph and struggle and the international good feeling that sport brings? We have. We've also heard that a broadcaster on an open mic revealed the password for the computer he was using in his broadcast booth. That he would do so on an open mic is of course not a good thing, but it happens, and the open mic is one of the inherent risks of live broadcasting. The real scandal is the password those who provided the equipment for the media booth selected. The password, Motherboard reports, was booth.03, just the identifier for that particular booth. Better than using password or 123456789, but only marginally so.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Protect your executives and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io.
The team at Auth0 recently released their State of Secure Identity Report, examining the exponential rise of credential stuffing attacks, fraudulent registrations, and the widespread use of breached credentials. Duncan Godfrey is Vice President of Security Engineering at Auth0, and he joins us with highlights from the report.
We knew that credential stuffing was a plague on the internet and a plague on our customers, but even I wasn't expecting it to kind of be... We have 16.5% of all login traffic that we see is a credential stuffing attack. So it's nearly a fifth of all traffic. And on some days we see it reaching a peak of 40%. So that's when a customer or our platform is kind of coming under intense attack. So that's something that jumped out as very interesting and something that we need to be thinking carefully about. So another thing was that roughly 15% of all registration attempts result in failure. So that is something that is particular to consumer-facing identity, which is it's called a sign-up attack. And again, I really wasn't expecting the figure to be that high, and I really don't think it's something that most of our customers were tracking. So now it's something we wanted to focus on, because it can really be an indicator that an attack is on the way once you see an uptick and things like that.
What exactly is a sign-up attack?
So a sign-up attack is, someone will try and create a number of fake accounts in your application. So they're basically trying to overwhelm you to either... In one example, they could be trying to get access to accounts so they can commit some fraud, but also they could just be trying to slow you down and bring your infrastructure down. So yeah, it's something that everyone should be wary of.
Gotcha. Another thing that you all took a look at were multi-factor authentication bypass attacks. What was going on there?
Yeah, MFA was another interesting focus of the report. So MFA has become ubiquitous for most even regular users who are protecting a lot of their online accounts when they have an authenticator. And it's often protecting high value accounts. But I think what people don't realize is that it can actually be targeted in MFA bypass attacks. So that's where an attacker will try and capture the authentication factor or the code through phishing or spoofing. So what we saw in the report is that there are some industries that are susceptible to this. So we saw that the tech industry in particular experiences the most MFA brute force attempts. So that was, we saw that 42% of all these attacks were the technology industry, but also consumer goods industries, financial services, industrial services, they're all susceptible to attacks of this nature.

So what were some of the key takeaways here from the information you gathered? What were the lessons learned?

Really what we wanted to do here is establish a baseline for moving forward. So there is something for anyone who is trying to secure an application on the internet, that they have data, that they have some basic attack type, so they can start thinking about how they can secure their application and the types of attacks that they're going to be facing. So we talked about credential stuffing attacks, brute force attacks, we talked about sign-up attacks. So that's what everyone should be thinking about. And that's where a technology platform like Auth0 can certainly help with some of the features we offer. But the main takeaway from the beginning was that MFA is still a basic and the most effective countermeasure that we should be deploying. So we encourage everyone to be thinking about how they can, in the most frictionless way possible, introduce MFA into their users' login flows to secure those accounts.
Was there anything coming out of the data here that was particularly surprising for you and anything that was unexpected?
So I think as I mentioned before, it was the sheer volume of attacks. I mean, I think almost this is something that we've lived and breathed for a period of time. You know, this is what I obsess about. This is what the security team obsesses about. And so being able to share just really that if you're going to put an application on the internet, you should expect that up to a fifth of the traffic that you're going to receive is going to be malicious traffic. And that you should be prepared for that. And you should be prepared for dealing with peaks where you could become under sustained and very high-volume attacks that could have a significant impact on you and your business.
That's Duncan Godfrey from Auth0.
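The figures Godfrey gives (16.5% of login traffic being credential stuffing, peaks of 40%, about 15% of registrations failing) are the kind of baseline a defender can alert against. The Python below is an added example for this page, not Auth0's code and not taken from the report: it runs over a small set of constructed authentication events, flags source IPs that spray many distinct usernames with a low success rate, buckets traffic into one-minute windows, and raises alerts when a window's share of stuffing traffic or failed sign-ups departs from those baselines. The window size, the per-IP thresholds and the "twice the baseline" sign-up rule are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth events for this example (not real traffic):
# (timestamp_seconds, event_type, username, source_ip, succeeded)
SAMPLE_EVENTS = [
    (5, "login", "alice", "10.0.0.1", True),
    (9, "login", "bob", "10.0.0.2", True),
    (14, "login", "carol", "10.0.0.3", False),   # one user mistypes once
    (20, "login", "carol", "10.0.0.3", True),
    (30, "signup", "dave", "10.0.0.4", True),
    (45, "signup", "erin", "10.0.0.5", True),
    # second window: one source sprays nine different usernames, one lands
    *[(61 + i, "login", f"user{i}", "203.0.113.9", False) for i in range(8)],
    (70, "login", "user8", "203.0.113.9", True),
    (75, "login", "alice", "10.0.0.1", True),
    (80, "login", "bob", "10.0.0.2", True),
    # the same source also tries to register a batch of fake accounts
    *[(85 + i, "signup", f"bot{i}", "203.0.113.9", False) for i in range(4)],
    (100, "signup", "frank", "10.0.0.6", True),
]


def stuffing_sources(events, min_distinct_users=5, max_success_rate=0.2):
    """Source IPs that try many distinct usernames with a low success rate.

    A legitimate user mistyping a password hits one account; a stuffing tool
    replays leaked pairs across many accounts, and most of them fail.
    Thresholds are this example's assumptions, not the report's.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, kind, user, ip, ok in events:
        if kind != "login":
            continue
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok
    return {
        ip for ip in attempts
        if len(users[ip]) >= min_distinct_users
        and successes[ip] / attempts[ip] <= max_success_rate
    }


@dataclass
class WindowStats:
    logins: int = 0
    stuffing_logins: int = 0
    signups: int = 0
    failed_signups: int = 0

    @property
    def stuffing_ratio(self):
        return self.stuffing_logins / self.logins if self.logins else 0.0

    @property
    def signup_failure_ratio(self):
        return self.failed_signups / self.signups if self.signups else 0.0


def window_stats(events, window_sec=60):
    """Bucket events into fixed windows; count logins from stuffing sources
    and failed sign-ups per window."""
    bad = stuffing_sources(events)
    stats = defaultdict(WindowStats)
    for ts, kind, _, ip, ok in events:
        w = stats[(ts // window_sec) * window_sec]
        if kind == "login":
            w.logins += 1
            if ip in bad:
                w.stuffing_logins += 1
        elif kind == "signup":
            w.signups += 1
            if not ok:
                w.failed_signups += 1
    return dict(stats)


def alerts(stats, stuffing_baseline=0.165, stuffing_peak=0.40, signup_baseline=0.15):
    """Compare each window against the baselines quoted in the interview.

    16.5% of logins, 40% peaks and 15% failed sign-ups are the report's numbers;
    the "twice the baseline" rule for sign-ups is this example's own choice.
    """
    out = {}
    for start in sorted(stats):
        w = stats[start]
        flags = []
        if w.stuffing_ratio >= stuffing_peak:
            flags.append("credential_stuffing_peak")
        elif w.stuffing_ratio > stuffing_baseline:
            flags.append("credential_stuffing_above_baseline")
        if w.signup_failure_ratio > 2 * signup_baseline:
            flags.append("signup_attack")
        out[start] = flags
    return out


if __name__ == "__main__":
    for start, flags in alerts(window_stats(SAMPLE_EVENTS)).items():
        print(f"window starting t={start}s: {flags or ['ok']}")
```

The per-IP classification is what separates a stuffing spike from a busy day: the first window has a failed login too, but from one user against one account, so it stays below every threshold, while the second window is flagged both for the share of login traffic coming from a spraying source and for the burst of failed registrations from the same address.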
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

And I'm pleased to be joined once again by Josh Ray. He is a managing director and also global cyber defense lead at Accenture Security.
Josh, always great to have you back. You know, you and I were talking before we started recording here about this sort of sense of hope that we share as people are getting vaccinated and even just the spring weather is being nice. And I think that means for a lot of organizations, they're going to be thinking about people heading back to the office. What are some of your thoughts there?
Yeah, Dave, you know, it is great to see this kind of sense of hope. And I think if this global pandemic has proved anything, it is that cyber adversaries will exploit any technical or physical circumstance that they can use to further their objectives. And, you know, we saw this early on in the pandemic where, you know, attackers were exploiting organizations that were really in this crisis mode of having to accelerate a massive digital transformation, trying to figure out how to secure a remote workforce and really just the security teams trying to keep pace.
months and some organizations are beginning to journey back to the office, we need to collectively think, I think as a community, how the threat is going to leverage this phase to their advantage.
Yeah, I mean, that's an interesting thought. And we have all these devices that have been sort of out there in the wild, and now they're going to be, I don't know, to mix metaphors, they're going to be back inside the castle walls, right?

Yeah. And there's that kind of traditional IT security problem. But one of the things that actually our CTI team has been thinking a lot about is really the exploitation around business travel during this transition back to normal operations. And I think that comes in kind of three main areas. One of the things that the team has done some really in-depth assessments on is the market for compromised traveler data has flourished. And our team believes that this is really going to continue in the form of accounts being targeted based on their higher volumes of frequent flyer miles, so the greater perks and also the higher credit limits. And then now to kind of further complicate this whole notion of how we travel and how we interact at borders and such, since February, our team has seen multiple markets selling these false vaccination records. Similarly, there's a market for forged negative test results as well. So many countries now require this for travel, you know, not only to events, but also back into the country. So I think this is going to further complicate our ability to operate. And then third, actors are very much aware of this, you know, rush to implement these contactless mobile apps and the pressure on travelers to use these apps. And since the beginning, we've seen threat actors using pandemic themes in their operations to deploy spyware and banking trojans and adware. But this really especially is relevant to those senior business executives that have been continuously targeted by some of those cyber espionage threat groups. And that's something that especially those executives need to be aware of.
And what are your recommendations there for folks to best prepare and protect themselves against these sorts of things?
Yeah, I think that's right now. I think it's really remaining and focusing on that information that you trust from those travel advice requirements from official government, tourism board websites. But more subtle tradecraft around operational security, carrying only essential corporate devices on travel, ensuring those accounts and devices are secured with multi-factor authentication where possible, but also educating staff on staying secure when traveling, you know, so not connecting to open Wi-Fi networks, making sure that they leverage their VPNs whenever possible. Don't install any apps that, you know, are suspect in nature or are not approved by your corporate folks. So, you know, these are all things that I think are table stakes, but at least will provide you with some level of security and lower your risk of being a target while you're traveling.
Yeah, it's an interesting thought that when it comes to traveling, I suppose on a certain level, a lot of folks are going to be just plain rusty.
Yeah, no, that's exactly right. We're going to probably start to see longer lines in security too, as you know, folks that are used to kind of going through security really quick and just, you know, throwing their bags on. But I think that also goes for their IT hygiene and their security practices and how they operate that way too.

Yeah. All right. Well, good advice. Josh Ray, thanks for joining us.

For today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Trey Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.