CyberWire Daily - Ransomware in industrial control systems. Phone hacks, proved and unproved. Britain’s compromise decision on Huawei. Wawa cards in the Joker’s Stash. CardPlanet boss pleads guilty.
Episode Date: January 29, 2020

Snake ransomware appears to have hit industrial control systems, and may be connected to Iran. The verdict on the Saudi hack of Mr. Bezos' phone seems to stand at not proven, but the Kingdom does seem to have used Pegasus intercept tools against journalists and critics of the regime. Neither the US nor China are happy with Britain's decision on Huawei. Cards from the Wawa breach are on sale in the Joker's Stash. And CardPlanet's boss will do some Federal time. Ben Yelin from UMD CHHS on AOC's comments during House hearings on facial recognition technology. Guest is Dan Conrad from One Identity on sophisticated "pass the hash" attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_29.html

Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Snake ransomware appears to have hit industrial control systems
and may be connected to Iran.
The verdict on the Saudi hack of Mr.
Bezos' phone seems to stand
at not proven, but the kingdom does
seem to have used Pegasus intercept tools
against journalists and critics of the
regime. Neither the U.S. nor
China are happy with Britain's decision on
Huawei. Cards from the Wawa breach
are on sale in the Joker's stash
and Card Planet's boss
will do some federal time.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for January
29th, 2020. Otorio, an Israeli security firm, says that a strain of ransomware called Snake is both linked to Iran
and probably implicated in the recent attack on Bahrain Petroleum Company. Bloomberg reports that
Snake prospects many kinds of files, but it's notably interested in process controls. Many of
the control systems it's been observed to go after are GE products, but as GE points out, Snake
isn't exclusively or even distinctly interested in GE systems. But to take the firm's report on
how the ransomware operates when it does encounter some GE systems, according to Otorio, Snake
terminates a GE Digital Proficy server critical process, specifically one that enables connectivity to Proficy HMI/SCADA,
manufacturing execution and enterprise manufacturing intelligence systems.
Process termination causes troubles in plant operation.
The termination list Snake uses is similar to the one used by Megacortex Ransomware,
and this too seems consistent with Iran's operational style.
Use proven malware and tailor it as necessary to a particular target.
Otorio thinks the attacker's motive is economic warfare,
in particular an attempt to influence oil prices.
The matter of Mr. Bezos' phone and the Crown Prince's texts
is increasingly regarded as inconclusive and at best
circumstantial. Something seems to have been going on, but a more thorough look would be necessary
to determine what might have been. See, for example, Errata's blog on the topic, which contains
a clear and convincing discussion of why some of the apparent anomalies, like those involving the
size of video files, really aren't anomalies at
all. So the evidence comes down to Saudi means, motives, and opportunity, but the verdict has to
be, so far, not proved. In contrast with all of this, Citizen Lab's account of Saudi Pegasus use
against journalists seems to be holding up. Ben Hubbard, the New York Times reporter who brought a suspicious text to Citizen Lab's attention,
offers an account of his experience.
NSO Group told Mr. Hubbard when he gave them a screenshot of the suspicious text
that it wasn't their Pegasus tool,
but they declined to say how they knew that.
NSO Group has commented publicly to the effect
that it's premature to blame every case of spyware on them.
There are, they correctly point out, a number of other tools out there,
either on the market or developed in-house,
that can give interested parties a look into devices of interest.
NSO Group have been among the more prominent names in the field,
but it's far from being the only one.
Reaction within the U.S. government to Britain's decision to allow Huawei to play in its 5G infrastructure
but only in non-core sections has been decidedly sour.
Fifth Domain offers a representative sample of congressional opinion,
and the judgments are harsh.
They include,
they've chosen the surveillance state over the special relationship,
or,
allowing Huawei to build the U.K.'s 5G networks today is like allowing the KGB to build its telephone network during the Cold War.
The nicest comment was simply disappointed.
There's been some congressional harrumphing about scaling back on transatlantic intelligence cooperation,
but what, if anything, that will amount to remains unclear.
It's unclear because the effects of British policy are themselves so far unclear, too.
Much will depend upon how non-core comes to be defined and on how confident technical authorities are that they can exclude the risk of Huawei equipment from the core components
of the infrastructure.
For now, high-risk vendors, and that's a euphemism for Huawei,
will be excluded from core infrastructure and kept physically away from military installations
and nuclear facilities. They'll also be limited to no more than 35% of the total market share.
A Bloomberg op-ed calls the British policy close to a fudge, but actually something that amounts
to a workable compromise. It's not what the U.S. wanted, but Huawei isn't going to be happy about it either.
That there is a risk isn't seriously in question. How well that risk can be managed and the threat
contained is the question. U.S. Secretary of State Pompeo is in the U.K. for talks this week.
The matter of Huawei will surely figure in among the agenda.
And after having waited to see which way the cat would jump, the European Union enunciated
essentially the same policy with respect to Huawei participation in member states' infrastructure
that Britain adopted yesterday, SC Magazine reports. Several of the EU's 28 members,
that is 28 until the tally drops to 27 over this
coming weekend as Britain Brexits, well, they've already put restrictions in place against Huawei.
France, for example, won't allow Huawei antennas anywhere near Toulouse. Why Toulouse? That's where
Airbus is and French intelligence and security services aren't stupid about industrial espionage.
Researchers have been tracking a specific vulnerability known as Pass the Hash.
It's not just something you might have heard at a party on a college campus back in the 60s.
It's a serious security issue.
Dan Conrad is field strategist at security firm One Identity.
A few years back when customers started asking me for mitigations for pass the hash,
I had to, you know, look back at my brain and think,
I haven't heard about this in a long time.
I remembered I, you know, jump onto Google and refresh my brain on how it works.
Looking back, you know, it dates back to, you know, Windows NT days
when we were using LAN Manager hashes to give yourself a single
sign-on experience. And the way it works now is it's still there because we get the capability
to fall back in a Windows environment to use that form of single sign-on. And what it is,
it's basically a way to elevate privileges based on a residual credential. So a scenario would look
like maybe a typical phishing attack
where a user's workstation gets compromised through a phishing attack,
which has its own issues.
The remote entity will then gain control of a workstation,
maybe something, a point-of-sale machine,
maybe a laptop that travels,
and create a problem that somebody needs to log on and fix,
somebody with elevated permissions.
And when we log on and fix that problem, it leaves a hash in the registry.
And so do you have a sense for how prevalent this is these days?
Sort of. So in reality, you may not truly know. It's an awareness of you if you've been breached,
right? So the concept of they're already in the walls. I'm sure you're familiar with that from other, you know, from hacking and from exploits. We've got a mindset now that the attackers are already in the walls.
We don't know. So an organization may have been breached with pass the hash, but not even know about it. Some of them have been subject to ransomware as a result of that. But beyond that,
how would they really even know? And so what are your recommendations?
What are good mitigations for this? There's some complicated ways to solve the
problem. Microsoft actually recommended something called the Enhanced
Security Administrative Environment, which is a multi-tiered forest architecture of Active Directory
that is designed to compartmentalize privileges so that you've got workstations, which are probably
one of your most vulnerable resources in the environment, running all over the place, you know,
in a highly mobile workforce all over the world. They're at one tier, and then you've got enterprise assets at another tier.
And then above that, you've got your top tier enterprise assets that would control everything
with a trust relationship that points up only trusting up, but not down.
So that's fairly complex to implement. And the concept there is that no credential would be
valid across those multiple planes
so that you don't have to worry about, you know, if a hash was compromised in the workstation
environment, it doesn't really affect, you know, the top tier enterprise.
That's difficult to implement for a lot of reasons.
The political side of that is difficult.
The technical side, the policy side is very difficult.
So what are the takeaways here in terms of people using this information in a practical way?
What do you recommend?
It's one of those things where we're trying to influence human behavior, right? So,
And as we typically know, the human element of any cybersecurity practice is the most difficult to get your hands around, whether it's social engineering or changing the way users operate or changing the way administrators administer.
I've been a sysadmin for many, many years, and changing my behavior, I know, during those days was difficult. I was resistant to
change. The same concept is here. So if we can maybe socialize the vulnerability here of these
types of attacks, and not even just these types of attacks, but getting control of privilege in
general, you look at default admin passwords and things like that, that have been a vulnerability
in many breaches.
Getting control of these administrative credentials and looping them in and realizing that this actually matters, even if it's something as simple as an IoT device that
has a built-in admin password. The concept of getting control of those that can influence
the rest of your network really needs to be grasped by both the administrators and the users.
One thing that I've learned in kind of the last couple of years
is be willing to change your behavior to behave more securely.
So as we learn, we change.
That's Dan Conrad from One Identity.
Wawa, the convenience store and gas station chain
well-known to all of us here in the Mid-Atlantic,
disclosed last month that it had
been the subject of a criminal cyber attack that began in March, was discovered on December 10th,
and was contained on December 12th. It now appears that the breach was larger and more consequential
than previously believed. Late Monday it was discovered that some 30 million Wawa customers'
pay card information was being offered for sale on the notorious Joker's Stash,
a sleazy online market that deals in such stolen goods,
to the accompaniment of middle-schoolish pictures
showing mushroom clouds being observed by a hooded figure
who looks like someone out of Assassin's Creed.
The Joker's Stash is advertising millions of cards
in a file it calls Big Bada Boom 3.
Gemini Advisory, a New York-based anti-fraud shop, says that the Joker hasn't laid all the cards on the table,
but that those that have been seen map to Wawa customers, mostly in Pennsylvania and Florida.
Usually, carders only release their wares piecemeal to avoid depressing the black market prices.
It's supply and demand, friend.
Krebs on Security has a useful summary of the incident,
including an account of what Wawa is doing to try to limit the damage to its customers.
And speaking of carders, one of the biggest of them all, Mr. Alexei Burkov,
copped last Thursday to being the guy who ran the notorious Card Planet site,
an online market where stolen paycard information was traded.
He pleaded guilty in the U.S. District Court for the Eastern District of Virginia
to charges of access device fraud and conspiracy to commit computer intrusion,
identity theft, wire and access device fraud, and money laundering,
the U.S. Department of Justice said.
Mr. Burkov, for all his tender years, the gentleman being only 29,
was apparently very well connected, both with the Russian underworld and arguably the Russian government.
After he was detained in Israel on an international warrant in 2015,
and during the period he was fighting extradition to the United States,
he received considerable support from the Kremlin.
Not only did the Russian government demand his return to Russia,
but they went so far as to frame an Israeli woman on drug trafficking charges.
She wasn't even trying to enter Russia.
She was just passing through on a short layover in the airport,
en route to somewhere else entirely.
There are finally signs that the unfortunate woman may now be released,
the Times of Israel reports.
We hope so.
So the Card Planet boss is going away.
Good work, Justice.
Now, do the Joker's Stash.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Ben, always great to have you back.
Good to be here, Dave. A story came by. This is about: recently, the United States House Oversight
and reform committee held some hearings on facial recognition technology.
And during those hearings, Representative Alexandria Ocasio-Cortez had some interesting comments to make here.
What does she have to say?
Yeah, this is the second piece of news I saw from AOC over the past week.
The first was I follow her on Instagram, and she got a dog named Deco, cute little pug.
Highly recommend following her Instagram stories.
On a more serious note, she used her five minutes at this House hearing to expose what she sees as the danger of pervasive facial recognition technology.
At a long hearing on the House Government and Oversight Reform Committee, the speeches can be kind of monotonous.
AOC is going to go at the end of these hearings because she's one of the most junior members of the committee.
And why I think her particular speech is important is she has a way of making these issues accessible to people who otherwise would never pay attention to what happens in a House Government and Oversight Reform Committee meeting.
And that's what happened here.
So she compared some of what the witnesses said about facial recognition technology
to Black Mirror, the dystopian sci-fi series.
She talked about how some mobile applications bolster their facial recognition systems
through things like Instagram filters,
which all of us use.
That's a source for real-time data
to be collected on us.
And she mentioned, I think this is an area
of particular interest to her,
about how facial recognition systems
fail most frequently when it comes to people of color.
There are consequences to that.
Those false accusations based on faulty facial recognition technology,
which in many cases is more prejudiced than we are as humans,
can lead to false arrests and incarceration.
So sometimes I think it's not necessarily the fact that Alexandria Ocasio-Cortez
is making a statement at these hearings.
It's the fact that only she can generate the type of publicity and notoriety that gets these types of remarks covered in the media.
Well, and so, yeah, I wanted to dig in with that with you because I think there's a couple of things here.
First of all, as you point out, her notoriety, whether you love her or you hate her, and there are certainly plenty of people on both sides of that story, she does generate headlines.
And so she has the ability to bring these things to light.
Right. She has the platform.
Another thing I'll say about her is she is very skilled in congressional testimony.
And this is, again, whether you love her or hate her.
I think a lot of her, you know, she's given five minutes to speak at every committee hearing,
but she's used that time to create a lot of viral moments, whether she's questioning bank executives,
whether she's talking about campaign finance. It's her remarks that go viral when the rest of the hearing has been an entire snoozer. Nobody wants to hear
the 85-year-old white guy who's never used a smart device in his or her life remark on the
dangers of facial recognition. Because she is this millennial member of Congress, I think her words
carry some additional notoriety. Again, whether you like her or hate her. And I certainly know people who both like
and dislike her very much. Yeah. Yeah. So I suppose you could say because of her age and
the fact that her age is unusual among folks in Congress, her youth, that perhaps she has some
credibility with these sorts of issues, being a digital native that
some other folks might not have. Absolutely. So she's part of the Facebook generation.
She also, a large part of her notoriety comes from her social media use. Her original campaign
in the Democratic primary for Congress was fueled by social media, producing viral videos that she
put on YouTube and on Twitter.
That's the only way you can beat an entrenched 14-term member of Congress,
which is what she was able to do in the primary. So she is sort of, her words on any digital policy carry more weight just because
she is this digital member of Congress.
She's the person who uses her Instagram stories to show the ins and outs of congressional life and congressional procedure in a way that I think we haven't seen before.
And that's why I think her placement on this particular committee, which conducts oversight, that means they often have the most contentious of all congressional hearings, was a really fortunate placement for her.
Yeah. Well, it's certainly an interesting dynamic to see play out here. Ben Yelin,
thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.