CyberWire Daily - Stopping Cobalt Strike abuse. Leaks are mingled with disinformation. Google offers advice for board members. Securing cars and their garages. CISA releases ICS advisories.
Episode Date: April 7, 2023
Preventing abuse of the Cobalt Strike pentesting tool. US investigates a leak of sensitive documents related to the war in Ukraine. Hacktivist activity continues. Google's advice for boards. Electronic lockpicks for electronic locks. Nexx security devices may have security flaws. Tesla employees reportedly shared images and videos from Teslas in the wild. Matt O'Neill from US Secret Service discussing investment crypto scams. Our guest is James Campbell of Cado Security on the challenges of a cloud transition. And CISA releases seven ICS advisories.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/67
Selected reading.
Stopping cybercriminals from abusing security tools (Microsoft On the Issues)
Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands (CyberScoop)
Ukraine War Plans Leak Prompts Pentagon Investigation (New York Times)
DDoS attacks rise as pro-Russia groups attack Finland, Israel (TechRepublic)
Perspectives on Security for the Board (Google Cloud)
Thieves Use CAN Injection Hack to Steal Cars (SecurityWeek)
How thieves steal cars using vehicle CAN bus (Register)
Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it (Graham Cluley)
Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know (Naked Security)
Special Report: Tesla workers shared sensitive images recorded by customer cars (Reuters)
CISA Releases Seven Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Preventing abuse of the Cobalt Strike pen testing tool,
the U.S. investigates a leak of sensitive documents related to the war in Ukraine.
Hacktivist activity continues.
Google's advice for boards.
Electronic lockpicks for electronic locks.
Nexx security devices may have security flaws.
Tesla employees reportedly shared images and videos from Teslas in the wild.
Matt O'Neill from the U.S. Secret Service
discusses investment crypto scams.
Our guest is James Campbell of Cado Security
on the challenges of a cloud transition.
And CISA releases seven ICS advisories.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 7th, 2023.
Cobalt Strike, a legitimate penetration testing tool, has often been abused by cyber criminals.
Microsoft's Digital Crimes Unit, in collaboration with cybersecurity company Fortra and the Health Information Sharing and Analysis Center, that's the Health
ISAC, is taking legal and technical measures to disrupt illicit versions of Cobalt Strike
and abused Microsoft software. Microsoft says the cracked software has been used in more than 68
ransomware attacks targeting healthcare institutions around the world, which, in Microsoft's words,
have cost hospital systems
millions of dollars in recovery and repair costs, plus interruptions to critical patient care
services, including delayed diagnostic, imaging, and laboratory results, canceled medical procedures,
and delays in delivery of chemotherapy treatments. Microsoft stated, on March 31, 2023, the U.S. District Court for the
Eastern District of New York issued a court order allowing Microsoft, Fortra, and HealthISAC to
disrupt the malicious infrastructure used by criminals to facilitate their attacks.
Doing so enables us to notify relevant internet service providers and computer emergency readiness teams
who assist in taking the infrastructure offline,
effectively severing the connection between criminal operators and infected victim computers.
In full disclosure, Microsoft is a CyberWire partner.
The New York Times reports that U.S. authorities are investigating
an apparent leak of sensitive information concerning plans for U.S. support of Ukraine.
The files have been circulated in Twitter and Telegram by Russian accounts.
A significant fraction of the information seems genuine,
although some, at least, of that could be inferred from publicly known open sources,
and genuine enough to prompt an investigation.
Other data, notably casualty estimates, appear to have been falsified in the Russian interest, with Russian casualties
understated and Ukrainian casualties exaggerated, and these seem to represent an admixture of
disinformation, which may be the principal point of their publication.
Tech Republic offers a summary of trends in Russian hacktivism.
Finland has become a recent target, as it became a member of NATO this week.
And Anonymous Sudan has stepped up activity against Israel. The nominally Sudanese group appears to be acting in alignment with Russian interests,
if not actual direction.
Google has released a report titled Perspectives on Security for the Board,
highlighting how corporate boards can best navigate cybersecurity and cyber risk.
First, cyber risk should be viewed through the lens of business risk. Google references the
National Institute of Standards and Technology's
cybersecurity framework, which can be useful for boards in reference to cyber.
The framework comprises five core tenets,
identify, protect, detect, respond, and recover.
Google also notes that it is imperative to understand the connection
between threat intelligence and risk mitigation.
To do this, Google advises boards to ask CISOs three questions. How good are we at cybersecurity?
How resilient are we? And what is our risk? Google also advises a bold and responsible approach to AI,
saying that boards and CISOs should work together to secure, scale, and evolve their AI
approaches. Overall, Google recommends getting up to speed, being engaged, and staying in the loop
as sound practices for board members overseeing the management of cyber risk. Automobiles have a
controller area network bus called the CAN bus, and that bus can be compromised.
The technique requires physical access to the automobile. Ian Tabor, an automotive security
expert of EDAG Group, decided to do a forensic analysis to find out how his car was stolen,
Security Week reports. He discovered that his headlight had been destroyed and the wires had been pulled out.
The Register writes that Tabor investigated and found that various systems had seemingly failed
or suffered faults. The faults were generated as the thieves broke into a front headlamp and
tore out the wiring and used those exposed connections to electrically access the CAN bus.
He concluded that the thieves probably used a hacking device that used the car's controller area network bus
to inject false codes to start the car and open the door.
You can buy the hacking hardware on online criminal markets.
Security Week writes that such hacking devices can be acquired on dark websites
for up to $5,500,
and they are often advertised as emergency start devices that can be used by vehicle owners who have lost their keys or automotive locksmiths.
These devices seem to be specific to car makes, which limits the thief or locksmith who uses them to one brand of cars.
For this method, car thieves still have to make physical contact with the car,
and so experts recommend taking proper physical security measures.
When purchasing a smart security system,
buyers assume that the security of the system itself can be assumed as a given.
There is always, however, an inherent risk associated with connecting security devices to the larger internet. And since we're talking about cars, here's a risk to the garages we park
them in. Sam Sabetan, an independent cybersecurity analyst working with CISA, posted on this issue,
writing, I discovered a series of critical vulnerabilities in Nexx's smart device product line,
which encompasses smart garage door openers, alarms, and plugs.
These vulnerabilities enabled remote attackers to open and close garage doors,
take control of alarms, and switch smart plugs on and off for any customer.
This is the last thing users would expect when installing a security device.
Sabetan's blog explains the vulnerability, noting that Nexx's servers fail to verify if the bearer token in the authorization header corresponds to the alarm trying to connect,
and that the MAC address for each device is the same as the device's serial number,
which means that an attacker can register an already registered device and effectively take control of it.
Nexx has not so far patched the vulnerability.
Sabetan recommends that Nexx users deactivate their devices
and write the company requesting a fix.
There are some new industrial control system advisories out.
Yesterday, CISA released seven ICS advisories affecting systems from JTEKT, Industrial Control
Links, Korenix, mySCADA, Hitachi Energy, and Rockwell Automation. Users should take a look
and apply the fixes and mitigations the vendors have on offer. And finally, back to cars, in this case the privacy associated with using them.
Several former Tesla employees admitted that they used to share pictures and videos
from cameras installed in Tesla electric vehicles from 2019 to 2022,
as reported by Reuters on the 6th of April.
These cameras are installed to enable driver safety and automated driving. The media ranged from videos of naked Tesla owners walking
to their cars to an image of a user's garage. Why one would approach one's car naked is not
explained. Among the higher-profile images captured were shots of a James Bond
submersible car, allegedly captured inside Elon Musk's garage. It's no secret, formally at least,
that Teslas collect and report images. Tesla states in its customer privacy notice,
we want to be very clear that in order for fleet learning camera recording to be shared with Tesla, Reuters reports that the computer program that Tesla employees used at work
could show the location of recordings,
which would seem to provide less anonymity than customers might expect.
Knowing how a company uses your data is important,
and experts recommend that as onerous as logging through the documents may be,
users should read terms of service and privacy notices.
As the great American philosopher Mr. Tom Waits put it,
the large print giveth and the small print giveth away.
Coming up after the break,
Matt O'Neill from the U.S. Secret Service discusses investment crypto scams.
Our guest is James Campbell of Cado Security on the challenges of a cloud transition.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
James Campbell is CEO and co-founder of Cado Security and a former GCHQ analyst.
I spoke with him about cloud security, the challenges people face,
and the things that can be overlooked during a cloud transition.
It's kind of a double-edged sword because the pace in which you can adopt technologies
or people can take advantage of those new technologies in cloud tends to outpace the speed of which security considerations come into play.
So a lot of organizations are playing catch up, so to say, when it comes to understanding the cloud,
the complexities it brings when it comes to the security side of things. So there's lots of kind
of blind spots there. I guess the other thing to consider as well is that,
you know, I think a lot of people come to the cloud
thinking that their traditional approach to monitoring
and security kind of transfers from the kind of on-premise,
you know, traditional on-premise environments to cloud,
but it doesn't necessarily translate in the same way.
So, you know, there's a lot to learn there.
And this is where kind of gaps start appearing when it comes to security and risk.
What are some of the things that folks typically overlook
as part of this transition?
Good question.
Probably two parts to this answer really, or two examples I can give.
One is the understanding of the shared responsibility model.
Some people come to the cloud taking into consideration,
or thinking at least, that it's the cloud provider's responsibility for security.
But that's not necessarily the case.
And I don't think a lot of people understand where does the line stop from a responsibility perspective and what do they need to look after.
While the cloud provider has a responsibility to provide resiliency
of the underlying services and infrastructure,
ultimately the security of the environment you set up
is your responsibility.
And so I think a lot of people kind of get a little bit confused
about where that gap lies or where that line is, I should say.
So it's good to really understand that.
And I guess the second part is, particularly with new technologies,
cloud is amazing.
So you move to the cloud to embrace the cloud, right?
So you wouldn't just use it like an expensive data center
where all your data is just sitting there on thousands of virtual machines.
What you would probably look at if you're fully embracing the cloud is the use of serverless
technologies like containers and ephemeral infrastructure, Lambda functions, as an example,
just for AWS as one example, auto-scaling groups for your virtual machines.
So you're only using the resources that you need, which ultimately,
you know, for especially large enterprises, you're saving millions of dollars a year.
But this comes with an added risk, which, you know, is one of the gaps that I mentioned,
where, okay, so we're in the cloud, we have containers or virtual machines kind of spinning up and down as we need them. What happens if I had a detection for something suspicious
on a virtual machine that's part of an auto-scaling group?
What happens if that system is only alive for 15 minutes?
How is my team going to investigate that suspicious activity
by the time that data gets recycled and deleted?
So these are the points or the pain points
that people are starting to understand
as their understanding of the cloud is maturing.
That's a really fascinating insight. I'm curious, from your perspective,
you all do cloud incident response. So what are the specific challenges you face
doing incident response in that environment?
I think it's a couple of things.
One is, cloud can be a lot more complex than people think.
I think a lot of things are available at your fingertips, which is great.
But it can also mean a lot of customer environments tend to be
a little Wild West, so kind of shadow IT style, where you have
lots of technical people with lots of technology at their fingertips.
It's very easy to deploy systems,
very easy to deploy new databases, etc.
And so keeping across all that is very difficult to do.
And so if you don't have a tight grip on it at the start,
a lot of customer environments tend to be hundreds of root accounts
and hundreds of different services they didn't know even existed.
And so navigating the complexities of that is quite hard,
particularly if you have, say, a detection or you need to respond to something in an environment,
trying to find out where that asset is, who has access to it,
and how do I get to that data so I can investigate what's going on as soon as possible.
It's really, really hard.
And that's kind of one of the problems we try and help customers with is how do you
kind of automate that?
So how do you embrace the cloud in a way to solve the problem as well through automation
and take away some of those complexities?
So that's definitely a big one there.
And the other big one there is definitely around containers and ephemeral infrastructure.
So your assets spinning up and down, terminating, recycling,
all that data is churning very quickly.
And so as part of that automation story,
how do you make sure you're retaining that data
or the useful bits of it when you need it most,
especially if it's only alive for 15 minutes at a time.
What are your recommendations then
for folks to operate most efficiently,
most effectively,
and best to defend their cloud infrastructure?
Any general words of wisdom?
I think it's a big question, really.
There's lots you can do, obviously.
But I think it's really, truly getting a grip of your cloud estate.
So truly understanding the assets or technologies you're using in your cloud estate
and being aware of the controls you have in place.
And also, you need to ask yourself as well,
just having kind of your high-level detections or kind of visibility from that perspective is one thing,
but what do you do next if something happens?
How do you gain access to that data?
How do you actually investigate?
What mitigating control do I need to put in place?
And I think a lot of people tend to stop at the point of saying, right, I have
my data in the cloud, my cloud is set up, I have my policies in place, I have asset
visibility, and then something
happens. And then quite quickly, they're in a world
of trouble where they're trying to contract out a third party who knows about
how to deal with cloud incidents, etc. I think a lot of people have really got to exercise
and understand the full,
I guess, go through the motions of the attack lifecycle, so to say,
all the way from that preparation to the exploitation and what
you do to mitigate such things in the cloud.
That's James Campbell from Cado Security.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro and sign up for
Interview Selects, where you'll get access to this and many more extended interviews.
And I'm pleased to welcome back to the show Matt O'Neill.
He is Deputy Special Agent in Charge for Cyber with the U.S. Secret Service.
Matt, welcome back.
Thank you for having me.
So I want to touch today on something that I know is a focus for you and your colleagues.
These are investment crypto scams,
sometimes referred to as pig butchering. I know that's not your favorite term here, but that's what some people refer to it as. What exactly are we talking about here? Can you describe it for us?
Sure. So what will happen is victims will be contacted largely through social media,
dating sites, sometimes even just text messages.
And they will try to get the victim to invest in this out-of-this-world crypto investment scheme.
And they'll provide with really good sort of graphical interfaces to show you how much money you're making.
Now, keep in mind, you don't know this person at all.
You've never met them. But the ROI
for a lot of these investments appear to be so good that it's tempting to a lot of individuals.
And I think with this sort of lack of knowledge, generally speaking, about cryptocurrency and how
it works, but people read the news and see that, oh, this person made a ton of money in crypto,
then it encourages folks to invest. And so what will happen is once you start investing a little
bit, you'll get access to a platform. It'll look like a traditional investment account.
And then, of course, you're going to look like you're making a lot of money. So that's going
to encourage you to spend more money, invest more money. And then the idea of pig butchering is you get them to invest all of
their money and then you basically pull the rug out of them. And that's where the butchering sort
of comes into. How does something like this begin? These typically start as a romance scam or a
friendship. This is more of a long game kind of thing, right?
Sure.
So it will start either through, like you mentioned, romance scams,
or through just through social media platforms,
whether it's Instagram, LinkedIn, Facebook, you name it.
It could come through there.
A lot of times it's important to know that
we have a high degree of self-disclosure. We tell everybody everything about what we're doing on a
daily basis for us to see that and leverage that against you to give you this sort of feeling of,
oh, well, this person knows me. I'm comfortable. They're just taking advantage of the information
you've already provided to them to develop what you believe to be a relationship.
And then whether it's a professional or personal relationship, and then that will sort of lower your guard a little bit to invest in whatever they're asking for. It's key to know that if you
are involved and the statistics are off the charts for the amount of reported fraud. And we actually think it's even underreported.
It's over $2 billion last year. The key to know is first contact law enforcement,
federal law enforcement, us, Secret Service, FBI, just contact somebody, report it to the IC3
website. But also if you've invested money already and you ask to withdraw your money and they say,
well, you have to pay a fee,
you're not going to get your money back and you're just going to give them more of your money.
So that's something that is hard to hear. But the reality of these types of cases is
they have already spent your money, but they've moved it on. This is transnational organized
criminal groups. And there is no real meaningful way for you to get
your money back. The best scenario is to contact your federal law enforcement agency to try to at
least get involved in the process to try to disrupt and dismantle these organizations.
I was going to ask, I mean, if someone reaches out to you, they find that they've been
a victim of something like
this, what sort of resources do you bring to bear to try to help? So we work with the Department
of Justice. We're a global organization, so we will work with our foreign offices and our
foreign partners through groups like Europol to try to affect arrests, but also asset forfeiture. For a couple
years, I ran our asset forfeiture branch, which in my view is one of the best in the world at
recovering funds for victims. And so depending on where the money is currently sitting, if it is at
a virtual asset service provider, like a cryptocurrency exchange that honors legal
process, there is a slight chance, but there is a chance that the money could be frozen
and then returned through the asset forfeiture process back to the victim.
What is the message that you want to get out here for folks? I mean, our audience, I think,
probably considers themselves fairly sophisticated, but then there's always friends and family and relatives
and folks who may not be so sophisticated.
Is this largely an educational process too
of letting people know these things are out there
and to warn them of it?
Yes, I believe so.
I think the key components are the first is
never invest with a complete stranger.
Make sure that you've actually met the person in person
before you start investing.
Do some research as to figuring out yourself
whatever cryptocurrency is that they're claiming to be investing in.
All of that information is readily available.
Do your own research.
And then if and when you're currently in one of these situations and you're trying to get your money back and they're asking for additional money, do not send them additional money.
Please reach out to your local law enforcement, federal law enforcement, and get us involved as quickly as possible.
We might not be able to get your money back, but we're trying to build out sort of the larger ecosystem of where these fraudsters are. And any piece of information is very helpful. All right. Well, Matt O'Neill
is Deputy Special Agent in Charge for Cyber with the U.S. Secret Service. Matt, thanks so much for
joining us. Thank you.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Sahar Abdelnabi from CISPA Helmholtz Center for Information Security.
We're discussing their work, a comprehensive analysis of novel prompt injection threats to application-integrated large language models.
That's Research Saturday. Check it out.
The Cyber Wire podcast is a production of N2K Networks, proudly produced
in Maryland out of the startup studios of
DataTribe, where they're co-building the
next generation of cybersecurity teams
and technologies. Our amazing
Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash,
Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Jason Cole, Ben Yelin,
Thanks for listening.
We'll see you back here next week.
Thank you.