CyberWire Daily - Taliban seizes HIIDE devices. T-Mobile customer data compromised. Ransomware attack against Brazil’s Treasury. Social engineering espionage. Ransomware vs. sewers. IoT bug disclosed.
Episode Date: August 18, 2021
The Taliban now has, among other things, a lot of biometric devices. T-Mobile concludes that some customer data were compromised in last week's incident. InkySquid's in the watering hole. Brazil's Treasury sustained, and says it contained, a ransomware attack. Siamese Kitten's social engineering on behalf of Tehran. Sewage systems hacked in rural Maine. Josh Ray from Accenture Security on what nation state adversaries may have learned from observing the events surrounding Colonial Pipeline. Our guest Manish Gupta from ShiftLeft looks at issues with the Software Bill of Materials. And an IoT vulnerability is disclosed, and mitigations are recommended. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/159
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
Air Transat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout.
That's joindeleteme.com/N2K, code N2K.
The Taliban now has, among other things, a lot of biometric devices.
T-Mobile concludes that some customer data were compromised in last week's incident.
InkySquid's in the watering hole.
Brazil's treasury sustained, and says it contained, a ransomware attack.
Siamese Kitten's social engineering on behalf of Tehran.
Sewage systems are hacked in rural Maine.
Josh Ray from Accenture Security on what nation-state adversaries may have learned from observing the events surrounding Colonial Pipeline.
Our guest Manish Gupta from ShiftLeft looks at issues with the software bill of materials.
And an IoT vulnerability is disclosed and mitigations recommended.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, August 18th, 2021.
Some have warned that one of the more unpleasant consequences of the swift Taliban overthrow of the Afghan government over the weekend would be the new rulers' access to equipment and information left behind by their predecessors.
One seizure combines both risks.
Among the materials seized by the Taliban in Afghanistan are biometric registration and identification devices that had been used by the former government, The Intercept reports.
The Handheld Interagency Identity Detection Equipment, HIIDE for short, was used for such tactical purposes as checkpoint control and also in broader programs like the preparation of identity documents.
The biometric modalities collected by HIIDE include iris scans and fingerprints.
The larger centralized databases to which the devices were connected held, and possibly still hold, biographical information on a large number of individuals whose biometrics had been registered by HIIDE.
How much of the data the Taliban will be able to access remains unknown for now.
T-Mobile has determined that in fact customer data were accessed by attackers, presumably those who advertised late last week in a dark web market that they had the goods for sale.
The data affect just under 48 million customers.
No pay card or other information appears to have been compromised, T-Mobile says, but what was lost is serious enough.
In the worst cases, not all 48 million, but in the worst of those, the data included customers' first and last names, date of birth, Social Security number, and driver's license ID information.
The company is in the process of alerting affected individuals.
We'll have more notes on this incident, along with some security industry reaction, in this afternoon's Pro Policy Briefing.
Volexity yesterday reported that the North Korean APT it tracks as InkySquid, also known as APT37 or ScarCruft, has compromised the NK News site into a watering hole serving BLUELIGHT malware as its payload.
NK News is a legitimate South Korean outlet focused on news about the DPRK.
ZDNet reports that the Brazilian government has disclosed that a ransomware attack hit the National Treasury Friday,
but without structural damage to trading platforms.
The Ministry of the Economy said in a statement that it took prompt steps to contain the effects of the attack once it was discovered and that it intends to be as transparent as possible about the incident.
The federal police are investigating.
Trading in treasury bonds, according to the Brazilian report, remains unaffected.
Security firm ClearSky has an update on the operations of Siamese Kitten, an APT associated with the government of Iran that's also known as Lyceum and Hexane, which continues an espionage campaign that began in 2018 and targets organizations in Israel.
It proceeds by social engineering, typically with an approach to employees of IT and other tech or communication companies that offers a bogus job.
The immediate goal is to direct the target to a site where they are induced to install a malicious payload, in recent cases an upgraded backdoor called Shark, through which the Danbot remote access Trojan is downloaded.
The initial targets appear to be a means to an end, with Siamese Kitten interested in using them to pivot into their real targets.
To lend plausibility to their approach, Siamese Kitten's operators impersonated websites belonging to legitimate companies: ChipPC, an Israeli IT firm, and the large German tech company Software AG.
Neither firm, needless to say, is complicit in the imposture.
Think your local sewage system is too small to attract the interest of threat actors?
Think again.
The wastewater systems of Mount Desert and Limestone, two towns in the U.S. state of Maine that are nobody's idea of a metropolis, were hit with separate, successful ransomware attacks last month.
The town sewer authorities said no ransom was paid,
no data lost, and best of all, no service interrupted.
But it's an interesting cautionary tale.
The ransomware didn't affect control systems,
but it did induce the authorities to temporarily take some alerting mechanisms offline.
And what was the point of infection? An obsolete Windows 7 computer that was still in use.
Operators told SecurityWeek it was due to be replaced anyway, and presumably by now it has been.
The incident shows the surprising persistence of legacy hardware in control environments.
It got the attention of Aroostook County.
Limestone Water and Sewer District Superintendent Jim Leighton said, quote, it was a bad thing for us, but a good thing for the county. Everyone took notice and did things to their computers so they couldn't be hit, end quote.
So good, and now flush in tranquility when you're Down East.
And finally, in the you-may-not-be-interested-in-the-IoT-but-the-IoT-is-interested-in-you department.
Security firm Mandiant has published a report disclosing vulnerabilities it found in IoT devices that use the ThroughTek Kalay network.
ThroughTek, headquartered in Taipei, claims that some 83 million devices, a great many of them cameras and monitors, connect through this network.
The vulnerability could enable an attacker to authenticate as a target device and collect feeds from that device through the network.
Mandiant has worked with both ThroughTek and the U.S. Cybersecurity and Infrastructure Security Agency to develop mitigations for the issue.
CISA summarizes these in three steps.
First, minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
Second, locate control system networks and remote devices behind firewalls and isolate them from the business network.
And last, when remote access is required, use secure methods, such as virtual private networks, recognizing that VPNs may have vulnerabilities and should be updated to the most current versions available. Also, recognize that a VPN is only as secure as the connected devices.
Note that last point about VPNs: only as secure as their connected devices.
As useful as it may be, a VPN isn't a foolproof cloak of virtual invisibility.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
cybercriminals to bypass your company's defenses is by targeting your executives and their families
at home. Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your
executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
There's been a good amount of speculation lately about whether upcoming cybersecurity legislation might include requirements for a software bill of materials, a sort of manifest tracing the various components of deployed applications to their sources.
For insights on the potential pluses and minuses of such a requirement, I checked in with Manish Gupta, CEO at code security platform provider ShiftLeft.
So by asking a software vendor to provide the list of thousands of dependencies, okay, I think we are largely just checking the box and saying, yes, we acknowledge that this is a risk.
And by requiring you to communicate, at least we are ensuring that you, as a software vendor, are looking inside your house and seeing what dependencies you are using.
But if we were to try and figure out how actionable this is, I think that is where the new executive order, in my mind, fails that test.
So imagine I'm a customer and the vendor provides me thousands of dependencies.
Okay, great.
So what am I supposed to do?
Should I be going and looking at each of these software dependencies
to find out whether it's vulnerable?
Well, let's say I go ahead and do the work, or maybe the vendor gives it to me.
Well, the next question is, of course, for me as a customer to ask the vendor,
hey, when is it going to be that you will fix all of these?
You will upgrade to dependencies that don't have vulnerabilities.
And given the fact that the vendor hasn't done this yet, and the process of upgrading dependencies, unfortunately, Dave, is non-trivial. It can take weeks, sometimes months, to upgrade a dependency.
And so the reason the software vendor has not upgraded, it is a business decision.
He is acknowledging that he's more willing to take the risk that comes by using this dependency as opposed to taking the time that is required to upgrade this dependency.
So I think what we're, and unfortunately not all dependencies are the same, you know, a software dependency is in and of itself a piece of software which has multiple functionalities.
So an application could be using a part of that dependency and not the entire software dependency.
So really we should be asking the question, well, is the component, the part of the software dependency that you're using, is that vulnerable? And as a result, is your application vulnerable? Because that is the crux of the question that between the two parties we're trying to establish, right?
It shouldn't matter to us a whole lot if the application is using vulnerable software dependencies or not, if we knew very accurately the answer to the question: which one of these software dependencies actually makes the application vulnerable?
Hmm.
Is there an element of risk here when it comes to mixing different components? In other words, I'm sort of thinking like, you know, if I want to clean my kitchen or my bathroom and I can choose to use bleach or I could choose to use ammonia, but I better not use both of them at the same time, right? Because then I get mustard gas. I mean, do similar things exist in the software world where one or the other may come with their own risks, but when you put them together, we really need to be careful about combining these things?
Great, great question, Dave. You're absolutely right. And that is precisely what we have to do: if a software is, as we discussed earlier, the supply chain, i.e., it's a blending together of multiple components, as we do that, as we create this new concoction, we have to analyze that concoction.
We cannot be just analyzing piece parts because your example is great.
Stand alone, these two things are perfectly benign.
Mixed together, we've got a volatile mixture.
Same thing here.
Stand alone, these dependencies are fine.
But when you mix them along with the functionality that the company desires and has codified using custom code,
that is when everything comes together
and we have, voila, a vulnerable application.
And so, you know, yesterday, the industry was very focused on, which is what I referred to, right? Sort of, we've had this technology to tell us which vulnerabilities that I'm using are vulnerable.
We've had it for 15 years.
And it was great yesterday.
But today, we can start using more sophisticated mechanisms, more sophisticated technologies to analyze the entire application with its bits and parts.
That's Manish Gupta from ShiftLeft.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray. He's Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it is always great to have you with us.
You know, I wanted to check in with you kind of in the aftermath of the Colonial Pipeline situation here.
I wanted to get your take on what people can take away from this, particularly how are some of our adversaries going to look at the way we responded to this?
Yeah, thanks, Dave, and thanks for having me back. And I've actually been thinking a lot about this and really what our nation-state level adversaries have likely learned from observing how we've responded during the events surrounding the Colonial ransomware incident.
And if it wasn't apparent before, it should be very clear to everyone now that critical infrastructure absolutely needs to have the highest levels of protection and needs to be the most resilient from a security posture standpoint.
You know, when I looked at some of the stories
in the news of our responses to this from an individual point of view, you know, you like to think that we as a society are strong and resilient and all those good things.
And yet we saw plenty of footage of people running out and hoarding gasoline and, you know, responding contrary to the ways that our leadership would ask them to.
That sends a message as well.
It absolutely does. And I realize that a lot of time and effort will be spent on after actions, specifically focused on not just the victim organization, but also the broader industry.
And that absolutely needs to happen, right? And this could have happened probably to multiple organizations. But I'm not trying to be an alarmist here.
But from a strategic standpoint, I'm really concerned about what the next attack could look like.
If I'm a bad guy, I think the fact is that I now have direct evidence of how much economic, societal, and, to your point, psychological impact a single well-placed ransomware attack can have.
So how do we take that knowledge, you know, the sort of now that we know what they know,
how do we roll that into where we go from here?
That's a great question. And I think just, you know, think about this for a second. You know, what if this had been just a little bit more coordinated and included the targeting of, say, a major fuel transport company in addition to a pipeline company?
Now I've just significantly disrupted plan B. And you can extrapolate that, and I'm sure, you know, listeners can as well, to many more nightmarish supply chain scenarios with wide-ranging impacts.
But the point is this.
I think, first, we really need to get serious about preparedness.
And I think the time is now for those wide-ranging public and commercial, multi-sector, multi-industry, real-world cyber exercises that focus on critical infrastructure and their supporting supply chains.
And secondly, companies can't wait for the regulations to drive the action.
They need to take a proactive approach and partner with their critical suppliers to conduct those wide-ranging, realistic simulations.
And these can't be paper-thin compliance checkbox assessments.
They have to be intelligence-driven adversary simulations that really drive those tangible business and, for all of our sake, national cyber resilience outcomes.
Are you seeing indications that those sorts of things may be happening? Are we seeing responses from government, from private industry saying, hey, this was a bit of a wake-up call and changes need to be made?
Yeah, absolutely. I do think the executive order is a good first step. And I think that, you know, companies can and should, you know, take many of those directives to heart and start with the implementation. But, you know, you combine SolarWinds with this last incident, and I think any company or any board that is not taking cybersecurity very seriously now and understanding where they sit in the broader ecosystem, both from a shareholder value standpoint and from a national interest standpoint.
Those two scenarios alone should drive action, and hopefully we'll see some tangible results at the end of it.
All right.
Well, Josh Ray, thanks so much for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.