CyberWire Daily - Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. Facebook Papers to be reviewed and released. NSO Group’s troubles.

Episode Date: November 23, 2021

Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. A Gizmodo-led consortium will review and release the Facebook Papers. Ben Yelin on our privacy rights during emergency situations. Our guest is Ric Longenecker of Open Systems to discuss how ransomware attacks represent the number one threat for universities. And NSO Group may not recover from current controversy over its Pegasus intercept tool. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/225

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Tardigrade malware infests the U.S. biomanufacturing sector. GoDaddy suffers a significant data breach. A Gizmodo-led consortium will review and release the Facebook Papers. Ben Yelin on our privacy rights during emergency situations.
Starting point is 00:02:16 Our guest today is Ric Longenecker of Open Systems to discuss how ransomware attacks represent the number one threat for universities. And the NSO Group may not recover from current controversy over its Pegasus intercept tool. From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Tuesday, November 23rd, 2021. Bio-ISAC, the Bioeconomy Information Sharing and Analysis Center, yesterday released a report on malware it calls Tardigrade, named after the moss piglet, or, if you prefer, water bear micro-animal, and which it describes as the work of an advanced persistent threat, that is, a nation-state intelligence service. Tardigrade appeared this spring when it hit BioBright's manufacturing facility. It resurfaced in an October attack.
Starting point is 00:03:27 There are some similarities with the SmokeLoader malware, familiar since 2011, and those similarities are enough for Bio-ISAC to assess Tardigrade as a member of the SmokeLoader family. SmokeLoader, which MITRE calls a malicious bot application that can be used to load other malware, has been involved with what Bio-ISAC describes as, quote, multi-purpose tools that include keylogging, information theft, botnet support, and backdoor access, end quote. But there are some significant differences that show Tardigrade as having evolved beyond its parent malware. Quote, previous SmokeLoader versions were externally directed, dependent on C&C infrastructure. End quote. Bio-ISAC says, whereas, quote, this Tardigrade version is far more autonomous, able to decide on lateral movement
Starting point is 00:04:18 based on internal logic. End quote. It's also good at immediate privilege escalation to the highest level. And Tardigrade is more than polymorphic malware. It is, Bio-ISAC says, metamorphic, by which they mean it seems to be able to recompile the loader from memory without leaving a consistent signature. Recompiling occurs after a network connection in the wild that could be a call to a command and control server to download and execute the compiler. This gives the malware an unusual level of autonomy. The malware is installed either by infected email software, malicious plugins, malvertising, general network infection, or contaminated removable media like USB drives. Wired says Tardigrade seemed curiously indifferent to whether they were actually paid. Tardigrade proved more advanced than it appeared, evasive, persistent, and clearly
Starting point is 00:05:11 interested in more than ransom. Bio-ISAC says the malware is spreading through the biomedical sector, which suggests that some intelligence service is actively scouting the U.S. biomedical industry. There's no further attribution available at this time. While it's unclear which nation-state might be responsible for Tardigrade, Bio-ISAC offers some speculation on the motive, which it bases on the malware's behavior. The main role of this malware, the ISAC's report says, is still to download, manipulate files, send main.dll library if possible, deploy other modules, and remain hidden. First, Tardigrade's operator seems interested in stealing intellectual property from the biomanufacturing industry. The second objective seems to be staging, battlespace preparation, and establishing persistence with a view toward further operations.
Starting point is 00:06:02 Finally, the researchers think that at least some of those subsequent operations may have been ransomware attacks. Bio-ISAC offers recommendations for organizations in the biomedical sector that may be at risk. First, review your biomanufacturing network segmentation. Run tests to verify proper segmentation between corporate, guest, and operational networks. Most facilities use remote logins with shared passwords to operate key instrumentation. Enforcing segmentation is essential. Second, work with a biologist and automation specialist to create a crown jewels analysis for your company. Ask: if this machine were inoperable overnight, what would be the impact?
Starting point is 00:06:45 And how long would it take to recertify this instrument? Third, test and perform offline backups of key biological infrastructure. That should include, the ISAC says, ladder logic for biomanufacturing instrumentation, SCADA, and historian configurations and batch record system. Finally, inquire about lead times for key bioinfrastructure components, including chromatography systems, endotoxin, and microbial contamination systems. That final point is worth considering when studying the risks associated with any industrial system. Many components may need to be replaced after a successful attack,
Starting point is 00:07:25 and they're not always immediately available right off the shelf. Domain registrar and hosting company GoDaddy has disclosed in an SEC filing a major data breach affecting up to 1.2 million active and inactive managed WordPress accounts. The breach began, GoDaddy believes, on September 6th. The company discovered it on November 17th, and investigation remains in progress. The essential points of the disclosure are these.
Starting point is 00:07:54 Quote, The original WordPress admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords. For active customers, SFTP and database usernames and passwords were exposed. We reset both passwords. For a subset of active users, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers. End quote. GoDaddy's security team believes the attackers used a compromised password
Starting point is 00:08:26 to access GoDaddy's provisioning system for its managed WordPress service. Gizmodo has announced its intention to release, to responsibly disclose, as Gizmodo puts it, the Facebook Papers first reported by the Wall Street Journal and provided to committees of the U.S. Senate. The Facebook Papers record internal discussions of the design and operation of Meta's Facebook and Instagram platforms, recently controversial over allegations that their very design conduces to the spread of hate, misinformation, and material that's harmful to minors. Gizmodo and its partners at New York University, the University of Massachusetts Amherst, Columbia University, Marquette University, and the American Civil Liberties Union will be sifting through the material and releasing it as they complete their review. The responsibility in the disclosure lies in the group's avowed intention to avoid perpetuating harm. Quote,
Starting point is 00:09:21 We believe there's a strong public need in making as many of the documents public as possible, as quickly as possible. To that end, we've partnered with a small group of independent monitors who are joining us to establish guidelines for an accountable review of the documents prior to publication.
Starting point is 00:09:39 The mission is to minimize any costs to individuals' privacy or the furtherance of any harms while ensuring the responsible disclosure of the greatest amount of information. There's also an acknowledgement that simply dumping the material, which was provided by Facebook whistleblower Frances Haugen, could cause harm in other systemic ways. Quote, End quote. It's worth remembering in this context that whatever the company's other faults may or may not be, Facebook's record of exposing coordinated
Starting point is 00:10:31 inauthenticity, the deliberate use of bogus accounts by mostly governments to spread disinformation, has been seen as a positive one. And finally, the headwinds NSO Group faces appear to be blowing harder. The intercept tool vendor was sanctioned earlier this month by the United States, and reputational damage continues to press the company. Bloomberg reported yesterday afternoon that Moody's Investors Service cut NSO Group's rating to Caa2, which is eight degrees below what's considered investment grade. The company, Moody's says, faces a risk of default on approximately $500 million in debt. NSO Group's cash burn is expected
Starting point is 00:11:13 to continue for the remainder of the year as it loses customers and as U.S. sanctions begin to bite. Among the big accounts NSO Group has lost as revelations of the controversial use of its tools emerged was, MIT Technology Review reports, the government of France, which was nearing a decision to acquire the company's Pegasus intercept tool before it backed out. News that French politicians were among those on other nations' Pegasus target lists did not help the company's sales. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:06 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:48 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:44 Universities find themselves in the crosshairs of ransomware operators, and given their size and the complexity of their mission, it's not surprising. Ric Longenecker is CISO at Open Systems, a provider of managed detection and response products. He joins us with insights on the challenges universities face. You've got anywhere between one and, you know, 20,000 students on a campus, you know, people in an interesting time of their lives. I remember back in the day when I was in school, Napster, other things, right? So you can definitely have a lot of different things, research, you know, you could say hackers among the students, etc.,
Starting point is 00:14:23 activists, etc. So it just makes the whole bit with the university, you know, having a large student population quite interesting. And at the same time, especially, you know, at many universities now, I mean, they're obviously a great source of IP innovation and other things all over the world. And so that makes things quite interesting and quite, from an IP perspective. And if you look at the other end of things, they typically have, you know, reasonable endowments or sponsorship based on the university. So you also know that, you know, there's a bit of funding or a way to get something of value out of them monetarily.
Starting point is 00:15:05 And on top of it, they all hate bad publicity. Yeah, I mean, every university wants to maintain the absolute best publicity they can, best reputation. And so they're interested in handling problems, you could say, sometimes internally, right? You can even relate that to, you know, athletic associations and other things. And cyber is the same, right?
Starting point is 00:15:27 People want to know that their kids are going to a good university, handle security well. And then from the other end, many universities don't necessarily fund or have the IT teams or be able to recruit the right IT teams that you might be able to see at, let's say, a Fortune 500 or something. Some countries and some places around the world, I've been a pretty global guy. I worked for the UN for a while on things. They actually have CERTs, Computer Emergency Response Teams for their universities. But especially we see in the States, we don't necessarily have that because we have so many
Starting point is 00:16:03 universities and it's so widespread across states. So it really kind of represents a unique problem where you've got this pot of people on a campus that can present some very interesting challenges for an IT team that need to maintain a great reputation. And then on the other end, maybe the IT teams that aren't necessarily capable of handling the problem and not a lot of, you could say, government or centralized guidance or support in order to actually manage and meet the problem. So it's kind of the perfect storm. It really strikes me that, you know, particularly for a large university, that it is – it's like a little city. I mean, they're providing housing and food and transportation, you know, heating and air conditioning, you know, all of the basics of everyday life. And within that complexity is a long list of potential targets. has like an immediate potential to impact people. You know, if you talk about safety, other things, and fully operations. I mean, if you look at during COVID, almost every university had to transition like every business to completely virtual operations.
Starting point is 00:17:16 Well, let's talk about some recommendations there for how universities can get in front of this. Talking about MDR specifically, is there a benefit for organizations who are taking advantage of managed detection and response that that MDR provider likely has a view into many organizations beyond their own? So that sort of shared incoming information benefits everybody. So many organizations are presented that unless they invest millions,
Starting point is 00:17:47 they can't actually set up an ops and fusion center, et cetera. They just can't keep up with it. And so many organizations right now, including universities, just have a million security tools. I mean, there's a thousand new cyber startups in Israel this year. I think last year or the year before, somebody said that there was different studies that are out, and there's more than 9,000 cyber companies. And just especially at, you could say, a university perspective, there's the possibility to bring
Starting point is 00:18:14 a lot of different options in. And that literally makes it difficult to provide focus and actually to dwell on what you actually need. And if you look at actual threat intelligence from a single university to digest that, create that, et cetera, even if you take in feeds and make different integrations, whether it's STIX or MISP or something else, and that are the news every day. And a lot of the UN agencies, just like academia, don't necessarily talk to each other. So when an incident happens in one place, it's not necessarily communicated in the other.
Starting point is 00:18:53 And indicators of compromise, IOCs are shared. But just like a lot of government and the education sector, it's not necessarily shared within a rapid period of time. And I even go back to my time there when I was in Geneva, Switzerland, and WannaCry, NotPetya, was happening. At the time, we didn't necessarily have a CERT completely organized or a SOC. And so we relied on outsourced services. And actually, that's just the continued way of actually working.
Starting point is 00:19:25 As I mentioned before, it takes time to do this. The education sector kind of has the same thing. If you have a provider that would work across a number of different sectors and or partners with other companies, and that really, really can be beneficial to the team who has a lot of other things to deal with in their digital journey. That's Ric Longenecker from Open Systems. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:20:11 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben.
Starting point is 00:20:59 Hello, Dave. An article caught my eye over on the Washington Post. This is written by Drew Harwell, and it's titled, Data Bro pieces or billions of pieces of location data for the District of Columbia to use as part of their public health efforts during the pandemic. Here's my question. To what degree do our civil rights, do our privacy rights go out the window when we are in an emergency situation? I think we can agree, certainly the onset of the pandemic was an emergency situation. So what happens then? Well, frankly, it's a major concern. At the federal level, there are reasonable constraints
Starting point is 00:21:57 on emergency powers, depending on the circumstances. At the state level, just based on our constitutional system, states have the power to protect the health, safety, and welfare of their citizens. And that certainly makes its way to emergency powers. I know at least in Maryland and in almost all states, the governor's powers as it relates to emergencies are relatively limitless. Once there's a declared emergency, in most circumstances, the governor can control ingress and egress from a particular area. They can issue mandatory curfews, quarantine in isolation. They can suspend, in most states, any law or statute that is inhibiting the emergency response. And in some other circumstances, I know this is true in Maryland,
Starting point is 00:22:44 they can actually compel people who have experience in healthcare services, so doctors, nurses, et cetera, to get on the front lines against their will and participate in a public health response. Wow. So these powers are extremely broad, and there's been a concern with the COVID-19 pandemic. Yes, it's been a real-world emergency. You know, we've lost 700,000 people, so you can't minimize the impact of it. But how long are we going to be under these emergency conditions? Most states are still under some version of a declared disaster, an emergency declaration, which gives their governments pretty broad powers. And, you know, taking a somewhat pessimistic view on this, we're probably going to be dealing with COVID in one way or another
Starting point is 00:23:30 for at least the next several years. And, you know, there are going to be these cycles of uptick in case, and then people get boosters, and there's a downtick. But that means, you know, we might not see a cessation of these emergency declarations, and that will allow states and localities like the district did here to do things that might not be kosher in the absence of an emergency. So that's something that people have to be concerned about and be vigilant about. Well, let's talk about, I mean, this case in particular,
Starting point is 00:23:59 we're talking about location data gathered by our mobile devices. Right. about location data gathered by our mobile devices, could an argument be made that gathering this kind of data is less intrusive than setting up checkpoints? You know, like when you're trying to establish whether or not people are obeying things you put in place for social distancing, for staying at home, those sorts of things, if you can do that in a passive way, could that perhaps be less unsettling to the community than having people out on the streets with guns, you know, enforcing this sort of thing? Am I, is this at all a decent argument in your mind?
Starting point is 00:24:43 It is a decent argument. The flip side to that is it's not as effective of a tool because there really isn't an enforcement mechanism. You can get data on people's traveling habits. So it looks like there are a lot of cell phones at this frat house in Georgetown. Right, right. It looks like they're not observing isolation and social distancing policies. Okay. But that data is not – there are ways to de-anonymize it, as we know, but it is anonymized at least in its raw form. And according to the Electronic Frontier Foundation, their researchers, they looked into this data.
Starting point is 00:25:19 They were the one that submitted the FOIA request. There hasn't been an abuse or there hasn't been alleged abuse from law enforcement and how they've handled this data. So it is less severe. It is less restrictive than having boots on the ground, sending in the National Guard, etc. Is this something that we would want to continue indefinitely? I think that's a separate question. But yeah, I think it's absolutely less intrusive than many of the other methods that were used or could be used to enforce public health measures. What would be the methods by which the state's ability to do these sorts of things in an emergency situation could be dialed back? There have been proposals that have passed in a limited number of states. I think they've probably been proposed in every single state by the state legislatures
Starting point is 00:26:05 to rein in governor's powers during an emergency. We saw this effort in Maryland. It went nowhere, but it was proposed. There are probably a dozen or so bills that sought to curb the governor's emergency powers.
Starting point is 00:26:17 So for example, a governor could declare an emergency for 30 days, but after 30 days, it would have to be ratified by the state legislature in one form or another. Otherwise, that declaration would be discontinued. I see. Or just revising emergency powers to take some, you know, certain powers away from the governor. So maybe things like,
Starting point is 00:26:37 you keep things like controlling egress and ingress from an affected disaster zone, keep that, but do away with compulsory service for health workers. You can try and dial down some of the specific powers. But this would be a third rail that the feds would stay away from, right? The state powers. It is, yeah. I mean, it really is not the federal government's role. This is the states under our constitutional system have primary responsibility in responding
Starting point is 00:27:07 to emergencies. The federal government's role is quite limited. It's really through the Stafford Act, you can request money for a disaster declaration. And FEMA certainly, when we're talking about a multi-state emergency, they play a role in coordination. And when we're talking about COVID, things like the CDC, that comes into play. But in terms of emergency response and bringing the hammer down in terms of government regulations, that is really something that happens at the state level. Frankly, no matter who your governor is, I would say it's unlikely a governor is going to sign a bill in most circumstances limiting their own powers.
Starting point is 00:27:46 Right, right. So, you know, that's the type of thing you're probably going to need a veto-proof majority for, for something like that. All right. Well, interesting stuff for sure. Ben Yelin, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:28:23 sign up for Cyber Wire Pro. It will save you time and keep you informed. Also, listen for us on your Alexa smart speaker. team is Elliot Peltzman, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Trey Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided
