CyberWire Daily - The big ransomware incident in the food-processing sector. US authorities seize domains used in Nobelium’s USAID impersonation campaign. Siemens addresses PLC vulnerabilities.
Episode Date: June 2, 2021
Food processing is also vulnerable to ransomware: the case of multi-national meat-provider JBS. The US and Russia are in communication about the possibility that the criminals responsible for the JBS incident might be harbored in Russia. Domains used in the USAID impersonation campaign have been seized by the US Justice Department. Our guest is Melissa Gaddis from TransUnion with results from their Global Consumer Pulse study. Joe Carrigan looks at criminals abusing online search ads. Siemens addresses a critical issue in its PLCs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/105
Transcript
You're listening to the CyberWire Network, powered by N2K.
Turns out food processing is also vulnerable to ransomware,
the case of multinational meat provider JBS.
The U.S. and Russia are in communication about the possibility that the criminals responsible for the JBS incident might be harbored in Russia.
Domains used in the USAID impersonation campaign have been seized by the U.S. Justice Department.
Our guest is Melissa Gaddis from TransUnion with results from their Global Consumer Pulse study.
Joe Carrigan looks at criminals abusing online search ads.
And Siemens addresses a critical issue in its PLCs.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 2, 2021.
JBS, the São Paulo-based multinational meat processing company,
sustained a ransomware attack on Sunday.
Company servers in the U.S. and Australia were hit,
inducing the company to shut down some operations in Australia, the U.S., and Canada.
Operations elsewhere were unaffected.
The company summarized the incident in a media release it issued the day after the attack.
Quote,
On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack,
affecting some of the servers supporting its North American and Australian IT systems.
The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals, end quote.
A follow-up announcement yesterday said that JBS had begun resumption of deliveries to its customers
and that a full recovery is in progress.
As far as the company has been able to determine,
no customer, supplier, or employee information was compromised.
JBS concluded that it had been hit by a Russian ransomware gang, and Reuters says communicated that conclusion to U.S. authorities,
who seem to have accepted it.
And while JBS didn't initially call the attack ransomware, the White House did.
The BBC cites White House spokeswoman Karine Jean-Pierre,
who yesterday said, quote,
JBS notified the White House that the ransom demand came from a criminal organization likely based in Russia.
The White House is engaging directly with the Russian government on this matter
and delivering the message that responsible states do not harbor ransomware criminals, end quote.
If they're betting on form, on a priori probability, that's not an unreasonable working theory, and JBS presumably has shared the ransom note.
Russia's Deputy Foreign Minister Sergei Ryabkov confirmed that the U.S. government had been in touch with Moscow.
There's no word on whether JBS has paid, intends to pay, or has refused to pay the ransom the attackers demanded.
JBS is a very big operation, currently the world's largest beef and poultry producer and the second largest pork producer, Bleeping Computer points out.
The FBI is investigating, as are law enforcement agencies in Australia, where the ABC reports
the Federal Agriculture Ministry is working to help bring JBS operations back online.
The Australian Cyber Security Centre is also rendering assistance.
Forbes describes the effects of the attack on JBS Canadian plants,
where facilities in Alberta and Ontario also suspended operations.
The industry publication Beef Central has an account of the effect a ransomware attack can have on a food processor. They wrote, quote, like all large meat processors, virtually every
part of the modern JBS processing business is heavily reliant on computer systems and internet
connectivity for record-keeping, regulatory documentation, sortation, and countless other functions.
The sector is one in which timing is vital to the supply chain,
and the effects of a disruption in a major supply quickly ripple through vendors and customers.
The Wall Street Journal quotes industry observers to the effect that a lot of frenzied buying of fresh commodities is underway.
The incident has also had an effect on commodities speculation.
Live cattle futures trading on the Chicago Mercantile Exchange fell on Tuesday,
with the most active cattle contract closing down Tuesday by 1.9%, to nearly $1.17 a pound.
The primary factor driving the contract down was the hack, livestock traders said,
raising the risk that some plants would be unable to purchase livestock.
Comparisons with the Colonial Pipeline incident have been widespread,
with Input Magazine providing a representative sample.
In both cases, a ransomware attack on a critical private sector
company induced that company to shut down operations while it contained and remediated
the incident. The attack on JBS was like that on Colonial Pipeline, brazen in that, as Recode
points out, they picked a high-profile target where an attack couldn't be quietly hushed up
or gone without general public
notice. This suggests that the gang really aren't particularly concerned about being detected and
pursued, and that seems to have been true in both cases, whatever implausible statements
Colonial's DarkSide attackers may have made about retiring from their criminal activities.
The Washington Post's Cybersecurity 202 quotes with
approval various experts who think this latest incident makes the case for mandatory industry
standards and more effective regulation even stronger than the Colonial Pipeline attack had
already rendered it. So the JBS hack will give Presidents Biden and Putin another possible topic of discussion during their upcoming summit.
The U.S. President is expected to bring up the SolarWinds incident and the more recent compromise of USAID's Constant Contact email account.
That second incident, described by Microsoft, SecureWorks, Minerva, and others, is seen by many as a supply chain incident,
and many are calling for U.S. action against the presumed Russian authors of the attack.
CISA and the FBI are being circumspect about attribution,
but industry researchers are not,
attributing the campaign to the threat actor variously called
Nobelium, APT29, Cozy Bear, and The Dukes,
or in plain organizational terms,
Russia's SVR, Foreign Intelligence Service.
Part of that action will be legal, as it has been in
past incidents. The U.S. Department of Justice yesterday announced the seizure of domains the
USAID impersonators used to control the Cobalt Strike tools they implanted in their victims' networks.
The action was taken on Friday, pursuant to an order issued by the U.S. District Court for the
Eastern District of Virginia. The announcement said, quote,
The National Security Division's Counterintelligence and Export Control Section
and the United States Attorney's Office for the Eastern District of Virginia are investigating this matter in coordination with the FBI's Cyber Division and Washington
Field Office, end quote. Here on the U.S. East Coast, Brood X cicadas are having an increasing impact on industry. For more on that, we go to the cicadas right outside our office door.
That was Brood X cicadas for the CyberWire. And finally, CISA has issued an advisory about vulnerabilities found and patched
in the Siemens SIMATIC S7-1200 and S7-1500 CPU families of programmable logic controllers.
Industrial cybersecurity firm Claroty's analysis of the vulnerabilities
calls them the holy grail of PLC vulnerabilities.
The memory bypass issues could permit attackers to write native code in the PLCs.
As CISA puts it,
quote,
If you operate Siemens PLCs, by all means, upgrade to the latest versions the company has provided.
The folks at consumer credit reporting agency TransUnion recently published their Global Consumer Pulse study, and it confirmed what many of us probably expected.
Attempts at digital fraud were way up throughout the pandemic.
Melissa Gaddis is Senior Director of Customer Success for Global Fraud and Identity Solutions at TransUnion.
Well, we track fraud, fraud trends, and the consumer survey has been conducted for years. But we were particularly interested a year or so ago in the impact that COVID and the pandemic was having on fraud, both via the surveys that we're sending out globally, as well as what we're seeing with our own transactions within our TruValidate solutions.
Do you have any sense for whether we expect to see this continuing as things settle down
post-pandemic? In other words, is this the shape of things to come, this shift towards
an increased focus from the bad guys on these types of fraud, or might we see things ease off
a little bit? I think we're going to see a few things. First, I don't think that we're going to
go back to where we were pre-pandemic. I think that people, the way we're
working is shifting. I think more people are going to be telecommuting. I think more businesses have
found a niche on being online where they wouldn't necessarily have gone as quickly as they did this
past year. Not 100%. Brick-and-mortar businesses are opening back up. People are going in person,
and there's a real value in that, but it's not going to go back to where we were before.
As such, there's more opportunity for fraud to be perpetrated. However, as businesses decide this
is their reality moving forward and their business model moving forward, we have seen a shift in businesses put protections in place.
Monitoring devices that are accessing their accounts, knowing that Melissa Gaddis usually logs in from one of the four devices I have on my desk right now, right?
Right, right.
But from Portland, right? And knowing when the anomalies kick in and questioning in real time,
you know, maybe putting in some friction to ensure that it is me if suddenly I pop up from,
you know, somewhere else in the world, which pre-pandemic would have been normal
because I traveled quite a bit and will again,
but they have to recognize that.
But as businesses put those protections in place,
which protect both the consumer and the business,
now it gets harder for the fraud to be perpetrated.
And therefore, again, going back to that return on investment, the fraudsters are going to find a different avenue. They're always going to find
a new avenue. So I think the fraud trends are going to start lowering, declining, but it's
not going to go back to where we were just because there's more avenues now. I do think, though,
that as the dust settles here, we will start seeing less of this younger generation getting targeted because now it's becoming the new norm.
People are going back to employment and that sense of desperation goes away or lowers.
People aren't going to fall for the phishing attacks like they have been in the past year.
That's Melissa Gaddis from TransUnion.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, over on Hacking Humans, we cover a lot of scams and social engineering things, all that stuff.
All that great stuff.
All that great stuff.
And, you know, I don't know about you, but there's a story over on The Verge written by Sean Hollister,
and it's titled Amazon is suing to stop SMS raffle scams.
Have you ever received one of these scams?
Why don't you describe to us
what's going on here, Joe? So it's a typical SMS scam. I like the way they call it smishing,
right? Because it's like phishing, but you use SMS instead of email. Right. So the victim receives
a text message. And in fact, the author, Sean, has received one such message and has a picture of it here. And what's interesting is it says, Amazon, colon, congratulations, Sean.
And then it says, you came in second in March's Amazon pod raffle.
Check the link or click the link to, click the link to, and then colon, it just has a
link.
Okay.
Right?
And it's one of those, it looks like it's one of those link shortening services.
Right.
But who knows what it is?
It could just be a link to the – because it looks like a random series of characters in the domain name as well.
Of course, when you click on the link, Sean actually did that.
It says, congratulations, today you have been chosen to participate in a survey.
And then it collects a bunch of information from you and then tries to get you to buy stuff from some other site that isn't Amazon.
And the speculation is that this SMS is being sent out by some affiliate of some other marketing organization.
So Amazon has filed a lawsuit against 50 unnamed people.
They're all John Does is what they're called.
Yeah.
And this tactic has worked in the past to help unmask these people.
So what they do is they get a Doe subpoena,
and then they start going after the senders of these messages
to try to find people.
In the past, they have found four people
and managed to get an injunction issued.
I don't know how effective that is.
In fact, they may find the same four people behind it right now. And Amazon says it's won at least $1.5 million in settlements. I'd like to
know how many of those 1.5 million they have collected. I would guess it's very close to zero.
Yeah. Well, and all that's chump change for Amazon.
Sure it is.
I think, I mean, part of the, what's interesting here is that that page that Sean clicked through to looks just like an Amazon.
I mean, it's branded with all sorts of Amazon stuff.
And that's actually the basis of the lawsuit is they're saying we're going after these people because they're using our logo.
And you know what?
I think Amazon should be doing this.
Number one, it's not just trademark infringement.
It's actually harming people
in Amazon's name.
And they should absolutely
be going after these people.
Yeah.
Reputational damage.
Right.
All that sort of stuff.
Yep.
Yeah.
Also, they make the point here
that it's also putting the word out
to other folks
who may be trying to pull off
these sorts of scams
that Amazon is going to try to come after you.
Right.
So you're going to have to be looking over your shoulder.
Yeah, absolutely.
And I'm not really one to say, yeah, I want companies going after people,
especially large, powerful, multinational, conglomerate companies
run by billionaires who send rockets into space coming after people. But in this case, I think Amazon's doing the right thing here.
I think they're doing what they should. They need to protect their image, which they're
entitled to do. More importantly, they need to protect the consumers. And this is definitely
something that moves in that direction. Yeah. And I guess also, obviously, the other part of this is that if you find yourself getting one
of these text messages, ignore it. Right. Absolutely. Yeah. But also, you know, spread
the word to your friends, family, loved ones, you know, your parents, all those folks, because,
you know, those of us who are in the know about these security things, we may raise our eyebrows and laugh that how could someone fall for this?
But as we talk about over on Hacking Humans,
people fall for these things all the time.
All the time.
And we can't blame the victim, can't make them feel bad about it.
The best we can do is equip them so that if they do get something like this,
they're educated to know what to do and to not do anything.
Right, and they just ignore it.
Exactly.
Block the sender.
Yep, absolutely.
All right, well, Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out the first free season of CSO Perspectives, our podcast hosted by my colleague Rick Howard.
It's available on our website, thecyberwire.com. Thanks for listening. We'll see you back here tomorrow.