CyberWire Daily - The Port of Nagoya continues its recovery from ransomware. Charming Kitten ups its game. Spyware in the Play store. Risks to electrical infrastructure. And a quick update on hacktivist auxiliaries.
Episode Date: July 6, 2023
LockBit 3.0 claims responsibility for Nagoya ransomware attack. Charming Kitten sighting. Spyware-infested apps found in Google Play. Threats and risks to electric vehicle charging stations. Solar panels and cyberattacks. Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, to talk about CISA's effort for companies to build safety into tech products. Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. And hacktivist auxiliaries remain active in Russia's hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/127
Selected reading.
Pro-Russian hackers target Port of Nagoya, disrupting loading of Toyota parts (The Japan Times)
Port of Nagoya resumes operations later than planned after Russian hack (The Japan Times)
Ransomware Halts Operations at Japan's Port of Nagoya (Dark Reading)
Nagoya Port Faces Disruption After Ransomware Attack (Infosecurity Magazine)
Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware (Proofpoint)
Two spyware tied with China found hiding on the Google Play Store (Pradeo)
EV Charger Hacking Poses a 'Catastrophic' Risk (WIRED)
Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks (SecurityWeek)
The Continued Expansion of Cyber Incidents by Non-State Actors in the War in Europe (OODA Loop)
Russian railway site allegedly taken down by Ukrainian hackers (Record)
Transcript
You're listening to the CyberWire Network, powered by N2K.
LockBit 3.0 claims responsibility for Nagoya ransomware attack.
A Charming Kitten sighting.
Spyware-infested apps found in Google Play.
Threats and risks to electric vehicle charging stations. Solar panels and cyber attacks.
Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA,
about CISA's effort for companies to build safety into tech products.
Rick Howard sits down with Clarke Rodgers of AWS
to discuss the mechanics of CISO roundtables.
And hacktivist auxiliaries remain active in Russia's hybrid war.
I'm Tré Hester, filling in for Dave Bittner with your CyberWire Intel Briefing for Thursday, July 6, 2023.
The port of Nagoya resumed some container operations Thursday as it restored normal services in the course of recovering from Tuesday's ransomware attack. Bloomberg reports
that five terminals are returning to operation. The Japan Times quoted the Nagoya Harbor
Transportation Association as saying that LockBit 3.0, the well-known Russian ransomware gang,
has issued a ransomware demand, thereby claiming responsibility for the disruption.
TechMonitor notes that LockBit 3.0, a ransomware-as-a-service gang, has been unusually active over the past week.
Its other victims include Taiwanese chipmaker TSMC, as well as a range of organizations in the Netherlands, Spain, Canada, and the United States.
The amount LockBit 3.0 has demanded remains unknown.
Proofpoint researchers have been tracking the Iranian threat group TA453,
also known as Charming Kitten,
and have observed it deploying Mac malware
and replacing Microsoft Word malicious macros with LNK infection chains.
The approach begins with patient social engineering,
contacting targets with benign emails.
The hook is set only later.
Proofpoint explains in its conclusion that TA453 continues to significantly adapt its infection chains
to complicate detection efforts and conduct cyber espionage operations against the targets of interest.
The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters.
TA453's willingness to port malware to Mach-O also demonstrates how much effort the threat actor is willing to put into pursuing targets.
Regardless of the infection method, TA453 continues to deploy modular backdoors
in an effort to collect intelligence from highly targeted individuals.
Pradeo has notified Google that its researchers have discovered two malicious apps in Google Play.
Both of them represent themselves as file management tools, and both of them serve as
spyware. They launch without user interaction, and they send exfiltrated data to servers in China. They look legitimate, they run unobtrusively, and they're difficult to
uninstall. The two apps between them have a million and a half downloads, and the data the
apps collect and transfer include user contact lists from the device itself and from all connected
accounts such as email and social networks, media compiled in the application, meaning pictures,
audio, and video
contents, real-time user location, mobile country code, network provider name, network code of the
SIM provider, operating system version number, which can lead to vulnerable system exploits like
the Pegasus spyware did, and device brand and model. Electric vehicle charging stations are
arousing concern about potential vulnerabilities that could have a larger impact than just the particular station or the car that's charging there.
An article in Wired describes the potential impacts of vulnerabilities affecting electric vehicle charging stations.
Ken Munro, a co-founder at Pen Test Partners, told Wired that his top concern was with vulnerabilities that could allow attackers to stop or start chargers en masse,
which could destabilize electricity networks. Munro said, quote,
We've inadvertently created a weapon that nation-states can use against our power grid.
End quote. Munro says legislation in the United Kingdom could serve as a model for lawmakers in the U.S. The U.K. requires EV charging stations to have a randomized delay functionality of up to 10 minutes,
which would mitigate the impact of thousands of charging stations turning on at the same time.
Munro also stated that you don't get that spike, which is great.
It removes the threat from the power grid.
Other electrical technology is also susceptible to cyber attack.
SecurityWeek reports that hundreds of instances of solar power monitoring product Contec SolarView
are still affected by an actively exploited vulnerability described by Palo Alto Networks last month.
An exploit for the vulnerability, CVE-2022-29303, has been public since May 2022.
Researchers at VulnCheck found 600 SolarView instances exposed to the Internet, 400 of which are vulnerable.
VulnCheck states, quote,
When considered in isolation, exploitation of this system is not significant.
The SolarView series are all monitoring systems, so loss of view is likely the worst-case scenario.
However, the impact of exploitation could be high, depending on the network the SolarView hardware is integrated into.
For instance, if the hardware is part of a solar power generation site, then the attacker may affect loss of productivity and revenue by using the hardware as a network pivot to attack other
ICS resources. End quote. And finally, turning to the cyber phase that the hybrid war Russia
has launched against Ukraine, OODA Loop has an overview of non-state actors' recent
cyber operations in the war. Activists operating in the Ukrainian interest have devoted some
attention to interfering with Russian rail traffic. The rail operator RZD disclosed yesterday in its
Telegram channel that its website and mobile app had been taken down by a cyber attack.
The Ukrainian IT army claimed responsibility. Belarusian dissidents have
also been active. The Belarusian cyberpartisans claim to have successfully intruded into the
systems of the Belarusian State University, wiping systems and shutting down domain controllers.
The university acknowledges having problems, but denies having come under a cyber attack.
Its problems are due to technical issues, the university says.
And pro-Russian hacktivist auxiliaries have also stayed busy. NoName057's DDoSia project is directed against Ukraine and
that country's supporters in the West. It also hit one domestic victim, Russia's Wagner Group,
whose sites were attacked as the Wagnerites' weekend mutiny was underway.
Coming up after the break, Dave Bittner speaks with Eric Goldstein,
Executive Assistant Director for Cybersecurity at CISA,
about CISA's effort for companies to build safety into tech products. And Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables.
Stick around.
In another episode of our continuing series of interviews that our N2K colleague Rick Howard gathered at the recent AWS re:Inforce conference,
today, Rick speaks with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables.
Here's Rick.
The CyberWire is an Amazon Web Services media partner, and in June 2023, Jennifer Eiben,
the CyberWire's senior producer, and I traveled to the magical world of Disneyland in Anaheim,
California to attend their AWS re:Inforce conference and talk with senior AWS leaders about the latest developments in securing
the Amazon cloud. I got to sit down with Clarke Rodgers. He's a director on the enterprise strategy
team at AWS. And we got to talking about one of the perks of being a CISO, the old CISO dinner
roundtable format. This is where security vendors organize an intimate dinner, usually at some
swanky restaurant somewhere, and invite a
handful of CISOs and other kinds of InfoSec practitioners and thought leaders to gather
around a good meal and in a Chatham House kind of way, talk about the mutual problems that we all
face in the industry, meaning that whatever is said at the dinner table stays at the dinner table.
More importantly, CISOs can talk about successes and failures that they've had,
and others can learn from their experience. Out of all the things I do to stay current in the
cybersecurity industry, the CISO dinner is one of the things that I find most valuable.
I asked Clarke about the AWS version of this kind of event. The program is actually called the CISO
Circles. How can we get CISOs together to talk about issues that are common amongst all of
them? And then how can we help find solutions for them, right? So it could be something as simple as
maybe we need to build a service that would help them with whatever the issue is, or maybe they
need to discuss it amongst themselves for best practices. So it started in November of 2020.
We've gone year over year, adding more and more of them,
and now it's a global program.
And what's really interesting,
especially as I look at it as a former customer, right,
I used to be on the other side of that CISO desk
where, hey, come hear all about what CISOs are doing,
or here's our new security product,
whatever the case may be.
And it ends up always being at a very nice steakhouse.
Yeah, of course.
It's one of the perks of being a CISO.
That's right.
It's a very nice steakhouse.
There's usually a very flashy, well-done presentation
about whatever product or thing
that's going to save your day
from the bad and evildoers out there.
And more often than not,
you walk away with a bit
wider waistline, a little higher cholesterol in your blood, but you didn't really get anything
out of it, right? There was very little time for networking. You were the product almost at that
point just being sold to. So the counter to that is the CISO circles, where we listen to our customers and say,
what do you want to talk about? We also gather data from the attendees. What worked? What didn't
work? What would you like to hear next time? So we have a laundry list of different topics that
we get from people. And then that helps set up the next CISO circle. It's run under Chatham House
rule. So anything that you say in there can be used by
your peers that have learned from you. They just can't attribute it directly back to you.
So it's a safe space. They didn't mind that there wasn't a 14-inch steak for them. They were happy
with the turkey sandwich and the soft drinks, but they walked away having learned
something. They've learned something. They've made friends. They've made connections. And,
you know, they're going to meet up again at their respective cohorts. And it's really a fantastic
opportunity for customers. I used to do a bunch of these in a previous life, and I have some
definite rules for how you do them too, right? We kept the steak because, you know, you don't get
to look like this without the steak dinner, right?
But the room had to be perfect, right?
It had to be big enough to get everybody around the table
that you could all see each other.
Yep, the U-shape, yep.
U-shape or circle, it couldn't be really long, okay?
And the room had to accommodate all that.
You had to be able to turn the music off from the restaurant
so you could actually talk, right?
So that was a key ingredient.
Yep, yep.
And there was always one conversation.
When I was doing them, I would mediate,
and I refused to let the table break up into smaller parties.
We eliminated the panels, no presentations, nothing like that.
It was just the discussion.
I found more value in that than most of the things I ever did with other CISOs.
It was just fabulous.
But I do have a story.
You know, sometimes CISOs are shy.
They don't want to talk until you break the ice.
So when that would happen, I was doing these back when the Snowden thing was a big deal.
So I would just drop on the table, Snowden, traitor or patriot, discuss.
And, you know, that usually set the world on fire.
Yeah.
Fortunately, we have a good group of CISOs,
and they all have opinions on things.
That is true.
So we don't have to throw the Snowden bomb in the room.
Yesterday, you know, specifically,
we had a panel on, you know, a very popular topic with folks,
and that's security and AI, right?
So we had some AWS employees who just happened to be PhDs
in artificial intelligence.
So they really sort of laid the groundwork
for what it is and what it's not
and how to think about large language models, et cetera.
So as you can imagine,
that was quite a robust discussion around that.
The next session I actually ran,
and I brought in two leaders within AWS security
to talk about how they operate their own security programs.
So a lot of good feedback asking those questions about how does AWS do it.
And in one case, we had the CISO from Prime Video was on the panel.
So he was able to talk about how they do
it at Prime Video. So very interesting for folks. But it was the in-between conversations, you know,
that I would watch CISO A talking to CISO B and completely different industries, same problems,
you know, whether it would be culture or how do you think about zero trust or whatever the case
may be. And it works out very, very nicely to see that
and sort of foster that safe environment for them to do so.
Good stuff, Clarke.
Thanks for coming on the show and doing this.
Appreciate it.
Thank you so much for having me,
and I hope I'll see you at re:Inforce.
I hope to be there.
re:Invent later.
re:Invent, that's right.
Thank you, sir.
All right.
That's Rick Howard speaking with Clarke Rodgers of AWS.
And I'm pleased to welcome back to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at the
Cybersecurity and Infrastructure Security Agency. Eric, welcome back. I want to touch today on this
notion of security by default. I know that's something you and your colleagues at CISA have
been focused on. Can we start with some definitions here? What are we talking about when we say
security by default? Absolutely, Dave. So we really have two separate concepts here that we talk about at the same time, but they are worth
splitting up. The first is security by design. And what that means is that when a product,
a technology product, software or hardware, is being created, that it is designed, developed, and built in a manner that places security top of mind.
That the developers are using secure coding practices, that we are using memory-safe languages,
that the product is undergoing rigorous security testing, that we are dealing with vulnerabilities in the development chain,
not leaving it to beta testers to fix and find them for us,
or even worse, once it's fully pushed out to production,
making sure that security, again, is a paramount priority
in the software development process.
Let's separate that from security by default,
which means that when the product is being developed,
that it includes strong security controls baked in at no added
charge. This could be features like rigorous logging, both logging types and logging retention.
It could be multi-factor authentication. The nuances will depend on the product,
but the idea here is that security shouldn't be a premium feature. It should be something
that is baked in when a customer plugs in or installs the product. It should have the security features that are expected
for the nature of the product and the risk that we're all facing.
So how are you and your colleagues there at CISA moving this conversation forward?
The first key point here is really having a conversation about where we think as a country, the accountability for cybersecurity should lie.
And we know that historically, we've really focused on the victim.
When there's been an intrusion, we've often said, oh, well, a user at the victim clicked on a spear phishing email or the victim didn't patch that internet-facing server.
And, you know, that's a reasonable question that we should ask,
and of course, we should encourage good cyber hygiene by every enterprise. But we also have
to ask, well, given the resources of that victim, their maturity, the threats we're facing, was it
ever reasonable for that victim to be expected to shoulder the security burden that they're facing?
Or, in fact, should we look into the tech providers
to do a bit more, to make sure that perhaps
there are less prevalent vulnerabilities
in that internet-facing server
so that the enterprise could actually
manage their patching burden,
or maybe even get out of patching altogether?
Did the product have the right security features
so that the enterprise didn't have to think about
opting in to MFA or
installing a third-party service. It just came out of the box, working seamlessly, no more added
cost. And so by asking those questions of saying not just how did the breach occur, but also what
were the conditions in which it happened and was the apportionment of accountability there
right-sized to ensure that the victim could actually manage
that burden, that's the first place to start. Once we have that conversation, then we can have
more specifics. And, you know, we at CISA recently had, led by our director, Jen Easterly, an article
in Foreign Affairs, a speech at Carnegie Mellon University, and then more recently, a product that
we released with multiple international partners and our colleagues at FBI and NSA, really getting more specific on what customers should expect.
And so really, there's a two-sided conversation here.
The first conversation is with tech providers to understand perhaps what they think of as secure by design and secure by default and how they can get there through investments that they are already making in many cases.
And then there's the customer side.
How can we drive that market signal
so customers are asking the right questions
to drive the right kind of product safety features
and product security across the ecosystem?
To what degree do you think that this is an issue
of the maturation of that technology ecosystem?
I think about things like, I don't know, if I buy a toaster or a hairdryer.
We've been working on electricity for so long that the regulations are in place,
and I think consumers have a certain expectation that these devices are going to be safe.
Are we there yet with cyber or how do we
get to that point? I think maturation really is a part of it. And a big element is thinking about
cybersecurity as a fundamental safety issue. You know, if you mentioned toasters and hair dryers,
well, you know, those have security features because none of us want our houses burning down.
Certainly, when we think about how technology is used, not only across our infrastructure,
but in all of our homes, certainly, you know, adversarial misuse could result, and we've
seen in some cases, you know, really negative consequences.
And so we see at CISA, and I think the broader community is also aligned here as really a
fundamental safety issue.
You know, as you mentioned, Dave, we've seen in the past a lot of these changes in adoption
of strong requirements, strong controls have been driven by regulation.
We don't think that that is necessarily the only path here today.
We think that we can do a lot of work in the voluntary trust-based model that we in CISA
adopt.
And we think that if we can get specific enough about what are the characteristics of a safe technology product, we think that we can bring together providers and customers to send those market signals and drive the right change, even in the absence of or as a precursor to any sort of compulsion that's coming down the road.
Yeah, I guess when I look at the reality in today's marketplace, when a lot of folks will
just log on to Amazon or some kind of online retailer and find the cheapest home security
camera that they can, it seems to me like it's a bit of an uphill battle here. You and your
colleagues there have your work cut out for you. We certainly face a challenge, but we think the challenge is also the opportunity,
right? Because we know that, well, if the cheap product is the insecure product,
then those manufacturers should be driven out of the market. We think that those companies,
and there are dozens, hundreds of tech companies in America who are investing every day in their
product safety and product security.
Those are the products that should be bought and used on American networks, not those that are sold for a cut-rate price that are introducing insecurity. ... secure from those that aren't, well, that's an advantage to American companies.
That's an advantage to our economy,
to our prosperity, and to our innovation.
But we need to figure out how to really clarify
what safe and secure means
and then reflect to the consumer,
both the individual and the enterprise,
how to differentiate
so we can send those market signals
that incentivizes those companies
that are doing it right
and relegates those companies that aren't doing it right to go sell somewhere else.
All right.
Well, Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA.
Eric, thanks so much for joining us.
Thank you.
n2k.com. Your feedback helps us ensure we're delivering the information and insights that help you keep a step ahead in the rapidly changing world of cybersecurity. This episode was produced
by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me with original music by Elliott
Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpe,
and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.