CyberWire Daily - Turla hijacks OilRig infrastructure. Bouncing Golf is no game. CISA panel recommends supply chain security reforms. AMCA driven toward bankruptcy by data breach. Florida town pays ransom.
Episode Date: June 20, 2019
Call it Waterbug or call it Turla, the Russian cyber operation has been hijacking Iran's OilRig cyber espionage infrastructure. Other cyber campaigns also afflict Middle Eastern targets. A US panel convened by CISA has some recommendations for supply chain security. An ad agency inadvertently exposes sensitive personal data. A bankruptcy filing in the AMCA breach. And Riviera Beach, Florida, decides to pay $600,000 in ransom to decrypt its files. Johannes Ullrich from SANS and the ISC Stormcast podcast on DNS security issues. Carole Theriault returns with an interview with ethical hacker Zoe Rose, who shares her advice for women working in cyber security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_20.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
Call it Waterbug or call it Turla,
the Russian cyber operation has been hijacking Iran's OilRig cyber espionage infrastructure.
Other cyber campaigns also afflict Middle Eastern targets.
A U.S. panel convened by CISA has some recommendations for supply chain security.
An ad agency inadvertently exposes sensitive personal data.
A bankruptcy filing in the AMCA breach.
And Riviera Beach, Florida decides to pay $600,000 in ransom to decrypt its files.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 20, 2019.
A Russian espionage operation, Waterbug, which others refer to as Turla, appears to have hijacked Iran's OilRig infrastructure, also known as Crambus, according to Symantec. The activity falls into three distinct campaigns: one using Meterpreter, another a hitherto unremarked backdoor, Neptune, and a third a backdoor that executes PowerShell scripts without PowerShell.exe.
Symantec doesn't attribute Waterbug or Crambus to any nation state, but notes that press reports have done so.
In any case, Symantec thinks that Turla opportunistically stole credentials from OilRig in January of 2018
and has since then used OilRig's infrastructure to stage its own espionage operations in the Middle East and elsewhere.
It appears that OilRig did not react to the hijacking,
which Symantec says is the first such spy-versus-spy hijacking it's seen.
Trend Micro is also describing a cyber espionage campaign that afflicts targets in the Middle East.
The researchers call it Bouncing Golf,
and they say it shows some
significant similarities to the earlier Domestic Kitten campaign. Domestic Kitten has been generally
attributed to Iran. Check Point fingered Tehran for Domestic Kitten last September.
We received an email late yesterday from CISA, the U.S. Department of Homeland Security's
Cybersecurity and Infrastructure Security Agency, outlining recommendations on information and communication technology,
that is, ICT, supply chain security. The recommendations are the work of the CISA
organized ICT Supply Chain Risk Management Task Force. The full set of recommendations
are expected to be posted soon, but in outline, the task force proposes a
reform of U.S. federal acquisition regulations to incentivize purchases from original equipment
manufacturers and their authorized resellers only. Why does this matter? It matters because going
down the path the CISA panel recommends might help resolve certain tensions involving acquisition
rules that strongly encourage agencies and contractors to make low-cost
an overriding factor in procurements.
To take one example we've heard about from Control Global's Unfettered blog,
counterfeit Yokogawa transmitters,
in general use with electrical power distribution process sensors,
are widely available, and Yokogawa warns that they're even for sale on eBay.
They're pretty convincing knockoffs made in China of Yokogawa's real McCoys. One might well worry
about the likelihood that counterfeit goods are low-quality junk, but of course there's the
additional concern that there could be deliberately induced vulnerabilities in them. And of course,
their presence on eBay would suggest that anything
you buy from the web isn't necessarily coming from an authorized vendor. The Defense Appropriations
Act says that for commercial off-the-shelf, that is, COTS equipment, you're supposed to buy low-cost
devices and buy them from the internet wherever possible. So policy would seem to have an
inconsistency. The authors of the bill have their hearts in the right place.
You don't want to spend more than necessary on a commodity device,
but in this case economy is at war with security and perhaps even safety,
as is usually the case if you have inconsistent preferences,
in this case supply chain security and lowest costs,
you can usually be induced to take a sucker bet.
The demand for cybersecurity professionals shows no signs of slowing down.
So how can those of us who enjoy success share our experience and wisdom with those who aspire to join us? Our UK correspondent Carole Theriault files this report.
So I dedicate a lot of time to educating people on how to be safer online
through podcasts like this one, speaking at schools and events and so on.
Zoe Rose is an ethical hacker based in the UK,
and she too is very involved in helping people be safer online.
I asked her about her experiences and what advice she had for young people,
especially women who might want to get into the industry.
Here's Zoe Rose.
Reality is, I mean, if you look back,
before there was all this technology in our lives
and we were coding through, you know,
sheets of paper that have holes punched in it.
But if you looked at it, those people,
the majority of them were women.
If you watch the Hidden Figures
movie, those women were the computers, you know, they were the ones doing all the technical. So
it's not really unique to women. But I think it's more the cultural change of where we've made that
assumption that it makes us unique. And so I think identifying to young people that actually,
it does come naturally, and you're not, it's not going to be ridiculously challenging for you to
get into it, because you probably have a good understanding. Do you feel that women are treated
differently in the industry? What I've noticed is, in the beginning, I found it very challenging.
This is more than 10 years ago, mind you. But I was told by one organization, they don't hire
women because they're too distracting to men. I've had, yeah, I know. I told them to stop hiring
children. I've also had situations where I've had to block colleagues and, you know, remove them from my life because they've become very uncomfortable and I've felt unsafe.
But what I've noticed was in those situations, it was the top down that was allowing that culture to exist.
Right.
It wasn't everybody thought that.
It was that senior leadership didn't say anything
or actively participated in that belief.
And actually, finding organizations that aren't like that,
I mean, back then I found it very challenging,
but now I find it actually quite a bit easier.
And when I find an organization I potentially want to work for, I look at how senior leadership, you know, approaches this.
So I don't know if it's easier now because I'm much more knowledgeable and secure and, you know, know a lot more than I did 15, 20 years ago. My instincts say to me that the environment is changing for the good.
And it is, I think it's easier for women to get into the industry now than it may have been.
But at the same time, there's probably going to be new challenges now.
Definitely. So last year, I spoke in Sri Lanka.
And what really stood out to me, and the reason I bring this up, is I presented,
I think I called it "in the life of an ethical hacker," and afterwards I got a lot of young men, school age to just
about graduate, and the young men came up and they're like, oh, I'm going to be the most elite
pen tester, I'm going to be the coolest hacker, and none of them talked about their skills or
anything. They just talked about how they're going to be super elite.
And then these two young women came up to me
and they were like, you know what?
Actually, it was really cool hearing your talk
because I never thought I'd be good enough to be a hacker
or I'd be good enough to be a programmer.
I really thought that I just don't have the skill.
So I was talking to them about their experience
and my goodness, Carole,
these two young ladies are more advanced, more intelligent than I could ever dream to be.
They were so skilled. It was bloody impressive. And I was thinking about it after and I was like,
looking at the males and how, you know, confident they were that they were going to take over the world. Whereas these two young women, they were highly technical, but
didn't think they were. They were very intelligent, very hardworking. And yet they still worried that
they wouldn't be good enough. It is really refreshing to hear about young people that
understand that in order to become really good at something, it takes a lot of patience and work and skill. And that's how you develop the skill
by just dedicating yourself to it. Definitely. I mean, my background is networking, network
architecture, and then I went into network security, and then I went to cybersecurity.
So I admit that I've got gaps in my knowledge. I mean, I was never a programmer, and I would never
say I am. And that to me is vital, because people will come to me and be like, how can I be the best programmer?
And I'll be like, honestly, I'm not going to be the most effective person.
So here's the people that you should speak to because they're brilliant.
I like what she says about women and technology having always been intertwined and that women tend to really work on their skills before they get into the industry.
This could just give them a bit of edge.
This was Carole Theriault for the CyberWire.
vpnMentor found an exposed database, now secured, belonging to Florida advertising agency X Social Media.
The database contained business and personal information concerning medication side effects,
defective infant care products, injuries attributable to pesticides, medicines, or medical devices,
and U.S. veterans' combat wounds.
Much of X Social Media's ad business is said to lie with law firms cultivating class action suits.
A data breach can swiftly kill a company.
Over the past two and a half weeks, we've been following the American Medical Collection Agency breach, that's AMCA,
that spilled data belonging to medical testing and diagnostic companies.
AMCA says it began to suspect a breach in March when it was warned that unusual credit card activity suggested that its data might have been compromised.
That breach was publicly revealed on June 3rd when Quest Diagnostics disclosed it in an 8-K filing.
Now, AMCA and its parent company are going under.
Retrieval Masters Creditors Bureau, Inc.,
AMCA's corporate parent,
on Monday filed for Chapter 11 bankruptcy
in the U.S. Bankruptcy Court
for the Southern District of New York.
The action is the result of the AMCA data breach that affected Quest Diagnostics,
LabCorp, and BioReference Laboratories.
The filing suggests that this is the first step toward orderly liquidation.
Loss of business, immediate costs of response, and the costs of notification
were more than AMCA could handle.
The company's four biggest customers, LabCorp, Quest Diagnostics, Conduent, and CareCentrix,
either terminated or substantially curtailed their relationship with AMCA.
The costs are also worth reviewing.
The Chapter 11 filing says the company had already spent $400,000 hiring outside consultants
to find and fix the causes of the breach.
The expense of notification that good practice and regulation required were even heavier.
AMCA had to assume, it says in the filing, that all the data on its servers had been compromised,
which meant that it had to notify some 7 million individuals. That cost $3.8 million.
It also had to cut jobs, dropping its headcount from the 113 employees it had at the end of 2018 to just 25 as of Monday.
The data breach has been an instructive case of third-party risk.
It's now also an instructive case of a cyber attack killing off an entire small business.
The City Council of suburban Riviera Beach, Florida, voted unanimously to pay ransomware extortionists $600,000 to recover city files. The AP reports that the town
understands it's a crapshoot. Even paying may not get them their files back. WPTV points out that
backups would have been cheaper. An expert the television station quotes put it this way,
Grandma has backups of her photos.
Why does a city of this size not have backups?
He's got a point.
We don't want to minimize the friction involved in such good practices as regular secure backup,
but it's surely less trouble and far less expensive than finding 600 grand in Bitcoin
to fork over to some sleazy hood.
On the side of Riviera Beach, well, it's in Palm Springs County, and it's got about 35,000
residents, which doesn't strike us as all that big, really. After all, Baltimore has more than
600,000 people living in it, and Charm City wasn't backing up its stuff either.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Institute, and he also hosts the ISC Stormcast podcast.
Johannes, it's always great to have you back.
We wanted to discuss today some issues with DNS security.
There's been some talk about DNS cookies and things like that, but you have some specific issues you wanted to address today. Yes, you probably have heard and you mentioned in your
podcast a couple of times these sort of attacks against DNS recently, like the Sea Turtle attacks.
What essentially happened is that an attacker got into a company and organizations, a DNS administrators system,
and then changed DNS settings.
Now, DNSSEC is often thrown around
as sort of a cure against these problems,
which, well, is actually not really true
because if an attacker has access
to your DNS admin system,
they typically can also fix the DNSSEC records to a match. And one problem in the
past really has been that DNSSEC is sort of one of those great protocols. Actually, whoever designed
DNSSEC did it just right from a security point of view. They first worried about security,
then they worried about usability, and that's exactly DNSSEC's problem. It's very secure,
but it's really difficult to use it correctly. The only way you really can use it in any practical means is usually if you just
let your registrar worry about it, like GoDaddy, Google, they all have a little checkbox enabled
DNSSEC, all is good at this point. But DNSSEC really doesn't prevent a lot of real ongoing problems at
this point. Now, to help with this a little bit, there is now a simpler feature that was added to
DNS recently. And that really has been getting some support. For example, the latest version of
Ubuntu with its version of the BIND name server is supporting it.
And that's DNS cookies.
So not DNSSEC.
Instead, we're using these DNS cookies.
Great thing about them, there's really nothing you have to configure.
They're sort of just a checkbox you enable.
They enable themselves.
They configure themselves for the most part.
And they really solve one big problem, and that's the spoofing of DNS queries.
This is part of what DNSSEC tried to be a little bit about, but really did a bad job about really addressing the entire issue with DNS spoofing.
So DNS cookies are really trying to prevent this particular attack and are doing a reasonably good job about this. So DNS cookies, very easy to
implement. They're solving real problems, not as good as DNSSEC, but then again, easy to implement.
So for most people, would this be a good enough solution?
That's really what this is about. It's good enough. And the other attack it really prevents is all these denial-of-service attacks that we have with DNS that rely on spoofed DNS queries. DNS cookies don't totally avoid these attacks, but at least they mitigate some of the effects of these attacks.
All right. Interesting development.
Johannes Ullrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity
teams and technologies. Our amazing
Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carole Theriault, Ben
Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John
Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.