CyberWire Daily - Uber sustains a major data breach. Notes on the underworld. A large DDoS attack is stopped in Eastern Europe. An FBI alert and a brace of CISA advisories. Congress deliberates cyber policy.
Episode Date: September 16, 2022
Uber suffers a data breach. Social media executives testify before Congress. A large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyberattacks against healthcare payment processors. Policy makers consider new OT security incentives. Malek Ben Salem from Accenture on future-proof cloud security. Our guest Diana Kelley from Cybrize discusses the need for innovation and entrepreneurship in cybersecurity. And if you’ve been hoping for a LockerGoga decryptor, you’re in luck.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/179
Selected reading.
Uber hacked, internal systems breached and vulnerability reports stolen (BleepingComputer)
Uber suffers computer system breach, alerts authorities (Washington Post)
Uber Investigating Data Breach After Hacker Claims Extensive Compromise (SecurityWeek)
Uber Investigating Breach of Its Computer Systems (New York Times)
Uber investigating "total compromise" of its internal systems (Computing)
There’s No Honor Among Thieves: Carding Forum Staff Defraud Users in an ESCROW Scam (Digital Shadows)
Social media hearings highlight lack of trust, transparency in sector (The Record by Recorded Future)
Breaking the Boycott (Cybersixgill)
Record-Breaking DDoS Attack in Europe (Akamai)
Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses (FBI)
Siemens Mobility CoreShield OWG Software (CISA)
Siemens Simcenter Femap and Parasolid (CISA)
Siemens RUGGEDCOM ROS (CISA)
Siemens Mendix SAML Module (CISA)
Siemens SINEC INS (CISA)
Siemens RUGGEDCOM ROS (Update A) (CISA)
Simcenter Femap and Parasolid (CISA)
Siemens Industrial Products Intel CPUs (Update A) (CISA)
Siemens OpenSSL Affected Industrial Products (CISA)
Siemens OpenSSL Vulnerability in Industrial Products (Update E) (CISA)
Siemens SCALANCE (CISA)
CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)
Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks (House Committee on Homeland Security)
Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement (Bitdefender Labs)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Uber suffers a data breach.
Social media executives testify before Congress. A large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyber attacks against healthcare payment processors.
Malek Ben Salem from Accenture on future-proof cloud security. Our guest is Diana Kelley from Cybrize, discussing the need for innovation and entrepreneurship in cybersecurity. And if you've been hoping for a LockerGoga decryptor, you're in luck.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 16th, 2022.
Uber is investigating a breach of its systems, the New York Times reports.
Yesterday, the company said in a tweet,
We are currently responding to a cybersecurity incident.
We are in touch with law enforcement and will post additional updates here as they become available.
The Times reports that the breach looks to have compromised a multitude of Uber's systems,
with the hacker sending the Times images of email, cloud storage, and code repositories.
Sam Curry, a security engineer at Yuga Labs who was in contact with the hacker, says,
They pretty much have full access to Uber. This is a total compromise from what it looks like.
The threat actor reportedly compromised a worker's account on the company's internal messaging service, Slack,
saying, I announce I am a hacker and Uber has suffered a data breach. Two employees who weren't
authorized to speak on the situation publicly have said that they were told not to use Slack
and that other internal systems were inaccessible.
The breach utilized phishing and social engineering
through sending a text to a worker convincing them to send a password
that would gain the hacker access.
An Uber spokesperson says that the breach is under investigation by the company
and that law enforcement officials are being contacted.
Once again, we see that there's no honor among thieves.
Digital Shadows reports an interesting example of faithlessness in the criminal-to-criminal
marketplace.
Two admins working in a carding ring in the alternate forum scammed their prospective
affiliates with an address baited to induce the marks
to feed cryptocurrency into wallets the scammers themselves controlled.
May they all get caught. May both sides lose.
Social media executives from Meta, Twitter, TikTok, and YouTube
testified before the Senate Homeland Security Committee, TechCrunch reports,
and apparently they didn't overshare.
The hearing, intended to dive into the impact social media has on national security, took place on Wednesday, covering topics ranging from domestic extremism and misinformation to connections with China. Testimony was, as it so often is before a Senate committee, guarded. When asked by Committee Chair Senator Gary Peters to disclose the number of employees working full-time on trust and safety,
the only answer offered was by Twitter General Manager of Consumer and Revenue Jay Sullivan,
who said 2,200 people were working on trust and safety across Twitter,
but it is unclear if all those employees worked only on trust and safety.
Senator Alex Padilla asked Meta executive Chris Cox,
In your testimony, you state that you have over 40,000 people
working on trust and safety issues.
How many of those people focus on non-English language content
and how many of them focus on non-U.S. users?
The senator didn't offer an answer.
When TikTok COO Vanessa Pappas was asked about the social media giant's connections with China,
specifically where TikTok's Chinese-based parent company, ByteDance, is based,
she fumbled, answering the question by saying that the company is distributed and doesn't have a headquarters at all.
Slate reports that Senator Jon Ossoff said to Pappas when talking about Chinese connections,
I'm going to humbly and respectfully ask you not to give me the top-line talking points.
Pappas also denied reports that the parent company's employees were regularly accessing private data on U.S. users of the app,
despite leaked audio saying otherwise.
Cybersixgill reports that Russian operators on the dark web are turning their skills at handling contraband
to exploitation of the shortages international sanctions have induced in Russia. While it doesn't work for
perishables like McDonald's cheeseburgers, it works just fine for durable goods, particularly
consumer IT hardware. Cybersixgill says, our research has found that Russian actors are using the dark web to circumvent sanctions, enabling them to transfer funds and purchase goods from beyond Russia's borders.
can still get their hands on technology products produced by Apple, AMD, Intel, Microsoft, or NVIDIA,
even though they suspended sales in Russia and Belarus.
Their skills have also proved well-adapted to getting around bans on purchases major bank cards have imposed,
stating,
And despite the fact that Visa, MasterCard, and American Express prohibit Russian cardholders from purchasing items outside of Russia,
actors on underground forums can procure cryptocurrency or virtual and prepaid credit cards in order to make purchases abroad.
Akamai says that it stopped a record-setting distributed denial-of-service attack against an unnamed Eastern European customer this week, stating,
On Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic
abruptly spiking to 704.8 megapackets per second in an aggressive attempt to cripple the organization's business operations.
The attacker's command and control was unusually supple.
Akamai offers no attribution, but the target selection and the choice of DDoS as an attack technique
are suggestive of recent Russian offensive activity.
The FBI reports that they've observed an increase in cyber criminal
attacks against healthcare payment processors, redirecting victims' payments. Threat actors rely
on personally identifiable information that is public, along with social engineering,
to impersonate the victims and gain access to files, healthcare portals, payment information, and websites,
going so far as even changing direct deposit information to the attacker's own.
SecurityWeek says that in February 2022, $3.1 million was redirected after the direct deposit information was changed. The same thing happened again, and the actor stole $700,000.
The U.S. Cybersecurity and Infrastructure Security Agency has released 11 industrial control systems advisories.
In addition to these advisories, CISA has also added six new entries to its known exploited vulnerabilities catalog. Federal civilian executive agencies falling under CISA's remit have until October 6,
2022, to take action to identify and mitigate them. Policymakers and federal agencies are
considering new incentives for operational technology security in hopes of getting
critical infrastructure companies to prioritize cybersecurity and replace old technologies,
SC Media reports. The House Homeland Security Committee held a hearing on the topic Thursday.
Representative Yvette Clarke, chair of the House Homeland Security Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation, said that focusing on IT systems at the cost of OT systems is simply not an option in today's threat landscape,
as OT becomes more Internet-connected,
integrating with IT systems, and attractive to our adversaries.
Many OT systems are outdated, running either old software or unpatched software,
which allows for hackers to easily target the systems,
as even the most minor
change can cause significant disruptions to necessary services.
Michael Dransfield, a senior technical executive for control systems cybersecurity at the NSA,
highlighted the increasing age in workers familiar with OT security, which has caused
many companies to transition to vulnerable automated systems.
After the break, our guest Diana Kelley from Cybrize discusses the need for innovation
and entrepreneurship in cybersecurity, and Malek Ben Salem from Accenture on future-proof cloud
security. Stay with us.
Diana Kelley is CSO and co-founder of security workforce development company Cybrize,
and she also is one of the judges of the upcoming DataTribe Challenge,
where startup hopefuls compete for up to $2 million in funding.
The CyberWire is a media partner with DataTribe.
Here's my conversation with Diana Kelley.
Yeah, I think it's a really incredible time in cyber right now in terms of innovation because there have been a lot of advances in technology that have now enabled us to create and to come up with,
just ideate really new ways to use that technology.
So what do I mean specifically the cloud?
We've talked about digital transformation
and we're all going to be built in cloud.
And now we're here.
We are in the cloud.
Organizations take a huge advantage of all the offerings in the cloud.
And that means that security now can take that step of we don't always have to sit on premise.
We can now go into the cloud, go into multiple clouds, get that signal, that information, the economies of security scale, if I like to call it.
And that's really just driving a lot of innovation and adoption.
We've also seen other advances that are helping in terms of things like the technology.
We just have faster computers.
We have more compute power that's available to all of us.
We have Always On, which is not something that has been a reality.
Even now, you can be on Wi-Fi on the plane, like it or not,
but you can literally work anywhere, anytime. So it's a really great time right now in security.
And the other thing that's driving the innovation is this forcing factor of,
we need to be able to manage not just our own organizations, but also our entire system, our ecosystem,
which includes our partners and consultants and vendors that we work with. And that means that
there's this real big drive for automation because we just can't do all of this manually.
What does that mean for the folks who are out there looking to innovate, for those hopeful people who think they have an idea that may change the world and are looking to just get the word out and tell people about their ideas?
But there are a lot of voices who are competing for attention.
And you've got some voices that are very loud because they've been here for a long time.
And they've been contributing to security and have a fairly big megaphone.
So as new or innovative companies, you need to find a way to have your voice vibrate at the right level so that you can be heard above some of this conversation that's going on, an important conversation that's going on.
So it's really about differentiating.
It doesn't need to be a blue ocean anymore.
If you remember that book where,
try to find the blue ocean.
You don't need to find a pure blue ocean,
but do understand what may have gone wrong
if the ocean's already red. And what I mean by that is that you look at, we seem to improve and
optimize in this cyclical way in security. So SIEM, security event information managers,
were introduced to the market a little over 20 years ago.
And over time, we've seen next generation SIEMs come out that are smarter, easier to use, cloud aware or functioning in the cloud.
Very importantly, using things like machine learning to be better about the information and their analysis and the alerts that they're
sending. So it doesn't have to be a space no one's been in before. There's a lot of next generation
optimization that's going on in existing tool categories. And then there are also new and
emerging tool categories to keep up with the pace of technology. You're going to be participating in the upcoming DataTribe Challenge.
Why is this something that you feel
as though is worth your time,
that you want to contribute to?
Because, again, it's very hard
to get your voice heard
if you're a new, exciting idea,
but there isn't a market space
or a niche for it yet,
and you just haven't gotten the funding.
So I really love that DataTribe is doing this where three finalists are going to split the $20,000, but then there's an
up to $2 million in seed capital that's available potentially for the winner. And I think that it
can be very hard to get an idea off the ground. And I love that DataTribe is going out saying,
let's just let everybody come in. In VC, sometimes it can be as in anything in life.
It can be a little bit of a who you know. And in this case, it's not a who you know at all.
It's open to everyone. That's why we've got a judging panel to look at what's submitted. So
I just love that it's this very open democratic process to help give
funding and support to these ideas that may not have been heard yet.
What's your advice to that hopeful startup or someone who's out there trying to get noticed?
Any words of wisdom? Define the problem. Founders can decide there's a problem, but they don't
really understand that. So define
the problem very, very clearly, make sure that you've researched it and that you actually have
a solution to a problem and not just a solution that's looking for a problem. So be
very clear on tying those together and focus the message. It's not uncommon with founders. You kind
of want to solve everything and do everything. And very often when you go out and start talking to investors or potential buyers,
they'll say, but what about this? And what about that? You want to stay laser focused in your
message. So laser focused as you explain what your solution is to the judging panel.
And then the other thing that's really important is to make sure that you differentiate it.
Understand who the competitors are.
You've got a problem.
You're very focused.
But also, who else is solving that problem and why do you do it better?
That's Diana Kelley from Cybrize. You can find out more about the upcoming DataTribe Challenge on their website, datatribe.com.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
And it is always my pleasure to welcome back to the show Malek Ben Salem.
She is the Security Innovation Principal Director at Accenture Security.
Malek, welcome back.
I want to touch base with you today on some stuff I know you and your colleagues have had your eye on,
and that's machine learning security and safety.
What can you share with us today? Yeah, I think this is a problem or an area of security that does not get enough attention,
which is why I'd like to talk about it again on this podcast. As you know, AI
powered by machine learning is being deployed in high stakes environments, right?
And in medical devices and medical settings and for autonomous driving.
So these are environments that are obviously high stake,
that include some safety aspects, you know, with the AI interacting with a physical environment
or where it may have an impact on the safety of the individual or the people in the surroundings.
So it needs to be built in a secure and safe manner. The other aspect or factor that makes it difficult to build
AI that is secure and safe is the lack of modularity or encapsulation when building
these AI-powered systems. So unlike traditional applications,
we're familiar with how we write code.
There are, say, object-oriented codes
where we have abstraction principles,
we have modularity principles.
That's not valid for machine learning models, right?
Or these neural network architectures. So that makes them
very complex, very hard to understand, right? For humans. And it makes it hard to know what
output can we expect by giving these AI systems certain inputs.
Yeah, help me understand here.
I mean, to what degree are they kind of black boxes where you put stuff in and quite often it could be
to your surprise, delight, or horror what comes out the other side?
To a very high degree, I would say,
which is why there are certain research communities
working on explainability for these systems
or for these machine learning models.
So developing certain techniques to make them more explainable.
Obviously, that is important,
but that in and of itself has its own security implications,
because the more you explain, the more transparent you make these models, the more they become
vulnerable as well to adversaries, because now they know how they are working. They know the
inner workings of these models and that may help them attack them even easier in an easier fashion.
So it's really a trade-off. We need to make them explainable for the developers so that they're
able to make them more robust, but not necessarily expose them or make them transparent to adversaries and threat actors.
And are there any standards for dialing that in? I mean, are there frameworks that have been
adopted? Yeah, that's the big challenge, right? I think we have different communities working on
making these machine learning models more robust.
But we don't have, you know, widely adopted frameworks,
or at least the frameworks that we have may be lacking.
When I talk about robustness, I, you know, there's two aspects of robustness, right?
There is the aspect of making these machine learning models be able to work in an environment where they see
or overcome an unusual event, right? That's one form of robustness. And the other aspect of
robustness is being robust to adversarial attacks. So that's another aspect. And sometimes these two goals may not go hand in hand,
right? If you build your model to be able to react in certain events. And let me give an example.
You know, let's say you're building an autopilot on a self-driving car.
It's supposed to recognize stop signs, right?
And when it recognizes a stop sign, it's supposed to stop.
But what happens if that stop sign shows up in, say, a traffic bar, right? That is like on a parking entry, right, and that bar is risen.
You're not necessarily supposed to stop at that point. Or what if somebody is wearing a t-shirt
with a stop sign? That car stopping at that point may be a hazard, right? So recognizing those unusual events and having the autopilot system respond to them in a proper manner is a challenge.
But as I mentioned, the adversarial case as well is important to recognize. What if a passerby wears that T-shirt advertently, right, in order to create some chaos?
So again, you know, the problem is not easy to solve.
There are certain defenses that I can talk to or proposed ways of responding or mitigating this problem.
But I think they do require definitely more research
and more attention by ML engineers.
Yeah. All right. Well, interesting stuff.
Malek Ben Salem, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Sam Crowther from Kasada.
We're discussing their work, The New Way Fraudsters Bypass Bot Management.
That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Harold Terrio, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.