CyberWire Daily - US, RoK agencies outline DPRK ransomware. Reddit breached. ICS and IIoT issues. It’s almost Valentine’s Day. Have you noticed? (The hoods have.)
Episode Date: February 10, 2023

US and Republic of Korea agencies outline the DPRK ransomware threat. Reddit is breached. CISA releases six ICS advisories. Flaws are found in IIoT devices. Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo on autonomous SOCs. And, it's almost Valentine's Day. Have you noticed? (The hoods have.)

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/28

Selected reading.
#StopRansomware - Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities (CISA)
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (CISA)
U.S., South Korean Agencies Partner to #StopRansomware Threat from DPRK (National Security Agency/Central Security Service)
US and South Korea accuse North Korea of using hospital ransoms to fund more hacking (The Record from Recorded Future News)
North Korea using healthcare ransomware attacks to fund further cybercrime, feds say (SC Media)
U.S., South Korea Warn of North Korean Ransomware Threats (Bank Info Security)
r/reddit - We had a security incident. Here's what we know. (reddit)
Hackers breach Reddit to steal source code and internal data (BleepingComputer)
Reddit Breached With Stolen Employee Credentials (Dark Reading)
Reddit Says It Was Hacked But That You Don't Need to Worry. Probably. (Gizmodo)
Control By Web X-400, X-600M (CISA)
LS ELECTRIC XBC-DN32U (CISA)
Johnson Controls System Configuration Tool (SCT) (CISA)
Horner Automation Cscape Envision RV (CISA)
Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (CISA)
ARC Informatique PcVue (CISA)
Industrial Wireless IoT - The direct path to your Level 0 (Otorio)
Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices (The Hacker News)
Romance scammers' favorite lies exposed (Federal Trade Commission)
New FTC Data Reveals Top Lies Told by Romance Scammers (Federal Trade Commission)
Romance scammers could cause unhappy Valentine's Day (Washington Post)
Love Bytes (Georgia State News Hub)
As V-Day nears: Romance scams cost victims $1.3B last year (Register)
Michigan AG warns of cybersecurity risks after data breach of gaming sites (mlive)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code n2k at checkout.
U.S. and Republic of Korea agencies outline the DPRK ransomware threat.
Reddit is breached.
CISA releases six ICS advisories.
Flaws are found in industrial IoT devices.
Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know.
Our guest is Kayla Williams from Devo on autonomous SOCs.
And it's almost Valentine's Day.
Have you noticed? The bad guys have.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, February 10th, 2023.
DPRK state-affiliated actors have been observed targeting the healthcare and critical infrastructure sectors with Maui and Holy Ghost ransomware as a means to extort money to further fund North Korea's intelligence service. U.S. agencies and the Republic of Korea Defense Security Agency released a joint advisory yesterday discussing tactics, techniques, and procedures of DPRK threat actors using ransomware attacks to target both nations' healthcare and critical infrastructure industries.
They also suggest mitigations for victim organizations.
NSA wrote that once the identity and location of the scammers are sufficiently hidden,
the attackers will move to common vulnerabilities and exposures to overtake a victim network and release ransomware.
The vulnerabilities most exploited by these malicious actors are the Apache Log4j software library, also known as Log4Shell, and remote code execution in various SonicWall appliances.
Reddit has disclosed that it sustained a data breach on February 5th after an employee fell for a phishing attack, BleepingComputer reports.
Reddit said in a statement that an attacker set up a website that impersonated the company's intranet gateway
and was designed to steal credentials and two-factor authentication tokens.
After an employee fell for the ruse, the attacker gained access to some internal docs, code,
as well as some internal dashboards and business systems.
The company added, "We show no indications of breach of our primary production systems, the parts of our stack that run Reddit and store the majority of our data."
Reddit also hasn't found any signs that the attacker accessed user data.
The U.S. Cybersecurity and Infrastructure Security Agency
yesterday released six industrial control system advisories.
Check out their website for the details.
Earlier this week, researchers at Otorio discovered 38 vulnerabilities affecting industrial Internet of Things devices from four separate vendors.
Three of the vulnerabilities affect Etic Telecom's remote access server, two of the flaws impact Sierra Wireless AirLink routers, and five affect InHand Networks' InRouter 302 and InRouter 615.
The rest of the vulnerabilities are still in the disclosure process.
The researchers note that attackers can use publicly available apps, such as WiGLE, to identify these types of vulnerabilities, stating, "Our scanning uncovered thousands of wireless devices related to industrial and critical infrastructure, with hundreds configured with publicly known weak encryptions."
Not to be a downer or anything, but the most stressful day in the calendar shows up next week.
Yes, Valentine's Day falls on Tuesday.
And in addition to the nightmare vision of demure cupids shooting arrows of desire from their bows of gold,
you can expect romantic love itself to be turned against you.
Yes, scammers have been observed participating in romance fraud campaigns
as the hallmark holiday of love nears.
Scams have been seen targeting users of dating apps, utilizing pig butchering fraud techniques,
and increasingly using sextortion scams. The U.S. Federal Trade Commission assesses the amount of
sheer financial damage romance scams caused in 2022 at $1.3 billion, stolen from almost 70,000 individuals.
And of course, there's no accounting for the toll they took in sadness, humiliation, shame, despair, and deeper loneliness.
There's been some study of this in universities.
Georgia State University released a study detailing the primary hunting grounds for fraudsters this season, dating apps.
Fang Xiao Wang, a doctoral student in the university's Department of Criminal Justice and Criminology and the primary author of the study, says that she and her fellow researchers really wanted to take advantage of open intelligence data sources to find out what these fraudsters were doing that was so effective.
The purpose is to identify patterns and uncover strategies that users can adopt to protect themselves.
The research analyzed victims approached on popular social media sites or dating apps and sites.
Emotional triggers are a common method these scammers have been observed using, manufacturing faux crises to extort money from victims.
Movement away from dating apps to private email and messaging communications can also be a red flag, researchers report, often with pressure applied on the victim to make quick decisions.
The indelicately named pig-butchering scams are also expected to reach a culminating point around Valentine's Day.
It's not surprising. Pig butchering is a long game.
The scammers spend a fair amount of time cultivating their victims' trust.
The marks are eventually pressured to invest in cryptocurrency,
or, in reality, an illegitimate website that will fill the pockets of the scammers
with any money you may invest, as the Register wrote today.
The Register goes on to report that European police in January
saw the arrest of 15 malicious actors and the seizure of a multinational call center network
that had funneled hundreds of millions of euros from victims shilling fake cryptocurrency,
as well as the seizure of seven pig-butchering domains in the U.S.
that put $10 million in the pockets of scammers.
And it gets worse, albeit in another way that's completely predictable.
The Register also reports the increasing risk associated with the exchange of not-safe-for-work photos,
as sextortion scams have been escalating. These scams are defined by the threat of leaking the inappropriate photos
to the victim's social media contacts unless victims pay. The primary demographic targeted
in these campaigns are people aged 18 to 29, with more than half of the reports of sextortion scams last year
noting social media as the primary method of contact.
We know, we know,
swapping saucy selfies is a new courtship ritual,
as Mr. Carlos Danger could tell you,
but please, friends, show some restraint.
Send chocolate or flowers and not selfies.
And finally, to return to the U.S. government,
the Federal Trade Commission is displaying some unexpected expertise in matters of the heart.
We'd always thought the U.S. government's experts in such things
were for the most part found among Marine Corps aviators.
Anywho, the FTC has tracked the top lies romance scammers tell,
and they're an interesting but sadly familiar collection. Here they are, from least to most
prevalent, with some extra comments from our dating desk. And yes, we do have one. These don't
represent the opinions of the Federal Trade Commission, or for that matter, the U.S. Marine
Corps' Aviation Division.
First up, "You can trust me with your private pictures." This brings up the rear at 3% and shows the unpleasant trend toward sextortion among the scammers.
"I'm on an oil rig or ship." Ahoy, love. This surprisingly specialized come-on made up 7% of the attempts. Tell Romeo to stay safely offshore if you get this one.
With 7%, we see "I've come into some money or gold." This one's a throwback, especially if the nominal author is a widowed Nigerian princess in distress.
"We've never met, but let's talk about marriage." 12% of the scammers are cold calling for love.
"I need help with an important delivery." This accounted for 18%. Extra credit if it's from a Nigerian cabinet minister.
"I'm in the military, far away." The appropriate response to the 18% of messages that include this one would be, "Good, stay there, and thank you for your service."
"I can teach you how to invest." At 18%, this one probably delivers some ROI to the scammers.
And the most common lie, at 24%, is "I or someone close to me is sick, hurt, or in jail." This one seems particularly loathsome with its attempts to take advantage of the mark's sympathy and better inclinations.
Thanks to the FTC, by the way, for the advice.
Read it and heed it.
Lovers everywhere.
Coming up after the break,
Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know.
Our guest is Kayla Williams from Devo with thoughts on autonomous SOCs.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
When's the last time you checked in with the folks running your SOC?
I mean, really checked in with them?
Security firm Devo recently published a report that found that 71% of SOC professionals responded
that they are likely to quit their job with the top reasons cited as information and work overload,
insufficient downtime, a lack of tool integration, and alert fatigue.
Kayla Williams is Chief Information Security Officer at Devo.
In my very humble opinion, I feel that up until now, the one word that would describe the SOC is overworked, for sure.
I think there's a lot of monotony in the way the SOC is run today.
Too many companies, doesn't matter the size,
they're really bogged down with false positives and searching for alerts.
And they're not able to really utilize their resources in a way that delivers value to an organization. So the aim of an autonomous SOC is to address that and to help
supplement or augment the actual security operations center team that allows them to
deliver value and really focus on providing risk management to their organization.
So what are the things that traditionally have kept a SOC team from really being able to provide
the maximum amount of productivity and value? I think it's a couple things. First, there is
no one individual or team that knows everything.
So the attack surface continues to grow,
sometimes by the hour at certain organizations.
And being able to stay on top of that and the technology that supports that growth is very taxing.
And sometimes I would even say it's exhausting.
So that is one thing.
And I think another thing is that
they're being pulled in many directions. It doesn't matter how many people are in your company's SOC. It's just a resource constraint to constantly have to shift and address priorities.
As I said, the threat landscape changes, so you're having to pivot
in one day or one minute or one hour. You can have something that is a priority one,
and all of a sudden something else comes in and it's that zero day, all hands on deck and having
to stop what you're doing and pivot to address the risk. So by having a SOC that can be supplemented in a way that allows
some of that monotony, some of that risk management to be put into an automated fashion
will really help alleviate some of that panic, some of that anxiety around,
oh no, I have to stop what I'm doing and pivot immediately. So that's kind of where I see that.
You know, it reminds me of the fact that when we travel and we fly from point A to point B, it's likely that a good part of that trip is being handled by the autopilot. But most of us are comfortable with
that, but we're not quite so comfortable with the idea of taking pilots out of that cockpit
altogether, right? We like to know that landing and takeoff, the more critical parts of that journey are still going to have humans
handling it and indeed overseeing the whole process. I'm curious, is that an apt analogy
in your view? Absolutely. I think that's great. I actually didn't even put that type of context onto this, but that's absolutely right. It's the same as the driverless cars, the autonomous cars that we have. They're still getting into car accidents because people aren't paying attention; they're just relying on the technology.
I certainly don't mind having autopilot for my flights as long as there's a pilot there if something goes wrong. You know, it's when the flight in New York landed on the Hudson because there was a variable that came into play. Right. Geese. And you needed to have...
Wretched creatures. Exactly. And you needed to have a pilot there who could navigate that
variable that created a potential catastrophe. And having
that oversight of Captain Sully, I believe was his name, having his ability to think quickly
saved lives that day. And I'm not saying that a SOC is going to save lives someday. I'm not trying to draw that close of a correlation between the two scenarios, but having the ability to have eyes
checking the homework, if you will, checking to make sure that the processes that they've designed
are operating fully and accurately is very important to ensure that you don't have a crash,
or in this case, an incident. So what are your recommendations for organizations who want to
explore this? How do they get started?
How do they see if it's a good fit for them?
I think the first step is ensuring that you have documented standard operating procedures
and reviewing them and making sure that it's something that could be put to a machine's
use.
Of course, as I said before, having someone kind of check that homework and reviewing it. Sure, it's checking your own homework, but it's still having someone review it to make sure that it can be put into this use case of autonomous SOC. It'll pay off dividends. And of course, even if you decide
later on that it's not something that you could move into just yet, you're going to have a better
product at the end because you're going to have documented steps
that you can go back and repeat over and over again.
That's Kayla Williams from Devo.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And I'm pleased to be joined once again by Dinah Davis.
She is the VP of R&D Operations at Arctic Wolf.
Dinah, it's always great to welcome you back to the show.
I want to touch base with you.
I saw you and your colleagues there at Arctic Wolf had a blog post recently about improving your security posture at your home. I think this is something worth visiting here. What do you got
to share with us today? Yeah, I mean, we often think about hackers trying to come at a company
like through company resources, right? But they're really going to try from every angle possible.
And one popular way that they've been making progress is through people's personal accounts,
right? So even if we look at the May Cisco breach, the hacker there gained access to the employee's
personal Google email account. This was really interesting.
It wasn't just that they reset passwords and stuff, but once they did that, they were able
to get into their Chrome browser password store and extract all the passwords from there.
One of which was really bad, which was the VPN access to their work.
Which like, people, your VPN access,
any work password should never be in a personal password store anyway, full stop.
But again, this is why maybe using a Chrome browser
or the Safari key password store is not a great idea.
Having things separated makes it harder.
Well, let's go through some of the things that really caught your eye here.
What are some of the ones that rise to the top of your attention?
So you want to use VPNs as much as possible, right?
So if you're at home in a coffee shop or anywhere that is not the office,
you could be subject to a man-in-the-middle attack,
which is when somebody is able to pretend they're actually your home Wi-Fi
or the coffee shop Wi-Fi
and give you access to the internet through that,
but see everything you're typing.
So if that happens, if you're using a VPN,
what a VPN is going to do is encrypt all the data going through, and so even if you are in the middle of a man-in-the-middle attack (wow, that's some inception right there), you're going to be fine, right? So those are really important.
Also using MFA, multi-factor authentication, right?
So even if they got his whole password store,
if he'd have had MFA or a second-factor authentication, it still would have been hard for them to get in, right?
Right, right.
I remember seeing a study from Google,
it was probably a year ago now,
where they said that people who put MFA
on their Gmail accounts don't get hacked. It wasn't like 90%. It was like 100%. If you have
a hardware key, you're probably good to go. Yeah, because, okay, I liken it back to when I
grew up. I grew up in Winnipeg, Manitoba, Canada, and it happens to be the car theft capital of Canada, or it was in the 90s.
Let's put it that way.
I have no idea if it still is.
Okay.
Okay?
Right.
And so what we used to do is we had this thing called the club, and it was like this metal bar that you put across your steering wheel, and you locked it and it made it so you couldn't turn the
wheel. So even if they hotwired your car, they couldn't turn that wheel. Now, could they still
get that off with like a massive saw or something like that? Sure they could. But if they're going
down the street looking into the driver's seats of all the cars, the ones with the clubs aren't
going to get hit because it's just too much work, right? And I think that's the same principle that's happening when you put MFA on your accounts,
right?
You've made it harder unless they really, really want you for a very specific reason.
They're not going to bother, right?
Here's a good one that I failed at recently.
Secure your physical devices.
So that means do not leave things on airplanes.
I feel like there's a story here.
Yeah, I might have just done that recently. It was very annoying.
Oh, no. Oh, no.
If you leave it on an airplane while it's in airplane mode, it's very hard to get to.
But here's a good thing to do. Make sure you set up that emergency contact on the
front of the phone because it will turn the airplane mode off when they call you for 24 hours
and you can get the device wipe and find your phone, Google or iPhone in there. So it does
happen. I wasn't worried when I lost my phone because I have all the
passwords set. I have MFA on my Google accounts. I was able to reach my phone and security wipe it.
So it's not an issue, but it's still not something I would have liked to do in the future. I don't
think I'll ever do that again. But when you're running for
a connection, sometimes it's easy to misplace some things. Yeah, leave that in that pocket in
the front of the seat next to you. I mean, it brings up a good point that I've heard people
say when you're traveling, which is not to put all of your electronic eggs in one basket. In other
words, you have your mobile device and it gets lost.
You need to have another device to be able to go and try to change whatever settings you need to on that original device.
A hundred percent.
So, you know, I was able to log into my computer that I also had with me and get the device wipe. And then until I got my phone back,
I was able to use my iPad for the key store.
Like I was so happy that I had an authenticator
that backed up into the cloud.
So, you know, like Google Authenticator,
I use a different one.
I use the one that LastPass uses.
And so you can back it up into your LastPass account.
I'm very careful not to use the same password keeper app.
So I use 1Password for my passwords and LastPass for my authenticator.
So they're in two separate systems entirely.
But I was able to pull that all up on my iPad and relive. So I've had,
I had very little disruption to my life other than not being able to receive text messages
while the phone was lost. And, you know, kept going and I wasn't really worried.
All right. Well, good tips for sure. Dinah Davis, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Pascal Ackerman from GuidePoint Security.
We're discussing his work on discovering a vulnerability in the integrity of common HMI client-server protocols.
That's Research Saturday. Check it out.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester,
Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin,
Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Volecki,
Millie Lardi, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week. Thank you.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.