CyberWire Daily - Watch out for cybercrime over holidays (like Labor Day). Ransomware warning for the food and agriculture sector. Gift card and loyalty program fraud. NIST draft IoT guidelines out for comment.
Episode Date: September 3, 2021
Uncle Sam recommends cyber vigilance during your kinetic relaxation this Labor Day weekend. The ransomware threat to food and agriculture. “Low and slow” fraud from compromised email inboxes. Israel promises an investigation of cyber export controls. Josh Ray from Accenture Security on giving back to the community and the Jenkins Attack Framework for red teaming. Our guest is Andy Ellis on the transparency in cybersecurity initiative. And NIST has draft consumer IoT guidelines out for comment. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/171
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Uncle Sam recommends cyber vigilance during your kinetic relaxation this Labor Day weekend.
The ransomware threat to food and agriculture.
Low and slow fraud from compromised email inboxes.
Israel promises an investigation of cyber export controls.
Josh Ray from Accenture Security on giving back to the community and the Jenkins attack framework for red teaming. Our guest is Andy Ellis on the transparency in cybersecurity initiative.
And NIST has draft consumer IoT guidelines out for comment.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 3rd, 2021.
The U.S. Labor Day holiday is coming with its annual long weekend tomorrow through Monday,
and the U.S. government has been warning everybody not to let their guard down in cyberspace.
Criminals expect it, and they've shown spikes of cyberactivity during other holidays,
most recently over the Fourth of July. The White House at its regular press conference yesterday
reinforced warnings given earlier this week by the U.S. FBI and CISA
to the effect that the nation should be on heightened alert for cyberattacks,
especially ransomware attacks, over the Labor Day long weekend.
The U.S. government seems to be betting on form here,
not on any particular chatter or specific signs of threatening activity.
Deputy National Security Advisor Neuberger said that while there were no specific indications of attacks,
criminals in particular have a track record of taking advantage of the reduced staffing and relaxed vigilance that often accompany holidays.
Here's some of what she had to say, courtesy of C-SPAN.
Good afternoon, everyone. So we want to take a moment to encourage organizations to be on guard
for malicious cyber activity in advance of the holiday weekend. To be clear, we have no specific
threat information or information regarding attacks this weekend. But what we do have is history.
And in the past, over holiday weekends,
attackers have sometimes focused on security operations centers
that may be understaffed or a sense
that there are fewer key personnel on duty
as they may be on vacation.
And indeed, a long weekend can sometimes
make attackers feel they have extra time
to navigate in a network before they're detected.
So as the long weekend comes, we want to raise awareness, and this need for awareness is particularly for critical infrastructure owners and operators who operate critical services for Americans.
That's yesterday at the White House, and you can listen to the whole thing over at C-SPAN.
Holidays aren't the only thing on the federal mind, of course.
The ransomware threat has been much discussed in both public and private circles,
and warnings directed at the various sectors that make up critical infrastructure continue.
And what's more critical than food?
The U.S. FBI on Wednesday issued a private industry notification warning the food and agriculture sector that it's under active attack by ransomware gangs.
There's nothing particularly distinctive about the criminals' approach to organizations in this sector.
The tactics and techniques they employ are familiar.
But it's a sector not accustomed to thinking of itself as a high-priority criminal target.
The FBI's notification briefly describes five occasions since last November when ransomware attacks have disrupted agricultural and food distribution operations.
In July 2021, a U.S. bakery company lost access to their server, files, and applications,
halting their production, shipping, and receiving
as a result of Sodinokibi/REvil ransomware, which was deployed through software used by an
IT support managed service provider. The bakery company was shut down for approximately one week,
delaying customer orders and damaging the company's reputation. In May 2021, cyber actors using a variant of the Sodinokibi/REvil
ransomware compromised computer networks in the U.S. and overseas locations of a global meat
processing company, which resulted in the possible exfiltration of company data and the shutdown of
some U.S.-based plants for several days. The temporary shutdown reduced the number of cattle and hogs slaughtered,
causing a shortage in the U.S. meat supply and driving wholesale meat prices up as much as 25%,
according to open-source reports. This, of course, was the notorious attack on JBS,
one of the incidents that brought Russian privateering to general attention.
The beverage subsector has also been hit.
Quote,
In March 2021, a U.S. beverage company suffered a ransomware attack that caused significant disruption to its business operations,
including its operations, production, and shipping.
The company took its systems offline to prevent the further spread of malware,
directly impacting employees
who were unable to access specific systems, according to open-source reports. And farms
themselves have been targeted. Quote, In January 2021, a ransomware attack against an identified
U.S. farm resulted in losses of approximately $9 million due to the temporary shutdown of their farming operations.
The unidentified threat actor was able to target their internal servers by gaining administrator-level
access through compromised credentials, end quote. So, ransomware has touched the very point of
origin of the food supply. Finally, quote, in November 2020, a U.S.-based international food and
agriculture business reported it was unable to access multiple computer systems tied to their
network due to a ransomware attack conducted by OnePercent Group threat actors using a phishing email with
a malicious zip file attachment. The cyber criminals downloaded several terabytes of data
through their identified cloud service provider prior to the encryption of hundreds of folders.
The company's administrative systems were impacted.
The company did not pay the $40 million ransom and was able to successfully restore their systems from backups.
End quote.
That last story is encouraging.
The victim refused to pay and restored affected systems from backups.
The same risk mitigation measures that apply to other sectors
can be equally effective for organizations working in the food supply chain.
Krebs on Security notes the low and slow and lucrative approach
one criminal gang has taken to fraud, compromising about 100,000 email
inboxes daily. They're selective in their take, scanning for emails related to gift cards and
customer loyalty programs, both of which have a useful resale value in criminal markets.
Krebs on Security writes, quote, the fraudsters aren't downloading all of their victims' emails. That
would quickly add up to a monstrous amount of data. Rather, they're using automated systems
to log in to each inbox and search for a variety of domains and other terms related to companies
that maintain loyalty and points programs and or issue gift cards and handle their fulfillment,
end quote. Reward points are particularly attractive to the hoods
because they're easily extracted and can be resold quickly
for about 80% of their nominal value.
Israeli Foreign Minister Yair Lapid promised closer investigation
of NSO Group's intercept tool exports, Security Week reports. The foreign
minister makes the familiar point that the government of an exporting country has only
limited influence over how the importers use the tools they buy, but he acknowledges a responsibility
to do what's possible to prevent abuse. He explicitly compared cyber exports to arms exports
and suggested they would be controlled in the same way.
And finally, if you're looking for some profitable reading over the weekend,
consider taking a look at the National Institute of Standards and Technology's draft
Baseline Security Criteria for Consumer IoT Devices.
It's part of NIST's response to Executive Order 14028, issued back in May.
Among other things, the criteria are intended to result in labeling for consumer products.
And NIST's goal is that those labels be understandable and actionable by consumers, and that they be effective in conveying the product's value.
The label should clearly convey when a product provides a greater level of security so that a consumer can understand why there may be a greater value to the individual and to society more broadly, and why there may be a cost differential among competing products with similar functionality but different security performance.
So, read the whole thing. NIST would like to have comments by October 17th.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it
comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Andy Ellis is operating partner at YL Ventures and former CSO at Akamai. He is
among a group of individuals and vendors who've started a new nonprofit called Transparency in
Cyber, which hopes to foster more open conversations about
security products. I checked in with Andy Ellis for the details. So the goal of the Transparency
in Cyber Security Organization's mission is really to evangelize that this is a change
that ought to be made. That really the three core tenets of our mission is that product benchmarks
and real-world experiences ought to be shareable.
That we need to be able to understand
what our products do and don't do
because that's how we're going to get
to a safer digital world.
That companies need to really put that
into their business operations.
That if one of your customers comes and says,
hey, I want to test this with a third party,
you don't get to say no.
It's reasonable for you to say,
hey, would you share the results with us
before you publish them?
I think that's a fair ask.
But to say no, you're not allowed to find out
if the product does what we say it does, not okay.
And then we actually think that transparency
will be the great equalizer.
And that's not about an equalizer between vendors,
although it will actually do some equalization there,
but it's really about equalizing
between the vendor and the customer.
I've been a buyer where I've bought a technology
and like two years later,
we were pretty certain it stopped working
and we could not get the vendor to talk to us about it.
It stopped giving us any alerts.
The person who bought it was like,
oh, we've done such great security that this detection system can't find anybody breaking in.
And I said, yeah, or the detection system just doesn't work.
But we had no way to verify that belief. And maybe we had great security or maybe
we had awful security, but I was stuck as a buyer not knowing. And that would be fixed with better
transparency. So from the point of view of the providers of these services,
these products, I mean, what's in it for them?
How do you deal with what I could imagine would be,
maybe if not some pushback, maybe a little hesitancy here?
So I think there definitely will be some hesitancy.
I think if you have a product that works,
this is a good thing for you, right?
This enables your customers to talk to you, to give you feedback,
because your good customers aren't going to go test your product,
find a problem, and not tell you.
They're going to find something and say,
wow, you have this WAF, and for some reason it doesn't work on SQL injection,
which would be sort of awful.
I don't think your technology actually works there.
But they're going to tell you, rather than keeping that secret or you never knowing,
and your product can get better because you're now part of this information ecosystem.
So it enables you to let your customers be part of your product research organization.
That's helpful.
It lets you see where you stand against your competition,
because I suspect you will see sort of third-party rating
agencies that have a little more transparency than the analyst firms sometimes have today.
And I think that only is a good thing for everyone. And how does this work alongside
things like bug bounty programs? I think it's completely compatible. I think anybody who has
a bug bounty program is already 90% of the way to a transparency model here.
A lot of this is sort of getting people to stop having these reflexive no's to conversations about something like a bug bounty.
But this isn't saying everybody needs to have a bug bounty.
I think a bug bounty is above and beyond what we're asking for.
We're basically asking you to sort of commit, hey, don't like sue people just
because they've figured out that your product has some flaws and want to share that. That's Andy
Ellis. You can find out more about the new nonprofit at transparencyincyber.org. There's a
lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro
and sign up for interview selects, where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray.
He's Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, always great to have you back.
I wanted to touch today on some tools that I know you and your team have been developing
that could be of assistance to red teamers.
What are you all working on there?
Yeah, thanks, Dave.
Excited to talk about this topic.
And as you know, the team and I are super passionate
about sharing information and giving back to the security community,
which ultimately we want to really make the world a safer place, right?
The Jenkins Attack Framework, or JAF, is a tool that our adversary simulation R&D team developed.
And we did this in order to make some of our engagements a bit easier and scale more effectively.
So basically, JAF is an Accenture internally developed tool for red teamers for interacting with Jenkins build servers.
So you're putting this out here for the community as large?
That's correct, yeah.
And really the use case is that this is to help clients
improve their broader security posture.
That's how we use it.
Many times we come across Jenkins installations
in client environments, and they can be, let's say, useful
for our red team engagements because they will sometimes store credentials and source code
and have the ability to elevate access in their production networks. And as a result,
our team also finds ourselves being able to leverage this to move throughout the environment undetected,
much as an adversary would. So really the value here is to allow other folks to leverage this tool
to do the same thing. What goes into the decision for you all to make this available to the broader
community? This tool has value.
You could very well just keep it to yourself and your colleagues there.
Why put it out there for everyone?
Yeah, I think we have to balance that.
But, you know, ultimately, we're really trying to be good stewards of the community.
And where we have the opportunity, we want to do the right thing, right?
So this has been, you're right, this has been incredibly valuable to our team over the past year or two.
But really, in the spirit of giving back to the community,
we've been able to secure the approval to release this for industry use for their own security testing.
We have a blog that outlines all the technical details, but there's some really
interesting features like being able to run system commands and list current API tokens and dump
creds and such. But ultimately, our mission is really to help our clients prepare for and spar
against some of the most advanced cyber threats out there. And we have a responsibility, I think, not only to secure the world, but also help
folks in the security community to further that mission
and enable that mission. And we do that through things like
releasing tools and information. This is really just about making sure folks
know that it was out there and available for them to use.
All right, well, if you're looking for it over on the Accenture Security website,
it is the Jenkins Attack Framework.
Josh Ray, thanks for joining us.
Thanks, Dave.
Clear your schedule for you time
with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado, cozy up with the familiar flavors of
pistachio, or shake up your mood with an iced brown sugar
oat shaken espresso. Whatever you choose,
your espresso will be handcrafted with care at Starbucks.
And that's the Cyber Wire.
We'll be taking a break from our daily podcast on Monday as we observe the Labor Day holiday
with appropriately unrelaxed cyber vigilance
even as we enjoy kinetic relaxation.
We hope you are all able to do likewise
and we'll be back as usual on Tuesday.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's episode of Research Saturday and my conversation with Ben Seri. He's VP of Research at Armis. We're discussing remote code execution vulnerabilities in the pneumatic tube system of Swisslog. That's Research Saturday. Do check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.