CyberWire Daily - Where ICS touches the Internet. BunnyLoader traded in C2C markets. Phantom Hacker scams. API risks. Cybersecurity attitudes and behavior. DHS IG reports on two cyber issues. Updates on the hybrid war.
Episode Date: October 3, 2023

Nearly 100,000 ICS services exposed to the Internet. BunnyLoader in the C2C market. Phantom Hacker scams. API risks. Cybersecurity attitudes and behaviors. Homeland Security IG finds flaws in TSA pipeline security programs, and privacy issues with CBP, ICE, and USSS use of commercial telemetry. Kyiv prepares for Russian attacks on Ukraine's power grid. Ben Yelin on the Department of Commerce placing guardrails on semi-conductor companies. As part of our sponsored Industry Voices segment, Dave Bittner sits down with Nick Ascoli, Founder and CTO at Foretrace, to discuss the last year in data leaks. And Russian disinformation is expected to aim at undermining US support for Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/189

Selected reading.
Bitsight identifies nearly 100,000 exposed industrial control systems (Bitsight)
New BunnyLoader threat emerges as a feature-rich malware-as-a-service (BleepingComputer)
"Phantom Hacker" Scams Target Senior Citizens and Result in Victims Losing their Life Savings (FBI)
FBI warns of surge in 'phantom hacker' scams impacting elderly (BleepingComputer)
APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries (Hacker News)
Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2023 (National Cybersecurity Alliance)
Watchdog says pipeline security regulations, data collection safeguards not up to snuff at DHS (Washington Post)
Better TSA Tracking and Follow-up for the 2021 Security Directives Implementation Should Strengthen Pipeline Cybersecurity (REDACTED) (Office of Inspector General, Department of Homeland Security)
CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (REDACTED) (Office of Inspector General, Department of Homeland Security)
Ukraine prepares for winter again as Russia targets its power grid (The Economist)
Putin's Next Target: U.S. Support for Ukraine, Officials Say (New York Times)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Nearly 100,000 ICS services exposed to the Internet.
Bunnyloader in the C2C market.
Phantom hacker scams and API risks.
Cybersecurity attitudes and behaviors.
Homeland Security IG finds flaws in TSA pipeline security programs
and privacy issues with CBP, ICE, and USSS's use of commercial telemetry.
Kyiv prepares for Russian attacks on Ukraine's power grid.
Ben Yelin on the Department of Commerce placing guardrails on semiconductor companies.
As part of our sponsored Industry Voices segment, Dave Bittner sits down with Nick Ascoli, founder and CTO at Foretrace, to discuss the last year in data leaks.
And Russian disinformation is expected to take aim at undermining U.S. support for Ukraine.
I'm Tré Hester, filling in for Dave Bittner with your CyberWire Intel briefing for Tuesday, October 3rd, 2023.

BitSight has identified nearly 100,000 industrial control systems exposed to the Internet, particularly in the education, technology, government, politics, and business sectors. However, the researchers note that overall there's been a steady decline in the internet-exposed ICS services since 2019. So in some respects, this is actually a good news story. BitSight adds, quote, "Exposed systems and devices communicating via the Modbus and S7 protocols are more common in June 2023 than before, with the former increasing in prevalence from 2020 and the latter more recently from mid-2022. However, exposed industrial control systems communicating via NiagaraFox have been trending downward since roughly 2021. Organizations should be aware of these changes in prevalence to inform their OT and ICS security strategies."

Zscaler is tracking a new malware-as-a-service offering called BunnyLoader that's being sold on underground forums for a one-time price of $250. The malware is designed to steal information related to web browsers, cryptocurrency wallets, VPNs, and much more. BunnyLoader targets cryptocurrency wallets for Bitcoin, Monero, Ethereum, Litecoin, Dogecoin, Zcash, and Tether. The researchers note that the malware has been under rapid development since the initial release on September 4th.

The FBI has warned of an increase in phantom hacker scams targeting senior citizens. This phantom hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target. Victims often suffer loss of entire banking, savings, retirement, or investment accounts under the guise of protecting their assets. The Bureau says victims have lost over $542 million to tech support scams in the first half of 2023, with 66% of these losses from victims over 60 years old.

BreachLock has published an article for the Hacker News looking at cybersecurity risk associated with APIs. BreachLock states, quote, "The 2023 reports indicate cyberattacks targeting APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are especially interested in the recent influx of new devices under the Internet of Medical Things and API ecosystem that has supported the provision of more accessible patient care and services. Another industry that's vulnerable is manufacturing, which has experienced an increase in IoT devices and systems, leading to a 76% increase in media tax in 2022."

The National Cybersecurity Alliance and CybSafe have published a report looking at cybersecurity behaviors around the world. In the United States, the researchers found a significant majority now recognize multi-factor authentication, and, encouragingly, 70% within this group are actively using it to enhance their online security on a regular basis. However, despite these positive trends, there are concerns about access to adequate training. Based on the survey, only 44% of participants in the United States reported having access to cybersecurity training programs.

A redacted version of a report by the Office of the Inspector General at the Department of Homeland Security has been released. The IG was looking into the TSA's formulation and enforcement of pipeline safety regulations after the May 2021 ransomware attack against Colonial Pipeline. The TSA responded with two regulations. One, Security Directive Pipeline-2021-01, and two, Security Directive Pipeline-2021-02, titled Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing, issued on July 19th of that year, requires owners and operators of pipelines designated as critical to implement additional and immediately needed cybersecurity measures to prevent disruption and degradation to their infrastructure in response to an ongoing threat. The issue is in the oversight. The IG found that TSA, while it properly worked with stakeholders to develop the rules, did not effectively follow up to track compliance. The IG made three recommendations, all of them procedural enhancements, designed to ensure proper oversight of operator compliance. The TSA has concurred with the IG's report and its recommendations and states that improvements are expected to be on the way.

Another Homeland Security Inspector General report found that three of the department's agencies, Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service, did not adhere to department privacy policies or develop sufficient policies before procuring and using commercial telemetry data. The data purchased included mobile device geolocation information, and the IG found that they had not prepared to preserve the privacy of the individuals whose data they purchased.

Ukraine is preparing for winter attacks against energy infrastructure, The Economist reports, a reprise of last winter's Russian counter-grid program. That program was dominated by kinetic attacks, and Ukraine expects more of the same over the coming months. But it's also working to increase its resilience in the face of cyberattacks against power generation and distribution, as these are also expected.

And finally, as the 2024 elections approach, the U.S. intelligence community expects Russia to mount influence operations directed against U.S. support for Ukraine. The New York Times reports that Russian disinformation about NATO in general and the U.S. and U.K. in particular has been common during the war, but the next round of influence operations is thought likely to be directly disruptive in concept. The U.S. elections next year are expected to be targeted, with Russian operators seeking to support candidates unsympathetic to Ukraine and to denigrate candidates who favor continued U.S. support for Kyiv. Heavy use of influence washing and troll farms directed by Russian intelligence services is expected.
Coming up after the break, Ben Yelin on the Department of Commerce placing guardrails on semiconductor companies.
And as part of our sponsored Industry Voices segment, Dave Bittner sits down with Nick Ascoli, founder and CTO at Foretrace, to discuss the last year in data leaks.
Stick around.
Nick Ascoli is founder and chief technical officer at Foretrace, whose offerings include an external attack surface management platform.
In this sponsored Industry Voices segment, I ask Nick Ascoli to explain the differences between a data leak and a data breach and why that difference matters.
There is a fundamental difference between a data leak and a data breach. While the outcome is, you know, overwhelmingly the outcome is the same, which is that an unauthorized third party has access to your data, the difference between a leak and a breach is a leak is basically when sensitive data is exposed publicly and accessible to the unauthorized third party. A breach is a successful attempt to steal sensitive data from an organization's digital infrastructure. Now, that's not Webster's definition of a data leak or a data breach, but that's the definition I go on generally. So a common data leak scenario, the ones especially that we've seen in the last year, are like misconfigured web applications, a file system being made public, an API vulnerability that enables the accessing of data that's not intended for the user. A breach scenario are the ones we're familiar with and see very, very often in some of the larger, more notorious data breach news stories, which is an internal compromise, you know, lateral movement and exfiltration using, you know, complex post-exploitation frameworks. So the common root of a leak is an accident, usually, procedural or technical oversight. Occasionally it's malicious, but in a breach scenario, it's overwhelmingly malicious. So that's the fundamental difference.
For the folks that you work with who are having success in preventing this,
what are the common elements, the things that people put in place to protect themselves?
Pathway to success for ensuring your data isn't present in a data leak is really just doing exactly what the adversary does yourself, which, you know, as our job, that's exactly what I do, is looking for customers' content in the public, really agnostic of source. A lot of people try and take the approach of sort of grouping in data leak detection with third-party risk in the sense that you might monitor or look at the public footprint of third parties. But the reality is, you know, third parties use third parties who use fourth parties. There's an infinite, you know, list of parties involved in the handling of any one organization or any one application's data. So what organizations should be doing is looking for their data completely agnostic of source. That is checking public, open, indexed forms of data wherever they lie, which encompasses a truly wide variety of sources where data gets published online, whether it's by applications or by people, and looking for your data within those. Because if you narrow your scope to where you think your data is, odds are your data is in a lot more places than you think, which is sort of the nature of that fourth-party risk phrase, is that your data will end up in, your third parties have third parties too, and your data is changing hands a lot. So to really find it in the wild, you have to kind of be agnostic of where you think it is and look for it where it actually lies.

What are those conversations like for you? I mean, when you present to someone and say, look, this is what we found, these are the things, is there generally surprise at the degree to which things are out there?
Yeah. I mean, there's certainly been meetings where, you know, the meeting has had to be cut short for it turned into a fire drill right away. Something was out there that wasn't supposed to be, and that's an issue. But overwhelmingly, what we look for, you know, we're monitoring continuously. So these end up as sort of notifications of, you know, us finding an email and password on a, you know, on one of the many public Git sites, or a token present in a public Google Doc for some reason, or, you know, any number of leaked things that we're looking for. These become sort of triaged like a normal internal incident would and baked into the sort of fabric of security operations, which is something that we've pushed for for a long time, is weaving the sort of fabric of external reconnaissance and adversaries' techniques for reconnaissance into traditional security operations such that the response can either be automated with a SOAR, in the case that it can, or is triaged by the internal security team and managed the way it should be. These incidents usually involve a little bit more, you know, potential legal or PR consideration due to their public nature. But usually the remediation still falls in the hands of the security team. But there is, to your point, there's a lot of surprise. There's really no shortage of findings that we end up coming up with of data that the customer truly could not have predicted ended up there. And that's because the handle that an organization tries to get on where their data is going via, you know, subsidiaries, vendors, partners, consultants, their sort of known register of people who have their data, often ends up looking a lot different in reality. And places that their data end up, while, you know, they would seem innocuous, like a developer using GitHub, even though, you know, the organization is a Bitbucket shop. One misconfiguration of a repo making that proprietary code with hard-coded stuff in it public, which is an example we do see a lot, can have dramatic consequences, despite it being one person engaging in a single shadow IT instance. So there are a lot of surprises, definitely.
What are your recommendations for organizations
who want to do a better job with this,
who want to start down this path of getting a handle here?
How should they begin?
I think starting from scratch, you should be looking at your external footprint through the lens of an adversary to the extent that you can. And there's a lot you can do without making an investment upfront, like rotating, if you're an enterprise, rotating defenders to search for this kind of data by hand. And I'm talking literally running Google dorks, you know, on some schedule, querying Shodan yourself, querying, you know, looking on the Git sites for your code showing up, maybe perusing or having an experienced OSINT professional peruse criminal forums and marketplaces for the presence of your data to understand where it exists online. But do this by hand to understand the scale that you're dealing with, and then to the extent that you can, automate it and look into tooling that can automate it for you to get ahead of these issues. Otherwise, it's something that will pop up. You'll get the sort of reconnaissance pages of your pen test report, and that will be your picture of the outside. But the issue is that's a snapshot. So having defenders, rotating defenders, or offensive personnel, if you have it, doing this continuously enables you to be, A, much better prepared for those findings, and B, hopefully getting in front of those findings so that you don't find out six months later that this service was misconfigured and facing the public, but you find out, you know, when it goes online.
That's Nick Ascoli, founder and chief technical officer at Foretrace.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Hey, Ben.
Hey, how are you, Dave?
I'm doing well, thanks.
Interesting article here from The Record, which is Recorded Future's news organization.
This is written by Martin Matishak.
And it's about guardrails that the folks at the Department of Commerce
have put on semiconductor companies in the effort to increase national security here.
What's going on here, Ben?
So last year, Congress enacted a bill called the CHIPS and Science Act, and this was a bipartisan bill to boost domestic semiconductor manufacturing. It was considered a really big legislative accomplishment. This is something that's going to be good for our economic development and to be a leader in the semiconductor field.
And take away some of our dependence on other nations, and I suppose specifically China for the manufacturing of a lot of our semiconductors.
Yeah, yeah.
That's actually one of the reasons they passed this legislation
is so that the United States can be that counterweight to China
in advancing this type of computing technology.
So in that spirit, the U.S. Commerce Department
has released their national security guardrails
from any business that's seeking federal funding under this legislation.
Basically, the regulation would prohibit companies that are receiving funding under this bill from, quote, expanding material semiconductor manufacturing capacity in foreign countries of concern. And those foreign countries, namely, are China and Russia. And that would be applicable for a period of 10 years. I think there are kind of two ways to look at it. One is that this is kind of a protectionist measure that is intended to boost U.S. industries. We don't want any of the funding, even in an indirect way, to go to Chinese and Russian entities. Now, a classic economist might tell you that these types of protectionist measures end up hurting us all in the long run. I'm not somebody who tends to think that way, so I understand why, especially given the goal of the legislation, which was to boost U.S. manufacturing, that you'd need these national security guardrails. And then there's just the general national security concerns. I mean, semiconductors are going to be a part of our critical infrastructure. Having these types of chips, these chips are going to fuel things that we need to live and survive and to secure our country.
Right.
And putting any money in the hands of our entities controlled by our foreign adversaries certainly presents some of those long-term risks that we would really like to avoid. So I certainly understand it from that perspective.
It also points out that it restricts them from engaging in certain joint research or technology licensing efforts. What does that address here?

So I just think it would be like going in on a contract together. So you have like a U.S. company who's bidding on money that's being released under this bill. If they were to go in on a bid with a Chinese or a Russian company, that would generally be prohibited under these regulations so that we're fulfilling the goal of the bill, which is to boost domestic manufacturing. You don't want a tiny U.S. company that's, granted, this is an absurd example, but you don't want a tiny U.S. company that's just going to do like the grants management and then all the actual semiconductor production goes to a Chinese company. So I think they're trying to limit those types of partnerships. And there is an enforcement mechanism. Basically, if you are found to be violating these guardrails, then you would have your own federal dollars revoked. And I don't think any company wants to see that happen.

Yeah. Do you suspect that this is going to cause a lot of heartache here or these seem to be reasonable restrictions?

I don't think these are necessarily surprising. You might have some type of deleterious effect on the industry just because prior to this point, China in particular has been such a leader in this field. So you might be relinquishing some of your access to institutional expertise by having something like this. But I just think it's still prudent for a couple of reasons. One, the purpose of the bill was increasing domestic manufacturing of these chips. And two, I think we just have to recognize the major national security implications. We don't want to be beholden to some of these foreign countries. So I think any sort of negative effects that would come from these types of regulations are outweighed by the national security imperative here.
All right.
Interesting stuff.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefings at thecyberwire.com.
We'd love to know what you think about this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is me, with original music by Elliot Peltzman.
The show was written by our editorial staff, our executive editor is Peter Kilpe,
and I'm Tré Hester, filling in for Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.