The CyberWire Daily Podcast 2.10.21
Ep 1267 | 2.10.21

Paying for the bomb the 21st century way. Domestic Kitten’s international romp. Malware versus gamers. Patch Tuesday notes. An update on the Oldsmar water system cyber sabotage.

Transcript

Dave Bittner: What's North Korea doing with all that money the Lazarus Group steals? Buying atom bombs, apparently. Iran's Domestic Kitten is scratching at some international surveillance targets. Not everyone who says they're a Bear really is one. Parking malware in Discord. Notes on Patch Tuesday. Joe Carrigan details a gift card scam that hit a little close to home. Our guest is Saket Modi, CEO of Safe Security, with thoughts on quantifying risk. And the latest on the water system cyber sabotage down in Florida.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 10, 2021. 

Dave Bittner: A United Nations panel charged with monitoring the success of international sanctions at restraining North Korean military ambitions has told the Security Council, the AP reports, that Pyongyang's financially motivated hacking has been keeping the DPRK's nuclear program afloat. An unidentified member of the council said the panel reported that "total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million," end quote. 

Dave Bittner: The return to prominent activity of Iran's Domestic Kitten and Infy surveillance actors, flagged by Check Point earlier this week, continues to attract attention. The Washington Post quotes industry sources as saying that the groups are taking a greater interest in international targets. The BBC describes some of the deceptive masquerades the groups have undertaken to induce victims to install their spyware tools - fake menus, free wallpaper and a range of other malicious apps. 

Dave Bittner: FS-ISAC says that more than a hundred firms were threatened with DDoS extortion last year. The Wall Street Journal observes that the criminals - and straight-up criminals they appear to have been - lent menace to their demands by posing variously as the Lazarus Group - that is, the North Korean state's hackers - or Fancy Bear, which is Russia's GRU. 

Dave Bittner: Zscaler warns that Discord CDN has become an increasingly popular place for threat actors to stash malware - the better to afflict gamers made stir-crazy by pandemic isolation. Game away if game you must - I'll admit it, I've played Clash of Clans a time or two - but play safely. Not all the bad actors are nonplaying characters. 

Dave Bittner: Yesterday was, of course, Patch Tuesday, and CISA released 23 Industrial Control Systems Advisories. Help Net Security has a good rundown of Microsoft and Adobe Patch Tuesday fixes. One noteworthy upgrade from Microsoft - not a patch, but more of an enhancement - henceforth, Windows Defender will alert users if it detects that some cyberthreat actor in the service of a nation-state is beginning to attend to them. 

Dave Bittner: The FBI has released an advisory on the Oldsmar water treatment facility incident. The Bureau said the attack likely exploited an old Windows 7 operating system and weak password security, as they gained access to the TeamViewer software in use at the facility. The Bureau and the US Secret Service have joined state and local law enforcement in the investigation. No suspects have so far been named or arrested.

Dave Bittner: The Tampa Bay Times notes that the attack could have been far worse than it turned out to be. The paper also quotes TeamViewer as saying that while it had no evidence that its software had been compromised, it was monitoring the situation closely. Most speculation holds that the attacker gained access to TeamViewer through compromised credentials. The Miami Herald says that other regional water utilities have assured them that they have safeguards in place that would have prevented the sort of incident Oldsmar sustained. 

Dave Bittner: Who did it remains an open question. ComputerWeekly goes to a canonical source - the 2005 film "Batman Begins," which opens with the villains poisoning Gotham City's water supply. Imaginative hacks can inspire real-world imitators. If this turns out to be the work of some lone skid, said skid may indeed take DC villains as his or her moral lodestar. 

Dave Bittner: Sophisticated has become the cyber equivalent of Lake Wobegon's above average. Where the children of Lake Wobegon were all above average, so too the media are in the habit of calling every attack sophisticated. Maybe yes and maybe no. But it's worth pointing out that the sort of attack Oldsmar's water system sustained was within the range of many threat actors, from the lone twisted creep in a basement to a national intelligence service. And don't, by any means, rule out the lone twisted creep in it for the lulz. 

Dave Bittner: It's also worth noting that critical infrastructure can be hit in a variety of ways. Paradoxically, the very modernization of some sectors has exposed them to new risk, where long-lived legacy systems, by their very age, afforded a degree of resistance to cyberattack, with many controls remaining manual and many automated systems being, by their nature, air-gapped. That's changing, and the risk has risen accordingly. 

Dave Bittner: A final disturbing thought on the Oldsmar water system cyber sabotage - the attack was noticed and stopped by a watchstander who noticed something going on briefly on his workstation that didn't seem right. 

Dave Bittner: As Nozomi Networks' Chris Grove put it in an email, quote, "had a facility operator not noticed the moving mouse on the screen, this attack would have gone much further. That level of attention should have been automated," unquote. And Chris Grove should know. We're told he lives down thereabouts. One hopes that there's more redundancy in such safety systems than a single watchstander, however skilled and alert that watchstander might be. And for heaven's sake, Oldsmar, give that operator a big raise. 

Dave Bittner: Every organization has a unique appetite for cyber risk, dialing in the various proactive, reactive and predictive mitigations they put in place to protect their valuables, all while facing the reality of limited budgets and time. And, of course, there are a number of companies that have been spun up to help organizations balance those complex security equations. Saket Modi is CEO of Safe Security, a company that provides real-time cyber risk metrics. 

Saket Modi: Most companies, Dave, what we've seen - and I'm talking about most Fortune 2000 companies that we talk about - there is the concept of - that there is something called inherent risk and residual risk. And what is your tolerance of the residual risk after applying your cybersecurity controls? In most companies, this concept itself does not exist. Unfortunately, most of the risk management that we've seen is driven using compliances for at least the bulk of Fortune 2000 companies. 

Saket Modi: It is changing in at least the more mature sectors, like financial services and even service providers and a couple of others. But currently, the way we look at it, either ticking the box from a compliance perspective or saying, hey, these are my vulnerability assessment reports or an outside assessment report and my rating of our company are generally the popularly used methodologies of viewing your own risk posture today, Dave. 

Dave Bittner: Well, then how are most organizations going about their own internal risk assessments? 

Saket Modi: So most of the companies that we see, Dave, take the other stance, where they generally hire an auditor once in a year which will come in and do a point-in-time assessment for the sample set of their assets. And then they extrapolate the results for the entire tech stack. And typically, that's a long manual questionnaire-led assessment, which happens based on which, you know, you get a 600-page report with a lot of red amber greens. And that is, we feel, a very dinosaur-age way of looking at risk again. And that's what we see in most companies beyond compliance, what they're doing, Dave. 

Dave Bittner: And so what do you propose here? I mean, what's a better way for organizations to come at this? 

Saket Modi: It's the same way how the CRM industry changed how you look at salespeople, Dave, how the ERP industry changed how you manage your inventory and your billing. We feel that cybersecurity is about time where you move out from a one-time questionnaire-based assessment to an API-based dynamic breach likelihood and risk-scoring engine, which can provide to you at a macro level your overall risk posture of the entire organization, which can be broken down into individual business units or crown jewels or departments and which can further be broken down into individual assets, such as your laptops, desktops, servers, cloud resources, SaaS applications. And you get a real-time breach likelihood score. In other words, we call that as a safe score for every asset within your hybrid environment which is out there, Dave. 

Dave Bittner: That's Saket Modi from Safe Security. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Joe, did you get the gift cards that I sent you? I got the text message from you requesting that I go buy some gift cards and send them out to you. Did you get them? Did you... 

Joe Carrigan: Dave, I didn't ask for any gift cards. 

Dave Bittner: (Laughter) Of course, you didn't. 

(LAUGHTER) 

Dave Bittner: And I ask you because this story came across my desk, and it says, "Johns Hopkins University Warns Of Email Scam Targeting Staff And Faculty." Hitting a little close to home here, huh, Joe? What's going on? 

Joe Carrigan: Yeah, we talk about this in staff meetings, actually. So what's going on is, if you go to any Johns Hopkins department website, you can quickly find out who the chair of that department is. And in our case, at the computer science department, the chair is a guy named Dr. Randal Burns. Now, you can also find out the name of all the staff members that work there, and you can also find out their email addresses because we want people to be able to reach out to us, right? 

Joe Carrigan: This is the same thing that happens at the Information Security Institute. If you look at that webpage, you'll see my name on there. You'll see my email address on there. And you'll see Dr. Tony Dahbura's email on there. And this is the exact same thing that happened to me. I think we talked about this about a year ago or so. Somebody sent me an email impersonating Dr. Dahbura and said, hey, are you available? And I replied to it and said, yes, I am, and I went down to Tony's office only to find it dark. 

Dave Bittner: (Laughter). 

Joe Carrigan: As soon as I see his office dark, I'm like, they got me. Ugh, they got me. I'm so mad about it. And our administrative director comes out, and she goes, I think that was a fake email. And I'm like, not only did they get me, but my coworkers know they got me. 

(LAUGHTER) 

Dave Bittner: Even worse. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Even worse (laughter). Right. Yeah, OK. 

Joe Carrigan: You know, 'cause - it happens. But it always starts with a very simple email that says, hey, are you available right now? And then, if you reply yes, they'll move it to a different platform, right? They'll move it over to mobile devices, where they start texting you. And then they are going to ask you to go and get some gift cards for them 'cause they are in a meeting - right? - and they... 

Dave Bittner: Right. 

Joe Carrigan: ...Need the gift cards for a friend or something like that. So it's a typical gift card scam, and that's just what this is. And when this - this has actually been going on for a while. We get hit with these every so often. And in the past, they have been successful. They've gotten people bilked out of a couple hundred bucks. 

Dave Bittner: Wow. 

Joe Carrigan: And it's unfortunate, but it does happen, right? 

Dave Bittner: Yeah. 

Joe Carrigan: We have had meetings where Randal Burns, Dr. Burns has said, I want to go on record right now; I will never ask you to buy a gift card for a friend or anybody. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: I will never do that. And if I ever do do that, it won't be an email or text. And you know what? I'll never do it. I'm just never going to do this. 

Dave Bittner: Yeah. Well, and, I mean, it's a good reminder that that may be a prudent email to send out to your staff, to your employees, to your co-workers if you're in a leadership position to just preemptively nip this one in the bud and say... 

Joe Carrigan: Right. 

Dave Bittner: ...Hey, everybody, you know, if you ever get something from me that's asking you to buy gift cards, it is not from me. 

Joe Carrigan: Right. 

Dave Bittner: It is a scam. 

Joe Carrigan: Right. 

Dave Bittner: And here's the kind of scam it is - and hopefully inoculate your employees against this particular scam, which is so - which is widespread. I mean, you know, Johns Hopkins University is not an institution that's full of dummies and rubes, right? 

(LAUGHTER) 

Joe Carrigan: Right (laughter). I like to think so, Dave. 

Dave Bittner: I mean (laughter) - yeah. So, you know, if they can fall for it, anybody can fall for it. So it's a good reminder here to just be vigilant about this and help spread the word. 

Joe Carrigan: I would like to remind everybody we had a story on "Hacking Humans" about a woman who teaches in the School of Medicine at Harvard University, and she got scammed out of a lot of money. 

Dave Bittner: Yeah. 

Joe Carrigan: This is not an intelligence issue. This is an emotional issue, right? 

Dave Bittner: Right. 

Joe Carrigan: You are dealing with emotions. You're not dealing with intelligence or short-circuiting your thinking when they're doing this. And that's why they go with the chair of the department, in this case, or if they're doing - if they're targeting a local company or a larger company, they'll go with a CEO or something - right? - and try to use that kind of power and clout behind an email to get you to go, oh, I better pay attention to this, right? 

Dave Bittner: Right, yeah. 

Joe Carrigan: So it's a scam. Just know it's a scam. And just delete the email. You're done. 

Dave Bittner: Yeah, yeah. Absolutely. Yeah. All right, well, it's a good reminder. That's Joe Carrigan. Thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Taste the flavor, miss the fat. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.