The CyberWire Daily Podcast 6.2.21
Ep 1345 | 6.2.21

The big ransomware incident in the food-processing sector. US authorities seize domains used in Nobelium’s USAID impersonation campaign. Siemens addresses PLC vulnerabilities.

Transcript

Dave Bittner: Turns out food processing is also vulnerable to ransomware - the case of multinational meat provider JBS. The U.S. and Russia are in communication about the possibility that the criminals responsible for the JBS incident might be harbored in Russia. Domains used in the USAID impersonation campaign have been seized by the U.S. Justice Department. Our guest is Melissa Gaddis from TransUnion with results from their Global Consumer Pulse study. Joe Carrigan looks at criminals abusing online search ads. And Siemens addresses a critical issue in its PLCs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 2, 2021. 

Dave Bittner: JBS, the Sao Paulo-based multinational meat processing company, sustained a ransomware attack on Sunday. Company servers in the U.S. and Australia were hit, inducing the company to shut down some operations in Australia, the U.S. and Canada. Operations elsewhere were unaffected. 

Dave Bittner: The company summarized the incident in a media release it issued the day after the attack. Quote, "on Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack affecting some of the servers supporting its North American and Australian IT systems. The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals and third-party experts to resolve the situation. The company's backup servers were not affected, and it is actively working with an incident response firm to restore its systems as soon as possible," end quote. 

Dave Bittner: A follow-up announcement yesterday said that JBS had begun resumption of deliveries to its customers and that a full recovery is in progress. As far as the company has been able to determine, no customer, supplier or employee information was compromised. 

Dave Bittner: JBS concluded that it had been hit by a Russian ransomware gang and, Reuters says, communicated that conclusion to U.S. authorities who seem to have accepted it. And while JBS didn't initially call the attack ransomware, the White House did. The BBC cites White House spokeswoman Karine Jean-Pierre, who yesterday said, quote, "JBS notified the White House that the ransom demand came from a criminal organization likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," end quote. 

Dave Bittner: If they're betting on form, on a priori probability, that's not an unreasonable working theory, and JBS presumably has shared the ransom note. Russia's deputy foreign minister, Sergei Ryabkov, confirmed that the U.S. government had been in touch with Moscow. There's no word on whether JBS has paid, intends to pay or has refused to pay the ransom the attackers demanded. 

Dave Bittner: JBS is a very big operation; currently, the world's largest beef and poultry producer and the second largest pork producer, BleepingComputer points out. The FBI is investigating, as are law enforcement agencies in Australia, where, the ABC reports, the Federal Agriculture Ministry is working to help bring JBS operations back online. The Australian Cyber Security Centre is also rendering assistance. Forbes describes the effects of the attack on JBS Canadian plants, where facilities in Alberta and Ontario also suspended operations. 

Dave Bittner: The industry publication Beef Central has an account of the effect a ransomware attack can have on a food processor. They wrote, quote, "like all large meat processors, virtually every part of the modern JBS processing business is heavily reliant on computer systems and internet connectivity for record-keeping, regulatory documentation, sortation, and countless other functions," end quote. The sector is one in which timing is vital to the supply chain, and the effects of a disruption in a major supply quickly ripple through vendors and customers. 

Dave Bittner: The Wall Street Journal quotes industry observers to the effect that a lot of frenzied buying of fresh commodities is underway. The incident has also had an effect on commodities speculation. Quote, "Live cattle-futures trading on the Chicago Mercantile Exchange fell on Tuesday, with the most-active cattle contract closing down Tuesday by 1.9% to nearly $1.17 a pound. The primary factor driving the contract down was the hack, livestock traders said, raising the risk that some plants would be unable to purchase livestock." 

Dave Bittner: Comparisons with the Colonial Pipeline incident have been widespread, with Input magazine providing a representative sample. In both cases, a ransomware attack on a critical private sector company induced that company to shut down operations while it contained and remediated the incident. 

Dave Bittner: The attack on JBS was, like that on Colonial Pipeline, brazen in that, as Recode points out, they picked a high-profile target where an attack couldn't be quietly hushed up or go without general public notice. This suggests that the gang really aren't particularly concerned about being detected and pursued. And that seems to have been true in both cases, whatever implausible statements Colonial's DarkSide attackers may have made about retiring from their criminal activities.

Dave Bittner: The Washington Post's Cyber 202 quotes with approval various experts who think this latest incident makes the case for mandatory industry standards and more effective regulation even stronger than the Colonial Pipeline attack had already rendered it. 

Dave Bittner: So the JBS hack will give Presidents Biden and Putin another possible topic of discussion during their upcoming summit. The U.S. president is expected to bring up the SolarWinds incident and the more recent compromise of USAID's Constant Contact email account. That second incident, described by Microsoft, SecureWorks, Minerva, and others, is seen by many as a supply chain incident, and many are calling for U.S. action against the presumed Russian authors of the attack. CISA and the FBI are being circumspect about attribution, but industry researchers are not, attributing the campaign to the threat actor variously called Nobelium, APT29, Cozy Bear and The Dukes, or, in plain organizational terms, Russia's SVR foreign intelligence service.

Dave Bittner: Part of that action will be legal, as it has been in past incidents. The U.S. Department of Justice yesterday announced the seizure of domains the USAID impersonators used to control the Cobalt Strike tools they implanted in their victims' networks. The action was taken on Friday, pursuant to an order issued by the U.S. District Court for the Eastern District of Virginia. The announcement said, quote, "The National Security Division's Counterintelligence and Export Control Section and the United States Attorney's Office for the Eastern District of Virginia are investigating this matter in coordination with the FBI's cyber division and Washington field office," end quote. 

Dave Bittner: Here on the U.S. East Coast, Brood X cicadas are having an increasing impact on industry. For more on that, we go to the cicadas right outside our office door. 

(SOUNDBITE OF CICADAS BUZZING) 

Dave Bittner: That was Brood X cicadas for the CyberWire. 

Dave Bittner: And finally, CISA has issued an advisory about vulnerabilities found and patched in the Siemens SIMATIC S7-1200 and S7-1500 CPU families of programmable logic controllers. Industrial cybersecurity firm Claroty's analysis of the vulnerabilities calls them the holy grail of PLC vulnerabilities. The memory bypass issues could permit attackers to write native code in the PLCs. As CISA puts it, quote, "Successful exploitation of this vulnerability could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks," end quote. If you operate Siemens PLCs, by all means, upgrade to the latest versions the company has provided. 

Dave Bittner: The folks at consumer credit reporting agency TransUnion recently published their Global Consumer Pulse Study, and it confirmed what many of us probably expected. Attempts at digital fraud were way up throughout the pandemic. Melissa Gaddis is senior director of customer success for global fraud and identity solutions at TransUnion. 

Melissa Gaddis: Well, we track fraud, fraud trends. And the consumer survey has been conducted for years. But we were particularly interested a year or so ago in the impact that COVID and the pandemic was having on fraud, both via the surveys - we're finding, via the surveys that we're sending out globally, as well as what we're seeing with our own transactions within our TruValidate solutions. 

Dave Bittner: Hmm. Do you have any sense for whether we expect to see this continuing as things settle down post-pandemic? In other words, is this the shape of things to come, the shift towards an increased focus from the bad guys on these types of fraud, or might we see things ease off a little bit?

Melissa Gaddis: I think we're going to see a few things. First, I don't think that we're going to go back to where we were pre-pandemic. I think that people - the way we're working is shifting. I think more people are going to be telecommuting. I think more businesses have found a niche on being online where they wouldn't necessarily have gone as quickly as they did this past year. Not a hundred percent brick-and-mortar businesses are opening back up. People are going in person, and there's a real value in that. But it's not going to go back to where we were before. And as such, there's more opportunity for fraud to be perpetrated.

Melissa Gaddis: However, as businesses decide this is their reality moving forward and their business model moving forward, we have seen a shift in businesses put protections in place - you know, monitoring devices that are accessing their accounts, knowing where - you know, that Melissa Gaddis usually logs in from, you know, one of the four devices I have on my desk. Right? 

Dave Bittner: (Laughter) Right, right. 

Melissa Gaddis: And - but from Portland, right? And knowing when the anomalies kick in and questioning in real time, you know, maybe putting in some friction to ensure that it is me, if suddenly I pop up from, you know, somewhere else in the world, which pre-pandemic would have been normal because I traveled quite a bit and will again. But they have to - they have to recognize that. But as businesses put those protections in place, which protect both the consumer and the business, now it gets harder for the fraud to be perpetrated. And therefore, again, going back to that return on investment, the fraudsters are going to find a different avenue. They're always going to find a new avenue. 

Melissa Gaddis: So I think the fraud trends are going to start lowering, declining. But it's not going to go back to where we were, just because there's more avenues now. I do think, though, that as the dust settles here, we will start seeing less of this younger generation getting targeted because now it's becoming the new norm. People are going back to employment and that sense of desperation goes away or it lowers. People aren't going to fall for the phishing attacks like they have been in the past year. 

Dave Bittner: That's Melissa Gaddis from TransUnion. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, over on "Hacking Humans," we cover a lot of scams and social engineering, things that - all that stuff. 

Joe Carrigan: All that great stuff, yeah. 

Dave Bittner: (Laughter) All that great stuff. And, you know, I don't know about you, but this is - there's a story over on The Verge written by Sean Hollister. And it's titled "Amazon is Suing to Stop SMS Raffle Scams." Have you ever received one of these scams? Why don't you describe to us what's going on here, Joe? 

Joe Carrigan: So it's a typical SMS scam. It's - I like the way they call it smishing, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Because it's like phishing, but you use SMS instead of email. 

Dave Bittner: Right. 

Joe Carrigan: So the victim receives a text message. And in fact, the author, Sean, has received one such message and has a picture of it here. And what's interesting is it says Amazon - colon - congratulations, Sean. And then it says, you came in second in March's Amazon pod raffle. Check the link or click the link to - click the link to - and then colon - and it just has a link. 

Dave Bittner: OK. 

Joe Carrigan: Right? And there's one of those - it looks like it's one of those link-shortening services. 

Dave Bittner: Right, right. 

Joe Carrigan: But who knows what it is. 

Dave Bittner: (Laughter). 

Joe Carrigan: It could just be a link to the - because it looks like a random series of characters... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In the domain name as well. 

Dave Bittner: Right. 

Joe Carrigan: Of course, when you click on the link - Sean actually did that. And it says, congratulations. Today, you've been chosen to participate in a survey. And then, it collects a bunch of information from you and then tries to get you to buy stuff from some other site that isn't Amazon. And the speculation is that this SMS is being sent out by some affiliate of some other marketing organization. So Amazon has filed a lawsuit against 50 unnamed people. They're all John Does - is what they're called. 

Dave Bittner: Yeah. 

Joe Carrigan: And this tactic has worked in the past to help unmask these people. So what they do is they get a Doe subpoena, and then they start going after the senders of these messages to try to find people. In the past, they have found four people and managed to get an injunction issued. I don't know how effective that is. In fact, they may find the same four people behind it right now.

Dave Bittner: (Laughter). 

Joe Carrigan: And Amazon says it's won at least $1.5 million in settlements. 

Dave Bittner: Yeah. 

Joe Carrigan: I'd like to know how many of those $1.5 million they have collected. I would guess it's very close to zero. 

Dave Bittner: Yeah. Well, and all that's chump change for Amazon. 

Joe Carrigan: Sure it is. 

Dave Bittner: I think - I mean, part of the - what's interesting here is that that page that Sean clicked through to looks just like an Amazon - I mean, it's branded with all... 

Joe Carrigan: Right. 

Dave Bittner: ...Sorts of Amazon stuff, right? 

Joe Carrigan: And that's actually the basis of the lawsuit... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is saying, we're going after these people because they're using our logo. And you know what? You know, I think Amazon should be doing this. No. 1, it's not just trademark infringement, it's actually harming people in Amazon's name. And they should absolutely be going after these people. 

Dave Bittner: Yeah, reputational damage. 

Joe Carrigan: Right. 

Dave Bittner: All that sort of stuff. 

Joe Carrigan: Yup. 

Dave Bittner: Yeah. And also, they make the point here that it's also putting the word out to other folks who may be trying to pull off these sorts of scams that Amazon is going to try to come after you. 

Joe Carrigan: Right. 

Dave Bittner: And so you're going to have to be looking over your shoulder. 

Joe Carrigan: Yeah, absolutely. And I'm not really one to say, yeah, I want companies going after people, especially large, powerful, multinational conglomerate companies run by billionaires who send rockets into space... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...Coming after people. But in this case, you know, I think Amazon is doing the right thing here. I think they're doing what they should. They need to protect their image, you know, which they're entitled to do. 

Dave Bittner: Yeah. 

Joe Carrigan: But they - more importantly, they need to protect the consumers. And this is definitely something that moves in that direction. 

Dave Bittner: Yeah. And I guess also, obviously, the other part of this is that if you find yourself getting one of these text messages, ignore it. Don't... 

Joe Carrigan: Right, absolutely. 

Dave Bittner: Yeah. But also, you know, spread the word to your friends, family, loved ones, you know, your parents, all those folks. Because, you know, those of us who are in the know about these security things, we may, you know, raise our eyebrows and laugh that, how could someone fall for this? 

Joe Carrigan: Sure. 

Dave Bittner: But as we talk about over on "Hacking Humans," people fall for these things all the time. 

Joe Carrigan: All the time. 

Dave Bittner: And we can't, you know, blame the victim, can't make them feel bad about it. The best we can do is equip them so that if they do get something like this, they're educated to know what to do and to not do anything. 

Joe Carrigan: Right, and they just ignore it. 

Dave Bittner: Yeah. 

Joe Carrigan: Exactly. Block the sender. 

Dave Bittner: Yup, absolutely. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out the first free season of "CSO Perspectives," our podcast hosted by my colleague Rick Howard. It's available on our website, thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.