A threat to release stolen proprietary data. The C2C market: division of labor and loss-leading marketing ploys. Misconfigured Salesforce Communities. Sanctions-induced headwinds for Huawei.
Elliott Peltzman: RansomEXX threatens to release stolen proprietary data. Some looks at the C2C market, the criminal division of labor and a splashy carder marketing ploy. Misconfigured Salesforce Communities expose organizational data. Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment. Ben Yelin on the proposed U.S. Bureau of Cyber Statistics. Huawei faces sanctions-induced headwinds. Mexico's investigation of Pegasus abuse continues, but so far without arrests or resignations.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Tuesday, August 10, 2021.
Elliott Peltzman: The RansomEXX gang, recently active against targets in many countries, is threatening to leak sensitive information it stole during its ongoing extortion of hardware manufacturer Gigabyte, Computing reports. The data are claimed to be proprietary, with many of them under nondisclosure agreements.
Elliott Peltzman: The attack caused Gigabyte to shut down some of its operations last week. BleepingComputer saw the ransom note, which said, in part, quote, "we have downloaded 112 gigabytes of your files, and we are ready to publish it. Many of them are under NDA," end quote. Screenshots of four documents said to be under an NDA were provided to show that the thieves had the goods they claimed.
Elliott Peltzman: A study by the cyber intelligence shop at IntSights sketches the criminal-to-criminal market and why it exists in the first place. Truly vertical integration is as rare in the underworld as it is in legitimate markets. No gang is likely to be able to do it all, hence the emergence of affiliate programs, initial access brokers and so on.
Elliott Peltzman: IntSights' white paper says, quote, "these underground criminal websites are key enablers for both buyers and sellers. On one hand, they enable buyers with fewer skills or resources to obtain raw materials with which to construct criminal enterprises, including malware, other malicious tools, illicit infrastructure and compromised data, accounts and payment card details. This accessibility lowers barriers to entry into the criminal ecosystem for actors who might otherwise lack necessary skills or resources but have the money to make investments. On the other hand, these websites enable actors with more skills and resources to monetize the fruits of their labor and convert their attacks or other malicious activities into profits," end quote.
Elliott Peltzman: The criminal-to-criminal fora are polyglot, but the Russophone sites appear to be the leaders. IntSights writes, quote, "the Russian-language forums tend to have the most unique and sophisticated offerings and often display higher standards of professionalism. English-language forums include not only North American and other native Anglophone criminals but also nonnative speakers of English from around the world, including former British colonies. Other language-specific forums serve geographically concentrated communities, such as the Romanian speakers of Romania and Moldavia and the Portuguese speakers of Brazil, both of which are also significant hubs for cybercrime. Forums also exist in other widely spoken languages, such as Spanish and German," end quote.
Elliott Peltzman: The initial access brokers form a thriving subsector of the criminal economy, and buying access makes economic sense to the criminal gangs who are the purchasers.
Elliott Peltzman: The C2C marketplace also sees a range of marketing ploys. AllWorld Cards, a relative newcomer to the carding market - the underworld market where pay card information is traded - is seeking to make a name for itself by dumping about a million stolen cards online. BleepingComputer reports that Livorno-based security firm D3 Lab has looked at the dump and believes about half the cards are current and valid, which is an unusually high fraction for any carder offering. And security company Cyble told BleepingComputer that the data on offer includes credit card numbers, expiration dates, CVVs, names, countries, states, cities, addresses, ZIP codes for each credit card and email addresses or phone numbers.
Elliott Peltzman: The criminal buyers of carder services seem to have been favorably impressed by the marketing ploy, and so AllWorld Cards will probably bear watching. To Interpol, Europol, the FBI and other law enforcement authorities, we simply say, good hunting.
Elliott Peltzman: Security firm Varonis has found exposed Salesforce Communities accessible to the internet. The exposures are the result of misconfigurations. The data at risk includes such things as customer lists, support cases and employee email addresses.
Elliott Peltzman: If such a misonfiguration is detected and exploited, what would the consequences be? Varonis says, quote, "at a minimum, a malicious actor could exploit this misconfiguration to perform recon for a spear-phishing campaign. At worst, they could steal sensitive information about the business, its operations, clients and partners," end quote. There's also the possibility of lateral motion from the Salesforce account into other services that the organization has integrated with their Salesforce account.
Elliott Peltzman: The U.S. continues its efforts to persuade friendly governments to avoid Huawei-manufactured equipment. Reuters describes a recent U.S. approach to Brazil, during which the U.S. observed that Huawei's supply chain difficulties would end up with it leaving Brazil's telecommunications infrastructure high and dry. Those supply chain difficulties, of course, have been induced by worldwide concern over the security risks Huawei equipment may carry with them and, of course, due to U.S. sanctions that have restricted Huawei's access to the technology it needs to develop and produce its products.
Elliott Peltzman: China's Embassy in Brazil has protested what it characterized as American smears and coercion. The state-run media outlet Global Times says the embassy put it this way - quote, "we express strong discontent and vehement objection to such behaviors of publicly coercing and intervening in other countries' 5G construction and sabotaging normal China-Brazil cooperation," end quote.
Elliott Peltzman: The Washington Post and SecurityWeek both have overviews of how Apple's child protection initiatives have prompted a resurgence in the Crypto Wars. We'll have more notes on the current engagement in this afternoon's Pro Policy Briefing.
Elliott Peltzman: Mexican prosecutors continue to investigate their country's corner of the NSO scandal, seeking to determine who authorized using Pegasus intercept tools against ordinary citizens and government critics. Reuters reports that so far, there's no joy. They've come up with no arrests and prompted no firings.
Elliott Peltzman: Watchdog organizations have been critical of the investigation's progress, complaining that the office conducting the probe is effectively itself implicated in the use of Pegasus. The investigators point out that it's a difficult and complicated investigation. Ricardo Sanchez Perez del Pozo, head of the Special Prosecutor for Crimes against Freedom of Expression, defending his investigative team, said they were close to bringing the first case to court. He told Reuters, quote, "this is a really complex investigation. It has advanced significantly," end quote.
Elliott Peltzman: Mexico was the first significant international Pegasus customer, spending 160 million on the intercept tool since 2011.
Elliott Peltzman: And finally, a quick reminder that it's Patch Tuesday. Expect fixes to be issued throughout the day.
Dave Bittner: Ron Brash is director of cybersecurity insights at Verve Industrial Protection. I caught up with him recently for his reaction to a CISA advisory regarding ICS equipment from General Electric.
Dave Bittner: So today we're going to be talking about this new CISA advisory regarding the GE ICS equipment. Can we start off with just some high-level stuff here? Can you give us a little brief overview of what we're talking about?
Ron Brash: Sure. So, I mean, there was four - I think four different organizations involved here. There was Idaho National Labs. There was SCADA-X. There was - and when I say Idaho National Labs, it's, like, the CyTRICS program. And then you have VuMetric.
Ron Brash: And obviously, there's a lot of people that went in - you know, a lot of thinking that went into making this collection of vulnerabilities. But actually, what it does is it affects a large number of products that share very similar firmware to each other that accounts for a big portion of the energy industry's relays. But they're not just limited to the energy industry because you can make energy anywhere, or you run a turbine or a generator. And so these separate devices, these protective relays are used all over the place, not just, you know, for example, in windmills or next to a coal turbine. But they're used even, you know, for heating the water in a mine (ph) in a remote area. It's not your typical GE product demographic, but that could be a potential use case of it.
Ron Brash: So there's a bunch of vulnerabilities there that affect what largely looks like third-party components, right? There's things with, you know, the ciphers that are used for communication over SSH, for example. You also have issues with the web server that's running on the device and how it parses traffic. And then there's other functionality, such as - that we call first-year OEM software - right? - that can push firmware into the device and there's no integrity checking up on it. And then there's also - there's some bootloader problems there, too. So there's a whole gamut of vulnerabilities in this release.
Dave Bittner: And so what are the opportunities for folks to mitigate the issues here?
Ron Brash: Well, the good news is that GE did the right thing and said, hey, you know, we do provide firmware updates, right? That's a great step by a vendor. Unfortunately, instead of just saying, like, hey, we're going to end-of-life the product; you should move to a newer one, the updates don't apply to all of the firmware of all of these devices.
Ron Brash: So there's 14 different CPU revisions for this device, which would make sense, right? It's lived a long time. It's over many different products. There's just different hardware inside of each of them. And there's only firmware really available for four of those 14 different CPUs. Now, I'd say this - all of the fixes are unique, right? There's different versions of firmware for all of them. But there is some gaps there. So if I were to say, go update your devices when it's appropriate, that works if you can. But if you can't - right? - you want to make sure that you've, you know, locked down the devices to a set of least functionality or least principal (ph) features that are available to the device.
Ron Brash: So I'll give you an example. If you have the option of turning of web server, do it, right? Like, if you're not using it, that would make sense. You know, the bootloader vulnerabilities - you know, watch for weird things at startups, right? Prevent them from physical access.
Ron Brash: The vulnerability for that one was actually a bit misquoted, not one I could speak to much more. But the other ones - you know, limit the access to them. Make sure they're on isolated networks. Make sure the system's speaking to them by speaking to them in a secure manner and are secure themselves.
Ron Brash: You know, it's your general boilerplate cybersecurity, you know, remediation strategies. But in particular, because these devices are used in critical infrastructure and in a very critical-in-function-type situations, we really need to be - to engineer out the risks by doing all of the things that I just mentioned.
Dave Bittner: And to what degree will the folks who are working with this particular type of equipment be aware that, first of all, they're working with this kind of equipment and that potentially they have an issue here?
Ron Brash: Well, probably one of the first indicators that you'd have this device - I mean, assuming that you knew nothing about your inventory of assets out there in the field - one of the things that they'll probably do is to look through, hey, which OEM software tools that we have, right? So that could be the Enervista series. And for each of these products, they have their own installers. But you want to find out what you're using and where it's being used from.
Ron Brash: So they're probably going to say, OK, we know we got some GE relays out back. Hey, let's pull up the specs or log in to the technician laptop or something and see if that OEM software's there. If you see it there, chances are then you know that you have at least one of these devices out there in the field. So that would give you a good indicator of, you know, OK, I have a problem. Let's go figure out how many devices I have.
Ron Brash: The other thing is many of these devices are in their most insecure deployment schema, if you will. There's a bunch of reasons for that. Part of its integrators didn't do - you know, didn't harden them. The customer didn't require it. These options are there, but no one used it because it had some sort of idiosyncrasy where it didn't work under a situation. There's plenty there for a vendor to get started even without a firmware update.
Ron Brash: And then what they want to do is to make sure that those devices are secure within their premises and also within their particular network zones as well.
Dave Bittner: How do you see things playing out as we go forward in terms of this being an ongoing issue?
Ron Brash: This will absolutely be an ongoing issue. Vulnerabilities will continue to be created, right? They - well, I mean, not created. Discovered is probably a better term. And in that case, what you need to do is to think about a consequence - you know, engineer of the risk - consequence-based engineering - right? - to quote Andy Bochman and INL. You're going to have to think more about that. You're going to have to think that almost all embedded devices are vulnerable. So what do I do to get that risk down to a level that I'm comfortable with? And to do that, you'll have to think about compensating controls right off the bat and try to really limit, you know, the connections to these devices.
Ron Brash: One option might people to say (ph), well, let's not have any ethernet, you know, functionality. Let's go back to the old analog and serial ways. There's a reason why we got away from that. And so I don't see that as a particularly good option.
Ron Brash: But one option could be for asset owners to start leveraging more of the secure deployment guidelines that are produced by vendors and forcing their integrators, forcing the persons that are installing this gear, to actually adhere to them and actually testing whether or not someone actually did the work - right? - instead of just saying they did so. I think that there'll be more focus on that, of secure deployments moving forward. But a lot of these devices are legacy devices or legacy deployments. And so we're just - we're, you know, doing cleanup at the moment.
Dave Bittner: That's Ron Brash from Verve Industrial Protection.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article - this is from the folks over at Federal News Network. This one's written by Jory Heckman, and it's titled "National Cyber Director: Bureau of Cyber Statistics Needed to Understand the (ph) Threat Landscape." What's going on here, Ben?
Ben Yelin: So this article leads off with a great hook. I did not know about this historical fact. But in the early days of the U.S. Post Office, when Benjamin Franklin was postmaster general, he gave local postmen at the time a task to jot down the local weather conditions, mail them back to headquarters on a postcard so that they could aggregate information because Benjamin Franklin rightly realized that weather in one area didn't exist in a vacuum and you could understand more about, you know, the meteorological conditions in this country by collecting a wide array of data.
Ben Yelin: To circle that back to something that's relevant to us, what the national cyber director, Chris Inglis, said at a recent meeting is that we need to engage in a similar sort of effort as it relates to cyberthreats. We need to know, in his words, which way the winds are blowing.
Ben Yelin: So his idea is to stand up what would be called a Bureau of Cyber Statistics - this would require an act of Congress - that would be housed within the Department of Homeland Security. And they would be tasked with collecting, analyzing and publishing data on cybersecurity, cybercrime and threats.
Ben Yelin: You know, one thing that's interesting to me is these are the type of statistics that have been so valuable to us in a pandemic. We've been collecting them in the public health realm. Obviously, we haven't been doing a good enough job collecting that data.
Dave Bittner: Right.
Ben Yelin: But to get a, you know, full understanding of - to get a full threat assessment - you know, what are the conditions out there, what are the variants of concern that are going to increase infections, what are problem areas of the country where we're seeing surges and hospitalizations? - we have, through the CDC, set up a centralized system where we can collect data from states and localities, local hospital systems, to understand the threat landscape.
Dave Bittner: Right.
Ben Yelin: And right now, we don't have that in the cyber world. So this is not only an idea that's been pushed by Director Inglis, but it was also originally proposed in the Solarium Commission report, which is interesting because one of the other recommendations of the Solarium Commission report was to create the job that Mr. Inglis himself now holds. So Congress certainly has taken to heart some of those recommendations in the Solarium Commission report, and I think it would be wise of them to take this recommendation as well.
Dave Bittner: You know, I've heard some folks compare this sort of thing to aviation where, you know, if you have an incident, you're obligated to report that incident, and then there will be an investigation. Could we see a similar sort of effort? I mean, could something like that be rolled into this organization?
Ben Yelin: Yeah. I mean, I think that's what the idea is here - is you're collecting disparate information on individual circumstances and trying to aggregate it so that you get a better picture of the threat landscape. And we see that in, you know, law enforcement tools that are used at the local level where you're collecting information on the location of crime, high crime, certain characteristics of neighborhoods that lead to more violent crime.
Ben Yelin: Now, obviously, we can question the accuracy of those tools, but the idea is each piece of disparate information is not collected in a vacuum. You have to have some sort of central location where it's stored and analyzed so that you can identify the next threat potentially before it comes to pass.
Dave Bittner: I guess what I'm getting at, though, is also the obligation to report because we hear, you know, folks are reticent to report ransomware incidences, for example, because of - they don't want to be - they don't want the bad PR that could come from that with their customers.
Ben Yelin: In an ideal world, there would be an obligation to report. That might not be as politically tenable. I still think creating this Bureau of Cyber Statistics would be valuable even if there wasn't a legal obligation to report...
Dave Bittner: Right.
Ben Yelin: ...Because a lot of entities would still voluntarily report. You know, if they're less concerned about their own liability or, you know, if they're sure they're not going to be held liable or, you know, they're not going to suffer reputational damage from being the victim of a cyberattack, they may see value in a broader effort to, you know, aggregate information and try and protect our networks for the future. So I think it can still work even in the absence of mandatory reporting, and I think the article makes that clear.
Ben Yelin: We're not always going to collect every piece of relevant data. The more data we can aggregate, the better. So, you know, I think as long as we recognize that this is going to be an imperfect system, I don't think that should stop us from setting up a system that would perform that role.
Dave Bittner: All right. Well, again, the article is from the Federal News Network. It's titled "National Cyber Director: Bureau of Cyber Statistics Needed to Understand Threat Landscape." Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at thecyberwire.com/sponsor.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman, filling in for Dave Bittner. Thanks for listening.