The CyberWire Daily Podcast 8.18.21
Ep 1399 | 8.18.21

Taliban seizes HIIDE devices. T-Mobile customer data compromised. Ransomware attack against Brazil’s Treasury. Social engineering espionage. Ransomware vs. sewers. IoT bug disclosed.


Dave Bittner: The Taliban now has, among other things, a lot of biometric devices. T-Mobile concludes that some customer data were compromised in last week's incident. InkySquid's in the watering hole. Brazil's treasury sustained and says it contained a ransomware attack. Siamesekitten's social engineering on behalf of Tehran. Sewage systems are hacked in rural Maine. Josh Ray from Accenture Security on what nation-state adversaries may have learned from observing the events surrounding Colonial Pipeline. Our guest Manish Gupta from ShiftLeft looks at issues with the software bill of materials. And an IoT vulnerability is disclosed and mitigations recommended.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 18, 2021. 

Dave Bittner: Some have warned that one of the more unpleasant consequences of the swift Taliban overthrow of the Afghan government over the weekend would be the new rulers' access to equipment and information left behind by their predecessors. 

Dave Bittner: One seizure combines both risks. Among the material seized by the Taliban in Afghanistan are biometric registration and identification devices that had been used by the former government, The Intercept reports. The Handheld Interagency Identity Detection Equipment, HIIDE for short, was used for such tactical purposes as checkpoint control and also in broader programs, like the preparation of identity documents. The biometric modalities collected by HIIDE include iris scans and fingerprints. The larger centralized databases to which the devices were connected held and possibly still hold biographical information on a large number of individuals whose biometrics had been registered by HIIDE. How much of the data the Taliban will be able to access remains unknown for now. 

Dave Bittner: T-Mobile has determined that, in fact, customer data were accessed by attackers, presumably those who advertised late last week in a dark web market that they had the goods for sale. The data affect just under 48 million customers. No pay card or other information appears to have been compromised, T-Mobile says. 

Dave Bittner: But what was lost is serious enough. In the worst cases - not all 48 million cases, but in the worst of those - the data included customers' first and last names, date of birth, Social Security number and driver's license ID information. The company is in the process of alerting affected individuals. We'll have more notes on this incident, along with some security industry reaction, in this afternoon's Pro policy briefing. 

Dave Bittner: Volexity yesterday reported that the North Korean APT it tracks as InkySquid, also known as APT37 or ScarCruft, has compromised the NK News site into a watering hole, serving Bluelight malware as its payload. NK News is a legitimate South Korean outlet focused on news about the DPRK. 

Dave Bittner: ZDNet reports that the Brazilian government has disclosed that a ransomware attack hit the National Treasury Friday, but without structural damage to trading platforms. The Ministry of the Economy said in a statement that they took prompt steps to contain the effects of the attack once it was discovered and that it intends to be as transparent as possible about the incident. The federal police are investigating. Trading in Treasury bonds, according to the Brazilian report, remains unaffected. 

Dave Bittner: Security firm ClearSky has an update on the operations of Siamesekitten, an APT associated with the government of Iran that's also known as Lyceum and Hexane, which continues an espionage campaign that began in 2018 and targets organizations in Israel. It proceeds by social engineering, typically with an approach to employees of IT and other tech or communication companies, that offers a bogus job. The immediate goal is to direct the target to a site where they are induced to install a malicious payload, in recent cases, an upgraded back door called Shark through which the DanBot remote access Trojan is downloaded. 

Dave Bittner: The initial targets appear to be a means to an end, with Siamesekitten interested in using them to pivot into their real targets. To lend plausibility to their approach, Siamesekitten's operators impersonated websites belonging to legitimate companies - Chip PC, an Israeli IT firm, and the large German tech company Software AG. Neither firm, needless to say, is complicit in the imposture. 

Dave Bittner: Think your local sewage system is too small to attract the interest of threat actors? Think again. The wastewater systems of Mount Desert and Limestone, two towns in the U.S. state of Maine that are nobody's idea of metropolis, were hit with indifferent successful ransomware attacks last month. The town sewer authorities said no ransom was paid, no data lost and, best of all, no service interrupted. But it's an interesting cautionary tale. 

Dave Bittner: The ransomware didn't affect control systems, but it did induce the authorities to temporarily take some alerting mechanisms offline. And what was the point of infection? An obsolete Windows 7 computer that was still in use. Operators told SecurityWeek, "it was due to be replaced anyway," and presumably by now it has. 

Dave Bittner: The incident shows the surprising persistence of old legacy hardware in control environments. It got the attention of Aroostook County. Limestone Water and Sewer District Superintendent Jim Leighton said, quote, "it was a bad thing for us but a good thing for the county. Everyone took notice and did things to their computers so they couldn't be hit," end quote. 

Dave Bittner: So good, and now flush in tranquility when you're down East. 

Dave Bittner: And finally, kalloo kalay, in the you may not be interested in the IoT, but the IoT is interested in you department - security firm Mandiant has published a report disclosing vulnerabilities it found in IoT devices that use the ThroughTek Kalay network. ThroughTek, headquartered in Taipei, claims that some 83 million devices, a great many of them cameras and monitors, connect through this network. 

Dave Bittner: The vulnerability could enable an attacker to authenticate as a target device and collect feeds from that device through the network. Mandiant has worked with both ThroughTek and the U.S. Cybersecurity and Infrastructure Security Agency to develop mitigations for the issue. 

Dave Bittner: CISA summarizes these in three steps. First, minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet. Second, locate control system networks and remote devices behind firewalls, and isolate them from the business network. And last, when remote access is required, use secure methods, such as virtual private networks, recognizing that VPNs may have vulnerabilities and should be updated to the most current versions available. Also recognize VPN is only secure as the connected devices. 

Dave Bittner: Note the last point about VPNs - only as secure as their connected devices. As useful as it may be, a VPN isn't a foolproof cloak of virtual invisibility. 

Dave Bittner: There's been a good amount of speculation lately about whether upcoming cybersecurity legislation might include requirements for a software bill of materials - a sort of manifest tracing the various components of deployed applications to their sources. For insights on the potential pluses and minuses of such a requirement, I checked in with Manish Gupta, CEO at code security platform provider ShiftLeft. 

Manish Gupta: So by asking a software vendor to provide the list of thousands of dependencies, OK, I think we are largely just checking the box and saying, yes, acknowledge that this is a risk. And by requiring you to communicate, at least we are ensuring that you are, as a software vendor, looking inside your house and seeing what dependencies you are using. But if we were to try and figure out if this is - how actionable this is, I think that is where the new executive order, in my mind, fails that test. 

Manish Gupta: So imagine I'm a customer, and the vendor provides me thousands of dependencies. OK, great. So what am I supposed to do? Should I be going and looking at the - each of these software dependency to find out whether it's vulnerable? 

Manish Gupta: Well, let's say I go ahead and do the work, or maybe the vendor gives it to me. Well, the next question is, of course, for me as a customer to ask the vendor, hey, when was it going to be that you will fix all of these, you will upgrade to dependencies that don't have vulnerabilities? And given the fact that the vendor hasn't done this yet - and the process of upgrading dependencies, unfortunately, Dave, is nontrivial. It can take weeks, sometimes months to upgrade a dependency. And so what - the reason the software vendor has not upgraded - it is a business decision. He is acknowledging that he's more willing to take the risk that comes by using this dependency as opposed to taking the time that is required to upgrade this dependency. 

Manish Gupta: So I think what we're - and unfortunately, not all dependencies are the same. You know, a software dependency is, in and of itself, a dependency - you know, a piece of software which has multiple functionalities. So an application could be using a part of that dependency and not the entire software dependency. 

Manish Gupta: So really, we should be asking the question, well, is the component, is the part of software dependency that you're using, is that vulnerable? And as a result, is your application vulnerable? Because that is the crux of the question that between the two parties we're trying to establish, right? It shouldn't matter to us a whole lot if the application is using vulnerable software dependencies or not if we knew very accurately the question, which one of these software dependencies actually makes the application vulnerable? 

Dave Bittner: Is there an element of risk here when it comes to mixing different components? In other words, I'm sort of thinking, like, you know, if I want to clean my kitchen or my bathroom and I can choose to use bleach or I could use - choose to use ammonia, but I better not use both of them at the same time, right... 

Manish Gupta: Yeah. 

Dave Bittner: ...Because then I get mustard gas. 

Manish Gupta: (Laughter) Yes. 

Dave Bittner: I mean, is this - do similar things exist in the software world, where one or the other may come with their own risks, but when you put them - we really need to be careful about combining these things? 

Manish Gupta: Great, great question, Dave. You're absolutely right. And that is precisely what we have to do - is, you know, if a software is, as we discussed earlier, in the supply chain, i.e., it's a blending together of multiple components - as we do that, as we create this new concoction, we have to analyze that concoction. We cannot be just analyzing these parts because - your example is great. Stand-alone, these two things are perfectly benign. Mixed together, we've got a volatile mixture. Same thing here - stand-alone, these dependencies are fine. But when you mix them along with the functionality that the company desires and has codified using custom code, that is when everything comes together and we have, voila, a vulnerable application. 

Manish Gupta: And so, you know, yesterday, the industry was very focused on, which is what I referred to - right? - sort of we've had this technology to tell us which vulnerabilities that I'm using are too vulnerable for - we've had it for 15 years, and it was great yesterday. But today, we can start using more sophisticated mechanisms, more sophisticated technologies to analyze the entire application with its bits and parts. 

Dave Bittner: That's Manish Gupta from ShiftLeft. 

Dave Bittner: And joining me once again is Josh Ray. He's managing director and global cyber defense lead at Accenture Security. Josh, it is always great to have you with us. You know, I wanted to check in with you kind of in the aftermath of the Colonial Pipeline situation here. I wanted to get your take on what people can take away from this, particularly, how are some of our adversaries going to look at the way we responded to this? 

Josh Ray: Yeah. Thanks, Dave. And thanks for having me back. And I've actually been thinking a lot about this and, really, what our nation-state-level adversaries have likely learned from observing how we've responded during the events surrounding the Colonial ransomware incident. And, you know, if it wasn't apparent before, it should be very clear to everyone now that critical infrastructure absolutely needs to have the highest levels of protection and needs to be the most resilient from a security posture standpoint. 

Dave Bittner: You know, when I looked at some of the stories in the news of our responses to this, from an individual point of view, you know, you like to think that we as a society are strong and resilient and all those good things. And yet we saw plenty of footage of people running out and hoarding gasoline and, you know, responding contrary to the ways that our leadership would ask them to. That sends a message as well. 

Josh Ray: It absolutely does. And I - you know, I realize that a lot of time and effort will be spent on after action, specifically focused on not the victim organization, but also the broader industry. And that absolutely needs to happen, right? And this could have happened probably to multiple organizations. 

Josh Ray: But I'm not trying to be an alarmist here. But from a strategic standpoint, I'm really concerned about what the next attack could look like. If I'm a bad guy, I think the fact is that I now have direct evidence how much economical, societal and, to your point, psychological impact a single, well-placed ransomware attack can have. 

Dave Bittner: So how do we take that knowledge, you know, the sort of - now that we know what they know, how do we roll that into where we go from here? 

Josh Ray: That's a great question. And I think - just, you know, think about this for a second. You know, what if this had been just a little bit more coordinated and included the targeting of, say, a major fuel transport company in addition to a pipeline company? Now I've just significantly disrupted plan B. And you can extrapolate that - and I'm sure, you know, listeners can as well - to many more nightmarish supply chain scenarios with wide-ranging impacts. 

Josh Ray: But the point is this. I think first, we really need to get serious about preparedness. And I think the time is now for that wide-ranging public and commercial, multisector, multi-industry, real-world cyber exercises that focus on critical infrastructure and their supporting supply chains. 

Josh Ray: And secondly, companies can't wait for the regulations to drive the action. They need to take a proactive approach and partner with their critical suppliers to conduct that, you know, wide-ranging realistic simulations. And these can't be paper-thin compliance check-box assessments. They have to be intelligence-driven adversary simulations that really drive those tangible business and, for all of our sake, national cyber resilience outcomes. 

Dave Bittner: Are you seeing indications that those sorts of things may be happening? You know, are we seeing responses from government, from private industry saying, hey, you know, this was a bit of a wake-up call and changes need to be made? 

Josh Ray: Yeah, absolutely. I do think the executive order is a good first step. And I think that, you know, if companies - and should, you know, take many of those directives to heart and start with the implementation. 

Josh Ray: But, you know, you combined SolarWinds with this last incident, and I think any company or any board that is not taking cybersecurity very seriously now and understanding where they sit in the broader ecosystem, both from a, you know, shareholder value standpoint and from a national interest standpoint - those two scenarios alone should drive action. And hopefully we'll see some tangible results at the end of it. 

Dave Bittner: All right. Well, Josh Ray, thanks so much for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.