Watch out for cybercrime over holidays (like Labor Day). Ransomware warning for the food and agriculture sector. Gift card and loyalty program fraud. NIST draft IoT guidelines out for comment.
Dave Bittner: Uncle Sam recommends cyber vigilance during your kinetic relaxation this Labor Day weekend. The ransomware threat to food and agriculture. Low and slow fraud from compromised email inboxes. Israel promises an investigation of cyber export controls. Josh Ray from Accenture Security on giving back to the community and the Jenkins Attack Framework for red teaming. Our guest is Andy Ellis on the transparency in cybersecurity initiative. And NIST has draft consumer IOT guidelines out for comment.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, September 3, 2021. The U.S. Labor Day holiday is coming with its annual long weekend, tomorrow through Monday, and the U.S. government has been warning everybody not to let their guard down in cyberspace. Criminals expect it, and they've shown spikes of cyber activity during other holidays, most recently over the Fourth of July. The White House at its regular press conference yesterday reinforced warnings given earlier this week by the U.S. FBI and CISA to the effect that the nation should be on heightened alert for cyberattacks, especially ransomware attacks over the Labor Day long weekend. The U.S. government seems to be betting on form here, not on any particular chatter or specific signs of threatening activity. Deputy National Security Adviser Neuberger said that while there were no specific indications of attacks, criminals in particular have a track record of taking advantage of the reduced staffing and relaxed vigilance that often accompany holidays. Here's some of what she had to say, courtesy of C-SPAN.
(SOUNDBITE OF ARCHIVED RECORDING)
Anne Neuberger: Good afternoon, everyone. So we want to take a moment to encourage organizations to be on guard for malicious cyber activity in advance of the holiday weekend. To be clear, we have no specific threat information or information regarding attacks this weekend, but what we do have is history. And in the past, over holiday weekends, attackers have sometimes focused on security operations centers that may be understaffed or a sense that there are fewer key personnel on duty as they may be on vacation. And indeed, a long weekend can sometimes make attackers feel they have extra time to navigate in a network before they were detected. So as the long weekend comes, we want to raise awareness. And this need for awareness is particularly for critical infrastructure owners and operators who operate critical services for Americans.
Dave Bittner: That's yesterday at the White House, and you can listen to the whole thing over at C-SPAN. Holidays aren't the only thing on the federal mind, of course. The ransomware threat has been much discussed in both public and private circles. And warnings directed at the various sectors that make up critical infrastructure continue. And what's more critical than food? The U.S. FBI on Wednesday issued a private industry notification warning the food and agriculture sector that it's under active attack by ransomware gangs. There's nothing particularly distinctive about the criminals' approach to organizations in this sector. The tactics and techniques they employ are familiar, but it's a sector not accustomed to thinking of itself as a high-priority criminal target.
Dave Bittner: The FBI's notification briefly describes five occasions since last November when ransomware attacks have disrupted agricultural and food distribution operations. Quote, "in July 2021, a U.S. bakery company lost access to their server files and applications, halting their production, shipping and receiving as a result of Sodinokibi/REvil ransomware, which was deployed through software used by an IT support managed service provider. The bakery company was shut down for approximately one week, delaying customer orders and damaging the company's reputation. In May 2021, cyber actors using a variant of the Sodinokibi/REvil ransomware compromised computer networks in the U.S. and overseas locations of a global meat processing company, which resulted in the possible exfiltration of company data and the shutdown of some U.S.-based plants for several days. The temporary shutdown reduced the number of cattle and hogs slaughtered, causing a shortage in the U.S. meat supply and driving wholesale meat prices up as much as 25%, according to open source reports," end quote.
Dave Bittner: This, of course, was the notorious attack on JBS, one of the incidents that brought Russian privateering to general attention. The beverage subsector has also been hit. Quote, "in March 2021, a U.S. beverage company suffered a ransomware attack that caused significant disruption to its business operations, including its operations, production and shipping. The company took its systems offline to prevent the further spread of malware, directly impacting employees who were unable to access specific systems, according to open source reports." And farms themselves have been targeted. Quote, "in January 2021, a ransomware attack against an identified U.S. farm resulted in losses of approximately $9 million due to the temporary shutdown of their farming operations. The unidentified threat actor was able to target their internal servers by gaining administrator level access through compromised credentials," end quote. So ransomware has touched the very point of origin of the food supply.
Dave Bittner: Finally, quote, "in November 2020, a U.S.-based international food and agriculture business reported it was unable to access multiple computer systems tied to their network due to a ransomware attack conducted by OnePercent Group threat actors using a phishing email with a malicious zip file attachment. The cybercriminals downloaded several terabytes of data through their identified cloud service provider prior to the encryption of hundreds of folders. The company's administrative systems were impacted. The company did not pay the $40 million ransom and was able to successfully restore their systems from backups," end quote. That last story is encouraging. The victim refused to pay and restored affected systems from backups. The same risk mitigation measures that apply to other sectors can be equally effective for organizations working in the food supply chain.
Dave Bittner: KrebsOnSecurity notes the low and slow and lucrative approach one criminal gang has taken to fraud, compromising about 100,000 email inboxes daily. They're selective in their take, scanning for emails related to gift cards and customer loyalty programs, both of which have a useful resale value in criminal markets. KrebsOnSecurity writes, quote, "the fraudsters aren't downloading all of their victims' emails. That would quickly add up to a monstrous amount of data. Rather, they're using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs and/or issue gift cards and handle their fulfillment," end quote. Reward points are particularly attractive to the hoods because they're easily extracted and can be resold quickly for about 80% of their nominal value.
Dave Bittner: Israeli Foreign Minister Yair Lapid promised closer investigation of NSO Group's intercept tool exports, SecurityWeek reports. The foreign minister makes the familiar point that the government of an exporting country has only limited influence over how the importers use the tools they buy. But he acknowledges a responsibility to do what's possible to prevent abuse. He explicitly compared cyber exports to arms exports and suggested they would be controlled in the same way.
Dave Bittner: And finally, if you're looking for some profitable reading over the weekend, consider taking a look at the National Institute of Standards and Technologies Draft Baseline Security Criteria for Consumer IOT Devices. It's part of NIST's response to Executive Order 14028 issued back in May. Among other things, the criteria are intended to result in labeling for consumer products. And NIST's goal is that those labels be understandable and actionable by consumers and that they be effective in conveying the product's value. The labels should clearly convey when a product provides a greater level of security so that a consumer can understand why there may be a greater value to the individual and to society more broadly, and why there may be a cost differential among competing products with similar functionality but different security performance. So read the whole thing. NIST would like to have comments by October 17.
Dave Bittner: Andy Ellis is operating partner at YL Ventures and former CSO at Akamai. He is among a group of individuals and vendors who've started a new nonprofit called Transparency in Cyber, which hopes to foster more open conversations about security products. I checked in with Andy Ellis for the details.
>>ANDY ELLIS: So the goal of the Transparency in Cybersecurity organization's mission is really to evangelize that this is a change that ought to be made, that really the three core tenets of our mission is that, you know, product benchmarks and real-world experiences ought to be shareable, that we need to be able to understand what our products do and don't do because that's how we're going to get to a safer digital world, that companies need to really put that into their business operations, that if one of your customers comes and says, hey, I want to, you know, test this with a third party, you don't get to say no, right? It's reasonable for you to say, hey, would you share the results with us before you publish them? I think that's a fair ask. But to say no, you're not allowed to find out, you know, if the product does what we say it does - not OK - and that we actually think that transparency will be the great equalizer. And that's not about an equalizer between vendors, although that - it will actually do some equalization there. But it's really about equalizing between the vendor and the customer.
>>ANDY ELLIS: You know, I've been a buyer where I've bought a technology and, like, two years later, we were pretty certain it stopped working. And we could not get the vendor to talk to us about it - you know, had stopped giving us any alerts. You know, and the person who'd bought it was like, oh, we've done such great security that this detection system can't find anybody breaking in. And I said, yeah, or the detection system just doesn't work. But we had no way to verify that belief. And maybe we had great security, or maybe we had awful security. But I was stuck as a buyer not knowing. And that's what would be fixed with better transparency.
Dave Bittner: So from the point of view of the providers of these services, these products, I mean, what's in it for them? How do you deal with what I could imagine would be, maybe if not some pushback, maybe a little hesitancy here?
>>ANDY ELLIS: So I think there definitely will be some hesitancy. I think if you have a product that works, this is a good thing for you, right? This enables your customers to talk to you, to give you feedback because your good customers aren't going to go test your product, find a problem and not tell you, right? They're going to find something and say, wow, you know, you have this WAF, and for some reason it doesn't work on SQL injection, which would be sort of awful - I don't think your technology actually works there. But they're going to tell you, rather than keeping that secret or you never knowing.
>>ANDY ELLIS: And your product can get better because you're now part of this information ecosystem. So it enables you to let your customers be part of your product research organization. That's helpful. It lets you see where you stand against your competition because you - I suspect you will see sort of third-party rating agencies that have a little more transparency than the analyst firms sometimes have today. And I think that's - only is a good thing for everyone.
Dave Bittner: And how does this work alongside things like bug bounty programs?
>>ANDY ELLIS: I think it's completely compatible. I think anybody who has a bug bounty program is already, you know, 90% of the way to a transparency model here. A lot of this is sort of getting people to stop having these reflexive noes to conversations about something like a bug bounty. But this isn't saying everything needs to have a bug bounty. I think a bug bounty is above and beyond what we're asking for. We're basically asking you to sort of commit, hey, don't, like, sue people just because they've figured out that your product has some flaws and want to share that.
Dave Bittner: That's Andy Ellis. You can find out more about the new nonprofit at transparencyincyber.org. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interviews Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is Josh Ray. He's managing director and global cyberdefense lead at Accenture Security. Josh, always great to have you back - I wanted to touch today on some tools that I know you and your team have been developing that could be of assistance to red teamers. What are you all working on there?
Josh Ray: Yeah, thanks, Dave - excited about this - to talk about this topic. And as you know, the team and I are super passionate about sharing information and giving back to the security community, which - you know, ultimately we want to really make the world a safer place, right? The Jenkins Attack Framework, or JAF, is a tool that our adversary simulation R&D team developed. And we did this in order to make some of our engagements a bit easier and scale more effectively. So basically, JAF is an Accenture internally developed tool for red teamers, for interacting with Jenkins-built servers.
Dave Bittner: So you're putting this out here for the community as large?
Josh Ray: That's correct. Yeah. And, you know, really the use case is that, you know, this is to help clients improve their the broader security posture. That's how we use it. Many times, you know, we come across Jenkins installations in client environments, and they can be, say, useful for our red team engagements because they will sometimes store credentials and source code and, you know, have the ability to elevate access in their production networks. And as a result, you know, our team also finds ourselves being able to leverage this to move throughout the environment undetected, much as an adversary would. So really, the value here is, you know, to allow other folks to leverage this tool to do the same thing.
Dave Bittner: What goes into the decision for you all to make this available to the broader community? You know, this tool has value. You could very well just keep it to yourself and your colleagues there. Why put it out there for everyone?
Josh Ray: Yeah, I think we have to balance that. But, you know, ultimately, we're really trying to be good stewards of the community. And where we have the opportunity, we want to do the right thing, right? So this has been - you're right. This has been incredibly valuable to our team over the past year or two. But really, in the spirit of giving back to the community, we've been able to secure the approval to to release this for industry use for their own security testing. We have a blog that outlines all the technical details. But, you know, there's some really interesting features like, you know, being able to run system commands and list current, you know, API tokens and dump creds and such.
Josh Ray: But ultimately, you know, our mission is really to help our clients prepare for and, you know, spar against some of the most advanced cyber threats out there. And we have a responsibility, I think, not only to secure the world, but also help, you know, folks in the security community to further that mission and enable that mission. And we do that through things like, you know, releasing tools and information. And this is really just about making sure folks knew that was out there and available for them to use.
Dave Bittner: All right. Well, if you're looking for it over on the Accenture security website, it is the Jenkins Attack Framework. Josh Ray, thanks for joining us.
Josh Ray: Thanks, Dave.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. We'll be taking a break from our daily podcast on Monday as we observe the Labor Day holiday with appropriately unrelaxed cyber vigilance, even as we enjoy kinetic relaxation. We hope you are all able to do likewise. And we'll be back as usual on Tuesday.
Dave Bittner: For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's episode of "Research Saturday" and my conversation with Ben Seri. He's VP of research at Armis. We're discussing remote code execution vulnerabilities in the pneumatic tube system of Swisslog. That's "Research Saturday." Do check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.