The CyberWire Daily Podcast 10.29.21
Ep 1449 | 10.29.21

Iranian-Israeli cyber tensions rise. Decaf ransomware described. Philippine government phishbait. Unemployment due to cyberattack. Europol’s latest collars. Facebook rebrands as “Meta.”


Dave Bittner: Tensions between Iran and Israel rise. A criminal group is spoofing emails from Philippine agencies. A new ransomware strain is discovered. Europol and partners sweep up a cyber gang. Betsy Carmelite from BAH on convergence of 5G and health care. Our guest is Justin Wray from CoreBTS with a look at the security issues facing online gaming and casinos. And the company formerly known as Facebook rebrands as Meta.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 29, 2021. 

Dave Bittner: Iranian news services are calling the incident that disrupted subsidized fuel distribution in Iran an Israeli cyberattack. Asharq Al-Awsat reports that officials intend to release results of their investigation within a few days. In the meantime, Tehran has retaliated by doxxing Israeli Defense Minister Benny Gantz and a number of Israeli soldiers. The Jerusalem Post says the doxxing was accomplished by a threat actor calling itself Moses Staff, and The Tehran Times suggests that more will be heard from Moses Staff as tension between Israel and Iran rises.

Dave Bittner: Haaretz reports that Moses Staff has also obtained Israeli troop deployment information. The members of Moses Staff are generally believed to be Iranian nationals. The group posted a warning to Defense Minister Gantz on its site. Quote, "we know every decision you make and will hit you where you least expect it. We have secret Defense Ministry documents, operational military maps and troop deployment information and will publish your crimes to the world," end quote. 

Dave Bittner: Attribution in these cases is always difficult, particularly when the groups involved represent themselves as hacktivists. The case for Israeli involvement in the gasoline distribution hack is, absent the promised report of Tehran's investigation, so far a matter of a priori possibility. Similarly, it's not clear who Moses Staff may be or to whom they answer. 

Dave Bittner: Morphisec has released research into a new ransomware strain they're calling Decaf. It's noteworthy for its use of the Go language, increasingly popular among cybercriminals. Babuk, Hive and HelloKitty are other ransomware tools written in Golang. Decaf appeared in September, and its development has continued into this month. Morphisec writes, quote, "the development of Decaf continues to this day, showing that ransomware groups constantly innovate their attacks. That the attack is written in Golang is further proof of this trend toward innovation among the adversary community. Threat actors are forever making changes and adding new capabilities to evade the detection-centric solutions that predominate in the market," end quote.

Dave Bittner: Proofpoint has identified a new criminal threat actor, tracked as TA2722, that impersonates agencies of the Philippine government in phishing operations designed to distribute Remcos and Nanocore remote-access Trojans. TA2722 targets shipping, logistics, manufacturing, business services, pharmaceutical companies and energy providers. Victims have been found in North America, Europe and Southeast Asia. ZDNet points out that the target selection poses a risk to already stressed supply chains. That's physical supply chains, not necessarily software supply chains. It's worth recalling that delays and disruptions to the delivery of tangible goods have become a global problem, and anything that meddles with business or production systems is bound to make a difficult situation all the more challenging.

Dave Bittner: A link in one such supply chain, disrupted last Friday by what's generally believed to be ransomware, seems now to be on its way to recovery. The Green Bay Press Gazette reports that Schreiber Foods has recovered sufficiently from the cyber incident it sustained to resume plant operations. The company announced Wednesday that it had resumed taking delivery of milk. Schreiber produces dairy products and is now back in production and shipping product to its customers. ZDNet says that Schreiber began to bring its plants back online Monday. The company has so far been tight-lipped about the specific nature of the cyber incident. 

Dave Bittner: CISA has issued a fresh set of industrial control system security advisories. There are three of them. Sensormatic Electronics, LLC, a subsidiary of Johnson Controls, has fixed hard-coded credentials in its Victor product. Mitsubishi Electric has taken care of an uncontrolled resource consumption problem in its MELSEC iQ-R Series C Controller module R12CCPU-V. And Delta Electronics has addressed a stack-based buffer overflow vulnerability in its DOPSoft HMI product. 

Dave Bittner: Europol today announced that it has targeted 12 individuals in Switzerland and Ukraine whom it believes are responsible for a range of cybercrimes that represented a dangerous combination of aggressive disruption and high-stakes targets. The criminals' activities were complex, and Europol sums them up like this. Quote, "the targeted suspects all had different roles in these professional, highly organized criminal organizations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments. Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as TrickBot or post-exploitation frameworks, such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access. The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetizing the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others," end quote. Europol credits an international cooperative effort for the success of the enforcement operation. 


Bela Lugosi: (As Count Dracula) Listen to them - the children of the night. What music they make.

Dave Bittner: The moon wasn't full when the shapeshifting took place. Our lunar desk tells us it was in the last quarter, right between a waning gibbous and a waning crescent, but there was still some shapeshifting reported. 


Dave Bittner: OK. OK. Thank you, wolves. Down, boys. Good girls. Please take it back to Borgo Pass. 

Dave Bittner: But this isn't about the children of the night. It's about the children of the social network, and the shape-shifting was of the rebranding variety as opposed to the lycanthropic kind. And it's not Borgo Pass, either, but rather Menlo Park. And the company formerly known as Facebook has announced that it will henceforth be known as Meta. A founder's letter says that the house of Zuckerberg is betting on the metaverse, a neologism that refers to an immersive experience in which people will live significant parts of their lives in virtual contact with others. Facebook is officially all in on the metaverse. And while Mr. Zuckerberg explains that the metaverse won't be built by one company, but Facebook - I'm sorry - Meta will play a major role in shaping it. 

Dave Bittner: Reaction to the rebranding is cautiously mixed. There are the usual observations that meta is a naughty word in some languages, of course. WIRED says that companies typically rebrand for three reasons - new business ambitions, a new corporate organization or an attempt to distance themselves from a name with bad associations. The piece argues that Facebook's conversion to Meta has aspects of all three. The Drum's roundup of industry reaction is also mixed, with some seeing the renaming as the bold planting of a flag in new technological territory and others seeing it as just a PR-conscious, reactionary move. And the metaverse itself has come in for its own share of skepticism - the next phase of human evolution, or just Fortnite on steroids? Anyhoo (ph), trading begins on December 1 under the new ticker symbol MVRS. Take it away, wolves.


Dave Bittner: If you've watched any televised sports this season, you most certainly have seen the proliferation of ads for online sports betting platforms - gaming apps, as they refer to them. Justin Wray is director of operations for security at CoreBTS, and he joins us with insights on the security considerations of gaming platforms shifting online. 

Justin Wray: When we talk about gaming in general and, really, online gaming in particular, you know, there are a whole lot of different things to consider from a security perspective. But I think one of the things that's definitely unique, and this isn't the only industry that has some unique aspects, but one of the things that is unique about the gaming industry is that they really have these two different areas within the organization. You know, you have the actual gaming platforms, and when we talk about online gaming, you have the sites that users are interacting with. You have people who are not physically, you know, at a location that you control that are interacting with your organization, but you still have all of the corporate, you know, back-office aspect as well. So there are still, you know, payroll and customer service representatives and, you know, sales teams that are - you know, you have all that normal corporate business and corporate technology and networking involved as well. But it's an area where, you know, certainly, when you think about the security connotation from an adversary perspective, certainly focus, right? You have the gaming platforms themselves that, you know, are publicly available. 

Dave Bittner: And how does this compare, you know, to a physical casino where people may go to enjoy gaming? It strikes me that, you know, with the casino, we always see these movies where they have the eye in the sky, and they keep a physical eye on people who may be trying to, you know, advantage things to themselves in an unfair way. Do online gaming platforms face similar issues? 

Justin Wray: I think that's one of the most important aspects. When you think about a casino and specifically when you think about casino security - right? - you think of the person at the door checking IDs and, to your point, cameras that are monitoring all the activity. And, of course, when you think about a compromise of a casino, you tend to think of something like "Ocean's Eleven," right? They're going to come in, and they're going to get into the vault. And unfortunately - right? - you know, there's been a lot of focus and dedication over time in the, you know, casino industry or in the gaming industry on physical security. And what we're not necessarily seeing evolve as rapidly is the cybersecurity aspect, right? You've had to rapidly go towards this online paradigm, but the security hasn't necessarily kind of kept at pace. 

Justin Wray: And so I think this is one of the - like I said, the most important aspects here is that just like a casino would want to physically protect the, you know, the casino from somebody coming in and causing them harm, they need to take that same mentality and apply it to the kind of online, digital world as well. And so there's absolutely that aspect. And there's certainly, you know, things around, you know, let's say, cheating, for example. I mean, it has to be top of mind for an online gaming organization - certainly different than other industries. But of course, again, that's not the only thing they need to be concerned about. The other security risks, you know, things like ransomware attacks, et cetera, I mean, just as easily can plague an online gaming organization. So they really have to take that security focus and, again, apply it towards the gaming aspect in particular - things like anti-cheating - but also to the kind of just general technology and interconnected world we live in.

Dave Bittner: You know, we're definitely in the midst of an advertising blitz as these organizations try to stake their claim and carve out their market share. What is a consumer to do to have confidence that they're going to be working with a platform that has their back, that has security covered? Are there any things they should be looking for? 

Justin Wray: That's a great point, and it's one of those areas that, you know - security is a shared responsibility. And so while there is absolutely a responsibility on the casino themselves to, obviously, secure their infrastructure, you know, users have a responsibility to share - to secure themselves also, right? And the thing that comes top of mind to me is things like account, you know, credentials and management there. So I would say that, you know, when you're looking at the different platforms, you're right. There are a lot of options. And certainly, you can look at, you know, who's regulating them? You know, are they compliant with various security standards? And oftentimes, they will, you know, publish that in some fine print. You know, the casino's website or organization will kind of make that available to some extent. But just, again, basic things like, you know, does the site offer multifactor authentication? And if it does, you as a, you know, subscriber, as a user should be, you know, using multifactor authentication. The casino can protect their infrastructure all day long, but if your credentials are, you know, compromised and somebody logs in as you, you know, then the casino's not going to know that you're not the one, you know, completing that withdrawal or whatever the case might be. 

Dave Bittner: That's Justin Wray from CoreBTS. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. Now, you and I recently talked about 5G security and zero trust, and I was - want to sort of continue along that line of conversation but really focus on health care today and how health care is converging with 5G as well. What can you share with us? 

Betsy Carmelite: When you turn to 5G and its convergence with health care, we really need to start talking about its impact on an industry that was forced to embrace the transformation of health care delivery during the pandemic, specifically telemedicine adoption. So what could 5G mean for health care and addressing vulnerabilities in health care moving forward that comes along with that transformation? To start, it really revolutionizes global communications and the connections across Secure Connected Health, physical devices and the digital world. 

Betsy Carmelite: And secondly, we are imagining that 5G will accelerate Secure Connected Health because of its near-real-time interactivity, the expanding internet of medical things. Here's a thought - by 2023, it's estimated that there will be three times more networked devices than humans on Earth. And 5G has an ability to facilitate AI-enabled health care to protect patient data as well. We're looking at 5G's advancements in network slicing, and what we mean by that is when multiple dedicated networks are layered on top of a common shared physical infrastructure, keeping datasets private and separate from each other. 

Dave Bittner: Can you give me some specific examples of how 5G is going to enhance health care? 

Betsy Carmelite: So we have a few scenarios to think about - first, real-time, complete patient monitoring in hospitals and then once patients go home. So without the restrictions on data streaming that 5G will offer - so we mentioned, you know, the greater bandwidth and lower latency - hospitals could adopt all source patient sensors and personalize automated treatment plans from data outputs. And patients could remain under the care of the hospital team once they go home. 

Betsy Carmelite: Secondly, 5G will extend and expand the reach of remote surgical capability interventions to meet urgent needs. So think telesurgical (ph) robot platforms capable of being staged further forward, like at a military operating base. And 5G will also fix network-imposed limitations of telerobotic (ph) surgery, such as signal delay. And finally, the ability to have the majority of your health care provider services offered in the comfort of your own home - with the combination of 5G, AI, edge computing capabilities, the benefits for those in remote areas could be really extending world-class hospital-like care into rural areas, remote areas with services like mobile intensive care units and full labs for at-home diagnostics. 

Dave Bittner: What about the security implications here? Are there concerns on that side of things? 

Betsy Carmelite: Yeah. To keep this health care ecosystem secure and resilient in its entirety - because this is really an ecosystem - we need to think about more robust security to leverage the benefits of 5G. So we're talking about labs, health care delivery providers, device manufacturers and health care organizations all coming together. And this is that internet of medical things I mentioned before. It's all connected, and the proliferation of connected devices and data presents threat actors with new opportunities to disrupt public health and safety. So there are three pillars that we believe are important to building a cyber resilient 5G health care ecosystem. First, the health care community should follow industry developments closely and prepare to integrate the new technology. I mentioned in an earlier segment on 5G that now is the time to prepare to secure the 5G ecosystem while it's in its development. And this is really critical for health care and the health care sector to be participating in standards working groups to provide the requirements that it needs before the standards are set. So this is being proactive and maintaining awareness of 5G developments. 

Betsy Carmelite: And secondly, back to the connected theme, applying integrated cybersecurity and privacy solutions are critical to securing PHIs, sensitive health information, critical health care operations. The - applying zero trust here, specifically around least privileged access concepts and implementing data rights management and encryption are really important. We see integrating patient-focused solutions with the network hardware and software needed to support mission and business priorities - so looking at that user experience and putting data privacy at the heart of it.

Betsy Carmelite: And thirdly, health care delivery organizations can proactively counter sophisticated network threats by modernizing and implementing advanced architectures. We do recommend working with partners who have a deep understanding of network threats to build hardened infrastructures, protecting against both legacy and 5G vulnerabilities as they move to adopt 5G. It's always important to understand where your legacy systems and data might have weaknesses. We also recommend designing an infrastructure that incorporates new 5G-based resiliency techniques to protect against failure. And then we also recommend implementing strict access controls and data protection techniques to protect patients' most sensitive information. 

Dave Bittner: All right. Well, lots to unpack there - thank you for helping us understand it. Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thanks again, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at If you're looking for something to do this weekend, be sure to check out our episode of "Research Saturday" and my conversation with Tudor Dumitras from the University of Maryland on their research, "When Malware Changed Its Mind: An Empirical Study of Variable Programmed Behaviors in the Real World." That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe - and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.