The CyberWire Daily Podcast 11.1.21
Ep 1450 | 11.1.21

Iranian officials blame the US and Israel for gas station cyber sabotage. A new direction for NSO? Cyber extortion, Minecraft phishing, and sugar daddies looking for sugar babies (sez they).
Dave Bittner: Iran hasn't finished investigating its gas station cyber sabotage. NSO Group says it's going in a new, nicer direction. The Conti gang hits a luxury jewelry dealer, and another unknown group hits an upscale art dealership. The Chaos gang is after Minecraft players - players who cheat. Caleb Barlow on pre-breach preapprovals. Rick Howard introduces sand tables in cyberspace. And sugar daddies come to the world of advanced fee scams.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 1, 2021. 

Dave Bittner: Reuters and others report that Iranian officials have begun to fix blame for the nominally hacktivist attack that's afflicted the country's gasoline stations since last week. Iran's head of civil defense said Saturday, quote, "we are still unable to say forensically, but analytically I believe it was carried out by the Zionist regime, the Americans and their agents," end quote. 

Dave Bittner: The attribution seems so far to be based more on a priori probability than on, as the civil defense chief says, forensics. The motive of the attack is still believed in Tehran to be disruption and the fomenting of unrest and dissatisfaction. 

Dave Bittner: According to the Tehran Times, the country's intelligence minister said the investigation is still in progress and that full details will be disclosed once it's complete. The intelligence minister said, quote, "complete information obtained from this cyberattack will be made available to the public because what is related to the health, security and welfare of the people must be made available to them, and the officials consider informing the public in a timely manner as their duty," end quote. 

Dave Bittner: Tehran counts on the vigilance and support of the people and their interest in the homeland and the system to counter and contain any further cyberattacks the country may sustain. 

Dave Bittner: NSO Group, best known for its Pegasus intercept tool, whose sale to and abuse by repressive governments has drawn criticism and provoked controversy, has shaken up its leadership. The company says its new strategic direction will include analytics and defensive cyber. 

Dave Bittner: Cybercriminals have hit two upscale brands with extortion attacks. The threat in both cases appears to be that of doxxing, of releasing private information online. 

Dave Bittner: In the first case, Sky News reports that the Russian Conti gang has begun doxxing customers - tycoons and celebrities, as Sky describes them - of the luxury jewelry brand Graff. The gang wants a large payment in exchange for a promise not to release more information. What's out so far seems relatively anodyne, mostly names and addresses that are already in the public domain, but Conti promises worse to come. 

Dave Bittner: If you are a client - that is, if you're a crime victim - client is Conti's cynical hood-speak for victim. If you are a client who declined the deal - and deal is Conti's cynical hood-speak for extortion demand - and did not find your data on the cartel's website or did not find valuable files, this does not mean that we forgot about you. It only means that data was sold and only therefore it did not publish in free access. The emphasis is in the original that security firm Malwarebytes quotes in their discussion of the incident. 

Dave Bittner: Graff's comment on the incident doesn't disclose much about the nature of the attack, and in particular it doesn't say whether data were encrypted and stolen or merely stolen. The firm has notified the Information Commissioner's Office, which is opening an investigation. 

Dave Bittner: The second high-end cyberattack comes from the art world. The MCH Group says its high-end art dealer subsidiary Art Basel has also sustained a criminal data breach. 

Dave Bittner: MCH describes the current state of affairs on its corporate website. Quote, "we are working to get all our systems and services fully operational again as soon as possible. The most important internal and external communication channels are ensured. The staging of the planned events is guaranteed. Unfortunately, the available information and analyses indicate that the perpetrators have nevertheless succeeded in gaining access to data that contains personal data - such as contact details - of customers, partners and employees of the MCH Group. Currently, the existing traces are being evaluated in cooperation with cybersecurity experts," end quote. 

Dave Bittner: In this case, the perpetrators are so far unknown, although the attack hit back in October. The data at risk appears, again, to be contact information for Art Basel companies. 

Dave Bittner: MCH Group, which appears determined not to pay the ransom demanded, offers customers who may have been affected by the breach some sensible advice. The first recommendation is to warn against the risks of password reuse. Change your MCH passwords to be sure. And if you've used your password elsewhere, change it there as well. 

Dave Bittner: The second recommendation is a warning against the use of breached information in subsequent phishing attacks. Quote, "we also recommend that you exercise caution when dealing with unknown contacts, such as if you are contacted by third parties by email or telephone, who, for example, represent themselves as your bank, internet provider or insurance company and use personal details to gain your trust," end quote. 

Dave Bittner: As always, sensible, skeptical common sense is to be applied. 

Dave Bittner: Fortinet reports that the Chaos ransomware gang, generally believed to operate from China, is targeting Minecraft gamers in Japan. Not to blame the victim here, but we note that the malware hook is hidden in phishbait that purports to contain stolen game credentials, which no honest player should touch. 

Dave Bittner: And finally, to turn to another activity you should probably avoid, security firm Avast has a warning out about a new scam. People are getting contacted over social media with pitches that read something like this. "Hey. My name is Walker, and I'm looking for a sugar baby. I would like to pay you 1,500 euro weekly." So hop to it, ladies. Or actually don't. It's just a hoary old advance fee scam, a riff on the familiar, I am the widow of the late Nigerian prince come-on. 

Dave Bittner: Should you pursue it a bit, as Avast did, you might ask Walker if he's legit. Walker told Avast that I need a companionship, someone I can talk to online. When Avast replies, ah, OK, how do I know it's not a scam, Walker simply texts back, 100% safe. Hey, if you can't trust a sugar daddy, who can you trust in the vale of tears? 

Dave Bittner: And it's always a pleasure to welcome back to the show my colleague Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. But more important than that, he is the host of the "CSO Perspectives" podcast, part of CyberWire Pro. Rick, welcome back. 

Rick Howard: Thanks, Dave. 

Dave Bittner: You are introducing a new segment this week, and it's something called the Cyberspace Sand Table Series. 

Rick Howard: Easy for you to say (laughter). 

Dave Bittner: What's going on here? Are you - well, I was just thinking, are you inspired by "Dune" that just came out in the movie theater? You're doing sand tables. What's the story here? 

Rick Howard: I wish I would have thought of that. But, yeah, I'm definitely going to be inspired by "Dune." 

Dave Bittner: (Laughter) OK. 

Rick Howard: But maybe not. So a few weeks ago, I was watching a program on Tom Brady. Now, he's - for the non-sports aficionados out there, he's the famous NFL quarterback from Tampa Bay. And... 

Dave Bittner: Right. 

Rick Howard: ...Dave, if your audience has been listening to you and me talking for the last few months, they know that we don't typically talk about sports things - right? - when we're going around, right? 

Dave Bittner: No (laughter). I don't think either one of - well, I know for me, anyway, I am not a sports ball aficionado, for sure. 

Rick Howard: (Laughter) Yeah. So, like, you and me are more likely to talk about show tunes or superhero movies or, you know... 

Dave Bittner: Yeah, the important things. Right. 

Rick Howard: Yeah, yeah. My favorite topic is how I routinely get killed by 7-year-olds in my Fortnite video game, right? But so - but I can appreciate a sports figure who is doing something really good. And, you know, I watch the Olympics, so I have some affection for those guys. 

Dave Bittner: Sure. 

Rick Howard: And Tom Brady, whether or not you're a fan or not, you have to admit he is exceptional. He's won seven Super Bowls out of 10 tries while playing on two different teams. And for the old folks out there, he's 44 years old. Now, I'm not a sports fan, like I said, but I'm rooting for the old guy, you know, just on general principles. 

Dave Bittner: (Laughter) Right. 

Rick Howard: I'm not saying I'm old. I'm just saying, OK? So... 

Dave Bittner: I'm with you. I'm with you. Yeah. 

Rick Howard: Yeah. So I'm watching this show on Brady, and you learn pretty quickly that he spends a lot of time reviewing game film on his opponents - not just a couple of hours a week, but every day for hours - so that he can learn to pick apart the defense on the game he's going to play in the following week. And I realized that our community - the network defender community - doesn't really have an equivalent version of reviewing game film, and maybe we should. 

Dave Bittner: OK. I think I know where you may be headed with this. So why are you calling it Cyberspace Sand Table Series? 

Rick Howard: So as you know, I'm an old Army guy. And when my commanders tried to teach us tactics, either offense or defense, at some point in the process, they would either gather everybody around a patch of dirt or a fancy box with sand in it - that's the sand table, right? - and they'd put sticks and rocks in it to represent both sides and go over a famous battle, like, you know, the Battle of Gettysburg or something during the U.S. Civil War. And so by watching a physical model of the battle, you could more easily see mistakes made by commanders on the ground. And after watching the Tom Brady show, I realized that sand tables were the military's version of game film. 

Dave Bittner: OK. All right. I'm with you. So for your next "CSO Perspectives" show, what famous cyber battle are you going to cover? 

Rick Howard: So for this first one in the series, I'm going to cover one of my favorite cyber battles - the 2016 Russian cyberattacks against the U.S. Democratic National Committee. And it's one of my favorites because we have a lot of information about it. There's lots of, you know, public information about what actually happened. 

Rick Howard: So during the show, we're going to talk about what the Russians did and what the Americans did and then the impact of all of that. And bringing this whole conversation full circle, we're going to engage in some Monday morning quarterbacking about what the DNC should have done to prevent those attacks. 

Dave Bittner: All right. Well, sounds like fun. And again, that is part of "CSO Perspectives," which is part of CyberWire Pro. You can find out all about that on our website. Rick Howard, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by our CyberWire contributor Caleb Barlow. Caleb, always great to have you back. I wanted to touch today on this notion of preapproval, sort of doing the hard work before you get breached so that when you get breached - and I think it's fair to say when you get breached - you're ready to go, right? I mean, what are some of the considerations here? 

Caleb Barlow: Well, I stole this concept from one of my favorite CSOs. And I won't embarrass him by mentioning who it is here. But, I mean, this guy's got his act together. And one of the things that he did that I think is just absolutely brilliant is - you know, you're breached. You need resources. You need money. You need lawyers. You need outside counsel. And time is of the essence. This guy got it all preapproved. And I just - as simple as it sounds, I'm like, that's absolutely brilliant. 

Caleb Barlow: So a few things to think about, right? Go in and lay out a bunch of different incidents of magnitude from a, you know, a Level 2 incident - maybe, you know, there's malware on a couple of machines, but you're - you know, you closed it down quickly - to a - you know, maybe something that impacts your network to something more catastrophic - that large portions of the company are down, and it's public knowledge. Preapprove a budget for incidents of each of those magnitudes so that if they occur, you do not need to go track anybody down. You already have budget. You can immediately start spending money. 

Caleb Barlow: And in some cases, depending on how financial systems work at your company, I've even seen people get credit cards - you know, what they call an event card - where these cards are ready to go. You can basically, you know, keep them at the bottom of your desk. You pull them out. They're ready to go. They've got $50,000 on them, and you can move. Just a great concept. 

Dave Bittner: I can imagine some of the powers that be at a company saying, well, hold on here a second. I'm paying you to prevent this from happening. Is there an educational process that's part of this as well? 

Caleb Barlow: There is. Because remember, when a breach occurs, it's too late to prevent it from happening. You're already right at the boom. 

Dave Bittner: Yeah. 

Caleb Barlow: Now it's about mitigating the damage. And the faster you can move, the faster you can bring resources to bear, the faster you can get your production, your systems, your hospital - whatever it is - back online. So in a lot of ways, what this is about is being able to move quickly to reduce that blast radius. 

Caleb Barlow: And it's not just preapproving financial systems. Let's also preapprove our communications. What are you going to say? Let's get all those things - you know, 'cause let's face it. Most security incidents you could write today what you're going to say. We experienced an incident. We're investigating. We'll be back to you shortly with more information. Great. Get that preapproved by marketing and legal so it's on the shelf ready to go and you're not one of these companies that's totally silent for three weeks on what's happening. 

Dave Bittner: How much is this part of your overall incident response plan? Is it rolled into that, or is it its own separate thing, or do they fuzz together? How does all that work? 

Caleb Barlow: I think it should be totally rolled into it. And now here's the big one - and here's the big one that people really struggle with. Who's going to make the decisions? And the wrong answer is it's the CEO or the big boss 'cause - guess what - they're on a plane to Australia for the next 12 hours, right? 

Dave Bittner: (Laughter). 

Caleb Barlow: You have to make decisions with the people in the room, and you have to preapprove who gets to make the decision. 

Caleb Barlow: Now, my favorite question to ask people always is, if you had a devastating ransomware incident, your company was totally down, would you pay the ransom? Of course, they all say no. No, we'd never pay it, right? OK, well, let's just pretend you really had to. Who would make that call? I don't know. OK, where would you get the money? How are you going to get a quarter-million dollars in bitcoin by 3 o'clock this afternoon? I don't know. 

Caleb Barlow: You got to go through that exercise because as much as nobody ever wants to pay the ransomware operators - and by the way, I don't want you to pay either, right? We've talked about that many times on the CyberWire. 

Dave Bittner: Right. 

Caleb Barlow: But at least think about who's going to make that really tough decision. Who's going to make the decision to shut down production or disconnect you from the internet? You've got to decide that ahead of time because let me tell you, if you got five executives in a room staring at each other, nobody wants to be the one making that decision. 

Dave Bittner: OK. So I suppose you could label it a responsibility, perhaps a burden, go too far to say privilege. 

Caleb Barlow: Security decisions are always a privilege. That's why we're security professionals, Dave. 

Dave Bittner: (Laughter) Fair enough. 

Caleb Barlow: But, you know - yeah, I mean, but seriously, it requires a level of intestinal fortitude to realize that you're in crisis decision-making mode. And the best way to facilitate that is to get these permissions down ahead of time so when it hits the fan, executives are comfortable making those decisions and they're not waiting around to do it. 

Dave Bittner: Right, it's one less thing to think about. 

Caleb Barlow: That's right. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.