Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware.
Dave Bittner: Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database; organizing a cyber militia. CISA releases 12 ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing the big one. Cosplaying hardware; and Canada welcomes a new SIGINT boss.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 31, 2022.
Chrome extensions steal browser data.
Dave Bittner: Researchers at McAfee have found five cookie-stuffing Chrome extensions that, together, have found almost a million-and-a-half users. The extensions are Netflix Party, Netflix Party 2, Full Page Screenshot Capture, FlipShope and, finally, AutoBuy Flash Sales. BleepingComputer reports that two of the extensions, the Netflix-branded apps, have been removed from Google Play. At the time of their writing, the other three remain online. And as McAfee points out, an app's having a large install base is no guarantee that it's benign.
Business email compromise attack under investigation in Kentucky.
Dave Bittner: The Lexington, Ky., Police Financial Crimes Unit is investigating the electronic theft of approximately $4 million in federal rent assistance and transitional housing funds, the city announced. The record says the FBI and Secret Service have been brought in to assist with investigation. Lexington's description of the theft indicates that it was a business email compromise caper. The city's statement said, police believe a person or persons outside the government directed an electronic funds transfer into a private account. The transfer was originally intended for Community Action Council. Initial information shows no criminal involvement of city or Community Action Council employees. Lexington's financial system wasn't compromised, but city employees were tricked into sending the funds into what proved to be a private bank account. That account has since been frozen by the financial institution that holds it.
Russia's cyberattack against Montenegro.
Dave Bittner: Montenegro's government continues to attribute a widespread cyberattack that began on August 22 to Russia. The attribution is, in part, based on a perceived Russian motive. Montenegro has supported Ukraine during Russia's war, and Moscow has designated the country as hostile. Tech Monitor reports that Montenegrin Defense Minister Rasko Konjevic asked, rhetorically, who could have some kind of political interest in inflicting such damage on Montenegro? And he gave the obvious answer - I think there is enough evidence to suspect that Russia is behind the attack. Open sources are short on details concerning the tools used in the campaign. But Mr. Konjevic says the malware used doesn't come cheap. It's listed in dark web markets at between $100,000 and $2.5 million. Montenegrin authorities say recovery is in progress. Marash Dukaj, the country's minister of public administration, told a press conference the damage is being repaired and we are assessing its extent. The system will suffer no lasting effects. A huge amount of money was invested in this attack on our system.
Belarusian Cyber Partisans claim to have a complete Belarusian passport database.
Dave Bittner: The Belarusian Cyber Partisans, a dissident group opposed to the continued rule of President Lukashenka, claimed yesterday to have obtained a complete database of all Belarusian passports. They describe their caper like this - for the first time in human history, a hacktivist collective obtained passport information for all of a country's citizens. Now we're offering you an opportunity to become part of this history. Get a unique digital version of Lukashenka passport as NFT. Opensea has since taken down the passports. The Cyber Partisans elaborate on their motives, stating - the dictator has a birthday today. Help us ruin it for him. Get our work of art today.
Organizing a cyber militia.
Dave Bittner: Belarus has been a close, cooperating ally of Russia in its war against Ukraine, lending its territory to staging Russian forces and launching Russian missile strikes. Cybersecurity experts in many countries have long speculated about how effective cyber reserve forces might be prepared and mobilized. Ukraine's IT army may provide a model, a middle ground, between loosely inspired hacktivism and highly structured military reserve forces.
Dave Bittner: Recorded Future has an interview with a self-described high-ranking member of the force in which that official describes how the IT army has evolved and how it's serving in the current war. The army is directed by a core group of about 25 cyber professionals, and it's evolved along the lines of a startup corporation. Building trust has been a challenge as has compartmentalizing operations to minimize the effects of any penetration by Russian intelligence services. The group is most proud of certain operations inside Russia about which the IT admin declined to provide details and believes the pressure it's maintained on Russian networks and the operators who secure them has contributed to Russia's failure to mount successful large-scale cyberattacks against Ukrainian infrastructure.
Ordinary crime persists in wartime.
Dave Bittner: Not all unofficial cyber activity in Ukraine is benign. The country's cyber gangs have continued to operate, even in wartime. Bleeping Computer reports that Ukrainian authorities have dismantled a network of call centers a cyber gang used for financial scams. Among the tactics were targeting known victims of cryptocurrency scams and dangling the prospect of helping recover stolen funds. The National Police of Ukraine said in their announcement of the operation, the organizers used high-tech equipment and software, which allows to change the telephone numbers of the attackers to the numbers of state banking institutions. If convicted, those arrested and charged face up to 12 years in prison. Most of the victims were in Ukraine or the European Union.
CISA releases twelve ICS security advisories.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released twelve Industrial Control Systems Advisories for Hitachi, Fuji, Honeywell, PTC Kepware, Sensormatic and Mitsubishi electric products. If you run an operation using these systems, go to cisa.gov for the details.
Motherboard is funny (and right).
Dave Bittner: We'd like to give credit to Vice for the funniest description of a hardware scam we've seen in a long time. Researcher Ray Redacted thought that a 30 terabyte hard drive selling for the low, low price of just 17.99 was just too much of a bargain for plausibility, so he bought one, opened it up and found a couple of SD cards hot-glued down and misreporting themselves as being - sure, for real - a 30 terabyte device. Vice's deadpan Motherboard headline called it like this, Walmart Sells Fake 30 Terabyte Hard Drive That's Actually Two Small SD Cards in a Trenchcoat. The author, Joseph Cox, summarized what the researcher discovered. Sure enough, he found what amounted to a different item cosplaying as a big SSD.
Dave Bittner: A serious note for consumers - Walmart, like Amazon, operates in part as a marketplace in which third-party vendors sell their wares. Once Walmart was notified, the retailer promptly ejected the Hans-and-Franz (ph) hardware from its e-commerce site.
Not adieu, but au revoir.
Dave Bittner: And finally, Shelly Bruce, the head of Canada's Communications Security Establishment, is retiring after 33 years with the organization. She began her career with the CSE late in the Cold War and has worked through the shifting missions and priorities the CSE has faced since then as the leader of one of the Five Eyes intelligence services. She was responsible for launching the Canadian Centre for Cyber Security, which is on the front line against cyberthreats facing the country. We wish her well as she moves on to the next stage of what we're sure will be an interesting and productive career. And we greet her successor, Caroline Xavier - welcome. And we wish Director Xavier all success.
Dave Bittner: Coming up after the break, my conversation with Asaf Kochan of Sentra on overemphasizing the big one, and Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. Stay with us.
Dave Bittner: Asaf Kochan is CEO and co-founder of cloud security company Sentra. He believes that many firms take a large-scale approach to security by concentrating on preventing the big one, rather than taking into account which assets are vital and which assets aren't, making it difficult to limit the consequences of a breach when it happens.
Asaf Kochan: The main point I'm stressing has to do with the fact that most security tools today are still in the paradigm of the on-prem. They're trying to protect the perimeter, the network, the access level, endpoints. But at the same time, most of them are data agnostic. They don't look at data as a layer of security. And basically, you have kind of a strange environment whereby everyone's protecting the museum, but no one really is dealing with protecting the art because no one understands. Once within your environment, no one really understands where the valuable assets are.
Asaf Kochan: Taking it forward, a lot of organizations today kind of are, you know, you hear about the big events. And they're pretty much focused on the big cyber breaches. My claim, and it's based upon my knowledge and my experience - I was head of Unit 8200, which is Israeli NSA, a terrific, very vibrant and cutting-edge technological unit - so based on my experience, every big breach, when you look into it and you study it, happens in an environment whereby there were many little breaches. And it just doesn't happen one day. And when you look at the small breaches or the medium breaches, which some organizations tend to ignore, and they don't really like to publish it, usually there's a history of breaches once there's a big breach. And my claim is that you have to focus on reducing your attack surface and reducing the small breaches because eventually, dealing with these, a lot of small events reduces and makes a chance of you encountering a major event much smaller. And once you encounter event, your ability to mitigate it, survive it and continue your functionality is much higher. So this is in a nutshell. I hope I was clear.
Dave Bittner: Yeah. Well, how do you recommend organizations dial that in - I mean, to the balance between focusing on the smaller things but, you know, still being resilient as the big one happens?
Asaf Kochan: Yeah. So my key recommendation would be to play the if game and to assume that you're going to be breached and to tell the story and to run the story forward. And once you run the story forward, you must understand where your key assets are and pre-position yourself. And this is kind of a play game, which is much different than the way most organizations act. Most organizations will basically deal with prevention, and they won't go and tell the if story. And here, the data layer makes a significant meaning, because in the cloud environment, from what the way I see cloud, cloud is a platform to unlock the potential of data.
Asaf Kochan: This is the gist of the cloud. And in the cloud environs, it's extremely easy to duplicate data, to create data, to create access to data. That elasticity gives you amazing potential when it comes to unlocking this potential. And in the cloud environment, a key piece here is to understand your data posture and understand where your sensitive assets are. Once you have this understanding, you can position yourself much more effectively. So this is in a nutshell.
Dave Bittner: Yeah. How should folks go about protecting those sensitive assets? I mean, I'm thinking in a cloud environment, as you mentioned, it's easy to duplicate things. How do you keep track of things proliferating throughout your cloud environment?
Asaf Kochan: First of all, it's not a bug. It's a feature. You want data to proliferate within your cloud environment because you want democratization of data. You want the business to enjoy the great potential of data. You want engineers to access data in order to create amazing product. So starting with that, it's a feature you want to advocate for. And basically, the idea here is when it comes to data, you want to bring the different stakeholders together into one place where you see the truth about the data. You want to be - you bring the security teams. You want to be the compliance, the legal teams, the engineers, and some of the business together.
Asaf Kochan: And today, there's no real platform to bring this single sort of truth and to kind of bring these teams together in order to collaborate when it comes to protecting data and making sure you can continue with the democratization of data. And my claim - that it's a huge opportunity for security teams to go into this space.
Dave Bittner: That's Asaf Kochan from Sentra.
Dave Bittner: Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain.
Carole Theriault: So recently I was checking out bitcoin's latest valuation. And I looked at it over the last five years, and there's something rather interesting. The price of bitcoin started to skyrocket when most of us were in some form of lockdown. And then, lo and behold, now that many of us are back in the mix of living and things, the price plummets to its lowest value since the early days of the pandemic. Whether this is a coinkydink (ph) or an actual something that can be corroborated, I have no idea. But the one thing I do know is that cryptocurrency isn't going away. Every day we have media and pundits natter about all things crypto all of the time. I mean, as a person who has dabbled in tech journalism, the cryptocurrency world just keeps on giving. It's rich pickings when you get a focus on a new and volatile tech concept, especially one which has such incredible winners and pitiful losers.
Carole Theriault: And one of the big fails, aside from the crashing stock valuation of the cryptocurrency godmother bitcoin, is the questionable resilience of the ecosystem that supports it. So we're talking the tools, utilities, for storing and converting and otherwise managing all that cryptocurrency. In order to get into the market fast, you have to develop your products and services at breakneck speed, right? And we all know what happens when you run before you can walk, especially in security terms. You can trip up because when you trip up on security, it can be worse than a broken front tooth or a skinned knee.
Carole Theriault: In the first six months of this year, we've already seen some ghastly crypto hacks - like in February, attackers exploited a flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole's Ethereum's variant. And at the end of March, North Korea's Lazarus Group memorably stole what at the time was $540 million worth of Ethereum and USDC stablecoin from the popular Ronin blockchain bridge. You know, it's so funny to consider that these words meant absolutely nothing five years ago. And April, attackers targeted the stablecoin protocol Beanstalk, granting themselves a flash loan to steal about $182 million worth of cryptocurrency - obviously, again, valued at the time. And this is just a teeny tiny selection of the crazy number of hacks out there involving cryptocurrencies.
Carole Theriault: But this was the question I was asking myself. You ready? With the most popular cryptocurrency having shed about 70% of its value since it hit its all-time high of roughly $69,000 in November last year, and with the overall market capitalization of crypto assets having dropped to less than 1 trillion from its November 2021 peak of 3 trillion, are hackers going to lose interest in crypto because the money is drying up, or are the pickings just too rich, with a market full of insecure products? Your guess is as good as mine. But I would say that in my experience, hackers tend to go where the money is, and if the money's drying up, one can't help but wonder what their next target is going to be. This was Carole Theriault for the CyberWire.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.