The CyberWire Daily Podcast 9.27.22
Ep 1671 | 9.27.22

Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? Cashout scams and neglected wallets. Developments in the Optus breach.

Transcript

Rick Howard: Hey, everybody. Rick Howard here, the CyberWire's chief security officer, chief analyst and senior fellow. I want to remind you that I will be hosting the CyberWire's quarterly analyst call this Friday from 1:30 to 2:30 p.m. Eastern Standard Time. I've invited two experts to the CyberWire Hash Table to discuss the most impactful stories from the last 90 days - Roselle Safran, the CEO and founder at KeyCaliber, and William MacMillan, the former CISO for the CIA and currently the SVP of security product and program management at Salesforce.

Rick Howard: And you all know as regular listeners that cyber news comes in fast and furious and in large volumes. It's hard to tell what's important and what's not. In this show, we're going to hit the pause button and try to figure it out. Come join us. It's always fun, and you might learn a thing or two. You can register at the CyberWire's website. Just click the Register button at the top of the page that says CW Pro Q3 Analyst Call. And I hope to see you there. 

Dave Bittner: Ukraine's defense intelligence warns of coming Russian cyberattacks against infrastructure. What are the next moves for LAPSUS$? We know it's a bear market, but take a look at your wallet, crypto speculators. Mr. Security Answer Person John Pescatore on next year's most over-hyped term. Ben Yelin explains a $35 million data privacy settlement. And finally, developments in the Optus breach. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 27, 2022. 

Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure.

Dave Bittner: The Ukrainian Defense Intelligence Service warned yesterday that the Kremlin is planning to carry out massive cyberattacks on the critical infrastructure facilities of Ukrainian enterprises and critical infrastructure institutions of Ukraine's allies. The GRU added, first of all, attacks will be aimed at enterprises of the energy sector. The experience of cyberattacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations. 

Dave Bittner: Their estimate concludes that the cyberattacks will be a combat support operation intended to augment the effects of kinetic strikes. They state, by the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. The occupying command is convinced that this will slow down the offensive operations of the Ukrainian defense forces. 

Dave Bittner: And Ukrainian allies, especially Poland and the Baltic States, are warned to expect further distributed denial of service attacks. Ukraine has said - and outside security experts tend to agree - that the country learned from the 2015 and 2016 cyberattacks against its power grid. Ars Technica notes the ways in which CERT-UA and its partners appear to have avoided a repeat of those attacks. It seems that a massive takedown of that grid has since become markedly more difficult and considerably less likely than it was in the middle of the last decade. 

Dave Bittner: Russian cyber operations have underperformed international expectations during the present war. Their most marked success, the takedown of the Viasat network in the early hours of the invasion, now seems retrospectively to have been less consequential than initially believed. Services were indeed crippled, but the target selection in this case seems to have been wayward. The evident intent was to degrade Ukrainian command and control, but Ukrainian forces used the satellite network only as a backup, and its disruption didn't have any significant impact on military communications, Zero Day reports.

Next moves for Lapsus$? 

Dave Bittner: After the high-profile incidents at Uber and Rockstar Games, the LAPSUS$ Group seems again to have been disrupted by an arrest, but it's unlikely we've seen and heard the last of them. Digital Shadows offers some speculation about where the group may be headed next. Researchers at Digital Shadows have published a report looking at the possible next moves for LAPSUS$. The group tends to carry out a combination of hacktivist and financially motivated crimes, although their tactics are generally opportunistic. 

Dave Bittner: The researchers say if reports are to be believed, then many of the culprits for the recent attacks may receive law enforcement attention. One 17-year-old in London has already been arrested, which is likely related to the incidents involving Uber or Rockstar Games. It is realistically possible that this arrest may have a similar impact to what we saw in March. LAPSUS$ may go underground for a period in reaction to increased media and law enforcement scrutiny. There are also signs of an incipient but growing connection between the Lapsus$ group and ransomware gangs, notably Yanluowang. Digital Shadows points out, within the attack against Cisco, Lapsus$ were also attributed with activity that is consistent with pre-ransomware deployment activity. 

Take a look at your wallet.

Dave Bittner: As cryptocurrency assets remain in a bear market, many speculators are reluctant to look at their accounts. It's just too depressing. Scammers have been exploiting that inattention to run cash-out scams against account holders. Sift has published a report finding that cybercriminals are targeting neglected cryptocurrency accounts amidst the drop in cryptocurrency's value over the past few months, stating, as cryptocurrency prices have plummeted in recent months, Sift's Trust and Safety Architects uncovered a new scam targeting crypto account holders. Stating, in this crypto cash-out scam, one fraudster who is looking to launder stolen funds solicits the help of another fraudster who has successfully taken over connected bank accounts and crypto wallets. Once they team up, the cybercriminals load the stolen funds into the hijacked bank account and then into the corresponding stolen crypto wallet before draining the funds and splitting the profits. 

Dave Bittner: Brittany Allen, trust and safety architect at Sift, said, account takeover attacks are proving to be a primary attack method among fraudsters in our challenging economic environment. Adding insult to injury, cybercriminals are leveraging automation via bots and scripts to match ATO attacks at scale, often forcing businesses to choose between introducing excessive friction in their user experience or being consumed by fraud. So as painful as it may be, take a look at your wallets every now and then. 

Developments in the Optus breach.

Dave Bittner: And finally, investigation of the breach suffered by Optus in Australia continues. The U.S. FBI is rendering assistance to the Australian Federal Police. Australia's Minister for Home Affairs and Cybersecurity called the attack, quite a basic hack, and criticized the telco for permitting it to happen, The Record says. For their part, the criminals have sought to increase the pressure on those being extorted by releasing some of the data taken, ABC reports. The hackers are also presenting some of the Robin Hood schtick sometimes seen in other double extortion incidents, saying, sorry too 10,200 Australian whos data was leaked. It's not quite Shadowspeak, but if you could see the spelling, you'd call it, well, Shadow-writing. Whoever you are, sir, Robin Hood, you ain't. They spelled better in Sherwood Forest.

Dave Bittner: Coming up after the break, Mr. Security Answer Person, John Pescatore, on next year's most overhyped term. Ben Yelin explains a $35 million data privacy settlement. Stay with us. 

Dave Bittner: There is no shortage of hype in cybersecurity when the marketing and PR folks get their hands on everything. In this edition of Mr. Security Answer Person, John Pescatore takes a look at what just might be next year's most overhyped term. 

Automated Voice: Mr. Security Answer Person. Mr. Security Answer Person. 

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode - I just listened to the segment where you talked about how overhyped the term Zero Trust is. Can you give us a prediction of what you think will be next year's most overhyped term? Well, I promise I'll get back to your actual question, but first, I'm going to answer a slightly modified version. What do I think should be the most hyped-up term in cybersecurity in 2023? 

John Pescatore: Last year, my daughter had her first child - our first grandson. And - no surprise - he turned their lives upside down. I started calling him Chaos Monkey after a cool piece of testing software that Netflix developed and describes this way - Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment. Now, here's the important part of the quote - "exposing engineers to failures more frequently incentivizes them to build resilient surfaces," end quote - kind of like exposing DINKs - dual income no kids couples - to their first baby does. 

John Pescatore: Chaos Monkey is just one of the tools in a collection Netflix calls the Simian Army. A lot of this grew out of chaos engineering work Peter Deutsch at Sun and others did, where they defined the eight fallacies that developers in the early days of internet software assumed were true of distributed computing over the internet. The eight fallacies are one, the network is reliable; two, there is zero latency; three, bandwidth is infinite; four, the network is secure; five, topology never changes; six, there is one administrator; seven, transport cost is zero; eight, the network is homogenous. Too often, some or all of those eight fallacies are still taken as gospel when developers write code today, even using fancy new DevOps methodologies. 

John Pescatore: All of this reminds me of when I used to drive an old car that broke down a lot, so I carried a lot of spare parts and tools and often planned my trips so that I'd always be in range of help if the inevitable failure occurred. Cars have actually gotten a lot more reliable over the years, but software really has not. Of course, Mr. Security Answer Person's focus is mostly on fallacy number four. The network is secure? Here, the network means the entire internet, as in all the connecting paths and all the endpoints. So even if transport security is always running - as in SSL everywhere or over IPsec - we know many of the endpoints will never be secure because they're running software and most endpoints are being used or being administered by people. Software and people are soft and squishy and don't get harder very fast. 

John Pescatore: So I think chaos security should be the new buzzword and CISOs should be called chief chaos safety officers or something like that. I've kind of become convinced that chaos can be navigated safely, but chaos can never be made secure. Realistically, though, I doubt we are ready to admit all that yet. 

John Pescatore: With that off my chest, let me answer your original question, which brings me back to the second line of Peter Deutsch's quote - "exposing engineers to failures more frequently incentivizes them to build resilient services." Resiliency popped up on the cybersecurity buzzword radar screen years ago, but it is definitely on the rise. An example is supply chain resiliency vendor Interos and the resiliency operations center, or ROC concept, around maintaining a secure, reliable and yes, resilient supply chain. We have certainly seen the impact of near-chaos in supply chains in the past few years, as well as a definite lack of both resiliency and security. With wars and pandemics and climate change all hitting the world all at once, resiliency is actually a pretty lofty goal. I'm looking forward to broad adoption of resiliency development - maybe we'll call it ResDevSecOps - resilient data and yes, even resilient trust architectures. 

Unidentified Group: Mr. Security Answer Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Unidentified Group: Mr. Security Answer Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story - this is from the Wall Street Journal, written by Dave Michaels. And it is about the good folks over at Morgan Stanley paying 35 million bucks to settle claims of failing to protect customer records. What's going on here, Ben? 

Ben Yelin: So there is a federal regulation that requires brokers and money managers like Morgan Stanley to protect the security and confidentiality of customer records. So we don't have a comprehensive data privacy law in this country, at least at the time that we're recording this. So we have this sort of patchwork that applies in various industries. HIPAA applies when we're talking about health care and covered entities. The SEC has promulgated regulations as it applies to these brokers and money managers. 

Ben Yelin: So what happened with Morgan Stanley is allegedly, it scrapped computer servers and hard drives without ensuring that they no longer held sensitive customer information. And they resold those servers and hard drives with customer data still on it. 

Dave Bittner: Oops. 

Ben Yelin: Yeah. So that's a big problem. 

Dave Bittner: Right. 

Ben Yelin: So it's the role of the SEC to impose fines for a variety of purposes. The first is to pay monetary damages to individuals who have suffered harm. And that's part of this 35 million that's been imposed here. But the other part is to send a message to Morgan Stanley that this type of improper safeguarding of sensitive customer data is unacceptable, and we will bring the full force of Uncle Sam down on you if you don't do your due diligence. 

Ben Yelin: So 35 million is a lot of money. It's going to be a very steep penalty, probably one of the largest we've seen for what they refer to in this article as a record keeping misstep. The three previous fines levied by the SEC on financial firms for this type of violation were much smaller fines, only in the amount of about $300,000 or so. So we're talking about multiplying that - what is that? - 100 fold? 

Dave Bittner: Yeah. 

Ben Yelin: I'm not so great at math, but... 

Dave Bittner: I believe an order of magnitude is the term of art (laughter). 

Ben Yelin: Exactly. We'll go with that. 

Dave Bittner: Right. Right. 

Ben Yelin: I think from Morgan Stanley's perspective, they're a big company. They're probably going to be fine. They are going to pay the fine and be relieved of the obligations of this investigation... 

Dave Bittner: Right. 

Ben Yelin: ...Which has been... 

Dave Bittner: They're admitting no wrong here - worth noting, I suppose. 

Ben Yelin: They are not admitting any wrong. They're just paying. It's sort of how I feel about - when I get caught by one of those speed cameras... 

Dave Bittner: Right. 

Ben Yelin: ...Where I'm probably not going to be able to challenge this. I... 

Dave Bittner: Yeah. 

Ben Yelin: ...Could certainly argue that maybe I wasn't going 45 in a 30, but it's not worth it for me to go to court on this. So they're going to pay the fine. They say that they've notified all of their applicable clients about what happened. They say this is something that happened in the past. They've been much better over recent history about detecting and protecting against unauthorized access to personal client information. And so from their perspective, and I think from the government's perspective, this matter has been resolved. 

Dave Bittner: Yeah. It's interesting. This article points out that the SEC claims that Morgan Stanley lost track of 42 computer servers that potentially contained unencrypted customer data, which it sounds like were in field offices; you know, not at Morgan Stanley headquarters, but out in the offices they have around the country. And it's easy to imagine a scenario where, you know, the IT folks come in to upgrade the server and transfer all the data over. And now you got this pile of old servers. And what are you going to do with them? Well, you know, maybe Bob'll take - put them on Craigslist or... 

Ben Yelin: Exactly. 

Dave Bittner: You know, like, you know, who knows? But... 

Ben Yelin: It's easy to sell them. 

Dave Bittner: Right. 

Ben Yelin: I mean, you probably just don't think about the inherent risks of there being confidential customer information on them... 

Dave Bittner: Yeah. 

Ben Yelin: ...If it's just one piece of hardware in an office. But when you multiply this by a large magnitude - and we're talking about 40 different devices or servers - then that becomes a pretty big problem, and it feels more like a pattern and practice than just an isolated incident. It seems like they just had been somewhat negligent in how they dealt with those outdated servers and that outdated hardware. 

Dave Bittner: Yeah. I think this is a really good reminder for folks who are tasked with these sorts of things that - 'cause I've seen several cases over the years where a piece of hardware gets decommissioned, and then it just kind of gets forgotten about. It sits on a shelf maybe for years. And then at some point somebody says, what are we doing with all these, you know, servers that are on that shelf? I don't know. Just, you know, tell you what, Bob. Go out - just, you know, toss them in the dumpster. No one will ever know. 

Ben Yelin: What you've got to do is go full "Office Space" on them. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: Take them to a field with a baseball bat. 

Dave Bittner: Yup. 

Ben Yelin: And just whack them... 

Dave Bittner: Yeah. 

Ben Yelin: ...And get some good music playing in the background, too. 

Dave Bittner: Yeah, yeah. That's a solid plan. All right. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.