The CyberWire Daily Podcast 12.19.22
Ep 1726 | 12.19.22

BEC gets into bulk food theft. BlackCat ransomware update. Epic Games’ settlement with FTC. InfraGard data taken down. More on the hybrid war. And Twitter asks for the voice of the people.


Dave Bittner: BEC takes aim at physical goods, including food. BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases 41 ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open-source intelligence. And Twitter says vox populi, vox dei.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 19, 2022. 

BEC used to steal physical goods (including food).

Dave Bittner: The FBI, the FDA, USDA have issued a joint cybersecurity advisory warning of BEC. And for those of you playing acronym bingo, congratulations on your win. But seriously, these are business email compromise attacks designed to steal food shipments. Threat actors are impersonating real food and agriculture companies to order hundreds of thousands of dollars' worth of food and ingredients. The report says, while BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals do not pay for the products. Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens or expiration dates. Counterfeit goods of lesser quality can damage a company's reputation. In one incident that took place as far back as February of this year, scammers posed as four different companies and stole nearly $600,000 worth of whole milk powder and nonfat dry milk from a food manufacturer.


BlackCat ransomware activity increases.

Dave Bittner: The BlackCat/ALPHV ransomware group is showing some increased activity lately, including an attack on a Colombian energy supplier and the release of data from DC's official convention and sports authority. BleepingComputer reports that EPM, an energy company in Colombia, fell victim to a ransomware attack orchestrated by the BlackCat ransomware group last Monday. The attack took the supplier's online services down and disrupted company operations. How much data was stolen from one of Colombia's largest public energy, water and gas providers remains unclear as of the posting of the article. Security researcher German Fernandez notes that just over 40 devices were listed on the ExMatter tool of the threat actors, discovered via a malware analysis site. 

Dave Bittner: Following an October cyberattack on Events DC in October, the BlackCat ransomware group published what they claim is approximately 80 gigabytes of data from the convention and sports authority on Thursday, The Washington Post reports. The released data, which the ransomware group claims are internal Events DC files, include incident and injury reports filed by customers impacted by the breach, contracts, board minutes, bank statements and tax forms for employees, city plans and arena security. The documents have not been confirmed to be genuine by Events DC. 

Epic Games settles FTC regulatory case for $520 million.

Dave Bittner: The U.S. Federal Trade Commission announced this morning that Epic Games, publisher of the popular Fortnite game, among others, has agreed to pay a total of $520 million in relief over allegations the company violated the Children's Online Privacy Protection Act and deployed design tricks known as dark patterns to dupe millions of players into making unintentional purchases. Two hundred seventy-five million dollars of the total settles the accusation that Epic Games violated COPPA by collecting children's personal information without verifiable consent from a parent. The remaining $245 million in the settlement will take the form of refunds to customers over allegations that Epic Games used dark pattern deceptive tactics to induce customers to make in-game purchases. Epic Games, in its own response to the settlement, focused on what it intended to do about the practices that caused the problem in the first place. It offered advice to developers about the hazards that attend attempts to streamline the checkout process. 

InfraGard database pulled from dark web auction site.

Dave Bittner: The hacker who posted data stolen from InfraGard, a public-private cyber intelligence service led by the U.S. FBI, has removed it from the breached forums market where they'd been offered for sale. HackRead reports that the culprit said he didn't want to cause any more trouble. And in what appears to be the result of a startling moral awakening, the hacker also stated that all the email addresses present in the database were emailed to Troy Hunt so that he could add them to his website, Have I Been Pwned? The data stolen had included full names, email addresses, employment details, industry of employment, social media user IDs and more. 

CISA releases forty-one ICS advisories.

Dave Bittner: At the end of last week, CISA released 41 industrial control system advisories. One involves a Prosys system. The other 40 address issues in Siemens control products. 

Further assessment of Russian cyber performance.

Dave Bittner: The Carnegie Endowment for International Peace has published another paper, this one titled "Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications." It assesses the surprising shortfalls of Russian performance in cyberspace before and during the current war. The study refers to offensive cyber operations as cyber fires, not unreasonably, given the way electronic attack has historically been managed by fire support coordinators, at least in U.S. doctrine. Some of the conclusions are Russian cyber fires - disruptive or destructive attacks - may have contributed modestly to Moscow's initial invasion, but since then, they have inflicted negligible damage on Ukrainian targets. 

Dave Bittner: Cyber fires have neither added meaningfully to Russia's kinetic firepower nor performed special functions distinct from those of kinetic weapons. Intelligence collection, not fires, has likely been the main focus of Russia's wartime cyber operations in Ukraine, yet this, too, has yielded little military benefit. While many factors have constrained Moscow's cyber effectiveness, perhaps the most important are inadequate Russian cyber capacity, weaknesses in Russia's noncyber institutions and exceptional defensive efforts by Ukraine and its partners. As the war continues, Russian intelligence collection probably represents the greatest ongoing cyber risk to Ukraine. The study also offers advice for other countries facing hybrid war in the future, Russian or otherwise. The short message is probably best summed up as offensive cyber operations are hard, but don't drop your guard, and keep your shields up. 

The growing value of open source intelligence.

Dave Bittner: Open-source intelligence, OSINT, isn't new, General Hockenhull, commander of the U.K.'s Strategic Command, told the Royal United Services Institute, but it's certainly risen to prominence during Russia's war against Ukraine. Commercial satellites and the overhead imagery they provide have had considerable effect on collection and the intelligence developed therefrom. Online networks have made it easy for civilians in and around the war zone to report combat information about Russian forces. The Washington Post offers a similar discussion. Their reporting focused on the ubiquity of video. The war against Ukraine has become, in the opinion of experts the Post consulted, one of the most visually documented wars in history. 

Twitter agonistes.

Dave Bittner: And finally, over the weekend, Elon Musk put up a poll asking whether he should continue to run Twitter. Should I step down as head of Twitter, Mr. Musk tweeted yesterday. I will abide by the results of this poll. Early reporting by Bloomberg, based on Mr. Musk's Twitter feed itself, suggests that the ayes are having it. The poll followed an earlier announcement of a new Twitter policy banning accounts created solely to promote other social media platforms. That proved unpopular and was soon rescinded. And Mr. Musk committed to holding votes among Twitter users before enacting other major policies, stating, going forward, there will be a vote for major policy changes. My apologies. Won't happen again. The Wall Street Journal, also reporting on the poll returns, mentions Mr. Musk's ruminations to the effect that if he were to go, there might be no one else willing to take the job. Maybe he's right. We have little to add by the way of commentary to the ongoing saga of Twitter and its adjustment to new ownership, except to say that it reminds us more and more of the literary classic "Clarissa," with Mr. Musk as the eponymous heroine, the internet as a whole playing the part of Robert Lovelace. Or perhaps we've got it backwards, and the internet is Clarissa and Mr. Musk is Lovelace. Discuss amongst yourselves.

Dave Bittner: Coming up after the break, Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. Stay with us. 

Dave Bittner: It's always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's own chief security officer, also our chief analyst. Rick, welcome back, and happy holidays, my friend. 

Rick Howard: Oh, yes. Happy holidays. Here we are at the end of the year. 

Dave Bittner: That's right. It is the end of 2022. Where did it go? I would say I have to start learning to write 2023 on my checks, but I can't remember the last time I wrote a check. 

Rick Howard: That was the only way I would remember it because I wrote those things, and now I don't do that anymore, right? So... 

Dave Bittner: Yeah, yeah. Well, I have to say it at the start of every podcast, so I'm going to be rerecording that a lot the first couple of weeks of January. So you and your interns down in the Sanctum Sanctorum have prepared a special treat for all of your "CSO Perspectives" listeners. What do you have in store for us? 

Rick Howard: So, Dave, both you and I are giant fans of Andy Greenberg. He's the senior writer at WIRED magazine. You've interviewed him a couple of... 

Dave Bittner: Yeah. 

Rick Howard: ...Times, right? Yeah? 

Dave Bittner: Oh, yeah. Yeah. Always a good interview. Absolutely. 

Rick Howard: And he's authored several fantastic cybersecurity books. One of them, "Sandworm," about the Russian attacks against Ukraine from 2014 to 2017, that's a Cybersecurity Canon Hall of Fame winner. 

Dave Bittner: Yeah, a great book. I think that's - I know that's one of the books that I interviewed Andy about. And, you know, it seems especially pertinent in light of all the activity in that area of the world these days. 

Rick Howard: Yeah, exactly. Well, Greenberg's written a new book, all right? It's called "Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency." That is a fantastic title, by the way, right? And it just came out. And I have to say, Dave, it's the best cybercrime book that I've read in over a decade. 

Dave Bittner: Wow. 

Rick Howard: And I got to interview Andy about it. He's one of the - he came on one of our shows the first time, so it's fantastic. It's about how an academic researcher, a Silicon Valley entrepreneur and an IRS investigator and a bunch more people, they used this new technique called blockchain analysis to track down dark web criminals and arrest them. Here's a clip from the show. 

Andy Greenberg: This is the end of the Silk Road story but, really, just the beginning of the story of the book because that was when Tigran realized that bitcoin can be traced, and he had just proved somebody's guilt through cryptocurrency tracing for the first time in the history of law enforcement. And not only that, but he soon followed another thread of, like - a kind of loose thread of, like, missing bitcoins from the Silk Road to show that they had been taken by another corrupt agent, a Secret Service agent who worked in the same Baltimore office as Carl Mark Force. That was Shaun Bridges. And the two of them were both corrupt agents, both investigating the Silk Road and simultaneously trying to enrich themselves from that investigation. Anyway, they - just taking whatever dirty bitcoins they could. And both of them had thought that those bitcoins would be untraceable so they could never be caught. And Tigran caught them both, and they both went to prison. 

Dave Bittner: So did I catch that right? The IRS agent, Tigran, caught two law enforcement officers acting badly on the dark web and put them in jail? 

Rick Howard: I know. He did. You couldn't - if I was writing this down and making it up in a novel, people would say, oh, that's unrealistic. 

Dave Bittner: (Laughter). 

Rick Howard: Not one, two law enforcement officials. 

Dave Bittner: Yeah. 

Rick Howard: Right? 

Dave Bittner: Wow. 

Rick Howard: And those are just two small stories in the book. And it's packed with - full of amazing things. So I highly recommend it. And you can hear my interview with Andy on "CSO Perspectives" Pro this week. 

Dave Bittner: All right. Well, that is on the Pro side. How about on the public feed this week? 

Rick Howard: So the Sanctum interns have unvaulted another Pro episode for the public to listen to. This one is from the last episode of Season 9. It's called "Security Infrastructure As Code." And we cover the history of software development from the old waterfall model in the 1980s to agile development in the 2000s to the DevOps movement in the 2010s and, finally, to the DevSecOps resurgence starting in around 2016. 

Dave Bittner: Yeah, it's my impression that we've made significant progress here in the last few years in regards to DevSecOps, right? 

Rick Howard: Well, I would say that some security practitioners have inserted themselves into the CI/CD - that's continuous integration, continuous delivery - pipeline, you know, for things like linear regression testing and OWASP roles. But we as a community have done virtually nothing to automate the tasks that we typically might see in the SOC, you know, things like zero-trust monitoring, intrusion kill chain control deployments, resilience maintenance and risk forecasting. So we have a ways to go here. 

Dave Bittner: Well, before I let you go, what is the phrase of the week over on your "Word Notes" podcast? 

Rick Howard: The phrase of the week - I love just saying it that way... 

Dave Bittner: (Laughter). 

Rick Howard: ...Is ransomware. It's everything you ever... 

Dave Bittner: I'm sorry. I'm sorry. Ransomware? I don't think I'm familiar with that. 

Rick Howard: (Laughter). 

Dave Bittner: Ransomware? 

Rick Howard: It's this new-fangled term. It's brand new (laughter). 

Dave Bittner: What is ransomware? 

Rick Howard: It's brand new on the Gartner Hype Cycle, so we've never heard it before. 

Dave Bittner: (Laughter). 

Rick Howard: So we're going to talk about everything you've ever wanted to know about the evolution of ransomware. And we have a fantastic nerd clip from my favorite hacker TV show, "Mr. Robot." 

Dave Bittner: All right. Well, we will look forward to all of that. Rick Howard is the host of the "CSO Perspectives" podcast. Rick, thanks for joining us. 

Dave Bittner: And joining me once again is Robert Boyce. He is the global lead for cyber resilience and also an advisory board member at Accenture. Rob, it's always great to welcome you back to the show. I can't believe I'm saying this already, but the holidays are upon us, and with that, there are all kinds of folks who are looking to take advantage of perhaps folks being away or being distracted by the holidays. I want to touch base with you on that. What sorts of things are you tracking as we head into this season? 

Robert Boyce: Hi, Dave. And thanks for having me back. You know, I think, you know, holidays are interesting for me. In my role, you know, I almost call it holiday vigilance instead of holiday spirit because we're always expecting the worst to happen at this time of year. So we're always so on guard. You know, I find it fascinating, always fascinating, just on how innovative and how much ingenuity our threat actors have when it comes to things like fraud. And, you know, we've just gone through, you know, COVID and now in a recession, so there's so many opportunities - well, now entering the holidays, of course, there's so many opportunities for threat actors to take advantage of consumers and organizations. And fraud seems to be one of those - the biggest things that are going on around the holiday time. You know, a few things that I find really fascinating - and, again, to me, even, you know, my team giving me this research, I even thought, wow, I never thought some of these are actually happening in place. But, you know, there's a couple of things that stand out to me. 

Robert Boyce: One is around what we call the refund service offering. So this is interesting - where we have, you know, a threat actor, you know, purchase a bunch of things online from, you know, a number of different retailers and then a different threat actor going back to those retailers and trying to refund the money through social engineering. And it's very well-coordinated. So the - you know, the threat actors will post in a dark web forum, basically saying, you know, listen; if you are able to buy something from these, say, eight different retailers, let me know, give me the information about the purchase, and I will go ahead and get a refund there through different social techniques, social engineering techniques that they employ. And for that, they keep about, you know, 40% of whatever is refunded. So it's really - yeah, it's quite fascinating that this happens. And what we've seen so far in the chatter already this year is that more requests than ever have been - started to go back and forth between, you know, the individuals and the threat actors offering these services. So we're already seeing an uptick in that behavior now. 

Dave Bittner: Do you suppose that that uptick is a response to sort of global financial conditions or just a continuation that they're finding that these things work? 

Robert Boyce: I think it's a little bit of both. You know, I think when - since COVID, really, the - I think online shopping has been, you know, the No. 1 priority for most consumers, and so we're seeing a lot more of the activity taking place that they can - you know, that they can use to target for this type of activity. But I also just think that it's proven to work. And, you know, it's just - again, just so much ransomware, it's a very viable business for them. 

Dave Bittner: In terms of the retailers themselves trying to defend themselves against this - I mean, you mentioned that a big component of this is social engineering, and I suppose any retailer expects a certain amount of loss just to keep customers happy. Is that what the bad guys are focusing in on here? 

Robert Boyce: Yeah. And I think - and the time of year is no coincidence when, you know, the retailers are receiving probably the highest volume of calls that they're going to have throughout the year. And so I think the - I wouldn't say that their guard is down, but I just think the volume of calls that they're getting, both legitimate and illegitimate, is very hard to keep the same level of structured response that they may have in the slower times of the year. So I think that's a big part of it as well. 

Dave Bittner: So is the message here one of vigilance, or are there also some technical measures people can put in place? 

Robert Boyce: I think this is vigilance and training, right? So this is when we're always saying, you know, the people are the weakest link. I find that a lot of the holiday attack scenarios are very much around individuals, around people, focused on them, focused on social engineering. So it's really just, you know, making sure that you follow the standard advice for phishing emails, the standard advice for, you know, what - those text - the smishing that you get from text messages. And, you know, there's this - there is definitely the time of year. If you're ever going to be more vigilant with messages that you're getting and you want to validate and verify that the sender is real and the requests are real is definitely during the holidays. 

Dave Bittner: Yeah. Well, good advice, as always. Rob Boyce, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.