ICS security–vulnerabilities, mitigations, and threats. A Chinese APT prospects Iranian targets. The persistence of nuisance-level hacktivism. And war takes a toll on the criminal economy.
Dave Bittner: CISA adds to its Known Exploited Vulnerabilities Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyber-espionage is reported against Iran. Persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side effect of Russia's war - a drop in pay card fraud.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 18, 2023.
CISA adds to its Known Exploited Vulnerability Catalog.
Dave Bittner: Good day to you all. It is great to have you here with us again today. We begin with some notes from CISA, the U.S. Cybersecurity and Infrastructure Security Agency. Yesterday, CISA made an addition to its Known Exploited Vulnerability Catalog, tracked as CVE-2022-44877. The issue involves an OS command injection vulnerability in the CWP, Control Web Panel. That system was formerly known as the CentOS Web Panel. Exploitation of the vulnerability could allow remote attackers to execute commands by using shell metacharacters in the login parameter. And, apparently, some remote attackers are doing just that. Federal civilian executive agencies have until February 7 to apply updates per vendor instructions. Also yesterday, CISA released four industrial control system advisories. It's worth paying due attention to warnings like those contained in the CISA advisories. An industry study suggests the range of threats industrial systems face.
Other attacks against industrial systems.
Dave Bittner: Nozomi Networks has released its OT/IoT Security Report for the second half of 2022, highlighting disruptive attacks against the transportation and manufacturing industries. The researchers describe a cyberattack that hit rail technology manufacturer Continental in November. The attackers stole more than 40 terabytes of data, which they threatened to publish on the dark web unless the company paid a $50 million ransom. Continental refused to pay the ransom, stating that it would only help fund continued attacks on the security of critical infrastructure, such as utilities and hospitals, educational institutions and the economy. Nozomi notes that attacks against rail systems have been growing in frequency, making this sector an attractive target to all threat actor types at play. Nozomi also outlines wiper attacks against three Iranian steel companies. These attacks were claimed by the hacktivist group Predatory Sparrow, though the BBC cites experts who suspect the attacks may have been carried out by state-sponsored actors.
DNV recovering from ransomware.
Dave Bittner: The maritime shipping sector has also been affected by recent cyberattacks. According to the LoadStar, the ship classification society DNV has disclosed that its ShipManager fleet management software was hit by a ransomware attack on January 7. DNV says approximately 1,000 vessels belonging to 70 of its customers have been affected, stating, DNV experts have shut down ShipManager's IT servers in response to the incident. All users can still use the onboard, offline functionalities of the ShipManager software. There are no indications that any other software or data by DNV is affected. The server outage does not impact any other DNV services. DNV experts are working closely with global IT security partners to investigate the incident and to ensure operations are online as soon as possible. DNV is in dialogue with the Norwegian police about the incident. DNV is communicating daily with all 70 affected customers to update them on findings of the ongoing forensic investigations. In total, around 1,000 vessels are affected. We apologize for the disruption and inconvenience this incident may have caused. TradeWinds reports that as of January 17, DNV was still working to bring ShipManager back online.
Chinese cyberespionage reported against Iran.
Dave Bittner: Palo Alto Networks' Unit 42 has published a report describing Playful Taurus, also known as APT15 or Vixen Panda, a Chinese threat actor known for carrying out cyberespionage campaigns against government and diplomatic entities around the world. In this case, Playful Taurus is targeting government entities in Iran with a new version of its Turian malware. The threat actor appears to have compromised the networks of at least four Iranian government organizations, including Iran's Ministry of Foreign Affairs. The new version of the threat actor's malware includes some additional obfuscation and a modified network protocol.
Dave Bittner: The researchers conclude that Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyberespionage campaigns. Our analysis of the samples and connections to the malicious infrastructure suggest that Iranian government networks have likely been compromised. At the same time, we would also caution that Playful Taurus routinely deploys the same tactics and techniques against other government and diplomatic entities across North and South America, Africa and the Middle East. So take the campaign against Iranian networks as a cautionary tale.
The persistence of nuisance-level hacktivism.
Dave Bittner: Russian threat actors allegedly disrupted a Ukrainian news conference yesterday, Axios reports. Media Center Ukraine, the service convening the event, said we just faced a cyberattack on our information platform committed by Russia. We understand they don't like to hear the truth about this war, but we're not to be stopped. We are online. We are broadcasting. The news conference was set to include an interview with Yurii Shchyhol, head of State Service for Special Communications and Information Protection, who was to offer an overview of Russian cyberoperations during its war against Ukraine. The delay was brief. The interview has since been posted by Ukrinform. Its contents are about what you'd expect - continued attempts, for the most part ineffectual in terms of combat support, nuisance-level stuff like the attack on the press conference itself.
A side-effect of Russia's war: a drop in paycard fraud.
Dave Bittner: And finally, to stay with the hybrid war for a moment longer, Russia's campaign against Ukraine has had at least one somewhat surprising effect - a recession in the criminal carding economy. In the course of surveying paycard fraud during 2022, Recorded Future's Insikt Group noticed a 62% drop in stolen cards being hawked or dumped on the dark web. That drop, Info Security Magazine points out, coincides with Russia's invasion of Ukraine. The drop came in two waves. The first was occasioned by an unexpected crackdown on some cybercriminal gangs in January of 2022. Recorded Future says, the governing theory is that Russia sought to signal its intent to cooperate with the West against cybercrime should the West acquiesce to Russian demands regarding Ukraine. Any expectation of Western goodwill was soon seen to be a false light.
Dave Bittner: The second wave took place after the invasion proper and once it became clear that the war Russia had unleashed was going to be far more protracted than anyone expected. The report says, after April, slack carding demand and depressed volumes of fresh records were likely a result of Russia's war. It is highly likely that the war has significantly impacted Russian and Ukrainian threat actors' ability to engage in card fraud as a result of mobilization, refugee and voluntary migration, energy instability, inconsistent internet connectivity and deteriorated server infrastructure. Russian-occupied areas of the Donbas region of Ukraine were long suspected to have hosted cybercriminal server infrastructure. And this is in addition to another possible contributing cause we might mention - the mobilization of gangs as cyber auxiliaries of the Russian intelligence and security services. This sector of the criminal underground economy is likely to continue to see a downturn as long as the war continues. And those 350,000 conscripts President Putin just said he was going to summon have to come from somewhere. You are not necessarily going to be left alone in the local cyber cafe or your parents' basement.
Dave Bittner: Coming up after the break, Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. Stay with us.
Dave Bittner: Yasmin Abdi is a security engineering manager at Snap, makers of the popular app Snapchat, and also the CEO and founder of noHack. I checked in with her to learn how she and her team at Snap are implementing principles of zero trust to better secure their organization and their users.
Yasmin Abdi: So at Snap, I manage our access control and access employee management team, really trying to make sure that we only give employees permission to users' data and to other sensitive data that they need for their workflow. So I built out a team of engineers and product managers and program managers to really build this one-stop shop of really controlling how access is set up at Snap. So my day to day is really checking in with our engineers, making sure that the project is going forward, making sure that all of our stakeholders are kept up with our latest changes, if any, and really just making sure that their project is managed and working in the right direction.
Dave Bittner: Well, what are some of the challenges you and your team face? You know, running - at an organization with that kind of scale, what sort of things are you up against there?
Yasmin Abdi: Yeah, so some of the challenges that we face is, for our stakeholders, some people have differences of opinions on how certain things may go in terms of the project. So it's really just all in terms of negotiating, making sure that everyone's viewpoints are heard, making sure that the stakeholders are having their needs met, and really making sure that we're all on the same page and we can deliver the best solution and best services to our stakeholders.
Dave Bittner: And how are you coming at this from a technical point of view? What are the sort of design philosophies you all have adopted?
Yasmin Abdi: Yeah, so we're really big on reusing existing services and existing frameworks, guidelines and solutions that we have in-house, really not trying to reinvent the wheel here and use some existing products that we have just to speed up the time of development and implementation. So I would say that that's probably the biggest technical solution that we are trying to use here. Yeah, so I think in terms of the technical challenges that we face, there's a lot of new technology that's coming out every day, and just really trying to figure out how we're going to incorporate new technology with the existing technology that we use. And then in terms of some of the solutions that we have in-house, with all of these differences and technologies, really trying a way for them to all work together seamlessly.
Dave Bittner: And you all are implementing zero trust?
Yasmin Abdi: Yeah, so really limiting the amount of data and the amount of permission that's given to our employees, so really trying to prevent overexposure of data and really making sure that the appropriate data is given for the workflow. So because we do host millions of different pieces of user data and sensitive data, really trying to promote zero trust at the forefront and limiting access to services or to data sets that are not needed for certain workflows.
Dave Bittner: And how does that present itself from a practical point of view to your users, to your stakeholders, to be able to implement zero trust but not, at the same time, have too much friction so that they can't do their jobs?
Yasmin Abdi: Yeah, I think one of the biggest challenges with implementation of zero trust is just that. It does cause, maybe, an additional layer of requesting access and maybe another step in the access management life cycle. When we do only expose a certain level of data and a very, very, very small fraction of data to certain employees, if there's a use case or an edge case of an employee needing a certain data set, you have to go through a whole DIRA (ph) ticket process, and then it's just another layer of communication with their different teams and staff. So even though it is going to be an additional layer of request to get that access, at the end of the day, when you think about the bigger picture or the goal here, it's to keep our users safe, secure and their data private. So it's worth it. And we try to really understand each workflow and each data set that's needed for workflows. So that additional layer of request or that additional layer of access that would be needed to be approved by higher-up and level managers sometimes becomes a challenge. But for the overall goal that we have of really limiting amounts of data for only the workflow that you need is - that's the goal that we're trying to achieve.
Dave Bittner: And how do you measure success? How do you know that the things you're putting in place are being effective?
Yasmin Abdi: Yeah, I think our biggest measure of success is limiting data breaches, and those are probably the biggest ones here that we have. But I think we have audits - and we run these audits pretty frequently - and checking and fact-checking, hey, does this group of employees or this group of contractors, if we just type in their work title, what access do they have? So running periodic audits is a good measure of success in terms of seeing what really did these employees have access to, and just verifying that. And I think another thing is, when we do have, maybe, an employee's laptop compromised or a scenario where it is an incident, are we quickly able to revoke access? So I think the two things here is, can we quickly answer the question of what access do they have, and then can we quickly revoke it? And if that turnaround time is - Swann is, like, a couple seconds to do. Then I think that's a great measure of success for my team.
Dave Bittner: What about the cultural element and communicating with your team members, your colleagues there - you know, explaining what it is you're doing, why you're doing it, why it matters that they're on board with these policies?
Yasmin Abdi: Yeah, I think that communication in my team is one of the things that I appreciate and I look forward to the most. We all have a (ph) open-door policy, and there is no hierarchical positioning. So if someone has a suggestion or some feedback on how we are communicating or a pain point or they have some decision - technical decision or technical solution that they want to bring up, we really do listen, and we really take communication very strongly here. So I think that it's super important to have that open-door mentality and really understand that even if you're a junior and you just started and it's your second week, your opinion and your value does matter, and you have the ability and the autonomy to bring your solutions to the table, and we will discuss them and see how we can incorporate, implement them into the overall bigger picture that we have here at Snap and on my team specifically.
Dave Bittner: That's Yasmin Abdi from Snap and noHack.
Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, you and I have talked about a lot of the different elements of your area of expertise. But one thing we haven't touched on are pipelines. And I wanted to touch base on that today - just kind of get an overview from you of, first of all, how they work, how they're monitored and what are the concerns in that particular area.
Robert M Lee: Sure. And so, I mean, pipelines themselves are vital to any sort of country that's operating on - well, I mean, in general, that they're not just natural gas and fuel. There's a lot of sort of product that moves through pipelines these days. So in general, most countries have a necessity to have pipelines. And obviously that can be a contentious topic. You have to have the right-of-way. You have to be able to have the land rights to be able to build a pipeline. It's going to probably upset somebody depending where you go, the route you take, etc. But there's a lot more pipelines than people realize, and there's a lot more monitoring and care and thought on those pipelines than people tend to appreciate - everything from, especially in the United States, like, Environmental Protection Agency, or EPA, kind of monitoring.
Robert M Lee: There's a lot of data points across the pipeline in terms of how they're running it, how clean it is, making sure you're not putting off harmful emissions or product into the environment. That type of monitoring and reporting, the EPA is going to take data points and pass it back, usually, to a historian or some type of SCADA-like application. Disrupting that alone could make it completely unaffordable to run the pipeline. As an example, if you took down the ability to report to the EPA - for most companies, not being able to report to the EPA lands you pretty large fines, and those fines add up really quick to the point where it would be noneconomical to run the pipeline anymore. So there's all sorts of little pressure points, if you will.
Robert M Lee: But I think the big takeaway is, No. 1, the infrastructure itself - the focus on safety, the focus on how to thread the needle of doing it environmentally appropriate while understanding that inherently there's going to be challenges. There's just a lot of thought process with that. On the cybersecurity side, they're facing - most companies are facing - the exact same challenges as everyone else is, which is most companies around the world have invested very heavily in their IT security. And that's been a topic for years for CEOs and board of directors and governments on let's do cybersecurity critical infrastructure, not realizing that almost all of their investments are on the IT security side, not the OT security side. Obviously when you talk about those operations, technology or industrial control systems, that's the critical part of critical infrastructure and has largely been ignored with good reason. For a long time it wasn't connected up, and the risk profile was different. But now all that's changed, and people are trying to play catch-up.
Robert M Lee: So I think it's very fair to say that most pipelines are not where we want them in terms of security, but we have to balance that with, because things have changed, not as if they've just been bad operators or so forth over the years. So lots of different components that go into it. But if you think about it, they are complex networks of applications and purpose-built systems. Custom network protocols, different types of pipelines - you're going to have different types of considerations like gas compressor stations along the routes. There's just a lot of unique equipment and expertise in running one of those.
Dave Bittner: Can you help me understand it in terms of monitoring these systems because obviously they, you know, they exist over a large geographic area. Are we talking about, you know, sensors that are using cellular networks to report back their data and all of the pluses and minuses that go with that? And how has that evolved over time as the technology has come along?
Robert M Lee: Yeah. It used to you would have pretty analog-type systems not really connected up. Then we started seeing more cellular-type modems, VSAT-type communications, wireless, etc., maybe like an RF off of a local tower. We have started to see more IP-based networks and kind of fiber being run as it's been more affordable in those kind of situations. But by and large, any time you talk about industrial control systems over a wide area, you're in the lane of SCADA, right? So I think there's still a lot of folks out there that understandably, when they hear of industrial control systems, they associate that term with SCADA, or supervisory control and data acquisition.
Robert M Lee: But SCADA really only deals with kind of those large, wide area networks. If you're talking about more localized, like a plant, you're usually talking distributive control systems or DCS. Some type of manufacturing may not even have that. You'll just have program logic controllers or type of local control elements. But when you have a gas compressor station that has its control elements, when you have a pipeline control center that has its control elements, when you have pipelines across hundreds, if not thousands, of miles and all the control elements across it, that's when you introduce SCADA as kind of this above the local control, supervisory control that is there to make sure that the system of systems is operating as intended and that they maintain positive control in such a way to, of course, ensure safety and environmental sort of protection.
Dave Bittner: When you look at the current state of security with pipelines, where we stand today versus where - ideally, where we would like to be, how do you assess that?
Robert M Lee: Yeah. And again, I'm not trying to put down any of the individual companies we work with, some of them who are not sort of in this profile, but the majority of industrial infrastructure in the world - I wouldn't say the majority of the critical infrastructure, but the majority of the industrial infrastructure of the world - is simply not doing a lot of security. Again, things have changed. It's not that they're bad companies or whatever. But those changes now require people to do OT security. And you can't just take your IT security practices and copy and paste them into OT for a lot of reasons. Some folks will go, oh, yeah, 'cause the legacy systems. No, that's really not it. It can be a barrier. But the reality is, in IT security, you deal a lot with data security and system security. In ICS security, you deal a lot with systems of systems security and physics. And so if the attackers are operating differently, if the systems tend to be different, if the communications tend to be different, if the ways to achieve your goals tend to be different, if the impact is different, then you're probably not going to take the same security and copy and paste it over.
Robert M Lee: So people are trying to figure out what that means. I would argue that probably the biggest challenge for most companies is getting their network into a good place. So you'll usually see kind of some level of segmentation with, like, a firewall project or an SDN-type project, and then building out a more reliable network, and then kind of the very next thing that people will do is kind of turn the lights on in the house. Like, what do we actually have? Is the architecture what we actually think it is? That's the whole visibility and monitoring thing that people talk a lot about in the industrial space. And that then helps people understand kind of where to go, what to focus on, what the actual issues are.
Robert M Lee: Most pipeline companies, like many other companies out there, are not doing anything beyond the preventative work of, let's segment. Let's put firewalls. Maybe we'll do antivirus. It's understandable because if you look at the standards and frameworks and regulations out there, they do push very heavily on that prevention focus. But what happens is without the visibility, without the detection response, you end up having that prevention atrophy over the years, and you don't actually have the environment you think you have. Part of the problem for a lot of infrastructure owners is they spend quite a bit of time building out a reliable and resilient environment, but without that monitoring, without that understanding of it, it does atrophy over time, and you have less and less and less value out of that prevention until there's a tipping point, whether it be a state actor, ransomware or just random crap that can happen and take down a network. So I would say that pipelines are, you know, behind where we want them, behind some of the larger industries, but it's not a simple answer of why.
Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show is written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
