The CyberWire Daily Podcast 2.8.23
Ep 1756 | 2.8.23

An ICS update from CISA. Ransomware notes: LockBit, Clop, and ESXiArgs. Vulnerability in Toyota’s GSPIMS. Two new Russian cyberespionage efforts hit Ukraine. And a direction for US privacy policy.


Dave Bittner: CISA releases an ICS security advisory affecting a smart facility system. LockBit threatens to release Royal Mail data tomorrow. Cl0p ransomware expands to Linux-based systems. A vulnerability is identified in Toyota's GSPIMS. There's an ESXiArgs update. New trackers and mitigation tools are available. Russia is running two new cyberespionage campaigns against Ukraine. Our guest is Roya Gordon from Nozomi Networks to discuss the ICS threat landscape. And The Washington Post's Tim Starks provides analysis on last night's State of the Union.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 8, 2023. 

CISA releases an ICS security advisory.

Dave Bittner: We begin with a quick note for operators. The U.S. Cybersecurity and Infrastructure Security Agency has released an industrial control system advisory for EnOcean SmartServer, which is mostly used in smart building, smart city and smart factory settings. Users should check their systems for vulnerable instances and apply the necessary updates and mitigations in accordance with the vendor's instructions. 

LockBit threatens to release Royal Mail data tomorrow.

Dave Bittner: According to Computing, the LockBit ransomware gang has run out of patience. The gang says it will release the data it took from the Royal Mail tomorrow if its ransom demands aren’t met by then. Reuters reports that Royal Mail doesn't believe the stolen data contains any sensitive financial or personal information, which may be why the Royal Mail has, so far, hung tough on paying the ransom. 

Cl0p ransomware expands to Linux-based systems.

Dave Bittner: SentinelOne reports that the operators of the Cl0p ransomware have expanded the scope of their operation to include Linux systems. The executable and linkable format variant - that's ELF - is out and active in the wild. There's good news as well, however. The ELF executable contains a flawed encryption algorithm, making it possible to decrypt locked files without paying the ransom. And bravo, SentinelOne, which has made the free decryptor available.

Vulnerability identified in Toyota's GSPIMS.

Dave Bittner: Security researcher EatonWorks claims the ability to breach Toyota's global supplier preparation information management system, GSPIMS, which the company uses to manage its global supply chain, BleepingComputer reports. EatonWorks explains that any user could be logged into just by knowing their email, completely bypassing the various corporate login flows. And they were able to gain full access to internal Toyota projects, documents, and user accounts including user accounts of Toyota's external partners and suppliers. The researcher found that the user service would generate a JSON web token after simply entering an email address with no password. JWTs are session tokens used to validate authenticated users. They logged in by guessing a Toyota employee's corporate email address, then used this access to discover employees with more access. EatonWorks eventually gained full control over more than 14,000 users as well as access to thousands of confidential documents. EatonWorks responsibly disclosed this issue to Toyota, and it was patched in November 2022. They note that they weren't offered a bug bounty for their efforts. 

ESXiArgs update: mitigation tools are made available.

Dave Bittner: We've heard a lot over the past week or so about the old and, we stress, patched, issue in VMware's ESXi product. And the news continues to come. CISA and SecurityScorecard have both developed tools to mitigate and track attacks by ESXiArgs ransomware. CISA has released a script that can, in some cases, rebuild virtual machines from flat files and recover data encrypted by ESXiArgs. BleepingComputer explains that the ransomware failed to encrypt flat files where the data for virtual disks are stored. CISA itself advised that the script was prepared on the basis of work by third-party researchers. SecurityScorecard has published a report looking at potentially vulnerable ESXi servers and cases in which these servers have recently communicated with malicious IP addresses. They state, the IP address that appears most likely to reflect an attempt by a ransomware group to exploit this vulnerability is They add that it not only appeared in all three of the ESXi traffic samples collected in response to the recent advisories, but also appeared in multiple previous STRIKE team ransomware investigations. So continue to check your systems and update them as appropriate. 

New infostealer deployed against Ukraine.

Dave Bittner: Turning to Russia's war against Ukraine, researchers at Symantec have discovered a new Russian infostealer deployed against targets in Ukraine. They state, the Nodaria espionage group, also known as UAC-0056, is using a new piece of information-stealing malware against targets in Ukraine. The malware, Infostealer.Graphiron, is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots and files. In addition to being called UAC-0056, Nodaria has also been known as SaintBear, UNC2589, and TA471. 

Dave Bittner: Symantec doesn't link Nodaria with any specific Russian intelligence or security service, but they do say it's been active at least since March of 2021. Nodaria has specialized in collecting against Ukrainian organizations, with possibly some work against Georgia and Kyrgyzstan, so call it an organization that's been active against the former Soviet republics of the near abroad. Its most prominent action has, so far, been the WhisperGate wiper attack that hit Ukraine in January 2022. Nodaria's typical attack technique begins with spear-phishing emails that deliver a range of malicious payloads to the targets. 

Dave Bittner: Wherever Nodaria fits into the Russian services' organization charts, Symantec thinks the group's range and level of activity probably makes it one of the key players in Russia's ongoing cyber campaigns against Ukraine. 

CERT-UA warns of Remcos used in Russian cyberespionage campaign.

Dave Bittner: CERT-UA has issued a warning that Russian cyber-espionage operators are using the legitimate remote management tool Remcos to establish a remote surveillance presence in its targets' systems. It's a phishing expedition that casts a broad net, with a mass distribution of emails, supposedly from JSC Ukrtelecom, with the subject raising the threat of a court claim against the recipient, and an attached RAR file that is surely up to no good. CERT-UA attributes the activity to a threat actor it tracks as UAC-0050. 

The cyber State of the Union.

Dave Bittner: And finally, last night, U.S. President Biden delivered the annual State of the Union address before both houses of Congress, members of the Supreme Court and everyone else in the galleries, as well as those watching on TV or from, like, any passing Chinese spy balloons. Connoisseurs of the presidential address genre found it surprisingly light on cybersecurity, but there were some points made that suggest the likely direction of U.S. cyber policy over the coming year. The president singled out, in particular, the challenge of enhancing online privacy and the importance of protecting children from exploitation by big tech. The president said there should be clear and strict limits on the ability to collect, use, transfer and maintain our personal data, especially for sensitive data such as geolocation and health information. And the burden must fall on companies, not consumers, to minimize how much information they collect. 

Dave Bittner: The speech augurs continued tough scrutiny for big tech, and President Biden named the target as such, asking Congress to pass bipartisan legislation to stop big tech from collecting personal data on kids and teenagers online, ban targeted advertising to children and impose stricter limits on the personal data these companies collect on all of us. So U.S. regulatory policy may assume a more prescriptive form in 2023. 

Dave Bittner: Stay tuned for my conversation with Tim Starks from The Washington Post's Cybersecurity 202 and his analysis of the speech. 

Dave Bittner: Coming up after the break, our guest is Roya Gordon from Nozomi Networks discussing the ICS threat landscape. The Washington Post's Tim Starks provides analysis on last night's State of the Union. Stay with us. 

Dave Bittner: Nozomi Networks recently published an OT/IoT security report titled "A Deep Look Into the ICS Threat Landscape." Roya Gordon is security research evangelist at Nozomi Networks. 

Roya Gordon: I do want to talk about a new part of the report that we added that hasn't been in any of our reports, and I think it's a big game-changer. So of course, we talk about the overall threat landscape. We talk about some statistics from our honeypots - you know, what they've collected from malicious IoT botnets. We talk about ICS-CERT advisories, and we do analysis on those. 

Roya Gordon: But what we're sharing now that we haven't shared before are insights into our customer environments - so, you know, Nozomi Networks' technology that secures OT and IoT - and to kind of see what are the types of alerts our customers are getting. What are the types of intrusions? What are the types of malware that's targeting these environments? I think that's very beneficial for other critical infrastructure organizations to know. And, yeah, that's kind of, like, the most exciting part about this report because, again, we've never shared this, and now we're able to. Obviously, these are customers that volunteer for us to share this information anonymously. But again, I think that's the best part of this report. 

Dave Bittner: Well, let's go through some of the details there. What are some of the things that your customers have been tracking? 

Roya Gordon: Yep. So there's a lot of different types of alerting that can go on in an IT/OT environment. And we try to catch all of them - right? - because maybe not everything is indicative of a cyber attack. So there's alerts on clear-text passwords, weak passwords. You know, these are things we like to alert customers on because this is how, you know, threat actors access environments. So if they get in and they're stealing information, if you have clear-text passwords or weak passwords, they could use this to their advantage. But there's other types of alerts, like TCP SYN flood, you know? And that's where the threat actor will flood a server with connection requests. That's indicative of a denial-of-service attack. There's different types of man-in-the-middle attack alerts, UDP flood, which is essentially the same thing, anomalous packets. So while there are possibly alerts that could be just legitimate employee error, that coupled with other alerts could be, you know, indicative of - there's some malicious intent going on here. 

Roya Gordon: So we have all of the numbers over the past six months. So you can kind of put it into perspective of, for OT environments, how many of these types of alerts organizations are seeing. And I think people can look at this and say, hey, it looks like there's a lot of man-in-the-middle attacks on critical infrastructure, or this TCP SYN flood thing is a pretty big deal. Let's see how we can remediate that. So that's just one type of, you know, information that we shared. The other one is most commonly detected malware categories. And this is where we get into trojans and remote access tools and DDoS malware, and are they targeting IT, IoT and OT? And that gets pretty interesting. And, you know, we have those numbers in our report as well. 

Dave Bittner: Are there any items here that were particularly surprising or unexpected that you were able to uncover? 

Roya Gordon: In the threat landscape part - you know, we talk about, you know, attacks on transportation and health care, but I think the biggest trend that stood out is hacktivists are now launching disruptive cyber attacks. So I've, you know, been in this field for a while. And every time we would look into disruptive attacks, the first threat actor we would look at would be a nation-state. You know, they're acting on the behalf of Russia, China, you know, Iran. And then, we noticed that ransomware threat actors - you know, financially motivated threat actors - they were launching disruptive attacks. And even though the motives are different, you know, the impact is the same. So a ransomware threat actor - they don't really care. They just want money, while a nation-state threat actor is acting on the behalf of another country. But now, we're noticing that hacktivists, who traditionally did, like, data breaches and denial-of-service attacks - they're getting on the train of causing disruptive attacks on critical infrastructure. And I've seen that more now, in 2022, than I have in previous years. 

Roya Gordon: And there's a couple of reasons for this. I've been getting asked this - like, well, why are hacktivists changing their tactics? Well, the availability of tools on the dark web - you know, so you no longer have to be super technical. You can just purchase network access and then purchase wiper malware and deploy it. And it's pretty easy. It's easily accessible, but the other reason is because these types of attacks make a bigger statement in the media, and that's what hacktivists want. They want awareness for their cause, awareness of why they're doing it. And if they're disrupting a train system, obviously that's going to get them the media coverage that they're looking for. So kind of bracing myself to kind of see what these hacktivists do in 2023. 

Dave Bittner: Well, based on the information that you've gathered here, what are your recommendations for organizations to best defend themselves? 

Roya Gordon: Yep. So I always tell people - everyone, you know, when it comes to critical infrastructure, they want some super secret sauce recommendations. And a lot of the times, it's like, no - things that you should have already been doing to secure your IT - you just got to keep doing that. If you look at a history of a lot of disruptive attacks, it was threat actors stole credentials because no one was monitoring if the employee was still working at the company or not or still needed that access. So, you know, access controls or not changing default passwords and default credentials, which - that's another part of the report where we actually have a list of credentials that malicious threat actors are using to access IoT devices. So make sure you're changing that. Make sure that you're keeping up with patching. And of course, we know it's difficult in OT environments to do that, but there's a lot of workarounds that you can implement while waiting for a patch day. But, again, it's important to patch. 

Roya Gordon: It's important to check logs. There are some tactics that these threat actors are using that's kind of living off the land. So they're using techniques that's going to - it's going to kind of blend in with normal activity to where you may not get an alert. But if you're checking logs, then maybe you'll notice something is off. So, you know, there's a lot. Obviously, threat intelligence - you have to know what IOCs you should be tracking, what's associated with malicious activity. So there's a lot of things that organizations can do to protect themselves from these threats. 

Dave Bittner: That's Roya Gordon from Nozomi Networks. The research is titled "A Deep Look Into the ICS Threat Landscape." You can find a link in our show notes. 

Dave Bittner: And joining me once again is Tim Starks. He is the author of The Cybersecurity 202 over at The Washington Post. Tim, it's always great to welcome you back to the show. 

Tim Starks: Good we do this. 

Dave Bittner: (Laughter) So last night was the State of the Union from President Biden - always a chance for him to roll out plans and aspirations for the coming year. Before we dig into some of the cyber stuff that did or did not happen, what was your overall take on the State of the Union? 

Tim Starks: You know, it was a - if we're just talking about the generalities of it - the, you know - it was a pretty passionate speech by some standards of the ones that I've seen over the years. And, you know, there was a little bit more call and response than we've seen in past years. I mean, others have pointed it out that it wasn't that long ago that someone could get censured on the House floor for having called the president a liar during a State of the Union, and now it's kind of the norm. So it was a pretty substantial speech and pretty well delivered, I thought. You know, he's obviously taken a lot of criticism over the years for his age and how he stammers in places. There was some of that. But for the most part, it seemed like a pretty solid speech to me. 

Dave Bittner: Yeah, I would agree, and it overall seems to be getting fairly solid marks. Well, so let's dig into the cybersecurity aspects here - what was said and what was not. 

Tim Starks: Yeah, so he did not directly use the word cyber. And one of the things that was an interesting feature that my Washington Post colleagues did recently was words that Biden has spoken in speeches that no president had before. And he was the first to use the word cybersecurity. But if you go back a little further, you know, there were other presidents who have talked about cyber. This time, he did not use that phrase. He used it in 2021. He did not talk about cyber in 2022 either. So from that standpoint, there were some folk who were disappointed on all sides of the political spectrum that he didn't go directly at that. The fact of the matter, though, is that some of these things that are - you know, I use the phrase cyber adjacent a lot. Data privacy is - you know, it's kind of cybersecurity. As one of the people I spoke to pointed out, you know, when you're talking about things that Biden said about not collecting massive amounts of information or not keeping it for very long, that poses a cybersecurity risk when you have that material because that creates a target for hackers. So that was one example. You know, obviously, the kids' privacy was an emphasis, but he also talked about general privacy... 

Dave Bittner: Right. 

Tim Starks: ...Issues. I suppose if you wanted to stretch even a little further, you could point to the mentions he had of identity theft as it pertained to COVID-19 checks. As it - and then, you know, a little bit of China - we're going to stand up for our sovereignty - which was largely a reference to the spy balloon. But you could, you know, like I said, stretch it and say that was somewhat cybersecurity related. 

Dave Bittner: Yeah. It was interesting to me, the emphasis on protecting the privacy of children. I mean, I suppose, when it comes to political rhetoric, that's kind of a - it's a layup, you know? Protect our kids. And so to come at it from that angle - I guess not surprising, but, at the same time, interesting emphasis. 

Tim Starks: It is. I think if you - you know, as someone who often has blinders on for cyber only in the news, sometimes I don't read about a lot of other things that are going on in the world. But I have read a good amount of - you know, a good amount about and talk to people occasionally about, you know, this kids' online privacy issue. And it's been a long-running problem, where Congress has been wanting to revisit it and hasn't quite been able to get over the finish line on some things. So it's in the news a fair amount. Certainly, when you hear about the debates about TikTok, you know, one of the big levers on that is people worrying about what that is going to do to the minds of children. 

Tim Starks: So if you're talking about privacy - you know, if you're talking about it from the perspective of the right, there's obviously been a lot of discussion about this idea that pedophiles are widespread, and that there's this grooming issue. If you - then, you also can look at it from the perspective of the debate over encryption. You know, one of the things that people have been concerned about is the spread of - I'm trying to remember the modern terminology - child exploitation material... 

Dave Bittner: Right. CSEM. 

Tim Starks: Child sexual exploitation material. 

Dave Bittner: Yeah, child sexual... 

Tim Starks: Yeah. 

Dave Bittner: Yep. Yep. 

Tim Starks: Yeah, I think that's the right - I might have said it wrong. But that phrasing is something that I think people on both sides of the aisle are concerned about. But then, when you get into encryption and the big social media platforms wanting to, you know, not make a lot of what they're - they want to protect the privacy of their people. And it raises this kind of twin privacy debate, where you're getting into, well, if you have too much encryption, then, you know, the privacy - the things that are happening to children - you know, the government can't get at it. And then, of course, you have the other side, which is saying, if we don't have encryption, then we're - you know, we're not - we're opening the door to too much government intervention on everything - not just the children's issue. 

Dave Bittner: Yeah. As I was listening to the speech - and, again, you know, the things that he didn't say, the fact that cyber was not really front and center, I wonder if that's a little bit of a - not necessarily so much as a wake-up call, but a reminder to properly calibrate ourselves when it comes to folks who are in the cyber world that, when it comes to these dinner-table conversations, that perhaps these issues aren't as front-and-center to most folks as we sometimes think they are. 

Tim Starks: I think that's certainly possible. You know, one of the things I was talking to people about earlier this week with the Chinese spy balloon - you know, that this thing, however capable it was, has not been able, probably, to snag a fraction of the information about U.S. citizens that Chinese hackers have over the years. And there's a different way that people tend to look at cyber versus the way they look at things that are more physically, obviously tangible. But what's interesting - you know, I think I was looking at a poll that the Chamber of Commerce did not that long ago, where they were talking to people about digital issues. And No. 1 was cybersecurity, and No. 2 was privacy. So I - it sometimes can be hard to get a sense of calibrating what is truly important to people versus what we perceive as important to people versus what we perceive as understandable and relatable. And I think that's all in the mix of what happened here. You know, one of the people I spoke to for the story said, you know, the State of the Union is something of a performance. And if you're not of the mind that you're reaching an audience that is very concerned about an issue, then you're not going to perform that song. So we didn't get the cybersecurity song this time. Maybe that is one of the reasons. 

Dave Bittner: Yeah. All right. Well, Tim Starks is author of The Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.