The CyberWire Daily Podcast 2.10.23
Ep 1758 | 2.10.23

US, RoK agencies outline DPRK ransomware. Reddit breached. ICS and IIoT issues. It’s almost Valentine’s Day. Have you noticed? (The hoods have.)

Transcript

Dave Bittner: U.S. and Republic of Korea agencies outline the DPRK ransomware threat. Reddit is breached. CISA releases six ICS advisories. Flaws are found in industrial IoT devices. Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo on autonomous SOCs. And it's almost Valentine's Day. Have you noticed? The bad guys have.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 10, 2023. 

US, RoK agencies outline DPRK ransomware threat.

Dave Bittner: DPRK state-affiliated actors have been observed targeting the health care and critical infrastructure sectors with Maui and H0lyGh0st ransomware as a means to extort money to further fund North Korea's national priorities, including cyber-espionage, SC Magazine wrote yesterday. The US Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency released a joint advisory discussing tactics, techniques and procedures of DPRK threat actors using ransomware attacks to target both nations' health care and critical infrastructure industry. They also suggest mitigations for victim organizations. 

Dave Bittner: NSA wrote that once the identity and location of the scammers are sufficiently hidden, the attackers will move to common vulnerabilities and exposures to overtake a victim network and release ransomware. The vulnerabilities most exploited by these malicious actors are the Apache Log4j software library, also known as Log4Shell, and remote code execution in various SonicWall appliances.

Reddit breached.

Dave Bittner: Reddit has disclosed that it sustained a data breach on February 5 after an employee fell for a phishing attack, BleepingComputer reports. Reddit said in a statement that an attacker set up a website that impersonated the company's intranet gateway and was designed to steal credentials and two-factor authentication tokens. After an employee fell for the ruse, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. The company added, "we show no indications of breach of our primary production systems, the parts of our stack that run Reddit and store the majority of our data." Reddit also hasn't found any signs that the attacker accessed user data. 

CISA releases six ICS advisories.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released six industrial control system advisories. Check out their website for the details. 

Flaws found in IIoT devices.

Dave Bittner: Earlier this week, researchers at Otorio discovered 38 vulnerabilities affecting industrial Internet of Things devices from four separate vendors. Three of the vulnerabilities affect ETIC Telecom's Remote Access server. Two of the flaws impact Sierra Wireless AirLink routers. And five affect InHand Networks InRouter302 and InRouter615. The rest of the vulnerabilities are still in the disclosure process. The researchers note that attackers can use publicly available apps, such as WiGLE, to identify these types of vulnerabilities, stating, "our scanning uncovered thousands of wireless devices related to industrial and critical infrastructure, with hundreds configured with publicly known weak encryptions." 

Romance scams rise as Valentine's Day approaches.

Dave Bittner: Not to be a downer or anything, but the most stressful day on the calendar shows up next week. Yes, Valentine's Day falls on Tuesday. And in addition to the nightmare vision of demure Cupid shooting arrows of desire from their bows of gold, you can expect romantic love itself to be turned against you. Yes, scammers have been observed participating in romance fraud campaigns as the Hallmark holiday of love nears. Scams have been seen targeting users of dating apps, utilizing pig butchering fraud techniques and increasingly using sextortion scams. The US Federal Trade Commission assesses the amount of sheer financial damage romance scams caused in 2022 at $1.3 billion, stolen from almost 70,000 individuals. And, of course, there's no accounting for the toll they took in sadness, humiliation, shame, despair and deeper loneliness. 

Dave Bittner: There's been some study of this in universities. Georgia State University released a study detailing the primary hunting grounds for fraudsters this season: dating apps. Fangzhou Wang, a doctoral student in the university’s Department of Criminal Justice and Criminology and the primary author of the study, says that she and her fellow researchers really wanted to take advantage of open intelligence data sources to find out what these fraudsters were doing that was so effective. The purpose is to identify patterns and uncover strategies that users can adopt to protect themselves. The research analyzed victims approached on popular social media sites or dating apps and sites. Emotional triggers are a common method these scammers have been observed using, manufacturing faux crises to extort money from victims. Movement away from dating apps to private email and messaging communications can also be a red flag, researchers report, often with pressure applied on the victim to make quick decisions. 

Dave Bittner: The indelicately named pig butchering scams are also expected to reach a culminating point around Valentine's Day. It's not surprising. Pig butchering is a long game. Scammers spend a fair amount of time cultivating their victims' trust. The marks are eventually pressured to invest in cryptocurrency or, in reality, an illegitimate website that will fill the pockets of the scammers with any money you may invest, as the Register wrote today. The Register goes on to report that European police in January saw the arrest of 15 malicious actors and the seizure of a multinational call center network that had funneled hundreds of millions of euros from victims shilling fake cryptocurrency, as well as the seizure of seven pig-butchering domains in the U.S. that put $10 million in the pockets of scammers. 

Dave Bittner: And it gets worse, albeit in another way that's completely predictable. The Register also reports the increasing risk associated with the exchange of not-safe-for-work photos, as sextortion scams have been escalating. These scams are defined by the threat of leaking the inappropriate photos to the victim's social media contacts unless victims pay. The primary demographic targeted in these campaigns are people aged 18 to 29, with more than half of the reports of sextortion scams last year noting social media as the primary method of contact. We know. We know. Swapping saucy selfies is a new courtship ritual, as Mr. Carlos Danger could tell you. But please, friends, show some restraint. Send chocolate or flowers and not selfies. 

The FTC is the Bureau d’Amour.

Dave Bittner: And finally, to return to the U.S. government, the Federal Trade Commission is displaying some unexpected expertise in matters of the heart. We'd always thought the U.S. government's experts in such things were, for the most part, found among Marine Corps aviators. Anyhoo, the FTC has tracked the top lies romance scammers tell, and they're an interesting but sadly familiar collection. Here they are, from least to most prevalent, with some extra comments from our Dating Desk. And yes, we do have one. These don't represent the opinions of the Federal Trade Commission or, for that matter, the U.S. Marine Corps' aviation division. 

Dave Bittner: First up, you can trust me with your private pictures. This brings up the rear at 3% and shows the unpleasant trend toward sextortion among the scammers. I'm on an oil rig or ship. Ahoy, love. This surprisingly specialized come-on made up 7% of the attempts. Tell Romeo to stay safely offshore if you get this one. With 7%, we see I've come into some money or gold. This one's a throwback, especially if the nominal author is a widowed Nigerian princess in distress. We've never met, but let's talk about marriage - 12% of the scammers are cold-calling for love. I need help with an important delivery. This accounted for 18%. Extra credit if it's from a Nigerian cabinet minister. I'm in the military, far away. The appropriate response to the 18% of messages that include this one would be good, stay there, and thank you for your service. I can teach you how to invest - at 18%, this one probably delivers some ROI to the scammers. And the most common lie at 24% is I or someone close to me is sick, hurt or in jail. This one seems particularly loathsome, with its attempts to take advantage of the mark's sympathy and better inclinations. Thanks to the FTC, by the way, for the advice. Read it and heed it, lovers everywhere. 

Dave Bittner: Coming up after the break, Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo with thoughts on autonomous SOCs. Stay with us. 

Dave Bittner: When's the last time you checked in with the folks running your SOC - I mean, really checked in with them? Security firm Devo recently published a report that found that 71% of SOC professionals responded that they are likely to quit their job with the top reasons cited as information and work overload, insufficient downtime, a lack of tool integration and alert fatigue. Kayla Williams is chief information security officer at Devo. 

Kayla Williams: In my very humble opinion, I feel that, up until now, that the one word that would describe the SOC is overworked, for sure. I think there's a lot of monotony in the way the SOC is run today. Too many companies - it doesn't matter the size - they're really bogged down with false positives and searching for alerts, and they're not able to really utilize their resources in a way that delivers value to an organization. So the aim of an autonomous SOC is to address that and to help supplement or augment the actual security operation center team that allows them to deliver value and really focus on providing risk management to their organization. 

Dave Bittner: What are the things that, you know, traditionally have kept a SOC team from really being able to provide, you know, the maximum amount of productivity and value? 

Kayla Williams: I think it's a couple things. First, there is no one individual or team that knows everything. So the attack surface continues to grow, sometimes by the hour, at certain organizations, and being able to stay on top of that and the technology that supports that growth is very taxing. And sometimes - I would even say it's exhausting. So that is one thing. And I think another thing is that they're being pulled in many directions. It doesn't matter how many people that are in your company's SOC; it's just a resource constraint to constantly have to shift and address priorities. As I said, the threat landscape changes, so you're having to pivot in one day or one minute or one hour. You can have something that is a Priority 1, then all of a sudden something else comes in, and it's - you know, that zero-day, all hands on deck, and having to stop what you're doing and pivot to address the risk. 

Kayla Williams: So by having a SOC that can be supplemented in a way that allows some of that monotony, some of that risk management to be put into an automated fashion will really help alleviate some of that panic, some of that anxiety around, oh, now I have to stop what I'm doing and pivot immediately. So that's kind of where I see that. 

Dave Bittner: You know, it reminds me of, you know, the fact that, when we travel and we fly, you know, from Point A to Point B, that it's likely that a good part of that trip is being handled by the autopilot. But most of us are comfortable with that, but we're not quite so comfortable with the idea of taking pilots out of that cockpit altogether, right? We like to know that at landing and takeoff, you know, the more critical parts of that journey are still going to have humans handling it and, indeed, overseeing the whole process. I'm curious. Is that an apt analogy in your view? 

Kayla Williams: Absolutely. I think that's great. I actually didn't even put that - the type of context onto this. But it's absolutely right. It's the same as the driverless cars, the autonomous cars that we have. They're still getting into car accidents because people aren't paying attention. They're just relying on the technology. I certainly don't mind having autopilot for my flights, as long as there's a pilot there if something goes wrong, you know? It's like the - when the flight in New York that landed on the Hudson because there was a variable that came into play. 

Dave Bittner: Right. 

Kayla Williams: Geese. And you needed to have... 

(LAUGHTER) 

Dave Bittner: Wretched creatures. 

Kayla Williams: Exactly. And you needed to have a pilot there who could navigate that variable that created a potential catastrophe. And having that oversight of, you know, Captain Sully, I believe was his name... 

Dave Bittner: Yeah. 

Kayla Williams: ...Having his ability to think quickly saved lives that day. And I'm not saying that a SOC is going to save lives someday. I'm not trying to, you know, draw that close of a correlation between the two scenarios, but having the ability to have eyes checking the homework, if you will, checking to make sure that the processes that they've designed are operating fully and accurately, is very important to ensure that you don't have a crash or, in this case, an incident. 

Dave Bittner: So what are your recommendations, you know, for organizations who want to explore this? How do they get started? How do they see if it's a good fit for them? 

Kayla Williams: I think the first step is ensuring that you have documented standard operating procedures and reviewing them and making sure that it's something that could be put to a machine's use. Of course, as I said before, having someone kind of check that homework and reviewing it - sure, it's - you know, it's checking your own homework, but it's still - having someone review it to make sure that it can be put into this use case of autonomous SOC - it'll pay off dividends. And, of course, even if you decide later on that it's not something that you could move into just yet, you're going to have a better product at the end because you're going to have documented steps that you can go back and repeat over and over again. 

Dave Bittner: That's Kayla Williams from Devo. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf. Dinah, it's always great to welcome you back to the show. I want to touch base with you. I saw you and your colleagues there at Arctic Wolf had a blog post recently about improving your security posture at your home. I think this is something worth visiting here. What do you got to share with us today? 

Dinah Davis: Yeah. I mean, we often think about hackers trying to come at a company, like, through company resources, right? But they're really going to try from every angle possible. And one popular way that they've been making progress is through people's personal accounts, right? So even if we look at the May Cisco breach, the hacker there gained access to the employee's personal Google email account. This was really interesting. It wasn't just that they, like, reset passwords and stuff, but once they did that, they were able to get into their Chrome browser password store and extract all the passwords from there, one of which was really bad, which was the VPN access to their work, which, like - people, your VPN access, any work password, should never be in a personal password store anyway, full stop. But, again, this is why maybe using a Chrome browser or the Safari key password store is not a great idea. Having things separated makes it harder. 

Dave Bittner: Well, let's go through some of the things that really caught your eye here. What are some of the ones that rise to the top of your attention? 

Dinah Davis: So you want to use VPNs as much as possible, right? So if you're at home, in a coffee shop or anywhere that is not the office, you could be subject to a man-in-the-middle attack, which is when somebody is able to pretend they're actually your home Wi-Fi or your - the coffee shop Wi-Fi and give you access to the internet through that but see everything you're typing. So if that happens, if you're using a VPN, what a VPN is going to do is encrypt all the data going through. And so even if you are in the middle of a man-in-the-middle attack - wow, that's some inception right there - you're going to be fine, right? So that's - those are really important. Also using MFA, multifactor authentication - right? - so even if they got his whole password store, if he'd have had MFA or a second-factor authentication, it still would have been hard for them to get in, right? 

Dave Bittner: Right, right. I remember seeing a study from Google. It was probably a year ago now, where they said that people who put MFA, like, on their Gmail accounts don't get hacked. Like, it wasn't, like, 90%. It was, like, 100%. It - if you have a hardware key, you're probably good to go. 

Dinah Davis: Yeah, because, like - OK, I liken it back to when I grew up - I grew up in Winnipeg, Manitoba, Canada, and it happens to be the car-theft capital of Canada, or it was in the '90s. Let's put it that way. I have no idea if it still is. 

Dave Bittner: OK. 

Dinah Davis: OK. 

Dave Bittner: Right. 

Dinah Davis: And so what we used to do is - like, we had this thing called the club, and it was, like, this metal bar that you put across your steering wheel, and you locked it, and it made it so you couldn't turn the wheel. So even if they hotwired your car, they couldn't turn that wheel. Now, could they... 

Dave Bittner: Right. 

Dinah Davis: ...Still get that off with, like, a massive saw or something like that? Sure they could. But if they're going down the street, looking into the driver's seats of all the cars, the ones with the clubs aren't going to get hit because it's just too much work. 

Dave Bittner: Right. 

Dinah Davis: And I think that's the same... 

Dave Bittner: Right. 

Dinah Davis: ...Principle that's happening when you put MFA on your accounts, right? You've made it harder. Unless they really, really want you for a very specific reason, they're not going to bother, right? Here's a good one that I failed at recently. Secure your physical devices. So that means do not leave things on airplanes. 

Dave Bittner: I feel like there's a story here. 

Dinah Davis: Yeah, I might have just done that recently. It was very annoying. 

Dave Bittner: (Laughter) Oh, no. Oh, no. 

Dinah Davis: If you leave it on an airplane while it's in airplane mode, it's (laughter) very hard to get to. But here's a good thing to do - make sure you set up that emergency contact on the front of the phone because it will turn your - the airplane mode off when they call you for 24 hours, and you can get the device wipe and find your phone, Google or iPhone, in there. So it does happen. I wasn't worried when I lost my phone because I have all the passwords set. I have MFA on my Google accounts. I was able to reach my phone and security wipe it. So it's not an issue, but it's still not something I would have liked to do. In the future... 

Dave Bittner: Yeah. 

Dinah Davis: ...I don't think I'll ever do that again. But when you're running for a connection, sometimes, it's easy to misplace some things. 

Dave Bittner: Yeah. Leave that in that pocket in the front of the seat next to you. I mean, it brings up a good point that I've heard people say when you're traveling, which is not to put all of your electronic eggs in one basket. In other words, you have your mobile device, and it gets lost, you need to have another device to be able to go and try to change whatever settings you need to on that original device. 

Dinah Davis: A hundred percent. So, you know, I was able to log into my computer, that I also had with me, and, you know, get the device wipe. And then, you know, until I got my phone back, I was able to use my iPad for the keystore. Like, I was so happy that I had an authenticator that backed up into the cloud. So, you know, like, Google Authenticator - I use a different one. I... 

Dave Bittner: Right. 

Dinah Davis: ...Use the one that LastPass uses. 

Dave Bittner: Yeah. 

Dinah Davis: And so you can back it up into your LastPass account. I'm very careful not to use the same, like, password keeper app, so I use 1Password for my passwords and LastPass for my authenticator. So they're in two separate systems entirely. But I was able to, you know, pull that all up on my iPad and relive. So I've had - I had very little disruption to my life, other than not being able to receive text messages while the phone was lost and, you know, kept going. And I wasn't really worried. 

Dave Bittner: All right. Well, good tips, for sure. Dinah Davis, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at thecyberwire.com/sponsor. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Pascal Ackerman from GuidePoint Security. We're discussing his work on discovering a vulnerability in the integrity of common HMI client-server protocols. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.