The CyberWire Daily Podcast 7.6.23
Ep 1857 | 7.6.23

The Port of Nagoya continues its recovery from ransomware. Charming Kitten ups its game. Spyware in the Play store. Risks to electrical infrastructure. And a quick update on hacktivist auxiliaries.

Transcript

Tré Hester: LockBit 3.0 claims responsibility for Nagoya ransomware attack. A Charming Kitten sighting. Spyware-infested apps found in Google Play. Threats and risks to electric vehicle charging stations. Solar panels and cyberattacks. Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, about CISA's efforts for companies to build safety into tech products. Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. And hacktivist auxiliaries remain active in Russia's hybrid war.

Tré Hester: I'm Tré Hester filling in for Dave Bittner with your Cyberwire intel briefing for Thursday, July 6th, 2023.

LockBit 3.0 claims responsibility for Nagoya ransomware attack.

Tré Hester: The port of Nagoya resumed some container operations Thursday as it restored normal services in the course of recovering from Tuesday's ransomware attack. Bloomberg reports that five terminals are returning to operation. The Japan Times quotes the Nagoya Harbor Transportation Association as saying that LockBit 3.0, the well-known Russian ransomware gang, has issued a ransom demand, thereby claiming responsibility for the disruption. Tech Monitor notes that LockBit 3.0, a ransomware-as-a-service (RaaS) gang, has been unusually active over the past week. Its other victims include Taiwanese chip maker TSMC, as well as a range of organizations in the Netherlands, Spain, Canada, and the United States. The amount LockBit 3.0 has demanded remains unknown.

Charming Kitten sighting.

Tré Hester: Proofpoint researchers have been tracking the Iranian threat group TA453, also known as Charming Kitten, and have observed it deploying Mac malware and replacing malicious Microsoft Word macros with [inaudible] infection chains. The approach begins with patient social engineering, contacting targets with benign emails. The hook is set only later. Proofpoint explains in its conclusion that TA453 continues to significantly adapt its infection chains to complicate detection efforts and conduct cyber espionage operations against its targets of interest. The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters. TA453's willingness to port malware to macOS also demonstrates how much effort the threat actor is willing to put into pursuing targets. Regardless of the infection method, TA453 continues to deploy modular backdoors in an effort to collect intelligence from highly targeted individuals.

Spyware-infested apps found in Google Play.

Tré Hester: Pradeo has notified Google that its researchers have discovered two malicious apps in Google Play. Both of them represent themselves as file management tools, and both of them serve as spyware. They launch without user interaction, and they send [inaudible] data to servers in China. They look legitimate. They run unobtrusively, and they're difficult to uninstall. The two apps between them have a million and a half downloads, and the data the apps collect and transfer include the user's contact list from the device itself and from all connected accounts such as email and social networks; media compiled in the application, meaning pictures, audio, and video contents; real-time user location; mobile country code; network provider name; network code of the SIM provider; operating system version number, which can lead to a vulnerable-system exploit like the Pegasus software did; and device brand and model.

Threats and risks to electric vehicle charging stations.

Tré Hester: Electric vehicle charging stations are arousing concern about potential vulnerabilities that could have a larger impact than just the particular station or the car that's charging there. An article in Wired describes the potential impacts of vulnerabilities affecting electric vehicle charging stations. Ken Munro, a cofounder at Pen Test Partners, told Wired that his top concern was with vulnerabilities that could allow attackers to stop or start chargers en masse, which could destabilize electricity networks. Munro said, "We've inadvertently created a weapon that nation states can use against our power grid." Munro says legislation in the United Kingdom could serve as a model for lawmakers in the US. The UK requires EV charging stations to have a randomized delay functionality of up to 10 minutes, which would mitigate the impact of thousands of charging stations turning on at the same time. Munro also stated that you don't get that spike, which is great; it removes the threat from the power grid.

Solar panels and cyberattacks.

Tré Hester: Other electrical technologies are also susceptible to cyberattack. SecurityWeek reports that hundreds of instances of the solar power monitoring product Contec SolarView are still affected by an actively exploited vulnerability described by Palo Alto Networks last month. An exploit for the vulnerability (CVE-2022-29303) has been public since May 2022. Researchers at VulnCheck found 600 SolarView instances exposed to the Internet, 400 of which are vulnerable. VulnCheck states, "When considered in isolation, exploitation of the system is not significant. The SolarView series are all monitoring systems, so loss of view is likely the worst-case scenario; however, the impact of exploitation could be high depending on the network the SolarView hardware is integrated into. For instance, if the hardware is part of a solar power generation site, then the attacker may affect loss of productivity and revenue by using the hardware as a network pivot to attack other ICS resources."

Hacktivist auxiliaries remain active in Russia's hybrid war.

Tré Hester: And finally, turning to the cyber phase of the hybrid war Russia has launched against Ukraine, OODA Loop has an overview of non-state actors' recent cyber operations in the war. Hacktivists operating in the Ukrainian interest have devoted some attention to interfering with Russian rail traffic. The rail operator RZD disclosed yesterday in its Telegram channel that its website and mobile app had been taken down by a cyberattack. The Ukrainian IT Army claimed responsibility. Belarusian dissidents have also been active. The Belarusian Cyber Partisans claim to have successfully intruded into the systems of the Belarusian State University, wiping systems and shutting down domain controllers. The university acknowledges having problems but denies having come under a cyberattack. Its problems are due to technical issues, the university says. Pro-Russian hacktivist auxiliaries have also stayed busy. NoName057(16)'s [inaudible] project is directed against Ukraine and that country's supporters in the West. It also hit one domestic victim, Russia's Wagner Group, as [inaudible] weekend mutiny was under way.

Tré Hester: Coming up after the break, Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, about CISA's efforts for companies to build safety into tech products, and Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. Stick around.

Tré Hester: In another episode of our continuing series of interviews that our N2K colleague Rick Howard gathered at the recent AWS re:Inforce conference, Rick speaks today with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. Here's Rick.

Rick Howard: The Cyberwire is an Amazon Web Services media partner, and in June 2023, Jim Ivine, the Cyberwire's senior producer, and I traveled to the magical world of Disneyland in Anaheim, California, to attend their AWS re:Inforce conference and talk with senior AWS leaders about the latest developments in securing the Amazon cloud. I got to sit down with Clarke Rodgers. He's a director on the enterprise strategy team at AWS, and we got to talking about one of the perks of being a CISO: the old CISO dinner roundtable format. This is where security vendors organize an intimate dinner, usually at some swanky restaurant somewhere, and invite a handful of CISOs and other kinds of infosec practitioners and thought leaders to gather around a good meal and, in a Chatham House kind of way, talk about the mutual problems that we all face in the industry. Meaning that whatever is said at the dinner table stays at the dinner table. More importantly, CISOs can talk about successes and failures that they've had, and others can learn from their experience. Out of all the things I do to stay current in the cybersecurity industry, the CISO dinner is one of the things that I find most valuable. I asked Clarke about the AWS version of this kind of event.

Clarke Rodgers: The program is actually called the CISO Circles. How can we get CISOs together to talk about issues that are common amongst all of them, and then how can we help find solutions for them? So, it could be something as simple as maybe we need to build a service that would help them with whatever the issue is, or maybe they need to discuss it amongst themselves for best practices. So, it started in November of 2020. We've gone year over year adding more and more of them, and now it's a global program. And what's really interesting, especially as I look at it as a former customer, I used to be on the other side of that CISO desk, where, hey, come here, hear all about what CISOs were doing or, "Here's our new security product," or whatever the case may be, and it ends up always being at a very nice steakhouse.

Rick Howard: Yes, of course. It's one of the perks of being a CISO.

Clarke Rodgers: It's a very nice steakhouse. There's usually a very flashy, well-done presentation about whatever product or thing that's going to save your day from the bad and evildoers out there. And more often than not, you walk away with a bit wider waistline, a little higher cholesterol, but you didn't really get anything out of it, right? There was very little time for networking. You were the product almost at that point, just being sold to. So, the counter to that is the CISO Circles, where we listen to our customers and say, "What do you want to talk about?" We also gather data from the attendees. What worked? What didn't work? What would you like to hear next time? So, we have a laundry list of different topics that we get from people, and then that helps set up the next CISO Circle. It's run under Chatham House Rule, so anything that you say in there can be used by your peers that have learned from you. They just can't attribute it directly back to you. So, it's a safe space. They didn't mind that there wasn't a 14-inch steak. They were happy with the turkey sandwich and the soft drinks, but they walked away having learned something. They've learned something. They've made friends. They've made connections, and they're going to meet up again at their respective cohorts, and it's really a fantastic opportunity for customers.

Rick Howard: I used to do a bunch of these in a previous life, and I have some definite rules for how you do them too. We kept the steak, because you don't get to look like this without the steak dinner, but the room had to be perfect, right? It had to be big enough to get everybody around the table so that you could all see each other. U-shape or a circle. It couldn't be really long, and the room had to accommodate all of that. You had to be able to turn the music off from the restaurant so you could actually talk. So, that was a key ingredient. And there was always one conversation. When I was doing them, I would mediate, and I would refuse to let the table break up into smaller parties. We eliminated the panels. No presentations. Nothing like that. It was just the discussion. I found more value in that than most of the things I ever did with other CISOs. It was just fabulous. But I do have a story. Sometimes CISOs are shy. They don't want to talk until you break the ice. So, when that would happen, I was doing these back when the Snowden thing was a big deal. So, I would just drop on the table, "Snowden: traitor or patriot. Discuss." And that usually set the world on fire.

Clarke Rodgers: Fortunately, we have a good group of CISOs, and they all have opinions on things.

Rick Howard: That is true.

Clarke Rodgers: So, we don't have to throw the Snowden bomb in the room. Yesterday specifically we had a panel on a very popular topic with folks, and that's security and AI, right? So, we had some AWS employees who just happen to have Ph.D.s in artificial intelligence. So, they really laid the groundwork for what it is and what it's not and how to think about large language models, et cetera. So, as you can imagine, that was quite a robust discussion around that. The next session I actually ran, and I brought in two leaders within AWS security to talk about how they operate their own security programs. So, a lot of good feedback asking those questions about how does AWS do it. And in one case we had the CISO from Prime Video on the panel. So, he was able to talk about how they did it at Prime Video. So, very interesting for folks. But it was the in-between conversations that I would watch: CISO A [inaudible] CISO B in completely different industries, the same problems, whether it would be culture or how do you think about zero trust or whatever the case may be. And it works out very, very nicely to see that and sort of foster that safe environment for them to do so.

Rick Howard: Good stuff, Clarke. Thanks for coming on the show and doing this. Appreciate it.

Clarke Rodgers: Thank you so much for having me, and I hope I'll see you at [crosstalk].

Rick Howard: I hope to be there.

Clarke Rodgers: re:Invent latest [crosstalk].

Rick Howard: re:Invent. That's right. Thank you, sir.

Tré Hester: That's Rick Howard speaking with Clarke Rodgers of AWS.

Dave Bittner: And I'm pleased to welcome back to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome back. I want to touch today on this notion of security by default. I know that's something you and your colleagues at CISA have been focused on. Can we start with some definitions here? What are we talking about when we say security by default?

Eric Goldstein: Absolutely. So, we really have two separate concepts here that we talk about at the same time, but they are worth splitting up. The first is security by design. And what that means is that when a product, a technology product, software or hardware, is being created, it is designed, developed, and built in a manner that places security top of mind. That the developers are using secure coding practices. That we are using memory-safe languages. That the product is undergoing rigorous security testing. That we are dealing with vulnerabilities in the development chain, not leaving it to beta testers to find and fix them for us, or even worse, once it's fully pushed out to production. Making sure that security, again, is a paramount priority in the software development process. Let's separate that from security by default, which means that when the product is being developed, it includes strong security controls baked in at no added charge. This could be features like rigorous logging, both logging types and logging retention. It could be multi-factor authentication. The nuance would depend on the product, but the idea here is that security shouldn't be a premium feature. It should be something that is baked in when a customer plugs in or installs the product. It should have the security features that are expected for the nature of the product and the risk that we're all facing.

Dave Bittner: So, how are you and your colleagues there at CISA moving this conversation forward?

Eric Goldstein: The first key point here is really having a conversation about where we think, as a country, the accountability for cybersecurity should lie. And we know that historically we really focus on the victim. When there's been an intrusion, we've often said the victim clicked on a spear-phishing email or the victim didn't patch that Internet-facing server. And, you know, that's a reasonable question that we should ask. And, of course, we should encourage good cyber hygiene by every enterprise, but we also have to ask, well, given the resources of that victim, the maturity, the threats we're facing, was it ever reasonable for that victim to be expected to shoulder the security burden that they're facing? Or in fact, should we look at the tech providers to do a bit more? To make sure that perhaps there are less prevalent vulnerabilities in that Internet-facing server so that the enterprise could actually manage their patching burden or even maybe get out of patching altogether. Did the product have the right security features so that the enterprise didn't have to think about opting in to MFA or installing a third-party service? It just came out of the box working seamlessly, at no more added cost. And so, by asking those questions of saying not just how did the breach occur, but also what were the conditions in which it happened and was the apportionment of accountability there [inaudible] to ensure that the victim could actually manage that burden. That's the first place to start. Once we have that conversation, then we could have more specifics. And we at CISA recently had, led by [inaudible], an article in Foreign Affairs, a speech at Carnegie Mellon University, and then more recently a product that we released with multiple international partners and our colleagues at FBI and NSA, really getting more specific on what customers should expect. And so, really there's a two-sided conversation here. The first conversation is to tech providers, to understand perhaps what they think of as secure by design and secure by default and how they can get there. A few investments that they are already making in many cases. And then there's the customer side. How can we drive the market signal so customers are asking the right questions to drive the right kind of product safety features and product security across the ecosystem?

Dave Bittner: To what degree do you think that this is an issue of the maturation of that technology ecosystem? I think about things like if I buy a toaster or a hairdryer, we've been working on electricity for so long that the regulations are in place, and I think consumers have a certain expectation that these devices are going to be safe. Are we there yet with cyber, or how do we get to that point?

Eric Goldstein: I think maturation really is a part of it. A big element is thinking about cybersecurity as a fundamental safety issue. You mentioned toasters and hairdryers; those have safety features because none of us want our houses burning down. Now certainly when we think about how technology is used, not only across [inaudible] structure but in all of our homes, certainly adversarial misuse could result, and we've seen in some cases, really negative consequences. And so, we see it at CISA, and I think the [inaudible] community is also aligned here, as really a fundamental safety issue. As you've mentioned, Dave, we've seen in the past a lot of these changes in adoption of strong requirements, strong controls, have been driven by regulation. We don't think that that is necessarily the only path here today. We think that we can do a lot of work in the voluntary, trust-based model that we at CISA adopt. We think that if we can get specific enough about what the characteristics of a safe technology product are, we think that we can bring together providers and customers to set those market signals and drive the right change, even in the absence of, or as a precursor to, any sort of compulsion that's coming down the road.

Dave Bittner: Yes. I guess when I look at the reality in today's marketplace, when a lot of folks will just log onto Amazon or some kind of online retailer and find the cheapest home security camera that they can, it seems to me like it's a bit of an uphill battle here. That you and your colleagues there have your work cut out for you.

Eric Goldstein: We certainly face a challenge, but we think the challenge is also an opportunity, because we know that, well, if the cheap product is the insecure product, then those manufacturers should be driven out of the market. We think that those companies, and there are dozens, hundreds of tech companies in America who are investing every day in their product safety and product security, those are the products that should be bought and used on American networks. Not those that are sold for a cut-rate price that are introducing insecurity into our tech [inaudible]. And so, we think that if we can clearly differentiate those products that are safe and secure from those that aren't, well, that's an advantage to American companies. That's an advantage to our economy, prosperity, and to our innovation, but we need to figure out how to really clarify what safe and secure means and then reflect to the consumer, both the individual and the enterprise, how to differentiate, so we can send those market signals that incentivize those companies that are doing it right and regulate those companies that aren't doing it right to go sell somewhere else.

Dave Bittner: All right. Well, Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA. Eric, thanks so much for joining us.

Eric Goldstein: Thank you again. I appreciate it as always.

Tré Hester: And that's the Cyberwire. For links to all of today's stories, check out the Daily Briefing at thecyberwire.com. We'd love to know what you think about this podcast. You can send us an email at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help you keep a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and senior producer Jim Driven. Our mixer is me, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening, and see you back here tomorrow.