The CyberWire Daily Podcast 8.29.23
Ep 1895 | 8.29.23

Name collision. Spawn of LockBit. Quishing the unwary and the hasty. Trends in healthcare cybersecurity. Inquiries surrounding Russia’s hybrid war against Ukraine.

Transcript

Dave Bittner: Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, August 29th, 2023.

Name collision as a DNS risk.

Dave Bittner: Cisco Talos researchers this morning described risks posed by DNS name collision, which occurs when the name of an internal network resource overlaps with one used by a public top-level domain (TLD).

Dave Bittner: One technique the Name Collision Occurrence Management Framework recommends to avoid these collisions is “controlled interruption,” in which a TLD publishes DNS records at the root level to provide information about the domain. If a network uses an internal name that overlaps with one of these TLDs, it will receive a DNS reply stating “your-dns-needs-immediate-attention.<TLD>.”

Dave Bittner: Talos found, for example, that the .kids TLD used a flawed implementation of controlled interruption:

Dave Bittner: “One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids.

Dave Bittner: “Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s ‘System Center Configuration Manager’....Because Talos registered the domain name ‘your-dns-needs-immediate-attention.kids’, we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.”

Dave Bittner: Talos contacted the administrators of the .kids TLD, and the issue has since been fixed. But curious and colliding domain names continue to represent a potential problem.

LockBit derivative active against targets in Spain.

Dave Bittner: The National Police of Spain have warned of a LockBit Locker ransomware campaign that’s targeting Spanish architecture companies, BleepingComputer reports. The attackers are sending phishing emails posing as a photography company that’s seeking a cost estimate for a facility renovation. After a brief email conversation with the architecture firm, the threat actors schedule a meeting to discuss the project, and send over an archive with documents outlining the proposed renovations. This archive contains a file that will install the ransomware.

Dave Bittner: This is the most recent case of a LockBit infestation, but these have been on the upswing ever since the criminal source code made it possible for opportunists to spawn their own versions of the ransomware. 

QR codes as phishbait.

Dave Bittner: Trustwave SpiderLabs warns that threat actors are increasingly using QR codes to distribute phishing links. Many of these attacks impersonate multifactor authentication prompts from Microsoft and other providers:

Dave Bittner: “The samples we have observed using this technique are primarily disguised as Multifactor Authentication (MFA) notifications, which lure their victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the target’s desired location, the QR code leads them to the threat actor’s phishing page.”

Dave Bittner: It’s easy, quick, difficult to detect, and plausible. QR codes are in common use, and many of us will follow them without a lot of reflection. And, inevitably, the technique of using QR codes as phishbait has got its own name. SpiderLabs calls it “quishing.” Is it just us, or do the variants of “phishing” sound even worse than the original? Smishing for SMS phishbait, and now quishing for this. Maybe it’s the vague sense that this is onomatopoeia, like the sound something nasty makes when you step in it. Keep that quishing stuff off your digital footprints, kids.

Healthcare cybersecurity trends.

Dave Bittner: Claroty has published a report looking at cybersecurity in the healthcare industry, finding that 78% of respondents experienced at least one cybersecurity incident in the past year. Additionally, the survey found that “more than 60% of respondents reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health and/or safety. The financial ramifications mainly fell in the $100,000 – $1,000,000 USD range with 26% reporting paying ransoms.” 

Dave Bittner: Most of these costs were associated with operational downtime, followed by reputational damage, insurance premiums, legal fees, and regulatory fines.

Russian hacktivist auxiliary hits Polish organizations.

Dave Bittner: Turning to the hybrid war Russia is waging against Ukraine, the action in cyberspace seems to have shifted toward Poland.

Dave Bittner: NoName057(16) yesterday hit the Warsaw Stock Exchange, the Polish Government's Trusted Profile identity verification service, and five major commercial banks: Bank Pekao, Raiffeisen Bank, Plus Bank, Credit Agricole Bank, and BNP Paribas. Cybernews quotes the group's communique as explaining, “To express our support to all adequate citizens of Poland who oppose the authorities of their country drowning in Russophobia, our DDoS rocket launchers today are aimed at Polish targets.” The attacks were all distributed denial-of-service (DDoS) incidents, which is consistent with NoName057(16)'s familiar operational pattern. Some of the attacks seem to have been of longer than usual duration. As of this morning the Warsaw Stock Exchange, Bank Pekao, and Raiffeisen Bank were still experiencing disruption.

Investigation of railroad incidents in Poland continues.

Dave Bittner: Polish authorities have arrested two men, both Polish citizens, SecurityWeek reports, in connection with an attack that halted twenty trains in the vicinity of Szczecin. They used an acoustic tone transmitted over a radio system to issue stop signals. The incident began Friday night around Szczecin, and continued, but with minimal effect, Saturday and Sunday in other parts of the country, notably around Gdynia and Bialystok. Cybernews says the two men arrested were taken into custody in Bialystok, where they were found in possession of "radio equipment." The suspects' ages are given as 24 and 29, but they're not further identified.

Dave Bittner: Polish intelligence services continue to investigate the incident for signs of Russian sabotage. Polish railroads would be attractive sabotage targets. According to the Washington Post, some 80% of Western supplies delivered to Ukraine transit Poland, and much of that is carried by rail. Thus motive and (probably) opportunity point to Russian involvement, but so far no other evidence has been reported.

A technical issue grounds the UK’s air traffic control system’s automated features.

Dave Bittner: And, finally, a technical problem at the UK’s National Air Traffic Services (Nats) yesterday forced the delay or cancellation of hundreds of flights into the United Kingdom, as the loss of automated capability forced controllers to revert to manual methods. 

Dave Bittner: The UK’s airspace wasn’t “closed,” as a number of reports yesterday misleadingly put it, but flight disruptions have been widespread, and even though the problem was identified and corrected yesterday afternoon, they may continue for some time.

Dave Bittner: The Telegraph reports that, “Security sources said the fault appeared to be a genuine technical problem and was not believed to be the work of cyber-hackers or a hostile foreign state.” And that may well be the case. Still, the incident remains under investigation, and MSN cites unnamed sources in and around the government who think that foreign sabotage can’t be entirely ruled out. Speculation, and it’s just that–speculation–inevitably points to Russia. May the investigators get to the bottom of it soon, and flights return to normal. 

Dave Bittner: Coming up after the break, Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mailbag. Stick around. [ Music ]

Computer-Generated Voice #1: Mr.

Computer-Generated Voice #2: Security

Computer-Generated Voice #3: Answer

Computer-Generated Voice #4: Person. 

Computer-Generated Voice #1: Mr.

Computer-Generated Voice #2: Security

Computer-Generated Voice #3: Answer

Computer-Generated Voice #4: Person.

John Pescatore: Hi. I'm John Pescatore, Mr. Security Answer Person. A question for today's episode. This month, three news items just caught my eye. One, Microsoft released over 130 patches this month; two, Chinese hackers compromised Microsoft's cloud email services by stealing a cryptographic key; and, three, most illegal use of virtual currencies went down except for ransomware, which went up. Is the world ever going to make any progress in any of these areas? Oh, dear listener, I think you need a vacation. I did see a happy news item about airfare prices. They've been declining. But, of course, later I also saw several news items that came out about cascading flight delays due to weather across the US and strikes in Europe. The short answer is software engineering is still an oxymoron. Using the cloud still means using software, which still means vulnerabilities. And criminals will always go after vulnerabilities in people and software. My favorite quote about security comes from that famous security analyst Helen Keller. Ms. Keller, who lost her sight and hearing when she was 19 months old and had near zero communications with the world until she was seven when a motivated teacher taught her sign language -- you can watch the movie The Miracle Worker to see all about this -- she came up with this quote, "Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. The fearful are caught as often as the bold." Miss Keller's quote is very appropriate in relation to the security of software. Software development is still largely a craft versus an engineering discipline. And, unfortunately, more pressure is put on the software industry to produce more new products faster than to produce safer products. It is much like the entertainment industry where the products keep coming out, and 75% of them are not very good. 
No matter how many big stars are in it, how many critics like a film or a TV show, or how many AI engines are used to spew out positive quotes, anyway, you run the risk of paying $14 to see a real stinker. The same is true in software, just the prices are a lot higher. Our job in security is to make those risks tolerable to enable the bold side of business to stay safe and make money while using inherently insecure technologies. Our industry has many parallels to the pharmaceutical and medical industries. There are a small number of diseases that can be eliminated or nearly eliminated; but there are many, many more where there's just no end game. Vaccines and basic hygiene, however, can bring danger levels down to socially and economically acceptable ranges. The other angle in our industry is crime, which also never goes away. Banks are still robbed, cars are still stolen, scams still happen. But security controls and basic security hygiene and education allow the motivated not to get caught by the criminals very often. As far as that news about virtual currencies and declining criminal use, I'm going to skew a bit old here. But I'm really sure that tulip-related crime saw a similar downswing after the tulip bubble burst in 1637. Of course, the value of cryptocurrencies used illicitly has gone down because the value of cryptocurrencies has gone down. The values of virtual currencies and the valuation of startups that were based on the use of virtual currencies have plummeted in recent months. So, obviously, criminal use has dropped. But, in ransomware, there's still too many targets. There's way too many targets of opportunity for small companies and large for that crime to go away. In fact, what we've seen here recently is some very big targets have once again been hit and once again paid for ransomware via cryptocurrencies. 
This tells us we still need to prioritize moving to two-factor authentication to defeat phishing and continuing security awareness to lower the odds that users will fall for scams. Add in basic security hygiene and we can enable the bold to confront dangerous markets and minimize risk, which is why they pay us the big bucks. Every new wave of technology will bring business opportunities along with vulnerabilities that criminals will exploit or well meaning IT administrators will expose. If you want to see an entertaining show, by the way, about the next wave of all that, I'll leave you with this. Watch Episode 1 of Season 6 of the Black Mirror on Netflix, an episode called Joan is Awful. Get back to me after you've seen that. [ Music ]


John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.


Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to questions@thecyberwire.com. [ Music ] And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my cohost over on the Caveat podcast. Hey, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: So interesting article from the folks over at Fortune. This is written by Leo Schwartz, and it's titled, In a first, the SEC says NFTs sold by an LA-based entertainment firm are securities. Here's how that could ripple throughout the industry. What's going on here, Ben?

Ben Yelin: This is really interesting. So, for the first time, the Securities and Exchange Commission in Washington, DC has charged this entertainment company called Impact Theory with conducting an unregistered offering of securities via these nonfungible tokens. I am not an owner of NFTs myself. I think they're kind of silly but.

Dave Bittner: Oh, come on, Ben. Where's your sense of adventure?

Ben Yelin: I know, I know. But a lot of people have them and see them as real assets.

Dave Bittner: Right.

Ben Yelin: The issue here is what is under the purview of regulation from the Securities and Exchange Commission. Obviously, owners of any asset, including things like collectibles, don't want to be under the watchful eye of the Securities and Exchange Commission. That's bad. You're being regulated. It's probably going to end up costing you some money in taxes and fees.

Dave Bittner: Okay.

Ben Yelin: And, also, when you're under the watchful eye of regulators, you're less likely to be able to get away with nefarious business practices.

Dave Bittner: So say, for example, I have my collection of priceless artwork or my collection of priceless Beanie Babies. Either of those things are outside of the SEC's jurisdiction, and I want to keep it that way.

Ben Yelin: Yes. Exactly. So courts across the country have found repeatedly that things like that -- consumer goods, art, collectibles like baseball, basketball cards --

Dave Bittner: Oh, yeah.

Ben Yelin: -- those are not securities under federal law.

Dave Bittner: Okay.

Ben Yelin: What this judge is saying for the first time is that, when you're talking about something like art or baseball cards, the value would be unaffected if those producers went out of business. So a piece of art is still valuable, even after Michelangelo dies or whatever. With NFTs, when the developer is managing the blockchain technology behind a collection, the value could be intertwined with the success of the company. So it's more intertwined with a company rather than just an individual that has given worth to that object, and that's just kind of the nature of NFTs and blockchain technology. This is really groundbreaking. I think this is going to change the market for NFTs. One of the benefits of having NFTs as an asset was being outside the regulation of the SEC. And if the reasoning of this case is adopted, and I think it's reasonably compelling, then that's going to remove that advantage as an asset. And you might just want to go back to collecting baseball cards instead of these nonfungible tokens.

Dave Bittner: Or playing the stock market.

Ben Yelin: Exactly.

Dave Bittner: Which is -- right. Yeah. It's interesting. This article points out that Impact Theory, they did not admit or deny the SEC's allegations, but they did agree to a cease and desist order. And they're paying $6.1 million in fines in disgorgement, prejudgment interest, and a civil penalty. Can you unpack that for me? What does that mean, Ben?

Ben Yelin: Sure. So, basically, without acknowledging that NFTs deserve to be under the protection or the watchful eye of the SEC, they made the case go away by paying a bunch of fines to the agency and returning money to the investors that purchased these NFTs.

Dave Bittner: Okay.

Ben Yelin: So it was a way to settle the case without setting any precedent on behalf of the company or without the company hurting itself in future litigation by admitting that these NFTs should be regulated or deserve to be regulated by the SEC. Now, I should note that there were some dissenting opinions on the Commission, which we don't frequently see. Most of their decisions are unanimous. And they wrote a statement saying that they disagreed with the application of the relevant Supreme Court precedent called the Howey Test, which determines whether assets are considered securities. And what these dissenters argued is that NFTs did not represent shares in a company or produce any type of dividends. It's funny because if you follow that to its logical conclusion, then a company like the one we're discussing here would be out of business because it would be seen as not a valuable investment if it didn't provide some type of dividends. So I think the companies that are selling these are kind of caught between a rock and a hard place. You need to maintain that these assets are profitable and that it's a worthy investment --

Dave Bittner: Right.

Ben Yelin: -- without having it meet those categories. That puts it under SEC jurisdiction. So it's just kind of an interesting game that these companies have to play.

Dave Bittner: If I'm a different company in the NFT business, this surely has my attention.

Ben Yelin: Absolutely. I think because this is a novel case and the first of its kind, I think it could have a ripple effect of affecting how these companies do business, how they structure some of their transactions. Absolutely.

Dave Bittner: All right. Well, again, this is an article from Fortune written by Leo Schwartz. Ben Yelin, thanks for joining us.

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]