The CyberWire Daily Podcast 11.27.23
Ep 1954 | 11.27.23

Hacktivists assemble to attack Pennsylvania water utility.

Transcript

Dave Bittner: Iranian hacktivists claim an attack on a Pennsylvania water utility. North Korea's increased attention to supply-chains. Rhysida's action against British and Chinese targets. Sandworm activity puts European power utilities on alert. Neanderthals and the Telekopye bot. Mirai-based botnet activity. Our guest is Chris Betz, the new CISO of AWS Security, with insights on the upcoming AWS re:Invent conference. And just how easy is it to track the comings and goings at Mar-a-Lago?

Dave Bittner: Remember to leave us a 5-star rating and review in your favorite podcast app.

Dave Bittner: Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Dave Bittner: Our guest today is Chris Betz, the new CISO of AWS Security giving us some insight into what to expect at the AWS re:Invent conference.

Dave Bittner: You can connect with Chris on LinkedIn and find out more about AWS re:Invent on the event website.

Want to hear your company in the show?

Dave Bittner: You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

Dave Bittner: The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Dave Bittner: Today is November 27, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing. 

Iranian hacktivists claim an attack on a Pennsylvania water utility.

Dave Bittner: Our top story today involves an Iranian hacktivist group, the Cyber Av3ngers, who have managed to infiltrate the control systems of a water booster station operated by the Municipal Water Authority of Aliquippa in Pennsylvania. The station, which serves Raccoon and Potter Townships, triggered an immediate alarm during the breach, but the hack did not compromise the safety or supply of water to the localities. The attackers made their political stance clear by displaying an anti-Israel message on the station's monitors, targeting the Israeli-made Unitronics control system used by the utility. Operators quickly countered the attack by switching to manual controls.

Dave Bittner: Previously, the Cyber Av3ngers have focused their attacks within Israel, targeting utilities like MEKOROT's CCTV systems and falsely claiming to compromise the Dorad power station. Their move to attack a U.S. utility represents a significant escalation in their operations, broadening their geographical scope of targeting. This incident serves as a wake-up call to the industry, emphasizing the need for increased vigilance, robust cybersecurity measures, and the readiness to revert to manual operations should technological defenses be breached. It also highlights the geopolitical dimensions of cybersecurity, where domestic infrastructure can become a proxy battleground for international tensions.

Dave Bittner: By the way, our rural Pennsylvania desk tells us that Aliquippa PA provided much inspiration for the 1980s Tom Cruise film All the Right Moves. 

North Korea's increased attention to supply-chain attacks.

Dave Bittner: Microsoft has identified a supply chain attack by North Korean group Diamond Sleet (ZINC). This operation involved tampering with a CyberLink Corp. application installer, embedding malicious code capable of executing a secondary payload. Notably, the attack utilized legitimate update infrastructure and a valid CyberLink certificate, making detection challenging. This incident has already affected over 100 devices across several countries, including Japan, Taiwan, Canada, and the U.S.

Dave Bittner: Simultaneously, the UK's NCSC and South Korea's NIS warn of North Korean hackers increasingly targeting software supply chains, exploiting zero-day vulnerabilities in third-party software. These attacks serve broader North Korean state goals: generating revenue, espionage, and stealing advanced technology.

Dave Bittner: So, it may be worth checking to be sure your SBOMs are properly secured. 

Rhysida's action against British and Chinese targets.

Dave Bittner: The Rhysida ransomware gang, emerging in May, has breached the British Library, compromising employee data, and is demanding 20 bitcoins for the stolen information. Additionally, they've targeted the Chinese state-owned China Energy Engineering Corporation, asking for 50 bitcoins for that data cache. While Rhysida's attacks align with Russian cyber privateering patterns, their choice to attack a Chinese entity is unexpected and suggests potential limits to their coordination or a shift in the Kremlin's stance on cyber aggression towards allies. A U.S. government advisory highlights Rhysida's opportunistic targeting across vital sectors and their ransomware-as-a-service operations, emphasizing the need for cross-sector vigilance and robust cyber defense strategies to counter such multifaceted threats.

Sandworm activity puts European power utilities on alert.

Dave Bittner: The Polish Institute of International Affairs has sounded an alarm over the intensified rate of Russian cyberattacks against NATO, with tactics ranging from data theft to system paralysis and disinformation campaigns. This uptick in aggression underscores the urgent need for enhanced collaboration within the Atlantic Alliance to safeguard critical state functions. The GRU's Sandworm group is notably active, inciting calls from European energy sector leaders for heightened security measures to protect the power grid against these threats, particularly those emanating from Russian-backed teams aiming to destabilize EU member states through sustained cyberattacks.

Neanderthals and the Telekopye bot.

Dave Bittner: A report from ESET reveals a stark glimpse into the world of cybercrime, highlighting the use of Telekopye, a Telegram bot that facilitates phishing operations, by criminals dubbed "Neanderthals". The scammers mock their targets by referring to them as "mammoths." Recruitment is active on criminal forums, where candidates undergo a screening process and, if accepted, gain full access to Telekopye's phishing template resources. Required to join two specific channels, one for communication and the other for transaction logs, these Neanderthals operate within a structured community, underscoring the sophisticated social organization behind some cybercriminal activities.

Dave Bittner: Perhaps someday these Neanderthals will find themselves extinct.

Mirai-based botnet activity.

Dave Bittner: Akamai has detected a new botnet, "InfectedSlurs," leveraging the Mirai malware framework and exploiting two zero-day vulnerabilities to proliferate. One vulnerability resides in network video recorders from an undisclosed manufacturer, and the other affects a wireless LAN router designed for hotels and residences. Patches are anticipated in December 2023. The router vulnerability, initially identified in a single model, may extend to a related variant, raising concerns about the broader implications for the manufacturer's full product line, given the commonality of the exploited feature. 

Dave Bittner: We are joined by AWS Security’s new CISO Chris Betz. Rick Howard recently caught up with Chris Betz to discuss insights from the AWS re:Invent conference that is occurring this week.

Dave Bittner: And finally, in the digital age, espionage has evolved dramatically from the daring feats of individuals like Mary Bowser during the American Civil War to a more subtle, yet pervasive, form of data gathering. Using legal and openly available data broker services, reporters at Rolling Stone have demonstrated the ease with which one can access detailed information about individuals, including their movements and personal characteristics. They set their sights on profiling visitors to former president Donald Trump's Mar-a-Lago residence, revealing not only the demographics of Trump’s visitors, but also their likely homes and workplaces. This ease of data acquisition underscores a significant shift: now, anyone can conduct surveillance from the comfort of their home, posing risks not just to public figures but to everyone. Our daily digital footprints, often unknowingly left through innocuous apps, become fodder for data brokers, creating vulnerabilities that can be exploited for all sorts of purposes, including surveillance and manipulation.

Dave Bittner: It might just be time to write that letter to your representative in Congress about federal data privacy legislation.

Dave Bittner: Coming up after the break, our own Rick Howard speaks with Chris Betz, the new CISO of AWS Security, with insights on the upcoming AWS re:Invent conference. Stay with us. [ Music ] AWS Security has a new CISO, and his name is Chris Betz. N2K's Rick Howard recently caught up with Chris Betz to discuss insights from the AWS re:Invent conference that's occurring this week.

Rick Howard: Hey, everybody, Rick here. As you may or may not know, the CyberWire is an Amazon Web Services media partner. And between 27 November and 1 December of this year, AWS is hosting their annual re:Invent conference in Las Vegas, Nevada and online. I got to sit down with Chris Betz, the newly minted AWS CISO, to talk about the focus of his talk at re:Invent. Chris has just recently replaced CJ Moses, who has moved up in the organization to be the CISO and VP of security engineering at Amazon. And Chris and CJ both report to Steve Schmidt, the CSO at Amazon. I've known Chris, it feels like, forever. And I started out by congratulating him on his new job. So congratulations on the new job. How about that? Congratulations.

Chris Betz: Thanks Rick. I'm really excited to be here. So this is this is a, this is an incredible role that's just -- it's been quite a journey.

Rick Howard: So we have the AWS re:Invent conference coming up in Las Vegas, the 27 November through 1 December, and you're speaking at a session called Move Fast and Stay Secure: Strategies for the Future of Security. What are you going to be talking about?

Chris Betz: Our CISO, Steve Schmidt and I actually get to be on stage together, which is going to be a lot of fun.

Rick Howard: That's fantastic.

Chris Betz: It's absolutely awesome. Well, and it's a fun thing, because, you know, three months in being able to tag team with Steve is an amazing opportunity. Talks we're going to be focusing on some of the most current ways that we think about our cybersecurity opportunities, some of the awesome innovation that's going on in the cybersecurity space, and really try to provide a direction for customers as we're all thinking about how we've applied some of these technologies and how we should think about applying and using some of these technologies going forward.

Rick Howard: So one of the big points in the presentation, I believe is how Amazon thinks about zero trust. And so that's a huge marketing term right now. A lot of people in our community flip our noses up about it, because, oh, it's just vendors talking about a new buzzword. But it is not, it is a fantastic strategy. So how does Amazon think about zero trust?

Chris Betz: Well, Rick, I think what you bring up is so important. It's easy to get lost trying to take something off the shelf, and apply it to your company. I've seen any number of my fellow CISOs. I've even tried it myself sometimes. And that's painful. Yeah, so. And you're right, the zero trust approach, the philosophy that deeply involves things that you know about the environment, things you know about the user or things you know about the user's environment, and the actions that they're taking, provides a really outstanding way to tailor their cybersecurity reactions to what they're trying to do. And so my lesson that having seen a number of my peers and been on the journey myself, for zero trust, a number of places. The lesson that I've learned is that having a tailored, having a fit solution for you is so important. And it's all about the foundational elements, those building blocks. And so I'm not going to steal thunder from my own talk, but recognize kind of where you can find those building blocks, where do you have the building blocks that have spent a lot of time, and how do you use that, to make sure that you're getting not the one size fits all solution, but really the tailored solution for you, for your enterprise, for your business is so important.

Rick Howard: Well, I agree with that. I call that meat-and-potatoes zero trust, because a lot of our peers feel like they have to reinvent the wheel to deploy a zero trust philosophy. And in reality, you're already using things that have zero trust capabilities, especially AWS, right? They've got all kinds of things you could do to improve your zero trust journey. And that's true for a lot of different security tools. Right? So it's not a rip and replace operation. It's just, it's an improvement exercise. Am I overexaggerating that?

Chris Betz: I don't think you are. I mean, I think there's a to be clear, there's some discrete new approaches and lines and different philosophy that you need to use. But you're right. I mean, so much of cybersecurity is built on a really, really strong technical foundation, knowing that you have those right capabilities. You know, as you said, at AWS we build a bunch of really great, strong technology foundation that gives you the right place to much more easily get the solution that fits you. But at least that's how I approach the problem. I like the way you talk about it is that, you know, it's not about the buzzwords, it's not about the flashy bells. Getting this to work right starts off with a really solid foundation that's designed to work at that scale, and in the way you need to for zero trust.

Rick Howard: So the conference is AWS re:Invent. It's going on in my favorite city of all time, Las Vegas, 27 November to 1 December. Chris, any last words? You want to encourage people to come out?

Chris Betz: Thanks, Rick. Yeah. I hope everybody will attend or tune in. There's a lot of content available online for AWS re:Invent, as you said, starting, starting on Monday. And I'm also excited to share that the dates and location for AWS re:Inforce, our security-focused conference, have been announced. It's June 10th through 12th in Philadelphia. This is the best security learning conference that I've been at in a long time. [Music] And so finally, thank you, Rick [inaudible 00:13:30] for talking to me. It's been great to see you again. And I hope to see you at re:Invent and at re:Inforce next summer.

Dave Bittner: That's the new CISO at AWS Security, Chris Betz, speaking with my CyberWire colleague, Rick Howard. [ Music ] Wrapping up today's show, in the digital age, espionage has evolved dramatically from the daring feats of individuals, like Mary Bowser during the American Civil War, to a more subtle, yet pervasive form of data gathering. Using legal and openly available data broker services, reporters at Rolling Stone have demonstrated the ease with which one can access detailed information about individuals, including their movements and personal characteristics. They set their sights on profiling visitors to former President Donald Trump's Mar-a-Lago residence, revealing not only the demographics of Trump's visitors, but also their likely homes and workplaces. This ease of data acquisition underscores a significant shift. Now anyone can conduct surveillance from the comfort of their home, posing risks, not just to public figures but to everyone. Our daily digital footprints, often unknowingly left through innocuous apps, become fodder for data brokers, creating vulnerabilities that can be exploited for all sorts of purposes, including surveillance and manipulation. It might just be time to write that letter to your representative in Congress about federal data privacy legislation. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Erban and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. Our executive producer is Brandon Carr. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.