Pipeline cyber rules, a Coinbase extortion attempt and World Cup scammers

Quinten de Graaf / Unsplash

Welcome to Changelog for 12/4/22, published by Synack! It’s me, Blake, back after a Thanksgiving break. Grudging kudos to the Netherlands for besting the U.S. in the World Cup on Saturday. Now I’m rooting for France to win it all. Here’s what caught my eye and that of README senior editor Nathaniel Mott recently:

 

The payload

U.S. transportation officials last week took their first formal step toward setting highly anticipated cybersecurity rules for the pipeline and rail industries.

The Transportation Security Administration — yes, that TSA — issued an advance notice of proposed rulemaking aimed at boosting cybersecurity practices among “high-risk” rail and pipeline operators.

The announcement comes a year and a half after a ransomware attack on Colonial Pipeline forced the gasoline and refined petroleum carrier to shut off operational technology (OT) controlling nearly half the fuel supplies to the East Coast. That disruption spurred TSA, which has authority over surface transportation cybersecurity, to issue a series of security directives ahead of last week’s rulemaking. Broadly, the agency has signaled it wants owner-operators to “continually assess their cybersecurity posture,” whether through pentesting, red teaming or something else.

“Ransomware attacks targeting critical infrastructure threaten both IT and OT systems and exploit the connections between these systems,” TSA pointed out in its notice. It also said “recent incidents” show “the potentially devastating impact that increasingly sophisticated cybersecurity events can have on our nation’s critical infrastructure, as well as the direct repercussions felt by U.S. citizens.”

The American Gas Association, which represents many major U.S. pipeline companies, welcomed the rulemaking in a statement but has already said it plans to seek an extension to TSA’s 45-day comment window. And despite the agency citing the “need to take urgent action,” the rulemaking process could take years to play out.

The week, compiled

It seems like companies are starting to learn from at least some of Uber’s past cybersecurity mistakes.

Coinbase, a leading cryptocurrency exchange, refused to pay a scammer who claimed “to have ‘dehashed’ and ‘decrypted’ sensitive data from 306 million Coinbase user accounts” in November, CoinDesk reported. The company said it had no evidence any breach had taken place, despite the scammers’ $450,000 ransom demand.

Art Rachen / Unsplash

The cryptocurrency company also encouraged would-be hackers to report vulnerabilities through its legitimate bug bounty programs. Contrast that with former Uber CISO Joe Sullivan, who was convicted in October of covering up a data breach by disguising it as a payout for the company’s bug bounty program.

This kind of after-the-fact “bug bounty” is reportedly fairly common in the cryptocurrency realm. Thieves often make off with obscene amounts of money by exploiting flaws in crypto exchanges, bridges and other parts of the ecosystem — only to be offered a portion of their haul in exchange for returning most of the stolen funds and sharing information about how the victim can shore up their defenses.

Coinbase’s message is clear: It’s not looking to cut similarly sketchy deals, and its security team isn’t in a rush to follow Sullivan to prison.

Here’s some other top news:

CyberScoop: Scammers have been taking advantage of the FIFA World Cup by using fake websites and mobile apps to gather information, deploy malware and steal money from the sporting event’s massive fanbase. Group-IB said that at least 90 accounts for Hayya, which CyberScoop described as “the mandatory system established so World Cup attendees can enter Qatar and access tickets and other services such as transportation,” also seem to have been compromised.

TechCrunch: Google’s Threat Analysis Group published a report on the so-called Heliconia exploitation framework “with likely ties” to Spain-based spyware vendor Variston IT. The malware abused zero-day vulnerabilities in Chrome, Firefox and Windows to deploy spyware.

A message from Synack

APIs are on track to be the most frequent attack vector in 2022, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn about a better way to pentest APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

SolarWinds isn’t the kind of company anyone expects to become a household name. It offers a variety of products meant to help IT workers manage complex networks, systems and databases — unlikely to be topics of conversation during the holiday season.

But then SolarWinds was identified as the weak link in a supply chain attack that compromised U.S. government agencies, leading tech companies and the FireEye security firm.

Nathan Watson / Unsplash

Reuters reported in December 2020 that the Treasury and Commerce departments had been hacked by a group linked to Russia’s intelligence services — “believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds.”

The U.S. Cybersecurity and Infrastructure Security Agency said it was “aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020.” (SolarWinds CEO Sudhakar Ramakrishna said at the RSA Conference in 2021 that his company had been hacked as early as January 2019.)

“This APT actor has demonstrated patience, operational security and complex tradecraft in these intrusions,” CISA said.

But targeting one of the world’s leading incident response firms in the process turned out to be a mistake: FireEye was quick to report on how the attackers gained access to targeted networks and what they did after they were inside them in a bid to help organizations recover.

That wasn’t the end of the story for SolarWinds. TechCrunch reported in November that the company would “pony up $26 million to shareholders and face possible enforcement action from the federal government” as a result of the hack.

Local files

Risky Business News: Australia passed a new privacy bill on Nov. 28 that allows the Office of the Australian Information Commissioner to fine companies up to 50 million Australian dollars or 30% of their adjusted turnover if they fail to properly secure customer data. The bill’s passage follows high-profile data breaches affecting the Optus telecommunications company, Medibank health insurance provider and other Australian companies over the last few months.

The New Yorker: A lawsuit brought against NSO Group by lawyers at the Knight First Amendment Institute at Columbia University on behalf of 35 journalists working at a Salvadoran publication called El Faro marked the first time a U.S. citizen has sued the Israeli company for deploying its Pegasus spyware.

The Record: Guatemala’s Ministry of Foreign Affairs told The Record it was investigating a ransomware attack after it appeared on a leak site for the Onyx ransomware group in September and November.

Off-script

I visited my hometown of Sanibel, Fla., over the Thanksgiving break to help my family clean up after Hurricane Ian struck the barrier island as a Category 4 storm on Sept. 28.

This was far, far worse than Hurricane Charley in ’04, with Ian’s storm surge leaving little that could be salvaged from hundreds of homes and businesses. It will take years for parts of Southwest Florida to recover from the storm — I fear this was the “big one” that may forever upend the community. I just hope as many people as possible can pick up the pieces and bounce back.

A street view on Sanibel nearly two months after Hurricane Ian made landfall. Photo credit: Blake Sobczak

That’s all for this Sunday — see you next week! Send tips and feedback to bsobczak@synack.com or nmott@synack.com.