CyberWeekly: Pwned IoT Cameras, NYC Cyber Startups, and Iranian Cyber-Espionage Campaign
CyberWeekly Newsletter: Weekly Edition
Pwned Nest Cameras
The cybersecurity community is well aware at this point of the potential for threat actors to exploit Internet-of-Things (IoT) devices. Hopefully, recent news of IoT cameras being exploited in-the-wild will push that awareness into the minds of more consumers. Earlier this month a supposed white hat hacker—claiming to be part of Anonymous Calgary Mindhive in Canada—pwned an Arizona real estate agent’s home Nest camera… then talked to the realtor through the camera in order to school him about network security. While that example may get a chuckle out of most professionals, the next one definitely doesn’t.
A Texas couple had someone pwn the Nest camera in their infant son’s bedroom. As you can imagine, it would freak any parent out to hear some guy yelling from your baby’s room, “I’m going to kidnap your baby. I’m in your baby’s room.”
Cybersecurity journalist Brian Krebs offers some good basic advice for securing IoT devices:
Rule #1: Avoid connecting your devices directly to the Internet
Rule #2: If you can, change the thing’s default credentials
Rule #3: Update the firmware
Rule #4: Check the defaults
Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities
Rule #6: Consider the cost
Check out Brian Krebs’s site for a thorough explanation of his IoT rules. Hopefully this gives you enough ammo to spread some wisdom this holiday season… or at least to finally convince your aunt at Christmas dinner that cybersecurity isn’t just the government's concern (though hopefully some of the proposed government legislation below will help).
By the way, I’ll add one more rule to the list.
Rule #7: Never put an IoT camera in a room in which you’re ever likely to be undressed.
I’m just saying…
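To make Krebs’s first five rules something you can actually run against a device list rather than just recite at dinner, here is a small audit script. It is an added example, not code from the newsletter or from Brian Krebs; the inventory records, the default-password list, and field names such as `port_forwarded` and `p2p_enabled` are all constructed placeholders for illustration.

```python
"""Audit an IoT device inventory against Krebs's IoT rules 1-5.

Added example (not from the newsletter or from Brian Krebs). Every record,
the default-password list and the field names are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a vendor default-credential list (not a real vendor list).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "123456", ""}


@dataclass
class IoTDevice:
    name: str
    username: str
    password: str
    firmware: str            # installed version, dotted numeric, e.g. "2.4.1"
    latest_firmware: str     # vendor's current release
    port_forwarded: bool     # router forwards a WAN port straight to the device
    upnp_enabled: bool       # device may punch its own WAN hole via UPnP
    p2p_enabled: bool        # vendor "P2P" / cloud-relay feature switched on
    unused_services: list = field(default_factory=list)  # e.g. ["telnet"]


def version_tuple(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: IoTDevice) -> list:
    """Return one finding string per violated rule (empty list == all rules pass)."""
    findings = []
    # Rule 1: nothing from the Internet should reach the device directly.
    if dev.port_forwarded or dev.upnp_enabled:
        findings.append("rule1: directly reachable from the Internet (port forward/UPnP)")
    # Rule 2: default or username-as-password credentials.
    if dev.password in KNOWN_DEFAULT_PASSWORDS or dev.password == dev.username:
        findings.append("rule2: default or trivial credentials")
    # Rule 3: firmware behind the vendor's current release.
    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        findings.append(f"rule3: firmware {dev.firmware} behind latest {dev.latest_firmware}")
    # Rule 4: default services (telnet, ftp, ...) left enabled but unused.
    if dev.unused_services:
        findings.append("rule4: default services still enabled: " + ", ".join(dev.unused_services))
    # Rule 5: P2P / cloud-relay features expose the device without a port forward.
    if dev.p2p_enabled:
        findings.append("rule5: P2P / cloud-relay feature enabled")
    return findings


def audit_inventory(devices) -> dict:
    """Map device name -> list of findings for a whole inventory."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one bad camera, one reasonably configured sensor.
SAMPLE_INVENTORY = [
    IoTDevice("nursery-cam", "admin", "admin", "1.2.0", "1.3.4",
              port_forwarded=True, upnp_enabled=False, p2p_enabled=True,
              unused_services=["telnet"]),
    IoTDevice("garage-sensor", "owner", "Xk7!pq2Lm9", "3.0.1", "3.0.1",
              port_forwarded=False, upnp_enabled=False, p2p_enabled=False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} issue(s)"
        print(f"{name}: {status}")
        for f in findings:
            print("  -", f)
```

Run it as-is and the constructed `nursery-cam` fails rules 1 through 5 while `garage-sensor` passes clean; swap in your own inventory to get the same per-rule report. The version comparison deliberately parses dotted numerics, because comparing "1.10.0" and "1.9.0" as strings gets rule 3 wrong.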
AI and Cyber Workforce Priority in Congress
Reportedly Congress—or at least the House Oversight and Government Reform Subcommittee on IT—will be prioritizing artificial intelligence and the cyber workforce when the new Congress is back in session in January. Additionally, they are also looking at IoT devices. The goal would be to get “basic cybersecurity standards to be baked into government-purchased Internet of Things (IoT) devices.” These all sound like good things. I’ll get a bit more excited, though, when I see Congress make some actual progress. After all, while the House appropriated $150 million for the Technology Modernization Fund (TMF), their colleagues in the Senate zeroed out that budget. This is why we can’t have nice things.
NYC Cyber Startup Radar Call
The New York City Economic Development Corporation (NYCEDC) has been busy pursuing the vision of making New York a global player in the cybersecurity community. Most notably, in October NYCEDC launched Cyber NYC, a $100 million public and private sector investment in the growth of a local cyber ecosystem. As part of Cyber NYC, the NYCEDC is now partnering with the consultancy Wavestone to design the New York City Cybersecurity Startup Radar, which is supposed to provide a “consolidated map” of the local cyber startup community. The aim is to give investors, entrepreneurs and corporate executives a better understanding of how NYC-based cyber startups are evolving. Wavestone has previously designed Cybersecurity Startup Radars for France and the UK.
At this point you’re probably asking, what exactly is a “Cybersecurity Startup Radar”? Fair question. Best I can tell from the France and UK versions is that it’s simply a cool graphic that shows a bunch of local startups and their niches. While it’s not a marketing cure-all for startups, I can see how entrepreneurs would rather be included than not. So, on that note, NYCEDC announced last week that they are now accepting applications for the NYC Cybersecurity Startup Radar (though no deadline was mentioned). The criteria are pretty straightforward:
Offer a technological solution or service directly related to cybersecurity
Be a legally incorporated company less than 10 years old
Maintain a registered office in New York City
Employ fewer than 50 people
The final Startup Radar is scheduled to be presented in “early 2019” at the Chelsea-based Global Cyber Center. All contributors, startups, and interested businesses will be invited to attend, which could be pretty cool since the Center hasn’t opened yet. Let me know if you know any entrepreneurs who are applying. After all, I am a believer in the growth of the NYC cybersecurity community.
Iranian Cyber-Espionage Campaign
This month security researchers from the Symantec DeepSight Adversary Intelligence Team published some interesting research about the Iran-nexus APT Seedworm (aka MuddyWater). It looks like Seedworm has been on an active, cyber-espionage campaign hitting more than 130 victims in 30 organizations since September 2018. This research garnered some sensational headlines with Wired declaring, “The Iran Hacks Cybersecurity Experts Feared May Be Here”. Separately, another Iran-nexus APT Charming Kitten made news for a cyber-espionage campaign targeting politicians involved in economic and military sanctions against Iran, which circumvented two-factor authentication (2FA).
It seems like this year Iranian APTs haven’t gotten quite as much attention as those from Russia, China and North Korea (unless of course, you work in the oil & gas industry). However, recent research makes it clear that Iran is indeed active.
A few things jumped out as interesting in the Symantec research:
Seedworm has a preference “for speed and agility over operational security.” This seems like a key attribute of the group. It implies that, if an organization finds Seedworm-related indicators of compromise (IOCs) in their network, that organization needs to get their incident response team moving quickly.
“After compromising a system… Seedworm first runs a tool that steals passwords saved in users’ web browsers and email.” I suspect many people have been lulled into a false sense of security (not that it takes much) and believe saving passwords in web browsers is safe. Advice: use a password manager with a web browser extension for safer results.
In September 2018, Symantec “found evidence of Seedworm and the espionage group APT28 (aka Swallowtail, Fancy Bear), on a computer within the Brazil-based embassy of an oil-producing nation.” So this Iranian threat actor is swimming in the same pools as Russia’s GRU? Sounds like a threat actor that won’t be limited to the oil & gas industry.
Of the 131 victims Symantec analyzed, the largest number of victims were located in Pakistan (39%). You normally hear about Iran being in conflict with select Arab countries. However, Iran and Pakistan share a 596-mile (959 km) border. As well, they fall on opposite sides of Islam’s Sunni-Shia divide, which seems like a key determinant for adversarial relations in the region: Iran is 95% Shia and Pakistan is nearly 80% Sunni.
Clearly, no one should sleep on Iranian threat actors in 2019—just ask Italian oil services firm Saipem, which recently had over 300 computers compromised with a variant of the Shamoon virus.
Cool Job of the Week
Google — Regional Security Intel Specialist, Global Security Operations Center (Location: Mountain View, CA)
Veteran-Preferred Job of the Week
T-Mobile — 2019 Technology Internship (IT/Cyber Security) (Location: Bellevue, WA)
Hope you’ve enjoyed this week’s edition of the CyberWeekly Newsletter. Please share with a friend or colleague.
Click here to subscribe to the CyberWeekly Newsletter.
Happy holidays!
Stay vigilant,
Oritse J. Uku, Editor-in-Chief
Disclaimer: The opinions expressed in this newsletter are my own.