CyberWire Daily - 2022's top exploited vulnerabilities are still a risk. Rilide in the wild. Abusing a legitimate tool. Malicious PyPI packages. A brief update on the cyber aspects of Russia's hybrid war.
Episode Date: August 4, 2023

The Five Eyes warn against top exploited vulnerabilities. The Rilide info stealer in the wild. Malicious PyPI packages. Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission's recently announced cyber regulations. In our Solution Spotlight: our own Simone Petrella speaks with Microsoft's Ann Johnson on how Microsoft is attracting and retaining top cyber talent. And cyber attacks continue to gutter on both sides of Russia's war against Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/148

Selected reading.
CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vu (National Security Agency/Central Security Service)
New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 (Trustwave)
Tunnel Vision: CloudflareD AbuseD in the WilD (GuidePoint Security)
VMConnect: Malicious PyPI packages imitate popular open source modules (ReversingLabs)
Bilyana Lilly on how cybersecurity assistance to Ukraine has helped thwart Russian cyberattacks (CyberScoop)
Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks (Reuters)
Ukraine's invisible battle to jam Russian weapons (BBC News)
How Ukraine's cyberwarriors are upending everyday life in Russia (Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Five Eyes warn against top exploited vulnerabilities.
The Rilide info stealer in the wild.
Malicious PyPI packages.
Valerie Abend, global cyber strategy lead from Accenture, unpacks the Securities and Exchange Commission's recently announced cyber regulations.
In our Solution Spotlight, our own Simone Petrella speaks with Microsoft's Ann Johnson on how Microsoft is attracting and retaining top cyber talent.
And cyber attacks continue to gutter
on both sides of Russia's war against Ukraine.
I'm Dave Bittner with your CyberWire Intel briefing
for Friday, August 4th, 2023.
Yesterday, intelligence services from the Five Eyes alliance came together to issue a comprehensive cybersecurity advisory, 2022 Top Routinely Exploited Vulnerabilities. It's aimed at highlighting the most critical vulnerabilities that had been consistently targeted and exploited by cyber attackers throughout the year. We highlight just a few here.

At the top of the list was the Fortinet SSL VPN vulnerability. This vulnerability had been a persistent target since 2020, underscoring the tendency of some organizations to lag behind in applying necessary patches and updates. ProxyShell vulnerabilities in Microsoft Exchange email servers ranked high on the hackers' leaderboard. These vulnerabilities, when exploited together, allowed remote code execution, making them an attractive target for cybercriminals. Another noteworthy entry was the Zoho ManageEngine ADSelfService Plus vulnerability, enabling unauthenticated remote code execution. The advisory highlighted its connection to an outdated third-party dependency, emphasizing the importance of up-to-date software practices. The widely used Atlassian Confluence Server and Data Center also made the list due to its susceptibility to unauthenticated arbitrary code execution. Governments and private companies relying on this web-based collaboration tool became potential targets. One of the most infamous entries was the Log4Shell vulnerability, which impacted Apache's Log4j library used in numerous products worldwide. The ability to execute arbitrary code and gain full system control made this vulnerability particularly enticing to malicious actors.

As the list demonstrates how several of these vulnerabilities continue to be exploited despite patches being available, the CSA emphasizes the critical importance of promptly applying updates per vendor instructions to bolster cybersecurity defenses and protect organizations from potential threats.
It's worth noting how many of the vulnerabilities continued to be exploited after patches were available. It suggests the effect that slow patching can have on an organization. As CISA so often says, apply updates per vendor instructions, and we might add, sooner rather than later.

Trustwave's SpiderLabs describes a new version of the Rilide stealer extension that's targeting Chromium-based browsers. The researchers note that the malware uses a creative way to work around the Chrome extension Manifest Version 3 from Google, which is aimed at blocking the installation of malicious extensions for Chromium browsers. Compared to earlier versions of Rilide, this variant exhibits a higher level of sophistication through modular design, code obfuscation, adaptation to the Chrome extension manifest, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures.

GuidePoint Security outlines how the legitimate tool Cloudflare Tunnel, also known as cloudflared, is being abused by threat actors. GuidePoint writes, cloudflared allows a TA to configure an environment in advance of an attack, then execute a single command from a victim machine to establish a foothold and conduct further operations. Since the cloudflared execution only requires the token associated with the tunnel they've created, the TA can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection. Once the tunnel is established, cloudflared obtains the configuration and keeps it in the running process.
Researchers at ReversingLabs discovered 24 malicious packages in the Python Package Index open source repository, PyPI. The campaign began in late July, and the attackers keep posting new malicious packages daily as the older ones are removed. ReversingLabs states, in contrast to other recent supply chain campaigns, such as Operation Brainleeches, the malicious packages that make up this campaign display evidence of a concerted effort to deceive developers. They achieve this by implementing the entire functionality of the modules they are imitating and standing up corresponding and linked GitHub projects that omit the malicious functionality found in the PyPI release package.
And finally, a quick note on Russia's hybrid war against Ukraine.
Cyber action has recently been characterized by Russian cyber
espionage. That action, which used Microsoft Teams in phishing campaigns, is the most prominent of
recent cyber operations, but there have been others. The Times of London describes ongoing
disruption of Russian online services by Ukrainian hacktivist auxiliaries. This has been, as wartime hacktivism has tended to be,
nuisance-level activity. For now, at least at the tactical level, both sides have been paying
more attention to traditional electronic warfare, especially to jamming and target location.
Coming up after the break, Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission's recently announced cyber regulations. In our Solution Spotlight, our own Simone Petrella speaks with Microsoft's Ann Johnson about how Microsoft is attracting and retaining top cyber talent.
Stay with us.
The U.S. Securities and Exchange Commission recently grabbed headlines with new cybersecurity requirements for public companies. In particular, a requirement that cyber incidents be reported within four days of determination of material impact has drawn a lot of attention.
Valerie Abend is Global Cyber Strategy Lead at Accenture, and I reached out to her for insights on the SEC's regulations, starting with the four-day requirement.
It's not about four days of having an incident. The requirement is that you have
a reasonably practical timeframe for determining whether or not an incident is material or not.
And you have a pretty good process then to do that, which we should dig into.
But it's really once you determine that something is material, you have four days to report it.
And has the SEC indicated that they'll be having scrutiny over this?
So after an event to go in and say,
was the pathway towards the determination that this is material,
was that reasonable and timely?
So you've hit it spot on, Dave. This is the thing. When you have an incident, that's when all these things become challenging, right? The final rule for a regulator
is not going to give you the example
of what best practice looks like.
It's not going to tell you exactly
how your process should go.
The problem will come when you have an incident
and maybe you didn't think it was material
and they come in and they realize it was material
and the reporting didn't happen and you didn't have a really good process. And the SEC says, show me
all the documentation. Show me how you made that decision. Show me who was involved. How did you
practice that so that you had a good process that you evolved over time based on the risk of your
company and the threats it's facing? And that will be the challenge is, you know, a lot of folks
who don't go through that process before they have an incident will be caught flat footed.
I know another concern that's been voiced is this notion that organizations may have to reveal too
much information that in the process, in the timeliness of revealing that the incident has
occurred, that that could be an opportunity for other attackers
to take advantage of that intelligence?
So the SEC made some pretty significant changes
between the proposed rule and what they ultimately voted out
to be the final regulation.
And one of the things that they changed,
which I think was really smart,
was how much information,
how much detail in this public filing you have to include about what was attacked. Are you still
vulnerable? So that you don't provide a roadmap, right, to the bad guys about what they should
continue to attack you on or even attack others on. So they did narrow what you have to disclose
in the face of an incident.
And I think that was really smart.
And they got a lot of comment from public companies
and from the industry about that exact thing.
How do we do the right thing
to provide shareholder transparency,
but how do we also manage the risk of further exposure
to that company or any other companies?
So what are your recommendations then for folks who are in leadership positions in a public
company, a CISO, maybe a board member, with these new rules, what sort of things should they be
concerned with? So I think there are a few challenges. And the first thing I would always
say on this one is because they did soften, you know,
various provisions between what they had originally proposed versus what they voted as final.
The first thing I say is I think a lot of folks are going to sort of let their foot
off the gas.
And I don't think that's a great plan.
As we talked about earlier, when you have an incident, that's when you're going to get
caught with like, oh, we didn't really have a well-defined process and we thought we did. And that's not just on the incident
materiality part. That's also on the sort of two other big areas of the regulation, one of which is
just your ongoing day-to-day cyber risk management processes. So in the rule, you have to disclose every year about how you're managing cyber risk. That's really smart. It doesn't require too much detail. But if you have
an incident and in that you don't really have all your details really worked out and the SEC comes
to do an investigation, that's where you're going to have a challenge. And so having a very strong cyber risk management framework with policies and procedures and clear ability to actually
quantifiably describe what are your higher risks in the context of your specific business
and how you're not just maturing your information security function, but actually holding all
members of the C-suite accountable for their
specific role in managing cyber risk, to me, that's going to be, I think, a big area that
a lot of companies need to focus on.
And if I were a CISO, I would partner with my CEO to see how we can do that, particularly
working with this management committee that's described in the rule.
So in the rule, they actually tell the board
that their job is to oversee
this cyber risk management committee
or an executive risk management committee
that's handling cyber.
And so if I were the CISO,
I would partner with the CEO and with the board
to really strengthen that management committee,
all the members of that committee, make sure it's clear what their responsibilities are,
and have it very well documented and practiced.
In terms of broader trends, of what this indicates,
in terms of a trajectory that the SEC is indicating here,
any thoughts on where we're heading with cybersecurity and public companies?
I think that what we're seeing is an increasingly complex regulatory landscape. As a matter of fact,
the White House just released a request for information around regulatory harmonization
and with an eye not just in what's happening in the United States, but internationally as well.
And we have very different approaches in the United States versus Europe, versus Asia Pacific
and other parts of the world in how we regulate generally, but specifically in cybersecurity.
And that is a challenge. I think that's the reality. I don't see it changing.
And so as we look at not just the SEC, but what other regulators are doing. So for example, CISA
has a requirement for critical infrastructure to report. CISA also is able to share that
information with other agencies. Are they going to give a heads up to the
SEC even before you do if you're experiencing an incident and have already reported that to CISA?
So I think there are various issues around regulatory complexity that a lot of publicly
held companies need to consider going forward. Valerie Abend is Global Cyber Strategy Lead at
Accenture. You can hear an extended version of this conversation
on the Caveat podcast.
Do check it out.
In an occasional segment that we call Solution Spotlight,
our own Simone Petrella speaks with Microsoft's Ann Johnson
about how Microsoft is attracting and retaining top cyber talent.
Hello, everybody.
Today, I am joined with Ann Johnson,
Corporate Vice President for Microsoft.
Microsoft has been leading the charge on talent and
workforce development for years. In fact, Microsoft launched an initiative in 2021 to
partner with community colleges, given their broad reach, to expand the cyber workforce
by providing curriculum, training faculty, and providing scholarships. And the following year
expanded in support of building the cyber workforce globally as well,
helping people in places like Colombia and India acquire cybersecurity and digital skills for in-demand jobs.
And thanks for joining us. How is that going almost two years later?
You know, it's just fantastic.
Look, there's not enough cybersecurity professionals globally to protect public and private infrastructure.
We're certainly not training or certifying enough cybersecurity students to close the gap. And we recognize
that no one has a higher responsibility to address cybersecurity threats and emerging
threats than tech companies. So as you mentioned, around the world, we've partnered with educational
institutions, nonprofits, governments, and businesses to develop local cybersecurity
skilling that meet the unique needs of their market. Also, we want to anchor that data of
where the gaps are in cyber in each region of the world in each country. So our cybersecurity
skills initiative is now in 28 countries. To date, we've trained more than 400,000 professionals
through a variety of channels, including our Microsoft Learn channel. And people at Microsoft Learn can earn valuable security training certificates. We've trained
through LinkedIn Learning courses, including systems administration, network security,
and more for the courses. And we are partnering with global educational institutions and
nonprofits throughout the world for even greater impact. I want to give one example. In India,
our CyberShikshaa program is working
to close the gender gap in the cybersecurity field. Since its inception, it's trained 1,250
women and employed more than 800 women. So tremendous impact through the programs with
the India program just being one highlight. That's incredible. I think one thing that
really has always stuck out to me is that in our current way, just in the US alone ... instead of nine. And I thought that analogy was particularly interesting because we talk a lot around here
about this concept of money ball
and the idea that organizations and employers
aren't often looking at their talent
through that team-based lens.
Meaning, I'm curious when you think about
those differing roles, those career paths,
and what's happening even within the Microsoft ecosystem,
how do you all think about team skills
and what's ultimately needed as a team
to execute on your security strategy,
whether that's zero trust
or intrusion kill chain prevention,
resilience, you name it?
Yeah, I think it's really important
to think about all those different career paths, right?
And to think about the fact that when we have an event
or something that happens internally,
it's not just the cyber technical professionals
that are joining the event.
It's the cyber lawyers.
It's folks that have finance backgrounds.
It's folks that have communications backgrounds.
It's folks that have partnership
or business development backgrounds.
And it takes all of that to solve any one problem.
So you need those deep technical experts,
but you also need people to understand
the business of cybersecurity.
All of those roles are equally important
in both solving the talent gap,
but also in solving the problems that are inherent to the cyber industry.
Yeah, absolutely.
And so it goes without saying, the other side of the coin here is,
what are some of the challenges that you see in these initiatives
and across others that are pervasive among the industry
when it comes to us making a statistically significant gap in this talent shortage? Look, demand, you know, if you think about, you know, the tech industry right
now, and there's, as we record this, obviously, there's been a lot of layoffs the first half of
the year, but cyber talent remains in high demand. These studies tell us that by 2025, there's going
to be three and a half million open cybersecurity jobs globally. That represents a 350% increase over the past eight years.
And demand for these jobs has grown by an average of 35% this year alone.
There's a whole lot of demand out there and not enough people that are qualified to fill it.
The second thing is there's this lack of diversity, right?
In the U.S., cybersecurity careers are still majority white and majority male. We need to build a cybersecurity workforce that's larger, and expanding the diversity and inclusivity of the industry is one way to go.
Because at the end of the day, you want your teams to be as diverse as the problems you have to solve.
But also, there's this really pragmatic approach that says, if we don't actually recruit more types of people into the industry, we're never going to solve the talent shortage.
That requires a tremendous amount of intentionality in whatever programs we design.
And we have to create more inclusive and supporting learning environments. We have to
think about the language of cybersecurity. It's incredibly important. And we have to help people
when they do get on board to help them feel included so that we have cohorts where that
look like, you know, people want to see representation. The cohorts they work in
need to look like them and sound like them. Yeah. And I think that the word you use
there is so appropriate. It's intentionality. How do we have intentionality about the things
that we're doing so that we can actually achieve those kind of ultimate business goals? I think
sometimes those sometimes get conflated because we're just trying to hit the numbers without
thinking about the actual kind of effects on overall resilience or how we can increase diversity and representation.
That's absolutely correct. And if we are not intentional about increasing representation,
we're never going to fill the talent gap. Yeah. Well, Ann, thank you so much. I appreciate you
taking the time to be with us today. Is there anything else that you want to cover that I
didn't necessarily ask?
Security is a team sport. So as much as Microsoft is working on these initiatives,
and we have a lot of them that are people and talent related, so are industry peers. And I
would encourage our peers and us to continue the work of being very intentional how we think about
training, recruiting, and retaining cybersecurity talent across a broad breadth of folks with different backgrounds.
And if we do that together,
we have hope of actually resolving all the talent shortage.
Very well said.
Thank you, Ann.
Appreciate your time as always
and hope to talk to you again soon.
Thank you so much for having me on.
That's Microsoft's Ann Johnson
speaking with N2K's Simone Petrella.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out
this weekend's Research Saturday
and my conversation with Aleksandar Milenkoski from SentinelOne.
We're discussing their work, Kimsuky Strikes Again,
new social engineering campaign aims to steal credentials
and gather strategic intelligence.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector ... We make you smarter about your team while making your team smarter. Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.