CyberWire Daily - A look back at midterm cybersecurity. Communications security lessons learned in Ukraine. Known Exploited Vulnerabilities and Patch Tuesday. Off-boarding deserves some attention.
Episode Date: November 9, 2022
US midterm elections proceed without cyber disruption. Communications security lessons learned. CISA publishes new entries to its Known Exploited Vulnerabilities Catalog. Patch Tuesday notes. Carole Theriault examines cross border money laundering. The FBI's Bryan Vorndran offers guidance on how companies should think about their exposure in China. And a recent study finds reasons to be concerned about off-boarding.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/216
Selected reading.
Taking a look at election security on US midterm Election Day. (CyberWire)
Communications Security: Lessons Learned From Ukraine (BlackBerry)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
Microsoft November 2022 Patch Tuesday (SANS Institute)
November Patch Tuesday Updates | 2022 (Syxsense Inc)
Microsoft Fixes Six Actively Exploited Flaws (Decipher)
Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (BleepingComputer)
Microsoft Scrambles to Thwart New Zero-Day Attacks (SecurityWeek)
Infrastructure access and security. (CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
U.S. midterm elections proceed without cyber disruption.
Some communications security lessons are learned.
CISA publishes new entries to its known exploited vulnerabilities catalog.
We got some patch Tuesday notes.
Carole Theriault examines cross-border money laundering.
The FBI's Bryan Vorndran offers guidance on how companies should think about their exposure in China.
And a recent study finds reasons to be concerned about off-boarding.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, November 9th,
2022. The U.S. midterm elections were completed yesterday, and while the votes are being counted,
we can reach a preliminary assessment of whether there was any cyber activity that interfered with the voting.
It appears that nothing much happened.
Reuters reported that the U.S. midterm elections proceeded without unusual difficulty.
A review of voting the morning after the election showed little evidence of cyber attacks and even less evidence of disruption.
So, little seems to have changed
since we heard from senior CISA officials
at their three media availabilities yesterday.
As one of those officials said midday,
we continue to see no specific or credible threat
to disrupt election infrastructure.
In particular, the official added,
to be very, very clear,
we have not seen any evidence of foreign influence
affecting our election infrastructure.
The FBI's assessment last week
of distributed denial-of-service operations
seems to have been borne out.
WAPT reported some intermittent DDoS incidents late yesterday
that had a minor impact
on the Mississippi Secretary of State's public website, but these had no effect on voting and were in
any case quickly remediated. CISA officials said during their evening briefing yesterday
that an unnamed Russian hacktivist group, and remember in this context that Russian
hacktivists are best understood as auxiliaries for the Kremlin's
security and intelligence services, claimed responsibility in its Telegram channel for
hitting the Mississippi Secretary of State, but that there wasn't enough evidence for attribution.
Mississippi is the only state where CISA observed a sustained, albeit minor, outage,
and this one affected only a public-facing website with no immediate
connection to the voting. One county, Champaign County in downstate Illinois, reported outages
and computer performance issues, but NBC Chicago reports said that the issues were quickly
remediated without significant effect on voting. The tabulation machine outage in Maricopa County, Arizona,
seems to have been a malfunction.
A senior CISA official said yesterday evening
that the agency had quickly investigated the Maricopa incident
and found no indication of malfeasance.
To put Champaign and Maricopa counties into proper perspective,
consider that there are well over 3,000 counties
in the United States. We received some notes from Cloudflare earlier today on what they'd
observed during the voting. The secure networking company summarized its conclusions in a single
sentence. There were no large-scale attacks this election. The state and local governments
protected by the company's Athenian Project
saw an increase in application-layer DDoS attacks over the first week of November
that exceeded October's rates by only 3.4 percent. And that, in Cloudflare's experience,
really doesn't amount to much. Remember, in this context, that state and local governments are the
ones who actually conduct the elections.
For political parties and campaigns, the story was different.
Cloudflare for Campaigns, which protected these, saw a threefold increase of application-layer attacks over that same period.
Counting the votes and certifying the results will take time, of course.
That's not unusual. It's part of the normal process.
It's also part of the unfortunate norm
that there will be many bogus claims
of cyber meddling in the election.
The disinformation phase of this election season
has a ways to run.
And we're looking at you, Internet Research Agency,
and you too, Killnet.
Speaking of hacking and hybrid conflict,
BlackBerry has looked at the war against Ukraine and drawn some lessons for communications security.
They're old lessons, the kind that every war reteaches, but they're worth reviewing nonetheless.
The central lesson is that one should expect one's communications to be intercepted.
Whether the opposition can read them in time to use them
depends upon the effectiveness and the general use of your encryption.
BlackBerry points out that businesses, as well as armies, should keep this in mind.
CISA yesterday added seven new entries to its known exploited vulnerabilities catalog.
They include four issues in Microsoft products
and three for Samsung mobile products.
In accordance with Binding Operational Directive 22-01,
U.S. federal civilian executive agencies
have until November 29th to review their systems
and take steps to secure them.
As usual, CISA wants the agencies it oversees
to apply updates per vendor instructions.
Microsoft yesterday released fixes to address 68 issues in its products. By the SANS Institute's
tally of these, 10 are critical, one was previously disclosed, and four are already being exploited.
Users should check vendor security sites and, as CISA puts it,
apply updates per vendor instructions. Teleport this morning released its 2022 State of
Infrastructure Access and Security Report. The report details various challenges for DevOps,
security engineering, and other security professionals. In general, their findings indicate that organizations remain vulnerable to the threats former insiders pose. Respondents to
Teleport's survey were asked how confident they were that once an employee leaves their company,
all of their access is revoked. Less than a quarter of those surveyed said that they had
100% confidence, and almost half of the companies are less than 50% sure of the lack of access.
57% of respondents also report that new security measures have been put in place
that were not adopted by employees.
So again, HR, think about your off-boarding.
Think about your off-boarding.
Coming up after the break,
Carole Theriault examines cross-border money laundering.
The FBI's Bryan Vorndran offers guidance on how companies should think about their exposure in China.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Once the bad guys get your money, which these days usually involves cryptocurrency,
they have to figure out how to get that money into whatever currency they use locally. That often can involve cross-border money laundering,
and our UK correspondent Carole Theriault files this report about that.
The United Nations estimates that up to $2 trillion of cross-border money laundering takes place each year.
And they say the possible social and political costs of money laundering, if left unchecked or dealt with ineffectively are serious.
As some of us know, organized crime can infiltrate financial institutions,
acquire control of large sectors of the economy through investment,
or offer bribes to public officials and even governments.
But the big question is how to address this.
Well, greater information sharing and collaborative
analytics among financial organizations could transform the detection of this criminal activity.
But research suggests that this is hindered by the legal, technical, and even ethical challenges
involved in jointly analyzing sensitive information. And maybe what is needed
is privacy-enhancing technologies, also known as PETs, as they could play a transformative role
in fighting financial crime. Well, at least that's what the UK and US governments are hoping for. Six months after their initial announcement, they are preparing to kick off prize challenges focused on advancing the maturity of privacy-enhancing technologies to combat financial crime.
So the plan is this.
will be asked to develop state-of-the-art privacy-preserving federated learning solutions,
try and say that five times quickly, to help tackle the barriers to the wider use of these technologies. So in other words, figure out clever ways to bypass all the red tape in sending data
to and from different geographies efficiently and legally, right, in order to share
insights and do this all without compromising federal or organizational privacy. So it's a
pretty tall order. As part of the Privacy Enhancing Technology Prize challenges, innovators will be
able to engage with regulators. So this includes the UK Financial
Conduct Authority and the US Financial Crimes Enforcement Network. And the challenges will
be open to innovators on both sides of the Atlantic starting this summer. Challenge solutions
will be showcased in the second Summit for Democracy to be convened by President Joe Biden in early 2023.
So, do you think you have what it takes?
Then I suggest you keep an eye on communiques
from the UK and US governments.
This was Carole Theriault for The Cyber Wire.
And I am pleased to welcome back to the show FBI Cyber Assistant Director Bryan Vorndran.
Brian, welcome back.
I want to touch with you today, high-level stuff here,
some of the national security threats that you and your colleagues there at the FBI are tracking.
What can you share with us today?
Sure. Thanks, Dave. It's good to be back with you.
When we look at the national security threats from a cyber perspective,
I think it's important for the audience to know that the ultimate goal is early detection, containment,
and eviction. And that's going to be a different message than ransomware, which we'll talk about
later, which really should be a prevention. But in the national security nation-state space,
it really should be early detection, containment, and eviction. Undoubtedly, China is the most
prolific threat. Their threat encompasses corporate espionage, destructive attacks, obviously influence operations,
and certainly an intelligence collection at scale, which we'll also mention here a little
bit more in detail.
When we go back to SolarWinds, specifically with Russia, we saw Russia's ability to target
a handful of U.S. government agencies.
But in doing that, they compromised an additional
18,000-plus companies and organizations. And it's just a really good reminder for all of us about
Russia and other nation-states' patience and persistence to conduct these state-sponsored
attacks. You know, I think for your audience and for organizational leaders, this supply chain
threat and the third-party risk associated with
it, it's just so important for executives to understand how technical and organizational
interdependencies really increase the risk of potential exposure. You know, getting back to
China a little bit, certainly the theft of intellectual property is always at the top of
our mind. And what China does is, you know, they take this intellectual
property that they steal, they run it through their vast holdings through AI and attempt to
monetize it. We have to look no further back than how they targeted U.S. universities during the
COVID vaccine research period. And certainly we and others in the United States have no problem
with sharing the results of our research, but we would want to
do it on our terms because we've invested the time and the money to do it, and we don't want
that stolen by someone. China obviously poses a threat with theft of AI technologies, machine
learning, quantum computing, communication, clean energy, and the list goes on. We're also concerned
about how state actors moonlight for personal
gain, right? And when actors are uncontrolled, they have fewer constraints and they do do off
the record work. And, you know, as an example, we have to look no further back than six months ago
when China-sponsored hackers compromised six United States state .gov domains for a various set
of reasons, but including profit. And, you know,
when we talk about nation states, the last thing I'll mention is just what we refer to as access
and furtherance of attacks. You know, in military circles, this is known as prepping the battlefield,
but it's the pre-positioning of tools and capabilities to really maximize advantage.
And those advantages are taken or executed upon when a specific red line
is crossed. Very, very difficult to detect these access points and furtherance of attack.
This just highlights the importance of pen testing and threat hunting. So while China and Russia
certainly maintain high, high thresholds for kinetic action, others do not. And just as I
round out this part of my comments, we have to
look no further back than how the Iranians targeted Boston Children's Hospital within the last year
as an example of indiscriminate targeting and lower thresholds for kinetic action.
You know, we recently saw DOJ made some major announcements about the Chinese threat,
making some indictments. What does that
sort of messaging do on the global stage, putting them on notice that we're not going to stand for
this sort of thing? You know, I think China is a really interesting conversation. And, you know,
China does pose the broadest, most active, persistent espionage threat to corporations.
But it's not just a cyber threat. It's also a human threat. And, you know, companies and organizations that are based in the United
States really do have to think about their exposure when doing business in China, right?
And so the messaging coming out of DOJ continues to reemphasize this point that there is significant
risk from the Chinese government, both through cyber vectors and through human vectors, to steal intellectual property and to cause harm to
the United States.
When we're talking in public about the China threat, you know, it's really important for
businesses to know that the environment in China for them is really challenging.
You know, the cost of Americans doing business seems to include
blanket consent to state surveillance under the guise of security, and that's kind of a best-case
scenario. In a worst-case scenario, it's accepting the risk that all of your sensitive information may
be co-opted by the government. And so this isn't really hyperbole to us. In 2020, we identified
that the Chinese government had forced U.S. companies to
download tax software to comply with different quote-unquote cybersecurity laws, and then the
Chinese government stole from those companies using that mandated software. So, you know,
we know that the market in China is an important one for American businesses, and only those
businesses can understand their true risk proposition, risk profile.
But they need to be very, very careful
as they enter into that market.
All right.
Well, FBI Cyber Assistant Director Bryan Vorndran,
thanks for joining us.
Thank you.
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe.
and espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in
Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester,
Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.