CyberWire Daily - A new joint advisory from the US and Australia. BackConnect evolution. Cl0p counts coup. Ransomware trends. DDoS for influence. It’s “dot-mil,” Nigel.

Episode Date: July 28, 2023

A joint warning on IDOR vulnerabilities. IcedID's BackConnect protocol evolves over one year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023. Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/143

Selected reading.
Preventing Web Application Access Control Abuse (Joint Cybersecurity Advisory: ACSC, NSA, CISA)
Inside the IcedID BackConnect Protocol (Part 2) (Team Cymru)
Deloitte denies Cl0p data breach impacted client data in wake of MOVEit attack (ITPro)
Ransomware Report: Q2 2023 (ReliaQuest)
Kenya ICT minister admits cyber-attack on eCitizen portal, insists data secure (The East African)
Anonymous Sudan: the group behind recent anti-Kenya cyberattacks (TechCabal)
Kenya President Ruto to skip Russia-Africa Summit (The East African)
UK accidentally sent military emails meant for US to Russian ally (POLITICO)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A joint warning on IDOR vulnerabilities. IcedID's BackConnect protocol evolves over the year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023.
Starting point is 00:02:17 Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, joins us to discuss the Biden administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts. I'm Dave Bittner with your CyberWire Intel briefing for Friday, July 28, 2023. The Australian Signals Directorate's Australian Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency,
Starting point is 00:03:18 and the U.S. National Security Agency have issued a joint advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference vulnerabilities. That's IDOR. So what is an insecure direct object reference anyway? It's not as difficult to understand as the forbidding name might make it appear to be. In fact, that forbidding name is actually more informative than most. IDOR is basically what can happen when a web application or an application programming interface uses an identifier that grants direct access to an object in an internal database, but which fails to check for some form of access control or authentication. So it's basically a programming
Starting point is 00:04:05 error that fails to protect access to some object. The advisory explains, these vulnerabilities are common and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks, where information is unintentionally exposed, or large-scale data breaches, where a malicious actor obtains exposed sensitive information. Has this actually happened? Well, yes, it has. The three agencies point to three instances in which IDOR vulnerabilities were used to facilitate data breaches. First, in October 2021, a global data leak took place exposing mobile phone data,
Starting point is 00:04:59 including text messages, call records, photos, and geolocation from numerous devices. The leak resulted from insecure stalkerware apps, which collected and transferred data from the phones to a foreign server infrastructure. This server had an IDOR vulnerability, CVE-2022-0732, which facilitated the exposure of the collected app data. In 2019, a data breach incident affected a U.S. financial services sector organization, leading to the exposure of over 800 million personal financial files. The compromised information included bank statements, bank account numbers, and mortgage payment documents. Additionally, in 2012, a malicious cyber actor successfully obtained the personal data of more than 100,000 mobile device owners from a U.S. communications sector organization's publicly accessible website. Team Cymru has released part two of their Inside the IcedID BackConnect Protocol series, in which they take a closer look into BackConnect, or BC. BC is a protocol
Starting point is 00:06:07 used to transmit IcedID infections. IcedID, also known as BokBot, started life in early 2017 as a banking trojan that later evolved to include dropper malware capabilities. These capabilities enabled IcedID to download and deploy additional malware like Cobalt Strike, with recent infections leading to Quantum ransomware, according to Team Cymru. The researchers go on to explain, the use of the BC protocol is of particular interest to us and remains a priority for our overall tracking of IcedID. Analyzing activity related to BC infrastructure provides a strategic view into threat actor activity and interests, as it's a window into what occurs after a successful infection and the victim was deemed valuable for their use.
Starting point is 00:06:57 The threat's evolving, and the researchers at Team Cymru note that they have identified a possible connection between infected machines and a spamming campaign, which represents a potential double blow for victims, as not only are they compromised and incurring data and financial loss, but they're also further exploited for the purposes of spreading further IcedID campaigns. Cl0p has posted data it claims to have hacked from Big Five accounting firm Deloitte, Cybernews and other outlets report. The gang says it exploited vulnerabilities in MOVEit to accomplish the data theft. It had earlier this month bragged about targeting PricewaterhouseCoopers and Ernst & Young. Deloitte acknowledged receiving Cl0p's attentions but discounted the effect as negligible. A Deloitte spokesperson said, Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact on client data.
Starting point is 00:08:01 So there's probably less to the attack than Cl0p would have everyone think, but this kind of nonsense is an ongoing irritant. ReliaQuest has released a report on ransomware trends for the second quarter of 2023. The company's study concludes that victim counts for the second quarter have skyrocketed. They write, in the second quarter of 2023, close to 1,400 organizations were named on ransomware and data extortion websites. This marked a substantial increase, 66%, from the first quarter of 2023, which saw close to 850 affected organizations. What makes this increase even more impressive is that quarter one of 2023 had set the record for the most victims ever recorded, but quarter two of 2023 shattered that record with 500 more.
Starting point is 00:08:52 The number of organizations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations. ReliaQuest finds that Cl0p's MOVEit campaign was the most impactful of the campaigns in the second quarter, but also they note that it's technically an extortion campaign as opposed to a ransomware effort, strictly speaking. Cl0p has yet to encrypt the files they're taking. If a double extortion campaign is one that both encrypts and steals data with the threat of doxing, then Cl0p simply moves to stage two, skipping the encryption stage. The cyber criminals with
Starting point is 00:09:31 the highest victim count belong to LockBit, with close to 250 organizations being named in their ransom requests. The U.S. continues to be the main target for cybercrime campaigns, with the UK, Germany, Canada, and France trailing by large margins. The sectors most heavily hit were science and technology, manufacturing, and finance and insurance. Anonymous Sudan, a front for Russian intelligence services, has claimed responsibility for a cyberattack against Kenya's eCitizen portal. The East African reports that Kenya's ICT minister acknowledged an attack on the system, a place where Kenyans access government services online, but said that no data had been lost. The government was working to secure eCitizen and restore it to full operation.
Starting point is 00:10:23 TechCabal has an account of the extent of the disruptions, which it characterizes as DDoS attacks. The outlet also quotes the rationale Anonymous Sudan offered for the campaign, stating that Kenya has released statements doubting the sovereignty of the Sudanese government. Here's a more likely explanation. Kenya's president, William Ruto, declined to attend the Russia-Africa Summit and gave, as his reason, the impropriety of appearing to support one side in Russia's war. And finally, we're not going to point fingers or cast stones
Starting point is 00:11:00 here because that's not our place, but gosh darn it, it's .mil, not .ml. .mil is the top-level domain for the U.S. military. .ml is the top-level domain for Mali. So it's like this. The Times of London harrumphed that Ministry of Defence officials in the United Kingdom accidentally sent emails containing classified information to Mali, an African country with close links to the Kremlin, because of a typing error. That is, they typed .ml in the address and off they went. His Majesty's Ministry of Defence harrumphed back, stating, This report misleadingly claims state secrets were sent to Mali's email domain. We assess fewer than 20 routine emails were sent to an incorrect domain
Starting point is 00:11:47 and are confident there was no breach of operational security or disclosure of technical data. We say harrumphed, but actually they tweeted it or X'd it or whatever we're supposed to be calling transmissions over at the House of Musk's social platform these days. Javvad Malik, lead security awareness advocate at KnowBe4, commented sadly about this incident, stating, human error contributes to most cyber incidents, and this is no exception. It is a stark reminder of how technical controls can't prevent all scenarios, and security awareness and training
Starting point is 00:12:22 is also a vital component in keeping organizations safe. We'll add a lesson we all tried to learn in grade school. Spelling counts. At any rate, the MOD explained further. An investigation is still ongoing. Emails of this kind are not classified as secret or above. This should be, insofar as the causes of the incident are concerned, the world's shortest investigation. We'll do it for you. Ally to ally. Finding. Someone fat-fingered their
Starting point is 00:12:53 keyboard. Recommendation. Gadzooks, pay attention to your typing. Hit our tip jar and call it a day, MOD. Politico's headline points out sternly that Mali is a Russian ally. Okay, well, Mali isn't an ally of Russia like the U.S. is an ally of the U.K. Think of the countries as just casually seeing each other, not actually dating, still less going steady. Full disclosure, our editorial staff confesses to misspelling Mali as male no less than four times in the course of preparing this script. Staff writers, spelling counts. Spell M-I-L. Coming up after the break, Deputy National Security Advisor for Cyber and Emerging Technology,
Starting point is 00:13:54 Anne Neuberger, joins us to discuss the Biden administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. Stay with us. visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:15:05 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:15:49 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Thank you. today by talking about the announcement that you all released recently. This has to do with labeling for consumer IoT devices. What do we need to know about this? So we're trying to get at a really core hard problem in cybersecurity, which is we need companies to build more secure products, secure by design. We know Americans are really concerned about the security of products they're bringing into their homes and offices. How do we link the two? So we're linking the two by having a U.S. government cyber trust mark, a label that consumers can start looking for on a device. Think about smart meters, think about smart microwaves,
Starting point is 00:16:59 smart climate control systems. If the companies producing that met a specific cybersecurity standard for the security of the product, for the ongoing updates and maintenance of that product, it will earn the right to bear that label. So essentially what we're trying to do is give Americans that peace of mind when they're shopping to say, if you see that label, you know that product is secure and it meets a government cybersecurity standard. I've heard people describe it as a sort of energy star label for cyber. That's exactly the goal. So when you and I are shopping for a particular device,
Starting point is 00:17:33 you know, we don't, I'll speak for myself, I don't necessarily know what makes the details of why it's energy efficient, but I know when I see that energy star label on it that it is. And we have the same goal. Americans don't need to understand the details unless they really want to, why a specific smart TV is cyber secure, but they need the peace of mind that there is a secure option available for them when they're shopping online or in stores and when they're then bringing that product into their home. Now, my understanding is
Starting point is 00:18:01 at this point, the program is voluntary, but you have quite a number of organizations who've signed up to support this. It is indeed voluntary. Manufacturers and retailers were excited about it. So we had companies like Amazon, Best Buy, Google, LG Electronics, Logitech, and Samsung, both all announcing support for the program, that they would be working to apply it to products meeting the established cybersecurity criteria. And in fact, a part of the rollout included a showcase where those companies brought the product they will be submitting to review and assessment to see if they meet the cybersecurity standard which NIST has created. And when do you suppose we might see some of these labels on products? is created. And when do you suppose we might see some of these labels on products? So the FCC, which will be running the program, has a very specific set of steps it needs to roll out. So they'll be rolling out something called a notice for a rulemaking to get input from various
Starting point is 00:18:58 stakeholders. For example, how should we be testing these products against the standard that NIST has created? There's always this balance between how rigorous the testing is and the fact that we want to get many products to have this label, many products ready to be more secure. So they'll be taking input from the public, from stakeholders about how to test products against the standard. They'll get that input in. test products against the standard. They'll get that input in. Based upon that, they will set those details of the program and finalize several final legal steps. Our goal is that in 2024, there will be products on the shelf with this mark. President Biden also recently reached out to a number of the big players in the artificial intelligence community and asked for a meeting to discuss commitments for them,
Starting point is 00:19:46 for safety, for American citizens, and indeed folks all around the world. What was that process like and where do we stand coming out of that? Great question. So the White House brought together seven leading AI companies last week, following up on a meeting
Starting point is 00:20:01 the President and Vice President hosted here at the White House, where he assembled these companies and said, you have an obligation, you have a responsibility to improve the trust and safety of your products, to ensure that they're safe before introducing them to the public, and then to ensure that the systems themselves are secure by, for example, safeguarding the models against cyber and insider threats and sharing best practices among the industry of that. And finally, companies, you have the obligation to really earn Americans' trust, making it easier for users to tell if the video or the voice content
Starting point is 00:20:39 is in its original form or it's been altered by AI. So those are the set of commitments that companies came together to make at the White House last week. Again, similar to the labeling announcement, these are voluntary commitments. So the White House sees that as being a good first step here? The words you used are exactly right, Dave. These are a first step. In parallel, the government is working on an executive order that will frankly ensure that we're doing everything in our power to advance safe, secure, and trustworthy AI that manages risks and also ensures that we're leading the way in using AI where it does bring benefits to our society, to our economy. that executive order. And it's also a bridge to, as you know, the work Congress is doing, led by Leader Schumer, to put in place regulations on exactly these same issues, on trust and safety, on countering bias, on managing the risks to individuals and to our society.
Starting point is 00:21:38 Well, it's certainly been a busy few weeks out of the Biden White House here with the National Cybersecurity Strategy, the labeling announcement, and this AI commitment announcement. I understand you have something coming up as we come into the back to school season. Yeah. So first, we're trying to move at the pace of tech, Dave. So one of the areas that keeps me up at night, frankly, is the rising ransomware attacks we've been seeing against schools and we've been seeing against hospitals. And the ransomware attacks we see against schools, both are disruptive. You know, last year around Labor Day, shout out and thanks to the FBI who rapidly deployed a team to L.A.
Starting point is 00:22:18 because there was a ransomware attack against the school district. And the superintendent reached out and was really concerned that the school might not be able to open right after Labor Day because of that. And it was just rapid efforts by the FBI, by LA, the school district to recover, and they were indeed able to open. We've seen that ongoing throughout the year,
Starting point is 00:22:38 not only the disruption, but also the theft of sensitive data about students that's been released on the deep web. So we'll be having an event here at the White House first week of August, bringing together school superintendents, bringing together teachers, bringing together key companies that produce tech for schools. The Secretary of Education will be here, Secretary of Homeland Security, key readers, CISA, FBI, to announce, to both discuss the problem set, announce a specific
Starting point is 00:23:06 set of resources from various entities across U.S. government to help schools to really get schools ready, not only for this year's school opening, but for a set of resources to support them over the coming months to improve the cybersecurity of schools and really push back against the ransomware threat we're seeing. Ann Neuberger is Deputy National Security Advisor for Cyber and Emerging Technologies. Deputy Neuberger, thanks so much for joining us. And joining me once again is Eric Goldstein. He is Executive Assistant Director at CISA. Eric, it is always great to welcome you back to the show.
Starting point is 00:24:00 You know, one of the challenges that I think organizations face is measuring success. And I really wanted to touch base with you today about where we stand and where you think we're going when it comes to some of these cybersecurity performance goals. Thanks so much, Dave. It is wonderful to be back on with you. And it's really been an exciting the first version of the performance goals based upon a really clear message from the cybersecurity community, from owners and operators across sectors, which is there is so much that we can do in cybersecurity. There are so many standards, guidance documents, best practices. Where do we start? And so the performance goals are intended to be a helpful answer to that question, at least a starting point to say, if I'm a small or medium organization, if I'm an under-resourced utility, for example, how do I prioritize my investment based upon
Starting point is 00:24:58 impact, complexity, and cost? And so over the past few months, we've been marketing and we've been doing assessments based upon these performance goals across sectors. And now going forward, we're really focusing on doing these sector-specific performance goals with nuances per sector, and then rolling out additional tools that make it easier for organizations to actually use the performance goals to assess gaps in their programs and figure out where to go next. Can you give us some ideas of things you all have learned along the way? Absolutely. The first thing we've learned is that right now there are 38 performance goals. That felt to us when we built this like a reasonable number, but it turns out for many
Starting point is 00:25:42 organizations that's actually still too many. And so one of the things that we're excited to be working on now is a tool that we're going to roll out in the months to come that's going to walk organizations through the performance goals in a really user-friendly, easy-to-use way, and then say, based upon your maturity, based upon what you've done so far, Here are the few investments that you might want to make next. And here are some resources from CISA, from other government partners, and from the private sector that can help you get there. And really think, if you're a local school district, if you're a small hospital, if you're a water utility,
Starting point is 00:26:19 you might only be able to invest in two, three, four cybersecurity initiatives this quarter or even year, where do you go with those limited resources to have the most impact on your security and resilience? And what are you hearing back from the folks who are looking at these goals? I mean, my understanding, rather, is that CIS's approach to this is to be very collaborative, that this isn't the big bad government agency coming down on high and telling folks what they have to do. That's exactly right. We released the first iteration of these goals in December of last year.
Starting point is 00:26:55 We then got feedback from dozens of partners around the country on our GitHub page, which is still open for comment and feedback. We then released the next iteration in March, and we're still going out there soliciting feedback both on our GitHub page as well as every time we have a discussion with a partner or do an assessment using our performance goal tool. Part of that goal is to say, how are these working for you? Are these really helping you direct your investment towards the right place to reduce the most risk? And so we intend to keep rolling out new versions of these cross-sector performance goals, even as we simultaneously work on sector-specific goals for those critical sectors that have unique risk environments or uses of technology where some more nuanced goals
Starting point is 00:27:42 might be applicable. And how do you and your colleagues there at CISA measure success when it comes to the implementation of these goals? That is such a good question. You know, there are really two ways to measure success. The first is just organizations who we know are using the performance goals. So, for example, we track the number of entities that have downloaded and used our free assessment tool. We track the number of assessments that our regional team members are delivering across the country. But we also know that adoption doesn't equal security. And so we are working both with our native visibility through, for example, our attack surface management program,
Starting point is 00:28:21 as well as with third parties in the cybersecurity community to really figure out across every performance goal what is the data that's available nationally on an anonymized aggregate level to actually show change, to actually show, well, is the country getting better, for example, at mitigating known exploited vulnerabilities? Is the country getting better at adopting multi-factor authentication for privileged accounts? That's data that even if we don't have it organically here at CISA, it's data that exists. And so we're developing these dashboards and way of tracking performance goal adoption nationally and across sectors so that we can actually show not just use of the performance goals,
Starting point is 00:29:05 but actual security change. And whether or not that change is due to us evangelizing the performance goals, it doesn't matter because we're achieving the right security outcomes that we need to accomplish as a country. All right. Well, Eric Goldstein is Executive Assistant Director at CISA. Eric, thank you so much for joining us. Thanks so much, Dave. Always a pleasure. Cyber threats are evolving every second,
Starting point is 00:29:42 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. happens anywhere, anytime. Police have warned the protesters repeatedly, get back.
Starting point is 00:30:25 CBC News brings the story to you live. Hundreds of wildfires are burning. Be the first to know what's going on and what that means for you and for Canada. This situation has changed very quickly. Helping make sense of the world when it matters most. Stay in the know. Download the free CBC News app or visit
Starting point is 00:30:46 cbcnews.ca. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Ashley Bang from Reversing Labs. We're discussing Operation Brain Leaches, malicious NPM packages, fuel supply chain, and phishing attacks. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback
Starting point is 00:31:26 helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence
Starting point is 00:31:54 optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben. while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester
Starting point is 00:32:10 with original music by Elliot Peltzman. The show was written by John Petrick. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:32:56 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
