CyberWire Daily - A public-private conference takes up open source software security at the White House. MuddyWater attributed to Iran. Espionage and ransomware arrests.

Episode Date: January 13, 2022

A White House government-industry summit today addresses open-source software security. The US officially makes its second attribution of the week to a nation-state: it calls out Iran as the operator of the MuddyWater threat group. Israel arrests five on charges related to spying for Iran (they’re thought to have been recruited through catphishing). Citizen Lab finds Pegasus in Salvadoran phones. Ukraine arrests a ransomware gang. Thomas Etheridge from CrowdStrike on the importance of threat hunting for zero days. Our guest is Dr. David Bader of New Jersey Institute of Technology discussing the challenges of securing massive-scale analytics. And ransomware hits US state and local governments. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/9

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 A White House government-industry summit today addresses open-source software security. The U.S. officially makes its second attribution of the week to a nation-state. Israel arrests five on charges related to spying for Iran. Citizen Lab finds Pegasus in Salvadoran phones.
Starting point is 00:02:21 Ukraine arrests a ransomware gang. Thomas Etheridge from CrowdStrike on the importance of threat hunting for zero days. Our guest is Dr. David Bader of the New Jersey Institute of Technology discussing the challenges of securing massive-scale analytics. And ransomware hits U.S. state and local governments. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 13th, 2022. The direct warning of a Russian threat to U.S. infrastructure that CISA, NSA, and the FBI jointly issued earlier this week came after some weeks of work to find and remediate vulnerabilities in the Apache Foundation's vulnerable Log4J open-source library. Yesterday, U.S. Cyber Command formally attributed the activities of the threat group familiarly known as MuddyWater to Iran's intelligence agencies,
Starting point is 00:03:36 specifically to the Ministry of Intelligence and Security. Among the tools the group uses are variants of the open-source PowGoop DLL sideloader. MuddyWater seems to have been more involved in espionage than sabotage, but its dependence on open-source tools is noteworthy. Government and industry leaders are meeting today in a White House open-source software security summit, where they will address the current threats to open-source software and seek ways of reducing risk. The issues with open-source security have gained prominence during the prolonged search for and remediation of Log4J vulnerabilities. CyberScoop reports the tech industry attendees include Akamai, Amazon, Apache Software Foundation,
Starting point is 00:04:22 Apple, Cloudflare, Facebook Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, Red Hat, and VMware. The U.S. government agencies in attendance include the Departments of Commerce, Defense, Energy, and Homeland Security, and such agencies as CISA, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director, and the White House Office of Science and Technology Policy. Log4J is a single case of a more widespread challenge. We saw Tuesday that the Apache Software Foundation intended to argue that downstream users of open-source software
Starting point is 00:05:03 should play a larger role securing the supply chain on which so many of their products depend. Kent Walker, president, global affairs, and chief legal officer of Google and Alphabet, this morning commended the administration's decision to convene the meeting. Walker said, quote, Given the importance of digital infrastructure in our lives, it's time to start thinking of it in the same way we do our physical infrastructure.
Starting point is 00:05:28 Open-source software is a connective tissue for much of the online world. It deserves the same focus and funding we give to our roads and bridges. Today's meeting at the White House was both a recognition of the challenge and an important first step toward addressing it. End quote. U.S. Cyber Command's attribution of MuddyWater to Iran's Ministry of Intelligence and Security is the second formal attribution of malicious activity in cyberspace the U.S. has made this week, coming as it does shortly after the joint CISA-FBI-NSA warning
Starting point is 00:06:03 of Russian activity against critical infrastructure. In the case of MuddyWater, U.S. Cyber Command shared details of the tools MuddyWater is known to be using and advises network operators that finding such tools in their systems may indicate the presence of Iranian malicious cyber actors. Other Iranian threat actors also make use of open-source tools. Check Point describes how APT35, also known as Charming Kitten, has been using Log4J vulnerabilities to distribute a new modular PowerShell toolkit. The tools both encrypt and exfiltrate data APT35 takes from its targets.
Starting point is 00:06:51 Israel has arrested five people on charges connected with alleged Iranian espionage, Bloomberg reports. Four women and one man were arrested. Yahoo News says they were persuaded to spy on behalf of Tehran through a catfishing operation that used the bogus identity Rambod Namdar, which the catfishers represented as a Jewish-Iranian. The Israelis prospected in the operation were also Jews of Iranian origin, and so the operation appears to be a classic affinity scam of the kind long used by intelligence services seeking to recruit human assets. The University of Toronto's Citizen Lab reports that it's found NSO Group's Pegasus intercept tools
Starting point is 00:07:30 in phones belonging to some 35 journalists, non-governmental organizations, and members of civil society in El Salvador. Two independent journalists were also affected and a third unnamed organization. Citizen Lab says, quote, The hacking took place while the organizations were reporting on sensitive issues involving the administration of President Bukele, such as a scandal involving the government's negotiation of a pact with the MS-13 gang for a reduction in violence and electoral support, end quote.
Starting point is 00:08:04 There's a single customer of Pegasus in El Salvador, unidentified, but which Citizen Lab calls Torogoz. There's no clear attribution of Torogoz, but Citizen Lab argues that circumstantial evidence points to the government. While there is no conclusive technical evidence that Torogoz represents the Salvadoran government, the strong country-specific focus of the infections suggests that this is very likely. Additionally, in the single case of hacking in this investigation,
Starting point is 00:08:34 in which Citizen Lab recovered the domain names of the Pegasus servers used, the Torogoz operator was implicated. Ukrainian authorities have arrested five alleged members of a ransomware gang that operated internationally. Exactly what ransomware group they're associated with is unclear, but Ukrainian police say that they operated against at least 50 targets and used a variety of identities on the dark web. A man said to be the leader of the group was arrested, along with his wife and three alleged accomplices. The police also seized bank cards, phones, computers, flash drives,
Starting point is 00:09:12 and it hardly needs be mentioned, three cars, because cyber criminals like their cars. And finally, ransomware attacks continue to hit a broad range of U.S. state and municipal agencies, including health departments and schools. The state of Maryland has confirmed that a cyber incident that began on December 4th was indeed a ransomware attack against the state's Department of Health. The department's IT staff noticed anomalous behavior in a server
Starting point is 00:09:41 and reported it to responsible state authorities, who worked to contain and remediate the incident. The state is satisfied that the damage has been contained, but that it's exercising caution in restoring services. Bernalillo County, New Mexico, has been working to recover from last week's ransomware attack, with many services still disrupted. The Verge reports that among the affected institutions was the Metropolitan Detention Center, the Albuquerque Jail, which has effectively been forced into a lockdown. And KRQE reports that a cyber attack's effects have spread to the Albuquerque Public Schools, which have had to close today. Details on this particular attack
Starting point is 00:10:24 are still sparse, and while officials hope to be able to reopen tomorrow, they're still working to fix systems they regard as essential to both instruction and student safety.
Starting point is 00:11:36 When considering the data computers collect, everything from system logs to medical information,
Starting point is 00:12:44 atmospheric measurements to personal location data. A phrase you'll hear often used is a firehose of data. The notion that there's so much data coming at us, it's a challenge to even channel and contain it. But that, my friends, is where the data scientists come in. Wrangling data just happens to be their superpower. Dr. David Bader is Distinguished Professor and Founder of the Department of Data Science at the New Jersey Institute of Technology and also Inaugural Director of the Institute for Data Science at NJIT. When we look around the world, we see data being collected from sensors, from health records, from network traffic in many different
Starting point is 00:13:28 places. And what I try to do is to make sense of this information and to be able to act on this data in some meaningful way. The area that I work in is high-performance data analytics, where often we design hardware and software solutions and new algorithms to be able to make decisions based on the analytics of these massive datasets. And is that the fundamental challenge, the scale of these datasets that you're dealing with, and how you come at them in an efficient, practical way? That's right. The scale becomes very challenging. Many of our tools for data science, for instance, we may use our Jupyter notebook and run Python on our laptops,
Starting point is 00:14:18 and that's great when our data set fits on our laptop. But when we have data sets that are much larger, for instance, terabytes in size, that no longer is feasible, and we need to design new solutions. So that scale is a challenge, as well as the interactivity with analyzing these massive data sets. So being able to ask a query and get an answer back as you sit there, as well as some of the algorithms need to handle the fidelity that you need to see when you get to these large data sets. Can you give us an example of this sort of thing
Starting point is 00:14:59 that people would be able to wrap their heads around? What sort of applications does this have in the, I guess I'll use the word real world, even though that might not be the best term for it. Sure, that's a great question. And we regularly work with data sets coming from many different disciplines. For instance, in healthcare,
Starting point is 00:15:20 rather than looking at just an individual patient, we may be working with an entire database of hundreds of thousands of patient records and trying to understand individual patterns among those patients. So it really gives you the power to analyze across these really large data sets. But also in cybersecurity, we often have system logs, and these system logs could go back a very long amount of time in previous history and really cover many different areas within an organization. So rather than just taking the last day of logs, we could look at the last 10 years of logs. And we also want to move from just reporting any time an intrusion occurs to really predicting and understanding concerns before some egregious event happens. So for instance, after an intrusion, we may collect logs to understand how the intruder got in, what did they touch, what did they exfiltrate, what did they damage, and learn from that.
Starting point is 00:16:34 Where we'd like to get to is being able to use all of these logs and data in near-real time, not to report the news after something bad happens, but to predict and to really have the capability to stop future attacks. As you and your colleagues are doing the work that you do, what part do considerations of security and privacy play? Security and privacy clearly are part of everything that we do. When we've worked on problems, for instance, insider threats within large organizations, we normally work with data sets where individuals within the organization were explicitly informed that they would be monitored within those organizations. We've also designed data structures where we have fields that will record the provenance of data and help maintain access
Starting point is 00:17:26 control within very sensitive data sets. It's always a concern in data science for understanding security and privacy of these data sets. And we aim to push the conversation as we move to analyzing these massive data sets. You know, you mentioned doing work through things like DARPA grants and so on and so forth. Is there a certain amount of national pride in the work that we're doing here that we remain a leader in this area? I think so. The United States is really poised to accelerate what we're doing with high-performance
Starting point is 00:18:05 computing, and especially for problems in cybersecurity and nation-scale security. I was a part of the Obama administration's National Strategic Computing Initiative that really laid out a strategic plan that was updated by the Trump administration in 2019, and then the FACE program from the current administration for really pushing what we do in terms of partnerships in industry, in academia, and in government for making the United States the leader for strategic computing. So this is a place where we have an advantage. We have great minds. We have some of the leading vendors who are building the systems, both hardware and software. And also we're training a workforce in the United States. In fact, at the New Jersey Institute of Technology, we have an Institute for Future Technologies,
Starting point is 00:19:05 and we have programs in cybersecurity that are really training the next generation of a diverse workforce that's able to solve the needs of this cybersecurity community. That's Dr. David Bader. He is professor and founder of the Department of Data Science at the New Jersey Institute of Technology.
Starting point is 00:19:50 And I'm pleased to be joined once again by Thomas Etheridge. He's Senior Vice President of Services at CrowdStrike. Thomas, it's always great to have you back.
Starting point is 00:20:36 You know, you and I have touched on the topic of threat hunting before, and I really want to dig in with that with you today. When a new zero day comes out, what part does threat hunting play in an organization's response plan? Thanks, Dave. Great to be here. I think threat hunting is absolutely essential to being able to address some of the issues we see today in the market related to the zero day vulnerabilities that are published quite frequently these days. Threat hunting allows an organization to look past the exploitation of the vulnerability into what a threat actor could be doing in an environment after that exploit occurs. And doing that in collaboration with an organization's existing
Starting point is 00:21:19 security team is important. Organizations have their own level of context and detail about the environment that they're responsible for monitoring. And a lot of threat hunting organizations, CrowdStrike's included, have a lot of great context around the tactics and techniques that threat actors are employing to carry out their tradecraft. And they understand the tooling that they're using as well. How do you make the case for folks who may be new to threat hunting? How do you convince them that this is something that needs to be a part of their regular operations? Dave, the best way for me to describe the impact that threat hunting can have on an organization is that there is no perfect solution from an endpoint detection capability to be able to understand what tooling the threat actor is
Starting point is 00:22:27 using and or deploying in the environment, what their motivations are, bringing intelligence and an understanding of threat actor tactics and techniques to that contextual understanding of what the threat actor could be doing to carry out their mission is really critical. but not understand the context of what might be happening in the same industry vertical or in the same region or geography, to bring that context to a threat hunt is really critical. When it comes to organizations dialing in their implementation of threat hunting, what are your recommendations there? Everyone has a limited amount of time. They have a limited amount of budget. You know, when they're turning those knobs as to what they're allocating their resources towards, where does threat hunting fit in? Well, I think you got to look at the landscape and have an
Starting point is 00:23:37 understanding of what's going on in the market. In the telemetry that CrowdStrike collects, in the last year, approximately 75% of the intrusion attempts we saw in 2021 have been associated with e-crime threat actors. Those are actors that are financially motivated. They're looking to deploy malware, ransomware into an environment, possibly exfil data that they can use to extort a ransom payment. The threat actors on the e-crime side have been prolific, and that's not new news. But understanding where you're vulnerable in your environment is important as well. 88.41% of the intrusion attempts we looked at in 2021 from a threat hunting perspective targeted the Windows operating
Starting point is 00:24:25 system. So if you're a prolific Windows shop, understanding the security and patch level of those assets, whether or not they're vulnerable to an attack, those are things that are important to invest in from a threat hunting perspective. Last thing I could point out is the tool set that threat actors are using. It's not uncommon for threat actors to use similar tools and technologies that exist in many of the environments today, using PsExec, Cobalt Strike, Mimikatz, BloodHound, Defender Control. A lot of those tools are pretty standardized in a lot of organizations today, but threat actors are able to take advantage of those tools to remain persistent in an environment. Being able to monitor and threat hunt against those types of tools and understand
Starting point is 00:25:18 how they're being used is really critical. All right. Well, Thomas Etheridge, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
