CyberWire Daily - CISA issues Binding Operational Directive 23-01. LAUSD says ransomware operators missed most sensitive PII. Trends in API protection SaaS security. Making a pest of oneself in a hybrid war.
Episode Date: October 4, 2022

CISA issues a Binding Operational Directive. An LA school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. Analysis of cyber risk in relation to SaaS applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themself in Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/191

Selected reading.
Binding Operational Directive 23-01 (CISA)
CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection (Cybersecurity and Infrastructure Security Agency)
CISA aims to expand cyber defense service across fed agencies, potentially further (Federal News Network)
CISA directs federal agencies to track software and vulnerabilities (The Record by Recorded Future)
Student, Teacher Data Not Affected in Los Angeles School District Hack (Wall Street Journal)
'No evidence of widespread impact,' LAUSD says of data released by hackers (KTLA)
New API Threat Research Shows that Shadow APIs Are the Top Threat Vector (Cequence Security)
Secureworks State of the Threat Report 2022: 52% of ransomware incidents over the past year started with compromise of unpatched remote services (Secureworks)
Russian Citizens Wage Cyberwar From Within (Kyiv Post)
Russian Hackers Take Aim at Kremlin Targets: Report (Infosecurity Magazine)
Russian retail chain 'DNS' confirms hack after data leaked online (BleepingComputer)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA issues a binding operational directive. An L.A. school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. We've got analysis of cyber risk in relation to software as a service applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themselves in Russia.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, October 4th, 2022.
Happy Fiscal New Year to all of our U.S. federal listeners. The first significant cyber policy of Fiscal Year 23 appeared yesterday. CISA opened the U.S. Federal Fiscal Year with Binding Operational Directive 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive specifies desired outcomes for asset visibility and vulnerability detection without prescribing the steps federal executive civilian agencies need to take to comply. The key compliance deadline is April 3, 2023, by which time the organizations falling under CISA's tutelage will be expected to, first, perform automated asset discovery every seven days. Second, initiate vulnerability enumeration across all discovered assets, including all discovered nomadic or roaming devices (that means laptops), every 14 days. There's some wiggle room here for larger, more complex organizations, and CISA recognizes that it might not be possible to get full visibility in two weeks. Nonetheless, CISA says that enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window. Third, within six months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data as relevant to this directive to the CDM dashboard. These data are of interest to CISA as a means of automating its oversight and monitoring of agencies' scanning performance. And fourth, by April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts as authorized by the executive order on improving the nation's cybersecurity. Regular reporting will kick in at 6, 12, and 18-month intervals. Again, it's CISA's intention that the directive be understood as a mission order, that there are many ways agencies can comply, and the precise methods and procedures they choose are largely up to them.

The Los Angeles Unified School District continues its recovery from the ransomware attack it first reported on September 5th. The Wall Street Journal reports that the district says that the data taken by the criminals did not include student or staff psychiatric records, as had been rumored. The district says that the compromised data included little information on students or staff.

Cequence Security has published a report on API security, finding that 31% of the 16.7 billion observed malicious transactions in the first half of 2022 targeted unknown or unmanaged APIs, also known as shadow APIs. Cequence explains, shadow APIs are a particularly pernicious threat that can be categorized as OWASP API 9, improper asset management abuse. Shadow APIs are a common problem in organizations that do not have proper inventory on their quality assurance and development API endpoints or their versioning system, and attackers can easily discover API endpoints that will interact with production data. Shadow APIs can also appear when endpoints are coded to accept variables or wildcard inputs either within the uniform resource identifier path or at the end. Attackers are able to easily find shadow APIs by analyzing a production API, which may be well-protected, then simply fuzz or modify the values, enumerating through other API endpoints on different versions under different host names, or simply accepting random characters at the end of the URI. The vast majority of malicious activity targeting APIs is powered by automation, for example, sneaker bots attempting to cop the latest Dunks or Air Jordans, or stealthy attackers attempting a slow trickle of card-testing fraud on stolen credit cards to pure brute-force credential-stuffing campaigns.
Varonis released a report today detailing software-as-a-service applications and the cyber risks associated with them. The researchers analyzed 15 petabytes of data across 717 organizations across a number of industries. The researchers found that about 81% of companies analyzed had sensitive SaaS data exposed to the whole internet. The average company has 10% of cloud data exposed to every employee, 157 sensitive records exposed to the open internet through SaaS sharing features, 33 super administrator accounts with over half of those accounts not utilizing multi-factor authentication, and just over 4,400 user accounts without multi-factor authentication. It was also discovered that there are over 40 million unique permissions across SaaS applications and over 12,000 Microsoft 365 sharing links. The most alarming statistic discovered was that 6% of an organization's cloud data was exposed to the entire internet. On average, each terabyte of data in an organization's cloud seems to contain more than 6,000 sensitive files, with nearly 4,000 folders shared with contacts outside of the organizations, with more than 2.1 million permissions. Microsoft 365 was also found to be a treasure trove of exposure, with 7% of companies having more than 10,000 exposed files. Alarmingly, there were 10 analyzed companies that had over 100,000 exposed files. Even more startling, one company had more than 1.5 million files exposed in Microsoft 365. In full disclosure, we note that Microsoft is a partner of the CyberWire, and we also note that this exposure is a matter of user configuration, not of vulnerabilities in the software itself.
Secureworks' State of the Threat report for 2022 is out, and it shares the widespread assessment that the effect of Russian cyber operations in the war against Ukraine has been confined to a nuisance level, stating, the war against Ukraine has been revealing for Russia's cyber capabilities. At the outset of the conflict, there were wide fears of destructive attacks with wide-scale repercussions, as was seen with NotPetya in 2017. However, despite a steady cadence of cyber activity directed against Ukrainian targets, some of which is identifiably from Russian government-sponsored threat actors, no widely disruptive attacks have been successful. The most visible Russian threat group tracked by the CTU over the past year has been Iron Tilden. This group is notable for spear phishing attacks conducted primarily against Ukraine, but also against Latvia's parliament in April.

And finally, if Russian hacking has been a nuisance as opposed to a war winner, much the same can be said of hacking directed at Russian targets. In a communique delivered to the Kyiv Post, the National Republican Army, a group that identifies itself as a popular Russian organization devoted to the overthrow of President Putin's regime, said that it has executed a ransomware attack against Unisoftware, a large Russian tech firm. Unisoftware has a number of important clients, the Federal Tax Service, the Ministry of Finance of the Russian Federation, and the Central Bank of Russia among them. And the Kyiv Post said it was able to confirm that some of the data belonged to customers. The National Republican Army declined to say how much secondary access it had achieved, but suggested that it had carried out related attacks against large Russian organizations. Infosecurity Magazine speculates that one of the secondary targets may have been the retailer DNS, which early this week disclosed a breach and offered reassurance and apologies to its customers. The attack, DNS said, originated outside of Russia. We emphasize that claims by and about the National Republican Army should be treated with caution and skepticism. The organization, control, and even the very existence of the group have reasonably been questioned. That there's some cybercrime going on inside Russia is almost certainly true, on grounds of a priori probability alone, but seeing the hand of a serious organized opposition group in that cybercrime probably involves a good deal of wishful thinking being carried out in the interest of Kyiv.
Coming up after the break,
Joe Carrigan describes underground groups using stolen identities and deepfakes.
Our guest is Eve Maler from ForgeRock on consumer identity breaches.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io.

Researchers at identity management and security firm ForgeRock recently published their 2022 Consumer Identity Breach Report, detailing the impact data breaches have on consumers across a variety of industries and regions. For details from the report, I spoke with Eve Maler, Chief Technology Officer at ForgeRock.
Here's the scary part for me. It looks to me in the numbers like bad actors have learned how to scale. So for one, we had 4.7 billion data records in the U.S. compromised last year. And that is, sad to say, a 37% increase over the previous year. We also saw a 297% increase in username and password compromises. And so these are just indicators that, you know, things are sort of accelerating. And I think that's partly pandemic era and partly, you know, the consequences of digital transformation, kind of the downsides, and partly just, you know, bad actors learning how to kind of automate and scale to new heights, if you will.
What sorts of things are you tracking in terms of what sectors are being targeted here?
We were able to look at the financial services industry, healthcare, social media. And one of the things we noticed was that healthcare was the most targeted industry for the third year in a row. The cost of a retail breach actually jumped up to $3.27 million. That's sort of average per breach. And that is a 63% increase from the prior year. And then financial services, the financial services industry saw 10%, maybe only, of all records breached by ransomware attacks, but experienced 22% of all phishing attacks that we saw last year. So there's like some consequences for, you know, industries that are important to all of us.
And how do you explain these trend lines?
Are the threat actors getting more sophisticated? Are we becoming better at reporting these things? Or is it a mix of all that?
There are some imperatives starting to appear on the scene regulatorily to require reporting of data breaches. However, that's not something that we can really rely on yet. It's not something we can say, well, we've caught all of them, we can see everything. I think what it indicates is that cyber criminals are actually figuring out the tools to do what I call a one-two punch. So when you think about the number of credentials, so usernames and passwords from breach one, they can be leveraged by a cyber criminal to perpetrate breaches two, three, four, five. And what they're doing is those subsequent breaches often are, they're more data rich. So I'll just give you some numbers to put this into perspective. We had 45% of breaches last year containing a username and password versus 8% the prior year, which is really significant as an increase. What we saw around data-rich breaches, think about date of birth and social security number. We saw 60% of all records breached including either social security number or date of birth or both. And that nearly doubled from the previous year. So I think it's evidence that we've got credentials, whether they were secured through, whether they're exfiltrated through unauthorized access of various sorts, or whether there might have been a more targeted phishing attack. You're seeing those turned into greater power on the part of the bad actors.
Well, so based on the information that you all have gathered here, what are your recommendations?
How do we stem this tide?
Well, if cyber criminals are learning how to scale, we need to learn how to scale. And one of the best tools that you can apply is actually artificial intelligence, machine learning, heuristic checking. So artificial intelligence is a way that you can start to apply mitigations kind of in machine time versus human time. You know, we all have foibles. We all may be susceptible to social engineering attacks, phishing attacks. So if you can use artificial intelligence techniques, so we think of it as autonomous, ways to go autonomous. So autonomous identity is our approach for, you know, making sure that entitlements aren't overbroad so that you can help prevent lateral movement once a bad actor is in your system. Or autonomous access, which is our way of gathering a diverse set of risk signals so that you can then make appropriate authorization decisions. So artificial intelligence is a fantastic tool. That's number one. Number two, credentials are the really weak spot in this picture, usernames and passwords particularly. And the world has changed a bit in the last year or so. We've got tools such as the FIDO2 standards, which enable, in the main, passwordless experiences of authentication that mean that if a password exists, it's not exposed as much to bad actors. And in a lot of cases, you can start to get rid of that password in the authentication equation, for example, using a known device. And a lot of people have devices capable of this kind of passwordless interaction. And once the credentials are not there to be stolen, they can't be leveraged for the increasingly data-rich breaches.
Are you optimistic that we can get a hold of this, that we may be headed in the right direction?
Yeah, I actually think so. I mean, the numbers were not looking good in 2021. At the same time, some of the technologies that have been able to help us mitigate these risks, tackle these risks, have been on the upswing in 2022. So AI, absolutely. We really believe that identity is the right layer for unifying your systems of intelligence, whether it's threat intelligence, fraud intelligence, even customer intelligence. Because you really have to infuse identity into your systems to make those good decisions, whether it's about authorization or even upsell and cross-sell. And also, this move towards passwordless authentication becoming a kind of no-compromises solution so that you can have great security and also a great experience, that's becoming ever more possible in the modern era. So I think that we have the tools to do a much better job going forward.
That's Eve Maler from ForgeRock.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
So we talk a lot over on Hacking Humans about scams, of course.
Yes, we do.
And one of the things that's captured the imagination of people around the world is deepfakes.
Deepfakes.
And I saw some research come by from the folks over at Trend Micro.
Yes.
It was an article they published titled,
How Underground Groups Use Stolen Identities and Deepfakes.
What's going on here, Joe?
Well, this is a pretty disturbing article, actually.
It starts off talking about famous people, right?
We have been seeing for years now, in fact, the one that comes to mind is the picture of Keanu Reeves, right?
Yeah.
There's pictures of him out there and somebody always Photoshops a new shirt on him.
Okay.
Well, imagine taking that capability, but now you're creating videos of people.
Right.
And they're endorsing products which they didn't endorse. And that has actually happened to one of our own here, Chris Sistrunk, who is a security person and well-known, has a Twitter account, has been deepfaked into advertising and shilling a product that he does not endorse. And the deepfake video is of him saying things he never said.
Wow.
So, I mean, it's a scam product, I think.
Yeah.
Even if it's a real product, this is remarkably unethical and probably illegal as well. Elon Musk has been targeted. There are videos of him endorsing some kind of financial scheme. And of course, Elon has never done this. It's remarkably disturbing. And there are people on these underground forums, there's a great post here that gives you an example of what they're talking about. Popular exchanges like Bitstamp or LocalCoins require a webcam link. Maybe anyone here able to bypass a webcam link and emulate a webcam, use a deepfake? Let me know. We'll pay for your help. So these people are looking for ways to essentially emulate a webcam, but instead of sending a video stream of the webcam, send the video stream of a deepfake. And this is what it's come to now. And this is going to be possible. This is technically possible right now. This article goes on to talk about how deepfakes can affect existing attacks and monetization schemes. One, they list here messenger scams. You're on some messenger application. Somebody can call you, and a lot of times, these have voice and video chat. If somebody can emulate the webcam and just send a deepfake feed, if the deepfake is good enough and fast enough to actually generate these things on the fly, it can be remarkably deceiving. Business email compromise is another good one. I want to be careful with the term business email compromise. A lot of times that term gets used as a catch-all. And when I say business email compromise, I mean the actual compromising of business accounts, right? Like your Office 365 account. Remember that your Office 365 account is probably also where maybe you reset your Zoom credentials, right? So if somebody has access to some deepfake system that can feed into Zoom as a webcam, guess what? They can impersonate the CEO of your company and even be on his account if they've compromised the account.
Right, right. And I imagine you could, you know, say that, oh, I'm sorry, the quality isn't better. My connection must be funny right now. You know, that sort of thing.
Sure. Other ways of doing this, making accounts for money laundering, there are all kinds of ways that people try to verify your identity. So, if your identity is faked in a video call and somebody opens an account in your name, they may be able to launder money through that. And that may, I don't know if that would cause legal problems for individuals that have been impersonated, but it certainly allows the crime to continue. It can also allow for hijacking of accounts and taking them over. There are two other things in here that I'm not really sure how I feel about them. They list blackmail and disinformation campaigns. And I think this is a gate that swings both ways, right? I can create a deepfake of Dave Bittner doing something horrible, right? And then go tell the world, look how god-awful Dave Bittner is. Or maybe I go out and do something that's terrible, and Dave goes, look how bad Joe is. And I go, that was a deepfake. Don't believe it.
Oh, sure. Yeah, okay.
So now I have plausible deniability here.
Interesting.
So there are also social engineering attacks and hijacking of Internet of Things devices, like if somebody can fake my voice, they might be able to use my Google Assistant, right? Which, good for them, I guess. If they want to try that, that's fine. Here's something that's really interesting, and I feel kind of a little bit vindicated here, Dave. For years, I have been saying that biometrics are not good as a means of verification of a person because they are immutable.
Okay.
Right?
And here we are now looking at deepfakes that are impersonating this.
So your information is already out there for what you look like.
If that information is leaked, you have no way of changing that information.
There's nothing you can do.
You can sit there all you want and grunt and grunt and groan,
but your face will never change from what it looks like.
Right, right.
So I think I feel a little bit of vindication reading this article, and that's the one upside.
But everything else in here is just downside.
What are some of the recommendations here that they have?
Excellent question.
One, a multi-factor authentication approach for just about everything, particularly for your financial accounts.
And I say use a hardware token, preferably one from the FIDO Alliance, or maybe using, if you're up for it, using some kind of private key, public key, or zero-knowledge proof-based authentication like SQRL.
Any of those are great.
Those are very hard to duplicate and impersonate, and they're not biometric. One of the things they say here is organizations should authenticate the user with three basic factors, something the user has, something the user knows, and something the user is, and make sure those something items are chosen wisely. Personnel training done with relevant samples. You know, the know-your-customer principle for financial organizations is very important.
Deepfake technology is not perfect.
There are certain red flags in an organization the staff should look for.
I think that's an okay recommendation for now.
Those red flags that are noticeable by people are going to go away very quickly.
Those deepfake technologies are going to improve.
And what needs to happen is there needs to be a technical solution in here because actually deepfakes are pretty easy to spot from a technical standpoint, at least right now. So you can have something in the middleware that is looking at the video feed to say, there's a good chance this video feed is being altered or not genuine, right? Social media users should limit the exposure of high quality personal images. I don't know how much of a good help that is. I mean, if the information's already out there, I mean, you can go out and shut it down, but somebody already has it. I keep my Facebook account locked down so nobody can see it. And all of my profile pictures are not of me. But if you're at a friend's birthday party and they post pictures of the group, you know, there you go. There you are. If someone takes a high resolution picture of you with your hand up, they can actually get your fingerprint off that. We've seen research on that already.
Yeah.
For verification of sensitive accounts, for example, bank or corporate profiles, users should prioritize the use of biometric patterns that are less exposed to the public, like irises and fingerprints. Again, I say if that information is ever breached, then that information can be simulated as well. And again, it's information you can't change. Significant policy changes are required to address the problem on a larger scale. These policies should address the use of current and previously exposed biometric data, like I just talked about. And they must also take into account the state of cybercriminal activities and how to prepare for the future. That's a good recommendation, preparing for the future. There needs to be, at some point in time, we're going to have to move beyond all of this stuff, and we're going to have to go into some identity verification system that has revocable identities that are demonstrated by physical presence somewhere. And I think there's ways to do that. I don't think that's impossible. I think that we could find lots of ways to do that.
Yeah. All right. Well, it's interesting research. Again, this is from the folks over at Trend Micro. It's titled How Underground Groups Use Stolen Identities and Deepfakes. Joe Carrigan, thanks for joining us.
My pleasure, David.
Thank you.

businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Catherine Murphy, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.