CyberWire Daily - CISA provides an account of progress toward Log4shell remediation. Other issues are reported in open-source libraries. Undersea cable security. FIN7’s BadUSB campaign. Security and Yealink.

Episode Date: January 10, 2022

CISA describes progress toward remediating Log4shell. Other open-source libraries are found to have similar issues, in one case problems deliberately introduced by the developer. Concerns are expressed over undersea cable security. FIN7’s BadUSB campaign. Security questions about another Chinese-made phone. Our guest is Bob Maley from Black Kite on their report - The Government Called, Are You Ready to Answer? Chris Novak from Verizon on PCI 4.0. And Russo-American talks open in Geneva. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/6

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 CISA describes progress toward remediating Log4Shell. Other open source libraries are found to have similar issues. In one case, problems deliberately introduced by the developer. Concerns are expressed over undersea cable security.
Starting point is 00:02:16 FIN7's BadUSB campaign. Security questions about another Chinese-made phone. Our guest is Bob Maley from Black Kite on their report, The Government Called, Are You Ready to Answer? Chris Novak from Verizon on PCI 4.0. And Russo-American talks open in Geneva. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 10th, 2022.
Starting point is 00:03:09 CISA describes the response to Log4Shell, and while it sees a long tail of remediation remaining, the agency has a good news story to report. Like others interested in security, the U.S. Cybersecurity and Infrastructure Security Agency found out about Log4Shell on December 10th, when the vulnerability was first disclosed. This morning, CISA held a media call to outline, one month into the Log4Shell affair, how the community it serves has responded to this widespread open-source software vulnerability. CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein both spoke during the call. While Director Easterly emphasized that
Starting point is 00:03:46 while Log4Shell was easily the most serious vulnerability she'd seen in her career, being widespread, easily exploitable, and high in potential impact, the news she brought to this update was, on balance, a good news story. CISA has seen an unprecedented level of collaboration among its partners, and, so far, the agency has observed no serious consequences of Log4Shell exploitation. Such exploitation, as it has been observed so far, has been commonplace and of a fairly low-grade criminal nature. They've seen mostly cryptojacking and bot herding, the latter presumably a preparation for subsequent opportunistic use. CISA hasn't been able to confirm that Log4Shell had been used to deploy any ransomware. The agency, Goldstein said, was aware of the risk of ransomware and was
Starting point is 00:04:39 particularly alert to threats to hospitals, but that so far ransomware seems not to have made extensive use of Log4Shell. CISA has also not been able to independently confirm reports of nation-state attacks, and the U.S. government seems to have escaped disruptive attack. Goldstein said that CISA has observed scanning of U.S. government agencies, but no successful attempts to compromise them. That said, he cautioned against complacency. Log4Shell is too attractive a target for potential exploitation. CISA's role in the Log4J response exemplifies how the agency sees itself discharging its mission. CISA has sought to serve as a single authoritative source for information and remediation guidance.
Starting point is 00:05:26 It's provided crowdsourced scanning tools and it's aggregated advice from its partners, again in a single accessible location. Goldstein drew attention to the importance of the binding operational directives CISA has issued to the 101 federal civilian agencies of the executive branch that it supports. While such directives are binding on these agencies, they're also made publicly available and can serve as a useful source of practical guidance to others. He paid tribute to what he called the incredible power of crowdsourcing and made particular mention of CISA's use of Bugcrowd in the preparation of its response to the incident.
Starting point is 00:06:06 The CISA executives confined their discussion specifically to Log4Shell and not the other ancillary vulnerabilities the Apache Foundation has recently found and mitigated, but they did offer some thoughts for the future of regulation and for the open-source software community as a whole. Easterly expressed disappointment that mandatory incident reporting legislation had stalled in Congress, but she also noted that incident disclosure is different from vulnerability disclosure and that mandatory incident disclosure wouldn't necessarily have brought Log4Shell to light, and hoped that the legislation would pass in some form soon. Goldstein said that the Log4Shell incident showed the need for widespread adoption of
Starting point is 00:06:52 software bills of materials. These would contribute greatly to organizations' ability to determine their exposure to any particular vulnerability. He also said that CISA believed the incident showed the extreme importance of open-source software and said that the agency was looking into ways of ensuring that it was working with partners to invest appropriately in the open-source community. Easterly added that CISA was working to catalog vulnerabilities and would continue to work closely with its partners in the public and private sectors. She alluded briefly to a forthcoming effort that would prioritize primary systemically important entities, thereby focusing attention and resources on areas an adversary would consider high-value targets.
Starting point is 00:07:39 Not Log4J, but Log4J-like, as it's being called. The Java SQL database H2 has been found to have vulnerabilities similar to those that afflict Log4J. JFrog, whose researchers identified the vulnerability, describe H2 and its use as follows. Quote, H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn't require data to be stored on disk. This makes it a popular data storage solution for various projects from web platforms like Spring Boot to IoT platforms like ThingWorx. The com.h2database:h2 package is part of the top 50 most popular Maven packages with almost 7,000 artifact dependencies. End quote.
Starting point is 00:08:31 Naked Security writes that the most probable avenues through which an attacker might exploit the H2 vulnerability are either through an active H2 web-based console or an H2 console listening on an external network interface. Some attacks could open targets to unauthenticated remote code execution. Users of the H2 database should update their instances to version 2.0.206 as soon as possible. Some open-source developer dissident activities surfaced over the weekend. Bleeping Computer reports that Marak Squires, developer of the widely used open-source libraries colors and faker, introduced an infinite loop into the libraries so that applications that use them would be bricked with gibberish.
Starting point is 00:09:27 Mr. Squires is apparently disgruntled by his sense of being ill-used and uncompensated by the companies who use open-source software. Sonatype warns that, quote, developers using colors and faker npm projects should ensure they are not using an unsafe version, end quote. Some developers, while not exactly approving of what Mr. Squires is said to have done, nonetheless have expressed some understanding of his feelings of ill-use. Sonatype's blog suggests that the incident, along with the labor involved in fixing problems with Log4J, quote, draws attention to the issue of the open-source sustainability problem, end quote, something GitHub has drawn attention to, and for that matter, something CISA alluded to in their call this
Starting point is 00:10:11 morning. According to the Barents Observer, the Svalbard undersea fiber-optic cable between the island of that name in the Barents Sea and the Norwegian mainland suffered an unspecified disruption on Friday. The system has two cables, one of which was affected. Coincidentally, Admiral Sir Tony Radakin, newly appointed chief of the UK's defence staff, said Friday in an interview with the Times that the Russian undersea forces had taken a particular interest in undersea cables and that, under certain circumstances, disrupting undersea cables, which nowadays carry a great deal of internet traffic, could constitute an act of war. Cutting or tapping undersea cables goes back, of course,
Starting point is 00:10:57 more than a hundred years. The Royal Navy, for one, fished up cables serving Imperial Germany at the outset of World War I, cutting or placing taps on them. The Record reports that the FBI has warned that FIN7, the criminal gang well-known for operating DarkSide and BlackMatter ransomware, has undertaken a BadUSB campaign against U.S. organizations in the transportation, insurance, and defense sectors. The physical USBs, which carry malware, are being sent by the U.S. Postal Service or by the United Parcel Service, and what could be more innocent-looking than those two organizations? Some represent themselves as packages arriving from the U.S. Department of Health and Human Services that carry important
Starting point is 00:11:45 COVID-19 information. Others pose as holiday packages from Amazon, complete with festive wrapping, a thank-you note, a bogus gift card, and of course the malicious USB drive. The payloads observed include Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, Griffon, Diceloader, and Tirion, as well as BlackMatter and REvil ransomware. Defense One writes that there's U.S. senatorial concern about the risk Chinese-made Yealink phones might present users. Senator Chris Van Hollen, Democrat of Maryland, wrote the Department of Commerce back in September asking for an explanation of the Yealink software that could, at least in principle, monitor and report users' calls and online activity.
Starting point is 00:12:35 Russo-American talks prompted by, but not confined to, the Russian threat to Ukraine opened today in Geneva, Military Times reports. We'll be learning more about their progress over the course of the week. Stay tuned.
Starting point is 00:14:08 Black Kite, a provider of a third-party risk monitoring platform, recently released research titled, The Government Called, Are You Ready to Answer? Evaluating the State of Third-Party Risk Affecting the U.S. Federal Government. Bob Maley is chief security officer at Black Kite, and he joins us with highlights from the report.
Starting point is 00:15:21 We saw across the board that they all have issues with patch management of operating system versions. That's one of the number one things that we saw. They just had a poor rating on that. We also saw that there was quite a few of the companies that were susceptible to ransomware. And why is that? Why specifically do the defense contractors find themselves vulnerable to these specific things? So it's not just the defense contractors. Obviously, ransomware is the current criminal activity du jour for bad actors. It's an easy way to exfiltrate cash, and they're taking a second tack on it now. internet with bad actors. And they look for specific things. So there are a lot of types of, in the information security world, what we call controls or things that are put in place to prevent bad things from happening.
Starting point is 00:16:18 And the bad actors are really good at finding out, well, which of these controls are typically not configured correctly or are easy to exploit that we can get inside and then execute our ransomware attack. And, you know, we see that that's how we've produced our ransomware susceptibility index. We kind of think just like the bad actors do. We know what they look for. We know how they try to get in. We know the things that make it easy to do. And we do a quantitative assessment of that and produce the RSI. And that's a probability that a company is going to become a victim to ransomware in the near future.
Starting point is 00:16:56 And we saw, I think it was about 20% of the dib was susceptible. Now, based on the information that you've gathered here, what would your recommendations be for these organizations to better protect themselves? Well, I would say they should follow the advice of the CISA. There is a great website called the CIS, it's stopransomware.org that they produce. And there are clear directions on what companies, whether it's in the Dib or anywhere else, should be doing to stop ransomware. Now, to be very clear,
Starting point is 00:17:34 the information that they're giving is not brand new. It's not something that they just came up with. These are guidance and instructional documents that they have been producing over the last decade. It's just that companies don't seem to want to follow the advice and do the needful things to protect themselves. How does the defense industrial base do compared to other verticals? Where do they rate? Well, we've done a number of verticals, and not surprising, they're about the same as everybody else, all the other different verticals. I think we have a system-wide problem, not just defense companies, but companies in general with these issues that have been just for years that have been ignored simply because, well, nothing's happened. So we really don't need to do anything.
Starting point is 00:18:24 But obviously now things are happening and it's becoming more high profile. It strikes me that that is really an overall dilemma that a lot of folks face in cybersecurity, which is, you know, there's always money for cleaning up the mess. But it's hard sometimes, I imagine, to report back to the board and say, hey, we spent all this money and, hey, guess what? Nothing happened. Exactly.
Starting point is 00:18:48 That's why there's a process. It's called FAIR, Factor Analysis of Information Risk. FAIR Institute, that allows you to look at cyber controls and analyze them to see how much they can reduce that financial impact. So essentially, it gives you a return on investment. Back in the day, I've been doing cybersecurity a long time where there really wasn't a clear and easy way to show, here's the ROI for giving me this budget money to do these things. It was thought more of as an insurance policy, that if you could show, well, here's what the worst case scenario is,
Starting point is 00:19:39 this might happen, and I kind of call it FUD, fear, uncertainty, and doubt, and you could get the money, but there's then no real way to show, was that money spent effectively? Because you don't know, did it stop something, or did you just not get hit yet? So, FAIR is a quantitative process that cybersecurity professionals can actually use to produce, well, here's the probable financial impact of this particular threat if it happens in the next 12 months. And here, if we spend X amount of dollars to add this additional control or do something different, here's the difference. So it turns it from a technical conversation into a business conversation.
Starting point is 00:20:25 And a lot of Fortune 1000 companies are using FAIR now. It's a real important tool for the cyber community to embrace. That's Bob Maley from Black Kite. And I'm pleased to be joined once again by Chris Novak. He is the Global Director of the Threat Research Advisory Center with Verizon. Chris, it's always great to have you back. You know, I've been seeing folks talking about
Starting point is 00:21:50 PCI 4.0 on the horizon here. I want to touch base with you about it. How's this coming on your radar? Yeah, thanks. Thanks, Dave. Always a pleasure to be here. You know, it's coming on our radar pretty big and bright. You know, the new standard that will be coming out here, it's probably the most significant departure from, you know, what organizations have been used to in the past. You know, and I think it's an important topic to discuss just as, you know, everyone kind of needs to get prepared for, you know, those changes ahead. You know, what does the new standard mean for them? And how do you not get surprised by it, right? Nobody wants to be faced with a deadline looming and them not being ready with
Starting point is 00:22:29 appropriate changes and controls and such. Well, before we jump into some of the specifics of this latest version here, can you give us a little overview of what exactly we're talking about here, who this affects? Sure. Yeah, great point. So PCI, Payment Card Industry, DSS, Data Security Standard, pretty much if you think about it as the standard globally for securing payment card information. So if you're in an industry that deals with credit cards, debit cards, and the like pretty much anywhere in the world, this standard probably touches your business. And for now going on, you know, well over a decade, this has been the standard that,
Starting point is 00:23:11 you know, the MasterCards, the Visas, the American Expresses of the world, and so on, have required organizations to comply with in order to, you know, achieve security of kind of the system or the community that deals with payment card transactions, ensuring that there is confidence in the system so that people will be comfortable using and relying on their payment cards. And so where do we stand right now? So right now, PCI 4.0 will be the 10th edition of the PCI standard. Over the course of years now, this has kind of evolved already. So I mentioned this is 4.0. There's been a lot of, you know, minor releases
Starting point is 00:23:54 as well as some major releases during that time. But the first iteration of the report, actually, the first iteration of the standard actually came out in 2004, which is pretty wild. That was the 1.0. And so, you know, now ultimately what the PCI Council aims to do by evolving their standard is keeping up with the changes in the way both threat actors operate, but also changes in the way business operates. There are new technologies and ways of doing business. And I mean, the pandemic has changed lots of things for lots of organizations. You hear so many organizations talking about their digital transformations, a large shift towards things like e-commerce, which also changes the way in which payment cards may be transacted. So it's important that things like cloud technologies and other changes
Starting point is 00:24:43 in the payment security industry are considered in new versions of the standard. So what are some of the specific things that we're going to see with version four? Sure, I'd say that probably some of the biggest things organizations will see as being different is that, you know, it doesn't necessarily alter the fundamental structure of the standard. So if you're used to the 12 kind of key macro requirements, that still exists. But the new version now enacts multiple changes to reflect things like moving from very prescriptive controls to actually now giving organizations a bit more flexibility in actually how they implement the controls. So kind of think of it
Starting point is 00:25:26 as moving from thou shall do A, B, and C to now moving towards a model where organizations can follow a, you must achieve a certain level of security or your control must meet a certain intent. But the actual way you go about it may differ from organization to organization. And I think, you know, this is an important kind of shift in the landscape. I think the earlier versions of PCI were prescriptive because, honestly, industry maturity was not really there yet. A lot of organizations really were not doing something unless they were required to do it. Now, I think we've seen a big sea change in organizations actually wanting to be secure and now actually wanting to take more ownership and control over how they actually get there. And so this change actually, I think, allows, you know, if you have a hundred different
Starting point is 00:26:16 organizations, the way they may actually get to achieving their compliance may all vary differently, but the goal is at the end of the day, they still meet that same bar or level that PCI requires. Are there any specific security enhancements that are part of the latest standard? Yeah, so I'd say some of the biggest things that people will probably notice are going to be targeted around things like cloud and kind of as-a-service type offerings because so many organizations have migrated towards those types of technologies or have moved things like their payment processing and transaction handling into, say, third parties. And so there's going to be an enhancement in the controls around some of those areas
Starting point is 00:27:01 that will probably be some of the newer and maybe more different areas that organizations will be needing to be mindful of. And what kind of timeline are we on here? It's a great question. So this is actually expected to be released in March. So March 2022, we expect this to be released. Typically, the PCI Council gives a transition period. So it's typically looking at about a two-year period after the transition before it is now the new mandated required standard of compliance. And some folks may be hearing that and go, oh, two years? Well, that's great. I will start looking at it in a year, a year and a half from now. My strong recommendation is like anything,
Starting point is 00:27:42 use this time to maximize the opportunity, especially if you're an organization that may have a long planning, procurement, strategy, life cycle, start planning now so that when you reach that two-year point, this is more of a BAU type of thing that you've already included in your strategy and your plan and your workflows versus waiting until you get closer to that deadline. And now all of a sudden you may have to make a lot more knee-jerk changes to what it is that you're trying to accomplish in order to maintain your compliance. All right. Well, good information as always. Chris Novak, thanks for joining us. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:28:49 Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
