CyberWire Daily - Codecov may have sustained a supply chain attack. Natanz sabotage update. Big data gangs. Protecting ransomware gangs. Counterretaliation in the SolarWinds affair.
Episode Date: April 19, 2021
Another supply chain incident surfaces. The Natanz sabotage seems to have landed a punch, but not a knock-out blow against Iran's nuclear program (and it appears to have been a bomb). China's "big data" gangs and their place in the criminal economy. Tolerating (and protecting?) ransomware gangs in Russia? Betsy Carmelite looks at the intersection of 5G and zero trust. Rick Howard is focusing on finance and fraud in the latest season of CSO Perspectives. Russia's counterretaliation for US sanctions in the SolarWinds affair. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/74
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Another supply chain incident surfaces.
The Natanz sabotage seems to have landed a punch,
but not a knockout blow against Iran's nuclear program.
China's big data gangs and their place in the criminal economy.
Tolerating ransomware gangs in Russia?
Betsy Carmelite looks at the intersection of 5G and zero trust.
Rick Howard is focusing on finance and fraud in the latest season of CSO Perspectives.
And Russia's counter-retaliation for U.S. sanctions in the SolarWinds affair.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 19, 2021.
U.S. authorities are investigating an incident affecting the software auditing company Codecov, Reuters reports. It amounts to another potential supply chain compromise,
specifically of the firm's Bash uploader.
Bleeping Computer says Codecov became aware of the problem on April 1st,
when customers notified them that they'd spotted suspicious activity,
and that attackers seemed to have been active since January,
when they began stealing developers' credentials.
Codecov has published a security update with remediation advice and a history of how the incident unfolded.
Quote, On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash uploader script and modified it without our permission.
The actor gained access because of an error in Codecov's Docker image creation process
that allowed the actor to extract the credential required to modify our Bash uploader script.
End quote.
The company says it secured and remediated the affected script
and undertook an investigation with the support of a forensic firm Codecov brought in.
Preliminary results say that, quote,
beginning January 31st, 2021, there were periodic unauthorized alterations of our Bash uploader script by a third party,
which enabled them to potentially export information stored in our users' continuous integration environments.
This information was then sent to a third-party server outside of Codecov's infrastructure.
Codecov says three categories of data and services are potentially affected. Once more, quote,
any credentials, tokens, or keys that customers were passing through their CI runner that would be accessible when the Bash uploader script was executed; any services, data stores, and application code that could be accessed with these credentials, tokens, or keys; and the Git remote information of repositories using the Bash uploader to upload coverage to Codecov in CI.
Codecov recommends that its users re-roll all their affected credentials, tokens, and keys.
Reuters notes that some early reaction has compared the Codecov compromise to the SolarWinds incident.
Both represented attacks on the software supply chain.
The Jerusalem Post reports that Iran has acknowledged that the explosion at its Natanz uranium enrichment facility in fact disabled a large number of centrifuges,
but also records speculation that the action against Natanz,
which is widely held to have been organized by Israel's Mossad,
fell short of a knockout blow to Iran's weapons program, which Iran denies having.
For its part, Iran says it's got a suspect in the sabotage,
which appears to have been a bomb, that their suspect has fled abroad,
and that they've asked Interpol to track him down.
Interpol could not confirm to the BBC that they had the suspect on their fugitive watch list.
And with this, we conclude our coverage of the Natanz story,
unless some unknown cyber angle should develop.
Intel 471 has published a report on the Chinese criminal market for Big Data.
It's large, well-structured, and marked by clear organizational hierarchies and division of labor.
It's worth noting that this particular underworld does not seem to be thriving
with the encouragement or tolerance of the domestic government.
Chinese police appear to investigate and arrest gang members and their customers when they can find them.
As Intel 471 puts it,
Chinese authorities reportedly adopted measures to crack down on the illegal big data trade
and tighten regulations governing personal data and privacy.
A series of regulatory measures regarding Internet privacy protection
and the security of personal information reportedly was introduced
by the Cyberspace Administration of China in addition to the large-scale crackdown.
What's that? What government would connive with organized crime?
Well, many believe the Russian government would.
The New Zealand website Stuff has a long account of how Evil Corp and other ransomware gangs operate under the sufferance of the Russian government.
Observation of Russophone dark web chatter by the security firm Advanced Intelligence picks up such comments as,
Mother Russia will help, love your country and nothing will happen to you.
Ransomware can be strategically damaging, and gangs like Evil Corp studiously avoid action against Russia
and closely allied targets in parts of the former Soviet near abroad.
And finally, as expected in a customary tit-for-tat, Russia expelled 10 U.S. diplomats over the weekend.
It's a counter-retaliation for Washington's expulsion of 10 Russian diplomats last week,
Deutsche Welle reports.
Baseball fans will recognize an analogy when their pitcher plunks one of yours.
Your pitcher is going to throw some chin music in the next inning.
This is expected.
The U.S. took the action as part of its response to the SolarWinds supply chain compromise,
an operation the U.S. intelligence community has attributed to Russia's SVR, Foreign Intelligence Service.
The Kremlin also expelled three Polish diplomats after Warsaw ejected the same number of Russian personnel on Thursday.
Euronews says that Poland ejected the three Russian diplomats
in response to what the Polish government characterized as Russia's hostile actions.
The U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency
last week released what they described as samples of Russian malware used in the incident,
but Russian authorities continue to maintain, the Moscow Times reports,
that the U.S. attribution of the SolarWinds incident to Russia is nonsense.
It's entirely possible that both sides of the dispute may take additional action.
Russian sanctions wouldn't, as Deutsche Welle reports,
have the sort of effect on the U.S. economy that American sanctions would have on Russia's,
but that doesn't mean that Moscow is without resources, short of combat, and short of hacking.
One possible response, the expression of which Deutsche Welle attributes to Fyodor Lukyanov,
a foreign policy expert at the Russian International Affairs Council,
is closer diplomatic and economic cooperation with China.
Lukyanov said, quote,
Closer cooperation with China on coordinating actions to contain the United States
will develop more quickly now as the Chinese are interested in that, end quote.
In spite of Moscow's economic clout falling short of what Washington can muster,
Lukyanov says that Russia has ample capabilities to stimulate changes in the world order.
Such cooperation has been under discussion
for some months, as both Russia and China have been subjected to U.S. and other Western sanctions
in response to state-directed hacking.
And it is my distinct pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer, also our Chief Analyst.
Rick, welcome back.
Thank you, sir. It's good to be back.
It's been a couple weeks, and you've got some exciting news that you're bringing with you today.
Yeah, thanks, Dave.
Here's what's happened.
For the last couple weeks, CSO Perspectives has been on a hiatus, getting ready for Season 5.
But I'm happy to announce that the first episode of that season goes out today.
And for the entire season, we are tackling an issue that I've been debating with other security executives for well over a decade.
Are the – are you ready for this?
Because it's a good one, right?
Okay.
Bracing myself.
Go ahead.
Go ahead.
Hold on.
Okay.
Strap in.
So here it is.
Are the strategies that security practitioners pursue different because of the vertical they reside in?
Or because the digital environment we are charged to protect is somehow, you know,
not traditional, like IoT environments or supply chain arrangements, those kinds of things.
In other words, okay, if we're in the financial vertical or the healthcare vertical or even the
energy vertical, is our collection of strategies different? So this episode, we're going to focus
on the financial vertical, and we brought in some 100-pound brain financial experts
to have a sit at the hash table and discuss it with us.
Wow. Okay.
Well, I mean, that's not all.
Of course, CSO Perspectives is on the pro side of CyberWire,
so that's our subscription side.
So if you're not a subscriber, you won't be able to access it,
but you're doing something on the free
side today as well.
Yeah, that's right.
So for those of our listeners who have yet to pony up for a CyberWire Pro subscription,
you know, and by the way, what are you waiting for?
That's right.
Because, you know, I talk about those week after week, and I know that they are feeling
intrigued and curious about what we are discussing on the side of the Cyberwire offering.
Yeah, well, they're feeling left out.
They're feeling left out.
Yeah, they feel like they need to, you know, do something, right?
Sure, sure.
Okay, all right.
So maybe not enough to plop down their hard-earned cash to get a taste of it.
So we have a deal for them.
We are releasing episodes from Season 1 starting today on the free side
so that they can get a sense of what the podcast is all about.
And this first episode is on SASE.
And, you know, say it with me, Dave.
Sassy.
Sassy.
Yes.
It's one of my favorite topics, right?
Yeah.
And I think the listeners will get a lot out of it.
And as they listen to season one episodes each week,
they can decide that they want to be with the cool kids who are listening to the most up-to-date shows over on Season 5.
Right.
Or slumming with me and the rest of the gang over here on the free side.
Yeah, you guys.
Yeah.
Okay, I see.
I see how it is.
We're throwing a bone to you guys.
All right.
All right.
I see how it is.
All right.
So, Rick Howard, welcome back. CSO Perspectives, again, is over on CyberWire Pro. Do check it out. I have to say it is good stuff and well worth your time. Rick, thanks for joining us.
Thank you, man.
Thank you.
And I'm pleased to be joined once again by Betsy Carmelite.
She's a senior associate at Booz Allen Hamilton.
Betsy, it's always great to have you back.
You know, you and I recently were chatting about zero trust architecture, and I wanted
to explore that a little further, specifically as we're starting to see the build out and
adoption of 5G.
How does that all play into zero trust?
Sure.
Where zero trust can be applied here as a security approach, again, there are tenets of assuming breach, never trust, always verify, use least privilege access.
Where this applies to nascent 5G technology is getting out ahead with risk reduction now in a mission-centric context.
So while 5G technology is in development now, the security components and requirements will not be fully understood or inherently applied until the networks are actually deployed.
5G networks will introduce new pathways of attack and expand the attack surface for organizations.
And another concern very much at the forefront of everybody's mind in the security industry now is the protection of the supply chain, and really the supply chain for 5G network hardware.
So the basic building block levels of 5G itself, concerns with that?
Sure. So when we talk about the 5G mission-centric approach to zero trust,
one of the things we talk about is looking specifically at how an
organization plans to adopt 5G across the enterprise. And if we look at the Department
of Defense as an example, consider its enterprise and it can be really overwhelming. It will have
to work through worldwide existing 5G infrastructure, and it will assume those worldwide 5G applications are untrusted and will have vulnerabilities.
With 5G adoption in the IoT environment, adversaries could, for example, exploit IoT security gaps to sabotage missions and equipment, compromise operational security, and jeopardize the lives
of military leaders and warfighters. And so we have to assume breach in these cases.
This is where we see the need for the security culture and the mindset shift to zero trust
coming in to protect our military service women and men and infrastructure, and where we see the
NSA urging adoption of zero trust for critical networks, which does include DoD and national security system networks.
Can you help me understand, I mean, how in this, the context in which, you know, 5G is not merely, you know, 4G, but one faster?
So to that question, Dave, I wanted to refresh on some of the points about 5G that I had touched on before as a starting point before we jump into an example.
5G is really the convergence of the physical device realm and the digital environment at scale. So it's the consumer level and at the critical infrastructure level.
Because of this convergence in scale, security has to be part of the design, because with any breach
or attack, we would be looking at a high impact, high probability event. And finally, 5G
may be gaining popularity over 4G, as we can see from advertising and discussion in the media, but 5G is really in its nascent stage.
So now is the time to prepare for a secure application of 5G zero trust before pervasive adoption in the coming four to five years.
I think it's, for me personally, it's something I'm really finding myself challenged at wrapping my head around.
Can you give us an example?
Sure, sure.
So let's stay on this Department of Defense example.
A scenario that we've been working with through that would require, again, these concepts, use of least privilege access and never trust, always verify, is the insider threat. So imagine a disgruntled military service person
working in a DoD smart warehouse where equipment, some of it maybe sensitive communications equipment,
is deployed and maintained. That person may want to modify data being processed
on a military logistics system. And specifically in the 5G example,
let's say it's with the multi-access edge compute.
That's the MEC deployment at that warehouse.
For context, MEC distributes data
and computation intensive tasks
to resources across the radio interfaces.
So the person could modify the data on the MEC
and the scenario could be to indicate the equipment is not available, might be delayed, and in turn falsely communicates that a unit's operationally unprepared, causes mission sabotage, possibly compromises the operational security of a mission.
Among other impacts, like knowing the unit's movements
or changing their plans as a result.
And so zero trust would help us how?
Yeah, so in this case,
a mitigation could be to limit the service person's data access
based on security policies.
So that's where that use least privilege access comes in. And so look at the user
role, the device attributes that that person uses, to reduce the chance of unauthorized access to the
MEC. And then the modification of the data could also trigger the need to validate and ensure the
data being processed is the same warehouse data that was reported from the smart sensors in the 5G network in the smart warehouse.
It could trigger the use of artificial intelligence or machine learning
to monitor and detect deviations in equipment availability or volume in that warehouse.
And it could flag suspicious changes for investigations.
So that's the concept of never trust, always verify.
All right. Well, fascinating stuff.
Betsy Carmelite, thanks so much for joining us.
You're welcome, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
No matter how you slice it, it comes up peanuts.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Guru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.