CyberWire Daily - Cyber war: a continuing threat, a blurry line between combatants and noncombatants. Chinese cyberespionage and its “plumbing.” CISA adds Known Exploited Vulnerabilities. News from Jersey.
Episode Date: June 8, 2022

US officials continue to rate the threat of Russian cyberattack as high. Civilians in cyber war. Broadcast interference and propaganda. A Joint CISA/FBI warning of Chinese cyberespionage. What gets a vulnerability into the Known Exploited Vulnerabilities Catalog? Andrea Little Limbago from Interos and Mike Sentonas from CrowdStrike join us with previews of their RSA Conference presentations. And, finally, some Jersey-based cyber campaigns (that's the Bailiwick, not the Garden State).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/110

Selected reading.
Russian Cyber Threat Remains High, U.S. Officials Say (Wall Street Journal)
Shields Up: The New Normal (CyberScoop)
Russian Government, Cybercriminal Cooperation a 'Force Multiplier' (Decipher)
Opinion: The U.S.-Russia conflict is heating up — in cyberspace (Washington Post)
Smartphones Blur the Line Between Civilian and Combatant (Wired)
Russian Cyberattack Hits Wales-Ukraine Football Broadcast (Gov Info Security)
People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (CISA)
US agencies detail the digital 'plumbing' used by Chinese state-sponsored hackers (The Record by Recorded Future)
CISA Provides Criteria and Process for Updates to the KEV Catalog (CISA)
Reducing the Significant Risk of Known Exploited Vulnerabilities (CISA)
Jersey computers used in international cyber-attacks (Jersey Evening Post)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
U.S. officials continue to rate the threat of Russian cyber attack as high.
Civilians in cyber war, broadcast interference and propaganda,
a joint CISA-FBI warning of Chinese cyber espionage.
What gets a vulnerability into the known exploited vulnerabilities catalog?
Andrea Little Limbago from Interos and Mike Sentonas from CrowdStrike
join us with previews of their RSA conference presentations.
And finally, some Jersey-based cyber campaigns. That's the Bailiwick, not the Garden State.
From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary
for Wednesday, June 8, 2022.
U.S. cybersecurity officials speaking at the RSA Conference here in San Francisco have urged businesses not to grow complacent about the continuing threat of cyber attack.
The Wall Street Journal quotes CISA's Jen Easterly as saying, "I don't think we are out of the woods in terms of a threat at this point in time. We're only 100 days into this war. We know that it's part of the Russian playbook to use malicious cyber activity, whether it's through a state-sponsored entity, whether it's through criminally aligned groups. Given the kinetic nature of the fighting, the brutality, and the atrocities, there has been a lot of focus on that aspect of it, but there has also been a huge amount of cyber activity from the Russians against Ukraine."
NSA's cybersecurity director Rob Joyce concurred. He said, "What I can say is, from intelligence, the threat was and is real. The Russians have a capability that we need to be cautious about, and they are at a decision point of if or when they choose to apply that."
An op-ed by Easterly and National Cybersecurity Director Chris Inglis, published this week in CyberScoop,
also emphasized the continuing threat of Russian cyber operations.
Russia, for its part, sees aggression in cyberspace as largely an American phenomenon.
A Washington Post analysis summarizes recent statements from Moscow
warning that the U.S. must face the consequences if it continues what the Kremlin characterizes as a cyber campaign against Russia.
Foreign Ministry cyber lead Andrei Krutskikh said, "We do not recommend that the United States provoke Russia into retaliatory measures. A rebuff will certainly follow. It will be firm and resolute. However, the outcome of this mess could be catastrophic because there will be no winners in a direct cyber clash of states."
And the U.S. continues to detail Russia's use of cyber criminals as deniable privateers.
The gangs amount to a force multiplier.
Decipher quotes Matt Olsen, U.S. Assistant Attorney General for National Security, who spoke about the issue at RSAC. He said, "We know they're very focused on being able to establish persistent access to United States critical infrastructure, and they have a very sophisticated set of actors in their foreign intelligence service. They also have a force multiplier in the way they're able to co-opt the criminal groups. We're still seeing that trend of Russia cooperating with the criminal groups."
The Wall Street Journal notes that U.S. sanctions have presented the gangs
with difficulties in monetizing their attacks,
particularly their ransomware attacks,
by interfering with their ability to receive and launder payments.
But that's interference only with their ability to cash out,
not their ability to go on the attack.
Their role as combat multiplier is likely to continue.
Western tech companies, notably Palantir, Google, Microsoft, and SpaceX, to list just a few,
have played a significant part in delivering support to Ukraine in the cyber phases of the current war.
Their role is an overt, legitimate, and so far as
can be seen defensive counterpart to the role being played by privateering gangs working on
behalf of Russia. But these and other activities also raise questions about how easy it will be
to develop norms for cyber conflict along the lines of those that exist for armed conflict,
that is, kinetic war.
One of the principal tenets of the just war tradition is discrimination,
that is, the obligation belligerents have to distinguish the military from civilians and to avoid civilian harm.
Military targets are legitimate targets under the usages of war,
but for the most part, civilian targets should be off-limits to attack. Wired
notices, however, that the proliferation of tech, the ubiquity of smartphones, may be eroding the
military-civilian distinction. Civilians are using their devices, sometimes with apps dedicated to
that purpose, to help Ukrainian forces keep track of Russian activities. Espionage, for example, is not protected by the
laws of armed conflict. Is someone in a village who phones in a report acting as a spy and thus
as a combatant? The question isn't entirely new, but the sheer quantity, the ready availability,
and the connectivity that consumer electronics now give people, has given that question more importance and has rendered the answers murkier.
Over the weekend, as Ukraine played Wales in a World Cup qualifying round, Russian operators replaced the game feed on the online television platform OLL.tv with what Ukraine's State Service of Special Communication and Information Protection called "propaganda news by Russian mass media." The Russian news feeds, of course, featured tendentious coverage of the "special military operation." OLL.tv halted the feed until it could eject the Russian content and resume normal broadcasting.
The SSSCIP continues to express concern over disinformation, which it sees as a core Russian threat. GovInfo Security points to OLL.tv's Facebook page, which put the incident down to envious Russian soccer fans' resentment of Ukrainian success. They said, "Envious Russia is trying to spoil the viewing of the match of the national team for the 2022 World Cup. We are making every effort to neutralize the cyber attack as soon as possible."
CISA and the FBI yesterday provided an overview of ongoing Chinese cyber espionage activity against U.S. targets, alert AA22-158A. Beijing's threat actors, the alert says,
continue to exploit publicly known vulnerabilities
in order to establish a broad network of compromised infrastructure.
Their typical approach is to compromise unpatched network devices,
especially small office or home office routers and network-attached storage devices.
Compromised SOHO routers and NAS devices can then serve as additional access
points to route command and control traffic and act as midpoints to conduct network intrusions
on other entities. The threat actors' initial targets are commonly telecommunications or network service providers, where they use the RouterSploit and Router Scan open-source frameworks to identify points of vulnerability.
From there, they look for critical users and infrastructure, including systems critical to
maintaining the security of authentication, authorization, and accounting, obtain appropriate
credentials, and proceed to act like authorized users. The alert recommends 14 practices
organizations should follow to render themselves harder targets,
and the first of those is patching.
NSA's Rob Joyce told The Record, as he characterized the Chinese activity, "This work is building the foundation that they can do all of their objectives. This is their plumbing."
CISA has also outlined the criteria it uses to select issues for inclusion in its known exploited vulnerabilities catalog.
The three basic criteria are, first, the vulnerability must have been assigned a CVE identification.
Second, it must be, as the catalog's name implies, undergoing active exploitation in the wild.
No proofs of concept or thought experiments need apply.
And third, there must be what CISA calls clear remediation guidance available.
Shortly after noon today, CISA added 36 new vulnerabilities that meet these three criteria
to its catalog. The U.S. federal agencies whose security CISA oversees must report remediation of all the issues by June 22nd.
And finally, the Jersey Evening Post reports that threat actors were using devices in Jersey
they'd obtained control of to mount unspecified cyber operations against targets in Europe and North America.
The Post says Matt Palmer of the government's Cyber Emergency Response Team
said between five and 13 compromised machines targeted computers in the United States, Germany and Hungary,
although it is not known who was behind the attacks.
Investigation and remediation are underway.
Listeners, take note. This is the Bailiwick of Jersey, not the U.S. state of New Jersey. It's the Channel Islands, not the Garden State. Forget about it.
Do you know the status of your compliance controls right now? Like, right now. We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Mike Sentonas is Chief Technology Officer at CrowdStrike. And here at RSA Conference, he's co-presenter of a talk titled Hacking Exposed: Next Generation Tactics, Techniques, and Procedures. He joins us with highlights from the presentation.
George Kurtz and I, who are doing the presentation together,
were thinking about what we wanted to do as part of the Hacking Exposed series.
And basically, with the rise in popularity of containers and the use of containers,
we wanted to explore that a little bit because a container escape is probably the worst case scenario
because an adversary could, in theory, exploit a containerized app's vulnerabilities
or misconfiguration to breach its isolation boundaries.
So it is pretty serious.
It's not that easy, but when it does happen, it's pretty severe,
and we wanted to demonstrate that at RSA.
I should mention that the presentation is this coming Thursday, June 9th. It's at 9:40 a.m. over at Moscone South, and it's titled Hacking Exposed: Next Generation Tactics, Techniques, and Procedures.
When we're talking about next generation, what do you put under that umbrella?
Yeah, it's an interesting, I mean, from an attack technique perspective,
like I said, we're focused on containers.
And the reason why we kind of called it that is it's very different
to a traditional attack where you're targeting a host machine
or a piece of hardware directly.
And what was interesting about this particular session
that we're going to do, when we were planning the topic and we were planning
through some ideas, our research team actually found
a vulnerability.
So we're using something that we submitted.
It's got a CVE number, a risk rating of 8.8,
so it's pretty high.
And effectively when that vulnerability is invoked,
an attacker can escape from a Kubernetes container and then get root access to the host.
And then at that point, they can move anywhere in the cluster.
Now, for folks who may not be all that familiar with Kubernetes containers, can you give us a little bit of the background there, why this is a specific threat?
Yeah, so people obviously are probably more familiar
with virtual machines.
I'm sure obviously a lot of people listening in
are very familiar with containers as well.
But containers and virtual machines are very similar
resource virtualization technologies.
Virtualization is the process where a system
has singular resources using RAM, CPU, disk, etc., networking.
All of those capabilities can be virtualised
and represented actually as multiple resources.
But what's different about a container
is where virtual machines virtualise an entire machine
down to the hardware layers,
containers only virtualise software layers
above the operating system level.
So containers are very lightweight.
They can execute, they contain software application.
They, you know, they have dependencies.
There's obviously pros and cons for using all of them.
But obviously in the case of what we're talking about here,
the entire host can be compromised because of a problem in a container.
Can you give us a little sneak preview of some of the things that you're planning on covering?
Yes, I'm going to go into a little bit of detail about the differences and a little bit more detail between virtual machines and containers, the pros and the cons.
We're going to talk about container escapes, talk about the concept where processes in a container
should be isolated from the container host.
And if you second that, it's called container escape.
And then we're going to talk a little bit about CRI-O, which is a container runtime engine that underpins Kubernetes. And so it's a lightweight alternative, if you will, to the better known containerd or a Docker-made runtime solution. It's used by Red Hat OpenShift. It's used by Oracle Container Engine. openSUSE Kubic uses it. So very, very popular. And we're going to go through a vulnerability in CRI-O which basically causes this entire problem.
So version 1.19 introduced support for sysctl.
That allows the ability to set kernel options for a pod
and that's where the problems kind of start.
So we're going to show the hack and then we're going to show
some practical advice on how you can limit these sorts of issues from happening in the future. And of course,
fix this one up specifically. And what do you hope people come away from the presentation with?
Yeah, it's a really good question, Dave, because I think, you know, when you look at security for
containers, a lot of people really focus on detections
and they focus on security for the actual containers themselves.
And a lot of time when we do incident response,
we see that the underlying host was forgotten.
And we want to make sure that people understand
how these issues can happen, the scope of the problem,
how severe they can be.
And we want to give some practical advice for how do you detect these things in the future?
How do you prevent them?
How do you minimize your attack surface?
How do you think about the host?
And just make sure that if people aren't aware of these problems that can happen with containers,
that they walk away with a few of those practical examples and
they can apply them back in their office. From a personal point of view, any thoughts on being
back together face-to-face here at the RSA conference? It's a mixed feeling, to be honest
with you. The last conference in 2020 was the week before COVID really took off in the US.
So, yeah, the first time being back together.
I think just everyone that I've spoken to, myself included,
were just so excited to connect and spend a little bit of time together.
Hopefully everyone can do that safely and securely
and no one gets COVID and takes it back home,
which is obviously the most important thing,
to make sure everyone stays safe.
But we're really, really excited to connect with everybody in person.
It's long overdue.
That's Mike Sentonas from CrowdStrike.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Andrea Little Limbago is Senior Vice President of Research and Analysis at Interos. Her RSA Conference presentation is titled,
A Data Faustian Bargain? An Analysis of Government-Mandated Data Access.
We got together for a preview of her talk.
You know, for decades now, companies have expanded their global footprint in various countries.
And in many cases, they've had to make the bargain that in exchange for market presence,
they may or may not have to have data access as a component of it.
So depending on what country they're in.
And increasingly, it is the requirement that for it to be located in a certain country, you're going to be underneath
the regulations or requirements that a government can ask for data upon request with minimal
accountability and oversight. And so it puts your data at quite a bit of risk in those kind of
countries versus others that have more individual data protections and so forth. And so what I want
to do is really look at the evolution of that and create a scale for countries that are protecting the data better, where companies, if they decide
to have a global footprint in those countries, will not have to have as much of a security risk
versus others where it is a much greater security risk for data access. And there basically is no
need to hack because you're required to hand over the data if they ask for it.
Right, right. Can you give us an example of sort of the spectrum of what we're talking about?
Like, can we name names?
Who's on either end of the spectrum?
We can, yeah.
And that's exactly a good way to think about it, because it is a spectrum.
It's 100% a spectrum where you've got China on one end, which is not terribly surprising,
where within their data privacy and security laws,
although there are aspects along the lines for data privacy, like data minimization and so forth, they also have a, you know, sort of a loophole for,
oh, by the way, you know, if the government does ask you for data, you have to turn it over if you
want to have a footprint in that country. And then so you have that on the one extreme, and there are
many governments that are starting to include that aspect or other kinds of interesting tools,
such as a required government certificate to be placed on all computers that basically provides a person in the middle
kind of attack or access to data.
So that's on one end.
And there are a couple of different regulations
that are popping up with different means
to provide that data or access to that data.
And then on the other end of the spectrum
is something like the European Union's GDPR,
where it has individual data protections and so forth
and has much greater
transparency and accountability and judicial oversight in case the government does ask
for various kinds of data.
And so that's built into the index that I look at, sort of a spectrum of areas where
it's, you know, data could be turned over by governments, but is there some sort of
transparency and accountability?
Because that does make a big difference if there's judicial oversight as well. Because at the end of the day,
almost every country under the auspices of national security will say you do have to turn
over data. And so from there, it's, you know, how much oversight is there? How often is it
happening? Is it because, is it just like simply for a footprint there? Or does it have to be,
you know, some sort of event to actually prompt some of it? So there's a lot of different
circumstances. And I try and tease out a lot of those different areas
within the index.
When we look at a country like China,
is it an all-or-nothing proposition?
At the end of the day, there's no guarantee
that they will ask you for your data if you're a company,
and so you may be completely fine,
but there is the...
The specter is always hanging over.
That's exactly right, yeah.
It always will be there.
If you do have data in there,
and that gets back to some of the data localization,
data sovereignty laws,
where data has to be stored in those countries.
Right.
So if the data actually has to be stored there,
they can request to access it.
And in some countries
where the data localization requirements are there,
it may not be such a big concern,
such as within Canada, for instance, or some
aspects of the EU and different kinds of data requires to be stored there. But then conversely,
having to have your data stored in China does pose a bigger threat for those kinds of reasons.
And given the, you know, the huge history of IP theft, you know, it's not unprecedented.
It just wouldn't need to be stolen. You'd have to turn it over.
I guess I'm wondering, you know,
if you think about a big company like Apple
with a huge manufacturing presence they have in China,
but also wants access to the huge market that is China,
how do they straddle that
and also have any legitimacy
when their messaging says they're leading with privacy?
True, and that's exactly,
so that's part of the Faustian bargain, right?
For an exchange for market
access, they're going to have their data
at greater risk, and it is. It's completely
orthogonal to every billboard we're seeing around
RSA right now with Apple as
the leader in privacy.
So it is something that
I don't think there's been enough
discussion of, and at the same time, we
are seeing Apple start to explore a more
diverse footprint, talking about moving some other manufacturing to Vietnam, for instance.
And so it'll be interesting to see what they do going forward, because they have been
fairly ingrained and fairly dependent writ large with the geographic concentration risk in that
area. And so it'll be interesting to see going forward as they seek to diversify both because of
your range of export controls and also due to data and security risks.
You know, I mean, GDPR famously has global reach.
Is this sort of policy thing the kind of thing that can, I don't know, extend even to things like treaties, international agreements?
Where do we stand with that?
Yeah, and they are increasingly.
We're starting to see it.
So even the NAFTA 2.0 has cross-border data flows as part of it.
And so we are seeing within various kinds of international agreements cross-border data flows and specific components of that within basically trade treaties.
So we are increasingly seeing that, which is really interesting.
And in many cases, they actually contradict some of the actual country-specific data laws.
And so they have to try and harmonize those
within specific countries as well.
So a lot of different layers are going on,
and it's through a variety of different areas
where you're starting to see data and security
and trade and industrial policy
all starting to kind of merge together now.
Yeah.
What are the take-homes for the presentation you're giving here?
What do you hope people leave with?
You know, what I'm hoping that they leave is that really we're heading into an area
where the new normal is that we're seeing just dramatic dynamism
in the regulatory environment for data right now.
It's been fairly static for decades.
And now, I mean, almost every week you're starting to see a new data policy pop up.
And because in the US,
there was a bipartisan agreement
which just was leaked as far as the data privacy law.
So we'll see where that goes.
Depending on those new regulations
and depending on their firm's global footprint,
their data is more or less at risk.
They're thinking about their data risks
and looking at their cybersecurity risk strategies.
They should think about their global footprint and the footprint of their suppliers and their main
partners as well, because those partners have their data.
And if those partners are in those countries that might be more at risk, they really need
to start thinking about how to secure that.
It should inform their data minimization strategies, their access controls, and all
aspects of normal cyber hygiene that they should be considering.
They need to consider this as well
as sort of another layer on top of
sort of the complex environment they're thinking about
in regards of cyber risk.
Yeah.
All right.
Well, Andrea Little Limbago, thanks for joining us.
Thanks so much, Dave.
... in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Rachel Gelfand, Elliott Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
... comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.