CyberWire Daily - Data breaches and IP. Current cyberespionage campaigns. A warning that the cyber phases of the hybrid war can’t be expected to be over, yet. Exfiltration via machine learning inference.

Episode Date: March 8, 2023

CISA adds three known exploited vulnerabilities to its Catalog. A data breach at Acer exposes intellectual property. Sharp Panda deploys SoulSearcher malware in cyberespionage campaigns. US Cyber Command's head warns against underestimating Russia in cyberspace. Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently-released Defense Cyber Workforce Framework. Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. And are large language models what the lawyers call an attractive nuisance?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/45

Selected reading.
CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
March 7 CISA KEV Breakdown | Zoho, Teclib, Apache (Nucleus Security)
Acer Confirms Breach After Hacker Offers to Sell Stolen Data (SecurityWeek)
Acer confirms breach after 160GB of data for sale on hacking forum (BleepingComputer)
“Sharp Panda”: Check Point Research puts a spotlight on Chinese origined espionage attacks against southeast asian government entities (Check Point Software)
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities (Check Point Research)
What can security teams learn from a year of cyber warfare? (Computer Weekly)
Russian cyberattacks could intensify during spring offensives in Ukraine, US Cyber Command general says (Stars and Stripes)
US Bracing for Bolder, More Brazen Russian Cyberattacks (VOA)
Russia remains a ‘very capable’ cyber adversary, Nakasone says (C4ISRNet)
Employees Are Feeding Sensitive Business Data to ChatGPT (Dark Reading)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA adds three known exploited vulnerabilities to its catalog. A data breach at Acer exposes intellectual property. Sharp Panda deploys SoulSearcher malware in cyber espionage campaigns. U.S. Cyber Command's head warns against underestimating Russia in cyberspace. Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently released Defense Cyber Workforce Framework.
Starting point is 00:02:25 Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. And are large language models what the lawyers call an attractive nuisance? From the CyberWire studios at DataTribe, I'm Trey Hester, filling in for Dave Bittner with your CyberWire summary for Wednesday, March 8, 2023. CISA has added three entries to its Known Exploited Vulnerabilities Catalog. Presently undergoing active exploitation are CVE-2022-28810, a Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability, CVE-2022-33891, an Apache Spark Command Injection Vulnerability, and CVE-2022-35914, a Teclib GLPI Remote Code Execution Vulnerability. U.S. federal civilian executive agencies have until March 28 to inspect their systems and address the issues they find there. As CISA says, apply updates per vendor instructions.
Starting point is 00:03:47 Computer manufacturer Acer has confirmed that it sustained a data breach that resulted in the theft of company data. SecurityWeek reports that a hacker is offering 160 gigabytes of stolen data for sale on a criminal forum. According to BleepingComputer, the hacker claims the stolen data contains technical manuals, software tools, back-end infrastructure details, product model documentation for phones, tablets, and laptops, BIOS images, ROM files, ISO files, and replacement digital product keys. Acer said in a statement to SecurityWeek, quote, We have recently detected an incident of unauthorized access to one of our document servers for repair technicians.
Starting point is 00:04:25 While our investigation is ongoing, there is currently no indication that any customer data was stored on that server. End quote. Most discussions of data breaches tend to concentrate on the threat they pose to personal data. The incident at Acer shows that threat actors are also interested in intellectual property. Check Point is tracking a Chinese cyber espionage operation that's targeting government entities in several Southeast Asian countries, including Vietnam, Thailand, and Indonesia. The threat actor is delivering the Soul malware framework
Starting point is 00:04:56 via a new version of the SoulSearcher loader. The Soul framework was previously unattributed, but the researchers conclude, based on the campaign, that the malware is being used by one or more APTs based in China. The operation has overlapped with previous campaigns by the Chinese APT Sharp Panda, though the researchers point out that sharing custom tools or operational methods is common among China-based threat actors, which facilitates intrusion efforts and poses a challenge to their attribution. Russia remains a very capable adversary, U.S. Cyber Command and NSA Chief General Paul Nakasone
Starting point is 00:05:31 told the U.S. Senate Armed Services Committee yesterday. The general told the senators that U.S. Cyber Command was monitoring the war very carefully. Representatives of General Nakasone's two commands were also forthright in sharing a warning, anonymously and not for attribution, with the media. The Voice of America writes, The weight of this conflict remains significant. A spokesperson for U.S. Cyber Command told Voice of America, sharing information on the condition of anonymity due to the nature of the ongoing fight. They stated,
Starting point is 00:06:00 We anticipate their cyber activities may become bolder and look at broader targets. Officials at the National Security Agency have reached similar conclusions, quote, if the conflict continues to not go well for Russia, there is some chance that Russia will become increasingly brazen in its cyber attacks on civilian infrastructure as we have already seen in their kinetic activity, end quote. Russian cyber operations have so far shown disappointing results, especially for the amount of effort expended on them. The warnings from NSA and Cyber Command suggest, however, that Russian forces will seek to redress battlefield failures with cyber attacks, and especially cyber attacks against those countries that have provided Ukraine important
Starting point is 00:06:40 support. Lindy Cameron, head of the UK's National Cyber Security Centre, offered an appreciation quoted in Computer Weekly. Both efforts have largely failed, thanks to the efforts of Ukraine and Western digital expertise within governments and private sector. In many ways, the most important lesson to take from the invasion is not around the Russian attacks, which have been very significant and, in many cases, very sophisticated. It is around Russia's lack of success. Try as they might, Russian cyber attacks simply have not had the intended impact. We haven't seen the cyber Armageddon. What we have seen is very significant conflict in cyberspace,
Starting point is 00:07:17 probably the most sustained and intensive cyber campaign on record. End quote. Thus, both American and British cyber authorities warn that Russia may not have exhausted itself in cyberspace yet. And finally, Dark Reading reports an odd result from Cyberhaven, who's blocking a fair number of interactions with large language models in its clients' networks. The interactions are troubling because employees are feeding sensitive data into what are for the most part third-party data aggregators and processors. Dark Reading writes, quote, in one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case,
Starting point is 00:07:57 a doctor input his patient's name and medical condition and asked ChatGPT to craft a letter to the patient's insurance company. End quote. This emergent class of risk is being called exfiltration via machine learning inference. Coming up after the break, Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently released Defense Cyber Workforce Framework. And Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. Stick around. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:08:48 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:09:22 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:10:10 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. On February 15th, the Department of Defense issued DOD Manual 8140.03,
Starting point is 00:10:44 the Cyberspace Workforce Qualification and Management Program. DOD says the program provides a targeted role-based approach to identify, develop, and qualify cyber personnel by leveraging the DOD Cyber Workforce Framework. For insights on this, I reached out to one of our in-house experts, Simone Petrella, president of N2K Networks and CEO and founder of CyberVista. This document, this directive, is actually a manual that is a companion to Directive 8140. That directive, which has been out for some time, was intended or is intended to provide a targeted role-based approach to cybersecurity personnel that are supporting
Starting point is 00:11:33 the Department of Defense. The manual, which has been long anticipated and is just coming out now, is really the details that was never fleshed out in the original directive. So we've known for quite some time that the intent was to move the DOD into a more role-based approach. But the inevitable question was, well, what does this mean or what will this mean? This manual is essentially there now to answer that question as far as what are the qualifications, how does the Department of Defense actually evaluate and validate that the personnel supporting their work, whether civilian or contractor, have the qualifications they need to perform in those work roles.
Starting point is 00:12:18 So I know you've been spending some time going through the manual here. What are some of the things in here that have caught your eye? The thing that's caught my eye the most is for those who are familiar with 8140's predecessor, which was DOD Directive 8570, that was a qualification matrix that was very reliant on certifications. And the first thing that strikes me is that this is actually really, by design, taking into account levels of experience that demonstrate knowledge and ability and capacity to serve in roles that are far beyond certification. So it is a movement away from certifications. However, what also strikes me is that when I look at the way that they are outlining their approach to provide that kind of level of validation, there's a lot there.
Starting point is 00:13:14 It's pretty intense as far as, you know, we can choose between education and training, potentially certifications. There's also ways to look at the experience levels. So what strikes me is that there's not only going to be a fairly high burden for personnel to meet the requirements, but there's going to be an equivalent burden on the DOD to track this in a sustainable and scalable way. It's just a lot of data. Does this give them the potential to open up these opportunities for more people? Does it give them more flexibility? It definitely provides more flexibility because they're allowing for options that are beyond
Starting point is 00:13:53 traditional certifications. That said, one of the things that I did find very interesting is that for anything that does meet the qualifications of being appropriate training, they are requiring that it has an assessment component to it based on the lesson objectives of that course. So there does need to be a measurement element in order to demonstrate all of those things. The other thing that I think is also really telling is that there is an emphasis on continuing education, which is really around the collection and maintenance of CPE credits as people go through individual and professional development. What are the practical implications of this? For the folks that this
Starting point is 00:14:38 affects, what sort of things are they going to have to do now? I think it's going to practically put a pretty high standard and bar on organizations that support the DOD to track and maintain their workforce in a way that they can actually justify indictment. And that's at a level here that is unprecedented. Prior to this coming out, you could put, I'll use a kind of a defense contractor perspective to start. You could place someone on a contract by demonstrating that they
Starting point is 00:15:12 met a certain certification credential, and that was sufficient to essentially check the box. Now, it's about four different categories of things that we need to put forward to say this person is qualified. And then you're thinking, you know, times that by however many personnel are going on to staff, you have to maintain it too. So I think it's going to put a pretty large reporting requirement on both sides of the DOD itself and the organizations that support the DOD. And what sort of timeline are we on here for implementation? Again, the organizations who have to follow this, how's the clock running for them? Yeah, the timeline, like most things in the DOD, first of all, I mean, we waited over five years
Starting point is 00:15:58 plus for this manual to come out. So that gives an implementation timeline. I think there is about two years of time for the civilian employees to actually meet the qualifications under this definition of work role elements and three years for other work roles. Contractors, so anyone who is supporting the DOD in a consultative or contracted capacity, they have to comply with this upon any new award of work. So that's almost immediately. Is that realistic? Again, what sort of burden do we think this is going to place on the contractors? It's certainly going to put them in a scramble to try and document and figure out how they can capture information about their
Starting point is 00:16:46 workforce in a way that they can present that meet these qualifications. So that's going to be the biggest burden right off the bat is they're going to have to do a good clean inventory of who they already have been putting on these contracts and making sure that they meet all the existing criteria as they're outlined in this new manual. Overall, what is your take on this? Do you think this will be an effective way to improve the cybersecurity of the DoD? Overall, you know, I think what is most striking to me, it corrects one of the failings that 8570 ultimately had the unintended consequence of making us more reliant on someone having a credential or certification as evidence of their qualification to be competent in their role. And it was well-intended, but it had the adverse effect of really becoming a check the box.
Starting point is 00:17:43 And I think from a, you know, intention of like, we want to make our national security posture more secure. This is putting a higher burden on actual, how do we demonstrate that someone has the knowledge? How do we demonstrate that someone has the abilities to do this type of work so that we can result in a higher degree of security? It's going to be hard to get there, but I think that the fact that it's now written so clearly that this is something that we are looking at from a role-based perspective, that's going to have a pretty significant effect, not only the DoD, but the fact that they're the first organization to do it, I think you'll start to see other elements of the government agencies as well as the private sector start to kind of look at their workforce in similar ways.
Starting point is 00:18:33 Our thanks to our own Simone Petrella for joining us. And joining me once again is Betsy Carmelite. She's a principal at Booz Allen Hamilton. Betsy, it's always great to welcome you back to the show. I want to talk to you today about CISA, the Cybersecurity and Infrastructure Security Agency, and the kinds of things that you see on their roadmap for this year ahead. What can you share with us today? Sure. So this past fall, we saw CISA release its 2023 to 2025 strategic plan.
Starting point is 00:19:19 And this was a major milestone for the agency. It's the agency's first. It's a relatively young agency, so it's its first comprehensive strategic plan since it was established in 2018. And the plan focuses and guides the agency's efforts, and specifically the plan sets CISA on a path over the next three years to drive change in four key areas, spearheading the national effort to ensure the defense and resilience of cyberspace, reducing risks to and strengthening the resilience of America's critical infrastructure, strengthening the whole of nation operational collaboration and information sharing environment, and then unifying as one CISA through integrated functions, capabilities,
Starting point is 00:20:05 and its workforce. And then on top of that, we saw this past fall that CISA's Jen Easterly outlined the agency's 2023 priorities, in which she said one of the agency's focuses will be on supporting so-called target-rich, resource-poor sectors, such as K-12 education. So here we're looking at municipalities, school districts who are often constant victims of ransomware. Same with hospitals, water and wastewater facilities, and small businesses. So what about in terms of critical infrastructure here? I mean, how do these cybersecurity performance goals go at protecting them? Yeah, so again, another development this last fall was what you just mentioned, the cybersecurity performance goals. And these
Starting point is 00:20:58 outline the highest priority baseline measures that businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. So we're kind of seeing this linear build of the strategic plan and then the focus from the CISA director. And now we're seeing the cybersecurity performance goals. So we're seeing the goals being helpful to organizations decide how to leverage their cybersecurity investments with confidence that the measures they will take will make some sort
Starting point is 00:21:33 of material impact on protecting their businesses and safeguarding the country. Also within those goals, the performance goals are a comprehensive list of best practices and recommendations, covering everything from zero trust, segmentation, asset visibility and management. And those goals are a great starting point for organizations looking to work through the cybersecurity maturation process. And I think that's really important as you're building from a ground up. Like, where is this going to take me? Will this help me reach a point where I am confident that I am maturing through these processes, especially for those operational technology networks that our critical infrastructure is reliant on and proactively bolstering their cyber defensive posture.
Starting point is 00:22:28 You know, as someone who keeps an eye on the federal space the way I know you do, where do you suppose CISA is going to head this year? What do you think is on their roadmap? So a couple of things. So I think we're going to continue to see the focus on critical infrastructure organizations having a relationship with CISA and integrating its products and outputs in their processes. steps between CISA and the critical infrastructure organizations and operators. Now is the time,
Starting point is 00:23:14 and we're hopeful, that implementation strategies are being developed. The hard work we know is being done inside of CISA to help those organizations mature, use those investments, but how do we tactically take that out to the public? I think we've seen a really good example with CISA kicking off some of these efforts in January. They released a toolkit for K-12 institutions to help them better protect against cybersecurity threats. So some of that focus direction for those under-resourced entities. Also, how can CISA facilitate information sharing moving forward? Data transport between government entities and private sector critical infrastructure entities. How can CISA encourage CI operators really to come to the table now to take part in
Starting point is 00:24:04 these performance goals. That's hugely important. And I do think we also need to acknowledge that to make all of those things happen, there is so much more work involved. We're looking at where does future legislation come into play, data ownership rights. And CI sectors are going to, the critical infrastructure sectors are going to have expected outcomes from CISA through these relationships. So really putting some definition around that. You know, it's been my perspective or my take that so far, as you say, CISA is a young organization, but it seems to me like they've been getting pretty high marks on what they've
Starting point is 00:24:42 been able to accomplish so far. Does that track with what you've been seeing as well? Yeah, it does. And I think you're right with understanding the context. And we should always be looking at this through the context of where it's come since just 2018. And really, the role that it's looking to have with the public has been so much more a focused effort. And that's where our information, that's where our infrastructure lies with public and private networks. So I think the work moving forward to make sure that understanding what implementation can occur across those public and private networks is really what the best is yet to come.
Starting point is 00:25:30 All right. Well, Betsy Carmelite, thanks for joining us. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. This show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Trey Hester, filling in for Dave Bittner.
Starting point is 00:27:04 Thanks for listening. We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
