CyberWire Daily - Government security advisories, and the difficulty of recovering from ransomware attacks. Authority for offensive cyber under deliberation. Google wins Glupteba suit.
Episode Date: November 18, 2022. CISA and its partners issue a Joint Advisory on the Hive ransomware-as-a-service operation. Ransomware continues to trouble governments, internationally and at all levels. The US Defense Department may see enhanced authority to conduct offensive cyber operations. Russian attacks on Ukrainian infrastructure remain kinetic, as missiles show up, but cyberattacks don’t. Kevin Magee from Microsoft about leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber describing creative attack paths in enterprise networks. And, hey, glupost’ [GLUE-post]–don’t mess with Google’s lawyers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/222 Selected reading. CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. (CyberWire) #StopRansomware: Hive Ransomware (CISA) Vanuatu: Hackers strand Pacific island government for over a week (BBC News) Ransom attack cripples Vanuatu government systems, forces staff to use pen and paper (The Sydney Morning Herald) Ransomware incidents now make up majority of British government’s crisis management COBRA meetings (The Record by Recorded Future) Suffolk County, N.Y., Hack Shows Ransomware Threat to Municipalities (Wall Street Journal) Biden set to approve expansive authorities for Pentagon to carry out cyber operations (CyberScoop) Red Lion Crimson (CISA) Cradlepoint IBR600 (CISA) A ruling in our legal case against the Glupteba botnet (Google)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
CISA and its partners issue a joint advisory
on the Hive ransomware-as-a-service operation.
Ransomware continues to trouble governments internationally and at all levels.
The U.S. Defense Department may see enhanced authority to conduct offensive cyber operations.
Russian attacks on Ukrainian infrastructure remains kinetic as missiles show up, but cyber attacks don't.
Kevin Magee from Microsoft speaks about leveraging cybersecurity
apprentices. Our guest
is Paul Giorgi from XM Cyber
describing creative attack
paths in enterprise networks.
And hey, glupost', don't mess
with Google's lawyers.
From the CyberWire Studios and Data Tribe, I'm Dave Bittner with your CyberWire summary for Friday, November 18th, 2022.
Yesterday afternoon, the FBI, CISA, and HHS released a joint advisory on Hive ransomware. Companies have fallen victim to Hive ransomware,
and the criminals using the ransomware-as-a-service have received some $100 million in ransom payments.
The advisory says, Hive ransomware follows the ransomware-as-a-service model,
in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks.
From June 2021 through at least November 2022, threat actors have used Hive ransomware to target
a wide range of businesses and critical infrastructure sectors, including government
facilities, communications, critical manufacturing, information technology, and especially healthcare
and public health.
What should organizations do? The advisory provides indicators of compromise and tactics,
techniques, and procedures identified through FBI investigations. Hive has exploited Microsoft
Exchange server vulnerabilities. The FBI, CISA, and HHS have some recommended steps that can be taken against Hive.
These include finding and ejecting Hive operators from networks,
installing updates for operating systems, software, and firmware as soon as possible,
and requiring phishing-resistant multi-factor authentication.
The BBC reports that government networks in the Pacific Island nation of Vanuatu remain disrupted and largely unavailable as the effects of a ransomware attack continue.
Parliament, police and prime ministerial networks have been affected for more than a week,
as have email systems, internet and online databases of schools, hospitals and other emergency services, as well as all government
services and departments. There's no word yet as to who might be responsible. The Sydney Morning
Herald suggests that the attacker's motivation is financial, but the government of Vanuatu is
remaining tight-lipped, expecting recovery to be completed soon, but it's not there yet,
and digital services to citizens remain
generally unavailable. Vanuatu isn't alone in facing ransomware issues. Australia's recent
troubles with Russian cyber criminal activity are well known. The U.S., as we've seen, has just
issued a joint advisory on one ransomware-as-a-service operation, and in the UK, the record reports that
most of the government's emergency COBRA sessions have been convened to deal with ransomware.
Ransomware also represents a growing threat to local governments. Suffolk County, New York,
located on Long Island, east of New York City, continues to recover from a ransomware attack
that disrupted services.
According to the Wall Street Journal, the county's systems have yet to be restored to normal operations more than two months after the initial attack was discovered on September 8th.
Local governments are attractive targets for criminals because they combine opportunity and
vulnerability. They hold large quantities of sensitive personal information on their citizens,
which draws criminals on the grounds that, after all, that's where the data is,
and they often remain poorly resourced and ill-prepared for an attack.
The Wall Street Journal quotes Chris Cruz, who worked as chief information officer for
San Joaquin County, California, before moving to the private sector as public sector CIO for
cybersecurity company Tanium, as stating,
Too often these attacks succeed because public schools, municipal governments,
and other small government agencies don't have the resources, staffing, tools, and expertise
necessary to put forth a proper defense.
And much of the technology local
governments rely on is old, even obsolescent, and so far beyond its end of life that patches
and updates are simply no longer available. According to CyberScoop, a forthcoming revision
to 2018's National Security Policy Memorandum 13 is expected to give the U.S. Department of Defense
enhanced authorities to conduct offensive cyber operations. The revision is said in large part
to address roles and missions, with the State Department playing a consultative role. A source
told CyberScoop that successes by U.S. Cyber Command have done much to solidify the Pentagon's role in
active cyber operations, stating, Cybercom has been able to notch a bunch of good wins,
justifying the argument that having more flexibility, being able to move faster,
really does help operations. Cyber Command has also, sources say, burnished its reputation by
effective support of Ukraine
against Russian cyber attacks during the present war. Moscow continues its long-range violent
strike campaign against Ukraine's infrastructure and population, but Russian cyber attacks still
aren't showing up. Russian ground forces are currently entrenching in defensive positions, evidently hoping long-range and indiscriminate bombardment will redress battlefield failure through direct terrorism
against civilians. But effective cyber attacks? Not so much, at least for now and the last few
months. CISA released two industrial control system advisories yesterday, one for Red Lion Crimson, the other for Cradlepoint IBR600.
And finally, Google has prevailed in its court battle
against the operators of the Glupteba criminal botnet.
Glupteba, which might be Englished from the Russian as "you dummy,"
was, as Google explained in their announcement of victory,
a highly sophisticated botnet that used cryptocurrency blockchains to protect its command structure
and compromised millions of Windows devices.
The dispute began almost a year ago, last December,
when Google not only took down some of the botnet's infrastructure,
but also brought a U.S. federal lawsuit against Glupteba's proprietors.
The risk of this approach was that it might give Glupteba a way of enmeshing Google in the tangles of U.S. civil litigation.
The upside was the prospect of imposing real costs on criminal operators.
This week, Google won its case.
Google wrote,
On Tuesday, the court agreed with Google and granted our motion for sanctions,
entering default judgment against the defendants to hold them responsible for attempting to mislead the court. In an extraordinary move, the court also issued
monetary sanctions against both the Russian-based defendants and their U.S.-based lawyer,
requiring the criminal actors behind Glupteba to pay Google's legal fees. This step is
particularly important because it shows that there will be real monetary consequences for
engaging in this type of criminal activity. Google is not so naive as to think that this
is the end of Glupteba, but they're probably right to say that Glupteba has sustained enough reputational damage in the C2C markets
that they'll find a lot of the hoods who might otherwise become their customers taking their trade elsewhere.
Well done, Google.
Coming up after the break, Kevin Magee from Microsoft speaks about leveraging cybersecurity apprentices.
Our guest is Paul Giorgi from XM Cyber, describing creative attack paths in enterprise networks.
Stick around.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
XM Cyber recently released research outlining security risks they've encountered on multiple
customers' networks, including multi-cloud hopping and third-party risk to Azure environments.
Paul Giorgi is Director of Sales Engineering at XM Cyber, and I checked in with him for
details on their findings.
Yeah, so most organizations have a variation of multiple cloud services.
I think that if we look at what we see most commonly,
there's a mixture of maybe a little bit of Microsoft 365,
whether it's Azure Active Directory
or maybe a couple of like just Exchange Online,
but there's services within that
environment. And then maybe there's a little bit of the IaaS services within AWS and maybe a little
bit of GCP. So these large organizations have multiple clouds and it's not easy to replicate
security posture or security defenses around each one of these the same way. So when we look at how maybe an Azure Active
Directory account could be the start of the breach, and then within four or five stops end up
reading data from an S3 bucket with an AWS, there's not a lot of correlation of risk from
an Azure Active Directory account to an AWS S3 bucket. And what we're finding in our results is
there is a lot of correlation.
It usually doesn't take a lot of steps. And a lot of organizations are dealing with this risk and
not even aware of it. So because we're aware that most organizations are some sort of multi-cloud
variant, but still assessing risk maybe just within their own individual clouds and not really considering the risk
of how one entity could impact another entity.
That was a really interesting finding for us,
making sure people were aware of these risks
from multi-cloud because most large organizations
are some sort of variation of multi-cloud
and need to start assessing risk holistically
across all the entities
and not just within those individual cloud environments. And how do you propose they go about doing that? Yeah, so that's really where
attack path management comes in. Attack path management assesses the telemetry, whether it's
vulnerabilities, misconfigurations, or user activity, and assessing that telemetry and then
simulating what an attacker can do in that environment.
And not just within laptops or servers
or domain controllers,
but how something like a Lambda function
could play a role within AWS
to then provide additional privilege escalation
or additional assume role compromise capabilities
within different environments.
So that really is the heart of attack path management,
looking at all of your entities, all the configuration,
and then stringing together the realm of possibility
from an attacker's perspective,
identifying things like choke points.
If I know an entity's risk
to all the other assets in my environment,
I can identify it as a choke point
and remediate and prioritize risks tied to that entity
quicker than maybe
an entity that there may be a lot of risk tied to it, but the risk it introduces to my
critical assets is much smaller.
So that's really the heart of attack path management is dealing with holistic entity
assessment and then stringing together the possibilities from an attacker's perspective.
And one of the other things you highlight in the report is risk to Azure environments,
particularly coming from third parties.
What did you find here?
Yeah, so we live in the world where third-party access is just,
it's something that we have to deal with.
Whether it is a partner, portal access,
maybe sometimes it's a contractor doing development work.
We know that we live in this world where there's going to be some sort of third-party access. But we're seeing these
risks start to manifest themselves within Colonial Pipeline, or is the contractor accessing VPN with
Kaseya? So we know that there are definitely these things that are coming up as risks that
are starting to play out in real attacks that we're seeing hit the news. But unfortunately,
what we're doing to address them is just doubling down on our old legacy
processes, more questionnaires. We're going to now start putting them in their own AWS account
instead of their own grouping. And that's not really the right approach. What we need to start
assessing is really the risk from those third parties and using this concept of assumed breach. And that is something that we do at XM Cyber is really
every breach point is the starting point of an attack. And then assuming those third parties
are an assumed breach entity, maybe it is just a disgruntled employee from that third party or
some sort of insider threat, but we need to assess all of the ways that third party could potentially introduce risk to my critical assets. And still we start looking at all the different ways that that could happen. I think we're going to just start seeing this more and more commonly appear in the news through these manifestations of public breaches like we've seen, unfortunately, last year or so.
I mean, is that really sort of the through line through the things that this research has uncovered?
Is this that folks need to really take a look
at how they're assessing risk?
Yeah, I think that that is the main point of this document.
We call it the Attack Path Management Impact Report.
We're going to start releasing this pretty regularly,
but it is like our perspective
that we're sharing with every organization. And hopefully people start realizing that the way that we're doing
things, whether it's just legacy vulnerability management scanning, whether it's assessing risk
within the cloud, it's not working. And we need to holistically address our risk and assess all
of the entities within our organization and then string together those realms of possibilities from
an attacker's
perspective. So while we hope this report is informational and makes people more aware of
what's going on, we also like to introduce people to attack path management because I get the
pleasure of doing a lot of POCs and demos and you wouldn't believe how many people have never heard
of attack path management. And from my perspective, I think that it's something that it seems so obvious
and organizations have been doing in old ways,
like pen tests and stringing together
what happened during a breach
and learning from those exercises,
but never proactively running through those exercises
to determine how they could better defend
or architect better defenses
and respond more efficiently when they actually arise.
That's Paul Giorgi from XM Cyber.
There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And I'm pleased to be joined once again by Kevin Magee.
He is the Chief Security Officer at Microsoft Canada.
Kevin, great to have you back.
I want to touch today on this continuing issue we have with the talent gap.
I know you have some thoughts on this
and perhaps some areas that are open for innovation.
Yeah, I think, thanks for having me.
First off, Dave, back on the show,
love to talk about this topic.
And we've talked about this a number of times,
innovative ways to address the talent gap.
And everyone's got different numbers.
I think ours is there's 3.5 million security jobs
currently open or projected to be open fairly soon. I'm not sure what the actual number is, but we know it's a lot. And we know we're going to have to do something different.
They're really well-prepared and they're aspiring to be cybersecurity professionals.
There's tons of jobs opening.
How can we not bridge that gap?
And I've often used the metaphor of an apprenticeship.
In accounting, you do an apprenticeship or internships, or doctors don't just immediately graduate and become doctors.
They have to do residencies.
We need something like that for our industry.
And it turns out down there in the U.S., you're doing something similar to this
and launching a pilot. And I'm very interested to see how it goes. What specifically are you
talking about here? So, a number of government departments, the Department of Labor, Commerce,
are working with NIST and some other partnerships in the community to design a program
of apprenticeships, and they're launching this as a pilot. So far, to my understanding, as of September 2nd, with 75 days remaining in their program,
1,961 cybersecurity apprenticeships have begun through 15 programs. What I love about
this is partnerships from different areas of the ecosystem coming
together, but leveraging existing and proven formats like the apprenticeship programs to
deliver some sort of solution to this problem. So will it work? Don't know. But it's a great
opportunity to really try at scale to see if we can find new ways to solve this problem.
Yeah. You know, something that I've heard from a lot of people trying to find their place
in the industry is that a lot of the folks out there who are hiring are looking for people who
are fully baked, you know, who come in with lots of experience. There's a tremendous amount of
demand for those people, but that companies are not investing in those early
stage employees the way that a lot of people think they should.
And I really find it comes down to a question of leadership.
We're not teaching leadership.
We're not teaching management to cybersecurity professionals.
We often promote the most technical person to the role of manager and then wonder why
that person doesn't succeed because they don't have the people skills to hire, develop, and really engage with employees.
So it's twofold.
One, I think we really have to do a much better job of training our managers, training our leaders, preparing younger people to take on roles as well that can bridge those gaps, that can have those skills to develop.
And then you're absolutely right.
We are competing for talent and just driving price up supply and demand kicks in. And it's at some point that that breaks.
So we need to be bringing in new people to the fold and any new programs that we can find that
are successful doing that are going to be incredibly helpful. Retraining programs,
tapping areas of the workforce that have never really looked at cybersecurity as a profession
can be great opportunities to do that. Is this something you've been doing with your own teams
at Microsoft, looking for folks with those non-traditional backgrounds? Yes, and I have a
history degree. We've talked about it before. I mean, I'm a non-traditional cybersecurity
professional. I think the only other precedent I often see is Jack Ryan,
the historian turned security professional.
But we work with a number of colleges and universities.
In fact, Microsoft has a global program to invest in colleges and universities,
provide free training and free certifications,
and also education for the professors and teachers. But we're also working on the ground with organizations.
So I work with Toronto Metropolitan University, which has a retraining or second career program for women, which is excellent.
And we've hired a number of candidates that had technical backgrounds and non-technical backgrounds.
And when they can go through this intensive program that's very focused on building job skills, they can hit the ground running in
a career and become instantly productive. So great opportunities. They're not risks.
They're great opportunities, these programs to invest in for hiring, but also just to work with,
to volunteer time and assist to get them off the ground as well.
All right. Well, Kevin Magee,
thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out
this weekend's Research Saturday
and my conversation
with Larry Cashdollar from Akamai.
We're discussing KmsdBot, the attack-and-mine malware.
That's Research Saturday. Check it out.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio,
Maria Varmatsis, Ben Yellen, Nick Bilecki, Gina Johnson, Bennett Moe, Catherine Murphy,
Janine Daly, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.