CyberWire Daily - IAM trends. RagnarLocker as a critical infrastructure threat. AI hype as phishbait. Updates on the hybrid war: leaks and hacks.
Episode Date: April 11, 2023

Key trends in Identity Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype. Updates on the leaked US classified documents, and speculation of whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft’s Ann Johnson from Afternoon Cyber Tea talking about cyber paradigm shifts with Samir Kapuria. And a welcome to GCHQ's new boss. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/69

Selected reading.
- 4 key trends from the Gartner IAM Summit 2023 (VentureBeat)
- Threat Actor Spotlight: RagnarLocker Ransomware (Sygnia)
- From ChatGPT to RedLine Stealer: The Dark Side of OpenAI and Google Bard (Veriti)
- Biden administration doesn't know extent of classified Pentagon document leak (CBS News)
- Ukraine ‘alters counter-offensive plans’ after Pentagon leak (The Telegraph)
- Ukraine had to change military plans because of US Pentagon leak, source says (CNN)
- Leaked Pentagon documents claim that hackers breached a Canadian gas network. Here’s what to know. (Washington Post)
- Pro-Russia Hackers Say They Breached Canadian Pipeline, but Experts Are Skeptical (Wall Street Journal)
- Leaked US intel: Russia operatives claimed new ties with UAE (AP News)
- Egypt secretly planned to supply rockets to Russia, leaked U.S. document says (Washington Post)
- How the Latest Leaked Documents Are Different From Past Breaches (New York Times)
- How U.S. friends and foes have responded to leaked Pentagon documents (Washington Post)
- Pentagon leaks: US seeks to mend ties after claims Washington spied on key allies (The Guardian)
- Pentagon Probe Under Way in Leaks Case (Wall Street Journal)
- Pentagon assessing damage after 'highly classified' US secrets leaked online (Breaking Defense)
- The Pentagon’s Purported Classified-Document Leak: The Biggest Takeaways and Questions So Far (Wall Street Journal)
- The ongoing scandal over leaked US intel documents, explained (Vox)
- Leaked documents a 'very serious' risk to security: Pentagon (AP News)
- The Discord servers at the center of a massive US intelligence leak (CyberScoop)
- Social-Media Platform Discord Emerges at Center of Classified U.S. Documents Leak (Wall Street Journal)
- Why Leaked Pentagon Documents Are Still Circulating on Social Media (New York Times)
- Clues Left Online Might Aid Leak Investigation, Officials Say (New York Times)
- Ukraine at D+411: US leaks remain under investigation. (CyberWire)
- New Director GCHQ announced (GCHQ)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Key trends in identity access management, RagnarLocker and critical infrastructure.
Cyber criminals capitalize on the AI hype, updates on the leaked U.S. classified documents,
and speculation of whether Russian hackers compromised a Canadian gas pipeline.
Ben Yelin describes a multi-million dollar settlement over biometric data.
Microsoft's Ann Johnson from Afternoon Cyber Tea talks about cyber paradigm shifts with Samir Kapuria.
And a welcome to GCHQ's new boss.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 11th, 2023.
Today marks Identity Management Day. We discuss trends in identity management and look at some expert commentary and advice on IAM.
VentureBeat reported that one of the four key trends discussed at the 2023 Gartner IAM Summit
was the importance of adding identity threat detection and response
solutions to protect against cyber threats and breaches. Other trends included the implementation
of an identity-first approach to cybersecurity, the use of cloud infrastructure entitlement
management tools and identity management approaches, and the implementation of a
journey-time solution for a streamlined user experience.
We've got some other industry observations on IAM on our website, cyberwire.com.
Sygnia today shared a blog detailing RagnarLocker, a threat actor the security firm says
has used double extortion tactics since early 2020 and targets, among others, the critical infrastructure
sector. The blog says that the initial attack vector was a known vulnerability in an external-facing
remote service. Many customized batch scripts were found, intended to be used for
reconnaissance against Windows event logs and to deploy ransomware. The group used Remote Manipulator System (RMS) as
command and control, and the remote access tool AnyDesk was also observed in use to lift data.
The use of these legitimate tools allows the RagnarLocker group to fly under the radar.
Anticipation leads people to suspend their better judgment, and a new campaign of credential theft exploits excitement about the newest AI systems
not yet available to the general public.
This morning, Veriti explained that several unknown actors are making false Facebook ads
which advertise a free download of AIs like ChatGPT and Google Bard.
Veriti writes, these posts are designed
to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users
into downloading the files. However, once the user downloads and extracts the file,
the RedLine Stealer malware is activated and is capable of stealing passwords and downloading further malware onto the user's device.
Veriti describes the capabilities of the RedLine Stealer malware which, once downloaded,
can take sensitive information like credit card numbers, passwords, and personal information like user location and hardware.
Veriti added, the malware can upload and download files,
execute commands, and send back information about the infected computer at regular intervals.
Experts recommend using official Google or OpenAI websites
to learn when their products will be available
and only downloading files from reputable sources.
With the rising use of Google and Facebook ads as attack vectors,
experts also suggest refraining from clicking.
The U.S. continues to investigate the leaks of classified information
that appeared on Discord servers and have since circulated through social media,
especially in Russian channels.
The investigation is seeking to confirm, first,
that the leaks have stopped, second, to determine their authenticity, and third, to identify their
source. Some of the documents appear on preliminary evidence to have been altered,
CBS News reports. National Security Council spokesman John Kirby on Monday said,
we know that some of them have been doctored.
Many or most of them, however, seem to be genuine,
and the AP writes that the U.S. Department of Defense is taking them seriously.
While the leaks are not believed to contain operational plans,
according to CNN, Ukraine has indicated that the leaks have induced it
to make some alterations in its own
planning. Discord servers have shown themselves readily adaptable to the sharing, scraping,
and dissemination of sensitive information, CyberScoop reports. The publication also gives
some color to the nature of the leaks, stating, the leaked documents are photographs of briefing
slides that appear to have been folded up.
They're photographed mostly against what appears to be a low table.
In the background of some of the photographs can be seen a bottle of Gorilla Glue
and what appears to be a strap with the Bushnell brand,
a popular maker of outdoor optics and rifle scopes.
Other files, the Wall Street Journal reports, are photographs of paper
documents with folds in the paper visible in many of them. Since their initial posting, the images
have circulated through 4chan and various Russian social media accounts. So who leaked them? No one
knows so far, and as the New York Times reports, a large number of people had access to the compromised
information. There are some indications in the leaked files that a Russian threat actor has
claimed to have compromised a Canadian natural gas pipeline in an incident reminiscent of the 2020
Colonial Pipeline attack, but the claim is just that, a claim. Canadian authorities have declined to comment.
The Washington Post quotes a section of the leaked files,
a February intelligence report, which states,
A pro-Russia hacking group is receiving instructions from a presumed federal security service officer
to maintain network access to Canadian gas infrastructure and wait for further instruction.
The FSB officers anticipated a successful operation would cause an explosion at the gas distribution station.
If Zarya succeeded, it would mark the first time the intelligence community has observed a pro-Russia hacking group
execute a disruptive attack against Western industrial control systems.
Many experts regard the claims with skepticism. Zarya's record, such as it is, shows no ability
to conduct anything beyond nuisance-level attacks, nothing more sophisticated than
distributed denial-of-service operations. The group is thought to be an offshoot of the Cyber Spetsnaz Auxiliary, itself spawned from
Killnet. The Wall Street Journal cites cybersecurity experts who believe the claim looks like active
disinformation. Even if there were a breach, and that's far from confirmed, it seems likely that
only business systems would have been compromised. The Journal quotes Lesley Carhart, Director of Incident Response for North America at Dragos,
who explains,
There's a mountainous gap between getting access to control devices
in an industrial network
and actually being able to make something, and I quote,
explode.
That involves understanding chemical engineering,
understanding the process systems,
and understanding all of the safety
controls, human, mechanical, electronic, otherwise, that are involved in that specific configuration.
We've got some follow-up to reports of Killnet's distributed denial of service action against NATO.
The Russian news source Lenta published an article yesterday alleging that during the DDoS attack, the hackers were
able to paralyze at a minimum 60% of the alliance's electronic infrastructure. Lenta also claims that
the hackers gained access to secret data from NATO countries. The Cyber Wire wrote to NATO asking for
comment, and a NATO official responded as follows. Cyberspace is contested at all times
and we face malicious cyber activity on a daily basis.
NATO takes this very seriously.
We remain vigilant and continue to adapt to evolving threats.
NATO and allies are strengthening our ability
to detect, prevent and respond to such activities.
We are currently experiencing denial of service attempts
against a number of NATO websites, and our experts are responding.
NATO's classified networks are not affected,
and there is no impact on NATO operations.
So, Lenta's claims that Killnet had disabled some 60%
of NATO's electronic infrastructure seem overstated.
NATO's school Oberammergau, the most commonly mentioned victim of DDoS,
is not, we note, an operational command.
And finally, Britain's GCHQ has a new boss.
Anne Keast-Butler has been appointed to succeed Sir Jeremy Fleming
as GCHQ's 17th Director.
Congratulations to Director Keast-Butler, and good hunting.
Coming up after the break, Ben Yelin describes a multi-million dollar settlement over biometric
data.
Microsoft's Ann Johnson from Afternoon Cyber Tea speaks
about cyber paradigm shifts with Samir Kapuria. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the Cyber Wire
Network. In a recent episode, she spoke with Samir Kapuria about cyber paradigm shifts.
Here's part of that conversation.
I am thrilled and lucky to be joined today by Samir Kapuria,
who is the Managing Director at Crosspoint Capital Partners
and a strategic leader investing in industry-changing innovation.
Samir has over 25 years of experience leading enterprise software,
consumer software, and managed service businesses in cybersecurity. He was previously the president
of Norton LifeLock, a global leader in consumer cyber safety, and under his leadership, he helped
scale the company to annual revenues exceeding $2.4 billion. Welcome to Afternoon Cyber Tea,
Samir. Thanks, Anne. It's great to be here.
There's a lot of economic turmoil.
There's geopolitical turmoil.
What do you think are the macro trends that are tracking across specifically the cybersecurity
industry?
You're right.
A lot has changed over the last year, and I could probably drain a whole kettle of tea
with you on this question alone.
But as you mentioned, the economic climate has companies looking at efficiency and spending in really creative ways. But I think a
lot of leaders have an appreciation for the importance of investing in cyber in a whole new
regard. Let me just break that down with a few key observations. The first one is if we take that
macro view you mentioned and pull back for a second,
damages from cyber attacks have grown to trillions of dollars.
And I think one of the reports I recently read said it has a trajectory to be over $10
trillion of annual damages in the next two years.
So that's definitely hitting the P&L and the bank accounts of both companies and individuals
in a serious way.
And staying on that macro view for a second, the total spend in cybersecurity is roughly $150 to $200 billion. So the balance of investment still has quite a long way to go before we see the size of the damages commensurate with the size of investment in protecting.
Thing two, the geopolitical environment.
It's definitely demonstrated the rise of cyber weapons targeting critical infrastructure,
not being behind the curtain, so to speak, but being in the forefront.
So the underpinnings of day-to-day life is now being impacted in a serious way.
Keeping in mind that many of these cyber attacks don't just stay on target,
but start to roam beyond the coordinates that we're given.
When I talk to peers and customers and our partners about the challenges they're facing,
I hear some of the same concerns related to cyber hygiene and passwords and such,
but I also hear about this layering of challenges like new technology,
the pace of change, and those emerging threats I was just mentioning that aren't truly well understood. I'm curious what you're hearing
and what's some of the most pressing security challenges you're hearing from founders and from
other enterprise security leaders you speak with? Oh, I'm definitely hearing some of the same things
you are with that focus on the foundational elements of cyber hygiene. But I'm also hearing
a whole host of new challenges that are top of mind with folks. On the pace of technology facet
you just mentioned, one thing that keeps coming up is the surface area expansion we just spoke
about, specifically with IoT devices. Many of these devices, as you know, are the least secure part of the network, and they
don't have the compute power to necessarily protect themselves. But the volume of these devices is
growing at a fast pace. So it poses a challenge for orgs who are now starting to respond by
applying a zero-trust approach almost to IoT as part of their cyber defense strategy.
But I'd also take a step
back to emphasize something else, which is the trust part of cyber. You know, you and I have
been in this space for a long time. And if we look over the years, we've seen that people are
naturally trusting and attackers prey on that human characteristic with all sorts of social
engineering attacks. Let's change course a little.
The RSA conference is coming up soon,
and I know everyone's gearing up
for a really, really busy week.
The theme this year is Stronger Together,
which is just this amazing theme, especially right now.
So I've long said that cyber's a team sport
and we all need to work together
for a safer and more secure future.
Why do you think it's so important that we are elevating stronger together this year in particular?
Well said. Cyber security is a team sport. And I've been going to this conference for many years,
as you have as well. And it's bounced back even stronger than ever following the pandemic.
So the RSA conference is another reason I'm optimistic, to be honest with you,
about the industry, because we're seeing the community come together to solve bigger problems
in a more robust manner than ever before. And for full disclosure, Crosspoint Capital acquired a
significant interest in the RSA conference. So I have even more of a heightened sort of approach
to it. But like you said, the innovation is healthy and thriving.
But when people have come together in any facet of industry or life, they're able to collaborate
and breakthroughs happen. And so that's where I think that this theme of stronger together
is more appropriate now than ever before, because there are so many challenges on the horizon, but there's also
that equal enthusiasm of how
can we now collaborate? How do we share
more? And you haven't
seen that type of openness in our
community in a long time where
people are willing to share their experiences,
share their knowledge, share their talent
and bring it all together for the community
to sort of all boats rise
type approach.
The Afternoon Cyber Tea Podcast is part of the Cyber Wire Network.
You can find it wherever you find your podcasts.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you, Dave.
Interesting article here from the folks over at SC Media.
This is written by Jessica Davis.
And it's about Vimeo,
the online video platform,
kind of the,
maybe it's fair to say
they're Pepsi to YouTube's Coke.
Yeah, more like the RC Cola
to YouTube's Coke, but sure.
Probably, yeah,
in size-wise, certainly.
But Vimeo has agreed to pay
two and a quarter million dollars
in an AI-related biometric privacy lawsuit.
Can you unpack this for us, Ben?
What's going on here?
So it's important to know that one state in the country has a comprehensive biometrics privacy law, and that's the state of Illinois.
It's called the Illinois Biometric Information Privacy Act. So many of these lawsuits that really should
apply to every state in the union are brought under this Illinois statute. What happened here
is Vimeo purchased Magisto, which is a separate mobile application. Some individuals had uploaded
images on Magisto or across the web, and Vimeo has used those images without the user's consent
to generate artificial intelligence. So they're using people's biometric data to scan each and
every video and photo uploaded to Magisto. And once that photo or video is uploaded,
they are extracting geometric data relating to unique points and contours of each face. And it uses that data to create and store a template, all without informing the user of that
practice. And that amounts to a collection of biometric information, which according to this
Illinois statute, requires actual knowledge on the part of the user. So I think this is a foundational lawsuit
because it shows that there are some consequences
of using people's facial features or biometric data
from photos that they upload online
and using that to generate AI.
And I think that's really the purpose of this Illinois statute
is to prevent this type of unauthorized use of people's personal and biometric data.
This article points out that Vimeo denies any wrongdoing tied to the allegation and yet is writing a check for two and a quarter million dollars.
I mean, is that typical how the deals work in these sorts of things?
Yeah.
So under the Illinois statute, you can sue even without having actual proof that your biometric data has been stolen.
It can be a mere allegation of an injury or adverse event.
If you just feel that your rights have been violated, you have a cause of action under the statute for liquidated damages.
And the damages can be relatively hefty.
We're talking about $1,000 for each negligent violation and $5,000 for a reckless or intentional violation.
So from Vimeo's perspective, you both want to avoid negative publicity from a publicized
trial on this.
Mm-hmm.
And certainly, you probably don't know under this platform
whether you violated BIPA.
And in that respect, it makes sense to settle this
and pay this $2.25 million to the users
who have been harmed by this collection of data.
I think there's also kind of a due diligence angle here as well. You've got a
company, Vimeo, who purchases another company, Magisto. You would imagine that they would have
done a risk analysis of this very thing, but who knows? I mean, they probably should have, right?
Yeah. Part of due diligence in any business acquisition is that you want to understand potential legal liabilities.
And I don't know how apparent it was that Magisto was leveraging people's biometric information for its own purposes without the consent of the users.
But this certainly exposed Vimeo to significant legal liability under this Illinois statute.
And we're talking about a relatively long time period here.
The original lawsuit accused Magisto and Vimeo, after they purchased Magisto, of scraping
biometrics without proper notice and consent over a nine-year period between September
2014 and January of this year.
Wow.
So that is a lot of potential violations per user.
And if every single person in Illinois
could sign on to this class action lawsuit
or whomever has uploaded videos to Magisto,
we might get damages exceeding the $2.25 million
that are going to be paid out as part of the settlement.
And that might be one of the reasons
why Vimeo is trying to settle and make this go away. Can I ask you a legal nerdy question?
Always. How does this bump up against standing? How can you have standing in a case like this
if all you have is a feeling that perhaps you were harmed by this, but no proof?
Well, that was determined by the Illinois Supreme Court in a case
five years ago. Generally, you have to have some sort of actual alleged injury to bring a case.
Right. But the Illinois Supreme Court held that at least under this particular statute,
really a mere feeling can be the basis for an allegation. Now, in order to secure relief,
you still have to satisfy the requirements of standing.
So there has to be an actual injury
that is redressable by some type of action
on the part of the court.
I see.
And there has to be causation
between the alleged wrong and that injury.
Okay.
But getting your day in court
is much easier than it usually is.
I mean, usually you have to allege something
with a certain type of particularity. And the Illinois Supreme Court said that at least under
this statute, that's not the case. I see. So even just the specter of this going to trial could be
enough for Vimeo to say, yeah, okay, we're going to settle here. It's best to avoid getting messed up.
I think that's exactly right.
All right.
Well, thanks for explaining it to us.
Ben Yelin, always a pleasure.
Thank you.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.