CyberWire Daily - Imposing costs and sending signals (and prominently naming Cozy Bear). More speculation about the Natanz explosion. And a shift in the criminal-to-criminal economy.
Episode Date: April 15, 2021
The US announces a broad range of retaliatory actions designed to “impose costs” on Russia for its recent actions in cyberspace, prominently including both the SolarWinds supply chain compromise and attempts to influence elections. More reports on the Natanz incident suggest that a buried bomb was remotely detonated. David Dufour from Webroot has a wakeup call on digital privacy. Our guest is Ganesh Pai from Uptycs on Mitre ATT&CK Evaluations. And IcedID is taking Emotet’s place in the criminal ecosystem. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/72 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. announces a broad range of retaliatory actions
designed to impose costs on Russia for its recent actions in cyberspace.
More reports on the Natanz incident suggest that a buried bomb was remotely detonated.
David Dufour from Webroot has a wake-up call on digital privacy.
Our guest is Ganesh Pai from Uptycs on MITRE ATT&CK evaluations.
And IcedID is taking Emotet's place
in the criminal ecosystem.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Thursday, April 15, 2021.
Today's cyber news is dominated by this morning's announcement of a broad range of U.S. responses to Russian operations in cyberspace. The U.S. administration this morning announced the
long-expected set of measures designed to impose costs on Russian threat actors for both election
influence operations, for the SolarWinds compromise, and for other cyber campaigns.
The steps taken include sanctions and diplomatic expulsions, and of course, naming and shaming.
U.S. President Biden signed an executive order today intending, quote,
to demonstrate the administration's resolve in responding to and deterring the full scope of Russia's harmful foreign activities, end quote.
The White House statement frames the order as a signal that the United States will impose costs
in a strategic and economically impactful manner on Russia
if it continues or escalates its destabilizing international actions.
The objectionable Russian actions include efforts to undermine elections and democratic institutions,
and those are elections not only in the U.S., but voting in unspecified allied countries.
It also includes various other
violations of international law, including respect for the territorial integrity of states.
Russia's continuing occupation of Ukrainian territory in Crimea is the principal offense
against territorial integrity. The White House cites the cooperation of the European Union,
the United Kingdom, Australia, and Canada in imposing sanctions against eight individuals and entities associated with that occupation.
lateral Russian provocations along the line of contact in eastern Ukraine, in occupied Crimea,
and along Ukraine's borders, the White House statement calls them, the administration made an unambiguous statement of support for Ukraine, quote, the transatlantic community stands united
in supporting Ukraine against as well as agreeing on the need for Russia to immediately cease its military buildup and inflammatory rhetoric.
End quote.
The White House, NSA, the FBI, and CISA all formally attributed the SolarWinds compromise
to Russia's foreign intelligence service, the SVR.
To make the attribution utterly clear, they cite the names industry has used to refer to its cyber operations,
APT29, Cozy Bear, and The Dukes. That attribution is offered with high confidence.
The administration notes that this software supply chain compromise gave the SVR the ability to
either spy on or disrupt more than 16,000 systems worldwide and that most of the affected systems belong to
the private sector. NSA's statement described mitigation of known vulnerabilities in the
SolarWinds Orion software supply chain, WellMess malware used against COVID-19 researchers,
and network attacks exploiting a VMware vulnerability. NSA's Cybersecurity Directorate tweeted a warning that
Russia's SVR is actively exploiting five publicly known vulnerabilities against U.S. and allied
networks. NSA's Director of Cybersecurity Rob Joyce joined us on the line earlier today and
provided this statement. Today, NSA released a joint advisory with the FBI and DHS's CISA.
We highlighted cyber vulnerabilities that have been the target of exploitation
by the Russian Foreign Intelligence Service, the SVR.
The vulnerabilities in today's release are part of the SVR's toolkit
to target networks across the government and private sectors.
We need to make SVR's job harder by
taking them away. NSA is urging rapid mitigation by system owners to make attempts at malicious
actions less likely to succeed. The SolarWinds incident is particularly troubling because it
was a software supply chain compromise that enabled organizations to be targeted easily
and at will. The White House thinks this should serve as a warning about the risks of using information
and communications technology and services supplied by companies that operate or store user data in Russia
or rely on software developments or remote technical support by personnel in Russia.
To address those risks, the U.S. government is considering action under Executive Order 13873,
Securing the Information and Communications Technology and Services Supply Chain, against Russian exploitation.
The U.S. State Department is expelling 10 Russian diplomats in connection with this activity, the AP reports.
The White House statement says the 10 come from Russia's diplomatic mission
in Washington and include representatives of Russian intelligence services.
And the U.S. Department of the Treasury announced today that it was sanctioning
16 entities and 16 individuals who attempted to influence the 2020 U.S. presidential election
at the direction of the leadership of the Russian government.
Four front media organizations associated with three Russian intelligence and security services are singled out as disinformation shops:
Southfront (FSB), Newsfront (FSB), InfoRoss (GRU), and the Strategic Culture Foundation (SVR).
Pursuant to today's executive order, Treasury now prohibits U.S. financial institutions from participating in the market for any bonds Russia might issue after this coming June 14.
Six Russian tech companies that support the Russian intelligence service's cyber programs
are being sanctioned.
And, of course, the actions taken by the U.S. today have implications for the evolution
of international norms of conduct in cyberspace.
The White House statement affirmed the importance of an open, interoperable, secure, and reliable
Internet, which it regards as a goal shared by most of the international community, U.S.
allies and partners in particular,
but which Russian actions undermine. To foster the development of a stable, secure cyberspace,
the White House outlined two actions. Quote, first, the United States is bolstering its
efforts to promote a framework of responsible state behavior in cyberspace and to cooperate
with allies and partners to counter malign cyber activities. End quote. An important part of that will involve training for policymakers and international lawyers
on the policy and technical aspects of publicly attributing cyber incidents.
The U.S. will begin organizing such training at the George C. Marshall Center in Garmisch, Germany.
The training will extend beyond the details of attribution and cover international norms of
conduct in cyberspace. Second, the White House says they are reinforcing their commitment to
collective security in cyberspace. This involves joint military training in Cyberflag 21-1,
a combined exercise that aims at improving
cyber defense capabilities and resilience. The UK, France, Denmark, and Estonia, at least,
will participate.

The Jerusalem Post reports that the sabotage at Iran's Natanz uranium
enrichment facility, widely attributed to Israel by both the Iranian government and Israeli media,
was produced by a remotely detonated explosive device.
And finally, January's Emotet takedown by law enforcement left a gap in the criminal ecosystem,
now being partially filled by the IcedID gang, the Record reports. IcedID began with familiar spam campaigns back in 2017,
distributing what the Record calls a classic banking trojan.
But it's evolved and now functions as a malware-as-a-service operation.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Our own Rick Howard checked in with Ganesh Pai from Uptycs for his views on MITRE ATT&CK evaluations.
Here's Rick Howard. I got the chance to talk to Ganesh Pai, the CEO of Uptycs, an SQL-powered security analytics platform,
about his company's recent participation in the MITRE ATT&CK evaluation program.
This relatively new program from MITRE invites security vendors
to bring their solutions into an environment
so that the MITRE lab rats can throw actual adversary campaigns at them
to see if the vendor can detect and prevent them.
In this evaluation, MITRE deployed the ATT&CK campaigns
used by the adversary group FIN7, also known as Carbanak,
a financially motivated threat group that has primarily targeted
the U.S. retail, restaurant, and hospitality sectors since mid-2015.
I asked Ganesh why he thought the MITRE attack campaign
was good for the industry.
It's one of those approaches where there is a third party who is neutral and
objective. They have a common evaluation criteria and they call it MITRE ATT&CK Enterprise
evaluations. They set up an environment and they work with the vendors to say, do your best. We're
going to be doing this pre-canned set of things to do something malicious. And we'll see
how well your solution measures up against the framework. So they're doing two things. One,
giving you a nice framework so that everyone uses the same language. And second, they provide an
approach for evaluation where there's a third party objectively providing a quantifiable approach to
demonstrating value.
They don't rank stack you.
They just collect all the data as a part of their findings and present it.
And what's nice is they allow those who want to procure technology
to objectively evaluate the outcomes.
We placed a bet on this quantitative approach
to measure even the efficacy of a solution,
because given the number of vendors out there, we wanted to stand out.
And as I said, for us to show something demonstrable in a quantifiable way was important.
In these kinds of things, disagreements between the evaluator and the evaluated always happen.
I asked Ganesh about how Uptycs worked things out with MITRE when they did.
They upfront said Carbanak and FIN7 are
the two techniques and tactics that we're going to be evaluating vendors against.
They also outlined that here are around 159 or 160
that we expect you to hit relative to the number of detections.
When we actually went into the evaluation, our experience was actually very nice.
They were quite objective when there was any disconnect, and the disconnect was very straightforward.
We might not have set a flag right or tuned something because we had the ability to capture
the telemetry, but we may not have displayed a finding for one out of the 160 or something like that.
And they were nice enough to say that this is what we didn't visibly see on your screen.
We looked at it and said, look, here's this tuning flag, which was missing.
We set that right and we were fortunate that then they said, yeah, this looks good.
Other people's mileage might vary, but if we were to use our engagement with MITRE, it is a very pleasant and a very collaborative one to iron out any differences in opinion.
Clearly for a vendor, this is an investment in time and resources. I asked Ganesh what it took to get ready.
They outline what the set of techniques are as a series of columns which are laid out one after the other.
And then there is the notion of tactics given a technique for a given sub-tactic.
There can be 10 or 15 or even more approaches to doing the detection of that tactic.
If anybody has heard me speak before, you know that I'm a big fan of crafting prevention controls
for all known adversary behavior across the intrusion kill chain.
Unfortunately, most of us, vendors and practitioners alike, focus on the technical details of preventing malware and exploits and ransomware and not on defeating the actual adversary.
The MITRE ATT&CK evaluation program seems to be a step in the right direction.
I asked Ganesh if he thought going through this exercise would change how his engineering team adds new features to his products in the future.
The set of things that we came up with for detecting Carbanak and FIN7 during the evaluations are fairly generic. The detection for each of the tactics has been coded in a way such that
if they get reformulated ever
to do a detection of another one,
it's not going to be a whole lot of work for us.
The engineering work and the three months that we put in
is generic enough that it gives
a return on investment for a long time to come.
I'm a fan of the MITRE ATT&CK evaluation program,
and it sounds like Ganesh and Uptycs are too.
If you agree, it might be a good idea to encourage all of the vendors
you have deployed in your own security stack to participate in the next one.
You might even suggest that it will be a precondition
before you renew the contract at the next iteration.
That's the CyberWire's Rick Howard speaking with Ganesh Pai from Uptycs.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by David Dufour.
He is the Vice President of Engineering and Cybersecurity at Webroot.
David, always great to have you back.
Great to be here, David, as always.
I wanted to touch on the recent hack we saw on Verkada
and how that was kind of a wake-up call when it
comes to folks' digital privacy. What thoughts do you have on that?
You know, I'm not going to kind of call out Verkada, because they're the ones in this
instance that got caught with, you know, an issue with a super admin
password. But I've got to tell you, I promise you,
there are a lot of organizations with this same problem.
They just haven't been caught yet.
So I'm not necessarily saying, obviously, they did something wrong,
but I'm not saying that they're the only ones and we need to point a finger.
This is really another touchpoint, a time where we all need to be aware
of what's possible if someone's able to
get into something. I mean, if you're not familiar, you know, they got access to 150,000
live cameras and they were showing footage for different organizations to media and stuff like
that. So it was a big deal, but we're all affected by this.
Yeah. I mean, how do you come at something like a hard-coded credential? I mean, do
you have folks out there hunting for that proactively?
Yeah. You know, this, and David,
you know, a lot of the engineers who work for me would laugh at this comment, but
I used to write code. And really what you've got to, believe it or not, this really starts with
the engineers. You have to have a good process in place that analyzes code,
that is ensuring you're not doing things like hard coding passwords.
Because when you're first bootstrapping something, trying to test something,
you really just want to quickly get things up and running.
But you've got to have peer reviews.
You've got to have code scans.
So it really starts there and then goes out from there at
different layers of ensuring that people are protected. Yeah, because isn't it accurate that
a lot of times those things get put in as part of the development process, again, for the convenience
of the developers, but then once it goes into production, it should be pulled out,
and that doesn't always happen. That's exactly what the case is. And a lot of times, David,
believe it or not, it's included for convenience in raw source code SDKs, and they say,
change this once you get it up and running so that you're safe. And a lot of programmers don't
take the time, even when you're using that third-party tool. So you're exactly right. It's just a function of a lot of us want to get stuff working, and,
believe it or not, security sometimes takes a back seat to stuff.
David, we've never seen that before, right?
What are your thoughts for the folks downstream who found themselves victim of this,
you know, your classic sort of third-party thing where, you know, I've
contracted with a company like Verkada and because they weren't doing things 100%, now, you know,
the footage of my factory floor is on the nightly news. That is the problem. And you've put it in a
nutshell. How do you verify? And, you know, just like in society where we want to go to the
grocery store, the pharmacist, you have to have trust at some level and these things will happen.
And then the question is, how do you recover from it? You know, you have to have processes in place
that vet your third parties and you're making sure that the tools you bring in are as secure
as possible because you can only do it as best as you can. And again,
that's that whole process, depending on the size of your organization.
Are you able to vet it? Can you, you know, what's your exposure if the stuff gets out? Look,
if you have a factory floor and they're watching a guy drive a forklift, you're probably not worried
too much about it. But if you have a, you know, a customized manufacturing process where one of these cameras is watching that and it's intellectual property, you probably want to
make sure maybe you don't buy the cheapest available system out there. You need to make
sure there's something that's been vetted and potentially certified that it is secure.
Yeah. Yeah. It's such a, it's sort of an object lesson in this whole thing of the supply chain.
And, you know, from supply chain issues to embedded passwords, there's something for everybody here.
There absolutely is.
And it goes back to we have to trust, but we can verify.
And a lot of times cost gets in the way of that verification process.
And we just need to be aware of it.
And this goes for consumers as well, David.
I mean, people put stuff in their homes and they connect it to their Wi-Fi and they don't know what's going on.
They don't know if it's calling home to some country where they'd freak out if it was.
And you just have to spend more time understanding.
And it's easy not to because we all get busy.
Yeah, all right. Well, David Dufour, thanks for joining us.
Hey, great being here, David.
and that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It will save you time and keep you informed.
It's not just a job, it's an adventure.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yellen,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben,
Thanks for listening. We'll see you back here tomorrow.
Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.