CyberWire Daily - InfraGard data for sale. Cyberespionage warnings. Data sharing practices. Malicious drivers with legitimate signatures. Patch Tuesday. Task Force KleptoCapture indicts five Russian nationals.
Episode Date: December 14, 2022

The FBI's InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyber threats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the enterprise browser space. And the US indicts five Russian nationals on sanctions-evasion charges.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/238

Selected reading.
FBI's Vetted Info Sharing Network 'InfraGard' Hacked (KrebsOnSecurity)
Would've, Could've, Should've…Did: TA453 Refuses to be Bound by Expectations (Proofpoint)
APT5: Citrix ADC Threat Hunting Guidance (NSA)
U.S. agency warns that hackers are going after Citrix networking gear (Reuters)
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day (SecurityWeek)
Effect of data on Federal agencies' policies. (CyberWire)
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (Mandiant)
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers (SentinelOne)
SAP Security Patch Day December 2022 (Onapsis)
December 2022 Security Updates (Microsoft Security Response Center)
December Patch Tuesday Updates | 2022 (Syxsense Inc)
Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws (BleepingComputer)
Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update (Dark Reading)
Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) (Help Net Security)
Microsoft Releases December 2022 Security Updates (CISA)
Apple security updates (Apple Support)
We finally know why Apple pushed out that emergency 16.1.2 update (Macworld)
Why You Should Enable Apple's New Security Feature in iOS 16.2 Right Now (Wirecutter)
Apple Releases Security Updates for Multiple Products (CISA)
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 (Citrix)
State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) (Help Net Security)
Citrix Releases Security Updates for Citrix ADC, Citrix Gateway (CISA)
VMware Patches VM Escape Flaw Exploited at Geekpwn Event (SecurityWeek)
Experts detailed a previously undetected VMware ESXi backdoor (Security Affairs)
VMware Releases Security Updates for Multiple products (CISA)
Mozilla Releases Security Updates for Thunderbird and Firefox (CISA)
Adobe Patches 38 Flaws in Enterprise Software Products (SecurityWeek)
CISA Releases Three Industrial Control Systems Advisories (CISA)
Five Russian Nationals, Including Suspected FSB Officer, and Two U.S. Nationals Charged with Helping the Russian Military and Intelligence Agencies Evade Sanctions (US Department of Justice)
Russian Military and Intelligence Agencies Procurement Network Indicted in Brooklyn Federal Court (US Department of Justice)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The FBI's InfraGard user data shows up for sale.
An update on Iranian cyber operations.
NSA warns of Chinese cyber threats.
Challenges in sharing data for threat detection and prevention.
Legitimately signed drivers are used in targeted attacks.
Patch Tuesday addressed a whole lot of actively exploited issues.
Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities.
Our guest is Mike Fey from Island with an introduction to the enterprise browser space.
And the U.S. indicts five Russian nationals on sanctions-evasion charges.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 14th, 2022.
Krebs on Security has some unpleasant news that goes to the challenges of vetting people for access.
The blog reports that someone using the hacker name USDOD, and whose avatar is the U.S. Department of Defense seal, but who's obviously unconnected with the Pentagon, is offering an InfraGard user database for sale in the criminal market Breached.
Now, InfraGard describes itself as a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of U.S. critical infrastructure.
So, any data it might hold is obviously of interest to crooks and the other miscellaneous goons who are all over cyberspace.
According to Krebs on Security, the attacker gained access to InfraGard by applying for membership under a bogus identity.
The blog states, USDOD said they gained access to the FBI's InfraGard system by applying for a new account using the name, social security number, date of birth, and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.
The CEO in question, currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans, told Krebs on Security they were never contacted by the FBI seeking to vet an InfraGard application.
Mr. USDOD says he's asking $50,000 for the data he's been able to pull.
He hasn't got that yet, and he's not surprised, given that the info is pretty basic stuff.
Still, it's a going-in position to start negotiations, and you never know.
In any case, he's snagged some invitations to security conferences.
One imagines he won't be stupid enough to show up and present his credentials to the FBI, but again, you never know.
To the certain personal knowledge of our crime desk, malefactors often, in fact, do stupid things.
A classic example is a guy wanted by the FBI for a variety of offenses, including facilitating gun trafficking, who was stupid enough to go on the Johnny Carson show back in the 70s with a snake-handling act.
He'd evaded capture until then, but some of the feds were apparently fans of the Tonight Show, because this particular act of carelessness earned the Cobra King a sabbatical in the Federal Correctional Complex in Allentown.
They couldn't find him until shortly after they'd heard, "Here's Johnny."
Anyway, Krebs on Security elaborates on the details of the offering.
USDOD said in their sales pitch that Pompompurin, remember those guys, would guarantee the transaction via the escrow service they offer in the Breached forum.
So, satisfaction guaranteed.
Pompompurin administers the Breached forum, a market that's widely regarded as the functional successor to RaidForums, closed back in April by the U.S. feds.
The incident suggests, obviously, inadequate vetting of applicants.
The FBI says it's aware of the matter and that an investigation is ongoing.
It's worth pointing out that if InfraGard can fumble vetting, maybe the rest of us can too.
Proofpoint this morning released research on what it calls aberrations in operations of the Iranian threat actor TA453, a group whose activity overlaps that of Charming Kitten, Phosphorus, and APT42.
Proofpoint says a hallmark of TA453's email campaigns is that they almost always target academics, researchers, diplomats, dissidents, journalists, and human rights workers, and use web beacons in the message bodies before eventually attempting to harvest targets' credentials.
Such campaigns may kick off with weeks of benign conversations from actor-created accounts before attempted exploitation.
Since 2020, however, TA453 has selected victims from a wide range of sectors, and it's used compromised accounts, malware, and confrontational lures in pursuing them.
Its new targets include medical researchers, realtors, and travel agencies.
Proofpoint thinks, with moderate confidence, that this activity reflects a flexible mandate to the Islamic Revolutionary Guard Corps intelligence requirements.
There's also a sub-cluster of the activity that seems to support covert IRGC operations, including, disturbingly, apparent attempts to lure targets into kidnapping traps.
Sharper elbows all around.
Yesterday, NSA released Citrix ADC threat hunting guidance that warns of activity by APT5.
The advisory doesn't explicitly attribute APT5 to China, although it does link it to UNC2630 and Manganese.
But as Reuters observes, APT5 has long been strongly suspected of being a Chinese intelligence threat group.
Mandiant is among those who've registered that suspicion.
NSA's advisory offers guidance on file integrity and behavioral checks, as well as YARA rules useful for detection.
A survey commissioned by Splunk has found that 63% of public sector organizations struggle with leveraging data to detect and prevent threats, compared to 49% of private sector entities.
The survey concludes that these difficulties of analyzing data directly impact partnerships between the public and private sectors and their ability to share intelligence.
Despite the disparity in leveraging data for security, the survey found that public and private sector organizations have very similar priorities for cybersecurity.
The top three cybersecurity priorities for both sectors are improving threat response and remediation capabilities, improving detection of emerging threats, and improving user security awareness.
Microsoft has taken steps to address the problem of legitimately signed Microsoft drivers being used in targeted attacks, stating, "Microsoft was recently informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity.
Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no compromise has been identified.
We've suspended the partners' seller accounts and implemented blocking detections to help protect customers from this threat."
The issue was discovered and disclosed by SentinelOne and Mandiant, working in partnership with one another.
The threat actors detected using the malicious drivers were doing so in an evident attempt to evade detection by security tools.
And of course, in full disclosure, we note that Microsoft is a CyberWire partner.
Yesterday was Patch Tuesday, and there was more going on than we can conveniently describe here.
We will say, however, that apart from that malicious driver issue, a number of vendors fixed issues that are undergoing active exploitation in the wild.
You'll find a full set of references in today's CyberWire daily news briefing, available on our website, thecyberwire.com.
The U.S. Department of Justice announced yesterday that five Russian nationals have been indicted in connection with violations of sanctions and export controls.
They're charged with conspiracy to defraud the United States as to the enforcement of export controls and economic sanctions, conspiracy to violate the Export Control Reform Act, smuggling, and failure to comply with the Automated Export System relating to the transportation of electronics.
The indictments are the result of work by Task Force KleptoCapture, an inter-agency group formed specifically to enforce sanctions and go after the corrupt oligarchs who are so often responsible for their violation.
Four of those indicted remain at large, but one, whom Justice calls a suspected officer with Russia's Federal Security Service, the FSB, was arrested in Estonia last week and is awaiting extradition to the U.S.
And hey, you didn't even have to go on The Tonight Show.
Coming up after the break, Tim Starks from the Washington Post Cybersecurity 202 shares reporting on ICS vulnerabilities.
Our guest is Mike Fey from Island with an introduction to the enterprise browser space.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The humble web browser has come a long way since its original development in 1990
by British computer scientist Tim Berners-Lee.
Today, web browsers are essential tools for accessing the Internet
and are found on almost all computers and mobile devices.
And in our day-to-day work lives, a whole lot of information passes through them.
That reality has led to the development and deployment of enterprise browsers,
customized versions with enhanced security and control mechanisms.
Michael Fey is co-founder and CEO at enterprise browser provider Island,
and I checked in with him for some insights.
Well, I think we can all appreciate that the browser has become the most widely deployed application on the planet.
There's 5 billion consumers that use it, but it's also the most widely deployed application in our enterprises, in our companies, our organizations, our governments.
And the reality is it is finely tuned and governed by the needs of the consumer, as it should be.
But when we bring that into the enterprise, we have a different set of requirements and desires for it.
And to date, we've treated it almost like a caged animal, backhauling its traffic, breaking its encryption, putting DLP or data prevention controls all around it, serving it up on virtual infrastructure, all in the name of trying to make this application safe, secure, easy to manage, and productive.
The enterprise browser stands to deliver a unique version of that, specifically targeted to provide a productive and safe and great user experience for our organizations and employees.
What are some of the concerns that folks have when you talk to them about adopting something like this?
You know, right away, it's, is this going to feel different? Or do I have to learn something new? My user population in many cases is very, you know, large, and I don't want to have to undergo that training.
And so that's one of the things people get really comfortable with quickly is this feels and acts like the browser you know and love.
It installs on your desktop just like every browser you've ever used.
It's a little bit faster, but it provides all these wonderful connection points back into the enterprise to make our lives easier.
And so that's one of the things we have to get through is, will my end users be negatively impacted? And the answer is no.
They'll actually get a wildly more productive and viable experience than they have to deal with today in most companies.
What about the security side of things? I imagine, of course, you probably have the ability to dial things in very specifically, but does it work with third-party offerings as well?
Yeah. So at the end of the day, think of it as just a browser that's contributing to the outcome.
If you want to use some other control that you have in place today, you still can.
Now, granted, it does provide a lot of security controls better than things that are sitting on the outside because it's natively a part of the application; we don't have to do things like break its encryption just to govern what website it goes to.
We don't have to force a whole networking path just to make sure that a particular device is configured correctly before it goes to one of our SaaS applications.
But in a large enterprise that has, you know, countless number of tools, capabilities, and dependencies, we can fit very nicely into those, but we can also start to simplify those stacks and remove a lot of repetitive and expensive controls.
What about for folks who are under regulatory regimes, who have to dot their I's and cross their T's when it comes to that? Are there enhanced capabilities for them?
There most definitely is.
We can literally govern anything that occurs in the browser.
So take screenshots, for example.
We have a lot of healthcare organizations struggling with protecting patient data, but
engaging in contract doctors.
We can provide the bridge that allows them to be open to those doctors that need
to be involved, but protect that crucial data. We can mask the data the doctor doesn't need to see,
like your social security number, maybe additional fields that aren't relevant to the problem at hand,
but then share with them the data in a way that it can't be accidentally stolen or misused.
So most definitely in those highly regulated, highly secured areas,
they're finding a lot of value from the enterprise browser space.
That's Michael Fey from Island.
And it is always my pleasure to welcome back to The Cyber Wire, Tim Starks.
He is the author of the Cybersecurity 202 at The Washington Post.
Tim, welcome back.
Always good to be here.
So this morning, you and your colleagues published an interesting report titled Severe Vulnerabilities Found in Most Industrial Controllers.
You got my attention here, Tim.
What's going on?
I'm glad.
We talked a little bit.
The headline was not what I wrote, and the editor changed it to that.
I was like, are people going to know what industrial controllers are?
But I was comfortable with what she did.
So yeah, industrial controllers are hard to describe, and that's why I wasn't sure where I should put them in the headline.
The idea is that it's a little bit like it sounds, right?
It's a thing that controls industrial processes.
They're the kind of device that keeps electricity plants or water treatment plants safe and operational.
And Microsoft took a look at the systems of its customers and discovered that 75% of them had high-severity, unpatched vulnerabilities.
So that's not great.
How do we interpret that? I mean, you see a number like this, and for me, I think, and yet the lights are on, the water is flowing.
Is this a ticking time bomb situation?
Is this a breathless headline that we need to put some perspective on?
What's your take?
I think it's a little bit of both.
It's somewhere in between there, maybe.
The way I react to it is that attacking these kinds of controllers would be very, very bad for us,
for the people in the countries where they lived.
I mean, we saw...
This goes back to the Stuxnet worm, of course,
that demonstrates the power of these kinds of attacks
on these kinds of specific targets,
where Stuxnet was able to take down a bunch of nuclear facilities in Iran.
And we've seen attacks on this kind of thing knock down power in Ukraine.
We saw the threat of it happening in the United States when the Oldsmar, Florida plant, where the water treatment facility, someone was able to get in and briefly elevate the levels of lye to very high levels before someone at the plant caught it and kept it from really happening.
But these are also the kind of attacks that if somebody did it, there would be a lot of hell to pay in the United States.
So I think that it's an option for our adversaries,
but it's the kind of thing that if you're going to do it,
if you're in Russia or you're somewhere in any country,
you have to know that the United States is going to be very upset that you did it,
and there's going to be a reaction.
You've seen it with some of the ransomware gangs
when they attack Colonial Pipeline and JBS.
Suddenly, we put a lot of attention on them.
And it didn't go terribly well for them.
In some ways, they've reformed.
But it's something that's scary.
But if it happened, and it's not likely to happen,
there would be a big, big repercussion.
Yeah, in your article, you spoke with Bryson Bort
from security company Scythe.
His comments were interesting.
You want to share his insights?
Yeah, he said whenever he talks about industrial control systems,
he starts off by defining them.
What's an industrial control system?
And the answer is, it's any computer that's 20 years old or older.
And that's a defining trait of these industrial control systems and controllers.
For what it's worth, the controllers are the devices,
and then there are systems of them.
So I'm using the term a little bit interchangeably.
But what I'm getting at is, these devices are extremely old for the most part,
or systems are extremely old.
That makes them hard to update.
It makes it hard for them to run modern operating systems.
And they're hard to rip and replace.
They're systems that are very, very focused on just keeping things running
and keeping things going pretty well.
And they were not built with security in mind.
So they're not secure by design, as they say.
The other thing he told me is that there's a little bit of good work going on
over at the Department of Energy office that people call CESER
on securing these systems.
Otherwise, a lot of the work that's going on in securing them
is very part of other things.
So, you know, you see CISA,
the DHS office,
invite people to
the joint collaborative environment.
And I guess the JCDC
is not the joint collaborative environment,
but you know what I'm talking about.
Inviting people to attend that from the industrial control systems world, but there aren't a whole lot of dedicated initiatives right now to solving the industrial control systems security problem.
Interesting.
One other thing I wanted to highlight, an article that you linked to in the Cyber 202.
This is a bipartisan push by a couple of lawmakers who are trying to improve the cyber literacy of their colleagues.
Yeah, that is something that I think they point out as needing to happen.
This is a congresswoman, Cathy McMorris Rodgers. She's probably going to end up being the Energy and Commerce Committee chairwoman.
And Congressman Jim Himes, who's a prominent member of the House Intelligence Committee that I talk to from time to time on cyber issues, essentially saying that there needs to be more
education, more hearings. And I think if you go back to many, many years ago
with Senator Ted Stevens famously referring to the internet
as a series of tubes,
you can see that the history of people needing to get up to speed on this
is real.
One thing I've noticed, though,
I think we talked about this last time we were chatting,
you have Congress members like Jim Langevin leaving,
who's been a big, big voice on cybersecurity in the Hill.
You have members like John Katko leaving, who's been a prominent voice on cybersecurity in the Hill.
It's concerning to lose that expertise, but one of the things that's positive is that the further along Congress gets, the younger the members get.
And that means they're more in tune with the internet
and what it means and they grew up with it more. That's a potentially very positive development
that I think the problem solves itself a little bit that way. But at the same time, it also requires
people focusing on this. And one of the things that's always been interesting about covering
the national security community is what do members of Congress get out of specializing in these things? When you're on
the House Intelligence Committee, maybe you have a satellite contractor in your district that,
you know, you can produce jobs and show jobs. Like, I was on the House Intelligence Committee,
helped to get this contract. But for the most part, it's hard to explain to your voters,
yeah, I'm spending a lot of time on cybersecurity because it's the kind of
thing that doesn't sell for a lot of the lawmakers. Interestingly enough, there was a congressman who
is no longer around who said that this was the number one or number two issue for his constituents.
So I think it might be a matter of a disconnect between the lawmakers and what they think their constituents want to talk about.
And that might be why we haven't seen much focus on it.
But I do think the more they pay attention, this kind of initiative that Himes and McMorris Rodgers are talking about takes off, that's also a positive.
Yeah. Well, it's reassuring to see that there's some self-awareness here, that it's an area in which they need to focus.
Tim Starks is the author of the Cybersecurity 202 at The Washington Post.
Tim, thanks so much for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin,
Rachel Gelfand, Tim Nodar, Joe Carrigan,
Pearl Terrio, Maria Varmazis, Ben Yelin,
Nick Veliky, Millie Lardy, Gina Johnson,
Bennett Moe, Catherine Murphy, Janine Daly,
Jim Hoscheit, Chris Russell, John Petrick,
Jennifer Eiben, Rick Howard,
Peter Kilby, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.