CyberWire Daily - Investigating VPN exploits, and the crooks and spies who use them. BadAlloc afflicts OT. Notes on cyberespionage. The criminal market for deepfakes.

Episode Date: April 30, 2021

The US Government expands its investigation into Pulse Secure VPN compromises. Microsoft discloses its discovery of BadAlloc IoT and OT vulnerabilities. Someone’s distributing Purple Lambert spyware. Chinese intelligence services seem to be backdooring the Russian defense sector. Financially motivated criminals are exploiting SonicWall VPN vulnerabilities. A look at the emerging criminal market for deepfakes. Josh Ray from Accenture Security on Why Cybersecurity Community Service Matters. Our guest Manish Gupta of ShiftLeft looks at cyber attacks on the CI/CD pipeline. And the World Health Organization attracted impersonators early this month. Again. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/83

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The U.S. government expands its investigation into Pulse Secure VPN compromises. Microsoft discloses its discovery of BadAlloc IoT and OT vulnerabilities. Someone's distributing Purple Lambert spyware. Chinese intelligence services seem to be backdooring the Russian defense sector.
Starting point is 00:02:19 Financially motivated criminals are exploiting SonicWall VPN vulnerabilities. A look at emerging criminal markets for deepfakes. Josh Ray from Accenture Security on why cybersecurity community service matters. Our guest Manish Gupta from ShiftLeft looks at cyber attacks on the CI/CD pipeline. And the World Health Organization attracted impersonators early this month. Again. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 30th, 2021. The U.S. government's investigation into possible compromises
Starting point is 00:03:14 accomplished through vulnerabilities in Pulse Secure VPN software is expanding. CNN reports that at least five federal agencies appear to have been affected. This represents the third major software supply chain compromise that's come to light in 2021, the Voice of America notes. Microsoft yesterday announced a set of memory allocation vulnerabilities they're tracking as BadAlloc. The vulnerabilities affect IoT and OT devices, and they could be exploited either for remote code execution or to induce system crashes. CISA has also published mitigation advice for BadAlloc.
Starting point is 00:03:53 The disclosure of BadAlloc should lend some urgency to OT security, about which NSA cautioned the defense industrial base in yesterday's advisory. That advice was prompted by the SolarWinds compromise, but the concerns are broadly applicable to OT operators. Kaspersky says it's detected Purple Lambert malware in a number of networks. ITWire reports that this malware family has been associated with the CIA, but the evidence is ambiguous, with some observers pointing out that the malware may have been staged by rival foreign intelligence services. The Lambert family has been gurgling around out there for a few years.
Starting point is 00:04:38 We're accustomed to thinking of cyber espionage as hitting, for the most part, Western targets. The reality is, of course, far more complicated than that. Even the familiar adversaries of Western nations take whacks at one another. A useful corrective to this habitual way of thinking arrives today in the form of a report by researchers at security firm Cybereason who describe a new APT they attribute to the Chinese government. The company's Nocturnus team, while sorting through samples of Royal Road malware, found signs that the operators behind it were also delivering the PortDoor backdoor as a payload.
Starting point is 00:05:16 The target was Russian, and the method of approach was phishing. Nocturnus researchers write, quote, According to the phishing lure content examined, the target of the attack was a general director working at the Russian Design Bureau. And of course, VPN exploits have recently been a worry because of the way they've appeared in cyber espionage campaigns. As so often happens, the hoods follow in the footsteps of the spooks, which is what seems to be going on now with exploitation of unpatched SonicWall instances. FireEye warned yesterday that it's observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability.
Starting point is 00:06:07 The company reckons the threat a serious one, with evidence of tool-sharing by criminal groups. Researchers at security firm Recorded Future have discerned a growing international criminal market for deepfakes. Why do people care about this? It's easy to think of deepfakes as primarily used in more exotic forms of spoofing, say a faked video of President Putin doing celebratory jello shots with First Lady Eleanor Roosevelt, thereby convincing people that the whole New Deal thing was a Kremlin front from the get-go, and never mind the freaking anachronism. Sad. Or perhaps they could appear in the form of faked evidence used in criminal show trials.
Starting point is 00:06:49 Or, on a more prosaic level, they might be used for more effective social engineering, better and more convincing business email compromises, for example, or more compelling catfishing. But there are also other, even more prosaic concerns about deepfakes. A criminal market in such deceptive stuff might undercut commonly used modes of establishing one's identity. Traditionally, people have seen three basic ways of establishing that they are who they say they are. You can do this through something you know, and the most common form this takes is the password.
Starting point is 00:07:23 The security question is another. If you know your grandmother's maiden name was Fifanella, or that your first pet was Blinky the Chameleon or Finnegan the Goldfish, that you drove a Hillman Minx when you were in school, the assumption is that, well, you're probably who you say you are. You can also do this through something you have, like a hardware token, or in real life, maybe an ID card or a badge. Or finally, you could establish your identity through something you are, that is, through one of the several biometric modalities, like your face, your fingerprint, or even your gait. So, something you know, something you have, or something you are. One of the reasons a criminal market in deepfakes is troubling
Starting point is 00:08:05 is that it might be used to undercut the third mode of identification, who you are. This could erode trust in the biometric technologies that organizations use online. If your fake face is out there, well, maybe some hood can use it to sign on somewhere as you, your own self. Deepfakes are, in the view of Recorded Future's Insikt Group, fraud's next frontier. They used to be a repellent, but in most respects less threatening kind of technology. The researchers say, quote, deepfake technology used maliciously has migrated away from the creation of pornographic-related content to more sophisticated targeting that
Starting point is 00:08:45 incorporates security bypassing and releasing misinformation and disinformation. Publicly available examples of criminals successfully using visual and audio deepfakes highlights the potential for all types of fraud or crime, including blackmail, identity theft, and social engineering, end quote. The researchers found online markets catering especially to Anglophone and Russophone hoods, but they also found a few hawking to speakers of Spanish, Turkish, and Chinese. The deepfake products and services on offer include editing both pictures and video, how-to tips, tutorials, exchanges of best practices, free software downloads and photo generators, and news on advancing criminal technology.
Starting point is 00:09:37 The Insikt group says that much of the chatter online about deepfakes is of a relatively benign, technophile nature. People interested in the topic are chatting and swapping stories. But the researchers think that this is likely to turn ugly as a hobbyist's interest turns into a perception that deepfakes have a lot of criminal potential. The United Nations International Computing Center says that with the help of Group IB, it's taken down a scam campaign that since April 7th has been impersonating
Starting point is 00:10:03 the World Health Organization. Good for them, we say. Earlier this month, Group IB warned the UN organization that it had found a bogus website impersonating WHO branding, where visitors were encouraged to answer a few simple questions to earn a 200 euro reward on the occasion of World Health Day. And you can easily imagine the rest. Sometimes it involved redirection to a scam website, and at other times the capers signed unwitting victims up for a paid service. Not healthy.
Starting point is 00:13:19 A key component of modern DevOps operations is the CI/CD pipeline. That stands for Continuous Integration, Continuous Delivery. It's an approach that emphasizes automation. Manish Gupta is CEO of ShiftLeft, and he joins us with insights on the CI/CD pipeline and how its use can help ensure security receives the attention it deserves. All around us, innovation is being driven by software. Most of the companies now write software. They write it ever faster because as end consumers, we have gotten into the habit of getting new feature
Starting point is 00:14:07 functionality every day. Imagine your experience with Netflix or Google, for that matter. The production of this software is a complex undertaking. It goes through what is called CI/CD, continuous integration, continuous deployment, which is a fancy way of saying that is a set of technologies that allow developers to develop quickly. The other part is, you know, developers don't, the other reason why developers are able to do this far faster today than they were able to do this a decade ago is because there's a lot of what is called open source software or libraries that are out there. And so as a developer, for example, if I wanted to create a retail e-commerce site,
Starting point is 00:14:54 I don't need to go rewrite the software for a shopping cart. You know, a library is available that I can just import into my application and voila, now I have that functionality. So being able to choose these various libraries for the end result that I want makes developers very productive. That broader notion is called the supply chain of software in terms of what all components developers are using to create that application.
Starting point is 00:15:20 You know, it strikes me that the CI/CD pipeline is kind of like changing the oil in your car while the engine is running. You know, that it just, there's a certain amount of complexity there. And I don't know, are we taking away developers' ability to kind of stop and catch their breath? Well, you are right. But I think the situation is a little bit more complex or involved, if I may, because developers are compensated
Starting point is 00:15:55 for delivering functionality. Very rarely is there an organization that compensates or measures their developers on how securely they're developing the software. That is part of the problem because the responsibility of security lies in a different team, which is typically headed by the CISO or cybersecurity officer. Within his or her domain is an application security team. Who has the responsibility?
Starting point is 00:16:28 So as you can see, there is almost a perverse logic. We incent developers to write features that are faster, and we don't measure or reward them on delivering security effectively. And so they're not necessarily motivated to focus on security. There is a completely different team, which is, but then they don't develop software. And so all they can do is sort of inspect the software occasionally, find issues in it and inform developers to say, hey, look, here's a long list of 100 things that are wrong. Please go fix it. And again, we have to go through the same scenario where developers now have that list of 100 things,
Starting point is 00:17:05 plus all the other feature functionality that they've been asked to deliver by their VP of engineering. And is it any surprise they almost always focus on the latter as opposed to the former? And so what do you recommend here in terms of being able to secure that pipeline? How do we do a better job of having those teams interact with each other? First is, of course, just realizing that this is happening, that CI/CD is a new way of software development, which is highly agile, that there are two very important personas here, the developers who, for application security, have to
Starting point is 00:17:43 do 70% of the work because security cannot fix issues for them. All security can do is bring their level of expertise, broader knowledge about security to prioritize issues. So, first and foremost, as I'm just describing, hopefully you're getting the sense that we need a platform that allows this collaboration to exist between these two parties. Then the second thing is collaboration is all great, but if it is working against the very requirements of a particular team, it's not going to get adopted. That's the second set of
Starting point is 00:18:21 attributes that we have to look for, we have to design for, which is developers moving fast. Feature functionality drives revenue. So that will always be the primary driver for every organization. So how in this fast-paced CI/CD can we insert security, which requires novel technologies? Unfortunately, we are still using application security tools that are at least 15 years old. They were developed for a completely different era. So we need newer solutions, newer technologies that leverage state-of-the-art innovation to deliver security very quickly and very efficiently within the CI/CD pipeline so as not to disrupt it. That's Manish Gupta from ShiftLeft.
Starting point is 00:19:45 And joining me once again is Josh Ray. He's a Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, always great to have you back. I want to touch today on something that I know is near and dear to your heart, and that's community service, and particularly when it comes to spreading around your expertise with cybersecurity. Why is this something that it's worth spending your time on?
Starting point is 00:20:39 Why is this important to you? Yeah, Dave, thanks for the question and thanks for having me back. And this is actually something I was talking to Sean Duffy, who looks after our advanced attack and readiness operations earlier today, actually. And we were just discussing how fortunate we are to really be in a profession that has a strong sense of mission and also really values service to community. When I think about how cool it is that, you know, we wake up every single day to try to make the world a safer place and fight bad guys. I mean, it's, it's something that, you know, really, I think the whole community can, can take, take notice of and really appreciate. And this is especially true when you're talking about vulnerability research.
Starting point is 00:21:23 I mean, this is a special community that has a massive amounts of passion for what they do and are really incredibly altruistic. So when we look at what the security research and the vulnerability research folks have done over the last 10 years, they've really been at the forefront of this notion of giving back to the community and sharing their research. Yeah, it really strikes me that there's a sense, as you say, of collaboration, that there's an industry-wide recognition that overall, the more information we're able to share and get out there, the better off and safer we'll all be. Yeah, absolutely. I mean, just thinking about it as the right thing to do, right? And just by example, over the past couple of years, our own security researchers who operate
Starting point is 00:22:12 in this space have, I think, disclosed something over 200 vulnerabilities to product companies. And this is not something that they were told to do. They did it because they were pursuing their passion and really because they love doing it. And I think as companies, we really need to start to embrace this notion of being altruistic and giving back to the community and rewarding the behavior of these researchers more than just kind of giving them recognition and figure out how do we actually make sure that we're really fostering this talent in the community? Well, let's dig into that.
Starting point is 00:22:53 I mean, as someone who is in a leadership position, how do you foster that amongst the people of your team? How do you show them that this is something that you support them spending their time on? Yeah, I think it's one of these things where you have to continuously challenge them and make sure that they have interesting things to do, right? They don't want to just solve the regular problems. They want to solve problems that are incredibly difficult. And if somebody tells them it's impossible, they're even more interested, right? So making sure that they have the hardest problems to solve and making sure that they know that they are directly contributing to really making the internet a safer place. What if somebody comes to you and says, you know, Josh, I have a hunch on something and this might not lead anywhere, but, you know, I have a feeling
Starting point is 00:23:37 this is a pathway that I should go down. Is that the kind of thing that you would support? Yeah, I think absolutely. And I mean, you know, as we've got folks that have kind of now the second and third generation of security leaders kind of come up in this space, I think that's kind of a realization that, you know, we've come, we have to give these folks time to breathe and kind of think because it's that level of creativity that's going to not only be good for business and their clients, but it's going to help retain that talent and help them be better as professionals as well. All right. Well, Josh Ray, thanks for joining us. Thanks. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:39 If you're looking for something to do this weekend, take a few moments and check out Research Saturday and my conversation with Jen Miller-Osborn from Palo Alto Networks Unit 42. We're going to be discussing their most recent ransomware threat report. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Starting point is 00:25:51 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.
