CyberWire Daily - Joint advisory warns of Truebot. Operation Brainleeches in the supply chain. API key reset at JumpCloud. More MOVEit vulnerability exploitation.
Episode Date: July 7, 2023

US and Canadian agencies warn of Truebot. A look at "Operation Brainleeches." JumpCloud resets API keys. An update on the MOVEit vulnerability exploitation. Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight discussing what you need to know about NIST 2.0. OSCE trains Ukrainian students in cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/128

Selected reading.
CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants (Cybersecurity and Infrastructure Security Agency CISA)
Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA (Cybersecurity and Infrastructure Security Agency CISA)
Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks (ReversingLabs)
Mandatory JumpCloud API Key Rotation (JumpCloud)
JumpCloud resets admin API keys amid 'ongoing incident' (BleepingComputer)
JumpCloud Says All API Keys Invalidated to Protect Customers (SecurityWeek)
More organizations confirm MOVEit-related breaches as hackers claim to publish stolen data (TechCrunch)
Important information about MOVEit Transfer cyber security incident | Shell Global (Shell Global)
Shell Confirms MOVEit-Related Breach After Ransomware Group Leaks Data (SecurityWeek)
OSCE helps future generation of Ukraine's law enforcers and emergency personnel build skills for safe work in cyberspace (OSCE)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
U.S. and Canadian agencies warn of Truebot, a look at Operation Brainleeches, JumpCloud resets API keys, an update on the MOVEit vulnerability exploitation, Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight, discussing what you need to know about NIST 2.0, and OSCE trains Ukrainian students in cybersecurity.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, July 7th, 2023.
The U.S. Cybersecurity and Infrastructure Security Agency and its partners, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security, have issued a joint cybersecurity advisory outlining a spike in new variants of the Truebot malware. In addition to using phishing campaigns, threat actors are now using a vulnerability in the IT auditing software Netwrix Auditor to deliver the malware. The advisory contrasts the current wave of infestations with what's been seen in the past, stating, previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments. However, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix Auditor application, enabling deployment of the malware at scale within the compromised environment. The initial infections are established through either social engineering or malicious redirection.

The advisory goes on to explain, based on confirmation from open source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants. The advisory offers extensive advice for risk mitigation, including detailed indicators and preventative measures organizations can apply. CISA also urges organizations to exercise, test, and validate their security program against the threat behavior displayed in conjunction with Truebot's deployment. The joint advisory makes it clear that Truebot is an information-stealing kit used by the ransomware gang Clop and other threat organizations to gain access to and exfiltrate victims' sensitive data. Clop is, as regular listeners will know, a Russian-speaking gang motivated principally by profit but also given to acting against targets in states viewed as hostile by Moscow. Effectively, they're privateers, and nowadays, states viewed as hostile by Moscow amount to a pretty rich target set.
In another issue affecting the software supply chain, researchers at ReversingLabs have discovered more than a dozen malicious packages in the npm open source repository. The packages are designed to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users. The researchers note that this may be the first dual-use campaign in which malicious open-source packages power both commodity phishing attacks and higher-end software supply chain compromises. The packages impersonated legitimate npm modules such as jQuery and had around a thousand downloads before they were removed.
JumpCloud is resetting API keys for its clients' admins.
The company released a statement yesterday that said,
Out of an abundance of caution relating to an ongoing incident,
JumpCloud has decided to rotate all application programming interface keys
for JumpCloud admins.
These keys are used for authenticating a user or application
and are commonly used in IoT products.
The keys are static, which means they're stored on a system or device and have to be manually changed or rotated.
In some cases, changing a static key is referred to as rolling codes.
The API key rotation seems to specifically affect admins, as the company's instructions on its support page are geared towards them or command runners.
Details on what prompted the rotation are scarce, but for now, JumpCloud is urging customers to reset their API keys for enhanced security.
Shell Global has disclosed that it had sustained a data exposure incident via exploitation of the third-party MOVEit Transfer vulnerability that has afflicted other organizations. The energy giant said that the incident was not a ransomware attack, but rather that some personal information relating to employees of the BG Group has been accessed without authorization. Affected individuals are being notified.

SecurityWeek writes that it's unclear what sorts of data have been compromised, stating, toll-free phone numbers where additional information can be obtained have been made available for employees in Malaysia, South Africa, Singapore, the Philippines, UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, suggesting that affected people may be from these countries.

TechCrunch notes that while Shell has said it wasn't hit with ransomware, the company may well have been the target of attempted extortion by the Clop gang, which has been behind most of the publicly known exploitation. That need not have involved ransomware in the traditional sense, that is, malware that renders the victims' files inaccessible until they pay, and it may have amounted to a threat to dump stolen personal information. This has indeed become commonplace, as many crooks are now simply skipping the traditional encryption of victims' data.

Shell also isn't alone, as other recently affected organizations have come to light. Higher education figures prominently among them, as colleges and universities have seen data compromised through security incidents affecting the National Student Clearinghouse and the Teachers Insurance and Annuity Association of America.
The Organization for Security and Co-operation in Europe, OSCE, is running cybersecurity training for Ukrainian university students preparing for careers in law enforcement or emergency response. The OSCE's announcement explained that the training is in defensive operations, stating, the training covers basics of cyber safety rules, including ways to protect personal data, main threats and risks related to the use of email, social networks and other tools, security tips for IT equipment, including mobile phones, features of malware and needed physical measures to ensure protection of information resources. It's another example of the international support Ukraine has attracted in defending itself in cyberspace.
Coming up after the break, Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight, discussing what you need to know about NIST 2.0.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak. Learn more at blackcloak.io.
Version 2.0 of the NIST cybersecurity framework is imminent,
and many CISOs are eager to know how the updated framework may affect them and their organizations.
Mike Hamilton is founder and CISO for Critical Insight,
a managed detection and response and cybersecurity as a service company.
Previous to founding Critical Insight, Mike Hamilton served as CISO for the City of Seattle.
I checked in with him for details of the NIST 2.0 cybersecurity framework.
Well, the history is that this was
a project that was commissioned by the Obama administration, and NIST, the National Institute
of Standards and Technology, was tasked with creating a standard of practice framework that could be implemented by any
organization. And they successfully did this. So it is an outcome-based framework, meaning it's
not prescriptive. It doesn't say have this control in place. It says make this thing happen. And how
you do that is up to you. So if you're a small company, you may do it one way. If you are Lockheed,
you're going to do it a different way with lots of people and lots of tools, but just meet the
outcome. This revision is part of just the cycle of going back and looking at it and making some
adjustments that, to me, seem to be in line with the increasing regulatory pressure on critical infrastructure,
yet, because this is applicable to all organizations,
the language that's specific to critical infrastructure was taken out.
And I think that's really one of the main things about this new revision.
They're really trying to make it universal.
Well, before we dig into some of the details, is it fair to say that the initial version of NIST received high marks and was generally regarded as a good thing?
Oh, absolutely. You know,
where it was recommended by the federal government to be used by critical infrastructure sectors,
it was pretty well adopted by lots of organizations, whether they were regulated
critical infrastructure or not,
because it is an outcome-based framework. And it does, if you modify it a little bit,
it can be your risk assessment tool to the extent that you are required to do an annual risk
assessment. And now even that's for insurance purposes, right? Insurance companies have become
the kind of universal regulators.
Well, everybody wants you to do an annual risk assessment, and this is a great way to do it. So,
yeah, there's been great uptake.
So, I'm a CISO here, and I'm running my company, doing my best to keep up, and I know this is coming. What are some of the things I need to know in terms of some of the changes here?
Well, I'll tell you what's in and what's out.
So what's in, cybersecurity outcomes applicable to all organizations,
which is commensurate with what I just said about language that's specific to critical infrastructure has kind of been removed.
There's also a new section about govern, right?
In the original NIST 1.1, which is what we've been using,
there's identify, protect, detect, respond, recover, and they've
added govern to that as a separate focus area or domain
or whatever you want to call it, and removed the governance
areas from the identify domain and made that its own.
Also some from the protect functions as well, which is consistent with guidance from, for example, the SEC saying that, listen, we want you to have somebody on staff who is responsible and accountable. We want you to have board representation, et cetera, et cetera.
So both in terms of your own risk management where you need to get
fingerprints on things like accepting
risks, but also to be aligned with some
of the new regulatory guidance coming
out, govern is really important. So
detect, respond, and recover function,
detection and response of incidents is a
little more vigorously defined in there. And the new govern function covers
organizational context, risk management strategy, policies, procedures, roles, responsibilities,
everything you would think is in there. So that's largely what the ins and outs look like.
What's new are the supply chain risk management outcomes that they want, and this is
starting to be really ubiquitous. Recently,
Health and Human Services put out, I think it's NIST 800-66R2,
which talks about the fact
that if you're a covered entity in healthcare under HIPAA,
your incident response planning
needs to cover your third parties. And so all this is starting to congeal. It looks like there's
really some coordination behind this. Also, continuous improvement through a new improvement
category in the identify function or domain is there. They are leveraging the combination of
people process and technology to secure assets across all categories in the protect function.
Resilience is a new word that is showing up in the framework that wasn't there before through a new protect category.
Yeah. How do you anticipate the rollout of this happening here in terms of people adopting it and it becoming an expected standard?
Well, there are a couple of ways that can happen. And the one where the federal government has
leverage is in the critical sectors. And so new guidance has been provided to pipelines, water,
maritime ports through the Coast Guard, rail, aviation, smart cities. And they're not requiring
this, but it's being strongly advocated as your method of determining what your gaps are in
meeting the desired outcomes and therefore what your corrective action plan would look like.
And if you take that a step further, how you would budget for that.
This is the way that we use the tool with our customers.
We end up with a risk assessment, a corrective action plan,
and budgetary asks for all the gaps that we need to close.
And so I think for the critical sectors, it's going to be a no-brainer.
There's going to be uptake there.
When we start
talking about non-regulated or non-critical sectors where the government doesn't have that
kind of oversight, because there is a push by the federal government to make sure that when the
federal government buys something, it has an enormous power of the purse. And so they can hold organizations
they do business with to a standard, and this is becoming the standard. And if you are a business
that does business with someone who is a DOD contractor, this cascades down to you as well.
So of all of the standards of practice that you could pick out there,
this is the one that's the lightest touch, right?
Nobody would go voluntarily say, well, we're going to align with NIST 800-53.
It's 15 pounds of paper that's only applicable to federal agencies.
Or the ISO standard, right? That's really, or a HITRUST. Those are really, really heavy lifts.
This is the gateway drug to starting to manage your security program appropriately. And so I think because of some of the things the federal government's doing with the national cybersecurity
strategy and wielding the power of the purse, I think there's going to be a lot of uptake.
What is your take on this? Do you feel as though this is the right thing at the right time?
Are you pleased with what they've come out with here?
Oh, absolutely.
I think, well, starting with the Obama administration and coming up with the NIST framework and making that available to everyone, I mean, that was great.
But some of the things that the federal government is doing now that align with that, as I mentioned, not only
using the purchasing power of the federal government to say,
if your product isn't secure, we're not going to buy it. That makes all the sense
in the world. So I think that
this has been a really good thing in combination
with a lot of things that are going on now.
In the beginning, it was like, well, it's another standard of practice.
You know, it's a burrito.
It's a tostada, right?
The ingredients are the same.
The packaging is a little different.
Now it's emerged as something more.
And I think it's got a lot to do with that national cybersecurity strategy.
That's Mike Hamilton from Critical Insight.
There's a lot more to this conversation.
If you want to hear more,
head on over to the CyberWire Pro
and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
And it is always my pleasure to welcome back to the show Andrea Little Limbago. She is Senior Vice President for Research and Analysis at Interos.
Andrea, always great to welcome you back.
I want to discuss with you today looking at where we find ourselves when it comes to global politics and policy
and how that affects folks in cybersecurity.
I know it's a big topic, but I'm counting on you to bring it home for us here.
What are your insights?
Yeah, it is a big topic, but it also is one that I think
is not getting quite as much attention as it should.
And there's a whole range, I think, to your point,
of issues on the global front
that have direct implications for cybersecurity.
One would be the growing data privacy laws
and cybersecurity laws are being passed
throughout the globe.
And in many regards, that's welcome news
for better data protection.
But in some cases, that leads to greater data access,
depending on where you are.
And so that's where the notion of data sovereignty comes into play, where you have localized data policies and laws.
And in many cases, requiring data storage, for instance, within the sovereign territory.
And that can come with some risks.
And those risks really are overlaid with the geopolitical situation, where if your data is required to be stored in a country,
for instance, that might be an adversary
to where you are located, say, in the US or in Europe,
then that's going to put your data at potentially greater risk
if it's stored in an adversarial country.
So I think that's one big trend that we're seeing,
is just the notion of digital authoritarianism,
where governments are trying to get greater control and leveraging everything from spyware and disinformation
to national policies to enable access to data and data storage to have greater control over that
data. So we're seeing that occur on the one hand. And then on top of that, we're also seeing
decent increase in instability and protests across the globe. As we're seeing areas of democratic decline, we are seeing people push back against that.
But what goes along with that very often is a wave of disinformation
and various kinds of cyber attacks can correspond with the broader instability that may happen.
And one irrelevant example is in the recent French protests that have been going on.
We also saw pro-Kremlin hackers attack the parliament around the same time.
I'd argue that that's not coincidence that that happens during times of instability.
We also see during times of elections, greater cyber attacks and disinformation campaigns really causing a lot more instability within countries.
So you see that going on as well, where this instability is basically exacerbated due to the cyber threat landscape.
What about the instability in a platform itself? And I'm thinking specifically
of Twitter here, where, you know, I think for a long time, we kind of knew what we had with
Twitter. We knew what it was good at and what it was bad at, and we knew how to navigate it. And it seems like, you know, lately with the new
management there, that there's been a whole lot of chaos injected into that. And as a global
provider of information, it seems to me that's got to have an effect on things as well.
I think it does. And what's interesting is really the,
I think there's a big transition going on in the social media landscape as well.
So I'd argue, you know, a year ago,
especially in the security community,
we leveraged Twitter a lot for information,
but we also have seen a massive exodus from Twitter
in the cybersecurity community with some of these shifts.
And so it's no longer the source of information
that it once was.
And given that, and I think that's happened in different spots, that there are communities
that no longer view Twitter as that source of information.
So they're looking elsewhere.
And one of the key places many people are looking at is TikTok.
And so we see that going on as far as Congress reviewing whether to ban TikTok.
And we see across states, within the United States, many state governments are banning the use of TikTok by its employees for security concerns.
So that's also another side of it where you do still see Twitter being used a bit, but I think that's decreased.
But it still is definitely a concern, and different parts of the globe depend on different social outlets, social media outlets.
And so they are definitely still being leveraged. And even, you know, Facebook is still
quite a big source of information globally. I think we see it maybe not as prominent in the
U.S. as it once was, but in many countries it still is a main source of information. And that's
where we still see plenty of disinformation campaigns, plenty of malvertising and so forth. So it's still very
much so is a platform that can be abused to help prompt and instigate greater instability.
You know, as we track the ups and downs around the globe, when it comes to the rise and fall
of democracy and communication and
disinformation. Is it fair to say that right now we're in a little bit of a trough here?
I hope we've reached the low point.
That's a good way to spin it. That's a positive spin. I love it.
That would be great if we reached the rock bottom of it
and we're now going to be back moving in a better direction.
But it has.
It's been on decline for about 15 years.
That alone is a big source of instability.
But I do think, on the one hand,
we're seeing a lot more protests against governments.
And that's everywhere from, if you remember,
the protests in Canada last year
that blocked some of the routes in between the U.S. and Canada.
India had enormous protests over the last few years.
I'd like to think that's indicative of greater engagement,
which is what democracy requires.
And so on the one hand, the protests do lead to some instability.
We see it in Peru, in Nigeria, we see it in France right now.
But ideally, it will hopefully lead to stronger democracies through greater civil engagement.
That is the optimistic take on that, but it's going to be a challenge. I mean, we do still see
authoritarianism spread. We see authoritarian-leaning parties gaining greater control
across governments in Europe, for instance.
It is still very much a concern, but I do think there's greater awareness.
And I think this, again, is where we're seeing more and more democracies start to collaborate together to help offset the authoritarian spread.
And that's a great thing.
We've seen greater collaboration across democracies over the last few years
than we had seen arguably in the previous 10 to 20 years. And I think that's, you know, hopefully been an unfortunate wake-up call
from Russia invading Ukraine, was a democracy starting to work together in new and innovative
ways to help counter some of the spread of authoritarianism.
Yeah. All right. Well, Andrea Little Limbago, thanks so much for joining us.
All right. Thank you, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
With TD Direct Investing, new and existing clients could get 1% cash back.
Great. That's 1% closer to being part of the 1%. Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing.
Conditions apply. Offer ends January 31st, 2025.
Visit td.com slash dioffer to learn more.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Thomas Etheridge from CrowdStrike.
We're discussing their work, Business as Usual: Falcon Complete MDR Thwarts Novel Vanguard Panda Tradecraft.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The CyberWire
are part of the daily intelligence routine
of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.