CyberWire Daily - Log4j issues persist. Konni RAT found in New Year’s greetings. Hacktivism or state-directed cyber action? Moscow worries about Mr. Klyushin’s knowledge. The Show-Me-Too-Much State.

Episode Date: January 4, 2022

It’s going to take time, vigilance, and attention to detail to manage the Log4j risks. A North Korean APT is trying to install the Konni RAT into Russian diplomats’ devices. More hacktivist-looking incidents follow the anniversary of Iranian General Soleimani’s death. Other, self-inflicted, software supply chain incidents. The Kremlin is said to be worried about what Mr. Klyushin might tell the Americans who’ve got him in jail. Ben Yelin on the tension between ephemeral messaging apps and the public’s right to know. Mr Security Answer Person John Pescatore joins our show. And the Show-Me state needs to rethink all that showin’. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/2 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. It's going to take time, vigilance, and attention to detail to manage the Log4j risks. A North Korean APT is trying to install the Konni RAT into Russian diplomats' devices. More hacktivist-looking incidents follow the anniversary of Iranian General Soleimani's death. Other self-inflicted software supply chain incidents.
Starting point is 00:02:21 The Kremlin is said to be worried about what Mr. Klyushin might tell the Americans who've got him in jail. Ben Yelin on the tension between ephemeral messaging apps and the public's right to know. Mr. Security Answer Person John Pescatore joins the show. And the Show-Me state needs to rethink all that showin'. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 4th, 2022. The Log4j vulnerabilities continue to represent a difficult software supply chain risk, one that's proving complex and resistant to any quick and easy solutions. Microsoft yesterday updated its guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. It's clear, sobering, and worth attention. In brief, Microsoft's researchers have been seeing ongoing exploitation across the full range of threat actors,
Starting point is 00:03:38 from intelligence services down to low-level grifters using commodity tools. The vulnerabilities represent, in sum, a complex and high-risk situation for companies across the globe. That risk extends beyond applications that use vulnerable libraries to any service that uses such applications. Redmond concludes, quote, Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing sustainable vigilance, end quote. A note in full disclosure: Microsoft is a CyberWire partner, but we'd think this guidance worth a look, even if they weren't.
Starting point is 00:04:26 The good news, as the Washington Post sees it this morning, is that both companies and government agencies seem to be taking the issue seriously and have been more on top of things than they were, for example, in the earlier Shellshock and Heartbleed incidents. May the vigilance be as ongoing and sustainable as possible. Since the effects of vulnerabilities in software libraries can cascade so rapidly, Dark Reading sees an object lesson in the Log4j incident. The experience should lend more impetus to making software bills of materials the norm. We have more coverage of the Log4j affair on the Pro section of our website, thecyberwire.com. The DPRK's isolation would lead one to think that North Korean APTs are interested in targeting most countries,
Starting point is 00:05:17 and that seems to be the case. Cluster25 reports finding a New Year's virtual greeting card screensaver packed as a zip file. It's directed at Russian diplomats, and it carries Pyongyang's familiar Konni remote-access Trojan (RAT) as its payload. The tactic may seem too obvious, too dopey for anyone to fall for, but, as Recorded Future points out, it's a good bet somebody will, because almost always, well, somebody does. Inattention, fatigue, misplaced trust, curiosity, all of these and more are at work in the social engineer's favor. And be honest, who among us hasn't been tempted in one of those moments of weakness to take a peek? It's worth noting that this isn't a one-off attempt.
Starting point is 00:06:06 Cluster25 says the greeting with the fishhook is the most recent in a series of North Korean attempts to compromise Russian diplomatic targets. Hackread says that the Israeli Hebrew-language news outlet Ma'ariv had its Twitter account compromised briefly with a message similar to the one the Jerusalem Post received in a website defacement. The content injected in both cases warned of vengeance for the death of Quds Force Commanding General Qasem Soleimani in a U.S. drone strike two years ago. It's unclear which group specifically was responsible for either incident, but alignment with Iranian policy seems obvious enough.
Starting point is 00:06:47 Reuters reports that Iranian President Ebrahim Raisi yesterday demanded the trial of former U.S. President Trump and Secretary of State Pompeo for the murder of Soleimani, which the U.S. has characterized as a legitimate battlefield killing. Failing such a trial, President Raisi said, quote, Muslims will take our martyrs' revenge, end quote. The list of people President Raisi wants to see face justice is longer than just two.
Starting point is 00:07:15 Iranian Prosecutor General Mohammad Jafar Montazeri says Iran has complained to authorities in nine countries, identifying 127 suspects, 24 of whom are U.S. nationals. Some revenge will be kinetic, and the Wall Street Journal reports that it seems to have begun, as irregulars aligned with Tehran have conducted a drone strike in Baghdad and intercepted an Emirati-flagged ship. But cyberattacks of the kind seen this week against the Jerusalem Post and Ma'ariv are easy, low-risk forms of retribution as well. Log4j represents a big, serious, and difficult-to-manage supply chain risk,
Starting point is 00:07:59 but there are other, lower-grade risks, too. Bleeping Computer notes one: copying and pasting commands found on a website. They cite a proof-of-concept offered by Gabriel Friedlander, founder of the security training platform Wizer. It's easy, of course, but the problem is that the website could very well be having you copy a very different command from the one you saw and that you thought would make your task easier. And of course, that other command might be malicious,
Starting point is 00:08:31 or at least might not have your best interests at heart. If copy you must, then Bleeping Computer recommends pasting what you've copied into a text editor first, where any shenanigans and bogosity will be more evident. Vladislav Klyushin, a Russian tech oligarch whom Swiss authorities extradited to the U.S. on December 18th, is again in the news. The charges in the U.S. warrant involve trading securities on the basis of non-public information obtained through hacking, essentially an outsider's form of insider trading of companies that don't want him on the inside in the first place. Bloomberg, however, reports that his arrest and time in U.S. custody is proving a significant worry for the Kremlin.
Starting point is 00:09:18 Mr. Klyushin is credibly believed to be in possession of information, perhaps documents, outlining a number of Russian intelligence operations that range from Fancy Bear's prance through the 2016 U.S. elections to the attempted assassination by nerve agent of GRU defector Sergei Skripal in 2018. The Russian government is believed to be concerned about the intelligence trove Mr. Klyushin might be induced to give the Americans. M13 describes itself as a company that specializes in IT solutions for media monitoring. It employs a staff of more than 100 developers, linguists, media analysts, and other experts who have the necessary skills and expertise in creating powerful and commercially successful automated tools for monitoring and media analysis.
Starting point is 00:10:09 It counts a number of Russian organizations among its customers: the Presidential Administration of the Russian Federation, the Government of the Russian Federation, federal ministries and agencies, regional state executive bodies, commercial companies, and public organizations. And Mr. Klyushin is generally thought to be as well-connected as his company's client list would suggest. Bloomberg quotes sources who think Mr. Klyushin's having been permitted to vacation in Switzerland represents a major security failure on the part of the Russian organs. Finally, if you are given to seeing wheels within wheels, you can consult the Daily Mail, unrestrained as usual, which is running a screamer headline to the effect that Putin fears Kremlin insider extradited from Switzerland to US
Starting point is 00:10:59 may have DEFECTED. That's defected, capital D, capital E, capital F, capital E, capital C, capital T, capital E, capital D. No exclamation point, so what's up with that? Are the Mail's editors asleep at their keyboards? Anyway, what's known is that Mr. Klyushin is in U.S. custody and that he was a very well-connected guy back in the old homeland. And finally, remember the story that broke back in October when the St. Louis Post-Dispatch found a misconfigured website belonging to Missouri's Department of Elementary and Secondary Education? Apparently, the department had put a lot of teachers' Social Security numbers on a publicly accessible web page.
Starting point is 00:11:45 All you had to do was view page source or inspect on the web page, and there they were. The Post-Dispatch informed the Department of Elementary and Secondary Education before they published to give the state agency an opportunity to fix its data privacy issue before other people knew about it. This sort of thing is normally thought of as responsible disclosure, but Missouri Governor Parson didn't see it that way. He ordered an investigation and urged the prosecution of the reporter and the newspaper and the newspaper's corporate masters for hacking, for breaking into an IT system. We contacted the governor's office back then to see what law
Starting point is 00:12:25 he believed had been broken, but we've received no response. Anywho, last week, Governor Parson said again that he expected the reporter to be prosecuted now that the highway patrol had concluded its investigation and turned the results over to the responsible Cole County prosecutor. We contacted Governor Parson's office again because that seemed the fair thing to do and asked again for the governor's views on what law had been broken and how. We didn't get a response this time either, but Governor Parson is widely quoted as saying this, quote, If somebody picks your lock on your house for whatever reason,
Starting point is 00:13:05 it's not a good lock, it's a cheap lock, or whatever problem you might have, they do not have the right to go into your house and take anything that belongs to you, end quote. The analogy seems wayward at best. A better one would be something like this. If you forgot to put clothes on and went out to the store in a state of nakedness, the other shoppers would have the right, perhaps the duty, to say, friend, put some pants on. Even in the Show-Me state, sometimes y'all just show too dad-blamed much. Know what I mean?
Starting point is 00:13:40 And we hope the reporter responsible for the story has Ctrl-U'd himself into a Pulitzer. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:14:17 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:14:49 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. at blackcloak.io. There comes a point in just about everyone's cybersecurity journey where you're just not sure who to turn to, whether it's a technical question, an executive decision, or perhaps even an affair of the heart.
Starting point is 00:16:03 John Pescatore has been in the cybersecurity world for a while now, has been around the block a few times, has seen a few things, and lived to tell the tale. He joins us to help answer your questions in this occasional segment we call Mr. Security Answer Person. Mr. Security Answer Person. Hi everybody, I'm John Pescatore, the Security Answer Person.
Starting point is 00:16:42 With this segment, we're going to try to answer some of those questions about the crazy terminology we see used in cybersecurity or things you might see vendors doing or the threat actors doing or consultants doing. I've worked in cybersecurity a long time. I went out of college and joined NSA, then the Secret Service, early on in my career. And then for 14 years, I was a lead security analyst at Gartner. And then for over nine years, the director of emerging security trends at SANS. And lots of questions have come up over those years on a lot of interesting topics and a lot of crazy terminology we use in cybersecurity. We're going to take a shot at answering some of your questions in this segment.
Starting point is 00:17:20 Today's question is, earlier this year, all my security product vendor incoming emails switched from pitching anti-ransomware products to zero-trust products. What the heck is going on, and could zero trust ever actually be a good thing? That's a great question. For many years, I've done the grocery shopping for the Answer Person family, and we've been buying the same brand of breakfast cereal for many years. But I've noticed that periodically the front of the box would tout gluten-free for a while and then high in antioxidants or no added sugars. But the ingredients on the side of the box would stay the same. As far as all the Pescatores could tell, the taste never changed.
Starting point is 00:17:56 And if you left it in the milk too long, it still got soggy. Marketeers with MBA degrees like to call this brand freshening, but I like to call it buzzword surfing. Companies selling products want to try to differentiate from other nearly identical products that do all the same things because they're trying to avoid commoditization, where prices get driven down. So they jump on the latest buzzwords over and over again. Of course, pretty quickly, every vendor has done the cut and paste of buzzword N to replace buzzword N-1, and they are back to the starting line. Time to freshen up again. So let's zero in on zero trust.
Starting point is 00:18:31 But first, pardon me for a little bit more of Mr. Answer Person-splaining. When internet connectivity first began to show up in businesses, attackers took advantage and havoc ensued. The Morris worm way back in 1989 was an early example. That took down 30% of the Internet at the time. This resulted in the development of the firewall to block everything not explicitly allowed, and for a very short period of time, life was good. However, probably the very next day,
Starting point is 00:18:59 businesses found they absolutely needed new ports opened and new services exposed to the Internet, and holes had to be punched through the firewalls. And attackers had a great time, leading to the damaging Slammer, Blaster, Code Red, and Nimda worms of 2001 and 2003, and security folks began to add many, many more layers of security and having to rinse and repeat and keep doing it from there as threats evolved. By the way, this is where the term spending in depth, I mean security in depth, came from. In 2004, a group of CISOs created something called the Jericho Forum and pushed the concept of de-perimeterization, which was based on the idea that all endpoints
Starting point is 00:19:37 should be able to protect themselves without relying on a perimeter firewall and that only secure protocols should be used. This sounded good, but of course in the real world, Windows kept having constant critical vulnerabilities show up. Sysadmins kept making mistakes in setting up PCs and servers, and there wasn't a chance in hell that any real business could keep every endpoint safe without some form of external protection. The Jericho Forum faded away. But that did lead to the concept of network access control, the idea that any time a device connected to the network, it should be checked to see if it was dangerous or vulnerable
Starting point is 00:20:11 before allowing it to access an internal network. Unfortunately, next standards battles erupted between Microsoft ("Windows internals and Active Directory are the answer") and Cisco ("IOS features in switches and VPNs will solve all problems from the network"), causing many implementation issues since pretty much everyone was forced to use Microsoft software and Cisco networks. In 2010, Forrester essentially extended the basic ingredients of network access control and mixed in an emulsion of Jericho Forum tidbits and published a research note using the very catchy name of Zero Trust. It was briefly the buzzword du jour, but quickly ran into the same real-world issues that de-perimeterization hit. The bottom line is Zero Trust is only doable after you have implemented all the other security basics. For example, if users are still using reusable passwords, you can't trust identity
Starting point is 00:21:01 since phishing attacks succeed so often. If you don't have a high-accuracy asset inventory, strong change management, and granular privilege and application security controls, you can't trust that the endpoints aren't already compromised and dangerous. You must do the foundational essential security hygiene steps before you can even think about zero trust. Zero trust can only be the endgame, not the starting point. For example, in 2011, Google started working towards defining how they could achieve something
Starting point is 00:21:30 like zero trust and what Google now calls BeyondCorp. It took several years for them to even define what that meant across Google and then five more years to develop and improve the processes needed to implement something close to zero trust. Not many companies have the resources and staff Google does, however. So to finally answer the question, in President Biden's May 2021 executive order, one element specifically said government agencies were required to, quote, develop a plan to implement zero trust architecture, unquote, and overall used the zero trust term 11 times, almost twice as frequently as it mentioned moving to multi-factor authentication, which, as I mentioned, has to be a
Starting point is 00:22:09 precursor to reaching zero trust and which all of us know in security is the single most important thing we can do to improve security. But from that executive order flowed all that zero trust brand freshening spam that you've been seeing. But not to worry, in 2022 we're sure to have a new buzzword coming along. I'm betting on security turmeric. Mr. Security Answer Person. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Starting point is 00:22:39 We hope you enjoyed Mr. Security Answer Person. To submit your own question to Mr. Security Answer Person, email us at questions at thecyberwire.com. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, data and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting story from the Washington Post. This is written by Steve Thompson, and it's titled, Maryland Governor Larry Hogan's Messages to State Employees Self-Destruct in 24 Hours. What's going on here, Ben? So the governor of our great state of Maryland has been using an app called Wickr,
Starting point is 00:24:37 which deletes all communications after 24 hours. The concern here is that this violates public records retention laws. That's why this is a legal and policy question. It seems like the governor was mostly using this to let off steam. The Washington Post obtained some of the communications and it was, you know, things that you might hear in a private text conversation, complaining about bad media reports, saying that he's being covered unfairly, criticizing individual reporters. It's the type of thing that you would see on your own company's Slack channel,
Starting point is 00:25:12 talking about your boss or your worst client or something. The problem is there are laws that at least theoretically allow the public to access those communications if they are in the public domain. So the governor's spokesman said that they paid for the application through the governor's private campaign account, which is fine. But he also said that his communications were mostly among private individuals, so people who didn't have government jobs. Notably, that means that some
Starting point is 00:25:46 of the communications were with people who had government jobs, and according to this article, they were talking about public matters in some of those communications, including response to the COVID-19 pandemic. That's where those records laws really come into play. Records
Starting point is 00:26:02 laws, they're not really well-suited for an age where communications are deleted after 24 hours, because you can challenge, you know, the fact that a government record hasn't been released, but then you have to go through a whole judicial process that necessarily involves, you know, discovering something about the communication in question. And if that communication's been permanently deleted, then you're sort of out of luck.
Starting point is 00:26:35 Which leads me to believe that we might need to update our records laws to be more responsive to these types of scenarios where you have people using these applications potentially to skirt around these public communications regulations. Yeah. I guess part of me wonders about in the old days, the good old days of telephone calls with landlines and so on and so forth, Perhaps a public records law like this would be able to pull the phone records, but really all you would get from that would be the metadata.
Starting point is 00:27:10 Who I called, when, how long, but you wouldn't get the contents of the conversation. Right. And I don't know that I think it should be fair game for every one of my text messages to be discoverable. Right. You're also not a public official. No, no, no.
Starting point is 00:27:30 Right. What I'm saying, even if I was a public official, in an era where text messaging has taken over much of what we used to make phone calls for or even private conversations, have we gone a little too far? I understand the need for transparency among our, our public officials, but at the same time, I talked to any politician, talk to any business person. A lot of what gets done are the side conversations and they're necessary that they, they have to, sometimes you have to be able to have a private conversation to get things done. And I realized that that can get you into sticky areas. But I don't know.
Starting point is 00:28:09 I just wonder if we're going a little too far with this. What do you think? Yeah. You know, in my personal opinion, I kind of think we might have gone a little bit too far. Yeah. Sometimes you get public information requests and they're going to reveal, you know, what seems like embarrassing gaffes from politicians or business leaders. And really, to me, it's just, you know, all of us in our private communications with people have moments of levity, moments where we're making fun of somebody, you know,
Starting point is 00:28:38 moments when we're using language we may not, you know, otherwise use. Right. And, you know, it just happens to be that if you are in the public sector, if you're in the government, those communications can be made public and can be used to embarrass you. And it can also lead to further investigations. So, yeah, I kind of think it has been a little overzealous. The laws still do exist, though. So, you know, I think it is the responsibility for individual government officials to make sure they're complying with those records retention statutes. But, you know, just speaking as a human being, I, yeah, I do think, you know, I don't need to see every single Larry Hogan communication about a mean Washington Post reporter. I don't think that's necessarily in the public interest.
Starting point is 00:29:31 Yeah. Do you suppose that we could find a situation where these sorts of ephemeral messaging apps are prohibited for use from public officials where they just can't use them? That's hard to say. I mean, we've now had a couple of states. It also happened in Missouri. They were using a similar application and there was an attorney general investigation. This was the governor, the former governor who was using this application. But, you know, without access to the communications, you can't really prove a violation of a statute. So it didn't really go anywhere. You know, because of that, I don't think we're going to see any outright bans.
Starting point is 00:30:09 It just wouldn't be worth it for legislators. It's a loophole, Ben. They found a loophole. They found a loophole. Now, I would not be surprised if we saw some proposals, you know, especially in the state of Maryland or in the state of Missouri, trying to highlight the fact that the government
Starting point is 00:30:26 used this encrypted application. So yeah, I mean, if you're an enterprising legislator and you happen to be a good troll, now might be a time to abolish banning communications on apps like Wickr among public officials in Maryland. Not suggesting that, I'm just saying it might happen. Right, okay. All right, well, again, the article's over on the Washington Post,
Starting point is 00:30:50 written by Steve Thompson. Maryland Governor Larry Hogan's Messages to State Employees Self-Destruct in 24 Hours. Ben Yelin, thanks for joining us. Thank you. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:32:34 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
