CyberWire Daily - Log4Shell exploited by criminals and intelligence services. Private sector offensive cyber capabilities. Noberus ransomware used in double-extortion attacks. Squid Game phishbait.

Episode Date: December 16, 2021

Log4Shell is exploited by criminals and intelligence services. Private sector offensive cyber capabilities are on par with nation-states. Noberus ransomware is used in double-extortion attacks. Malek Ben Salem from Accenture looks at cyber twins. Our guest is Tom Kellermann from VMware with reaction to CISA's Binding Operational Directive. And Squid Game phishbait. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/240

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Log4Shell is exploited by criminals and intelligence services. Private sector offensive cyber capabilities are on par with nation-states. Noberus ransomware is used in double extortion attacks. Malek Ben Salem from Accenture looks at cyber twins.
Starting point is 00:02:16 Our guest is Tom Kellermann from VMware with reactions to CISA's Binding Operational Directive. And Squid Game phishbait. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 16th, 2021. DeSite, in a long and glum piece on the implications of the Log4Shell vulnerability, points out that the term "affected" can be ambiguous, particularly when it appears in phrases like "not affected." What counts as affected? It's not necessarily synonymous with attacked, breached, or even vulnerable. If you've had to devote time and resources to inventorying your software for a specific vulnerability, there's a sense in which you've been affected, even if at the end of it all you've found nothing. There have been reports of Log4Shell
Starting point is 00:03:32 exploitation by both gangs and intelligence services. The crooks and spies have been up and at them this week. Haaretz reports, citing sources at Check Point, that Iranian operators had by yesterday sought to compromise seven Israeli governmental and commercial targets using Log4Shell exploits. Both Microsoft and Mandiant have warned of Chinese and Iranian exploitation of the vulnerability, the Wall Street Journal sums up, adding that Microsoft also reports seeing North Korean and Turkish attempts to take advantage of Log4j. The Chinese embassy in Washington told the Journal that they're opposed to cyber attacks of any kind. The embassy also pointed out that it was a Chinese company that first discovered the issue and disclosed it to Apache. In fairness to Beijing, they're right about that second point. Alibaba's cloud security team found and reported the problem on November 24th.
Starting point is 00:04:29 In some respects, however, nation-state exploitation seems almost a case of a dog not barking. The Journal quotes CrowdStrike's senior vice president of intelligence Adam Meyers to that effect, quote, it's a surprise it's not more widespread. The question that everyone is asking is, what aren't we seeing? End quote. Mandiant also expects to see more nation-state exploitation, quote, we expect threat actors from additional countries will exploit it shortly if they haven't already. In some cases, state-sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so.
Starting point is 00:05:18 And one of those dogs that's not obviously barking? Well, not dogs, but in this case, bears. Russian state actors, BGR observes, are noticeably not being mentioned in dispatches. Google's Project Zero concludes that companies are now able to develop offensive cyber capabilities once thought to be within reach of only a few nation-states. In their recently published research into NSO Group's Pegasus exploits, Project Zero writes, quote, based on our research and findings, we assess this to be one of the most technically sophisticated
Starting point is 00:05:55 exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states. And it's not just Apple products. Quote, Citizen Lab was able to recover these Pegasus exploits from an iPhone, and therefore this analysis covers NSO's capabilities against iPhone. We are aware that NSO sells similar zero-click capabilities which target Android devices. End quote. They haven't got any Android samples, but maybe you do, quote, Project Zero does not have samples of these exploits, but if you do, please reach out, end quote.
Starting point is 00:06:37 Project Zero worked on a sample of NSO Group's FORCEDENTRY tool obtained by Citizen Lab in the course of its investigation of a zero-click iMessage exploit used earlier this year against a Saudi activist. Apple's Security Engineering and Architecture group cooperated with Project Zero on the technical analysis. Symantec has an update on the ALPHV/BlackCat ransomware group, in which the researchers describe the Noberus ransomware the group's campaign uses. Noberus, which exists in at least three versions, is unusual in that it's written in Rust.
Starting point is 00:07:14 It's commonplace that it's in use in double extortion scams. IBM says that Squid Game remains popular phishbait, much used against fans of the Netflix series. IBM recommends that businesses address these campaigns with employee awareness training. ZDNet reports that Amazon Web Services experienced a brief disruption yesterday. Unlike last week's disruptions, which centered on AWS's US East 1 region, yesterday's are said to have affected the US West 1 and 2 regions. The AWS Service Health dashboard this morning
Starting point is 00:07:51 shows all North American services operating normally. French police have arrested a man on charges related to laundering more than 19 million euros in ransomware payments, according to The Record. The U.S. Federal Reserve is moving in many areas of monetary policy, but yesterday, Federal Reserve Chairman Jerome Powell told CNBC that cyber attack represented the most significant threat to financial stability. And finally, to return briefly to Log4Shell, it's worth noting that many official bodies have issued warnings and guidance on it. Among those is the U.S. Federal Bureau of Investigation.
Starting point is 00:08:33 If you've been hit by a Log4Shell exploit, they'd like to hear about it, and your input will be a contribution to intelligence concerning the way the vulnerability is being exploited. They'll also render assistance insofar as their resources permit. As the Bureau puts it, quote, as always, we stand ready to assist any impacted entities, end quote. Now, we know the internet, and we know the sort of social media funsters who inhabit its InfoSec precincts. I mean, when even NSA's cybersecurity boss is vamping with funny Karen and cat memes about the pronunciation of Log4j, well, it's just a barrel of monkeys out there. By the way, very funny, Mr. Joyce. But please, don't pester the FBI to tell them that your impacted entities include your wisdom teeth or your colon. We know, we know, LOL, even ROFL and LMAO,
Starting point is 00:09:28 but come on, you don't need mad hermeneutical skills to get that the Bureau means organizations or natural persons affected by Log4Shell exploitation and not teeth or sections of your GI tract. They're not in the tooth-pulling or constipation relief business, so get serious, kids. We're looking at you, InfoSec boys and girls. Sometimes impacted is even more ambiguous than affected. Alles klar, Herr Kommissar?
Starting point is 00:11:36 CISA Director Jen Easterly recently issued a Binding Operational Directive titled Reducing the Significant Risk of Known Exploited Vulnerabilities. The directive mandates that federal agencies mitigate vulnerabilities in their networks and is one of the first actions taken by CISA's newly formed Joint Cyber Defense Collaborative. Tom Kellermann is head of security strategy at VMware, one of the private sector
Starting point is 00:12:23 members of the Joint Cyber Defense Collaborative. It's historic. It's game-changing. It's a recognition by CISA that U.S. federal agencies as a whole, as well as their partners, must harden their systems because, frankly, the last year has really been the year of the zero-day exploit. And more and more often than not, these systems are successfully penetrated by these exploits that have been developed by the four rogue nation-states who manifest much of the cyber attacks against the U.S. So in your estimation, what happens next? How are the various agencies throughout the federal government going to react and respond to this? Well, they have 60 days, according to the directive, and hopefully they are automating their vulnerability management processes
Starting point is 00:13:09 and hardening those systems as we speak. Frankly, you know, the United States is dealing with an insurgency in American cyberspace, one that has been stoked by rogue nation states, but more importantly, one that is facilitated by the lack of hardening of those critical systems. When you think about the various government agencies, is there at all a situation of kind of haves and have-nots? Are there going to be certain agencies that are better prepared to take this on than others? Yes. I mean, some agencies are more sophisticated and have more capability as well as manpower than others. That being said,
Starting point is 00:13:47 vulnerability management should be something that the majority of federal agencies should be able to pursue and achieve without great consequence or disruption to operations for that matter. You know, this directive really is a seminal action taken by CISA, but more importantly, it's the first action taken with the Joint Cyber Defense Collaborative, of which VMware is a proud member and partner. Yeah, let's talk about that a little bit. I mean, what does VMware bring to the table, and why is this something that you all want to be a part of? It's our commitment to civilizing and securing American cyberspace. We were one of 15 companies that were asked to join because we literally have created the fabric
Starting point is 00:14:28 by which many critical infrastructures are dependent upon, from vSphere all the way through Horizon, all the way through Workspace ONE. We realize that we are responsible for securing our own environment, but also assisting the federal government in securing theirs. And I think the JCDC is an unprecedented group that is responsible for sharing information with one another, but also collaborating in the fight against not only exploit code and vulnerabilities, but the fight against ransomware, which has become pandemic per se in American cyberspace. What do you hope that things will look like on the
Starting point is 00:15:03 other side of this? You know, six months from now, after this has had some time to take effect and settle in, where do you suppose we'll be? Well, hopefully hardening government systems will allow us to get a leg up on an adversary that's burrowed in over the past few years and allow us to begin to conduct proactive cyber threat hunting and really push back and contain this type of insurgency that has been ongoing within federal infrastructure as well as corporate America's infrastructure. You know, the first step in securing systems in cyberspace is a recognition that, you know, 100% prevention is not possible. But there are some basic tenets of cyber hygiene that must be followed in order to prevent these types of infections. And part of that is really hardening those systems against exploitable vulnerabilities.
Starting point is 00:15:49 You know, you mentioned that the Joint Cyber Defense Collaborative is really a new effort and potentially a game changer here. How so? How is this really set up to really move the needle? Well, you know, Director Easterly challenged the private sector, particularly the major players, technology players in the private sector, to demonstrate commitment to securing American cyberspace and also to securing their own systems from attack, given that they provide the majority of technology, infrastructure, and fabric to the majority of corporations and federal agencies. We proudly joined that to show our commitment in that regard, to show how we will share information with the government related to vulnerabilities, how we will do a better job of fighting ransomware,
Starting point is 00:16:38 both against our customer base, but also generically the landscape. And I really think it's one of the more significant public-private partnerships that's ever been established to secure cyberspace. Yeah, it really strikes me that this is an effort where private organizations, certainly, who day-to-day might be competitors with each other, when the call was put out, they agreed to join together for a common cause. Exactly that. We recognize and appreciate our responsibility to help secure the greater cyberspace United States and also to work with and collaborate with our competitors,
Starting point is 00:17:17 as well as the U.S. government to do just that. That's Tom Kellermann from VMware. And I'm pleased to be joined once again by Malek Ben Salem. She's the Technology Research Director for Security at Accenture.
Starting point is 00:18:29 Malek, it is always great to have you back. I wanted to touch base with you today on a publication that you and your colleagues have put out in the world, and it's called Cyber Digital Twins, and it has to do with security vision. What can you share with us today? Thank you, Dave. Yeah, the Security Vision is a publication that the Cyber Lab publishes every year. And this year, the focus was on cyber digital twins. Now, let me start by defining what a digital twin is for our listeners. So digital twin is basically a virtual representation that serves as the real-time digital counterpart of a physical object or process. Now, this concept has been
Starting point is 00:19:17 introduced a long time ago, but practically, I think the first practical definition of a digital twin originated from NASA when they were attempting to improve the physical model simulation of a spacecraft in 2010. But today, with the proliferation of IoT devices, of smart manufacturing, of devices for augmented reality, this concept is gaining notoriety. You know, that's the digital twin. Along with that, the cyber digital twins started to emerge. And what exactly is that? Yeah, so cyber digital twins allow, you know, security professionals basically to create that digital replica of every system, of every machine or IoT device. And that replica can be used for the simulation of cyber attacks,
Starting point is 00:20:16 for vulnerability exploitations, etc., to detect any potential threats before the physical device leaves the production line. And the same concept can be extended to environments where we have smart manufacturing, for instance, or in resources companies for smart drilling or any other capabilities that have those types of functionalities. Well, help me understand here. So is this, for example, if I'm a manufacturer of some IoT device, is this a way of me basically running simulations before I send this out into the world?
Starting point is 00:20:55 Absolutely, yeah. So it helps basically, it provides various benefits. Through that simulation, there is an abstraction that happens, or there's an analysis of the firmware running on the device that would have to happen. And then with that analysis, you can abstract the software running on that device and then start simulating cyber attacks against that firmware. Are there any particular areas that this is best suited for? Yes. So as we mentioned, any smart device, smart manufacturing processes,
Starting point is 00:21:36 those are probably the target or the best areas. But I think eventually we'll see this proliferate as more of our systems, let's say OT processes become more AI enabled. I think we're going to see more use of, you know, cyber digital twins there as well. Is there a safety component here as well? And I'm thinking in manufacturing plants, you know, any of those heavy industrial kinds of places. This could be useful there. technology allows is very beneficial, whether it's for cyber attacks or for cyber attacks that
Starting point is 00:22:27 have a safety implication. And so where do we stand now? Is this something that is still in the lab or is it out there in the real world? What's the timeline for seeing more widespread use? So the digital twin technology is being adopted. Again, through this publication, we've done some research and we've surveyed a number of CISOs and technology executives. And many of them, around 60% or even higher, I don't recall the exact number, but they are at least using this technology somewhere within their enterprise. Now, the Cyber Digital Twins, that's an emerging technology that's very tightly linked to the Digital Twin, but it's following soon after. It's following soon after. And so I think we're going to see more adoption of that technology because it enables the simulation of attacks.
Starting point is 00:23:30 It basically empowers security teams to predict the attacks against these IoT devices or these cyber physical devices. And obviously with that, it helps them scale, I guess, more. It helps them cover more attacks. And I think one of the other main benefits, if you think about these manufacturing, or if you think about the designers of these smart devices, where they have to share IP or share the software and the firmware running on the device for another company to simulate and to assess and to test or to manufacture, by having a cyber digital twin abstract what's running on the device, they no longer have to share the IP itself, but they can share this model that's abstracting what's advantage of the simulation, of the attacks,
Starting point is 00:24:50 while protecting their intellectual property. Ah, I see. All right, well, fascinating stuff for sure. The publication is Cyber Digital Twins. Malek Ben Salem, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White,
Starting point is 00:25:35 Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
