CyberWire Daily - Looking toward tomorrow’s Russo-American talks about the Ukraine crisis. A memorandum gives NSA oversight authority for NSS. A look at the C2C markets.

Episode Date: January 20, 2022

As Russian forces remain in assembly areas near the Ukrainian border, the US and Russia prepare for tomorrow’s high-level talks in Geneva. NATO members look to their cyber defenses. US President Biden issues a Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. Notes on C2C markets. Mirai is exploiting Log4j flaws. Verizon’s Chris Novak shares insights on Log4j challenges. Our guest is Ryan Kovar from Splunk with a look at the year ahead. And Olympic athletes heading to China? Better grab that burner phone. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/13 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. As Russian forces remain in assembly areas near the Ukrainian border, the U.S. and Russia prepare for tomorrow's high-level talks in Geneva. NATO members look to their cyber defenses. U.S. President Biden issues a memorandum on improving the cybersecurity of national security,
Starting point is 00:02:19 Department of Defense, and intelligence community systems. Notes on C2C markets. Mirai is exploiting Log4J flaws, Verizon's Chris Novak shares insights on Log4J challenges, our guest is Ryan Kovar from Splunk with a look at the year ahead, and Olympic athletes heading to China? Better grab that burner phone. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 20th, 2022. Despite Russian statements placing little hope in diplomacy, and despite Moscow's expectation of receiving a formal response to its soft ultimatum sometime today, the New York Times reports that U.S. Secretary of State Blinken
Starting point is 00:03:23 still plans to meet Russian Foreign Minister Lavrov in Geneva tomorrow. U.S. President Biden said at a news conference yesterday that he expects Russian President Putin to direct incursions into Ukraine. The New York Times quotes him as saying, quote, My guess is he, President Putin, will move in. He has to do something, end quote. In answer to a question about Russian intentions and why threats of sanctions should be expected to deter further incursions into Ukraine, President Biden said, Well, because he's never seen sanctions like the ones I promised will be imposed if he moves, number one.
Starting point is 00:04:03 Number two, we're in a situation where Vladimir Putin is about to, we've had very frank discussions, Vladimir Putin and I, and the idea that NATO is not going to be united, I don't buy. I've spoken to every major NATO leader. We've had the NATO-Russian summit. We've had other, the OSCE has met, etc. And so I think what you're going to see is that Russia will be held accountable. That recording was made by C-SPAN at yesterday's media availability.
Starting point is 00:04:40 President Biden also indicated that Russia could be expected to test NATO resolve. The answer is that I think he still does not want any full-blown war, number one. Number two, do I think he'll test the West, test the United States and NATO as significantly as he can? Yes, I think he will. But I think he'll pay a serious and dear price for it that he doesn't think now will cost him what it's going to cost him. And I think he'll regret having done it. President Biden saw challenges in maintaining NATO unity, saying, quote,
Starting point is 00:05:25 It's very important that we keep everyone in NATO on the same page. That's what I'm spending a lot of time doing. There are differences. There are differences in NATO as to what countries are willing to do, depending on what happened, the degree to which they're able to go, end quote. President Biden's suggestion that minor incursions might not lead the U.S. to exact as serious and dear a price as major incursions would, struck some observers as introducing a deliberate element of ambiguity. But White House Press Secretary Jen Psaki subsequently issued a statement clarifying the U.S. position on the
Starting point is 00:05:58 crisis over Ukraine in a way that seems to resolve any such diplomatic ambiguity. It's brief and clear enough to warrant quoting in full, quote, President Biden has been clear with the Russian president. If any Russian military forces move across the Ukrainian border, that's a renewed invasion, and it will be met with a swift, severe, and united response from the United States and our allies.
Starting point is 00:06:22 President Biden also knows from long experience that the Russians have an extensive playbook of aggression short of military action, including cyber attacks and paramilitary tactics, and he affirmed today that those acts of Russian aggression will be met with a decisive, reciprocal, and united response. End quote. This will not be received as a positive response to the Russian government's proposals for resolving the crisis. Those proposals would have required an extensive and public retreat by NATO from the forward defense of its eastern member nations. Ukraine is not a member yet, and forestalling Ukrainian admission to NATO is a central Russian objective.
Starting point is 00:07:03 Note that the White House statement refers to aggression short of military action, including both cyber attack and paramilitary operations, that is, plausibly deniable action by proxies, irregulars, or special forces, and promises not a proportional or asymmetric response, but a reciprocal response. CISA has urged organizations to take steps to shore up their defenses in advance of possible Russian cyber operations. Last week's data-wiping attacks against Ukrainian targets are seen, according to Bleeping Computer, as a bellwether.
Starting point is 00:07:41 The drive, says the U.S. government's assessment, is that such attacks could produce widespread damage to U.S. infrastructure. U.S. President Biden yesterday morning signed National Security Memorandum NSM-8, Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, which specifies how Executive Order 14028, Improving the Nation's Cybersecurity, will apply to national security systems, most of which are operated by the Department of Defense and the Intelligence Community Systems. It brings these systems' cybersecurity under the supervision of the National Security Agency, and it gives NSA
Starting point is 00:08:26 authority to issue binding operational directives to the organizations that operate the systems. The White House fact sheet that accompanied NSM-8 says, quote, this directive is modeled on the Department of Homeland Security's binding operational directive authority for civilian government networks, end quote. And the expectation is that NSA will learn from the Cybersecurity and Infrastructure Security Agency's experience in securing the federal civilian networks it oversees. NSM-8 lays out a 180-day timeline with appropriate milestones for NSA to formulate guidance and for the affected
Starting point is 00:09:05 agencies to complete and report compliance. Russia is not mentioned in NSM-8, but the timing and context of the memorandum clearly suggest that it was issued with current threats from Russia in mind. The White House fact sheet ticks off the customary list of administration accomplishments by way of providing background, quote, And internationally, the Biden administration has rallied G7 countries to hold accountable nations who harbor ransomware criminals, updated NATO cyber policy for the first time in seven years, and brought together more than 30 allies and partners to accelerate our cooperation in combating cybercrime, end quote. NSM-8's major near-term provisions touch upon cloud migration, zero-trust architecture, multi-factor authentication, and cryptographic interoperability.
Starting point is 00:10:02 Not all of the memorandum's directions are focused on near-term risk management. There is, for example, some discussion of the implications of quantum computing on cryptography, but it's the near-term measures that have drawn the most attention. Cobalt Strike has been seen frequently in recent criminal attacks. Researchers at BlackBerry report that a malware subscription service, Prometheus TDS, and TDS would be Traffic Direction System, makes extensive use of Cobalt Strike and its offerings. The service is being hawked in Russian-language criminal-to-criminal markets.
Starting point is 00:10:40 Its principal use is to stage large-scale phishing campaigns that redirect victims to malicious landing pages. Mirai is back. Security firm Akamai has found the Mirai botnet exploiting Log4j to attack SolarWinds and Zyxel devices. Microsoft warned of the potential problem, the Record reports, and so SolarWinds issued a patch on Tuesday. Zyxel has also updated its products to address the issue. Engineering and Technology describes how botnet scalping has become a preferred criminal method of money laundering. Buy stuff from online markets with ill-gotten cash and then resell that stuff,
Starting point is 00:11:23 and the money assumes the legal, if not the moral, appearance of being clean. Security firm Netacea told the publication that scalperbots are, for now, legal, although there's some movement in the U.S. Congress to pass legislation that would outlaw this particular kind of thing. NextGov reports that the U.S. government is considering shifting responsibility for pipeline cybersecurity from the Transportation Security Administration to the Department of Energy. Industry complained that they were insufficiently consulted when TSA was responding to fallout from the Colonial Pipeline hack, and the House Energy and Commerce Committee is evaluating a proposed bill that would create a self-regulatory body along the lines of the North American Electric Reliability Council that would work under the supervision of the Department of Energy's Federal Energy Regulatory Commission.
Starting point is 00:12:24 opened consultation on measures to formulate cybersecurity professional standards. The goal would be to help organizations understand the kind of skills they need in the people they're hiring and to help education and training institutions develop ways of qualifying people to fill the jobs the labor market is looking for. Comments will be open through March 20th of this year. And finally, if you're a bobsledder, a biathlete, a skeleton racer, or any other member of the U.S. Olympic team competing in China this winter, the U.S. Olympic Committee recommends you bring a burner phone in with you and then burn it upon departure.
Starting point is 00:12:59 Security Week quotes the committee as saying, quote, Assume that every device and every communication, transaction, and online activity will be monitored. Devices may also be compromised with malicious software designed to compromise the device and its future use, end quote. So bring that burner. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:13:36 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:14:03 like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised
Starting point is 00:14:56 at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Ryan Kovar is a distinguished security strategist at Splunk, and I checked in with him for insights on what's got his attention as we face the coming year. Like most security professionals, he thinks ransomware is here to stay in the near term, but it's not all bad news. I think there's a lot more awareness around the value of backups. There's a lot of discussion that I've read around the fallacy that decryption works.
Starting point is 00:15:46 There's been some great stories that I've actually heard on CyberWire over the last year or so of organizations paying for the decryption key and it's still taking two or three or four weeks for them to actually decrypt the ransomware. And so at some point, are you better off just biting the bullet and restoring from backups than you are trying to decrypt and recover in place. So I believe compared to three years ago where folks might not have realized that the old standard of just having good backups is an effective ransomware strategy, I think that has changed and that's much more conscious for organizations, for CISOs, and for network defenders. So moving beyond ransomware, what other things are on your radar for the coming year? Perhaps not surprisingly, with some bias over the last 375 days or so, I'm still somewhat
Starting point is 00:16:32 focused on supply chain. My team did some research on supply chain attacks last year. I've been working on more things around this concept put forward by Enisa around the concept of supplier and consumers and that people should be looking at their organization from different lenses of responsibility. And I feel like if you're able to identify if you are a supplier of software or a consumer of software,
Starting point is 00:16:57 in many organizations, I would argue any Fortune 1000 and above organization is both a supplier and a consumer of software. People should start looking at how they're defending their networks a little bit differently. And I think that's something that's going to come up more and more is this, you know, the software supply chain. It's just, it's coming up often, it's coming up frequently, and it's getting more news. And I don't think that's going away. Is there anything in your estimation that isn't getting the attention that it deserves, that people aren't focused on, that leaves you scratching your head?
Starting point is 00:17:29 It's very wonky, and I've already alluded to it a bit, but the software bill of materials work that's being done by legislators, I think, is going to change the world in unexpected ways. And I'm often drawn to the comparison of when Walmart required barcodes. When Walmart required barcodes as the largest consumer of products in the world, everyone had to have them. If the federal government makes a decision on requiring an SBOM for the purchase of software, the trickle-down effects on that will be startling. And every software vendor just about in the world will have to start having a SBOM available for the federal government, which then, in my opinion, will have a trickle down to commercial entities asking to see the SBOM. Then you're going to have questions going further into cyber insurance, where cyber insurance is going to be asking for
Starting point is 00:18:18 verification of SBOMs and all sorts of areas like that. And I think those are things that we could look at, and we'll see a big change in the future. How about for you personally? Are you heading into this year with a sense of optimism or pessimism or practicality? Where do you sit? I am in a practical mindset, probably. I don't think it's going to be worse than the last year. I don't think it's going to be much better. I think things like Log4j have shown how vulnerable some areas of our entire infrastructure are. And if I was an adversary, I'd probably be digging into GitHub and looking at some really in-the-weeds libraries right now, as I'm sure people are. But I think Log4j also showed how a global event can really unite an entire community of getting data out quickly. And we have a little bit of a reflex from that
Starting point is 00:19:11 from SolarWinds. And so I hate to say practice makes perfect, but we certainly did better as an entire holistic community, in my opinion, for Log4J or Log4Shell than we did for SolarWinds. And that does bring me some hope. And I look at things like CISA. I'm a huge fan of what's been done at CISA, JCDC, all these outreach programs. There's just things in place now that a year ago were only dreamed of, two years ago weren't even thought of.
Starting point is 00:19:38 And that brings me a lot of hope for that private-public partnership aspect. That's Ryan Kovar from Splunk. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
Starting point is 00:20:27 and compliant. And I'm pleased to be joined once again by Chris Novak. He is the Global Director of the Threat Research Advisory Center with Verizon. Chris, it is always great to have you back. You know, I don't think it's surprising to anybody to say a hot topic lately has been log for J, log for shell. And I just want to check in with you to get your take on where we stand with this. What's your outlook here? It's been a wild ride.
Starting point is 00:21:08 I'll tell you, I swear we can set the calendar sometimes by the events that pop up. And this one is no surprise here. I think the reality of it is that what we're seeing around Log4J and for Shell, talk with a lot of organizations. And the challenges that it seems many still are facing. You know, if you break up, you know, your large enterprises, your medium-sized businesses, and then, you know, maybe even your small businesses, the largest enterprises, I'd say they've got a pretty good understanding, if not a great understanding of what this is, what it entails, and how they're going to deal with it. They probably have dealt with things like this before.
Starting point is 00:21:47 And many people may say, okay, that's great. Then we've got our bases covered. But the reality of it is if you kind of look at it like a pyramid, we're talking about that top of the pyramid that's probably got a pretty good handle on this problem, but that is the smallest piece of it, right? As we move down the pyramid, the challenge we face is the maturity is not there. And what a lot of organizations seem to be struggling with is even understanding where they might have it, if they might have it, right? You know, when solar winds happened,
Starting point is 00:22:15 a lot of organizations could fairly readily and easily determine whether or not it's an application that they use or that they have. They might be able to go through procurement logs and figure out if they've ever purchased it or whatnot. Log4j, essentially it's a component in something else. So it's not something you're ever going to see on your procurement list. And it's really going to come down to, you know, how mature are you with things like
Starting point is 00:22:38 asset and application inventories or your ability to scan for the inclusion of this kind of code within other applications that you might use? What sort of questions should I be asking? You know, if I'm that medium-sized business and somebody comes knocking on my door and says, hey, you know, we're providing services here to scan the things that you use to audit your vulnerability to Log4j, how should I respond to an offer like that? Well, I mean, I think, you know, it's a great point.
Starting point is 00:23:09 And to be honest, we're having a lot of those conversations with organizations today. And, you know, typically the way it starts with is first just understanding, does the organization have a familiarity of what this vulnerability is? You know, some of us who are in the industry might be thinking, wow, you've got to be living under a rock not to know what this is. But again, you know, you kind of have to take a step back and look at this and understand not everybody is watching this kind of stuff day in and day out,
Starting point is 00:23:34 whether they should be is another story, but they're not. And so the first piece is, I think, just educating, you know, kind of that audience of this is what the vulnerability is. This is how it works. This is some examples of where this vulnerability has been known to live. Here are some applications that you might have heard of, but the reality of it is this is open source and it could be part of any and many other applications that you may have. And I think a key thing in terms of any engaged conversation around, you know, scanning or assessments of your Log4j susceptibility, if you will, really has to happen around things like what kind of environment do you run and what does that organization's scanning or assessment have the ability to tackle, right? If you're a largely Windows shop, are there tools and scanning technologies, you know, set up for that? If you have a mixed environment of say,
Starting point is 00:24:30 you know, Windows, Linux, Unix, Mac OS, whatever may be, you know, what does that environment look like and what are their capabilities look like there? You know, I always suggest, you know, ask for templates, ask for examples of the output. What can I expect to get out of an assessment or a scan that a vendor might do. Show me some finished products. Even if it's just a redacted version of a report, give me a sense of what it is that I'm going to get out of it. Because I think when you look at things like the Log4J issue, it's not going to just be let me scan and find it. But really, when we look at this, we look at it as a multi-step approach.
Starting point is 00:25:02 It's going to be, do you have it in your environment? If you have it, can we determine whether or not it has been exploited? And then if it's been exploited, you then have to go the next step to figure out where did it go after that? Do we have any sense at this point, how long a tail this is going to have? What we're in for over the long haul? Ooh, a crystal ball kind of question. I know it's not fair, is it? No, no, I love them. They're fun nonetheless. You know, to be honest, I'm going to go out on a limb and say that I think this one is going to be hanging out there probably for the better part of two years. And I think the reason why I say that, to be honest, is I think you have an incredible
Starting point is 00:25:44 amount of awareness about this problem right now, and it's on everybody's mind, everybody who is wanting and choosing to pay attention to it. But like anything, there is a subset of the population that is not wanting or choosing to pay attention to it, or they are distracted by other things. And again, it's not to say this isn't an important thing. It may just be an organization may be in the middle of something else, right? They're having financial troubles. They're dealing with COVID issues.
Starting point is 00:26:08 They're dealing with labor issues. They're dealing with, you know, employees in many countries. And this may just not be the thing that's getting all of their attention. And so what I think is going to happen is we're going to see these, you know, kind of almost like a wave that's going to go up and down over time over the next couple of years as this gets hammered out. And I think the other thing too, kind of going back to our earlier part of the conversation that you're going to face is lots of organizations are not even going to be aware that it exists as a problem in some of the applications that they use. So they may not even
Starting point is 00:26:39 recognize it to find it and address it for, you know, six months, a year, or maybe even more. And I think the other thing that's worth highlighting here too is that a lot of organizations, I think, have a misunderstanding that, well, the solution is just patching. And patching is part of the solution, but the challenge also is this is being heavily exploited. We see a tremendous amount of activity across our network or when we're doing monitoring of organizations where they're being tested for this vulnerability right now. Patching, it's kind of like locking your front door. After you've locked it, someone's probably not going to walk in. But if it's been wide open for a month or a year, who knows how
Starting point is 00:27:23 many people are already inside when you decide to lock it, right? Nobody new comes in after you lock it, but if they're already in, have already exploited it, may already have brought other malware in the environment. At that point, you've just stopped future exploitation. You also need to do some level of due diligence to determine whether or not the problem has already made its way in. Yeah. All right. Well, Chris Novak, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories,
Starting point is 00:28:02 check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Thanks for listening. We'll see you back here tomorrow. Thank you. solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:29:19 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
