CyberWire Daily - Managing messaging in a hybrid war. Anti-Tehran hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A threat to firmware. CISA warns of Confluence exploits.

Episode Date: June 3, 2022

Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. US remains on alert for Russian cyberattacks. Iran: anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from SANS on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer," co-authored by Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/107

Selected reading.
Russia summons heads of U.S. media outlets, warns of 'stringent measures' (Reuters)
US confirms military hackers have conducted cyber operations in support of Ukraine (CNN)
Advancing security across Central and Eastern Europe (Google)
US Justice Department Braces for More Russian Cyberattacks (VOA)
Russia, backed by ransomware gangs, actively targeting US, FBI director says (Cybersecurity Dive)
Exiled Iran Group Claims Tehran Hacking Attack (SecurityWeek)
Exposing POLONIUM activity and infrastructure targeting Israeli organizations (Microsoft Security)
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions (Mandiant)
Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns (Wall Street Journal)
Conti Targets Critical Firmware (Eclypsium)
Atlassian: Unpatched critical Confluence flaw under attack (Register)
CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. U.S. remains on alert for Russian cyber attacks. Iran, anti-government hacktivism, and Tehran-sponsored cyber ops.
Starting point is 00:02:15 Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from the SANS Institute on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, The Security Culture Playbook, An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, co-authored by Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog. From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Friday, June 3rd, 2022. Russia wants the rest of the world to take its official and semi-official sources seriously and wants the world to treat Russia's outlets and their output with proper respect. Reuters quotes Foreign Ministry spokeswoman Maria Zakharova as saying,
Starting point is 00:03:21 If the work of the Russian media, operators, and journalists is not normalized in the United States, the most stringent measures will inevitably follow. To this end, on Monday, June 6th, the heads of the Moscow offices of all American media will be invited to the press center of the Russian Foreign Ministry to explain to them the consequences of their government's hostile line in the media sphere. We look forward to it. End quote. The commander of U.S. Cyber Command, General Paul Nakasone, told Sky News this week that, quote, we've conducted a series of operations across the full spectrum, offensive, defensive, and information operations. End quote. And that clearly was not an off-the-cuff remark.
Starting point is 00:04:03 CNN reports that, quote, a spokesperson for the command did not dispute the accuracy of the article, but declined to elaborate on what the command's operations in Ukraine have entailed, end quote. A senior U.S. official, speaking anonymously with CNN, said that the U.S. was comfortable letting Moscow know that the U.S. has been active against Russian interests in cyberspace. It complicates an already difficult war for Russia and induces considerable uncertainty into Russian planning. They're not sure what the U.S. is capable of or willing to do,
Starting point is 00:04:35 and they're uncomfortable with not knowing. The Western private sector has also made contributions to defense against Russia's threat against Eastern and Central Europe. Google Today published an overview of the steps it has taken to help improve security in the region. The company's announcement expresses gratitude for the peace prize it received from Ukraine's government at Davos, and then discusses its activity elsewhere. Quote, To build on our efforts, we are expanding our cybersecurity partnership and investment in Central and Eastern Europe. Last month, a delegation of our top security engineers and leaders met with organizations and individuals in Czechia, Poland, Lithuania, and Latvia. They trained high-risk groups, distributed security keys, engaged in technical discussions with government experts, and supported local businesses in shoring up their
Starting point is 00:05:25 defenses, end quote. In addition to intelligence reporting by Google's threat analysis group, the company has also provided direct security support to individuals and organizations at particular risk, quote. To help address these threats, our high-risk user team conducted workshops throughout the region for dozens of non-governmental organizations, publishers, and journalists, including groups and individuals sanctioned by the Kremlin. We distributed around 1,000 security keys, the strongest form of authentication, and trained over 30 high-risk user groups on account security. We also launched, in collaboration with Jigsaw, the Protect Your Democracy Toolkit, which provides free tools and expertise to democratic institutions and civil society. We heard directly from high-risk
Starting point is 00:06:10 organizations like the Kashmir Polaski Foundation, the International Center for Ukrainian Victory, NGOs supporting refugees and exiled activists, and leading publishers across Europe who told us how critical Google's no-cost security tools like the Advanced Protection Program and Project Shield are keeping them safe online. We are grateful for their valuable insights to inform future product development. While the crippling Russian cyberattacks against infrastructure that were widely feared have not materialized, the U.S. Justice Department remains focused on the cyber threat from Russia. Quote, at DOJ, we're particularly focused right now on the cyber threat from Russia. End quote. The Voice of America quotes Matthew Olson, head of the Justice Department's National Security Division. Quote, and we are bracing for the possibility of more attacks. End quote.
Starting point is 00:07:02 A great deal of the Russian combat load in cyberspace is being carried by Moscow-aligned cybercriminal gangs, especially extortionists. AFP reports that an Iranian dissident hacktivist group, the People's Mujahideen of Iran, has claimed to have taken control of some municipal websites in Tehran and to have also gained access to the city's surveillance cameras. There's no independent confirmation of their claims. Much of the hacktivists' operations consisted of defacing websites to display images of MEK leadership. Microsoft announced late yesterday that it disrupted a cyber operation against Israeli organizations mounted by the Lebanon-based group Redmen, Trax's Polonian,
Starting point is 00:07:43 and associates with Iran's Ministry of Intelligence and Security. The campaign targeted OneDrive users, and Microsoft says it, quote, suspended more than 20 malicious OneDrive applications created by Polonium actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by Polonium operators. End quote. Mandiant researchers yesterday described efforts by criminal gangs, for the most part russophone gangs and notably Evil Corp, to rebrand themselves in an effort to evade sanctions imposed by the U.S. government.
Starting point is 00:08:17 The Wall Street Journal explains that U.S. sanctions have made it more difficult for victims to pay ransom without themselves violating the law, and the gangland hope is that rebranding will amount to sufficient misdirection to keep the ransom payments flowing. Eclipsium researchers yesterday described an attempt by Conti operators to develop ways of exploiting the firmware of Intel processors. In addition to the classical attacks that target UEFI and BIOS directly, attackers are now targeting the Intel Management Engine, or the Intel Converged Security Management Engine. The Intel Management Engine is a physical microcontroller that is part of the chipset of modern Intel-based systems. It supports a variety of capabilities, such as out-of-band management.
Starting point is 00:09:03 such as out-of-band management, end quote. Eclipsium found evidence of the attempt as it sifted through Conti chatter obtained and leaked early in Russia's war against Ukraine by dissatisfied Ukrainian collaborators with the Cybergang. And finally, yesterday, the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, added a Confluence server and data center remote code execution vulnerability to its known exploited vulnerabilities catalog. CISA explains, quote, versions of Confluence server and data center contain a remote code execution vulnerability that allows for an unauthorized attacker to perform arbitrary code execution, end quote. This one requires immediate action under Binding Operational Directive 22-01.
Starting point is 00:09:46 CISA has told U.S. federal executive civilian agencies to, quote, immediately block all internet traffic to and from Atlassian's Confluence Server and Data Center products until an update is available and successfully applied, end quote. They have until close of business today to do so and report compliance. This is the shortest deadline we've seen CISA impose under BOD 22-01. Atlassian, which credits Volexity researchers with finding and reporting this issue, rates the vulnerability as critical. The company said in an update posted this morning, We suspect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours.
Starting point is 00:10:41 Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:09 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:55 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more Dave sat down with Perry Carpenter to discuss his new book, The Security Culture Playbook, an executive guide to reducing risk and developing your human defense layer, co-authored by Kai Rohr. Here's Perry. So first, my co-author Kai Rohr is an internationally well-known guy that has been studying security culture for most of his career.
Starting point is 00:12:51 And so one of the things that we wanted to do with that is kind of merge our voices because Kai is well-known for his research into security culture. I'm pretty well-known in my research for awareness and behavior. And as we come together, we can start to paint a lot more complete picture. But the other thing that really prompted this is nuance that's in the subtitle of the book. And I know it's a really, really long subtitle, but there are three critical things in it that we tried to pack in. really, really long subtitle, but there are three critical things in it that we tried to pack in. Number one is an executive guide. And so, this is meant not necessarily for the practitioner, but for the audience of a board of directors or a CIO or a CEO that really needs to understand that security culture is important. It's something that lives and breathes in every
Starting point is 00:13:45 organization, whether you know it or not. And so the question becomes, how intentional are you about the security culture that you have? How sustainable is that? What do you need to do about it? And so that executive piece is really critical. And our hope is that an executive picks that up, reads the first few chapters, and then says, oh, yeah, we need to do something intentional with this. And then they hand it down to the person that can implement the vision that's explained there. The second piece that's in the title is reducing risk. And that really comes down to the fact that the entire reason that security exists isn't for the sake of security. And the entire reason that security awareness exists isn't for the sake of security. And the entire reason that security awareness exists
Starting point is 00:14:28 isn't for the sake of security. It's actually to reduce risk in an organization and make the risk tolerable so that the organization can go forward and do the business that they've been formed to do. And so this is all about risk reduction and up-leveling the conversation to that executive
Starting point is 00:14:46 level or board of directors level. And then that last piece is developing your human defense layer. And so this is about the human side of things, because one of the charts that we show early on is that there's a lot of spending that happens on the technology side of security. Every year, we spend more and more on that, but data breaches are still going up. And when you look at the Verizon DBIR and other reports, the reason that we see the data breaches continue to go up has to do with the human side of things. And so our argument is that we need to put more intention on that
Starting point is 00:15:19 so that we can then reduce risk. Can we take a quick step back and talk about the notion of security culture itself? I mean, one of the things you explore in the book is this idea that security culture has a specific set of dimensions. Yeah, you mentioned that we have different dimensions that we break security culture up into, and this is drawn from the social sciences. So we believe that you can measure any type of culture with this. But specifically, we're looking at the security-related nuance. And so we break security culture into seven different dimensions,
Starting point is 00:15:55 attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. And one of the interesting things that we say in that is, yeah, as we measure that, we can see whether you're strong or you're weak in different areas. But that doesn't mean that all is lost or all is gained if you see one of those data points.
Starting point is 00:16:16 So if you look at your aggregated security culture score and you're concerned about that, you don't have to tackle all seven of those because each of these has a gravitational effect on the other. If you're influencing cognition and giving people the right information to make the right decisions at the right time, you're probably also influencing their attitudes and you're definitely influencing their behaviors if you see that come to pass. So you can strategically focus on one,
Starting point is 00:16:46 two, or three of these, and you're going to be pulling the others along the way. There's another key thing that comes out in this book, and that is, and this is another reason behind why we created it in the first place, is there's a lot of and has been a lot of talk about, quote-unquote, security culture for years. And people are using that phrase in articles and journals and conference presentations and everything else. The thing that was missing, though, is an actual definition of it. We at KnowBefore, so this is separate from Kai and I, our employer at KnowBefore, commissioned a study with Forrester a couple years ago. And what we wanted to understand was, do people really know what security culture is and do they value it?
Starting point is 00:17:35 And we found that 94% of people value security culture. They believe that it's an important thing to reduce risk in their organization. They believe that it's an important thing to reduce risk in their organization. But then we started to ask the more nuanced question of, what do you believe security culture is? And what we found was a shocking fragmentation of what people believe it actually is. Some people believe security culture is following policies. Other people believe that it's the establishment of a security awareness program. Other people believe that it's the establishment of a security awareness program. Other people believe that it's shared responsibility across an organization.
Starting point is 00:18:18 So the funny thing is, is that somebody like me could stand on a stage and say security culture is important and everybody in the room can be nodding their heads. Everybody believes that they're agreeing to the same thing, but everybody actually having a different conclusion of what that means. That's Perry Carpenter discussing his new book, The Security Culture Playbook, an executive guide to reducing risk and developing your human defense layer. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:19:21 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ulrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, it's always great to welcome you back. You know, something that I try to share with as many people as I can is the utility and usefulness of things like password managers. There are a lot of choices out there today,
Starting point is 00:20:06 and we want to talk today about some of the options. Yeah, so there are really two big options that you typically have available. There are third-party add-on software that you can buy. There's also some free options that you can install. And then many web browsers have their own built-in password manager that you can use. The problem is a little bit that the quality of these options really varies a lot. And these password managers themselves, of course, are a big target. Whenever you're assembling a lot of important data in one spot while it becomes a target. We recently ran into a case with Google Chrome
Starting point is 00:20:47 where during an incident, one of our Monterey's handlers here, Xavier, he ran into this. They figured out that the attacker compromised an administrator's workstation and then was able to use passwords that the administrator had stored within Google Chrome. And I always tell people, use password managers, and you definitely should. I'm not saying don't use password managers.
Starting point is 00:21:16 The alternative is way worse, kind of, of using password managers these days. But it turned out that actually Google Chrome in particular here is not really all that careful in how they're saving these passwords. The passwords are encrypted, so that sounds good. But whenever you're dealing with encryption at rest, the next question is, where did they store the encryption passphrase key that's being used here? And it turns out in this case it was actually stored in the clear in a different file. So relatively simple for an attacker and well-documented how to do this, where an attacker was able to take that key, decrypt the passwords, and have access to all the passwords stored in Google Chrome.
Starting point is 00:22:03 Is this, I mean, general advice for browsers, or are there differences between the various browsers of how they approach this? It's really a little bit all over how they approach it. And now browsers like Firefox and Google Chrome, they try to do it a little bit in an operating system agnostic way. So they don't necessarily use the facilities built into the operating system. Safari, which is like iOS, macOS only, it uses the built-in keychain that these operating systems offer,
Starting point is 00:22:35 and that provides some additional security. In Firefox, you do have the option to enter a master passphrase as you're setting up the browser, and it is then being used to encrypt a key, so that provides for some additional security. But overall, browsers usually aren't as careful as these password managers, in particular, once you start using the browser. Where is the password stored? Is it stored in memory, somewhere in the clear? Are these passwords stored in the clear? A lot of the password managers have thought this through better and clear out memory after it's no longer being used. Same if you're doing like copy-paste with your
Starting point is 00:23:16 clipboard. A lot of the third-party password managers, for example, will clear out the clipboard after a minute or after some time to limit the exposure of passwords and clipboards. In general, you probably should try to use a third-party password manager. It gives you, of course, some other advantages like some cross-application synchronization, sometimes some synchronization across devices. That's also nice to have. You don't have to pay a lot of money for these password managers. Some of them are expensive, some of them are free. Typically, you have to pay for the synchronization feature. That's what they usually get you.
Starting point is 00:23:56 In general, it's probably worth the effort to set up these applications. If that's too much work for you, then yeah, sure, please use at least the built-in password manager. Yeah, it's my experience that with a third-party password manager, it's a little bit of work, as you say, to get it set up. But once you've got it up and running,
Starting point is 00:24:14 it's pretty seamless. And definitely, in my mind, worth the investment of both time and money. I think so too, but not everybody may have the ability to set these up, these password managers. So in that case, you're probably better off just using the browser built-in password manager. At the very least, the attacker still needs
Starting point is 00:24:36 to compromise your system, which is probably a higher hurdle to overcome than breaching a random website where you're using the same password you're using for your online banking. Yeah. All right. Well, good advice. Johannes Ulrich, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out this weekend's episode of Research Saturday,
Starting point is 00:25:17 where Dave Bittner sits down with Scott Fanning of CrowdStrike. They discuss their work on Lemonduck Target Docker for crypto mining operations. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, Thank you. Joe Kerrigan, Harold Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Trey Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:26:49 That's ai.domo.com.
