CyberWire Daily - Microsoft Exchange Server hacks officially attributed to China. Indictment in industrial espionage case. Entities List expands. Abuse of NSO Group’s Pegasus tool reported.
Episode Date: July 19, 2021. Allied governments formally attribute exploitation of Microsoft Exchange Server to China's Ministry of State Security. A US Federal indictment names four MSS officers in conjunction with another, long-running cyberespionage campaign. The US Department of Commerce adds six Russian organizations to the Entities List. The Pegasus Project outlines alleged abuse of NSO Group's intercept tool. Thomas Etheridge from CrowdStrike on the importance of real-time response, continuous monitoring and remediation. Our guest is Neha Joshi from Accenture on solving the cybersecurity staffing gap and how to stand up a successful, diverse security team. And there's hacktivism in Southeast Asia. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/137
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Allied governments formally attribute exploitation of Microsoft Exchange Server
to China's Ministry of State Security.
A U.S. federal indictment names four MSS officers in conjunction with another long-running cyber espionage campaign.
The U.S. Department of Commerce adds six Russian organizations to the entities list.
The Pegasus Project outlines alleged abuse of NSO Group's intercept tool.
Thomas Etheridge from CrowdStrike on the importance of real-time response, continuous monitoring, and remediation. Our guest is Neha Joshi from
Accenture on solving the cybersecurity staffing gap and how to stand up a successful, diverse
security team. And there's hacktivism in Southeast Asia.
From the CyberWire studios at DataTribe, I'm Dave Bittner. With the concurrence of the other Five Eyes, NATO, Japan, and the European Union, the U.S. formally attributed an attack on Microsoft Exchange Server to China's Ministry of State Security.
The attribution has long been expected.
On May 2nd, Microsoft itself had
attributed the incident to Hafnium, which it identified as a state-sponsored threat actor that
operates from China. NSA, CISA, and the FBI have issued a joint cybersecurity advisory this morning
on behalf of the U.S. government that outlines the basis for the attribution, the tactics, techniques, and procedures the Ministry of State Security employed,
and a range of suggested mitigations.
So far, the official attribution to China involves no additional sanctions
or other imposition of costs directed specifically at Beijing's actions in this case.
The Washington Post reports, with some officials suggesting,
that it marks a setting of expectations of how nation-states are expected to behave in cyberspace.
Some observers have seen the absence of new measures imposed against China
as evidence that Beijing still enjoys a free ride with respect to bad behavior in cyberspace,
a free ride that, for example, Russia doesn't enjoy.
This seems overstated.
There is, of course, the general odium expressed by most of the civilized world,
which would count at least as naming and shaming.
But, of course, many governments are shameless,
and most are shameless to some extent, at least from time
to time, and it's unlikely that international complaint alone would be likely to restrain
Chinese intelligence and security services misbehavior. But to say that China receives
a free pass for its activities is to overstate matters. The long-running campaign to exclude on security grounds Chinese hardware
manufacturers, notably but not exclusively Huawei and ZTE, from participating in 5G infrastructure
build-out is one example of imposition of costs. So are indictments of Chinese intelligence
personnel. The U.S. Justice Department today published an indictment, unsealed Friday,
of four Chinese nationals working for the Hainan Province Ministry of State Security,
known by its acronym HSSD, a provincial arm of the Ministry of State Security.
Between 2011 and 2018, the accused individuals are charged with supervising an extensive campaign to steal intellectual property from foreign companies and universities.
They cast a wide net.
The targets allegedly included research into the Ebola virus and vaccines against it,
work on submersible vehicles, autonomous vehicle R&D, proprietary chemical formulas, and research into genetic sequencing.
The threat group has been called, by industry, many names, among them APT40, Bronze Mohawk,
Feverdream, Gadolinium, Hellsing, Mudcarp, and, our personal favorite, Kryptonite Panda.
The list of countries whose IP was prospected for Chinese strategic and economic advantage
included the U.S., Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia,
South Africa, Switzerland, and the U.K.
The grand jury returned an indictment on two counts,
conspiracy to damage a protected computer and conspiracy to commit economic
espionage. The indictment is long but worth reading for the historical detail and insight
into the tactics the alleged conspirators employed. To continue with discussion of imposition of
costs, the U.S. has expanded sanctions against some Russian outfits for their activities in
cyberspace. The Commerce Department's Bureau of Industry and Security has added six Russian organizations to
the entities list. Placement on the entities list restricts the named person's or organization's
ability to trade with the U.S. Posted to the Federal Register this morning, the revised and
expanded entities list is unlikely to exhaust the retaliatory
measures the U.S. will probably take against Russian cyber activity, in particular recent
ransomware attacks by Russian gangs. Forbidden Stories' Pegasus Project yesterday published,
with the cooperation of some 16 other news organizations worldwide, the results of a long-running collaborative investigation of NSO Group.
From a leaked list of over 50,000 phone numbers NSO clients selected for surveillance,
investigators determined that 180 journalists in at least five countries were targeted.
The Pegasus Project's report said, quote, "Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance," end quote.
NSO's government clients involved in the surveillance include Bahrain, Morocco, Saudi Arabia,
India, Mexico, Hungary, Azerbaijan, Togo, and Rwanda.
NSO disputes allegations of involvement,
saying that it doesn't see any connection between itself and the leaked list of targeted phones.
But the company, which has been much criticized in the past for its willingness to sell to governments with dubious human rights records,
called the possibility that its Pegasus tool had been misused
disturbing. The Washington Post quotes the company as expressing an intention to investigate.
NSO Group is an Israeli company, and its exports are, the New York Times says,
approved by the Israeli Ministry of Defense, which encouraged sales to Arab states that
had long been hostile to Israel until they began to see a common adversary in Iran.
Any sort of rapprochement between Israel and Muslim-majority states, whether in security, trade, or in full normalization of relations,
is seen by many as damaging to the interests associated with the Palestinian cause.
Moves toward closer ties on the part of governments in the Gulf and in Southeast Asia have spurred, a study by Radware concludes,
OpsBedil, a hacktivist campaign staged from Malaysia and Indonesia.
This campaign antedates the publication of the Pegasus Project.
As Radware describes it, quote, "Attacks performed under OpsBedil are considered a political response to the Israeli ambassador to Singapore stating in June that
Israel is ready to work toward establishing ties with Southeast Asia's Muslim-majority nations.
Malaysia, which is over 60% Muslim and supports Palestine, has a significant presence of hacktivist and Palestinian
militants. As a result of this call to establish ties, hacktivists in the region began targeting
Israeli assets in June with a series of DoS attacks, data leaks, and defacement campaigns.
The group condemns the proposal to establish ties and reiterates their ongoing support of Palestine with digital
attacks," end quote. The group behind the campaign is known as DragonForce Malaysia.
There are, by all accounts, a lot of unfilled cybersecurity job positions out there,
tens of thousands in the U.S. alone. What does having all those empty positions do
for our readiness as a nation, and how do we go about closing the gap? Neha Joshi is Global Growth
and Strategy Lead for Accenture Security, and she joins us with these insights. I was literally just
speaking to a CISO in Europe yesterday, and he said he has 40 unfilled roles on his team, right? We saw there's a recent article
from CBS that according to CyberSeek, there's 500,000 open cybersecurity positions in the US
alone. So we have an issue with open positions for cybersecurity skills. And the obvious thing
is that means that we're increasing our risk, but how? It means that we don't have
cybersecurity professionals present in enough rooms, right? Especially early enough in the
decision-making processes. So business decisions are happening without security considerations.
How do you suppose organizations can put the word out to non-traditional talent that this could be an opportunity for them, that cybersecurity organizations are interested in what they bring to the table, the type of thinking that they have, the experience from the other types of work that they've done?
I think it's important to not just say it, but show it, right? It's important to highlight, for example, if one organization is trying to put that message out and say, okay, we really are very open to this. We want to have
non-traditional talent. Don't just say that, but also show some of the talent that they have
internally that fall into that category and highlight those individuals and then highlight their stories,
right? Highlight how they have excelled within the organization, how the organization has invested
in them, and how they have grown within their own roles and positions to make really significant
impact. Because I think when you show that it's not just marketing speak, it's not just a
talk track, but it's really a true investment that the organization stands behind it.
That's when it comes to life. And that's when people believe it. And actually, they want to
be part of that, right? They want to join that organization because they feel that's somewhere
where they can truly thrive.
The organizations that you've seen who are successful at this, what do they have in common? What are the things that they're doing that make this work?
For me, that's really about diversity across a team. Again and again, in every research article
on this, every dimension of business, it shows that diverse groups of people
make better decisions, have better results. And when I'm saying diversity, it's thought processes,
it's gender, race, sexual orientation, veterans, neurodiversity, education, socioeconomic
backgrounds, right? There are so many different facets of diversity. And bringing those teams together so that they can really achieve the best results makes the difference. Celebrating those differences on a team and celebrating what they can accomplish together that no one of them could have alone is what I've seen that to be successful. You know, you want people that are creative
problem solvers whenever new problems arise, but who are also okay with some of that mundane
grunt work, that research that's required in cybersecurity, right, to go solve those problems.
And I think it's about assessing how those teams come together and complement each other and challenge each
other to be able to actually be successful and produce better outcomes and better results.
Yeah, it strikes me as being something that I could see being a challenge from a leadership
point of view. But as you mentioned, the results really speak for themselves.
Study after study shows a more diverse team yields better results.
Absolutely. Absolutely.
And I think when leaders invest in it, they will see the outcomes themselves.
And they'll see the outcomes for their team, but also for the individuals on that team.
It can be mind-blowing, honestly, of what you can see happen.
That's Neha Joshi from Accenture Security.
And joining me once again is Thomas Etheridge.
He's Senior Vice President of Services at CrowdStrike.
Thomas, it's always great to have you back.
I want to touch today on the importance of real-time response, continuous monitoring, and remediation.
Kind of get your take on those three elements.
What can you share with us today?
Absolutely.
Thanks, Dave.
I appreciate having me on again.
One of the things that we want to make sure we communicate is the repetitive nature of incidents.
No longer can organizations think about an incident as a one-time event. In fact, in our annual Front Lines report last year, we reported that in 68% of the organizations that reached out to us for incident response help, those
organizations suffered another intrusion attempt within the following 12-month period. So organizations
are susceptible to secondary, even third breach attempts after they've responded to an incident.
Sometimes it's with the same threat actor that's trying to regain access.
And other times it's with a completely different threat actor looking to take advantage of access maybe that they've been unable to close.
Yeah, I mean, that really leads me to the next question I was going to ask you,
which is how often do folks find themselves being hit by the same actor?
Even if somebody closes up a way in, if they have things of interest,
is it common for you all to see the same threat actor making another run at them?
When threat actors realize that they may have the ability to pivot within the environment to another, say, an unprotected part of the environment, or to leverage living-off-the-land techniques to remain stealthy and hidden from the customer's security tooling and protocols,
that's where we see threat actors make additional attempts at exploiting access that they may have gained in the customer's environment. And that's why we preach kind of the ability to detect, investigate, and remediate those incidents as quickly as possible.
Thus, the real-time response, continuous monitoring, and efficient remediation.
Those are so critical in incident response and recovery these days.
When you're walking into a new situation, sort of evaluating someone that you might
be doing business with for the first time, do you find that most folks have one of these areas more covered than others?
Actually, Dave, what we're seeing is quite the opposite.
In our 2020 services report that I just mentioned, we outlined some of the industry averages
for detection, investigation, and remediation. What we see in practicality is most organizations take around 120 hours to detect a threat, about 11 hours to investigate, and about 31 hours to remediate.
In total, that's around seven days. That's just not good enough. Threat actors are moving at much faster paces. They're measured in minutes
and hours, not days. So it's incumbent upon organizations to think about that 1-10-60 rule
that we've discussed previously. And some of the capabilities that we've been able to bring to
market, such as our Falcon Complete offering, drives more structure towards those metrics.
So we're able to actually detect within a minute, investigate within six minutes on
average, and then be able to remediate that threat within 29 minutes.
And that gives the customer a bigger advantage in terms of stopping the tide from these threats.
All right. Well, Thomas Etheridge, thanks for joining us.
My pleasure. Thanks, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Huff.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. We'll see you back here tomorrow.