CyberWire Daily - More APT activity. Brigading, Mass Reporting, and Coordinated Inauthentic Behavior. CISA names the CSAC members. Cybercriminals sentenced. A whistleblower with an ulterior motive?
Episode Date: December 2, 2021. An APT is exploiting Internet-facing instances of ServiceDesk Plus. Meta releases its end-of-year Adversarial Threat Report, and adds "Brigading" and "Mass Reporting" to "Coordinated Inauthentic Behavior" as activities that will get accounts shut down. CISA names the first members of its Cybersecurity Advisory Committee. Sentencing, American and Russian style. Malek Ben Salem has a look at cyber resilience. Our guest is PJ Kirner from Illumio with a look ahead to 2022. And an alleged false whistleblower is under indictment, and under arrest. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/230
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An APT is exploiting internet-facing instances of ServiceDesk Plus.
Meta releases its end-of-year adversarial threat report.
CISA names the first members of its Cybersecurity Advisory Committee,
Sentencing, American and Russian style.
Malek Ben Salem has a look at cyber resilience.
Our guest is PJ Kirner from Illumio with a look ahead to 2022.
And an alleged false whistleblower is under indictment and under arrest.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 2nd, 2021.
Palo Alto Networks' Unit 42 describes a campaign by an advanced persistent threat, no nation identified as responsible,
exploiting a zero-day in Zoho ManageEngine ServiceDesk Plus.
Unit 42 estimates that there are about 4,700 internet-facing ServiceDesk Plus instances worldwide.
About 2,900 of them, some 62%, are regarded as vulnerable to exploitation.
The report represents an update to earlier revelations of a nation-state campaign that's been exploiting Zoho software.
The U.S. Cybersecurity and Infrastructure Security Agency, CISA, issued a joint advisory about ADSelfService Plus on September 16th,
subsequently updated on November 22nd,
in which it warned that the threat actors were taking advantage of vulnerabilities
to pursue targets in academic institutions
and defense contractors,
and some organizations in the transportation,
information technology, manufacturing,
communications, and finance sectors.
The APT appears to be collecting information.
The campaign would represent a cyber espionage effort.
The advice CISA offered then remains sound. Don't expose this software to the internet.
Facebook's parent Meta yesterday released its end-of-the-year adversarial threat report.
It concentrates on what Meta calls
coordinated inauthentic behavior, brigading, and mass reporting. Coordinated inauthentic behavior
is familiar, but brigading and mass reporting deserve some explanation. Brigading involves an
adversarial network whose participants cooperate to mass comment, mass post, or engage in other types of repetitive mass behaviors to harass others or silence them,
which sounds like trolling scaled to an industrial size.
Mass reporting, also characterized as involving an adversarial network,
occurs when, quote,
people work together to mass report an account or content to get it
incorrectly taken down from our platform, end quote. That is, people combine to falsely allege
violations of policy in an attempt to get someone banned from Facebook or any other meta platform.
The reporting in this case is reporting in the sense of diming someone out to the platform.
Meta took down four coordinated inauthentic behavior networks in China, Palestine, Poland, and Belarus.
One network in Italy and France was disabled for brigading, and one network in Vietnam
was removed for mass reporting.
CISA has named the first members of its Cybersecurity Advisory Committee.
The agency describes the advisory committee as, quote,
comprised of the nation's leading experts on cybersecurity, technology, risk management, privacy, and resilience.
They bring a diverse set of experiences and perspectives
and will impanel a set of subcommittees focused on addressing key focus areas, end quote.
The appointments just announced
represent the first 23 members. The CSAC may ultimately have up to 35 members. The advisory
committee was established in June of this year and was designed to bring the CISA director advice on
cybersecurity from the perspective not only of industry but also of state, local, and tribal governments.
CISA says that committee members with subject matter expertise in various critical infrastructure sectors
participate in the development, refinement, and implementation of recommendations, policies, programs,
planning, and training pertaining to CISA's cybersecurity mission.
The CSAC will also form subcommittees as the CISA director decides.
Subcommittees would study special topics of importance to the agency's mission.
Alexander Grichishkin, one of the founders and the effective leader of a bulletproof hosting service that catered to cyber gangs,
has been sentenced by the U.S. District Court for the Eastern District of Michigan, Southern Division, to a term of five years on
a RICO beef. Mr. Grichishkin took a guilty plea to one count of conspiracy to engage in a racketeer
influenced corrupt organization. His co-defendants, who also pleaded guilty, were sentenced earlier.
The U.S. Attorney's Sentencing Memorandum outlines the services Grichishkin's operations provided.
He and his colleagues were in the infrastructure business and delivered the IP addresses,
domains, and servers their gangland customers used, as Bleeping Computer lists them,
quote, to distribute malware, host phishing kits,
breach targets networks, build botnets, and steal banking credentials.
The malware they supported forms a familiar list, Zeus, SpyEye, Citadel, and Blackhole.
The Financial Services Information Sharing and Analysis Center, the FS-ISAC, informed the court that SpyEye and Zeus alone cost banks
about $111 million in 2011 alone, and that FS-ISAC regards that figure as a low estimate.
Since TASS has expressed President Putin's interest in and commitment to international
cooperation against cybercrime, a Russian court case provides an example of what that commitment looks like.
A Russian court passed sentence on Maxim Zhukov for coding he did for the Fin7 gang.
Mr. Zhukov received, The Record reports, a one-year suspended sentence and a year's probation.
Let that be a lesson to him and others like him.
It probably already is.
And finally, not all whistleblowers, apparently, should be taken at face value. The U.S. Department
of Justice yesterday announced the indictment and arrest of Mr. Nicholas Sharp, formerly employed
by Ubiquiti Networks on four counts of computer-related crime.
The Verge has a useful summary of the case.
Back in January, Ubiquiti, which makes prosumer routers and access points,
notified users that it had sustained a data breach
in the course of which unauthorized parties may have accessed company information.
In March, a whistleblower told media outlets
that matters were far worse
than Ubiquiti had let on and that it had covered up a catastrophic data breach. That whistleblower
was apparently Mr. Sharp, and if the Feds' indictment is borne out at trial, since of course
Mr. Sharp is entitled to a presumption of innocence, he was not only responsible for the initial data breach itself,
but also for using his whistleblowing to ratchet up extortion pressure on the company. According
to reporting from The Verge, quote, the first count charges him with transmitting a program
to a protected computer that intentionally caused damage, which carries a maximum sentence of 10
years in prison. The second count charges transmission of an interstate threat,
which carries a maximum sentence of two years in prison.
The third count charges wire fraud,
which carries a maximum sentence of 20 years in prison.
The fourth count charges the making of false statements to the FBI,
which carries a maximum sentence of five years in prison.
The maximum potential sentences are prescribed by
Congress and are provided here for informational purposes only, as any sentencing of the defendant
will be determined by the judge, end quote. Note to any faux whistleblowers, next time try the
caper from a Russian jurisdiction. The American feds are just humorless.
As we find ourselves on final approach toward the end of 2021 and the new year ahead,
it's good to take stock of the year we've had and look ahead at what's yet to come.
PJ Kirner is Chief Technology Officer at security firm Illumio, and I checked in with him for his insights on the year ahead.
I think zero trust is one of those kind of terms that have been out there and people have been talking about. And, you know, we saw the Biden mandate around the federal government doing
zero trust. I think what's interesting is people trying to figure out what it is and also how to get started.
We've seen larger, more mature organizations try and figure out what a strategy was, but I think it's something we all need to do.
Everybody has to have a starting place.
Everybody has to have something to do to show your boss or your board that you are on the zero trust path.
And I think that's going to be a thing that's going to change in 2022. People start figuring
that out and there'll be more small success stories around zero trust.
So kind of a snowball rolling down the hill, whereas people see others having success with it
it becomes, I don't know, more important for them to get on board.
The one challenge around zero trust, it seems kind of daunting because it is a strategy you apply.
And like, what am I going to be done with zero trust?
Like, well, you might never be.
It's a strategy you're going to use for the rest of time.
So it is about how you get started.
I think it's about finding quick wins and starting the journey.
And I think that's what will happen.
People will figure that out.
What about ransomware? That's certainly been top of mind for a lot of folks this year. Do you think
we're going to see progress in the year ahead? I think so. I mean, there's much more awareness
around it for sure. You know, one other thing that Zero Trust does bring around is this assume
breach mentality, which I think is an important kind of construct. It's assume they're already inside, right? And they might be, you know,
they might have a foothold here and a foothold there. How do you adapt your security posture
when you assume they're already, you know, they're already there, right? You've already
been breached, right? And I think that mentality will yield stories about people found stuff, how they found stuff, how they sort of prevented it, how they sort of kept it on the periphery.
And again, I think that will lead to more people learning about what to do, office as things tend to normalize after COVID-19. To what degree do you think that's going to affect things? Are we going to see an increase in collaboration? What are your thoughts there?
is there was kind of, during COVID,
we were all working from home.
In certain places, there was a bump up in productivity because people sometimes focus and kind of isolation
can actually help you be more productive in things.
But what I think clearly dropped off
was the creativity and the collaboration.
So the collaboration, which is what fuels
kind of creative processes and so on, and that did not sort of work over Zoom or video conferencing, right? So I think
where we need that creativity, it's across all industries. All industries need it. But that'll
be part of why people are coming back to the office and some of the value that people get.
They'll remember what that was, why that hallway conversation that sparked this, these two people who happen to never talk to each other to talk
to each other and come up with something interesting. I think we'll all realize what
we've been missing and people will kind of run and flock to, you know, those who need that will
come back. Are you generally optimistic coming into the new year? Do you think we're on the right path here?
It's always good.
I'm kind of an introspective kind of person, right?
I like to, even at the end of every year, I kind of like to take stock of what worked
and what didn't work during that year and sort of look to the next year and say, well,
okay, what could I do better?
And a lot of us have looked to ourselves and had those moments,
and we're forced to have those moments.
So to me, being introspective leads to, well, in a lot of cases, can lead to kind of positive outcomes about how to do better in the coming year.
So, yeah, I am optimistic.
That's PJ Kirner from Illumio.
And I'm pleased to be joined once again by Malek Ben Salem.
She is the Technology Research Director for Security at Accenture.
Malek, it's always great to have you back. You and your colleagues recently released a report titled The State of Cyber Resilience.
And I thought this would be a good opportunity to dig into that report.
What can you share with us today? Yeah, glad to be back, Dave. This is a report that Accenture
publishes on a yearly basis. And we look at the state of cybersecurity resilience every year.
So this year, we surveyed about 5,000 global CSOs and CISOs about the practices of cybersecurity within their organizations.
You know, some of the findings that I could share about that report is that we found
that 85% of these CISOs agree that the cybersecurity strategy is now developed
with business objectives or aligned to business
objectives. And that's a great number. I mean, we've been within the security community, we've
been, you know, doubting for aligning security objectives with business objectives. And that
has not been typically the case. We see that, you that this is changing. And now growth objectives and market
share objectives are really driving the cybersecurity strategy. Yeah, that's an interesting
number there. I mean, I suppose it's like steering that battleship. It doesn't happen quickly,
but it's good to hear that we're on a better road to achieving that goal.
Exactly. Exactly. No, that's great news. Now, on the other hand, more than 80% of CISOs
do mention that staying ahead of attackers is still a constant battle for them and that the cost basically is unsustainable.
That's compared to 69% last year.
So it seems like staying ahead of attackers is becoming even more of a challenge this
year.
Yeah.
When we say the cost is unsustainable, any insights there?
They're just having trouble getting the resources
from the powers that be or what can you unpack from that? Yeah, getting the resources is one,
although most of these CISOs do actually mention that their budgets have increased.
But I think the mere number of attacks that they're undergoing is increasingly growing.
So on average, they see 270 attacks per company, and that's more than a 30% increase over 2020.
So a significant increase in cyber attacks, which makes this battle or this sustaining the cost basically unsustainable.
To what degree do you think we may also be seeing better detection here that,
you know, attacks that flew under the radar may no longer do that?
Yeah, that's a great question. Actually, there's probably some of that. And we see that across two groups.
Basically, when we surveyed these CISOs, we looked at how they align their security strategy
with business strategy.
But we looked at how effective they are in detecting attacks, how long it takes them
to detect attacks, et cetera.
And we see that two groups, mainly one group that we call the cyber champions,
are really effective in detecting these attacks. They can block a lot of the attacks
by the fact that they can detect them early. So there's probably some of that going on.
But also, I think overall in 2020, we've seen an increase in attacks, especially the ones that are driven by third parties.
So supply chain, software risk, that's more of a concern for our clients this year.
I see.
So where do you suppose this puts us as we head into the next
year? Is there a sense of optimism or where do people land? I think there is a sense of optimism.
Obviously, there are the challenges as usual, and one of them is adopting the cloud securely.
We've seen a lot of companies move to the cloud over the past of a concern for them.
There's a challenge there. And I think companies like Accenture can definitely help with that
because the tools are available, right? Because we have so many things available to
make that journey secure for our clients.
Right, right. So there's no need to go at it alone anymore. There's plenty of
providers who can hold your hand on that journey these days.
Exactly.
All right. Well, Malek Ben Salem, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard. Thanks for listening. We'll see you back here tomorrow.