CyberWire Daily - More on how the US will implement its new National Cybersecurity Strategy. Emissary Panda and Mustang Panda are back. Responding to phishing. Royal ransomware. Water utility security.
Episode Date: March 3, 2023
Implementing the US National Cybersecurity Strategy. The US National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. Responding to a phishing campaign. #StopRansomware: Royal Ransomware. CISA releases five ICS advisories. Sameer Jaleel, Kent State University Associate CIO, on closing functionality gaps and creating a safer digital environment for students. Johannes Ullrich from SANS on establishing an "End of Support" inventory. EPA issues a memo on water system cybersecurity.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/42
Selected reading.
National Cybersecurity Strategy (The White House)
US cyber leaders discuss the new National Cyber Strategy. (CyberWire)
Biden vows to wield ‘all instruments’ in fighting cyberthreats (Defense News)
Chinese state-backed hackers Iron Tiger target Linux devices with new malware (Tech Monitor)
Chinese hackers use new custom backdoor to evade detection (BleepingComputer)
Scam alert: Trezor warns users of new phishing attack (Cointelegraph)
FBI and CISA Release #StopRansomware: Royal Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. national cybersecurity strategy was informed by lessons from Russia's war.
Two threat actors from China up their game.
CISA releases five ICS advisories.
Sameer Jaleel, Kent State University Associate CIO, on closing functionality gaps and creating a safer digital environment for students.
Johannes Ullrich from SANS on establishing an end-of-support inventory.
And the EPA issues a memo on water system cybersecurity.
From the CyberWire studios at DataTribe, I'm Tré Hester filling in for Dave Bittner
with your CyberWire summary for Friday, March 3rd, 2023.
release of the U.S. National Cybersecurity Strategy yesterday morning, the Center for Strategic and International Studies held a launch event that saw two major federal players in
cyberspace come together for a discussion, the acting National Cyber Director Kemba Walden
and the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and
Emerging Technology, Ann Neuberger. Walden expressed the intent of the strategy, saying,
quote, we have to lean into making what we have defensible, end quote. She noted that the SolarWinds incident brought increased
federal attention to cybersecurity and helped it achieve the kind of recognition that earned
remediation in the American Rescue Plan. She noted the importance of modernization and also pointed
out that modernization is a complex process. Quote, IT modernization is a dynamic process.
It has to keep going.
It has to be baked into how we think about security.
End quote.
Ann Neuberger emphasized cooperation for security.
She said, quote,
A secure cyberspace is something that we must do arm in arm.
End quote.
Discussing last November's White House counter-ransomware initiative,
she noted that this global summit saw many nations convene to work together against ransomware.
Feedback from the participants showed the importance of international dialogue,
and of course, cooperation goes on at the national as well as the international level.
Both Neuberger and Walden emphasized the importance of U.S. interagency collaboration.
The U.S. national cybersecurity strategy was shaped in part by lessons learned from observing
Russia's hybrid war against Ukraine. The emphasis on resilience, close partnerships with industry,
and forward engagement with a threat were among the features of the strategy influenced by the
conduct of that war. The national cybersecurity strategy was not shy about identifying the threat
in cyberspace,
and the familiar four intentional bad actors were specifically identified—Russia, China, Iran, and North Korea.
As the strategy put it,
The governments of China, Russia, Iran, North Korea, and other autocratic states with revisionist intent
are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms.
End quote.
One of the four adversary nations, China, is again in the news for cyber espionage.
Emissary Panda and Mustang Panda, two Chinese threat groups with connections to Beijing's intelligence services,
have improved their tools and are actively engaging targets.
Trend Micro reports that Iron Tiger, their name for Emissary Panda, APT27,
has updated its SysUpdate malware family, extending its reach to Linux systems.
The APT has also adopted a novel method of command and control.
Quote,
Iron Tiger has also added a feature that has not been seen before in this malware family:
C&C communication through DNS TXT requests. While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information, end quote.
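The DNS-TXT channel described in that quote is one that resolver logs can expose. What follows is an added illustration of a detection heuristic; it is not Trend Micro's code and does not reproduce SysUpdate's own encoding. It groups TXT queries per client and registered domain and flags a client that sends many TXT queries for many distinct, high-entropy subdomains of a single domain, which is the shape a tunnelled C2 channel leaves in a log, while repetitive SPF/DMARC-style lookups from a mail server fall below the cardinality threshold. The log format, IP addresses, domain names and thresholds are all constructed for the example.

```python
"""Heuristic detector for DNS-TXT command-and-control tunnelling.

Added example for the SysUpdate "C&C over DNS TXT" note above; this is not
Trend Micro's code and does not reproduce SysUpdate's own encoding. The log
format, addresses, domains and thresholds are all constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Hypothetical resolver log format: "<epoch> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Constructed sample: 10.0.0.5 does ordinary lookups, 10.0.0.7 is a mail server
# repeating the same TXT lookup, 10.0.0.9 sends unique hex-looking TXT queries
# under one domain, the shape of a tunnelled C2 channel.
SAMPLE_LOG = """\
1677801600 10.0.0.5 A www.example.com
1677801601 10.0.0.5 TXT _dmarc.example.com
1677801602 10.0.0.9 TXT 3f9a1c2e7b.7d8e0a.upd.example.net
1677801603 10.0.0.7 TXT example.org
1677801604 10.0.0.9 TXT b2c4d6e8f0.1a3b5c.upd.example.net
1677801605 10.0.0.7 TXT example.org
1677801606 10.0.0.9 TXT 9e8d7c6b5a.4f3e2d.upd.example.net
1677801607 10.0.0.7 TXT example.org
1677801608 10.0.0.9 TXT 0a1b2c3d4e.5f6a7b.upd.example.net
1677801609 10.0.0.7 TXT example.org
1677801610 10.0.0.9 TXT c0ffee1234.dead01.upd.example.net
1677801611 10.0.0.7 TXT example.org
1677801612 10.0.0.9 TXT 5b4a39281f.0e6d7c.upd.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload data scores high, readable labels low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_log(text: str):
    """Yield (client, qtype, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qtype"), m.group("qname").lower()


def score_txt_queries(text: str, min_queries: int = 5,
                      min_unique_ratio: float = 0.8, min_entropy: float = 3.0):
    """Return alerts for (client, domain) pairs whose TXT traffic looks tunnelled.

    Three signals are combined: volume, cardinality (tunnelled data yields a new
    name per query, SPF/DMARC lookups repeat the same name) and the entropy of
    the client-chosen prefix (encoded payload versus readable labels).
    """
    stats = defaultdict(lambda: {"count": 0, "names": set(), "entropy_sum": 0.0})
    for client, qtype, qname in parse_log(text):
        if qtype != "TXT":
            continue
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")  # subdomain part carrying any payload
        st = stats[(client, domain)]
        st["count"] += 1
        st["names"].add(qname)
        st["entropy_sum"] += shannon_entropy(prefix)

    alerts = []
    for (client, domain), st in stats.items():
        unique_ratio = len(st["names"]) / st["count"]
        avg_entropy = st["entropy_sum"] / st["count"]
        if (st["count"] >= min_queries and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy):
            alerts.append({"client": client, "domain": domain, "count": st["count"],
                           "unique_ratio": round(unique_ratio, 2),
                           "avg_entropy": round(avg_entropy, 2)})
    return sorted(alerts, key=lambda a: a["count"], reverse=True)


if __name__ == "__main__":
    for alert in score_txt_queries(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only 10.0.0.9 is reported. The thresholds are starting points, not tuned values: some anti-spam and CDN services legitimately generate high-cardinality TXT lookups, so expect to allowlist known domains and to tune `min_queries` per window size, and replace the two-label `registered_domain` shortcut with a public-suffix-list lookup before relying on the grouping.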
The group continues to concentrate on Southeast Asia, but has also prospected targets in Europe
and the Americas. Tech Monitor notes that the interests of Iron Tiger lie for
the most part with governments, defense companies, and infrastructure. ESET is following developments
in Mustang Panda's activities, especially its deployment of a novel and specially designed
bare-bones backdoor. Mustang Panda's operations have increased over the course of Russia's war
against Ukraine, collecting intelligence in the interest of Beijing.
ESET states that the victimology is unclear, after noting signs of unusual interest in Bulgaria and Australia, but most of the group's interests appear to center in Europe. Quote, the decoy
file names are in line with the group's other campaigns that target European political entities.
End quote. Trezor wallet seed recovery page. Trezor says there's no evidence that there's been a real breach, and the company says it will never contact customers via phone calls or text messages.
It's not clear how the attackers obtained Trezor's customer contact information,
but Bleeping Computer points out that a similar phishing campaign targeted the company's customers
after attackers stole marketing lists from MailChimp in March of 2022.
CISA and the FBI yesterday issued a joint advisory on Royal Ransomware. Royal is noteworthy for its ability to disable various antivirus tools
in the course of exfiltrating data in its double extortion attacks. Royal's operators have also
been marked by their disposition to target, quote, numerous critical infrastructure sectors,
including, but not limited to, manufacturing, communications, health care and public health care, and education, end quote.
The gang has been known to demand ransom payments between $1 million and $10 million.
The advisory includes a comprehensive overview of Royal's tactics, techniques, and procedures,
of its indicators of compromise, and of mitigations that organizations can deploy
to help them weather an attack with Royal ransomware.
CISA yesterday released five industrial control system advisories.
The affected products are by Mitsubishi Electric, Baicells, RIDL, and Medtronic. Users of the systems
should consult with advisories and apply the updates and mitigations in accordance with
vendor instructions. And finally, we close with another regulatory development.
The U.S. Environmental Protection Agency has issued a memorandum to the appropriate state authorities outlining measures designed to improve the cybersecurity of water and wastewater systems.
The EPA says the memo, quote, conveys EPA's interpretation that states must include cybersecurity when they conduct periodic audits of water systems, called sanitary surveys, and highlights
different approaches for states to fulfill this responsibility, end quote. And of course,
the state governments are not on their own. The EPA is providing technical assistance and
resources to assist states and water systems as they work towards implementation of a robust cybersecurity program. We'll have more as the story develops over the
coming week. Coming up after the break, Dave Bittner sits down with Sameer Jaleel to discuss
closing functionality gaps and creating a safer digital environment for students.
Dave also sits down with Johannes Ullrich from SANS to discuss establishing an end-of-support inventory.
Stick around.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached.
Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Sameer Jaleel is Associate CIO at Kent State University, a position he's held for about a year now.
He started out as a student at Kent State and later worked there as an application developer.
Since taking the CIO role, a big part of Sameer Jaleel's focus has been on closing functionality gaps and creating a safer digital environment for students.
That is easier said than done.
Like many organizations, they were faced with a collection of legacy systems and applications
still in regular use throughout the university.
The plan was to start to rewrite some of the critical applications, mission critical ones
specifically, which requires us to do a profiling exercise of everything we have in the portfolio to understand what do we rewrite, what do we combine, because needs
show up over periods of time, over years, and then there are piecemeal application solutions
developed.
Do they need to remain separate?
No, they can be combined.
So these kind of analysis happened over time while we were creating new value in the platform as well.
So we actually caused a little bit of a problem, even with the platform in the beginning, leading us to realize, especially leading me to realize, that the tool is only one part of the equation.
Having a strategy, having a plan is equally, if not more important.
To now, where we have a healthy solution architecture
practice that determines where the solution should happen. We have the possibility of custom
solutions, but we also have invested in key enterprise technologies. Why are we not seeing
the solution happen there when 80% of the function is happening there before we determine we're going to write a custom solution for that.
I mean, it's really fascinating as you take us through the process.
Because simultaneous to all of this,
I mean, you've still got to be providing the things
that your students, your professors, your staff people need there.
You're kind of changing the oil while the engine is still running.
Exactly. That's a great analogy.
And this really came to light during the pandemic, right?
So how do you do maintenance type of work, which is what I would call the rewrite type of work.
If I take a step back, it all starts with an engagement with the business stakeholder,
asking them, did you know you have 15 applications that cater to various needs for your business
unit? They usually don't. And so we give them a high-level overview, and then we ask them for
their future plans. And we will weigh in and tell them, here is an opportunity to combine these
systems into one system.
And sometimes they say, you know what, just leave it alone. It's working for us. Don't change it.
We don't need any new functionality. The only time we will intervene and say, okay, but we're still going to rewrite it into new technology is because that is an outdated technology and we don't want
that to be the one vulnerability in our portfolio that gets exploited.
So we very seldom leave things alone if it is in an outdated framework, because that's the times we live in today.
So I imagine, I mean, part of this, as you're describing it, is not just technical, but it's diplomacy as well.
For sure. I think that's kind of the direction forward.
I think the times when there's an IT department
and anything related to technology they will determine
is outdated if not behind us.
Everything has a technology lean to it.
And so we are trying to get that point across
as the central IT unit at the institution,
that we want to have regular conversations with the various business units
to understand what they see coming,
because they are making technology decisions all the time,
and it's not being deferred to us anymore.
Yeah.
And really turning your organization within the university itself as an enabler rather than that stereotypical department of no.
Yes. This was a big driver for us producing that RFP because we had a backlog for two years.
And an average lightweight project would take us several months to produce
because we would start from zero every time.
With the low-code platform,
the lowest time I can produce an application is one day.
And that application still has institutional authentication,
prefabricated all these modules,
and there's a lot of reuse,
which is part of the vision in that RFP,
we're able to accelerate our development. So yesterday and past years, we would call it a
backlog. Today, we call it a roadmap because we're looking forward, right? If I'm being very literal,
they're not very different, a backlog and a roadmap. But we are able to do these things quickly.
And this, again, came to light in the pandemic
because we didn't know what we would need,
taking things that happened on-premise in person
and trying to create a remote experience on the fly.
We really tested our abilities to create things
without a heads-up, with limited oversight even in some cases.
Whatever you can produce is good for us was what we would get,
and we were able to produce some really neat innovative technologies
that we fortunately don't have to use anymore.
So even that doesn't bother us because it comes together quickly,
and then we can kind of jettison it after the utility is over.
For you as a leader, how much of this is nurturing that sense within your team
that sometimes it's okay to go down that road even if it doesn't lead anywhere?
It's okay to experiment.
Yeah, it's a big mindset shift.
I mean, the first mindset shift, again, taking a step back,
was when you look at low code. If you're really in love with writing code, it's a deterrent, right? Low code
immediately implies you're not coding as much. And we had to confront that, that we're a higher
ed institution. We're not here to feel good about optimizing 50 lines of code into 10. That's not what the rest of the institution
sees as value. So we have to be solution providers and quickly. And can you take pride in that,
that you go sit across from a group of faculty members or students or deans, listen to what
they're struggling with, and then come back with a potential solution that will improve that problem for them.
That's who we need.
And getting our developers to see themselves as that person, that personality,
was the hill we had to climb for a period of time.
But we're there now and we're thriving.
That's Sameer Jaleel from Kent State University. And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of
Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Johannes, it's always great to welcome you back.
Hey, thanks for having me, Dave.
So I saw recently that both Windows 7 and Windows 8.1 had reached the end of their support.
And you make the point that this is something that folks really need to keep an eye on when
it comes to their overall inventory, yes?
Yeah, definitely.
And it's one of those things that may be relatively straightforward
with things like Windows.
It's well-publicized, but there are lots of devices,
lots of software that you have.
And recently, for example, there were yet another set of vulnerabilities
in these Cisco RV routers.
And it's sort of a small business line that Cisco has or had at some point.
And myself and others are sometimes complaining,
hey, Cisco, aren't you going to publish any updates for that?
And then you read closer, and yeah, last time they actually sold these,
I think it was in 2016 or 2018.
So it's not unreasonable that Cisco kind of just stopped supporting them at some point.
And I think what we often forget is that
devices like this, they have an expiration date.
And while it's not kind of printed on the device
when you buy it, there is an implied expiration date
and you have to be ready for that.
So you have to keep a calendar entry
or whatever it takes, a spreadsheet,
some kind of fancy, costly inventory management software
if you can afford it, that will alert you
let's say a year ahead or half a year ahead
depending on the device.
We probably should replace that device
because the vendor is no longer offering any updates for it.
And realistically speaking, if you have a 10-year-old router in some dusty corner underneath your desk,
what are the chances that it will just go up in smoke one of these days?
So may as well get ahead of that and replace those devices.
And once it's cheap, it's just the cost of doing business, something that you have to account for
when you're getting the device in the first place.
It strikes me that there's that old saying, if it ain't broke, don't fix it. But that doesn't
necessarily apply to things that are software-driven. Because as you and I have spoken about many times,
over time, vulnerabilities can be exposed.
And so a piece of a device that may have been secure
or perceived as being secure over time,
it may no longer be.
Yeah, right.
It's not like an old wine.
It doesn't get better with time, kind of.
Right.
Love it, love it.
So you just have to throw out.
The problem sometimes is, like I said, Windows, Cisco,
those companies are fairly straightforward about their policies here.
In particular with companies targeting more home users or small business users,
it may not be as easy to figure out what that expiration date is.
That may be something that vendors could improve.
It would be nice to have that printed on the box when you get it.
But at least have some web page or something to say, okay, if you buy a device today, we
guarantee for the next five years, it would be sort of a reasonable time, you'll get updates.
But beyond that, who knows kind of what will happen.
Maybe we'll decide to extend it a little bit.
That happens sometimes.
But at least you have a guaranteed goodbye date.
And after that, you're basically taking some risks.
You probably want to schedule five years from now
if you probably need to get a new device.
I think of the things that just kind of, as you were saying,
hang out and you just sort of forget.
They blend into the background,
things like printers and security cameras.
They can be doing their thing for a decade or more,
and nobody thinks twice about it.
And I have to admit,
I have like an old security camera in the closet.
I really like it.
It's a very fancy one.
It's 15 years old now.
Doesn't do modern TLS at all and such.
But hey, you know, it still works. It's still a fun toy to play with.
Right, right. Every now and then you wave to the foreign actors who are monitoring it, right?
Yeah, exactly.
As you walk by.
All right. Well, Johannes Ullrich, thanks so much for joining us.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The CyberWire. For links to all of today's stories,
check out our daily briefings at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is me,
with original music by Elliott Peltzman.
The show was written by John Petrik. Our executive editor is Peter Kilpe,
and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here
next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.