CyberWire Daily - No cyber blues on Super Tuesday.
Episode Date: March 6, 2024

CISA says Super Tuesday ran smoothly. The White House sanctions spyware vendors. The DoD launches its Cyber Operational Readiness Assessment program. NIST unveils an updated NICE Framework. Apple patches a pair of zero-days. The GhostSec and Stormous ransomware gangs join forces. Cado Security tracks a new Golang-based malware campaign. Google updates its search algorithms to fight spammy content. Canada's financial intelligence agency suffers a cyber incident. On our Industry Voices segment, our guest Amitai Cohen, Attack Vector Intel Lead at Wiz, joins us to discuss cloud threats. Moonlighting on the dark side.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, our guest Amitai Cohen, Attack Vector Intel Lead at Wiz and host of their Crying Out Cloud podcast, joins us to discuss cloud threats. Learn more in Wiz's State of the AI Cloud report.

Selected Reading
No security issues as Super Tuesday draws to a close, CISA official says (The Record)
Biden administration sanctions makers of commercial spyware used to surveil US (CNN Business)
US DoD launches CORA program to revolutionize cybersecurity strategy (Industrial Cyber)
Unveiling NICE Framework Components v1.0.0: Explore the Latest Updates Today! (NIST)
Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS (Malwarebytes)
Watch out, GhostSec and Stourmous groups jointly conducting ransomware attacks (Security Affairs)
Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (Bleeping Computer)
Google is starting to squash more spam and AI in search results (The Verge)
Cyberattack forces Canada's financial intelligence agency to take systems offline (The Record)
Cyber Pros Turn to Cybercrime as Salaries Stagnate (Infosecurity Magazine)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
CISA says Super Tuesday ran smoothly.
The White House sanctions spyware vendors.
The DOD launches its Cyber Operational Readiness Assessment Program.
NIST unveils an updated NICE framework.
Apple patches a pair of zero days.
The GhostSec and Stormous ransomware gangs join forces.
Cado Security tracks a new Golang-based malware campaign.
Google updates its search algorithms to fight spammy content.
Canada's Financial Intelligence Agency suffers a cyber incident.
In our Industry Voices segment, our guest Amitai Cohen, Attack Vector Intel Lead at Wiz,
joins us to discuss cloud threats and moonlighting on the dark side.
It's Wednesday, March 6th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you all for joining us here today.
It is great to have you with us.
A senior official from the Cybersecurity and Infrastructure Security Agency reported no security issues during the close of Super Tuesday,
marking a smooth day for the presidential primary calendar's biggest day. The official confirmed
there were no known, credible, or specific threats to election operations, reinforcing
confidence in the election process and its ongoing administration. With presidential
nominating contests taking place
in over a dozen states, Super Tuesday served as a crucial test of the U.S. election infrastructure
ahead of the November general election. Despite prior warnings from national security officials
about potential cyberattacks or influence operations by foreign adversaries, possibly
using generative artificial intelligence,
the day proceeded without any significant security disruptions.
The Biden administration sanctioned several software vendors, including individuals and
companies within the Intellexa consortium, accused of aiding repressive regimes in spying on U.S. officials, journalists, and human rights activists.
This marks the first U.S. sanctions against sellers of commercial spyware,
highlighting concerns over its use in privacy invasions and human rights abuses globally.
The sanctions prevent U.S. entities from engaging with the targeted individuals and companies.
Intellexa's Predator spyware, sold to various governments,
has been implicated in spying activities against U.S. government officials and in facilitating human rights violations.
The U.S. aims to curb the commercial spyware industry,
having previously banned federal agencies from using such technology,
and imposed visa restrictions on individuals involved in the spyware sector.
The initiative emphasizes the U.S.'s commitment to combating the misuse of surveillance technologies worldwide.
The U.S. Department of Defense has officially launched its Cyber Operational Readiness Assessment,
CORA, program after a successful nine-month pilot.
Transitioning from a compliance-based approach to one which emphasizes operational readiness,
CORA aims to assure mission integrity by providing continuous holistic assessments
of cybersecurity within the DoD information network. The program focuses on validating technologies
and enhancing the DoD's ability to monitor, assess, and mitigate risks.
CORA prioritizes minimizing adversarial risks by using MITRE ATT&CK mitigations
and developing risk-based metrics to concentrate efforts on high-risk areas.
The program is designed to enhance decision-making for commanders
and directors by offering a more precise understanding of cyber terrain and security
posture. Furthermore, CORA's agile process allows for adjustments based on new orders,
policies, or the evolving threat landscape, ensuring a robust cybersecurity foundation across all DoD networks.
NIST's National Initiative for Cybersecurity Education, also known as NICE,
unveiled the first official revision of its Comprehensive Workforce Framework since 2017.
The updated framework refines the structure of cybersecurity roles
and the crucial task, knowledge, and skill statements
that define professional requirements in the field. The update introduces 11 competency areas
and updates the core 52 work roles. The full overhaul aims to more accurately mirror the
dynamic nature of cybersecurity work and talent insights. The revision saw over 2,000 task, knowledge, and skill statements refined
with a significant focus on removing redundancies and enhancing clarity. These changes underscore
a commitment to adaptability and precision in defining what cybersecurity professionals do
and need to know. Accessibility and user-friendliness have also been prioritized,
with the release of new Excel workbooks and a machine-readable JSON file planned for later this year.
This approach signals a software-like versioning strategy for future updates,
indicating ongoing refinement and responsiveness to our profession's needs.
For industry professionals, the NICE framework serves as a critical tool
in navigating the
cyber talent landscape and enhancing workforce readiness. Stay tuned later this month when we'll
publish a full-length special edition with the leadership at NIST NICE about the new updated
framework. Apple has issued a security update for iOS and iPadOS to address two exploited zero-day vulnerabilities, which allow attackers
to bypass memory protections and potentially gain complete control over targeted iPhones.
These vulnerabilities were used alongside an unpatched flaw or malicious app for exploitation.
Users are advised to update to iOS 17.4 or iPadOS 17.4.
The vulnerabilities involve memory corruption issues addressed with improved validation
affecting Apple's real-time operating system, RTKit, across various devices.
Cisco Talos researchers report that the GhostSec and Stormous ransomware gangs
have partnered to launch a global ransomware
campaign via a new ransomware-as-a-service operation named STMX GhostLocker. Targeting
multiple countries, the collaboration offers a range of services to affiliates, including paid,
free, and data sale or publication options. The campaign has impacted organizations across numerous countries,
including Israel, where GhostSec has targeted industrial systems and critical infrastructure.
The GhostLocker 2.0 ransomware, developed in Go, marks an evolution in their tools,
threatening data leakage if victims do not engage within seven days.
The operation's command-and-control server was located in Moscow,
and the ransomware builder provided to affiliates includes features for persistence,
target selection, and detection evasion.
Hackers are exploiting misconfigured servers using Apache Hadoop YARN,
Docker, Confluence, or Redis through a new Golang-based malware campaign
discovered by Cado Security.
This malware automates the identification
and exploitation of vulnerable hosts,
leveraging old vulnerabilities,
notably in Atlassian Confluence, for code execution.
The campaign involves Bash scripts
and Golang ELF binaries for initial compromise,
leading to cryptocurrency mining, persistence, and reverse shell setup. Four novel Golang payloads
designed to scan for and exploit services on specific ports have been identified. Notably,
the malware includes debug information and unobfuscated strings, simplifying reverse engineering.
Despite this, these payloads remain largely undetected by antivirus engines on VirusTotal.
The campaign, potentially starting in December 2023,
highlights the importance of securing server configurations to prevent these sorts of intrusions.
Cado Security has provided a detailed analysis and indicators of compromise
for further protection against this threat.
Google is implementing updates to its search ranking algorithms
aimed at reducing what it describes as unhelpful content by up to 40%.
They say the updates specifically target content that merely summarizes other
content, a common practice in SEO and increasingly produced by AI tools, as well as tactics that
manipulate search rankings. Google's adjustments focus on three types of spammy behavior,
the mass production of low-quality articles, site reputation abuse, where reputable sites host spammy content,
and expired domain abuse, where high-ranking but abandoned domains are filled with poor content to exploit their search rankings.
Google is providing a 60-day grace period for sites engaged in reputation abuse to amend their practices,
while the other changes are effective
immediately. FINTRAC, Canada's financial intelligence agency, took its corporate systems
offline following a cyber incident this past weekend. The incident, which did not involve
FINTRAC's intelligence or classified systems, has prompted the agency to collaborate with federal partners,
including the Canadian Centre for Cybersecurity, to safeguard and restore its systems.
As a precaution, the agency disconnected its corporate systems to protect their integrity.
The nature and motivation behind the cyber incident remain undisclosed, similar to recent
cyber attacks on the Royal Canadian Mounted Police and Canada's
Foreign Ministry, which also experienced breaches involving personal information.
Coming up after the break, my conversation with Amitai Cohen,
Attack Vector Intel Lead at Wiz.
We're discussing threats in the cloud.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
In today's sponsored Industry Voices segment,
my conversation with Amitai Cohen, Attack Vector Intel Lead at Wiz.
Our discussion centers on threats in the cloud.
So the Wiz research team in general is mainly in charge of the content within the Wiz product,
meaning that we're the ones building the various threat detection and risk detection rules.
My team specifically is in charge of dealing with emerging threats.
That means that whenever there's a new high-profile vulnerability or something that's attacking cloud
customers in particular, then we spring into action and make sure that our product is well-positioned
to detect everything that's going on there and make sure that our customers might ideally don't
have to deal with this in the first place by just having good risk management in their environments.
I think folks who follow cybersecurity are aware of Wiz as being in that category of a cybersecurity unicorn,
you know, a tremendous amount of growth.
You're on the research side of the team.
And I'm curious, how does the research side contribute to the overall mission of the organization?
Wiz is a very product-oriented company.
So all of the activity of the threat research team at the end of the day pours into the product.
The product itself, what makes it successful at doing what it does,
is the development efforts and the research and development efforts.
But the differentiator of the research is to basically add the rules on top of the various engines that our developers
are building. Whether that's the agentless scanning, whether that's our dynamic scanner,
which is an unauthenticated network scanner, whether it's the Wiz sensor, all of these things
need to have detection rules built into
them that are looking for malicious activity, that are looking for potential risks. And that's
what the threat research team is mainly in charge of. I see. Now, I would be remiss to not mention
that you are yourself a host of a podcast. It's titled Crying Out Cloud, which is brilliant.
You talk about cloud security news stories and those sorts of things.
I'd love to know what are some of the stories that you've been covering recently that have really caught your attention?
I will say that the most interesting things I think that we cover are whenever nation-state activity comes to light that has been targeting cloud environments, among other things.
Recently there was
the Midnight Blizzard case
that targeted Microsoft. Prior to
that there was also the
Storm-0558 that also targeted
Microsoft. Occasionally you also
have Iranian actors
doing data destruction
operations in the cloud, kind of like I think
was Peach Sandstorm a few months ago. I think those are the most interesting and eye-catching
things. They aren't necessarily the ones affecting the most cloud customers, though. I mean,
they're definitely the most dangerous when they succeed, and especially if they're targeting
companies like Microsoft or any other sort of critical infrastructure of the internet.
But I think the most important things we cover are actually the things that are affecting
a wide range of customers like cybercrime actors that are slowly targeting more and
more of the cloud environments like Scattered Spider, things that are taking advantage of,
shall we say,
novel and more sophisticated lateral movement paths in the cloud.
As you look at some of the stories that you have been covering there,
have there been any surprises, anything unexpected in your coverage?
I think I'll say that I'm, how would you say that I'm sadly surprised, rather than positively surprised, at how things tend to repeat themselves.
Like it's often companies making the same mistakes as other companies have already made, or vulnerabilities being discovered in internet-facing devices that have already been discovered, or at least variants of them have been discovered in other devices.
So what I'm surprised by is how much
a lot of the industry isn't learning enough
from each other and learning from their mistakes.
That's an interesting insight.
You and your colleagues there recently came out
with your State of AI in the Cloud report.
I would love to dig into that.
What are some of the highlights
that you covered there in that publication?
I don't think this will
be surprising to anyone, but
maybe I've already
been working on
this so long that I'm
immune to being surprised by it. But
our data shows that around 70%
of cloud customers are
already using some form of managed AI service.
Things like Bedrock, SageMaker, Azure OpenAI.
And the growth rate is enormous.
It's something like 40% month over month in terms of how many instances of these services customers are deploying in their environments,
like how many machines they have active in their environments that are sourced from these services,
which kind of shows that this is being adopted really fast.
Just to give you a comparison,
something that is much more well-established and well-known
is, for example, Kubernetes.
So managed Kubernetes is standing at around 80% of cloud customers that are using it.
So that's only 10% away. And this is a much newer service and it's a lot less tested.
So I think that's really interesting and it kind of shows how much customers are excited by this
technology. Yeah, that is interesting. What specifically are the AI applications that people are applying to their cloud infrastructures? What are folks finding that it is best suited to help with?
risks, and that's kind of been our chief focus in what we've been calling AI SPM or AI Security Posture Management. So we're mostly looking at how these services are introducing risks into
customer environments that weren't there before. For example, if they're using training data
to build their AI models, and this training data contains, for example,
cloud credentials that might lead to other places
in the environment.
Or if they're putting training data into cloud storage
and that cloud storage happens to contain other things
that shouldn't be there.
For example, we recently found a case
where Microsoft's AI researchers were using a public cloud storage account
to store training data for one of their AI models,
and that was meant to be publicly exposed.
It was just part of sharing data with a larger community,
but that same storage account also contained a bunch of stuff
that it shouldn't have, like chats between the researchers and secrets,
and it was also writable anonymously, meaning that anyone could have connected to it and modified the contents. So we're less focused on how customers are using
these services, like what sort of applications they're building, and we're more focused on the
security aspects at the moment.
Wow. I'm curious, in the time that you have spent working with cloud infrastructure,
the cloud threat landscape, and really being there to see these trends evolve over time,
are there any recurring themes or patterns that you're tracking here?
So I think that much like many other vendors are seeing in other areas, like even in on-prem, compromised credentials seem to be a really big theme.
Like a lot of the threat activity that we're seeing in customer environments at the moment
is based on credentials being compromised either from the cloud environment itself. For example,
if there's a bucket or a
virtual machine that's affected by a vulnerability and that contains a cloud credential or an SSH
key or something like that, and threat actors are essentially exploiting those vulnerabilities,
stealing the keys, and then using them to connect back to the cloud environment.
Or it could be end users being compromised and having stealer malware installed on their devices
and stealing the keys from there.
So a lot of credentials being compromised
and being used to target cloud environments.
And looking at a lot of the incidents,
the major incidents that have happened
over the past, I think, two years or so,
especially the really interesting ones like supply chain attacks on big software companies,
the initial access is almost always end-user compromise.
A developer laptop gets compromised because they fell for a phishing attack, for example.
So oftentimes, the root cause of the incident isn't even in the cloud itself.
It's sort of a human error or on-prem issue.
Given the unique view that you have on these cloud environments
and the experience that you have there at Wiz,
what are your words of wisdom here?
I mean, what are your tips for the folks who are out there
fighting the good fight every day,
looking to defend their cloud infrastructure,
what would your recommendations be?
I think it's really important to have observability.
There are a lot of open source tools that you can use
if you're a really small business.
Then it goes without saying,
there are a lot of open source tools you can use
to get a lot of value
that also gives you good observability
into your environment.
You've got to have a really good secret scanner,
because again, if you want to make sure that your credentials won't be compromised,
then you can't leave them scattered about,
not in your code repositories and not in your cloud environment.
So you've really got to have a good secret scanner.
There are plenty of open source secret scanners as well.
And I think it's really important to have, in particular,
especially in larger environments, to have a graph view of your environment. Because as the sages have said
many times in the cybersecurity industry, attackers think in graphs, right? So I think
that would be the most fitting approach for the cloud as well. I think the cloud also
lends itself to a more graphical view because it's very object-oriented
and you can sort of scatter your applications
across multiple objects.
It's very highly abstracted
just because the cloud providers
sort of lend themselves to that sort of type of thinking.
So yeah, so observability, secret scanning,
and graphical representation or any other type of abstraction, depending on how your brain works, I guess.
I know you and your colleagues there at Wiz have had some pretty interesting projects that you all have been working on.
What can you share with us about that?
I can talk about a few things. One is a while ago, we launched a website called CloudVulnDB,
which is basically our attempt to do enumeration,
like what NVD and MITRE's CVE project do for software vulnerabilities.
We want to do the same thing for cloud vulnerabilities.
And cloud vulnerabilities often don't get CVEs.
The reason they remain interesting, even if they're no longer exploitable,
for example, if any of the CSPs
has some vulnerability
allowing cross-tenant access,
for example,
oftentimes they'll fix it on their end
and customers don't have to do anything.
The reason it remains interesting
and the reason that it's important
to sort of document these things
and have them available for research
kind of goes back to what I was saying before
about how I kind of wish the industry would learn more
from each other's mistakes,
is that oftentimes you'll have the exact same vulnerabilities
across different cloud service providers.
So, you know, it's sometimes even like a year apart.
And, you know, in our own vulnerability research,
sometimes we found vulnerabilities
in certain pieces of software
that were being used by many different vendors at once.
And all of their implementations
were essentially affected by the same issue,
just for different reasons.
And I think it's really important to do that.
It's also kind of a good measurement
of where we stand in terms of security, because it would be nice to see the graph slowly trending downwards in terms of
the critical vulnerabilities affecting the cloud. It's also important, I think, for transparency
reasons to make sure that people understand that when issues are discovered that affect the cloud,
that they're handled properly and don't have long-term impact.
Other than that, we've also really recently launched a new website called
the Cloud Threat Landscape, which is where we've been documenting all of our information and all
of our research about cloud incidents. This is something we kind of felt was missing, and we had
been maintaining this for about a year prior to publishing it.
And we eventually decided that there's enough meat in there
and there's enough things of interest in there
that it's worth kind of sharing this with the world
and making it publicly available.
So it's literally like our own internal threat intelligence database,
just the parts of it that we can make public
because they're based on public information.
So you can find their incidents affecting cloud environments or potentially affecting
cloud environments.
You can find the techniques that threat actors are using, what kind of technologies they
like to target.
For example, one interesting thing you can check for is what are
the technologies that are most targeted? What are the technologies that are most involved in
cloud security incidents, for example?
Our thanks to Amitai Cohen from Wiz for joining us.
...a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Whether you own a bustling hair salon,
a painting company that just landed a big job,
or the hottest new bakery in town.
You need business insurance that can keep up with your evolving needs.
With flexible coverage options from TD Insurance,
you only pay for what you need.
Get a quote in minutes from TD Insurance today.
TD, ready for you.
Straighten up and fly right.
Cool down, Papa, don't you blow your top.
Ain't no use in...
And finally, research from the Chartered Institute of Information Security, CIISec,
reveals an alarming trend of cybersecurity professionals
potentially moonlighting as
cybercriminals to supplement their incomes. This insight was obtained by analyzing dark web job
adverts with the assistance of a former police officer. The study highlighted three groups on
underground sites, experienced IT and cybersecurity experts, newcomers seeking work
and training, and professionals from non-IT industries all offering services for illicit
activities. The research warns that stress and inadequate compensation in cybersecurity roles
might drive skilled individuals towards cybercrime, citing Gartner's prediction that 25% of security leaders
will exit the industry by 2025 due to work-related stress.
To combat this, CIISec CEO Amanda Finch urges the industry
to improve salaries and working conditions to retain talent
and prevent a potential increase in the workforce joining cybercriminal activities.
Stay in school, friends. Straighten up and fly right.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
...you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.