CyberWire Daily - Patch Tuesday notes. Cyber mercenaries described. Voice security and fraud. CISA’s update to its Zero Trust Maturity Model. Updates on Russia’s hybrid war against Ukraine.

Episode Date: April 12, 2023

Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the US intelligence leaks. Our guest Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines CISA's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/70

Selected reading.
Patch Tuesday overview. (CyberWire)
DEV-0196: QuaDream's "KingsPawn" malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (Microsoft Threat Intelligence)
Threat Report on the Surveillance-for-Hire Industry (Meta)
Sweet QuaDreams: A First Look at Spyware Vendor QuaDream's Exploits, Victims, and Customers (The Citizen Lab)
Voice Intelligence and Security Report (Pindrop)
CISA Releases updated Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency)
CISA Releases Zero Trust Maturity Model Version 2 (Cybersecurity and Infrastructure Security Agency CISA)
A leak of files could be America's worst intelligence breach in a decade (The Economist)
Interagency Effort Assessing Impact of Leaked Documents, Strategizing Way Forward (U.S. Department of Defense)
What we know about the Pentagon document leak (Axios)
The ongoing scandal over leaked US intel documents, explained (Vox)
Pentagon leak threatens Biden's foreign policy doctrine ahead of overseas trip (Axios)
Schumer calls for all-senator briefing on leaked Ukraine documents (The Hill)
The key countries and revelations from the Pentagon document leak (Washington Post)
Exclusive: Leaked U.S. intel document claims Serbia agreed to arm Ukraine (Reuters)
Up to 50 UK special forces present in Ukraine this year, US leak suggests (the Guardian)
Egypt denies leak about supplying Russia with 40,000 rockets (Al Jazeera)
DDoS attacks block PM Trudeau's web site (IT World Canada)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. We've got a Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its zero-trust maturity model.
Starting point is 00:02:12 Effects of the U.S. intelligence leaks. Our guest, Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines the agency's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. And Russian cyber auxiliaries are believed responsible for disrupting the Canadian Prime Minister's website. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 12th, 2023.
Starting point is 00:03:03 We begin with a quick note about Patch Tuesday, which this month was yesterday. Companies addressed a large number of vulnerabilities, some of which are undergoing active exploitation. Fortinet released 21 vulnerability advisories. Siemens and Schneider Electric patched 38 vulnerabilities. Adobe patched 56 vulnerabilities, Apple and Microsoft rolled out their latest security updates, and CISA has issued another round of advisories. Do take a look at the updates. You'll find a summary on our website. The University of Toronto's Citizen Lab announced the discovery that a hitherto little-remarked Israeli firm, QuaDream, has been selling its surveillance platform to governments in Europe, North America,
Starting point is 00:03:58 the Middle East, and Southeast Asia. And we note that little-remarked doesn't mean unnoticed. Facebook's parent, Meta, this past December took note of the company in its threat report on the surveillance-for-hire industry. Microsoft characterizes QuaDream as a private sector offensive actor, and the company has had partners as well as customers. One of these partners is a contentious one. Its activity, now attributed to the company, had been tracked as DEV-0196. The product it sells is known as REIGN, that's R-E-I-G-N, and Microsoft calls the malware the platform deploys against iOS targets KingsPawn. The company amounts to a cyber mercenary operation in Microsoft's view, and it sells both services and tools to its government customers. Microsoft explains, they sell hacking tools or services through a variety of business models, including access as a service. In access as a service, the actor sells full end-to-end hacking tools
Starting point is 00:04:58 that can be used by the purchaser in cyber operations. The PSOA itself is not involved in any targeting or running of the operations. Citizen Lab, which cooperated with Microsoft in the investigation, says that QuaDream's targets have included journalists, political opposition figures, and at least one NGO worker. The business keeps as low a profile as possible, Citizen Lab says. Many are accustomed to thinking of NSO Group and its Pegasus product when the topic of commercial spyware vendors comes up, but it's bigger than just one company, as this note indicates. The researchers conclude with the observation that the commercial surveillance market is shifting and evolving and is larger than any single company.
Starting point is 00:06:01 Voice technology company Pindrop has released their yearly Voice Intelligence and Security Report, which analyzed 5 billion calls and 3 million fraud catches within financial institutions, insurers, and the like. The report found that states imposing restrictions on biometrics had double the chance of experiencing fraud. Financial institutions were also observed to have a 53% year-over-year increase in fraud in the fourth quarter of 2022, given that there was financial uncertainty. Retail has also been found to have high rates of fraud, with one in every 347 calls identified as fraudulent. Interactive Voice Response, or IVR, has also been observed to be a target, with data from the dark web leveraged and tested in the IVR to identify high-value accounts
Starting point is 00:06:53 and attack them. CISA yesterday updated its Zero Trust Maturity Model, including recommendations from public commentary and increasing the government's zero-trust capabilities. The agency wrote yesterday that the zero-trust approach is designed by the agency as an approach where access to data, networks, and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified. The agency has recognized that the architectures implemented by different organizations have different maturity levels and come from different starting points. This maturity model has added a new stage called Initial,
Starting point is 00:07:35 which can be used to identify maturity for each pillar. This updated model is said to provide a gradient of implementation across the pillars, which allow for the advancement of zero-trust architecture within agencies. The five pillars are identity, devices, network, data, and applications and workloads. Chris Butera, Technical Director for Cybersecurity at CISA, said, As one of many roadmaps, the updated model will lead agencies through a methodical process and transition toward greater zero-trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture. The source and effect of recent U.S. intelligence leaks remains under investigation, but it's increasingly become clear that compromised files, whatever manipulations may have altered them for purposes of disinformation and however opportunistic their collection appears to have been, represent a major problem for the U.S. Ukraine isn't deterred by the leaks, which contain relatively little information about
Starting point is 00:08:45 operational plans, and so Kyiv remains confident of the ultimate success of its spring offensive. The Department of Defense and other U.S. government agencies are also working to contain any damage the leaks may have done to relations with friendly countries. The Washington Post has a summary of the nations mentioned in the documents. Many observers are struck by the degree of access to the Russian government U.S. intelligence services appear to have achieved. U.S. senators have called for a full briefing on the incident, the Hill reports, and they're likely to receive that briefing.
Starting point is 00:09:28 And finally, Canada is receiving the attention of Russian cyber auxiliaries. A DDoS attack interrupted the availability of Canadian Prime Minister Trudeau's official website for a few hours yesterday. According to IT World Canada, the attack appears to have been timed to coincide with the government's meeting today with Ukrainian Prime Minister Denys Shmyhal. Service was restored by 2 p.m. Eastern time yesterday. The Prime Minister addressed the outage at a press conference, saying, as you know, it's not uncommon for Russian hackers to target countries as they're showing steadfast support for Ukraine, as they are welcoming Ukrainian delegations or leadership to visit, so the timing isn't surprising.
Starting point is 00:10:08 But in case anyone was wondering, Russia being able to bring down an official Government of Canada webpage for a few hours is in no way going to dissuade us from our unshakable support of Ukraine. Coming up after the break, Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines his agency's role
Starting point is 00:10:37 in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:20 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:12:11 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Many organizations embraced DevOps,
Starting point is 00:12:54 short for development and operations, as an effective method of increasing the speed and quality of their software development and delivery. That's all well and good, but it's led many security folks to say, not so fast. DevSecOps is where you need to be, including security as a primary element of your development process from the get-go. André Keartland is a solutions architect at Netsurit, and I spoke with him about the benefits of a DevSecOps approach.
Starting point is 00:13:29 So what we're starting to see a lot is that people are starting to adopt DevOps, which is obviously a combination of dev and ops. So they've got integrated processes to not just get their apps written, but to get them deployed into production. What we're still seeing a lot, though, is that people aren't taking security seriously. They're paying lip service to it, trying to do the minimum. Common approach that I see is people leaving security right to the end. So they write their whole app and then they say, okay, what do we need to do to make it secure? And there's also a very common attitude that security is somebody else's job.
Starting point is 00:14:00 So they might depend on some infosec department or an external consultant to come in and wave a magic wand and make their app secure. And you're not getting that the dev teams necessarily do that work from the start. And that's the whole story of measurement drives behavior. So if your dev team is being measured on how fast can they get the code out the door, how good's the functionality they can build into the app, how good's the app's performance or reliability, but they're not being measured on how secure is the app, then they're not really going to pay a lot of attention
Starting point is 00:14:35 to the security aspects. And what are the issues there? I mean, if you do save security for the last thing, what are some of the issues that can come into play there? The problem is that you can get vulnerabilities that get baked into the app during the dev process. So for instance, people might make use of a library that contains vulnerabilities in itself that got inherited from somewhere else. And they don't even know that there's insecure code that they've now put into their application. Or they make the application work,
Starting point is 00:15:06 but they don't pay attention to things like the identity, the authentication, the authorization. And now you've got that they have insecure methods for how people actually log on and use the application. Very common that we see apps that make use of things like service accounts that are absolute poison in an environment because if that service account gets compromised, then that service account could be used to attack your own environment. We even see cases still where inside of the source code or in the configuration files, you've got things like usernames and passwords and certificates and other credentials, and anybody that manages to get access to that source code can go and in clear text read
Starting point is 00:15:46 that information and again use it to attack your environment. So there's a lot of things that you should be looking out for and if you don't then you end up with an insecure application and unfortunately if you only discover that you're insecure when you get ransomware or somebody steals your data, then you could be in deep trouble. Well, if we're looking at DevSecOps, how do we incentivize organizations to give the security equal weight over the dev and the ops? As I said, it comes down to measurement drives behavior to a certain extent. So you're going to need that right at the top of the organization.
Starting point is 00:16:27 So CXO level, CIO, EO, CSO, that they need to decide that security is important. They need to understand what is the impact to their organization if the application isn't adequately secure. What could happen if data gets stolen, if there's a breach. And of course, there's plenty of case studies of how businesses have gone under, been destroyed because they had inadequate security and an application got breached. So your first step is you've got to have awareness and acceptance at executive level, and they need to then become executive sponsors for a program to introduce security. Training and knowledge is part of it, but you have to basically change developer culture
Starting point is 00:17:13 to a certain extent. Your developers are always going to care more about functionality, making the application cool than about making it secure. So you can also supplement them by embedding security into your project, having dedicated security people involved in the whole process from beginning to end, and have people testing your application with a security mindset or a security goal from the beginning. you need to try and get right in the beginning of your process of developing your application. When you're still architecting and you're making your decisions about how your application is ultimately going to be constructed, at that point, you need to already be thinking about ultimately how is this application going to be made secure. And it's at that point that you could and should be doing things like threat modeling, and you should be getting opinions about what are possible things that can go wrong. And the people that you shouldn't just ask your developers, what are the potential security
Starting point is 00:18:14 risks? At this point, you go and consult external professionals. You maybe do some pen testing. If you're upgrading an existing application, get vulnerability assessment done against it. Get external code review. And then use that to go and base your plans for how you improve. How do you convince your developers that this is something worth spending time on? Or even collaborating with the security folks?
Starting point is 00:18:41 How do you get them to adopt that mindset? It's really difficult and it does take time. Education is a big part of it. And unfortunately, the same way that you're training your end users not to click on emails with phishing links in them, you're going to have to take your devs through a process like that. What I've seen helps is that when they actually practically see examples of how code gets breached, hackathons
Starting point is 00:19:06 is one method that we've used where you get a dev team, you get them to write some code, you give them some parameters that are possibly going to lead to something insecure, and then you get somebody to go pen test it and find vulnerabilities and come back and say, okay, look at this, but not from a point of view of you're stupid. We want to make you look bad, but take this as a learning moment. Take this as an opportunity to see how vulnerabilities in your code can lead to insecure applications. And it's at that point where you need to ensure that the people that the developers report to, their bosses, have also bought in
Starting point is 00:19:46 so that when they're evaluating the effectiveness of the development work, that they're already also acknowledging the importance of security and they're measuring the people on security aspects when they're evaluating how good they're doing at their dev job. That's André Keartland from Netsurit. And I am pleased to welcome to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome to the show.
Starting point is 00:20:31 Thanks so much, Dave. It is great to be here. And thanks to you and your team for all you do to keep us informed every day. Well, it is certainly our pleasure. I would love to start out by just for folks who may not be completely familiar with the mission there at CISA, can you give us a little description of what exactly it is that you and your colleagues there are charged with? Of course. We at CISA have a really remarkable mission, which is we are a voluntary trust-based agency with the mission to advance our nation's cybersecurity. And we do that in a few ways. As we look across our federal civilian government, we exercise some pretty remarkable authorities and resources to
Starting point is 00:21:12 gain persistent visibility into threats targeting our government and drive really timely action to reduce risk. But we also know that adversaries are targeting businesses, critical infrastructure, state and local partners every day. And so we work in concert with the cybersecurity community, with industry, with researchers, with the operators of critical infrastructure to make sure that we're advancing adoption of the right practices that secure both the enterprises that are being attacked and the products that we're all using every day. Why was CISA spun up in the first place? What prompted the creation of the agency? You know, it's a really great question, Dave. If we think a little bit about CISA's history, we are, of course, an operational component of the Department of Homeland Security, or DHS.
Starting point is 00:21:58 And when DHS was first created, from the very early days, there was a focus on critical infrastructure, on the services, the functions, the assets that are critical to every American's way of life. And over time, we realized in the department that the initial focus of securing critical infrastructure was on terrorism, on physical threats. And while that remains important, we have seen over time adversaries, whether nation states or criminal groups, begin to also focus on cyber means as a way to undermine, degrade, render inoperable a critical infrastructure or steal information for
Starting point is 00:22:36 financial or geopolitical gains. And so over time, we saw DHS invest more and more in the cybersecurity arm of the department until four years ago, we saw Congress really say, you know, this requires a fully formed, mature operational component like other components in DHS, like FEMA or TSA to really stand up and engage in this mission in a strategic and ongoing way, recognizing that not only do cyber threats remain resonant, but they are only getting more significant as increasingly every aspect of our lives depends on the internet and our technologies and our adversaries recognizing that dependency,
Starting point is 00:23:20 take advantage of it at every turn. And what are the tools that you and your colleagues there have at your disposal to make this mission a reality? You know, the number one tool that we have is partnerships. I'll get into that a bit more in a moment, but it does bear noting that we had different tools with different stakeholders with whom we work. And so looking at the federal civilian agencies, we actually have the ability to deploy our own technology, our real time, understand the prevalence of different asset types, vulnerabilities, misconfigurations, and adversary activities, and that we can actually direct federal agencies to take actions to reduce risk that we identify. Now, those, we'll call them
Starting point is 00:24:17 compulsory authorities, are really only resident with our work with federal civilian agencies. And so across the broader nation, you know, we really work in a trust-based partnership with the cybersecurity community, with product providers, and with owners and operators of critical infrastructure. We have a large regional field force every day is knocking on doors, advancing guidance, advancing best practices. We have grant programs for state and local entities to improve their cybersecurity. And really, our goal is to be a trusted voice for the cybersecurity community so that we're advancing adoption of the right practices at the right time to reduce the most risk per dollar. And again, doing that in a way that is based on an understanding of what the
Starting point is 00:25:00 adversaries are doing, how they are exploiting technology across Americans' network, and in a way that every enterprise can rely on to make the best use of their secure security dollars. You know, as the agency has taken its place in the cybersecurity community, it struck me that a big part of what you all are doing, the way that you have wielded your influence, has been very much using a carrot approach rather than a stick. Do you think that's an accurate description? It absolutely is. And it really is foundational to our model here at CISA. You know, what we've found is it's almost never the case that an organization doesn't implement the right security control, doesn't invest in security, or has a breach
Starting point is 00:25:46 because they didn't want to do the right thing. It's often the case because they lacked resources, they made a business decision that led to a negative security outcome, or maybe even they lacked the right information. And so our goal at CISA is to really be the ally of the security community to inject our voice, our expertise, our perspective into those business conversations that enable the right investment for pro-security outcomes and help the voice of those CISOs, those practitioners be amplified
Starting point is 00:26:16 so that in every organization, they're making those decisions that lead to improved security and also to help us ask the right questions, to help us focus less on perhaps the initial access vector and talk a bit more about, well, was the most change. But we believe we can do a lot of that work in a voluntary, trust-based manner, even as, of course, other partners across government may leverage their unique authorities to drive change through regulation or other means. What's your message to our listeners who may be considering some kind of collaboration with CISA?
Starting point is 00:27:03 The most important message is that there is no organization that can secure their own enterprise alone, whether it is the Fortune 100, the largest federal agencies, our military or civilian governments. And we all have unique capabilities to bring to bear, unique authorities, unique visibility. And one role that CISA has, in part through a piece of our organization that we call the Joint Cyber Defense Collaborative, is to bring together partners to say,
Starting point is 00:27:33 what piece of the puzzle do we each have about what adversaries are doing, what controls actually work to defeat them, and let's drive the right investment in the right way so that we can look back five, 10 years from now and see a security environment where we have less intrusions. The intrusions that do exist are less impactful, and we have a lot more trust in the technology that we are using for all of our functions of everyday life.
Starting point is 00:27:58 Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA. Mr. Goldstein, thank you so much for joining us. Thank you, Dave. It was my pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:28:37 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:29:21 where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:30:34 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
