CyberWire Daily - Patch Tuesday notes. Mr. Mudge goes to Washington. Joint warning of IRGC cyber activity. No major developments in the cyber phases of Russia’s hybrid war (but Ukraine is sounding confident).
Episode Date: September 14, 2022Patch Tuesday notes. The US Senate Judiciary Committee hears from the Twitter whistleblower. Joint warning of IRGC cyber activity. Rob Boyce from Accenture on cybercriminals weaponizing leaked ransomw...are data. Chris Novak from Verizon describes his participation in the CISA Advisory Board. And Ukraine reiterates confidence in its resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/177 Selected reading. Adobe Patches 63 Security Flaws in Patch Tuesday Bundle (SecurityWeek) Microsoft Releases September 2022 Security Updates (CISA) Microsoft's September Patch Tuesday fixes five critical bugs (Computing) Microsoft Raises Alert for Under-Attack Windows Flaw (SecurityWeek) SAP Security Patch Day September 2022 (Onapsis) Apple Releases Security Updates for Multiple Products (CISA) Apple fixes eighth zero-day used to hack iPhones and Macs this year (BleepingComputer) Apple Will Let You Remove Rapid Security Response Updates in iOS 16 (Mac Rumors) Data Security at Risk: Testimony from a Twitter Whistleblower (United States Senate Committee on the Judiciary) Twitter Employees Have Too Much Access to Data, Whistleblower Says (Wall Street Journal) Twitter whistleblower reveals employees concerned China agent could collect user data (Reuters) Security failures cause ‘real harm to real people’ (Washington Post) Twitter whistleblower testifies to Congress, calls for tech regulation reforms (The Record by Recorded Future) The Search for Dirt on the Twitter Whistle-Blower (The New Yorker) Whistle-Blower Says Twitter ‘Chose to Mislead’ on Security Flaws (New York Times) Twitter whistleblower says site put growth over security (Computing) Written Statement of Peiter (“Mudge”) Zatko United States Senate Judiciary Committee September 13, 2022 (Katz Banks Kumin) What we learned when Twitter whistleblower Mudge testified to Congress (TechCrunch) How China became big business for Twitter (Reuters) Twitter whistleblower exposes limits of FTC’s power (Washington Post) Twitter Whistle-Blower Testimony Spurs Calls for Tech Regulator (Bloomberg) Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (CISA) Ukraine’s Cyberwar Chief Sounds Like He’s Winning (WIRED) DDoS attacks on financial sector surge during war in Ukraine, new FCA data reveals (PR Newswire) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Patch Tuesday notes,
the U.S. Senate Judiciary Committee hears from the Twitter whistleblower, a joint warning of IRGC cyber activity.
Rob Boyce from Accenture on cyber criminals weaponizing leaked ransomware data.
Chris Novak from Verizon describes his participation in the CISA advisory board.
And Ukraine reiterates confidence in its resiliency.
From the CyberWire studios and Data Tribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, September 14th, 2022.
Some quick notes on Patch Tuesday before we move on to the usual fair of threats and vulnerabilities.
This week, Microsoft, Apple, SAP, and Adobe have all rolled out patches and software upgrades.
Consult vendors for details.
And the U.S. Cybersecurity and Infrastructure Security Agency yesterday released five industrial control system advisories.
Again, users should consult your vendors for information on mitigations. Yesterday, the U.S. Senate Judiciary Committee
heard testimony from Peter Mudge Zatko,
now familiarly known as the Whistleblower,
on his allegations of privacy and security problems at Twitter.
The committee chair, Senator Durbin, Democrat of Illinois,
and the committee's ranking member, Senator Grassley, Republican of Iowa,
expressed their concerns about Twitter. and the committee's ranking member, Senator Grassley, Republican of Iowa,
expressed their concerns about Twitter.
Both were concerned about data security and privacy.
Senator Durbin wanted Twitter to do more to censor hate speech and misinformation.
Senator Grassley warned of Twitter's potential exploitation by foreign intelligence services.
Zatko, whom we'll henceforth refer to by his handle Mudge,
described his responsibilities when he was part of Twitter's executive team and explained why he was testifying. From November 2020 until January 2022,
I was a member of Twitter's executive team. In my role, I was responsible for information security,
team. In my role, I was responsible for information security, privacy engineering, physical security,
information technology, and Twitter global support. I'm here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors.
regulators, and even its own board of directors.
What I discovered when I joined Twitter was that this enormously influential company
was over a decade behind industry security standards.
The company's cybersecurity failures make it vulnerable to exploitation,
causing real harm to real people.
He complained that the company's executive team
chose to disregard warnings of security problems, preferring instead to mislead the board,
its employees, its customers, the public, and legislators. Perverse incentives operated to
drive the executives in that direction and enmeshed the company in two basic problems.
in that direction and enmeshed the company in two basic problems.
Mudge said, I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm of the real risks associated with them.
And these were problems brought to me by the engineers and employees of the company themselves.
The executive team chose instead to mislead its board, shareholders, lawmakers, and the
public instead of addressing them.
This leads to two obvious questions.
Why did they do that?
And what were the problems and vulnerabilities identified?
And that's what I'm here to talk about.
So first, why did they do that?
To put it bluntly, Twitter leadership ignored its engineers
because key parts of leadership lacked the competency to understand the scope of the problem.
But more importantly, their executive incentives led them to prioritize profits over security.
Senator Durbin was concerned about the limitations of informed consent and asked whether the wordy end-user license agreements actually amount to
realistic consent. Senator Grassley pursued his inquiry about an espionage threat with questions
about the range and accessibility of the personal information Twitter collects. In his response,
Mudge brought up an interesting point about Twitter's engineering culture and the infrastructure
that supports it. Twitter doesn't maintain a
distinct development or testing environment. So Twitter has engineers and non-engineers.
Twitter does not have, at least when I was there, which was up until January of 2022,
does not have a testing environment or a development or staging environment.
This is an oddity. This is an exception to the norm. Most companies will
have a place where you test your software, where you build it, where you make sure it's working
the way you want it to. Think about somebody building an airplane and saying, like, I'm going
to put it in a wind tunnel. I'm going to build it in an environment. I'm not going to put passengers
on it, put it in the air, and then figure out how to build it or tweak the engines at that point. Twitter just has the production environment, the running systems,
the live data. When you become an engineer, which is half of the company are engineers,
you are by default given some access to this live production environment. You are doing your
testing. You are doing your work on live systems and live data, irrespective of where you
are in the world as an engineer. It became clear in the questions and answers that the senators
and the whistleblower all regarded Twitter as having been compromised by foreign intelligence
services. China, India, and Saudi Arabia are all thought to have succeeded in placing agents on
Twitter's payroll.
Mudge said, in effect, that the company had no way of finding such insider threats,
constraining their activity, or remediating the damage they might have done.
Other than the person who I believed with high confidence to be a foreign agent placed in a position from India,
agent placed in a position from India and from it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed
that they would find the person what I did notice when we did know of a person
inside acting on behalf of a foreign interest as an unregistered agent.
It was extremely difficult to track the people. There was a lack of logging and an ability to
see what they were doing, what information was being accessed, or to contain their activities,
let alone set steps for remediation and possible reconstitution of any damage.
Senator Klobuchar, Democrat of Michigan, wanted to know how willing Twitter was to knuckle under
from requests by foreign governments to censor content.
She made particular mention of Russia, and Mudge saw this particular risk as a function of executive incentives,
inability to manage data, and self-delusion
about the governments in question. I understand to be it out of a frustration of the inability
to perform, and this kind of goes into content moderation, which we talked about before, and
while that wasn't my main ballywick, and I've been informed I shouldn't go into details about
conversations I've had with
Twitter Council, there was a, we don't really have the ability and tools to do things correctly.
This is a lot of work. It's not, you know, driving our main executive incentive goals. Is there a way
that we can simply punt? And since they have elections, doesn't that make them a democracy?
Senator Blumenthal, Democrat of Connecticut,
wanted to know how high up in Twitter management the decisions to mislead government regulators,
Mudge alleges, were taken. To the CEO, I do not know to what level inside the board.
They did not know because of misrepresentation or chose not to push. There was general comment on Twitter's alleged indifference to U.S. regulatory risk,
including those imposed by the consent decree
Twitter entered into with the U.S. Federal Trade Commission.
It was clear from the senators' questions and comments
that they thought the FTC's authorities and resources
were unequal to the task of regulating large social media platforms like Twitter.
Whether this might be addressed by reforms surrounding the FTC
or by the creation of an entirely new agency was unclear.
All of these were discussed.
There may be an international model ready at hand, however.
For all of its apparent indifference to the consequences the FTC might bring,
However, for all of its apparent indifference to the consequences the FTC might bring,
Zatko said that Twitter took French regulators much more seriously than they did American agencies.
Thus, Gallic regulatory teeth may be better adapted to keeping big tech on the straight and narrow than the Yankee choppers so far seem to be.
CISA and its partners have added their warning to those that have drawn attention
to Iranian cyber activity this week. The Islamic Revolutionary Guard Corps has continued to exploit
known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft
Exchange vulnerabilities, the authoring agencies have observed these APT actors
exploiting VMware Horizon Log4J vulnerabilities for initial access.
Exploitation of known vulnerabilities is a long-standing practice.
The concentration on extortion is somewhat more novel for an Iranian threat actor.
CISA says, the actors may encrypt data for ransom and or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations
or double extortion ransom operations,
where a threat actor uses a combination of encryption and data theft
to pressure targeted entities to pay ransom demands.
A full set of indicators of compromise, advice on mitigation,
and a set of preventative best practices accompany the alert.
Cyber operations proper have remained relatively quiet, or at least inconsequential, during Ukraine's current counteroffensive,
although there are reports from the UK and elsewhere of a continued uptick in distributed denial-of-service attacks against financial services.
continued uptick in distributed denial of service attacks against financial services.
And finally, Wired this morning published an interview with Yuri Shihol,
director of Kiev's equivalent of CISA.
He offers a moderately encouraging picture of the war from Ukraine's point of view.
Russia has moved into a phase of cyber war in which it's largely targeting softer civilian targets.
The director stated,
He's also at pains to stress that Russian cyber operations represent a threat to nations other than Ukraine, stating, the whole civilized world needs to recognize that the threat
goes beyond Ukraine. Cyberspace has no boundaries. If there's any attack perpetrated against the
cyberspace of one country, by default it's affecting and attacking other countries as well.
Coming up after the break, Rob Boyce from Accenture on cyber criminals weaponizing leaked ransomware data, and Chris Novak from Verizon describes his participation
in the CISA advisory Board. Stick around.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it
comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Thank you. at blackcloak.io.
Robert Boyce is Global Lead for Cyber Crisis and Incident Response Services at Accenture.
And I recently spoke with him about some research he and his colleagues published tracking how cyber criminals are weaponizing leaked ransomware data for follow-up
attacks. So we've seen, and then this, honestly, this is personally fascinating to me. So I love
talking about this. But we have, you know, we've had this string of ransomware attacks for the last,
you know, couple of years now, and it's been, you know, pretty heavy with the affiliate programs
and all of that. And so what we've now started to research is we took a look
at the top 20 leak sites. And those leak sites are with all the victim data that has been published
through there. And we started to see a really interesting trend that after a company has had
their data disclosed, the attackers are now going through that data
to learn as much as they can about the people, the profile, the inner business workings of an
organization, and then leveraging that for very sophisticated business email compromise attacks.
So again, business email compromise, not new, but they're able to get so much fidelity in the data
that's been disclosed from the victims of ransomware that they can now, with much more certainty, execute a better business email compromise
attack because they have so much data.
Really fascinating.
Is your sense that this is a second round of adversaries here?
That different groups are combing through this?
Or might it be the same group coming back for more? Yeah, it's, I mean, great question. It could be
either. I think we've just been so focused on the threat of ransomware that we basically,
once we get through that and we do the investigation, we, you know, we go through
the forensics, we help maybe recover business operations, that we all congratulate ourselves and job done, let's go back to business.
And then we've really not had the foresight to think about, well, all that data that was just released, what could people do with that?
And we're seeing the attackers actually index the data, doing basically their own big data analytics on what they're being able to get so that they could create this.
So it could be the same adversaries.
what they're being able to get so that they could create this. So it could be, you know,
it could be the same adversaries. It could be, you know, a second set of adversaries that have now just thought, what can we do with this data? So it's hard to say. We haven't seen a real
correlation there yet, but yeah, it's just still interesting to me. Yeah. As a defender,
is it in your best interest to also gather up this data and catalog it yourself to see where your weak spots may be?
Yeah, so I find most organizations do that as part of the IR process because they need to understand the data that could have been stolen or was stolen.
Or when it does get disclosed, I find most organizations do go and retrieve their own data or have someone do that for them, and they have to go through it.
But what I'm not seeing is them take any action based on that.
that for them and they have to go through it. But what I'm not seeing is them take any action based on that. So they may take a look at saying, okay, these user accounts may have been used as
part of the attack or these email addresses may have been disclosed, but they very rarely, well,
they will change the passwords typically, but they very rarely will take any additional actions on
say, putting additional monitoring on those email addresses that were disclosed as an example, or,
you know, or really looking into what business processes may be
impacted by the data that was taken and lost to think through this type of attack scenario.
So they usually have it, but they're not typically thinking about what the implications could be
outside of standard privacy or other regulations that they need to comply to.
Is that the primary take-home then, or are there other action items here as well?
I mean, there's always the standard follow-up actions from a breach that people need to,
like the basic hygiene. But when we're talking about the data aspects, again, outside of the
requirement to disclose or the requirement to notify either customers, employees, et cetera.
Yeah, they're not really thinking about that. And quite honestly, Dave, I'm not even,
I mean, it would take quite a sophisticated partner to be able to think through like,
what are all the possibilities that people could do with this data if they'd have it? So yeah,
I think the take-home would be, obviously, do the basic hygienes, given the data
that was lost and what your obligations are. But now we're starting to see the emphasis really
needs to be put on thinking through the additional business implications of that data, what could be
used with it, what types of processes may have been disclosed as well. So yeah, it's just definitely
going to have to be a lot more thought put into that than there has in the past.
Do organizations need to worry about some of the liability
and regulatory consequences of something like this?
Yeah, for sure.
I mean, they're usually pretty well in tune
with their regulatory obligations related to data,
whether it's privacy or whatever additional regulations may exist, depending on their
industry and what those may be.
And they're usually very well coached by their internal and outside counsel on what those
obligations are and what they have to do.
So I find that that's pretty well known.
It's the other data that people just aren't putting two and two together to really, you know, like, for example, the procurement data or the being even able to get enough procurement data to know when a standard
payment is made to a specific vendor, who initially, who makes that payment typically,
who authorizes it, who executes it, where it goes. And so when you know that pattern,
it's much easier to say then, well, I'm going to impersonate the employee or the partner and start a new transfer because it's within the bounds of the pattern.
So it's really super sophisticated.
Yeah.
Even just knowing the internal rhythms and cadence that a company uses.
Correct.
Yeah.
That's why it becomes fascinating.
Yeah, it really is.
Yeah, absolutely. All right. Well, Rob Boyce, thanks for joining us.
And I'm pleased to be joined once again by Chris Novak.
He is Managing Director for Security Professional Services at Verizon.
Chris, always great to welcome you back.
I want to talk about some stuff that you are active in, in addition to your work there at Verizon.
You are actually an advisory board member with the Cybersecurity and Infrastructure Security Agency.
Can you give us some insights on what it's like to be part of that group?
Sure, yeah. I would say, honestly, it's maybe not to be too cliche, but kind of a dream come true.
I've always looked at opportunities in which we can take what we learn in cyber and share it with
others. You know, even going back to the early days of working at Verizon,
we put together things like the Data Breach Investigations Report. And the real
genesis behind that was, how do we share what we see, what we learn, what we know with the
community at large to try to make everybody safer, right? The concern is there's no restrictions or
rules on how the threat actors operate, collaborate, and share. And we need to do everything we can to, you know, similarly collaborate and share and
understand what it is that we see in the threat landscape that we can all use to better defend
and protect ourselves.
And in that advisory capacity, that's one of the things that I'm deeply passionate about
is how can we take what it is that, you know, we're seeing and bring that to, you know,
for example, some of the
investigations that the Cyber Safety Review Board within CISA are working on, and how do we take
that experience and build on that? How do we actually develop new recommendations or other
ways in which we can help our friends in the government mature what it is that they might be
doing, help our partners in critical infrastructure,
secure that, because by virtue of securing that, we're essentially making the world a safer place
for you and me. And then also, how does that, you know, how does that expand from there out to the
broader, you know, public and private sector interests? You know, when Chris Krebs was part
of spinning up the agency, and then of course, now Jen Easterly at the helm.
These public-private partnerships have really been a focus.
And I think for a lot of folks on the outside, that's a bit of a shift.
What's the cultural reality as part of this of melding the government and the private sector?
Yeah, it's been an absolute pleasure to work with Jen and her entire team there.
And I think the public-private partnership, I think, is extraordinarily valuable.
And actually, interestingly, as I started doing more work with CISA and the CSRB, one of the things I found was lots of other entities are reaching out going, hey, might that be something that these other entities might be interested in starting up?
You know, the Australian government is interested.
The UK government is interested.
Lots of them are going, hmm, maybe a public-private partnership similar to what CISA is doing would be good for them as well, right?
And I think it's important because I think if you look at anything through just one lens, and, you know, I think we all kind of deep down understand this,
all kind of deep down understand this, but if you only look at it through one lens, it's that biased or the bias of that one view that is going to lead the way of how you act and how you operate.
You know, if we only look at things through the lens of the way a government agency sees it,
that may have a bias to how we react, respond, and make recommendations. If we only look at it
through private sector, you know, financial services or manufacturing or health care, those are all going to have biases as well. And not necessarily that the bias is bad, but that the bias doesn't necessarily take consideration of what the full really make sure that we're taking everybody's
interest, all the constituents, all the stakeholders, and ultimately anybody that could be at risk of a
cyber attack, taking those concerns into consideration when we make recommendations for improvements.
And what do you bring back to your colleagues at Verizon? The time that you spend on this board,
what insights are you able to carry back? Well, I think a couple
of things. One is it's always insightful and interesting to work with some of my peers at
other private sector organizations. So there's a handful of us also on the board from Microsoft,
Google, and others. And so seeing and hearing what they're experiencing and bringing that back and
say, hey, these are things that we should look at or consider, or these might be other ways that we can partner better with some
of our peers because we're hearing some of the challenges that they have and there may be
solutions or ways in which we've addressed it. And then similarly on the government side of things,
you know, I think, you know, sometimes people are maybe a little bit intimidated just at the
sheer size of, quote, government. There's so much there, and it works in so many different ways. Knowing what some of those challenges are and saying, hey, you know
what, this may be a way that we can work better as a partner, better as a contributor, and better as
a collaborator. So knowing where, you know, CISA or DHS or anyone else in government may have
challenges that they need help in addressing, you know, we're all on the same defender team,
so to speak. So bringing that back and saying,
how can we help solve for that?
For me, that's been very eye-opening
and same for my team.
Is your sense that this sort of arrangement,
this sort of committee could be a model
for other areas of government
when it comes to cybersecurity,
those sorts of things?
Absolutely, I do.
Yeah, I think honestly, those sorts of things? Absolutely, I do.
Yeah, I think honestly, that public-private partnership, I think, ultimately is critical to success because so many of the entities that I see and talk to, whether they be government
or private sector, they're rarely ever limited in scope to just that.
The government is constantly having to work with the private sector, right?
It doesn't just work with government, right?
At the end of the day, it really serves the people.
And the same thing with the private sector.
They may largely be, say, a B2B entity, but at the end of the day, they're going to be subject to government regulations.
They're going to at some point touch government data or government systems, or they're going to want to pick up a government contract. And so that collaboration I see as being very, very important. And I expect
that it's going to kind of ripple out. I think as people see some of the successes that CISA has had,
I mean, for example, the CSRB investigation of Log4J, I think was extraordinarily successful.
And I think CISA and the CSRB got a lot of kudos for that.
I expect that others are going to look at that and say, how do we take this and how do we
replicate this in other places? All right. Well, Chris Novak, thanks for joining us.
Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast
is proudly produced in Maryland
out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.