CyberWire Daily - “RedEcho’s” activity in India’s power grid is described. US report on Khashoggi murder declassified. SolarWinds compromise inquiry updates. Ill-intentioned SEO. President’s Cup winner announced.

Episode Date: March 1, 2021

Chinese cyber engagement with Indian critical infrastructure is reported: the objective isn’t benign from India’s point of view, but exactly what the objective is, specifically, remains a matter of speculation. The US Government declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation, with an intern making a special appearance. Malign search engine optimizations. Rick Howard shares Hash Table opinions on Google Cloud. Josh Ray from Accenture on cybercrime and the cloud. And congratulations to the winners of CISA’s President’s Cup. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/39 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Reports of Chinese cyber engagement with Indian critical infrastructure. The U.S. government declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation
Starting point is 00:02:12 with an intern making a special appearance. Malign search engine optimizations. Rick Howard shares Hash Table opinions on Google Cloud. Josh Ray from Accenture on cybercrime and the cloud. And congratulations to the winners of CISA's President's Cup. From the CyberWire studios
Starting point is 00:02:38 at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 1st, 2021. Threat intelligence firm Recorded Future's Insikt Group reports that an apparent Chinese cyber sabotage group they're tracking as RedEcho has been active against India's infrastructure. RedEcho is a new name because despite some apparent links to other Chinese APTs, identification remains unclear. The group may have been staging potential attacks with a view to holding India's electrical power grid at risk. Recorded Future puts it this way,
Starting point is 00:03:25 quote, potential pre-positioning of network access to support Chinese strategic objectives, with some attendant speculation about signaling supportive influence operations or as a precursor to kinetic escalation. They go on to say, quote, infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control servers, to target a large swath of India's power sector. Ten distinct Indian power sector organizations, including four of the five regional load dispatch centers responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure. Other targets identified included two Indian seaports.
Starting point is 00:04:32 End quote. Recorded Future does say it expects further such activity as long as Sino-Indian tensions remained high, but it's worth noting that Recorded Future's conclusions are more tentative than those reached by the New York Times and various media outlets in India, and the report should be received in the spirit of relative circumspection in which the researchers seem to have offered it. That cyber-sabotage of a power grid would have great potential for disruption is clear. As Control Global points out, one need look no further than the consequences of the Texas
Starting point is 00:05:06 ice storms last month to see the possibilities. Whatever happened in India, the incident would seem to point out the difficulties in deterrence and signaling in cyberspace. If indeed the staging represents an attempt on Beijing's part to signal to India that its power grid is at risk, for example, that signaling would seem to have come at the cost of blowing the means of access to that grid. The U.S. government late Friday released a long-anticipated intelligence report on the murder of Saudi journalist Jamal Khashoggi, declassified by the Director of National Intelligence. The report's executive summary is direct and succinct. Quote, we assess that Saudi Arabia's crown prince Mohammed bin Salman approved
Starting point is 00:05:53 an operation in Istanbul, Turkey to capture or kill Saudi journalist Jamal Khashoggi. We base this assessment on the crown prince's control of decision-making in the kingdom, the direct involvement of a key advisor and members of Mohammed bin Salman's protective detail in the operation, and the Crown Prince's support for using violent measures to silence dissidents abroad, including Khashoggi. Since 2017, the Crown Prince has had absolute control of the Kingdom's security and intelligence organizations, making it highly unlikely that Saudi officials would have carried out an operation of this nature without the crown prince's authorization, end quote. As one would expect, the report frames its conclusions largely in terms of a priori probability and takes care not to reveal intelligence sources and methods,
Starting point is 00:06:43 but it was widely believed at the time that U.S. intelligence services had collected signals and cyber intelligence that pointed to the direct involvement of Saudi intelligence services in the murder. The Washington Post reports that the Biden administration will not impose direct sanctions on the Saudi crown prince. Secretary of State Antony Blinken said at a news conference that, quote, the relationship with Saudi Arabia is bigger than any one individual, end quote, and that appears to be the way the administration stands with the Crown Prince, at least even as it discusses a recalibration, that's recalibration, not, as the State Department stresses, a rupture of relations with the Kingdom of Saudi Arabia.
Starting point is 00:07:27 According to Politico, the State Department did impose more than 70 visa restrictions on other persons involved in the killing, and the Treasury Department announced sanctions against the former deputy head of Saudi intelligence services and on members of the group deemed responsible for Khashoggi's murder. The White House is facing some pressure from congressional Democrats, in particular, The Washington Post reports, to take more direct action against Crown Prince Mohammed bin Salman. The effects of the SolarWinds supply chain compromise continue to spread through U.S. government agencies.
Starting point is 00:08:03 Wired writes that the metaphorical body count now includes NASA and the FAA. So how did all this happen in the first place? Investigation continues, and current and former SolarWinds executives are blaming an intern for setting up the now-famous bad password, SolarWinds123, which CNN reports was out loose on the internet for several years before it was detected.
Starting point is 00:08:28 Sure, it's a bad password, but that finding a password would have been sufficient to give the sort of access necessary to the whole shebang of a major supply chain compromise seems surprising. Still, bad password, and apparently some weak supervision of that intern. Sophos describes the Gootloader infection framework, which is not only expanding its payloads, but using a novel approach to search engine optimization to bring its criminal bait to the attention of potential victims. The payloads currently being served up by Gootloader include the Gootkit banking trojan, Kronos, Cobalt Strike, and REvil ransomware. And finally, late Friday, the U.S. Cybersecurity and Infrastructure Security Agency announced the winner of its President's Cup Cybersecurity Competition. Congratulations to the cyberspace capability engineers
Starting point is 00:09:26 from the 780th Military Intelligence Brigade who took this year's honors. And joining me once again is Rick Howard. He is the CyberWire's chief security officer, also our chief analyst, but more important than any of that, he is the host of the CSO Perspectives podcast, which is part of CyberWire Pro. Rick, this week you are concluding a two-part miniseries on securing the Google Cloud platform. And I know you've been talking to our Hash Table
Starting point is 00:10:05 members about GCP. Where do we stand when it comes to folks preferring Google Cloud over the other two big providers like Amazon and Microsoft? Well, you know, Dave, you would think that question would be simple to answer, wouldn't you? As with all things security, and I guess most things in general, it isn't. And by the way, when I was in the Army back when muzzle-loading muskets were what the cool kids had, in one unit we gave memento plaques to all the departing soldiers, and we gave one to everybody. And we put these engraved words in Latin. Here it is. You ready? Nihil facile est.
Starting point is 00:10:46 And roughly translated, nothing is easy. All right. And that's sort of it. Wow. So upbeat. Yeah. You know, it wasn't a great unit. What can I say?
Starting point is 00:10:57 Okay. So that's the case when we're trying to decide where do we want to deploy our workloads into the cloud. And to a person, all of the CyberWire's Hash Table members were intrigued by the way Google had implemented Zero Trust with their BeyondCorp architecture.
Starting point is 00:11:14 But the only member that is actually trying it is my old friend, Bob Turner, the CISO for the University of Wisconsin at Madison. So are they all in there? Are they putting the crown jewel workloads into GCP or are they just doing a little dabbling? I would split the difference there. Bob doesn't
Starting point is 00:11:32 have his crown jewels in there because like most of the other Hash Table members, he's using AWS for workloads and Office 365 for email and other things. But he got the opportunity to play with GCP when his university joined a group research project with other universities, and that project is using GCP. So in this episode, we talked with Bob about what he likes and dislikes about the Google Cloud environment and the journey his university went on to get there. But if you're looking for the more compelling reason to listen to this episode, you're going to want to listen to Bob's Midwestern sense of humor, because he defined some new words for me that I'd never heard of. I'm going to give you three. Go on. Conditions of weirdness, or COW for short. Let that sink in. I love it. Yes. He's from Wisconsin, the dairy capital of
Starting point is 00:12:24 the world. So that's where that comes from. Cyber shenanigans, which I really like, but my new favorite security phrase of all time is cyber cow tipping. Yes, that's a thing. And to find out what it means, you too will have to check out the latest episode of CSO Perspectives. It's part of CyberWire Pro. You can find it on our website, thecyberwire.com. Rick Howard, thanks for joining us. Thank you, sir.
Starting point is 00:13:08 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:13:34 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And I'm pleased to be joined once again by Josh Ray. He is a managing director and also the global cyber defense lead at Accenture. Josh, it's great to have you back. I wanted to touch base with you today about the report that
Starting point is 00:14:30 you all recently put out. This is the Accenture Threat Intelligence Report, specifically some of the areas in that report that are focused on cybercrime and the cloud. What can you share with us today? Yeah, thanks, Dave. Accenture's Cyber Threat Intelligence team actually just completed a two-year series of research where they were really looking at deep and dark web activity of actors targeting organizations in the cloud. It might be a big surprise to your viewers, but one of the most common ways that actors
Starting point is 00:15:01 are actually getting access to cloud environments is through system misconfiguration and publicly known unpatched vulnerabilities. So hygiene comes back again as much as it does on traditional IT infrastructure as it does your cloud estate. I think the thing that always gathers attention in the press are when folks leave, for example, their AWS buckets
Starting point is 00:15:24 just hanging out there, open to everyone to view. Is that sort of an edge case that attracts the most attention? But I guess I'm trying to figure out how prevalent is that? Is that the rare thing that attracts a lot of attention, or is that an ongoing concern for people? I would say it's an ongoing concern, right? I mean, you know, we've seen actually massive amount of API key and credential theft, exploited accounts that have been taken over that are being sold for access, but also insider
Starting point is 00:15:57 threats. So, you know, actors that are actively peddling, you know, access to, you know, their corporate infrastructure, unfortunately, as well. What are some of the specific things that folks need to worry about as they continue this sort of ongoing transition to the cloud? Yeah, it's a great question. I mean, so, you know, obviously the data that's there is an attractive target, especially for ransomware gangs who are looking to extort their victims.
Starting point is 00:16:30 But we help clients securely migrate to the cloud all the time. But what they have to understand is that the journey really doesn't end there. And once you get there, you still have to defend it. You have to treat it as just the other part of your business that you need to look after. And this means doing things like patching and ensuring that the native security controls are configured and applied correctly. But one of the things that we really try to stress is that you can't stop there. You have to conduct that intel-driven red team exercises and hunts, and you have to have folks that conduct those really proper IR investigations in the cloud. And Dave, I've seen really just a lot of examples where a client's cloud estate, unfortunately,
Starting point is 00:17:09 is a visibility blind spot for them. So one of the things that we're really focused on is making sure that they have that proper logging enabled. But this is also important to include their application security logs, right? And when they're doing that monitoring, they're actually applying the right level of threat and intelligence use cases so they can really focus on what's important to the business. How do you help people manage their threat
Starting point is 00:17:36 intelligence feeds, you know, to keep it from being just that kind of overwhelming firehose of information? How can they dial it in? That's a really great question. I mean, properly operationalizing your threat intelligence is one of the things that I think a lot of organizations struggle with. And the first thing that they do is they talk about it as a threat intelligence feed, when it should be looked at as really an extension of the capability. But it also should be something that you have
Starting point is 00:18:02 a high degree of confidence and trust in. So you really want to think about understanding strategically what your threat exposure is, what types of threats are going to try to target you, what are the TTPs that are being employed by those threats, and then how does that trickle down operationally to the right types of security controls and then the right types of tactical IOCs or other type of vulnerability intelligence that you need to help your operators
Starting point is 00:18:30 apply that intelligence most effectively. So we really have to be able to look at it at different governance levels and take a very focused requirement-driven look at what your organization needs to protect itself best against the threats that are going to impact it the most. How about the cloud providers themselves? I mean, are they evolving the way that their own tools work, the way their interfaces work
Starting point is 00:18:57 to try to help people along with this to make it easier as they learn where the common sort of blind spots are? Yeah, I think they are. I mean, especially with a lot of the cloud providers that we work with pretty frequently. I mean, look, I think every platform or even product owner is continuing to take active steps and active measures to incorporate the latest and greatest. But you really have to think about, in order to maximize that investment, you really do need to have folks that understand how to apply that product or platform
Starting point is 00:19:34 and those controls in the most operational manner. And they're able to continually tweak those controls based on the latest threat intelligence. So it's not just a one-and-done type of evolution. It's a continuous type of process that folks have to understand they have to undertake. All right. Well, Josh Ray, thanks for joining us. Thank you, Dave. And that's the Cyber Wire.
Starting point is 00:20:12 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. A taste of life. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, ha! I join Jason and Brian on their show for a lively discussion
Starting point is 00:20:40 of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. Thank you. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:22:16 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
