CyberWire Daily - Software supply chain threats. Recent Iranian cyber operations. Banking disclosure rules. ICS updates. UK, US announce closer cooperation in cyberops. A real, literal, evil maid?

Episode Date: November 19, 2021

Software supply chain incidents: FatPipe, PyPI, and IT services generally. A look at recent Iranian operations. The US Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. CISA issues a set of ICS advisories. Two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers abusing PAM (Pluggable Authentication Modules). Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/223

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 We've got updates on software supply chain incidents, a look at recent Iranian operations, the U.S. Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents, two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace,
Starting point is 00:02:17 Johannes Ullrich on attackers abusing pluggable authentication modules, our guest is Hatem Naguib, CEO at Barracuda Networks, and a real evil maid seems to have been out and about in Tel Aviv. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 19th, 2021. Software supply chains are on people's minds this week, and as the week comes to a close, we hear about some particular threats that organizations would do well to be aware of. First, the FBI warns that
Starting point is 00:03:12 an APT group, with no further attribution, has been exploiting a zero-day in FatPipe software since May, at least. Users are encouraged to apply the patches FatPipe issued this week. If the unnamed APT can gain access to FatPipe's router clustering and load balancing products, they can pivot from there to other targets where the primary interest lies. Second, JFrog's security team found another software supply chain threat, 11 Python libraries behaving badly, stealing Discord tokens, installing remote access shells, and so on. PyPI, the Python Package Index, has booted the libraries from their portal. JFrog doesn't think that all 11 libraries are the work of a single hand,
Starting point is 00:04:00 as there are idiosyncratic differences in the coding that suggest various people at work. Two of the troubling packages abused a relatively new technique, dependency confusion, in which attackers register packages with names likely to be used within closed networks. In that case, the attacker's package might be pulled if the organization's package came to be deleted while the dependency tree had yet to be updated. And third, in what amounts to a threat so much more extensive as to practically amount to a trend, the Microsoft Threat Intelligence Center, MSTIC, and the Microsoft Digital Security Unit, DSU, published a report yesterday in which they warn of a significant increase in Iran's targeting of the IT sector.
Starting point is 00:04:46 Quote, Iranian threat actors are increasing attacks against IT services companies as a way to access their customers' networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center and Digital Security Unit assess this is part of a broader espionage objective to compromise organizations of interest to the Iranian regime, end quote. One of the more interesting features
Starting point is 00:05:32 of this push is that it's adding targets to Iran's program that hitherto haven't figured significantly in Tehran's intelligence strategy. While some of the countries being targeted are in fact important and traditional rivals of Iran, notably Israel and the United Arab Emirates, others aren't. India, for example, hadn't been of significant interest to Iran's intelligence services until this past summer, but it clearly is now. That's not because of any burgeoning tension or regional rivalry, but simply because India has become an important global IT hub. If you can compromise IT services in India, you have a good chance of being able to pivot to targets of real immediate interest that may have Indian IT services in their own supply chains. Much of the activity aims at credential theft in the interest of further
Starting point is 00:06:25 downstream compromise, which is where the real interest lies. Microsoft, we note in passing disclosure, is a CyberWire sponsor. The report on Iranian operations against software supply chains comes at a moment of heightened awareness of Tehran's cyber capabilities. The U.S. Justice Department yesterday unsealed an indictment of two Iranian nationals, Moussa Kazemi and Sajjad Kashian, on charges connected with disinformation operations the two men, both of whom work for an Iranian contractor, ran during the last U.S. election cycle. The Justice Department announcement said in part, quote,
Starting point is 00:07:06 As alleged, Kazemi and Kashian were part of a coordinated conspiracy in which Iranian hackers sought to undermine faith and confidence in the U.S. presidential elections. Working with others, Kazemi and Kashian accessed voter information from at least one state's voter database, threatened U.S. voters via email, and even disseminated a fictitious video that purported to depict actors fabricating overseas
Starting point is 00:07:32 ballots. End quote. Both men are of course not in custody, but as Justice observes, they'll spend their days looking over their shoulders and carefully planning international travel to avoid countries that have extradition agreements with the U.S. In any case, Iran is becoming an adversary the U.S. and others are taking more seriously in cyberspace. Mandiant CEO Kevin Mandia gave CNBC a particularly gloomy assessment yesterday afternoon. He said, quote, Yesterday afternoon, the U.S. Federal Reserve issued its long-anticipated final rule on computer incident disclosures. Effective May 1, 2022, banks will have 36 hours to notify regulators that they've sustained an incident that has materially affected, or is reasonably likely to materially affect, the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector. Banks are also required
Starting point is 00:08:52 to notify customers as soon as possible of any incident likely to affect services for four or more hours. GCHQ and U.S. Cyber Command have reaffirmed the long-standing Anglo-American commitment to cooperative cyber operations. Meetings at Fort Meade, Maryland, headquarters of both NSA and U.S. Cyber Command, included on the British side Director GCHQ Sir Jeremy Fleming and General Sir Patrick Sanders, Commander of UK Strategic Command, and on the U.S. side, General Paul Nakasone, Director of the U.S. National Security Agency and Commander of U.S. Cyber Command. The leaders issued a joint statement with a short set of talking points, quote, as like-minded allies for two centuries, the United Kingdom and the United States
Starting point is 00:09:43 share a close and enduring relationship. Our two nations today face strategic threats in an interconnected digital world that seek to undermine our shared principles, norms, and values. We agree that strategic engagement in cyberspace is crucial to defending our way of life by addressing these evolving threats with a full range of capabilities. To carry this out, we will continue to adapt, innovate, partner, and succeed against evolving threats in cyberspace. We will achieve this by planning enduring combined cyberspace operations that enable
Starting point is 00:10:18 a collective defense and deterrence and impose consequences on our common adversaries who conduct malicious cyber activity. As democratic cyber nations, the UK and US are committed to doing so in a responsible way, in line with international law and norms, setting the example for responsible state behavior in cyberspace. End quote. The emphasis on deterrence and imposition of consequences on common adversaries is particularly noteworthy. Sometimes insider threats show the convergence of cyber espionage and traditional espionage.
Starting point is 00:10:56 One such case, as close to a literal evil maid attack as one might wish to find, has surfaced in Israel, where Haaretz reports a cleaner working in the residence of Defense Minister Gantz is charged with espionage for having offered to assist the Iranian cyber threat group Black Shadow. According to Security Week, the Israeli security service Shin Bet said that the accused spy failed to obtain any classified information. The accused, Omri Goran Gorachovsky, is said to be an ex-con with an appropriate criminal record, which has raised questions as to how he came to be hired in the first place. The Times of Israel reports that Shin Bet is reviewing the ways in which background checks are conducted.
Starting point is 00:11:42 There are probably lessons to be learned for insider threat mitigation programs generally. Whether there'll be new lessons or familiar ones remains to be seen. If you look at the three traditional motives for betrayal that counterintelligence officers remember by the acronym M.I.C.E. for money, ideology, compromise, and ego, and we know, we know, you skeptics are hollering, hey, why does anybody do anything?
Starting point is 00:12:10 But still, the framework is a useful way of organizing security thinking. Well then, Mr. Gorachovsky is said to have been motivated by money with a capital M. Watch yourself, insiders.
Starting point is 00:14:30 It is that time of year when people tend to start looking back at what this year has brought to try to help plan for the coming year. It's been an active, accelerating year in cybersecurity with ransomware top of mind for many. Hatem Naguib is CEO of Barracuda Networks, and he shares these insights. On the ransomware side, we've definitely seen the evolution of that attack, both in its level of sophistication and I think in the scale with which it's being leveraged. It's interesting, I think from a lot of our customers' perspective, they think, and I think they have a frame of reference about the type of attacks that occur, that it's an individual hacker or somebody going in to try and
Starting point is 00:15:10 create the malfeasance that occurs within their environment. What we've clearly seen is the growth of these almost corporate criminal gangs now that have been leveraging and weaponizing the capabilities to deliver ransomware as a service. And I think they've clearly taken advantage of what I would say is, at some level, digital transformation. At other levels, a significant amount of transformation change that's occurred at the customer base with COVID, people having to work from home, moving to cloud for many capabilities, and already stretched security organizations have to take more on in order to protect the
Starting point is 00:15:52 important assets that they manage for their customers. And so with that, we've seen an increase in the number of attacks. We've seen an increase in the size and amount of ransomware asks that are coming in. And I think what we've also seen is a much broader number of targets being pursued by this that has really, I think, surprised, unfortunately, some of these customers. But by and large it has been kind of the soft underbelly now starting to be taken advantage of by these criminal operations. I'm curious what you're seeing in terms of your customers kind of turning those knobs, deciding where are they going to spend their resources, their time, their attention for protecting themselves against these things?
Starting point is 00:16:42 Are those techniques evolving themselves? Yeah, I think they are. I think it's a really good question, actually. I think customers have evolved from what I would refer to as kind of the classic, we'll put a firewall in an antivirus and a backup as a security strategy, to recognizing that they have to be as sophisticated or one step ahead of the
Starting point is 00:17:06 attackers, which means they have to look at multiple threat vectors and ensure that they've got a comprehensive security strategy. What that's typically meant for them is to look at technologies that allow them to put security closer to what would be referred to as the edge. And I mean edge not just from an infrastructure perspective, but from the device, the person, and the application and where it resides. And to be able to really look at the behavioral aspects of what's happening for each of those elements. So a great example of that is that we've seen a significant amount of our customers leverage our Sentinel product, which allows for BEC anti-phishing and really looking at behavioral anomalies to determine when account takeovers have occurred and how to remediate against that versus just the classic gateway type of solution, which would look at something coming in.
Starting point is 00:18:02 Is it good or bad? And then stop it. Similar types of things within the context of protecting against attacks for applications or attacks against the infrastructure. Really building intelligence to understand what's happening and being able to provide both intelligence back to the customers in terms of how to remediate it, but also delivering that in an automated aspect. I think one more thing I would
Starting point is 00:18:25 just add to that is that data has become significantly more important in terms of what customers are storing and how they're storing it. So whereas before they would have looked at backup as just an element of how do I make sure I'm managing all of the entities in my organization and I've got them in some capability I can restore. Now it's become more important to understand, well, what exactly is sitting where? Is my employee data also being backed up? How am I managing the privacy concerns that I've got of my customers? As you look ahead to the next year or so, is it more of the same? Do you think there's going to be additional adjustments that need to be made?
Starting point is 00:19:04 Any thoughts on that? Well, we're definitely seeing, I think, a broader cross-section of customers engaging more actively in addressing their security concerns. You know, I think, you know, the industrial companies becoming targets, you know, companies that would typically not be considered the most technology sophisticated, so less prone to these types of challenges have now seen themselves become much more prone. We've seen significant investment in education, SLED, government, which I think is a very positive sign. And I think what we're also seeing on two fronts, one is good cooperation in the industry to help the customers deal with this. I think everybody sees security as an everybody problem and not just one individual company is going to be able to address that. So you see the levels of investments we're making, but you also see other companies making substantial investments to ensure that they're providing the best capabilities from a security perspective.
Starting point is 00:20:07 That's Hatem Naguib from Barracuda Networks. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Starting point is 00:21:31 Johannes, always great to have you back. I want to check in with you today about attackers who are abusing PAM, that is, Pluggable Authentication Modules. What can you share with us today? So PAM is a feature that's common to many Unix and Unix-like operating systems. macOS, for example, uses it, and it allows you to configure what kind of authorizations you accept, for example, to log into a system, to become an administrator. So it's very flexible in that form. It allows for things like multi-factor authentication to be implemented very easily or support for specific hardware like YubiKeys.
Starting point is 00:22:11 The problem, of course, with flexibility is with a lot of flexibility comes a lot of responsibility and risk. Attackers sometimes use this flexibility against you in order to gain persistent access to systems. And so what are they doing here? So in this case, they essentially reconfigure this PAM system. They either add additional modules that will give them access. So if they are coming from a particular IP address, if they're coming with a particular client, they're just provided access without asking for credentials. But probably more sinister, there is a special PAM module called PAM Steal. And, well, Steal, it's going to steal stuff.
Starting point is 00:22:56 It's going to steal your credentials. Of course, these modules have access to the username and password that you typed in. And as a result, this module would just take this username and password and save it to a simple text file for the attacker then to retrieve later. And so what are your recommendations here, both for not getting yourself infected in the first place, but then mitigation as well? Yeah, so in general, of course, this is something that an attacker needs to have administrative or root access to a system in the first place in order to manipulate
Starting point is 00:23:30 this. But if that happens, then file monitoring is absolutely important here. So check these files with some kind of file integrity tool to make sure that nobody is modifying these configurations. Luckily, those files are very static, so it's not one of those sets of files that gets updated all the time. It's relatively easy to configure a file integrity tool to monitor these files. All right. Well, Johannes Ullrich, thanks so much for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Nicholas Boucher and Ross Anderson from the University of Cambridge.
Starting point is 00:24:29 We're going to be discussing their research on Trojan Source. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. I will be off next week enjoying the U.S. Thanksgiving holiday with family and friends.
Starting point is 00:25:08 Trey Hester will be filling in on the mic. Thanks for listening.
