CyberWire Daily - Software supply chains, C2C markets, criminals, and cyber auxiliaries in a hybrid war. CISA releases its Stakeholder Specific Vulnerability Categorization (SSVC).

Episode Date: November 14, 2022

Software supply chain risk. Cyber risk across sectors. CISA releases Stakeholder Specific Vulnerability Categorization (SSVC). Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary. Malek Ben Salem from Accenture shares thoughts on future-proofing cloud security. Rick Howard previews the latest CSO Perspectives show. And the Australian Federal Police say they know who hacked Medibank (and the AFP says they have a good track record getting international criminals).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/218

Selected reading.
Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps (Reuters)
Industries boost cyber defenses against growing number of attacks (Moody's)
CISA Releases SSVC Methodology to Prioritize Vulnerabilities (CISA)
Transforming the Vulnerability Management Landscape (CISA)
Russian Sandworm hackers deployed malware in Ukraine and Poland (Washington Post)
New "Prestige" ransomware impacts organizations in Ukraine and Poland (Microsoft)
Microsoft links Russia's military to cyberattacks in Poland and Ukraine (Ars Technica)
Microsoft attributes 'Prestige' ransomware attacks on Ukraine and Poland to Russian group (The Record by Recorded Future)
Wipe it or exfiltrate? How Russia exploits edge infrastructure to disrupt and spy during wartime (SC Media)
Russia's New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless (WIRED)
Russian military hackers linked to ransomware attacks in Ukraine (BleepingComputer)
Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware (CERT-UA#5185) (CERT-UA)
Ukraine says Russian hacktivists use new Somnia ransomware (BleepingComputer)
Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands (Help Net Security)
Development of the Ukrainian Cyber Counter-Offensive (Trustwave)
Australian Federal Police say cybercriminals in Russia behind Medibank hack (The Record by Recorded Future)
Australia tells Medibank hackers: 'We know who you are' (TechCrunch)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A look at software supply chain risks and cyber risk across sectors. CISA releases stakeholder-specific vulnerability categorization. Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary.
Starting point is 00:02:16 Malek Ben Salem from Accenture has thoughts on future-proofing cloud security. Rick Howard previews the latest CSO Perspectives. And the Australian Federal Police say they know who hacked Medibank. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 14th, 2022. Reuters reports that thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh. A number of users, among them the U.S. Centers for Disease Control and Prevention,
Starting point is 00:03:16 thought that Pushwoosh was based in Washington, when in fact its operations are centered in Russia. CDC has now removed the software from seven of its apps. The software also appeared in at least one mobile app used in the U.S. Army. The Army removed it this past spring. Reuters says there's no evidence that Pushwoosh collected or reported sensitive data to the Russian government, but as a Russian company, it's obligated by law to cooperate with the authorities on demand. Pushwoosh's founder denies the company misrepresented itself as being
Starting point is 00:03:52 anything other than a Russian business. So it's an a priori risk, but the story is interesting insofar as it suggests the complexity of software supply chains and the difficulty in ensuring their security. Moody's this morning published a look at cyber risk across various sectors. While most sectors are seeing trends toward decentralization, more remote access, and of course further digitization of their operations, not all are equally exposed. The report states, critical infrastructure sectors like electric, water, and other utilities have the highest risk exposure and a growing reliance on digitization, but make up only a small share, about 3.5% of overall rated debt. That risk doesn't mean these sectors are relatively poorly protected, but rather that the consequences of a successful attack could be severe and widespread. The report concludes,
Starting point is 00:04:51 As of now, the sectors facing the lowest threat exposure happen to be the least digitized. Coal mining, construction, oil field services, and paper and forest products. And as organizations in recent years have accelerated their move to digitized processes, information systems, and networks, that transformation potentially leaves a door open for opportunistic hackers. Last Thursday, before the U.S. Veterans Day holiday, the U.S. Cybersecurity and Infrastructure Security Agency released a Guide to the Stakeholder-Specific Vulnerability Categorization, the SSVC, which it describes as a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status,
Starting point is 00:05:41 impacts to safety, and prevalence of the affected product in a singular system. The SSVC is expected to provide important context organizations can use for vulnerability management. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlined the agency's goals in establishing the SSVC. It fits into CISA's three-part approach to improving vulnerability management. Goldstein explained, first, we must introduce greater automation into vulnerability management, including by expanding use of the common security advisory framework. Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of vulnerability exploitability exchange.
Starting point is 00:06:30 Third, we must help organizations more effectively prioritize vulnerability management resources through the use of stakeholder-specific vulnerability categorization, including prioritizing vulnerabilities on CISA's Known Exploited Vulnerabilities Catalog. CISA will assess vulnerabilities and assign them one of four actions. For the least severe, the agency will track them and would recommend remediating them within standard timelines. Up one level in severity is what CISA calls Track, and Track has an asterisk after it. In these cases, CISA monitors the vulnerability more closely for possible changes, but still recommends remediation within standard timelines. The second most worrisome class of vulnerabilities is assigned to the Attend category.
Starting point is 00:07:26 These require attention from an organization's leaders who should request assistance or further information, and the vulnerabilities should be remediated sooner than standard update timelines. And finally, the most severe vulnerabilities are assigned to the Act category. These vulnerabilities require even more extensive coordination and leadership involvement, and they should be remediated as soon as possible. CISA has invited public input. If you have comments, observations, or recommendations concerning SSVC, they'd like to hear from you via email. A familiar GRU cyber unit returns to make its presence felt in the war. Researchers at Microsoft report that Sandworm, the GRU threat actor the company tracks as Iridium,
Starting point is 00:08:11 has deployed a new strain of ransomware, Prestige, against targets in Poland and Ukraine. Prestige announced itself on October 11th in a series of coordinated attacks against targets in the transportation and related logistics sectors. Microsoft writes, the Prestige campaign may highlight a measured shift in Iridium's destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war. The attacks show a renewed willingness on the part of a
Starting point is 00:08:58 Russian intelligence service to attempt disruption in addition to collection. Ransomware as a tactic is well adapted to do both. The Washington Post quotes Mandiant researchers who see this approach as an attempt by the GRU to have its cake and eat it too. Mandiant senior analyst John Wolfram told the Post, what that shows us is that the GRU was able to maintain access to a network of their specific choosing, launch an attack and have an effect on that network, maintain that access despite the wiper operation, and launch another wiper operation at a moment of their choosing. Russia had used wipers with some success early in the war, but those attacks soon ebbed.
Starting point is 00:09:44 They seem not to be returning. It's not just the Russian intelligence services who are getting back into the wiper business. Auxiliaries also appear to be mounting wiper campaigns against Ukrainian targets. CERT-UA reports new activity on the part of the group it tracks as UAC-0118, a Russian cyber auxiliary that styles itself either From Russia with Love or the Z-Team. The initial attack spoofed the website of Famatech's legitimate Advanced IP Scanner, and the malicious site offered a free download button. Pressing that button, Help Net Security says, directs the victim to a Dropbox account that hosts a version of the Vidar information stealer, misrepresented as Advanced IP Scanner. The final stage of the attack deploys a recently developed version of Somnia ransomware.
Starting point is 00:10:39 Bleeping Computer reports that the Z-Team hasn't demanded ransom from its victims and indeed boasts that they've removed the possibility of decryption. So, this series of Somnia infestations should be regarded as a wiper attack. CERT-UA observes that Z-Team used other resources obtained in the criminal-to-criminal market, notably the services of at least one unnamed initial access broker, and so the connection between cyber warfare and the criminal underground continues. Trustwave's SpiderLabs has published an account of how Ukraine's IT Army developed from an ad hoc group of hackers into an auxiliary cyber force aligned with the country's military objectives.
Starting point is 00:11:27 Their preferred tactic has been DDoS, an attack technique that lends itself to automation and employment by a range of collaborating attackers. Trustwave writes, According to the information provided on the IT Army of Ukraine's official website, the group has now become a well-organized operation with a coordinated team. So, auxiliaries seem to have found a role on both sides in the present hybrid war. And finally, the hoods who hit Medibank with a ransomware attack are preparing to up the ante by releasing more stolen information. But the police may be getting closer to them.
Starting point is 00:12:04 According to TechCrunch, the Australian Federal Police say they know the individuals responsible for the ransomware attack and consequent data breach at Medibank. The AFP hasn't publicly named them, but it has said they're criminals located in and operating from Russia. Other reports have associated the threat actors with the allegedly defunct REvil criminal organization. AFP Commissioner Reece Kershaw had a message for the criminals, stating, We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system. For its part, the Russian embassy in Canberra expressed disappointment that the Australians haven't asked for the help of the Russian authorities. The embassy said Friday, for some reason this announcement was made before the AFP even contacted the Russian side through
Starting point is 00:13:01 the existing professional channels of communications, we encourage the AFP to duly get in touch with the respective Russian law enforcement agencies. Coming up after the break, Malek Ben-Salem from Accenture has thoughts on future-proofing cloud security. And Rick Howard previews the latest CSO Perspectives show. Stick around. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:57 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:14:53 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members
Starting point is 00:15:17 discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to welcome you back. Hey, Dave. So, on this week's CSO Perspectives show over on the subscription side of the CyberWire,
Starting point is 00:15:50 you have got what I can only describe as a pretty big get in terms of an interview. Who's coming on the show? Andre Durand is the CEO of Ping Identity, and his company is routinely grouped together as one of the leaders in the identity and access management space, along with other companies like Okta, Microsoft, Oracle, and IBM. But what's interesting is that he's been running Ping Identity for over 20 years,
Starting point is 00:16:18 which, as you know, is not normal in a Silicon Valley company. No, I think just recently I was reading that I think average tenure for folks like this is around five years. It's exactly right. So after 20 years, Mr. Durand is somewhat of a unicorn, you know. So just for that, it's interesting to talk to him. And as you can imagine, he has some thoughts about the direction
Starting point is 00:16:41 that identity and access management is going in the next five years or so. Correct me if I'm wrong here, but my sense is that I don't feel like there's been a whole lot of groundbreaking innovation in this space for the past decade or so. I mean, I guess we've got things like Face ID and Touch ID, but we're, you know, we're still rolling along with usernames and passwords. Yeah, it's exactly right. And we talked about that in the interview. And the way he describes it is that the identity and access management space has been slowly and steadily building the infrastructure for major change, you know, kind of gaining gravity, you might say. And he says that at a certain point, likely within the next five years or so, it will reach a tipping point that will fundamentally shift how we do all this stuff.
Starting point is 00:17:26 So it's pretty exciting. All right, I'll look forward to that. So that is over on the pro side. What episode are you publishing over on the public side? Yeah, for just over a year now, we've been publishing old episodes of CSO Perspectives in a public feed with ads. It's called CSO Perspectives Public.
Starting point is 00:17:45 So if our listeners hate ads as much as I do, they should go subscribe right now to CyberWire Pro and to get rid of, to get all of our content, not just my shows, all of the shows ad-free, right? So we published this episode in February of this year on software supply chains. Okay, so back then we were all a bit on our heels from the Log4J situation, still in the midst of all that.
Starting point is 00:18:11 So software supply chains, yep, that adds up. We do a little history here of software supply chain problems. Log4j was not the first time the problem surfaced, as you remember. And we pinpointed the exact moment when the software supply chain became a thing that we all need to consider in our InfoSec programs. And then we discussed strategies like zero trust and tactics like SBOM, software bill of materials, that will reduce the probability of material impact
Starting point is 00:18:40 due to some Log4j-type issues in the future. Well, before I let you go, what is the phrase of the week over on the Word Notes podcast? This week, we're talking about pretexting. It's kind of, it's a great word, right? It's the bad guy art of concocting a believable story that will convince the victim, you Dave, to give up something valuable. Yes, I'm an easy mark. People see me coming and they say, that guy, that's the guy. He's our guy.
Starting point is 00:19:09 They don't have to concoct too much to get you, I guess is what we're saying. No, no. They just say, I don't know, free Star Wars stuff. And I'm like, that's it. It's all it takes. All right. Well, Rick Howard, thanks so much for joining us. Thank you, sir. And I'm pleased to be joined once again by Malek Ben Salem.
Starting point is 00:19:39 She is the Security Innovation Principal Director at Accenture. Malek, always great to welcome you back to the show. I want to touch base with you today on cloud security and some things that you're looking at when it comes to future-proofing it. What can you share with us today? Yeah, thanks, Dave. So the race to cloud is well underway, and it has been accelerated by the pandemic. Many organizations who were reluctant about moving to the cloud have made their decision under the pressure of
Starting point is 00:20:13 people working remotely and under the needs of having flexible, scalable networks. So it was an easy decision at that point. Other companies were driven by opportunities to drive innovation. Others were looking for fulfilling the bigger picture of their digital transformation. But along those lines, as Accenture, as we see our clients making their decisions to move to the cloud, we see basically two routes that clients can take. The first is basically the direct route where, you know, if you will, you drive and learn. And typically in this cloud journey, clients move to a primary cloud provider, and then their security focus is different than the second cloud journey, which is more of a, we call it the scenic route, which is more intense and intentional, where the client may decide to go to a hybrid model or to a multi-cloud environment.
Starting point is 00:21:28 And this journey is more complex, but it can be longer-term and it can provide longer-term resilience. In these journeys, if we think of cloud as, or if you think of the cloud continuum from cloud all the way to edge and everything in between, if we think of that as the map, then what we want is to have security as the compass and have security guide us through this map, through our journey to the cloud. Now, that's not always easy. There are hurdles,
Starting point is 00:22:13 especially with respect to the existing security teams that our clients have. One thing we see is that security teams are hampered by the existing culture. For instance, as network security adopts a zero-trust approach, that's a pivot from direct control to a shared responsibility model. And that's not what security teams are used to, right? Security personnel are typically used to control, controlling the perimeter to limit access or who has access to technology. They're not used to this adaptive, zero-trust-based approach. So that would require a security culture shift within the organization. Another thing that we see as an obstacle is the scarcity of skills.
Starting point is 00:23:14 So typically, existing security teams are security administrators. They're dealing with securing infrastructure, managing vulnerabilities, they have network security skills, maybe cyber defense teams. But in a cloud environment, there's more need for, let's say, developers who can work on identity and access management, for instance. So it's a different set of skills that would be required.
Starting point is 00:23:48 That's a combination of security and development skills. And then the third challenge we see is, the software automation advances are outpacing security. There are numerous tools that can help with developing code quickly. We have low-code, no-code platforms that are helping developers produce even more, or even average developers, average citizen developers produce more code. But we don't have that automation on the security side. And so we need to develop more automated tools. We need ways to automate security so that we can keep up with the pace of software automation.
Starting point is 00:24:38 Getting back to what you said about taking the direct route or the scenic route, to what degree do you recommend one or the other? I mean, is it different for each organization based on their history and what they're trying to accomplish? Yeah, absolutely. That's a great question. I think there are a number of factors that can influence that choice. One of them is industry specific. Some industries may be more likely of taking one route versus the other. For instance, the banking industry moved to a secure cloud, but their driver or the issues they've encountered were more regulatory and compliance-related. So that could have driven the route they've taken versus other industries who are much more focused,
Starting point is 00:25:33 perhaps on innovation or maybe clients who have certain customer engagement models may consider a different route. So if you are a client engaging directly with customers through a digital platform like Uber or Airbnb, that carries different risks than managing numerous suppliers or payment processes in a business-to-business context. And so that may dictate which route you want to take.
Starting point is 00:26:12 So another factor might be location. Your geographic footprint can influence which route you may want to take. For instance, you may be required to use a sovereign cloud or you may be required to use just one cloud as opposed to having a hybrid cloud model. So all of those factors do really influence which route or which journey is best suited for these clients. All right. Well, interesting insights.
Starting point is 00:26:47 Malek Ben Salem, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:27:28 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's the Cyber Wire.
Starting point is 00:28:19 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The Cyber Wire podcast is a production of N2K Networks,
Starting point is 00:28:38 proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand,
Starting point is 00:28:54 Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
Starting point is 00:29:59 is easy. Learn more at ai.domo.com That's ai.domo.com
