CyberWire Daily - Some guidance from the US government (including device security labels). Supply chain security. Developments in the cyber underworld (including a gang with some perverse integrity).

Episode Date: July 18, 2023

The US Federal government issues voluntary security guidelines. Possible privilege escalation within Google Cloud. An APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware. Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third party risk. And some noteworthy Russian cyber crime: they don't seem to be serving any political masters; they just want to get paid.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/135

Selected reading.
Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (The White House)
The Biden administration announces a cybersecurity labeling program for smart devices (AP News)
CISA Develops Factsheet for Free Tools for Cloud Environments (Cybersecurity and Infrastructure Security Agency CISA)
Free Tools for Cloud Environments (CISA)
NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing (Cybersecurity and Infrastructure Security Agency CISA)
ESF Members NSA and CISA Publish Second Industry Paper on 5G Network Slicing (National Security Agency/Central Security Service)
Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack (Orca Security)
Orca: Google Cloud design flaw enables supply chain attacks (Security | TechTarget)
Google fixes 'Bad.Build' vulnerability affecting Cloud Build service (Record)
JumpCloud discloses breach by state-backed APT hacking group (BleepingComputer)
JumpCloud: A 'state-sponsored threat actor' compromised our systems (Computing)
JumpCloud says nation-state hackers breached its systems (TechCrunch)
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state (Ars Technica)
[Security Update] Incident Details - JumpCloud (JumpCloud)
July 2023 Incident Indicators of Compromise (IoCs) (JumpCloud)
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware (Symantec by Broadcom)
RedCurl hackers return to spy on 'major Russian bank,' Australian company (Record)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. federal government issues voluntary security guidelines, possible privilege escalation with Google Cloud, an APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware.
Starting point is 00:02:19 Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third-party risk. And some noteworthy Russian cybercrime. They don't seem to be serving any political masters. They just want to get paid. I'm Dave Bittner with your CyberWire Intel briefing for Tuesday, July 18, 2023. The U.S. federal government has issued some standards and guidelines that affect cybersecurity practices. The NSA and CISA have issued guidance for 5G network slicing, that is, the preparation of a set of logical networks that ride atop a common infrastructure.
Starting point is 00:03:21 The guidance, in their words, is intended to help foster communication amongst mobile network operators, hardware manufacturers, software developers, non-mobile network operators, systems integrators, and network slice customers in the hopes that it may facilitate increased resiliency and security hardening within network slicing. CISA has also published a fact sheet outlining free tools for cloud environments to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security. And just this morning, the White House has announced a cybersecurity labeling program for smart devices. It's been anticipated for some time.
Starting point is 00:04:09 Under the proposed new program, consumers would see a newly created U.S. Cyber Trust Mark in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes. Manufacturers and retailers who have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics, Logitech, and Samsung. Orca Security reports a privilege escalation vulnerability, Bad.Build, in Google Cloud,
Starting point is 00:04:54 that could open the door to supply chain attacks by allowing an attacker to infect users and customers. Orca wrote this morning, As we have seen with the SolarWinds and recent 3CX and MOVEit supply chain attacks, this can have far-reaching consequences. Orca's report explains, Any applications built from the manipulated images are then affected with potential outcomes including denial of service attacks, data theft, and the spread of malware. Orca Security has alerted Google and Google has closed the vulnerability, but Orca suggests that affected organizations pay close attention to the details of their instances. Orca writes, to detect any possible malicious behavior. Applying the principle of least privilege and implementing cloud detection and response capabilities
Starting point is 00:06:09 to identify anomalies are some of the recommendations for reducing risk. JumpCloud announced that its systems were breached in a sophisticated attack conducted by a state-sponsored threat actor. On June 27, they found unauthorized access to a specific area of their infrastructure and determined that some of that access had begun as early as June 22nd. They saw initially no evidence of an effect on customers, but they took various precautions that included rotating credentials and rebuilding infrastructure in an effort to shore up their network and perimeter. The company is convinced the attack was sponsored by a nation
Starting point is 00:06:51 state, but JumpCloud is unsure which state was behind the attack. In further forensic investigation, JumpCloud discovered further unauthorized activity in the form of unusual activity in the commands framework for a small set of customers. In response, JumpCloud performed a force rotation of all of the admin API keys on July 5th, the same day the unusual activity was discovered. As Ars Technica explains, JumpCloud hosts a user base of over 200,000 organizations with 5,000 paying customers, including Cars.com, GoFundMe, and Foursquare. JumpCloud also engaged its prepared incident response plan, including the participation of their incident response partner and notified law enforcement authorities. law enforcement authorities. The Symantec Threat Hunter team has released a report detailing a new variant of the Sardonic backdoor associated with the cybercriminal gang Sysphinx, also known as
Starting point is 00:07:54 Fin8. This new variant of Sardonic is intended to deliver the Noberis ransomware. The Sysphinx tool was discovered in 2022 when it was discovered delivering white rabbit ransomware. Symantec explained that Fin8's shift toward ransomware was observed in 2021 after the gang infected several compromised systems in the financial sector with the Ragnar ransomware. Symantec writes, The Sysphinx group's move to ransomware suggests that the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations. Symantec explains that the cybercrime gang has revised its tools, noting mainly that the newly reworked backdoor has been rewritten in C, as opposed to its previous version, which was written in C++. Additionally, a new backdoor variant seems to be embedded indirectly into a PowerShell script, which
Starting point is 00:08:52 differs from its previous version, in which it featured an intermediate downloader shellcode that downloads and executes the backdoor. Symantec concludes its report with a snapshot of the gang, stating, SysFynx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group's decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actor's dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations. And finally, Integritas.
Starting point is 00:09:42 That's what we've heard the Roman legionnaires would say to their centurion to report that their armor and the rest of their gear was intact and in order, and that they themselves were standing tall and looking good. Integritas, one, whole, solid, consistent with one's duty, or more generally with one's values. That's integrity. And it's worth remembering that there can be a kind of integrity even among criminals, a bit of honor among thieves.
Starting point is 00:10:11 We've grown accustomed to seeing criminal gangs and hacktivists function during the hybrid war Russia has unleashed against Ukraine as either privateers or auxiliaries operating in the interest of one of the belligerents. Usually that belligerent has been Russia, and the extent to which the Russian security and intelligence agents have made use of their country's criminal classes is one of the striking features of the war in cyberspace. It seems, however, that at least one Russian,
Starting point is 00:10:41 or at least Russophone, cybergang, Red Curl, has continued to act in a purely criminal fashion, not obviously working in the interest of any government. Researchers at FACCT, which the record describes as an offshoot of Group IB, describe Red Curl's action against both Russian and Australian targets. The gang's initial approach is through phishing. Their goal isn't either the installation of ransomware or the threat of extortion through doxing. Rather, Red Curl engages in commercial espionage, seeking to steal valuable business information for subsequent resale in the C2C market. About half of Red Curl's attacks have hit Russian targets.
Starting point is 00:11:26 The other half have been distributed across Ukraine, Canada, and various European countries. We grudgingly admit that there's something refreshing about a gang that's in it just to get paid, not caring about national interest or glory. There's a kind of criminal integrity here. It's a base and deplorable integrity, but there's a consistency in their values. Still, we hope they receive some approximation of justice and that some authority somewhere brings them to book. Whether it's the FBI or the FSB, the police or the militia, it doesn't much matter. Good hunting, John or Jane Law, wherever you may be. By the way, we hope that stuff about legionnaires and centurions and integritas is true.
Starting point is 00:12:15 Our historical desk is the source, and they usually get it right, but sometimes we wonder if they get their Roman history from Tacitus or from watching reruns of Gladiator on Netflix. In any case, integritas! Coming up after the break, Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third-party risk. Stay with us. Do you know the status of your compliance controls right now?
Starting point is 00:13:09 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:13:47 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak.
Starting point is 00:14:46 Learn more at blackcloak.io. GDPR has been in effect for just over five years now. And in their 2023 third-party risk management study, the team at security firm Prevalent looked at the impact of GDPR on the practice of third-party management with its treatment of privacy as a core requirement. Alastair Parr is Senior Vice President of Global Products and Delivery at Prevalent. What we are experiencing is an uptake in things such as quantity of identified data breaches or impacts from a third party. And we actually allocate and equate some of that to the fact that people have improved visibility. And that's a general trend when you start looking at the general insights across the space is that we see increased volume of issues and incidents.
Starting point is 00:15:47 And that's down to the fact that there is a plethora of tools and technologies out there to aggregate the data at scale that people didn't necessarily have several years ago. So visibility is certainly improved, but people still have ultimately automation issues and remediation issues across the space. It seems to me to be, on the surface anyway, to be such a daunting task, you know, because when you think about all of your third party suppliers, and then you think about their suppliers, what do you recommend in terms of an approach to this, to break this down into manageable pieces?
Starting point is 00:16:22 Completely agree. So absolutely, the challenge is that it is, typically we're talking thousands, tens of thousands of third parties, and it's a very daunting and overwhelming challenge. So typically we see people reaching out, trying to understand is, how can I actually right-size that
Starting point is 00:16:37 into something that's manageable, regardless of whatever automation tools that I have, regardless of how engaged the third parties are or how accurate the vendor inventory is, people ultimately need to understand is how can I right-size that so I can invest what limited time and effort I have into the right areas. And the people who are successful there, are there any common elements? Yes, very much so. So the most successful third party risk and lifecycle programs that we see tend to be fixated on the internal focus as much as they are the external. Of course,
Starting point is 00:17:11 vendor interactions is important, being able to aggregate the data and work with the third parties to remediate core deficiencies and dependencies. But the internal aspect is equally important. Being able to build up that vendor inventory with the business, getting the business and the stakeholders involved and ultimately invested in the program is foundational. owned by the information security team, we are seeing circa 63% or 53% of the third-party relationships being owned by procurement or business owners, respectively. So there's a sort of a seesaw approach where you need to have the buy-in and the vested capabilities and support of the business in order to be able to drive the program effectively. And to what degree is this a technology issue of having the right tools to come at this with versus a personnel issue and training your employees, things like that?
Starting point is 00:18:14 I would say more often than not, it's a process first issue. So the technologies are out there to supplement, support, automate, and scale the processes. But foundationally, if the processes aren't right in the case of who and how do we reach out to the third parties, how do we react and interact with the data outputs that we get? It's very process-orientated. You need the business involved, you need compliance, audit, procurement, the business owners, execs, of course, and InfoSec and risk management all really working together and being a sort of a cohesive unit. What are your recommendations for that security person who has to make the case for this to their board,
Starting point is 00:18:55 to the powers that be, to justify a program like this? So one of the biggest challenges I think they face is the fact that it's not necessarily a revenue generating function. It's a case of it's an insurance mechanism. They're addressing and managing risk to a proportionate level so that things don't happen. And what certainly helps is when you start seeing incidents and events occur where third parties have had data breaches or events, and you've been able to detect it and react to it accordingly. and you've been able to detect it and react to it accordingly. So using legacy insurance mechanisms where you've been able to avoid adverse reputational damage from historical events is certainly useful.
Starting point is 00:19:34 But then also identifying how you can use the program to actually save through the procurement cycle. So, for example, we've identified issues and incidents with operational resilience of third parties, or their contracts aren't standing up. People using that leverage in the renegotiation cycle to actually deliver better services, reduce cost, etc. So there is potentially a dollar element to it as well. What do you suppose the future holds for third-party risk management? Where do you see us headed here? Good question. So one of the long-standing headaches, I think, in third-party risk management is that interaction between vendors and, of course, the business itself. There's a heavy reliance on things like assessments. There's a lack of standardization on assessment structures, which isn't going away,
Starting point is 00:20:23 purely because each organization typically has their own variants. In fact, over 70% of our customers alone, the hundreds of programs that we manage, actually use custom content and assessments in their programs. That's not going away. So what we start and what we expect to see is components such as AI, ultimately helping in translating and adapting various content sources into the answers that we need. So programs don't care about assessments, they care about results, they care about risks. So however we aggregate the data, whether it's SOC 2 reports, whether it's proprietary policy documentation, as long as we can analyze it at scale and be able to translate that into tangible risks and context,
Starting point is 00:21:06 that's very much where the entire third-party estate and environment is really going to head. Yeah, it's a really interesting insight. I mean, I think in particular that translation layer to be able to make your case to the board and to your colleagues is so important. And yet I think it's my experience that lots of folks still struggle with that. Yes, absolutely. So the ability to translate the technical language of risks bar colors, you know, red is bad,
Starting point is 00:21:38 can be lost on some programs. So you're absolutely right. So when we tend to build KPIs and KRI material for the boards and the execs, it tends to be very much persona focused. We are looking at making sure that we've got the right data points that they're curious about and they're interested in, which help them understand, are they at risk? That's Alistair Parr from Prevalent. their par from prevalent. And joining me once again is Ben Yellen. He's from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast. Ben, it's always great to have you back. Good to be with you, Dave. So interesting proposed legislation coming out of Massachusetts here when it comes to
Starting point is 00:22:33 the buying and selling of location data. What's going on here, Ben? So this law would be the first of its kind in a state legislature across the country. Massachusetts lawmakers in both the state House and Senate are weighing a near total ban on the buying and selling of location data drawn from mobile devices in the state. Other laws controlled by both Democratic and Republican legislatures have passed broad data privacy legislation,
Starting point is 00:23:00 but this would be the first that would institute a near total ban on buying and selling of this location data. So one element of the law would institute a warrant requirement for law enforcement access to this data. That's important. It really codifies the Supreme Court's holding in the Carpenter decision from 2018, prevent warrantless searches of historical cell site location information. Would this also prevent law enforcement from purchasing that data without a warrant? It would. Any law enforcement access without a warrant would be prohibited.
Starting point is 00:23:33 The broader prohibition that's outlined in this law, which I think is more significant, is data brokers would be banned from buying and selling location information about state residents without court authorization. So there are limited exceptions in circumstances that would be useful to the consumer, things like sharing location for ride-sharing purposes, for weather applications, etc. But the law would be certainly the broadest in this country, and it would have a major impact. There's a coalition of civil liberties and privacy groups that are in this country, and it would have a major impact. There's a coalition of civil liberties and privacy groups that are supporting this legislation, thinking that it
Starting point is 00:24:11 could be a test case for broader nationwide legislation that would institute bans on buying and selling location data. We've seen similar laws proposed at the federal level, though not come anywhere close to being enacted to this point. But there's pretty broad opposition as well. There is a trade association that spoke in opposition at a recent joint hearing on this bill. A lawyer named Andrew Kingman, who was representing this trade association, the State Privacy and Security Coalition, said that while they support heightened protections for certain types of personal data, that this law is just overbroad. They should look at some other states, including neighboring Connecticut, which passed a data privacy law, but didn't go as far as having an outright ban
Starting point is 00:24:57 on data brokers on buying and selling this data. Rather, it gives consumers the ability to opt out of sale. So it's still providing consumers with a choice. If the consumers find the data that these companies are collecting useful for their own purposes, then the consumer can consent to that type of collection. But I think that certainly does not go far enough for some of these privacy and civil liberties advocates who see that not only are companies purchasing this data, but local police departments and federal agencies have also purchased location information and are using it for law enforcement purposes. And that's kind of an end around of the Fourth Amendment that groups like the ACLU see as very dangerous. Right. And there's a huge difference between an opt-in and an opt-out by default. Oh, absolutely. I mean, the opt-out means that you have to be technologically savvy enough
Starting point is 00:25:54 to take some action to opt out of it. You can bet they'll hide it somewhere. Oh, they'll hide it somewhere deep in the settings. Right, exactly. Your thumbs are going to get tired trying to find that page where you can opt out. Whereas an opt-in, you know, that's really the reverse. It kind of goes back to a concept, ironically, from a Massachusetts academic himself, Cass Sunstein, on the idea of a nudge, that it makes a huge difference what the default is, because people are so unable or reluctant to take action to
Starting point is 00:26:26 either opt in or opt out that whether the default is opt in or opt out ends up making a huge difference. Yeah. Interesting that this has also caught the attention of abortion rights advocates. What's their interest here? Yeah. So abortion rights advocates have argued persuasively that phone location data, particularly when it's available for sale, could lead to state governments and state where abortions have been either curtailed or prohibited entirely after the Dobbs decision last year to track people traveling out of state seeking the procedure for the purpose of instituting or initiating prosecution. And that's certainly a valid concern for abortion rights advocates. I think the fact that this data is widely available, that it could be accessed
Starting point is 00:27:15 without a warrant, that all it takes is a chunk of change to purchase the data, I think is particularly dangerous for individuals seeking to travel out of state to obtain abortions. And it's not just abortions that have raised particular privacy concerns. They also mentioned this article, digital stalking, national security threats. All of those things can present themselves as problems when data is available for sale. So we have these kind of particular circumstances that have raised concerns for these groups. I think that's part of the impetus behind the push for this legislation. Is it likely, given the makeup of the Massachusetts legislature, that this will
Starting point is 00:27:56 move forward? What do you think? Yes, I would have to say the prognosis is quite positive. The Massachusetts legislatures are dominated by Democrats. There's like five Republicans in the entire Massachusetts state legislature. The current majority leader of the Massachusetts state Senate is the sponsor of this piece of legislation. She testified for it at the hearing. So you have a pretty powerful person aligned with this legislation. The governor is a Democrat as well, though that doesn't really matter since the legislature has veto-proof majorities. But yeah, the prognosis, I think, for this legislation is quite positive. All right. Well, we'll keep an eye on that one. An interesting development for sure.
Starting point is 00:28:41 Ben Yellen, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:29:19 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Starting point is 00:29:57 Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. Thank you. and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff.
Starting point is 00:30:52 Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
