CyberWire Daily - Tehran’s social engineering. CSRB reports on Lapsus$. Call for comment on open-source standards. Coping with a tight labor market. Two private sector incidents in Russia’s hybrid war.
Episode Date: August 11, 2023
Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post's Tim Starks joins us with the latest cybersecurity efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security, with insights on protecting patient data. And how Viasat was hacked.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/153
Selected reading.
Germany says Charming Kitten hackers target Iran dissidents (Deutsche Welle)
Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (US Department of Homeland Security)
Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report (Cybersecurity and Infrastructure Security Agency CISA)
Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages (ONCD | The White House)
Amid historic hiring surge, NSA considers hybrid, unclassified work options (Federal News Network)
Exclusive: Fear of tech 'brain drain' prevents Russia from seizing Yandex for now, sources say (Reuters)
Yandex co-founder Volozh slams Russia's 'barbaric' invasion of Ukraine (Reuters)
Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault (CyberScoop)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Charming Kitten collects against Iranian expatriate dissidents.
The Cyber Safety Review Board reports on Lapsus$.
A call for comment on open source memory safe standards.
How NSA is coping with the cyber labor market.
Yandex is restructuring.
Washington Post's Tim Starks joins us with the latest cybersecurity efforts from the DOD.
Our guest is Dan L. Dodson, CEO of Fortified Health Security,
with insights on protecting patient data. And how Viasat was hacked.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, August 11, 2023.
Germany's BfV security service warns that Iran's Charming Kitten threat group is collecting against Iranian dissidents residing in Germany and elsewhere.
Both individuals and organizations are targets.
Charming Kitten has been paying particular attention to lawyers, journalists, and human rights activists since late 2022 at least.
The campaign is a social engineering effort.
Deutsche Welle characterizes Charming Kitten's approach as spear-phishing. The Iranian service first builds a target dossier containing an inventory of the subject's interests and connections, then cultivates a relationship of trust with the subject, and finally invites the target to a video chat in the course of which credentials are harvested.
The BfV recommends the customary cautions with respect to new and unknown online contacts.
For those of you playing threat group bingo at home,
Charming Kitten is also known as APT35, Phosphorus, Newscaster, and the Ajax Security Team.
The U.S. Department of Homeland Security's Cyber Safety Review Board has released the findings of its investigation into the Lapsus$ group.
The report states, the CSRB found that Lapsus$ and related threat actors use primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data.
Among its findings, the board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, passwordless solutions by design.
The report adds, to facilitate the transition to passwordless authentication, the board recommends that the federal government develop and promote a secure authentication roadmap for the nation. The roadmap should include standards, frameworks, guidance, tools, and technology that can enable organizations to assess, progress, and implement leading practices for passwordless authentication.
The Cyber Safety Review Board is a relatively young organization. It's modeled on the long-established National Transportation Safety Board, best known for its investigation of commercial aviation mishaps. The Lapsus$ investigation is a good example of what might be expected from what seems destined to become an important organization.
The White House Office of the National Cyber Director is seeking input from the public and private sectors for comments on open-source software security and memory-safe programming languages in order to develop and implement long-term and sustainable policy solutions.
The ONCD offered a clear statement of why it's seeking input. The office explained why open-source software is important, stating, in addition to its many benefits, the ubiquity of open-source software in commercial products, government systems, and military platforms presents unique security risks. For this reason, the White House established the Open Source Software Security Initiative, an interagency working group with the goal of identifying policy solutions and channeling government resources to foster greater open-source software security across the ecosystem.
It also articulated three focus areas that need to be addressed. First, increasing the proliferation of memory-safe programming languages. Second, designing implementation requirements for secure, privacy-preserving security attestations. And third, identifying and promoting focused areas for prioritization.
Responses are due by 5 p.m. on October 9, 2023. Share your insights with the National Cyber Director.
The U.S. National Security Agency is looking at ways to implement hybrid work and other incentives as it undergoes a major hiring surge, Federal News Network reports.
NSA Director General Paul Nakasone, speaking at the Center for Strategic and International Studies yesterday, said, we're going to hire probably half of our civilian workforce over the next five years because there was a tremendous demographic change with folks that had been hired in the late 80s that had worked at our agency now becoming retirement eligible.
Nakasone said of the agency's Future Ready Workforce Initiative, it's looking at such things as how do we onboard our personnel better? How do we take a look at well-being? How do we do hybrid work, this idea that perhaps some of what we do doesn't always have to be done in a SCIF? And then how do we take a look at our leadership development?
Yandex is restructuring. The Russian Google has a corporate parent registered in the Netherlands and listed on the NASDAQ, but that's in the process of changing. The Russian side of the business will be spun off from the parent company, Reuters reports.
Yandex had been one of the few Russian companies with realistic global ambitions, but the war against Ukraine has changed that, and the reorganization will effectively recognize that. The company's relationship with the Russian regime is complicated. Arkady Volozh, Yandex co-founder and resident in Israel since 2014, holds both Russian and Israeli citizenship. He stepped down from his position as CEO and gave up his seat on the company's board last year after he was subjected to sanctions by the EU over Russia's invasion of Ukraine. Yesterday, he sharply criticized the special military operation, stating, Russia's invasion of Ukraine is barbaric and I am categorically against it. I am horrified about the fate of people in Ukraine, many of them my personal friends and relatives, whose houses are being bombed every day. Although I moved to Israel in 2014, I have to take my share of responsibility for the country's actions.
Why hasn't Russia simply nationalized Yandex? Because, Reuters says, the Kremlin fears the brain drain it expects would follow such a move. The Institute for the Study of War concludes that a crypto-nationalization of the company may be in progress. The objectives are complex. Control the domestic information space, reward Putin loyalists by handing assets over to them, and do all this without driving out the tech talent Yandex represents.
And finally, Russia's disruption of Viasat in Ukraine during the first days of the special military operation was the only Russian cyber attack that came close to living up to pre-war fears of a digital bolt from the blue. Viasat's vice president and CISO, speaking at Black Hat, gave an account of how that attack was accomplished.
Cyberscoop reports that it was a more complex operation than has been generally appreciated.
It's widely understood that the attack used wiper malware against modems.
There was, however, a second phase designed to prevent restoration of service.
According to the report in Cyberscoop, not only did Russian hackers deploy the wiper malware,
they also flooded Viasat servers with requests that quickly overwhelmed their networks.
Viasat servers received more than 100,000 requests in a five-minute time span.
That meant that any time a modem would get kicked off the network,
it couldn't reconnect because the server could not respond.
This aspect of the campaign was discovered only later.
The attackers not only wanted the satellite comms down,
they wanted them to stay down.
Coming up after the break, The Washington Post's Tim Starks joins us with the latest cybersecurity efforts from the DoD.
Our guest is Dan L. Dodson, CEO of Fortified Health Security, with insights on protecting patient data.
Stay with us.
Dan Dodson is CEO at Fortified Health Security, a cybersecurity firm focused on protecting the healthcare sector. They recently released their Mid-Year Horizon Report with insights to
help healthcare organizations protect patient data and strengthen their security posture.
I spoke with Dan Dodson for the details. Yeah, so I think one of the things that caught my eye
relative to the reported breaches, we've been looking at this data since 2017, writing the
Horizon Report. And over the last
couple of years, we've seen an increase in the number of reported breaches that include a
business associate. And this year, there was a 273% increase, first half of 23 over the first
half of 22. And I think what that really means is that organizations need to continue to invest and focus on third-party risk management, which is a hot topic in cybersecurity right now.
And this data just proves the importance of making sure that as we're exchanging data
to deliver clinical care, that we're focused on making sure that that's a secure way in
and outside of the healthcare hospital.
And what sort of specific things do you recommend for organizations to keep
on top of their third-party relationships? Yeah, I think the market has largely adopted
kind of the legal elements of it, Dave. A lot of organizations have business associate agreements
between the third parties. We've largely adopted that. I think now it's incumbent upon us to take that a step further and really
understand the cybersecurity posture of our partners to make sure that we can exchange data
securely. So my recommendation is to put in a thorough third-party management program that
includes evaluating and understanding risks on the third party's side, so to speak, and then making sure that
you understand what compensating controls, if any, that you need to put in place within your
own organization so that you can keep the data within the health systems safe and secure and
ultimately continue to deliver care. When you look at the data that you've gathered in this report,
what is the trend that you're tracking here?
Are things getting better? Is it getting worse? Are we staying the same? What does it look like?
Yeah, the data is showing us that the attacks are intensifying and the success of those attacks is
increasing. And so although there are areas where we've made progress, there's still a lot of work that has to be done to be able to
turn the tides and lower the number of incidences that are reported. But right now, it's on the
upswing. A hot topic for a lot of folks these days has been artificial intelligence and
tools like ChatGPT. Is that having effect on the healthcare vertical specifically?
Yeah, I think it is, Dave, in a couple of different ways.
And we talked about this in the mid-year report.
We also have some experts that are weighing in, former FBI, as well as other experts.
But I think the resounding theme would be that generative AI is here to stay.
And there's a lot of opportunity for success in an implementation of that type of
technology. But we need policies and we need process and we need to really understand the
use case and how we're going to be feeding data into these models so that we can make sure that
the results of it are not only secure, but also accurate. And so I do think that that type of technology
is here to stay. We're seeing lots of health systems begin to use this type of technology
and experiment on how it can help with identifying clinical needs within the health system and
looking at data. We just need to make sure that we're doing it responsibly.
And one of the things that the report touches on is the legislative process.
Where do we stand there in terms of the regulatory regime?
Yeah, the regulation around cybersecurity and healthcare, I don't think has ever had
as much momentum as it does now.
I mean, this really dates back to last fall when Senator Warner came out with a position around cybersecurity really being a patient safety issue.
And so where we stand today is there's a number of bills proposed and working through the legislative process, moving towards either very strong guidance around cybersecurity and healthcare, or potentially a minimal standard, which will basically require healthcare organizations to have a specific set of cyber capabilities within their environment. We should expect those to work through the
legislative process in the second half of 23 into 24. And then the second part, which I think is
equally as important, is there's a lot of conversations around coupling that guidance
or minimal standard with some type of funding mechanism. As an industry, healthcare spends
significantly less than other industries on cybersecurity, primarily because the funds
within the healthcare environment are competing
against clinical priorities as well. And so there's a consensus that there needs to be some
level of funding, very similar to what came out with ARRA and HITECH around the digitization of EHRs back in kind of the 2000s, mid 2000s. And I think we're going to see some funding and some regulations coming down the pipe.
Where do we stand with HIPAA? I mean, is there a consensus that it's not up to the task of the modern needs? I think to some degree, Dave, it does a job thinking about protecting patients
and their information. That said, I think now that healthcare is largely digitized, we need to expand
HIPAA to make sure that we're either directly or indirectly, most likely with additional
legislation, not necessarily a direct expansion of HIPAA, but we need to take it a step further
to safeguard care in these communities, right? I mean, we are seeing healthcare organizations
be down for multiple weeks and months. And quite frankly, as one of the most
powerful nations in the world, we can't afford to not be able to deliver care in our communities
because of a cyber event. So I think that there needs to be additional legislation around there
to create this type of guidance and standards so that we can reduce the impacts of these attacks.
You bring up a really good point. And as you and I are recording this today,
there's a healthcare system, I believe in California, that is down. And that leads to
patients being redirected to other facilities, which you can have delay of care. And so
we really are talking about potentially putting lives at risk here.
Absolutely. I think four or five years ago, there was a lot of focus around making sure that
we had the confidentiality and privacy covered. That is certainly important, but I think it goes
to the next level when we're disrupting care in these communities. I mean, healthcare exists to
protect patients, care for them. And when they can't do that because they're very reliant on technology
today to deliver care, these types of successful attacks are just devastating to care in these
communities and will no doubt lead to adverse effects on the care continuum for patients in
those communities. Well, based on the information that you all have gathered here, what are your
recommendations for the cybersecurity professionals who are charged with protecting folks in the healthcare
systems?
What sort of things should they be doing?
How should they be setting their priorities here?
Yeah, I think it starts with a robust risk assessment, Dave, to identify where there
are opportunities for improvement.
From there, I think it's a prioritization around how do we deploy the
limited capital we have for cyber to reduce the most amount of risk, right? And so there's this
balance between making sure that we are prioritizing not only on basis of risk, but also where we can
impact that risk. And so as we walk clients and health systems through that journey, we identify
where we can reduce the most amount of risk. And then kind of second and part and parcel to that is
lots of these healthcare organizations have cybersecurity tools implemented in their
environments, but they are not operationalized. There's no people and process consideration
around these technologies. And in order to really get the risk reduction that we're all hoping for and working towards,
you really have to consider the operational elements of people and process in addition to technology.
And that's where we often see organizations fall short.
That's Dan Dodson from Fortified Health Security.
And it is my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post.
Tim, welcome back.
Glad to be back.
So it is Black Hat Week, of course.
And I saw in the 202 that you made note of some interesting things the DOD announced at Black Hat this week.
What's going on?
Yeah, the first thing that they've announced,
and it's the biggest thing that they're involved in,
there's also a secondary thing that they're involved in.
So big week for DARPA,
the Defense Advanced Research Projects Agency,
which of course is the fascinating high-tech shop of the DOD
credited with partially making the internet become a thing.
Right.
Among other strange, sometimes diabolical inventions.
In this case, what they've done is they're hosting a competition
that they're calling the Artificial Intelligence Cyber Challenge.
And the idea is that they're going to have a competition
and invite folk to use AI to counter cyber attacks.
Of course, we know that AI has been feared
as a thing that will help cyber attacks.
This is what they're trying to do here
is they're trying to get people to harness its power for good.
And they'll be having some prize money.
They'll be having competitions
that's going to last over a couple of years
before it finally ends up with one big winner.
And those companies, some of which will be small businesses,
will be teaming up with all the big names in AI, like OpenAI and Microsoft, Google.
So it's kind of an interesting competition.
It's a little similar to something they did a few years back,
but it's much more explicitly focused on AI and less on just generalized machine hacking and has more of a prize money and has more of a focus in terms of working
with the companies that are already doing AI.
Yeah.
Earlier this week, I was talking with Rob Boyce from Accenture,
who's at Black Hat, and he was saying how impressed he was with the degree
to which the government has a presence there this year,
more than he'd ever seen before.
I mean, I guess this program speaks to that.
It does, and I feel like it's also kind of an upward swing
since I've been covering cybersecurity and heading out to Black Hat DEF CON week.
Not there this week, but in past years,
it felt like there's just this steady upward arc of the government being at those events.
And I think what you essentially said was true.
And the interesting thing is that's not even the only announcement this week at Black Hat from the government.
They're also doing something on open source and memory safe programming language.
So, yeah, and that's actually a much bigger,
in terms of the amount of agencies involved,
that's a bigger project where CISA's involved,
where DARPA is again involved,
where the Office of Management and Budget.
It's a wider project, if not a bigger one.
What are some of the details about that project?
Yeah, so this is a request for information,
which I always struggle to describe to readers,
but it's essentially a public call for,
hey, we're looking into this, give us your insights.
And it's two topics, open source security,
which of course has been an issue with Log4j
and some of the other big issues we've seen from time to time
on the vulnerabilities there.
They're also looking at memory-safe programming languages, which is, you know, I think last I'd done a check,
some people thought that 65% of the bugs that we deal with these days are related to these languages that are a little antiquated and aren't as safe to use.
So this is a thing that they're going to be asking for people to talk to them about in
the public sector, private sector, up through October 9th, I believe is the exact date.
Yeah.
Shifting gears a little bit with you here, we are, I guess, close enough now that we
can say we're heading into the back to school part of the calendar.
Yeah, yeah.
As a father of a son who's heading back to high school, I just got the word that it's time to buy school supplies.
And the White House had an event covering this with relation to cyber attacks.
And actually, the first lady attended.
Yeah, there were a lot of people there at the White House for that event.
The idea is
they're trying to put focus on it.
They're trying to get commitments from everyone
to devote money or projects to this.
Back to school is
one of the worst times for
cyber attacks, in fact.
The idea of the hackers is
to catch them off guard
and to... If you're looking at a time when things are disorganized,
new people are coming into jobs, back to school is a big time for that.
So a timely event for the White House to do that.
Yeah.
In reading your coverage, and I believe it was your colleague,
David DiMolfetta, who wrote the article about it,
I was surprised, I guess,
in that I'd never really thought about it, that school systems don't really have any reporting requirements and that many of them choose to not report when they have a cyber incident.
Yeah, that's something that could change very, well, not very soon. There's the law that Congress passed last
year to require reporting for critical infrastructure. And because in a roundabout
sort of way, schools are part of the government sector of critical infrastructure, they might be
subject to this. But that's a regulation that's a little ways off in terms of when it will actually
be finished. It's a regulation that has not been decided
exactly what the parameters will be.
Some of that was left up to CISA to decide.
So they might be subject to that in a couple years,
but right now they aren't, and there's no requirement.
And a lot of, you know, anybody who's a hacking victim
in some cases doesn't want to report it.
Maybe it would be better if they did,
but there's an embarrassment factor, there's a risk factor in terms of legal that maybe they're
worrying about. So maybe it's not right, but it is a fact of life sometimes that people who are
victims don't report. Yeah. All right. Well, Tim Starks is the author of the Cybersecurity 202 at
The Washington Post. Tim, thanks so much for taking the time for us today. Thank you.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Alex Delamotte from SentinelLabs.
We're discussing their work,
Cloudy with a Chance of Credentials: AWS-Targeting Cred Stealer Expands to Azure and GCP. That's Research Saturday.
We're privileged that N2K and podcasts like The CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment.
Our producer is Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.