CyberWire Daily - The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers.
Episode Date: June 10, 2022
Looking at Russia's hybrid war as a cautionary example. Russia warns, again, that it will meet cyberattacks with appropriate retaliation. (China says "us too.") NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating, quietly, for a decade. "Unpatchable" vulnerability in Apple chips reported. We've got more interviews from RSA Conference, including the FBI's Cyber Section Chief David Ring and ExtraHop's CEO, Patrick Dennis. And the overhead projector said, "Go Tigers."
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/112
Selected reading.
Top Senate Democrats sound the alarm about Russian interference in the 2022 midterms (Business Insider)
Russia says West risks 'direct military clash' over cyberattacks (NBC News)
Russia, China, oppose US cyber support of Ukraine (Register)
#RSAC: NSA Outlines Threats from Russia, China and Ransomware (Infosecurity Magazine)
FBI official: Chinese hackers boost recon efforts (The Record by Recorded Future)
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (SentinelOne)
MIT researchers uncover 'unpatchable' flaw in Apple M1 chips (TechCrunch)
New Jersey school district forced to cancel final exams amid ransomware recovery effort (The Record by Recorded Future)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Looking at Russia's hybrid war as a cautionary example,
Russia warns again that it will meet cyber attacks with appropriate retaliation.
China says, us too.
NSA and FBI warn of nation-state cyber threats.
SentinelOne finds a Chinese APT that's been operating quietly for a decade.
An unpatchable vulnerability in Apple chips has been reported.
We've got more interviews from RSA Conference,
including the FBI's Cyber Section Chief David Ring and ExtraHop CEO
Patrick Dennis. And the overhead projector said, "Go Tigers."
From the CyberWire studios at DataTribe, where we are happy to be back home in Maryland,
I'm Dave Bittner with your CyberWire summary for Friday, June 10, 2022.
Business Insider reports that 17 senators, all Democrats, have signed a letter to the Secretaries of Defense and Homeland Security, the Director of National Intelligence, and the
Directors of NSA and the FBI, asking that they give due attention to protecting the 2022 midterm
elections from Russian interference, whether that takes the form of cyber attack or disinformation.
They write,
As the Russian invasion of Ukraine has led to an increase in Russian disinformation
and warnings of potential cyber attacks,
we urge you to ensure that your agencies are prepared to quickly and effectively
counter Russian influence campaigns targeting the 2022 elections.
A statement from Russia's foreign ministry yesterday warned that Moscow will respond
to cyber attacks, Reuters reports. Director of the Department of International Information
Security of the Ministry of Foreign Affairs of Russia, A.V. Krutskikh said, Rest assured, Russia will not leave aggressive actions unanswered.
All our steps will be measured, targeted in accordance with our legislation and international
law.
NBC News quoted the foreign ministry as accusing Washington of deliberately lowering the threshold
for the combat use of cyberweapons, and as saying that the consequence of a lower threshold is that any escalation will be the fault of the West.
The Russians said,
The militarization of the information space by the West
and attempts to turn it into an arena of interstate confrontation
have greatly increased the threat of a direct military clash with unpredictable consequences.
A direct military clash would be kinetic combat. The proximate occasion of the Foreign Ministry's warning
appears to be this past weekend's website defacement of a second-tier Russian ministry's
webpage to display the motto Glory to Ukraine. The rest of the world wouldn't regard nuisance-level hacktivism as a casus belli,
but things look different from the Kremlin.
Mr. Krutskikh explained,
I will emphasize what has already been said more than once.
State institutions, critical and social infrastructure facilities,
storage of personal data of our citizens and foreigners living in Russia are
being hit. Officials in the United States and Ukraine are taking responsibility for the sabotage.
It is there that they categorically refuse to develop international legal foundations.
They do not seem to fully realize how dangerous aggressiveness and encouragement of gangsterism,
banditism, that is, banditry, in the field of information security.
China has also commented with disapproval on U.S. Cyber Command's General Nakasone's allusion
to having engaged in a full spectrum of cyber operations.
The Register reports that Foreign Ministry spokesman Zhao Lijian said,
the U.S. needs to explain to the international community how these hacking operations are consistent with its professed position of not engaging directly in the Russia-Ukraine conflict.
He went on to object to American cybersecurity assistance to third parties generally,
or as he put it, U.S. deployment of cyber military forces in some small
and medium-sized countries. Mr. Zhao warned small and medium-sized countries that accepting this
kind of American security help is dangerous. He said, these countries need to keep their eyes
wide open and beware whether such deployment could embroil them in a conflict they are not
looking for, observing that cyber conflict could easily escalate into kinetic, even nuclear, war.
The Register dryly notes that the two nations' very similar statements made on successive days
may not be coincidental. Speaking at the RSA conference, NSA Cybersecurity Director Rob Joyce
reiterated and updated warnings of the threat posed by both Russian and Chinese state-directed
cyber threat actors. InfoSecurity magazine says that Joyce paid particular attention to the
malware Russia deployed against Ukraine before and during its invasion.
He also noted that Chinese cyber espionage had grown in aggressiveness and rapacity.
Joyce has long warned of the threat Moscow and Beijing pose in cyberspace. He sees the Russian threat as immediate and acute, the Chinese threat as a long-term problem.
At an earlier RSA conference, he compared Russian
cyber operations to a hurricane, Chinese cyber ops to climate change. The FBI added its own
warnings of the cyber threat from China to the conference. The record quotes Elvis Chan,
assistant special agent in charge at the Bureau's San Francisco field office, as saying, we've actually seen here in the San Francisco area an uptick in reconnaissance from Chinese
advanced persistent threat actors specifically. The Chinese operators are particularly interested
in industrial espionage. Chan says they're still looking to steal as much intellectual property as
they can. Researchers at SentinelOne have identified a Chinese cyber espionage threat group
they're calling Aoqin Dragon that's been unobtrusively at work for the past decade.
It's assessed as a small group that's been heavily active against Australian and Southeast Asian targets,
mostly government, telecommunications, and educational organizations.
The threat actor has used a variety of techniques to obtain access to its targets since 2013,
including document exploits and the use of fake removable devices.
Aoqin Dragon has also used DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
One of the hallmarks of the group's activity insofar as social engineering is concerned
has been a heavy use of pornographic phishbait. SentinelOne thinks there's a good chance that
Aoqin Dragon has some association with the group Mandiant calls UNC94.
TechCrunch reports that MIT researchers have found a hardware flaw in Apple's M1 chips.
The researchers have found that pointer authentication codes, PAC, a hardware security measure that protects against code injection and buffer overflow attacks,
can be bypassed in an exploit the researchers inevitably call PACMAN.
PACMAN combines memory corruption and speculative execution to guess PAC values. There's a finite
number of possible PAC values, which makes it possible in principle to brute force the values,
but PACMAN also depends upon other exploits against which the M1 is protected,
and so it may not be as serious as it sounds. That appears to be Apple's view. TechCrunch
quotes the company's statement, based on our analysis as well as the details shared with us
by the researchers, we have concluded this issue does not pose an immediate risk to our users
and is insufficient to bypass operating system security protections on its own.
And finally, the borough of Tenafly, New Jersey,
is recovering from a ransomware attack it sustained.
The Tenafly public schools noticed an anomaly in their network
and shut them down as a preventative measure.
They subsequently found a ransomware infestation.
Since the schools were offline, Google Workspace, Google Classroom, Google Drive,
and the other online tools students had grown accustomed to were unavailable.
The schools had to cancel final exams,
but they reverted to old school instruction tech
to keep the lessons going.
The students found the overhead projectors especially cool.
The record quotes a school official as saying,
So good luck to Tenafly.
And we'll close by shouting a hearty Go Tigers
in the direction of Bergen County.
Have a good summer, Tenafly High School.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
Cybersecurity leaders are seeing unprecedented outreach and collaboration from federal agencies like CISA, NSA, and the FBI.
You'll often hear the phrase, cyber is a team sport,
with the acknowledgment that working together is the best way,
perhaps the only way, to meet the challenge of the threats we're seeing.
David Ring is section chief of the FBI Cyber Engagement Intelligence Section and FBI Cyber Division.
I caught up with him at the RSA conference.
FBI brings a lot to bear against the threat.
Of course, we work very closely with our critical partners in government, NSA, Cybercom, CISA,
to bring a whole government approach
to the broader threat environment
because, again, cyber's a team sport, right?
We hear that a lot,
and that's a mantra for the Bureau as well.
Our goal is to ensure that all of the resources
that the federal government has
are brought to bear against the threat.
And, you know, working with private sector,
it's critical that we bring those resources in as well
and that we're engaged early on.
I'm an old CT guy, right?
So I'll use CT language.
We try to go left of boom with these companies
and identifying avenues where we can share
two-way sharing of substantive information,
intelligence that can point us in the right direction
or we can point them in the right direction,
either one-on-one or more broadly. What do you say to folks who may find themselves,
I'm thinking particularly of those small and medium-sized businesses who may not think that they are up to the level where FBI engagement really makes sense. Is that something you're
looking to get past? It sure is. And frankly, when you look at the victim space,
those small and medium companies
are really where the victim space is, right?
Because they don't have the same resources
that these giants have.
And of course, we need to work
with very large corporations, companies,
infrastructure providers every single day
to make sure that we're working the threat effectively.
But from a day-to-day approach,
we have to identify
who our most systemically important partners are
in the private industry space.
And so those companies aren't always the huge ones
that everybody thinks about.
When we talk about some sensitive national security projects,
we talk about COVID vaccine development and things like that.
These are sometimes some smaller,
certainly medium-sized companies are very involved.
There are all sorts of sizes
of managed service providers out there that we need to identify and go out and have those
conversations with at the field office level. FBI's got 56 field offices across the country.
It's part of our value proposition in working with private sector and countering cyber threats.
We're a deployed workforce across the country and frankly across the world
where we can have a technically trained cyber agent
on somebody's doorstep in a very, very short timeframe.
We're talking hours versus days
in order to work with that organization.
And if it's incident response
or they're dealing with an incident
or it's just, hey, we've identified
that you guys are working on something that's really critical. If that information was
potentially disrupted or stolen, there's a national security implication, there's a public
safety implication. We need to be out there with you and working through kind of those threats and
we can work with you to identify where some of those vulnerabilities lie. It's really interesting to me to see, I guess what I describe as a real shift in approach for
organizations like the FBI. We're seeing it with CISA as well, with the outreach, even NSA, the
outreach to the community. Things aren't as insular as I think people thought they were. And I wonder,
you know, people might've had this notion of the kind of the big,
bad three-letter agencies, but it doesn't, it shouldn't be that way. I mean, these resources
are for folks to take advantage of. Yeah, I think that there's a stigma that we're, or a stereotype
that we're trying to get away from. You see, you know, in TV and movies, the FBI, raid jackets,
they're kicking down doors, they're carrying stuff out of
a building, they're putting up crime scene tape, and most organizations don't want that type of
presence out there when they're dealing with this. That's not what the FBI does when we respond to a
cyber incident. We take the cues from the victim organization, the targeted entity, and say,
hey, let's have a phone call. We have questions that we are going to ask that's going to help
us understand what you're dealing with. And hopefully we can provide information that we have obtained via our investigations
and our work with intelligence community partners
and other government partners that can help you
deal with the situation that you have.
So our goal is to get away from that big, scary,
three-letter government agency stereotype
that sometimes exists out there and say,
no, we're truly here to help.
I know that that's an overused term. Hey, we're the FBI, we're here to help, but we truly are. And we're going to
engage as minimalist of a way that that organization needs, right? So we're not going to be rolling up
in 20 black suburbans and people pouring out and making a big show of it. We're not going to walk
out of the building with your servers, right? We're there to facilitate, assist, and inform rather than
be disruptive. What's your advice for folks who are looking to start that relationship,
to make that introduction? What's the best way for them to go about doing that?
Yeah, so the best way is at the most local level possible, right? So again,
56 field offices and hundreds of smaller sub-offices that we call resident agencies across
the United States, work with your local contacts. It's out there. It's on the internet. You can
reach out to your local field office, have that initial outreach, look into InfraGard programs.
InfraGard is a public-private sector partnership that the FBI works with at every field office.
They have their own chapters.
It's a method to get through the door and start talking to your local FBI contacts.
We have multiple agencies in field offices on cyber task forces where you've got local police, state police, other U.S. government agencies like Secret Service and others working
together, if you've got a contact in those organizations, they can feed you into the FBI
as well. But the best thing to do is pick up the phone or pull up the email and reach out to your
local FBI field office, and we'll reach back out to you and we'll start developing that relationship.
Oftentimes, that relationship blossoms. They feed us and feed folks back into my team here at headquarters where we can engage at a more national strategic level as well.
That's David Ring from the FBI. There's a lot more to this conversation. If you want to hear more,
head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
It has been a busy, productive week at RSA Conference.
Crowds are certainly down from peak attendance years,
but by no means did the show feel under-attended.
In many ways, it felt like a bit of a reunion.
Patrick Dennis is CEO at ExtraHop, and we caught up yesterday as the conference was winding down.
And so my observation was there were a lot of people here and somehow we've navigated to a place where this felt like an honest-to-goodness,
well attended, well put together conference.
People took practical steps and I had a great time.
Yeah, me too.
What are you hearing from customers that you've met with?
What sort of things are on their minds?
So first and foremost, and this was consistent,
I've talked to probably 30 customers
for somewhere between a half hour, 45 minutes each.
It's a pretty good sample.
International, big, small.
Without question, we're at the peak,
at least from what I've seen,
of tension between IT and security.
Businesses are getting pulled into transformation initiatives
super fast because of everything that's transpired in the world.
And at the same time, work from anywhere
has really challenged security teams,
as has just a number of advanced threats, labor, all those things.
And so there's a real tension there.
There's pressure to move a business forward really fast
and pressure for security teams to do that
in a way that keeps people safe and secure
and it's tense and it's hard.
How are they reacting to that tension, to that pressure?
What are they seeing on the other side of it?
So interesting, great question.
The other thing I would tell you is they're all very hopeful.
I've been through cycles here where I've not seen hope.
So even with that tension and that pressure,
I have a ton of great stories that came from customers
where they've been really successful.
I think it's getting really practical.
There have been years where security and IT
had trends and topics that were pretty big, maybe didn't land.
I had a lot of very practical conversations this week.
How can I make things better now?
How do I make things better for my people now?
What can I do to advance the business now?
So there is a sense of urgency.
I haven't seen quite like this any time in the past.
Do you have a sense that the security folks
are being supported by the higher-ups in the company,
that there's a recognition of the investment
that this requires?
I think that's 50-50.
So I feel pretty strongly about that particular topic.
We have a lot going on in the world. We're recording this, there's still a war going on
it's been going on for over 100 days
and we still have security professionals
that aren't getting the support that they need from their companies
to make sure, we use the CISA term,
their shields are up.
And there could never be a time where it's more obvious that people should at least be prepared.
And so I think it's 50-50.
I spend a fair amount of my time as a CEO
trying to make sure we're asking customers
to do that for their teams.
I'm an interesting chair, right?
I'm the CEO of a security company, so we obviously
care about security, but I still have my fiduciary
obligation, my duty of care, and my
duty of loyalty to our business
as a security professional.
And I know what I have to do to support
my team, and I
don't think people around
the world are getting the same support that we offer
our team.
And it's probably 50-50.
It's still scary.
Do you sense that the relationship between IT and security is growing closer?
Is the mandate coming down or bubbling up
that that is where we need to go
and so the folks in those positions have to?
I can think of two conversations I had specifically
that I'm going to use as the reference point for this.
Okay.
One was a mid-level leader
that had identified he could get leverage
from the other group.
So he walked across the aisle and he said to IT,
hey, your network team could help me a little bit on security.
And my security folks know a little bit about a network.
Neither of us are fully staffed.
I'll help you a little bit if you help me a little bit.
And they've reworked almost their entire investigation workflow.
As a result of it, turned it entirely upside down.
They're using their IT network team almost as a kind of tier one.
They're kind of adding them to that layer.
Super effective.
That was a very, very savvy mid-level leader
that just saw a way to solve his problems.
I had one other conversation
where absolutely top-down,
very large financial services company,
top quartile CISO,
and was like,
hey, I want to know we have the best protection
that we can have.
We're going to bring these two teams together.
They're not going to do the same thing.
And we're not even going to organize them as one single team,
but we're going to make them sit together
and kind of get the mission brief together,
and they're both going to have a role to play.
So I've seen it done both ways.
Is there a difference with,
if someone is spinning up an organization today,
a new entity,
are they coming at it from a different direction
than legacy companies?
Certainly that mid-leader example that I gave
is a newer organization, a little more greenfield.
So they're trying to build that workflow
kind of in an integrated way.
The other example is a legacy organization.
And I would argue that's a little bit more of like,
hey, they're having to break some glass
to put it back together again.
I see.
They're solving it with budget.
So interesting, right?
Top down, you can put a budget lever on it,
and that CISO is using that budget lever a little bit with the two teams to say,
like, neither of you have quite enough,
but if you work together, you have plenty.
Right, right.
It was a creative solve.
Yeah, it's compelling.
Yeah.
As you and I are here together at the RSA conference,
we are just about midway through this year.
Hard to believe.
Gone fast.
Yeah, it really has.
What do you see on the horizon?
What do you think we're in for the rest of 2022?
So we're also at a point where people are talking about the financial outlook. So if we kind of go back to this situation that we're in,
which is maybe why it's unusual that I saw so much hope and optimism, right? We've also,
we've seen a pandemic, we've seen a war, we have some uncertainty in the financial outlook.
Mm-hmm.
I think it's going to be a busy back half.
I don't exactly know which one of those dominoes is going to fall and how it's going to hit another domino,
but there's certainly enough in the forecast
to look out and say it's going to be really busy
for cyber professionals.
I think we're going to see some of the spillover probably from the war.
I think we're going to see some just pressure in markets.
That's always challenging for teams that are trying to find people to employ
and build a team and build tools and products and capabilities.
So I think there's going to be a lot of pressure in this back half.
It's going to be busy.
What's your advice to folks?
Having been here for these few days,
having the conversations you've had,
for the people out there who are trying to
up their security game,
any words of wisdom?
That tension I described between IT
and security does nobody good.
These leaders I described
that are finding ways to build bridges
between those two teams,
those people are better off.
Build the bridges, work together as a team.
If you can do that and be practical in this back half of the year,
facing some of the things we're going to face, you're going to be better off.
That's Patrick Dennis from ExtraHop. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Danny Adamitis from Lumen's Black Lotus Labs. We're discussing
new developments in the WSL attack surface. That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand,
Liz Irvin, Elliott Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash,
Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.