CyberWire Daily - The Five Eyes have some joint advice on detecting, defending against, and responding to Log4j exploitation. Notes on ransomware, espionage, and cyber conflict.

Episode Date: December 22, 2021

More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities, as other government organizations look into defending themselves against Log4Shell. Ransomware updates. Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group's troubles. CISA issues six ICS advisories. Malek Ben Salem explains synthetic voices. Our guest is Dr. David Lanc from Ionburst on embracing Data Out protection. And some advice on how to be the family help desk and CISO during the holiday season. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/244 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities as other government organizations look into defending themselves against Log4Shell. Ransomware updates.
Starting point is 00:02:14 Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group's troubles. CISA issues six ICS advisories, Malek Ben Salem explains synthetic voices, our guest is Dr. David Lanc from Ionburst on embracing data out protection, and some advice on how to be the family help desk and CISO during the holiday season. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 22, 2021. Criminal organizations continue to make hay of the Log4j vulnerabilities. The latest campaign to surface, VentureBeat reports, is using TellYouThePass, an older strain of ransomware that's been seen used mostly against Chinese targets
Starting point is 00:03:24 and that had been relatively inactive until Log4Shell gave it fresh impetus. It now joins Khonsari and Conti. Banking Trojans are also joining ransomware in the criminal exploitation of Log4Shell. Cryptolaemus confirms seeing the Dridex banking Trojan delivered as the payload of a Log4j exploit. Bleeping Computer reports that the familiar Dridex and Meterpreter malware strains have now been observed hitting vulnerable systems. Dridex, it's worth noting, has also served as a precursor to ransomware attacks. The Five Eyes are offering advice on Log4j-related vulnerabilities. CISA this morning announced, in conjunction with its domestic and international partners,
Starting point is 00:04:10 alert AA21-356A, Mitigating Log4Shell and Other Log4j-Related Vulnerabilities. The advisory opens with an inventory of participants and an explanation of scope. Quote, The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, the Computer Emergency Response Team New Zealand, the New Zealand National Cyber Security Centre,
Starting point is 00:04:40 and the United Kingdom's National Cyber Security Centre are releasing this joint cybersecurity advisory to provide mitigation guidance on addressing vulnerabilities in Apache's Log4j software library, CVE-2021-44228, known as Log4Shell, CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited. The advice falls into three categories: identifying assets affected by Log4Shell and
Starting point is 00:05:28 other Log4j-related vulnerabilities, upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and initiating hunt and incident response procedures to detect possible Log4Shell exploitation. The advice is comprehensive, specific, yet brief enough to be readily actionable. The government partners also, in view of the urgency of dealing with Log4j issues, list a number of private sector resources they think organizations would do well to consult. And each of the Eyes has a point of contact you can reach if you want to report an incident or receive official help. You don't
Starting point is 00:06:11 need to put them on speed dial, but it's a handy list to keep around. Belgium's Ministry of Defense continues to deal with the aftermath of a Log4Shell attack that led it to take down large sections of its network. SC Magazine points out that while Belgium's MOD may be the first prominent government victim of Log4Shell exploitation, such exploitation could reasonably be expected to be inevitable, and it's likely that more official bodies will be hit using such exploits. There's still no attribution of responsibility for the incident. Both nation-state intelligence services and criminal organizations have exploited vulnerabilities in Log4j.
Starting point is 00:06:53 ThreatPost, for example, has an account of the attack chain the Conti ransomware gang is using to take advantage of Log4Shell. U.S. Secretary of Homeland Security Mayorkas tweeted his department's expansion of its bug bounty program to include Log4j, quote, In response to the recently discovered Log4j vulnerabilities, DHSgov is expanding the scope of our new HackDHS bug bounty program and including additional incentives to find and patch Log4j-related vulnerabilities in our systems. End quote. NCC Group's most recent monthly ransomware
Starting point is 00:07:32 report found Mespinoza and LockBit to be the two most prominent strains in use during November. Mespinoza surged past Conti, which had formerly been ranked in the top two. Mespinoza, as Bleeping Computer points out, is a double extortion play, stealing data as well as encrypting it, adding the threat of doxing to the initial damage of rendering data inaccessible. Tensions remained high between Russia and Ukraine, with NATO and others generally aligned with Ukraine. Russian President Putin has
Starting point is 00:08:06 followed last week's ultimatum demanding that NATO stay out of Eastern Europe and the near abroad, with a statement to the effect that Russia has nowhere to retreat on the issue. Reuters quotes President Putin as saying, we will take adequate military technical response measures and react harshly to unfriendly steps. Military technical response suggests cyber operations, possibly hybrid operations. Ukraine has been preparing to defend itself against cyber attack, and most particularly against attempts to disrupt its power grid. Ars Technica describes how the Pegasus tool's use against U.S. diplomats in Uganda has driven NSO to the brink of collapse. NSO Group sold Pegasus to Uganda's government in 2018.
Starting point is 00:08:55 By 2021, 11 U.S. diplomats and embassy employees working in or on Uganda had the intercept tool installed in their phones. It's not clear whether the installation was an operation of the Ugandan government or whether the tool got away from the original customers and into other hands, but discovery of the surveillance seems to have been the last straw for the U.S. government. While official sources wouldn't confirm that discovery of Pegasus on State Department personnel phones precipitated the U.S. decision to blacklist NSO, it does seem to have exhausted U.S. willingness to tolerate the company's sales to customers likely to abuse Pegasus. It also had the effect of exhausting
Starting point is 00:09:38 Israeli patience with what had been a kind of national tech champion. There are simply too many other more important U.S.-Israeli bilateral issues, and NSO Group was draining too much time and energy. The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday issued six new industrial control system security advisories. And finally, do people around the house treat you like the help desk? Are you the one stuck with explaining to Uncle Louie how to do that scrolling thing the boys at the VFW hall keep telling him about? Are you the person who's expected to remind Aunt Tonya that the tweet she has on her phone isn't really an offer of free millions from that nice Mr. Musk
Starting point is 00:10:23 she's heard about? Sure you are. During the holiday season, many of you will find yourself discharging the familiar, and let's be candid, probably not entirely welcome office of family IT and security support. The Wall Street Journal has a good discussion of how to fulfill the responsibility of that office as effectively and relatively painlessly as possible. So set up a password manager for them and help them turn on two-factor authentication, clear the junk out of their storage,
Starting point is 00:10:54 check their subscriptions, and get rid of the ones they don't use, want, or remember. They'll thank you for it, and best of all, they won't be asking for your help quite so much going forward. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:28 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way
Starting point is 00:11:59 to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. Dr. David Lanc is chief evangelist at security firm Ionburst.
Starting point is 00:13:12 He advocates an approach called the data-out security paradigm, a shift away from traditional perimeter protections. Dr. David Lanc joins us with these insights. We're used to, and we've all been brought up with what I'd classify as perimeter in protection. So we've been used to protecting people through access management devices, services through access management systems, and more latterly, IoT devices and endpoints. And this is all to protect the concept of the network, the defined network or the perimeter.
Starting point is 00:13:57 But increasingly, that perimeter is becoming much more variable, whereas the cyber perimeter, it's in our houses, it's in our offices, it's in our shops and the malls, etc. So the concept of the adversary attacking our infrastructure has changed because he's no longer trying to attack something that was fixed and easy to defend around a perimeter that used to be a firewall in an office, in a data centre. It's now data that can be sitting in the cloud, copied, something like that. So the concept of data out protection is to look at protecting data as a sovereign asset,
Starting point is 00:14:34 how we define that, when in effect all other security has failed. And so if someone is to embrace this notion of data out, what does that look like from a practical point of view? What sort of things do they need to put in place? What they need to think about is abstracting the way in which we protect data from the historic sort of way in which we'd have done that, because data was an output of an application or it became the input of an application for some sort of transformation or analysis or storage. Now that's been where we've come from and again the concept historically of those applications being protected within an
Starting point is 00:15:19 organizational bound was quite well defined and the security models around that were quite well defined. As we've moved to the cloud and we're considering edge, 5G and the world that's coming, we must think of that differently. So instead of thinking of the application and the services first, we need to start to think about, okay, let's think about data as our asset, and this word sovereignty comes into, so whether it's at an organization level, an agency level, or even a personal level, that data is the thing that remains yours, or you're custodian of, you will change applications. So instead of as in the past where we would change an application and then we'd have to have this huge ETL exercise, extract, transform and load to change all of our data formats from
Starting point is 00:16:13 the old application to the new, data will remain in effect in its form, secure, safe and what will change is the application which will then integrate to that data through, for example, an API layer. In the cloud, that would be the same as becoming S3 compatible. So we change one application from another. And as long as it's S3 compatible, you can connect. And so how can you achieve those goals and not introduce undue friction into the system, not slow down people who need to access that data? Another great question. So we're talking about the world of the cloud, although the cloud is a set of data centers around. So it could be your own premises as well, if you're a large organization, as well as using cloud facilities, so this is where
Starting point is 00:17:06 the world of SASE can help. I'm not a complete convert to SASE yet, but I think it's got great, it's got legs, as they say in the old country here. So think about cloud native. So you build cloud native software systems. They are scalable. They can be deployed at all edges, which means you can put the data where data is needed. You then start to look at the best of today's cloud technology, high levels of parallelization. So although I might have fragmented my data,
Starting point is 00:17:40 I can get that data back very, very quickly in a way in which the end user certainly wouldn't notice a great latency difference. The way I have it, and I tend to sell an analogy at times like this, I say, well, OK, how fast is or which is faster? Usain Bolt running 100 meters or five Usain Bolts running 20 meters in parallel because that's the technology we now have. So you don't necessarily see that latency impact that's negative. And because you're building in cloud-native technology to integrate data through APIs,
Starting point is 00:18:25 through, for example, S3 compatibility, the end-user behavior doesn't change because we're talking about abstracting data away from the application layer rather than it being embedded in the application layer as it has been historically. These are great considerations that people should be thinking about. CISOs, CTOs, CIOs should be thinking about when they're thinking about cloud migration, what does their cloud architecture of applications and data look like in the future to give them,
Starting point is 00:19:01 frankly, the best bang for their buck, the best security. They don't want to be the guy going to the top floor to answer why there's been a data breach. That's Dr. David Lanc from Ionburst. Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Malek Ben Salem. She is the Technology Research Director for Security at Accenture. Malek, always great to have you back.
Starting point is 00:20:22 I want to touch base today on something you and I have touched on before, and that is synthetic voices. We see this coming up more and more in conversations about security, about deep fakes, and so on and so forth. I will admit, as someone who has literally thousands of hours of his voice out in the public domain in high quality, this is something that has my attention. What as security professionals should we know about where we stand when it comes to synthetic voices these days? Oh, boy. Well, as you mentioned, Dave,
Starting point is 00:20:56 we did talk about this before when we talked about deepfakes. And there was actually an attack in the wild that used synthetic voice to impersonate a CEO, right? And through that impersonation, another CEO was spearfished and was made to wire transfer more than $240,000 to the account of an attacker. So that's an attack that we've seen in the wild where these deepfake voice generators were used to create synthetic voice based on a transcript. More research happened.
Starting point is 00:21:41 The University of Chicago conducted more research around this topic, and they performed basically a large study to assess how vulnerable people are to these types of attacks and how vulnerable machines are to these types of attacks. So they had a user study of about 200 people and used two systems to generate synthetic voice. And basically, the humans were only able to distinguish fake or synthetic voice from a real voice in 50% of the cases only. Wow. Nevada, yeah. So a coin flip. Exactly.
Starting point is 00:22:29 That shows you how these deep learning-based machines that are generating these fake voices, how advanced are they becoming? And so that's 50%. If they're not familiar with a voice, if it's a familiar voice, detection improves. So they're able to recognize
Starting point is 00:22:53 or distinguish fake from real in 80% of the cases. So that improves if you know the person. But you can imagine if this technology has improved to such an extent, to this extent, that we're going to see more spam generated by these machines. Right. I really want to reach you about your car warranty. Exactly. Yeah.
Starting point is 00:23:20 Right. Right. How many of these messages do you get every week? I think I get all of them, yeah. Yeah, so when we get to that point, or actually probably in that point, what we typically do is we start relying on machines, right, to filter out these messages for us. And this is where the experiment gets interesting. So they started evaluating various types of detectors
Starting point is 00:23:50 to distinguish whether the voice was fake or not. And the problem is that most of the machines were fooled. So all of the digital assistants that you know of, they failed to recognize not only to recognize that the message they're getting is not originating from the owner of the device. Right. You know, think about all of those digital assistants which are supposed to respond only to your voice, to your command. So they fail to recognize that this is not you, but they even fail to recognize that this is not a human talking to them. And I think the numbers were around 60%. In 60% of the cases, they totally failed. And depending on the device, some of them, in 90% of the cases, they were not able to recognize that this was a fake voice or a synthetic voice.
Starting point is 00:24:52 So basically what that says is that, you know, the state of the art in terms of these machines is not capable of helping us at least with that spam problem. That's interesting. I mean, to what degree do we think this has the potential to become a serious issue? Well, I think looking at how technology has evolved and how attackers have been leveraging these technologies, again, looking at email and spam and the use of natural language processing to automatically generate various templates and versions of spam, I think we're going to see this, the same thing happen in the
Starting point is 00:25:34 voice or the sound sphere. So we're probably going to see more of that coming. And therefore, as, you know, cyber defenders, we have to up our game and we have to improve our ability to detect these types of attacks. All right. Well, Malek Ben Salem, or perhaps I should say Malek Ben Salem, thank you for joining us. And that's The Cyber Wire.
Starting point is 00:26:13 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
Starting point is 00:27:38 role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
