CyberWire Daily - Tools, alerts, and advisories from CISA. Reply phishing scams. Cl0p goes everywhere with GoAnywhere. EW in the hybrid war, and shields stay up.
Episode Date: March 24, 2023
A CISA tool helps secure Microsoft clouds. JCDC and pre-ransomware notification. CISA releases six ICS advisories. Reply phishing. Cl0p goes everywhere exploiting GoAnywhere. Russian electronic warfare units show the ability to locate Starlink terminals. Betsy Carmelite from Booz Allen Hamilton on the DoD's zero trust journey. Analysis of the National Cybersecurity Strategy from our special guests, Adam Isles, Principal at the Chertoff Group, and Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology with the National Security Council.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/57
Selected reading.
JCDC Cultivates Pre-Ransomware Notification Capability (Cybersecurity and Infrastructure Security Agency CISA)
US cyber officials make urgent push to warn businesses about vulnerabilities to hackers (CNN)
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA)
New CISA tool detects hacking activity in Microsoft cloud services (BleepingComputer)
CISA Releases Six Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)
The Microsoft Reply Attack (Avanan)
More victims emerge from Fortra GoAnywhere zero-day attacks (Security |
More Clop GoAnywhere attack victims emerge (SC Media)
Mass-Ransomware Attack on GoAnywhere File Transfer Tool Exposes Companies Worldwide (Medium)
City of Toronto confirms data theft, Clop claims responsibility (BleepingComputer)
Canadian movie chain Cineplex among the victims of GoAnywhere MFT hack (Financial Post)
Personal data of Rio Tinto's Aussie staff may have been hacked - memo (Reuters)
Another GoAnywhere Attack Affects Japanese Giant Hitachi Energy (Heimdal Security Blog)
Using Starlink Paints a Target on Ukrainian Troops (Defense One)
As CISA chief notes lack of Russian cyberattacks against US, experts focus on enhancing nuclear reactor security (Utility Dive)
Using Deception to Learn About Russian Threat Actors (Security Boulevard)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now, at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A new tool from CISA helps secure Microsoft Clouds,
JCDC, and pre-ransomware notification.
CISA releases six ICS advisories.
Cl0p goes everywhere, exploiting GoAnywhere.
Russian electronic warfare units show the ability to locate Starlink terminals.
Betsy Carmelite from Booz Allen Hamilton on the DOD's Zero Trust Journey.
Analysis of the national cybersecurity strategy
from our special guests, Adam Isles, principal at the Chertoff Group, and Steve Kelly, special
assistant to the president and senior director for cybersecurity and emerging technology with the National Security Council. From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, March 24th, 2023.
We begin today with some stories from CISA, the U.S. Cybersecurity and Infrastructure Security Agency.
First, the agency has released a tool to help detect malicious activity in Microsoft Azure,
Azure Active Directory, and Microsoft 365 environments.
Called the Untitled Goose Tool,
in what's apparently a whimsical play on the Cretan Liars Paradox,
this Python-based tool has been developed in conjunction with Sandia National Laboratory.
It's intended to serve as a robust and flexible hunt and incident response tool.
Untitled Goose Tool is available on CISA's GitHub repository. CISA's Joint Cyber Defense Collaborative is also
cultivating its pre-ransomware notification capability. JCDC explains, with pre-ransomware
notifications, organizations can receive early warning and potentially evict threat actors before
they can encrypt and hold critical data and systems for ransom. The JCDC is a public-private
sector information sharing organization established by CISA in 2021. JCDC Associate Director Clayton
Romans explained in a blog post yesterday that pre-ransomware notifications are
possible due to tips from the cybersecurity research community, infrastructure providers,
and cyber threat intelligence companies about potential early stage ransomware activity.
Romans added that since the start of 2023, we've notified over 60 entities across the energy, healthcare, water, wastewater,
education, and other sectors about potential pre-ransomware intrusions, and we've confirmed
that many of them identified and remediated the intrusion before encryption or exfiltration
occurred. And of course, CISA continues to release industrial control system advisories.
Yesterday, it published six of them.
Users and administrators are, as always, urged to review the advisories,
assess their systems, and apply recommended upgrades and mitigations.
A phishing campaign is impersonating Microsoft with emails that alert the recipient of an unusual sign-in to their Microsoft account, according to Avanan.
The emails inform the user that their account has been logged into from an IP address in Moscow
and encourage the user to click a button to report the suspicious activity.
The report says,
By clicking send, the user thinks they are reporting this activity for IT to investigate.
Instead, the message goes directly to the hacker.
This is where social engineering starts.
The hacker will reply to the message, asking the end user for login information to safeguard the account.
That, of course, is the opposite of what will happen.
The scam's deceptive simplicity and the easy interaction make it
effective. The Russophone gang behind Cl0p continues to make a widespread pest of itself.
A campaign in which the Cl0p gang has exploited Fortra's GoAnywhere managed file transfer tool
has caused the compromise of data from a wide range of victims. Major financing firms, energy companies, and even governments worldwide
have seen breaches due to the gang's exploitation of the zero-day vulnerability.
The remote code execution vulnerability in the MFT software,
tracked now as CVE-2023-0669,
was first reported by Krebs on Security on February 2nd.
Fixes for the vulnerability followed on the 7th.
However, it had already been too late by that point as data had been stolen.
Many organizations have come forward revealing that they were victimized by this series of breaches.
The Record reports that the government of the City of Toronto, Canada,
and British conglomerate Virgin UK's rewards club, Virgin Red,
both experienced data exposure.
Bleeping Computer wrote Thursday that another British organization,
the United Kingdom's Pension Protection Fund, was impacted by the zero-day.
Several victims were located in Canada,
with the Financial Post reporting yesterday
that Canadian movie chain Cineplex
said that it was hit in the attack, and SC Magazine is also confirming that major Canadian
financing firm Investissement Québec was impacted. Procter & Gamble was added to the gang's leak
site, and Saks Fifth Avenue confirmed an attack, according to TechTarget. These may be added to previously disclosed incidents at Hitachi Energy and Rio Tinto.
Over in Russia's hybrid war, some traditional electronic warfare tactics have resurfaced.
Starlink terminals used by Ukrainian forces are proving increasingly vulnerable
to focused application of traditional electronic warfare by Russian forces.
Defense One reports that Ukrainian units employing the system
are being subjected to both jamming and geolocation by Russian electronic warfare units.
Despite the failure of major Russian cyberattacks to work damage to Western infrastructure,
Utility Dive reports,
the U.S. Cybersecurity and Infrastructure Security Agency remains on guard against the possibility of Russian reprisals in the form of cyberoffensives
against the nuclear power sector in particular.
CISA Executive Director Brandon Wales said Wednesday
that a combination of effective defense, deterrence, and decisions by the Russian government
itself have all contributed to the lack of effect on critical infrastructure. Wales stated,
recognizing that an invasion was likely, we were getting industry ready for potential attacks here
at home. We have not seen that. We have not seen successful attacks on the United States from
Russia, from the Russian
government, and I think that is a credit to the work of both government and industry partnering
together to make sure that those are much harder to achieve. Activist auxiliaries have certainly
been active in the Russian interest, but only at the proverbial nuisance levels. Criminal activity
by Russian gangs, which might be characterized as privateering,
given the toleration and protection it receives from Moscow,
has continued at a high level,
particularly with respect to ransomware attacks against poorly protected organizations.
Security Boulevard has an account of what the deception specialists Lupovis learned
from decoys it built and put in place to attract a range of Russian threat actors.
The privateers continue to show up in a big way.
Coming up after the break, Betsy Carmelite from Booz Allen Hamilton on the DOD's Zero Trust Journey and analysis of the national cybersecurity strategy from our special guests, Adam Isles, principal at the Chertoff Group, and Steve Kelly, special assistant to the president.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Biden administration recently released their National Cybersecurity Strategy,
which, in their words, aims to secure the full benefits of a safe and secure digital ecosystem for all Americans.
For our upcoming CyberWire special edition covering the National Cybersecurity Strategy,
we've got two special guests.
Adam Isles is a principal at the Chertoff Group,
the security firm founded by former Secretary of the Department of Homeland Security,
Michael Chertoff. Previously, Adam served as the Deputy Chief of Staff at DHS.
Our second special guest is Steve Kelly. Steve Kelly serves as Special Assistant to the President
and Senior Director for Cybersecurity and Emerging Technology with the National Security Council. We've got a segment from that special edition
for you today, beginning with the Chertoff Group's Adam Isles. There is very loudly and clearly an
emphasis on a fuller use of existing regulatory authorities and maybe the need for some new
authorities to apply
a set of kind of minimum expected cybersecurity practices across critical infrastructure sectors.
There's a sense that what's historically been largely a voluntary approach isn't generating
the outcomes that we need to defend the country and make it cyber resilient.
And so what we're seeing here is certainly a focus around we have existing,
whether it's safety or security regulatory authorities,
let's make sure there's a cyber component to those.
And in fact, right, we saw not even a day after the cybersecurity strategy was released,
the Environmental Protection Agency come out with new guidance to state EPAs,
basically saying, when you're doing inspections
of public water systems,
here's what you need to be asking about
from a cybersecurity perspective.
And I expect we'll see that trend
kind of percolate across into other regulatory agencies as well.
I mean, TSA has already come out and announced,
and they haven't divulged the specifics of it,
but an emergency amendment to aircraft and airport regulations
to add in additional cybersecurity expectations.
I think something that's caught a lot of people's eye
is this notion that we're going to see an emphasis on liability for software.
Yes.
And again, this is not a new thought, but it is the administration saying in a formal way, you know, we stand behind this.
I mean, the Cyberspace Solarium Commission talked about it.
What we really want software providers to be doing, particularly the providers of security technologies, is to be designing their systems to be secure by design and to incentivize them to do that by
having them own more of the liability for whatever reason they are. The interesting thing in this
space is there are lots of compliance frameworks that are out there and best practice frameworks.
And we think in the context of federal agencies around things like NIST special publication 800-53, when we're thinking about compliance frameworks that are well-known in the private sector, we think about ISO 27001, SOC 2.
Those frameworks don't really necessarily get to the level of detail on what good software
lifecycle security practices look like. And so we're talking about a potential liability shift
coupled with, well, let's think about what a modern software security lifecycle framework
looks like, and let's try and get people to conform to that. And so you see, coupled with this idea of liability shift, also the focus around using procurement authorities to try and drive, for instance, the software providers that are selling to the federal government to kind of attest to conformance with a framework like the SSDF.
Software makers need to be taking appropriate steps to ensure that
their products are built safe and secure. That's Steve Kelly. He's special assistant to the
president and senior director for cybersecurity and emerging technology at the National Security
Council staff. What we've experienced in the past is that building a complex software product like an operating system, for instance, is incredibly cumbersome.
It involves an incredible volume of code that's being written and assembled.
Creating secure software is no easy feat.
We recognize that.
But this administration, under the executive order that was signed early on, 14028, doubled down on making sure that we have secure software development practices being used in creating software that the government is buying for its own uses.
And that includes things like some foundational work done by NIST on creating secure software development practices and standards around that.
And then also making sure that we've got transparency into what components are in software. Because a software maker doesn't just write brand new code. Oftentimes, there are components that
are borrowed and adapted from other places, including open source software projects.
And so it's important to make sure that you understand what's under the hood in a software product
and that all the pieces that are in there are being updated and security flaws are being addressed over time.
And so one thing that has been problematic in the past, especially for small users and small businesses, is that when you
purchase a software product, you click through an end-user licensing agreement, which in many cases
waives your ability to seek redress if there's a flaw in the product and it causes a harm.
We want to make sure that the software makers are using all of the industry standard best practices for creating secure products.
And that as a result of that, that would create kind of a liability safe harbor for them.
And so we want to encourage people to use best practices in creating software products from the start.
And to do all the right things to make sure that these products are as secure
as they can reasonably be at the time of their release
and that over time that those products
are being patched and maintained in an appropriate way.
That's the theme behind that section.
And frankly, it's a strong message
and it's caused a lot of interest and concern by some.
And it's kind of an opening of a conversation on how do we make sure that our software products are safe and secure by design and that they are maintained over time.
And that helps to manage.
That's one big piece of managing the nation's risk.
Much more to my conversation with the Chertoff Group's Adam Isles and Special Assistant to the President Steve Kelly in our upcoming special edition on the National Cybersecurity Strategy.
Be sure to look for it this weekend in your CyberWire podcast feed. And I'm pleased to be joined once again by Betsy Carmelite.
She's a principal at Booz Allen Hamilton.
Betsy, it is always great to welcome you back to the show.
One of the things that you take care of there at Booz Allen Hamilton is you are the Federal Attack Surface Reduction Lead,
which is a long way of saying I think you help some of the folks in the Fed and the DOD for
protecting their assets. I want to talk today about zero trust and particularly how the DOD
is coming at that. Let's start off with some basics here. I mean, for folks who may not be
familiar, what are we talking about with zero trust?
Sure, sure.
So we've talked a bit in the past about zero trust and really what it requires.
We're looking at that assume breach mindset.
We're looking at approaching zero trust as a longer journey toward defense and protecting networks. And then also the mindset shift that is required
when adopting a zero trust architecture or reference model.
And so, as you know, we've talked a lot about that
since the executive order was released.
But more recently, let's go back to November 2022
when the Department of Defense
officially unveiled a zero trust strategy and roadmap.
And it laid out how the DoD components should direct their cybersecurity investments and efforts in the coming years.
What are the goals that they've laid out here for themselves?
So there are two types of goals.
There is a targeted zero trust level. So, quote unquote, it's to reach that target level of zero trust maturity over the next five years. And it requires a minimal set of
activities they need to do by 2027. The advanced zero trust level is for the highest level of
protection taking you beyond 2027. And so there are also four strategic goals that come along with that.
The first is zero-trust culture adoption.
DoD information systems are secured and defended.
Technology acceleration occurs.
And then zero-trust enablement and the approach to zero trust
enablement includes 45 separate capabilities organized around seven pillars. Those pillars
are users, devices, networks and environments, applications and workloads, data, visibility and
analytics, and automation and orchestration. Then furthermore, there are 91 activities to get to the targeted zero trust level and 61
advanced level activities. Wow. Well, in terms of this journey, I mean,
what makes this an important milestone along the way?
So I think for two reasons. Many organizations ask those foundational questions such as, what is zero trust and where do I start?
Those questions still are occurring after the EO because it's such a monumental undertaking.
The strategy will go a long way towards helping DoD components to answer those beyond the executive order. And second, the level of
details provided in the breakdown of all of those capabilities and activities really provide clarity
where it previously did not exist. It's truly a path to follow. Do you have any specific examples
you could share? Yeah, so if we look at under the user pillar in one of the zero-trust capabilities,
it's conditional user access.
It has both targeted and advanced levels to achieve.
And so the target state-associated activities are,
there are a couple there, application-based permission and organizational MFA.
The advanced level would require enterprise roles and permissions
and rule-based dynamic access. So the first should be prioritized in the short term.
And then the advanced activities have a longer path according to that DoD timeline.
So why is this the moment for this? I mean, what makes this relevant now and where do you suppose we're headed?
We see adopting a zero-trust strategy as a key step toward defending one battle space.
And I'll explain that one battle space.
We need to see the cyber threat landscape in the same way our adversaries see it. It's one battle space.
And when adversaries devise strategies for digital conflict, they don't view the U.S.
federal government or the defense and intelligence communities, public infrastructure,
private industry as separate targets to our adversaries. We are a holistic target-rich
environment that's one connected battle space. So the pivot to zero trust and the pursuit of
widespread connectivity come now as the U.S. prepares for a potential fight with China or
Russia. And these are powers capable of intercepting military chatter and extracting
sensitive information from systems. And those systems are thought to be secure, but as with
zero trust, the mindset is to assume breach. And then both with zero trust and international
cooperation, they are both foundational to the Pentagon's joint all-domain command and control philosophy.
And that envisions interlinked forces and databases across land, air, sea, space, cyber, all around the globe.
I'm curious, you mentioned the timeline.
How much of this is aspirational and how much does the DOD actually have teeth here that they can enforce a timeline?
Well, I think what's going to be key around enforcing the timeline is measuring the success and putting metrics behind it.
And so we understand the Zero Trust Program Management Office will develop and deploy a metrics-based approach, as do most organizations. But really adhering to those SMART objectives, specific, measurable, achievable, relevant, and time-bound, that can be used to measure goal progress.
I think that's going to make it achievable.
And, you know, just recognizing how each of the components are going to go down this journey by 2027.
I think sharing information back and forth among those components to know where have successes been achieved in that accelerated way and learning from each other in that process.
I think that'll be achievable.
All right.
Well, Betsy Carmelite, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Jerome Segura, senior threat researcher at Malwarebytes.
We're discussing his work,
WordPress Sites Backdoored with AdProd Plugin.
That's Research Saturday.
Check it out.
The CyberWire podcast is a production of N2K Networks,
proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester, with original music by Elliott Peltzman.
The show was written by John Petrik.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.