CyberWire Daily - Unmasking the xzploitation.
Episode Date: April 1, 2024

The xz backdoor sets the open source community back on its heels. AT&T resets passwords on millions of customer accounts. Researchers track a macOS infostealer. Poland investigates past internal use of Pegasus spyware. The latest Vultur banking trojan grows trickier than ever. We note the passing of a security legend. On our Solution Spotlight, N2K President Simone Petrella talks about “Bits, Bytes, and Loyalty: How to Improve Team Retention” with Yameen Huq of the Aspen Institute. A ghost ship trips Africa’s internet.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Solution Spotlight, N2K President Simone Petrella talks about “Bits, Bytes, and Loyalty: How to Improve Team Retention” with Yameen Huq of the Aspen Institute.

Selected Reading
What we know about the xz Utils backdoor that almost infected the world (Ars Technica)
AT&T resets account passcodes after millions of customer records leak online (TechCrunch)
Info stealer attacks target macOS users (Security Affairs)
Poland launches inquiry into previous government’s spyware use (The Guardian)
Vultur banking malware for Android poses as McAfee Security app (Bleeping Computer)
Ross Anderson, professor and famed author of ‘Security Engineering,’ passes away (The Record)
A Ghost Ship’s Doomed Journey Through the Gate of Tears (WIRED)
Swapping scripts nightmare. (N2K)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life
JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Crew 8 arrives at the International Space Station.
The sky is no longer the limit.
What goes up must come down?
Space race heats up.
Whoa, whoa, whoa, whoa, whoa.
Hang on. Stop, stop.
Wait a minute.
Wait a minute.
Liz, why am I talking about the space race heating up?
Oh, my God.
We have the wrong script.
Dave, this is the wrong script.
It's the wrong script.
We mixed up the T-Minus and the CyberWire scripts.
This is the worst case scenario.
Hang on.
I can fix this.
Okay, no problem.
Just take your time.
That is a lot of typing just to move one folder into another folder.
Liz, is everything okay?
Yeah, um, this thing is broken.
I can't fix this.
I think we need to bring in the T-minus people.
All right, well, here, I'll just call Maria.
Hey, Maria, we seem to have mixed up scripts.
Yeah, I kind of noticed that.
Well, I can move the T-minus script over to the right folder,
and maybe you can move the CyberWire script over to the right folder on your side.
Brilliant, that works.
All right, have a great show. Thanks for your help.
Ta-ta, talk to you soon.
All right, Liz, I think we have it figured out.
Hang on, I almost got it.
Just one more second.
No, Liz, I really think we got it.
Can we just, uh, let's take it from the top
and start the music over again.
Uh, yeah, yeah, okay.
Yeah, I think you're right, actually.
Um, the magic has been restored.
The XZ backdoor sets the open source community back on its heels.
AT&T resets passwords on millions of customer accounts.
Researchers track a macOS info stealer.
Poland investigates past internal use of Pegasus spyware.
The latest Vultur banking trojan grows trickier than ever.
We note the passing of a security legend.
On our Solution Spotlight, N2K President Simone Petrella talks about "Bits, Bytes, and Loyalty: How to Improve Team Retention" with Yameen Huq of the Aspen Institute.
And a ghost ship trips Africa's internet.
Today is April 1st, 2024.
I'm Dave Bittner, and I'm no fool.
This is your CyberWire Intel briefing.
Heading into this past weekend, revelations began to spread about an unknown party exploiting the liblzma compression library, also known as XZ,
which forms a critical component of the OpenSSH toolkit used to remotely manage millions of servers worldwide.
This manipulation of XZ didn't stem from a flaw in OpenSSH itself,
but rather from a makeshift solution adopted by certain Linux distributions to facilitate its integration with systemd, an orchestration service.
The exploit began to unfold in October 2021,
when a new contributor, ostensibly named Jia Tan,
with no discernible digital footprint prior,
began making significant contributions to the XZ library.
This development came at a crucial time as Lasse Collin, the project's sole maintainer,
was reportedly struggling with health issues and finding it challenging to keep up with the maintenance demands.
The arrival of Jia Tan, therefore, appeared to be a timely boon.
However, the subsequent appearance of several accounts,
likely sock puppets,
applying pressure on Collin to cede control,
hints at a premeditated plan
to infiltrate and manipulate the project from within.
By early 2023, it appears Collin relented,
paving the way for Jia Tan to spearhead the project's maintenance.
This transition culminated in February 2024,
with Jia Tan stealthily embedding a backdoor within one of the build scripts of XZ.
Preliminary analyses suggest that this backdoor specifically targeted
the pre-authentication cryptographic functions of OpenSSH,
introducing a master-key-like vulnerability that potentially
allowed attackers to gain unauthorized access to any server running the compromised versions of XZ.
The subtlety and sophistication of this backdoor suggest a level of expertise and patience
uncommon among ordinary hackers or even dedicated cybercriminals.
This was not the work of a hobbyist looking for a quick thrill or a hacker seeking instant gratification.
This exploit took multiple years to successfully deploy.
The meticulous planning, execution, and subsequent efforts
to distribute the compromised XZ library across various Linux distributions
indicate a professional operation, likely state-sponsored.
The discovery of this backdoor by Andres Freund,
a Postgres developer at Microsoft,
reportedly occurred almost serendipitously.
Freund was investigating unrelated SSH latency issues
when he stumbled upon the minor bug introduced by the backdoor code,
a flaw that ultimately led to the scheme's unraveling.
This incident has sparked a broader discussion on the vulnerabilities inherent in the open-source
software ecosystem, particularly concerning the relationships between unpaid maintainers
and the commercial entities that benefit from their work.
Critics argue that the exploitation of XZ underscores the exploitative dynamics at play,
with open-source maintainers often left unsupported
despite their contributions to critical infrastructure and software dependencies.
However, the issue may be more nuanced.
Many foundational open-source projects developed decades ago by individual enthusiasts don't require frequent updates beyond occasional bug fixes.
This stagnation can lead to a disengagement, not just from the maintainers but from the broader community, including corporate entities that rely on these projects.
Proposals have emerged from within the tech industry,
suggesting enhanced governance models for open-source projects,
including mandatory code reviews, succession planning, and service-level agreements.
Still, such measures might not address the root of the problem,
a sophisticated threat landscape that individual maintainers or governance reforms cannot adequately counter. The XZ backdoor incident illustrates a critical counterintelligence
challenge, one that likely falls within the purview of governments and major corporations
equipped with extensive surveillance and threat detection capabilities.
As the open-source community grapples with the implications of this breach,
it's clear that the response cannot simply be to demand more from maintainers.
Instead, the onus is on the corporations and governments
that benefit from open-source software
to invest in the resources and infrastructure needed
to protect against sophisticated cyber threats.
This involves not only monitoring and vetting critical dependencies,
but also developing advanced detection capabilities
that can anticipate and neutralize threats
before they compromise the digital ecosystem.
AT&T has reset millions of customer passcodes
after a leak of data containing encrypted account passcodes
was reported by TechCrunch. The leaked data, dating back to 2019 or earlier, affected around
7.6 million current and 65 million former AT&T account holders. This action follows a claim of
a data breach involving 73 million records, which AT&T had previously denied.
The data includes sensitive customer information such as names, addresses, and social security
numbers. Security researcher Sam "Chick3nman" Croley demonstrated that the encrypted passcodes
could be reverse-engineered using surrounding personal information found in the leaked dataset.
AT&T has launched an investigation and plans to contact affected current and former customers.
Researchers at Jamf Threat Labs have uncovered macOS-targeting infostealer malware distributed via malicious ads and rogue websites.
One notable attack involved a sponsored ad misleading users
searching for the Arc browser to a fake site, which only opens via a sponsored link to evade detection.
The site offers a download for Arc containing malware signed ad hoc to bypass Gatekeeper
warnings. This malware variant, akin to Atomic Stealer, uses XOR encoding to avoid detection and targets login credentials, credit card details, and crypto wallet data.
Another attack enticed victims with direct messages, posing as individuals wanting to schedule meetings via a fraudulent site.
Similarities between these stealers and previously documented ones suggest a focused effort to exploit macOS users,
especially within the cryptocurrency sector, for financial gain.
Poland has initiated an investigation into the previous government's use of Pegasus spyware,
following revelations of its deployment against opposition figures and potential misuse by officials.
The inquiry, led by the new Justice Minister Adam Bodnar, aims to identify those targeted and explore legal actions, including financial compensation. Pegasus, known for its capability
to infiltrate mobile phones and access encrypted messages, has been implicated in surveillance activities across
various countries. The investigation comes after the Civic Platform Party, victims of the alleged
spying, gained power. The Parliamentary Commission is set to delve into the extent of Pegasus's use
and its legality amid concerns over the judiciary's awareness of the surveillance tool's capabilities
and the potential for systemic abuse in surveillance approval processes.
A new version of the Vultur banking trojan for Android exhibits advanced remote control features
and enhanced evasion techniques.
Initially spotted in 2021, Vultur has evolved using dropper apps on Google Play for distribution.
It now employs a sophisticated infection chain involving smishing and deceitful phone calls,
tricking victims into downloading a trojanized McAfee security app containing the malware.
This version introduces capabilities like file management, misuse of accessibility services, app blocking,
and deceptive notifications, alongside improved stealth through encrypted communications
and payload decryption mechanisms. Researchers emphasize the malware's rapid development
and advise Android users to download apps exclusively from reputable sources
and scrutinize app permissions to prevent
infections. Ross Anderson, a renowned professor of security engineering at the University of
Cambridge and an influential figure in computing, passed away late last week. Known for his extensive
research in fields like machine learning, cryptographic
protocols, and hardware reverse engineering, Anderson's contributions have left a significant
mark on the academic and engineering communities. He was a recipient of the British Computer
Society's Lovelace Medal in 2015 and authored multiple editions of the seminal textbook
Security Engineering.
Renowned for his advocacy for privacy and security, as well as his commitment to education,
his passing is a significant loss for the community.
I had the pleasure of interviewing him for our Research Saturday program back in November of 2021.
May his memory be a blessing for all who knew and loved him.
Buy hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
On our latest Solutions Spotlight, our own N2K president, Simone Petrella,
speaks with Yameen Huq of the Aspen Institute about "Bits, Bytes, and Loyalty:
How to Improve Team Retention."
So, Aspen Digital, which is a program under the Aspen Institute,
just recently published a new paper, and it's called "Bits, Bytes, and Loyalty:
How to Improve Team Retention."
Now, before we get into the real meat and bones of the study,
this study is the result of work with the U.S. Cybersecurity Group.
Can you tell us a little bit about that group,
what it is, and how that group contributes?
It's an awesome group, right?
It's a mix of folks from predominantly industry,
but also from civil society as well.
You know, your think tanks, universities, et cetera.
What it basically is, is a cross-section of experts who we regularly consult with
on the research that we do, right?
So, you know, we put out papers regularly.
In this case, we're talking about
the workforce development and retention paper.
Just right before this,
we had a paper come out on AI and cybersecurity from a scenario
planning perspective that was also developed with our collaboration with the U.S. group
as well.
So that's kind of the focus of the group there.
So, you know, right now we consulted with this group, but also more specifically, we
have a subset of talented individuals that we call the Education and Workforce Coalition.
So those discussions are really what fed the ultimate outcome of this paper.
Now, what inspired the team to research and write on cyber talent and workforce, you know, attrition and retention at this particular time?
You know, these discussions began, you know, over a year ago.
And, you know, as with any of our papers, we're very exploratory in the beginning, right?
We look at a couple of different options as to where we see the, you know, if think tanks
have something that we can call market demand, right?
Where, you know, where can we help, you know, our broader community?
There was a lack of focus on retention specifically.
And what that means is, A, convincing your best especially to stay,
but also being it, you know, worth your while too, right? Being able to upskill and upgrade
their talents accordingly, making sure you can have them be as productive as they can be when
they work on your team. You know, in our initial discussions with our working group and the surveys
that we put out into various organizations, we really found that like that was kind of the missing piece. And being able to articulate, you know, why is retention such a problem in the
cybersecurity industry? And what we can do to address the underlying issues is a key way that
we can contribute to solving this problem. Yeah, that's a great point, since we certainly know we
spend so much time focusing on the gap and how we get more people into the field, but we spend less time sometimes thinking about how do we keep them?
How do we kind of like give them a career journey and a path? What are some of the key findings in
this study for those who may not have had a chance to read it yet? Yeah, absolutely. So I'll take you
kind of a high-level overview and, you know obviously, I encourage every listener to read the paper as well. So,
you know, really, a high level, right? What is the problem? Why did we write the paper in the
first place, right? And it's workforce retention. And I think I'll give two specific stats that we
found in our research, which is that 70% of the, you know, folks in a survey have said that they
have talent shortages, right, due to various reasons. But two of the key ones highlighted are workload and burnout, right?
And the second stat I'll give that kind of compliments that also is that there's a large number of people who just leave not only their companies,
but the cybersecurity field more broadly, right?
So there's over 30% of folks surveyed are talking about, you know, I'm thinking about leaving the field entirely, right?
And that's a huge, you know, it's a huge waste of, like, potential, right? These people can contribute
a lot, especially if we give them the right, you know, training and education that they need to be
able to do that. And then there's the fact that often in a lot of places the opportunities aren't high
enough either. It's one of those things where, like, if you don't invest enough, it's almost kind of
worse than, like, not investing at all in a weird way, right?
Because if you give them a little bit of talent and then they decide that you're not actually putting enough into them, then they'll dip.
And then you've kind of lost what little you've put in in the first place, right?
So there's a bit of a, you got to, like, really commit to workforce development as a project for your company as opposed to, like, a hobby or a side thing.
Yeah, and what I think is really interesting also about this study
is that you don't just point to the problems,
but you come up with,
the group has really proposed
some not only recommendations specifically
that employers and organizations can look to employ
to boost the retention of their workforces,
but you also outline some of the benefits
of kind of investing in those types of activities.
What are some of the,
do you have to human highlight
some of the recommendations
that seem to be the most kind of biggest bang
for lowest buck, or what would those be?
Yeah, absolutely.
So I think, you know,
we highlight these recommendations
and I think we did a pretty good job of listing out some specific details as well.
Right. That's still like what we saw in industry, too.
So if I had to highlight a couple, I would say, you know, better benefits.
Right. And what that means is, you know, obviously people hear that a lot of people just think like, oh, like boost salaries and like nothing against that.
Right. I don't think anyone will complain about a salary increase.
And I think that's a critical part of that compensation package.
But also, you know, additional benefits in the space of, you know, educational opportunities,
right, to be able to upskill, pursue both internal and external certifications.
Wellness programs that really offer flexibility for families, right?
Things like child care and things like that, that would really help, you know,
not only make the employees' lives easier,
but also help them bring their full self
to the workplace more easily.
And then lastly, the third one I would highlight
is communication, right?
In any successful workforce development
or retention program,
you need to have well-designed spaces for feedback, right?
And there's not like a magic way to do it.
I think every company is going to have their own focus, but obviously surveys can be a big part of that, especially if you have a
particularly large organization, but also, you know, office hours and things like that too.
And the last thing I'll add to that piece there is that communications has to have action,
like linked to it. So that's kind of the high-level solutions.
That brings up another great point. What are the benefits of kind of taking and implementing some
of these recommendations? And what do employers, like what will they get out of, what's the return
on their investment if they take some of these recommendations and put them into action?
And is it something that they were seeing that there is some desire to get behind?
Yeah, absolutely. So to me, like, whenever we work on any paper, it's for my thinking has always been like, let's appeal to like people's self-interest, right? So what we found in our conversations is
very specific, you know, tangible benefits to doing this kind of work, right? Obviously,
there's the aspect that you save money, right, from a cost perspective.
If people leave, you have to replace them, you have to spend more time, you know, training and upskilling. In a lot of cases, it takes quite a while before someone even generates enough value
to offset that cost, right? So you want to be able to make sure you do that. The second is obviously
like these kinds of growth opportunities, especially the ones around education, they
improve people's productivity, right?
So you're also getting more out of your team.
So being able to create that environment is very critical too.
Really what this gets at is not just the improvements in productivity, but also resilience, right?
Your organization will be more nimble if you're able to create these kinds of programs that help employees operate more effectively.
But to be clear, because you said this point at the beginning, you have to kind of make a concerted investment in actually doing it and doing it right.
The reason I point that out, because I think about how many companies and employers I've spoken to and worked with over the past
where they say, well, we got feedback from employees.
We saw that the satisfaction survey was very low.
They said they didn't have access to training.
So like we just said like, hey, we're going to give everyone a stipend.
And then we don't track or encourage or direct like how it's used.
It just becomes like, hey, we think we answered what you wanted because we threw money at
the problem, but we didn't actually kind of provide any direction along with it.
Is it fair to say like that's a good step,
but that's probably not kind of getting to where you guys are recommending?
No, that's a great point.
You know, my own experience kind of comports with this, right?
Like when you're consulting for projects in cybersecurity, especially in this space, you always provide like a very clear roadmap about how to implement these changes in a thoughtful way, right?
And clients that don't do that will end up feeling like, well, like this isn't getting me what I wanted.
And it's like, well, you didn't do the right things in the first place, right?
So it's on you.
You know, in our paper at the very end, we actually highlight, right, like what constitutes a good program.
And we do that from both an abstract perspective and a concrete one.
You have to be able to track these things to be able to understand whether or not they're working.
You can find a link to the Aspen Institute's report in our show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
And finally, we have the unlikely tale of the Rubymar, a seemingly inconspicuous cargo ship,
which became the centerpiece of a significant cybersecurity saga.
As told by Wired, back in February, the ship fell prey to a missile attack in the strategic Bab al-Mandeb Strait,
orchestrated by Iranian-backed Houthi rebels. After the attack,
the Rubymar, now crippled and crewless, was left to the mercy of the sea currents.
The vessel's trailing anchor turned into an instrument of cyber destruction when it damaged three critical internet cables laid on the sea floor. This damage resulted in a significant drop
in internet connectivity,
affecting millions of users from the shores of East Africa to the bustling cities of Vietnam.
The story of the Rubymar serves as a cautionary tale about the vulnerabilities of our global
connectivity and the need for vigilance and protection against both conventional and
unconventional threats. The incident not only disrupts internet service, but also presents a complex puzzle involving maritime navigation,
international politics, and cybersecurity, illustrating the challenges of safeguarding
critical infrastructure in an increasingly interconnected world. Undersea cables,
anchors dragging through them, sharks gnawing on them, submarines tapping into them.
Where's Aquaman when you need him?
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.