CyberWire Daily - Updated mitigations for ProxyNotShell. Lloyd’s investigates cyber incident. Killnet hits US state government sites. Election security. Credential theft. Verdict in Uber breach case.
Episode Date: October 6, 2022

Microsoft updates mitigations for ProxyNotShell. Lloyd's of London investigates a suspected cyberattack. Killnet hits networks of US state governments. The FBI and CISA weigh in on election security. Credential theft in the name of Zoom. Tim Eades from Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl. The former security chief at Uber was found guilty in a case involving data breach cover-up.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/193

Selected reading.
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center)
Microsoft updates guidance for ‘ProxyNotShell’ bugs after researchers get around mitigations (The Record by Recorded Future)
Microsoft Updates Mitigation for Exchange Server Zero-Days (Dark Reading)
Microsoft updates mitigation for ProxyNotShell Exchange zero days (BleepingComputer)
Lloyd's of London investigates possible cyber attack (Reuters)
Insurance giant Lloyd’s of London investigating cyberattack (The Record by Recorded Future)
Russian-speaking hackers knock US state government websites offline (CNN)
Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting (FBI and CISA)
FBI: Cyberattacks targeting election systems unlikely to affect results (BleepingComputer)
Zoom: 1 Phish, 2 Phish Email Attack (Armorblox)
Former Uber Security Chief Found Guilty of Obstructing FTC Probe (Wall Street Journal)
Former Uber security chief convicted of covering up 2016 data breach (Washington Post)
Uber’s Former Security Chief Convicted of Data Hack Coverup (Bloomberg)
Former Uber Security Chief Found Guilty of Hiding Hack From Authorities (New York Times)
Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover Up (SecurityWeek)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Microsoft updates mitigations for ProxyNotShell.
Lloyd's of London investigates a suspected cyber attack.
Killnet hits networks of U.S. state governments.
The FBI and CISA weigh in on election security.
Credential theft in the name of Zoom.
Tim Eades from the Cyber Mentor Fund on the move to early stage investing in times of war and recession.
Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl.
And the former security chief at Uber was found guilty in a case involving a data breach cover-up.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 6th, 2022.
Microsoft has updated its mitigations for the two Exchange Server zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082, that have been exploited in ProxyNotShell attacks.
Dark Reading describes the motivation for the updates. Researchers had determined that the mitigations in their initial form would be too easy for attackers to bypass.
The major insurance marketplace Lloyd's of London is investigating what it believes may have been a cyber attack on its networks. Reuters quotes Lloyd's terse statement.
There's no attribution yet, and indeed not much information about the nature of the attack, but Reuters and The Record note that Lloyd's has been a prominent supporter of sanctions against Russia during the present war. The Record observes, "Lloyd's representatives would not say if it was a ransomware attack or explain who may have been behind the incident. It has been one of the most notable supporters of sanctions against Russia since the country's government decided to invade Ukraine earlier this year."
So suspicion of a Russian cyber attack is in this case a matter of a priori probability, of speculation informed by track record and imputation of motive. On the other hand, absence of evidence isn't evidence of absence either. But in this case, it's too soon to tell.
Another story clearly does involve Russian operators. Killnet, the Russian hacktivist group, nominally independent but obviously acting on behalf of Moscow's security services, has knocked some U.S. state government services offline, CNN reports. Colorado, Kentucky, and Mississippi at least were affected, with some services sporadically rendered unavailable yesterday in DDoS attacks. Kentucky's Board of Elections was one of the sites disrupted. The story is still developing, but the effects of the attacks don't seem to have risen above a nuisance level. Killnet has hitherto been best known for conducting DDoS attacks against lightly defended targets in European countries Russia deems too friendly to Ukraine.
The U.S. FBI and CISA have issued a public service announcement stating that cyber activity is unlikely to disrupt or prevent voting in the U.S.
The statement reads, "As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information. Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes."
The Bureau and CISA reassure the public that measures are in place to ensure the integrity of the vote against potential cyberattacks. Their advisory states, "The public should be aware that election officials use a variety of technological, physical, and procedural controls to mitigate the likelihood of malicious cyber activity, things such as phishing, ransomware, denial of service, or domain spoofing, affecting the confidentiality, integrity, or availability of election infrastructure systems or data that would alter votes or otherwise disrupt or prevent voting."
Their advisory says, "Given the extensive safeguards in place and distributed nature of election infrastructure, the FBI and CISA continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected."
Bleeping Computer notes that the most pressing threat to elections are influence operations, especially influence operations on social media. That's a threat of a different kind, however, not a threat to counting the vote or ensuring that ballots cast are properly registered and tallied.
Armorblox released a blog today detailing a credential phishing attack impersonating Zoom. Researchers report that the attack had a socially engineered payload that bypassed Microsoft Exchange email security and targeted over 21,000 users before Armorblox stopped the attack. The phishing email said that there were two unread messages to be checked on Zoom, with a malicious link for the call to action button, as well as a malicious link for the unsubscribe button. The call to action button, if clicked, would lead to a fake landing page that appeared to be a Microsoft landing screen. Victims were prompted to enter their Microsoft account credentials to view the messages.
This attack leveraged a well-known brand's identity in order to harvest credentials, utilizing Zoom's legitimate logos and branding to instill a sense of trust. It's worth noting it did not involve any compromise of Zoom itself. The hackers also used social engineering, such as the email title and design, to induce a sense of urgency. The attack bypassed all Microsoft Exchange email security measures and used a valid domain that received a reputation score of trustworthy, with only one infection reported in the past 12 months.
And finally, former Uber security chief Joe Sullivan has been found guilty of covering up a 2016 data breach as well as concealing information on a felony from law enforcement, SecurityWeek reports. The month-long trial resulted in a verdict that could put Sullivan in prison for up to eight years, a maximum of five years for the obstruction charge and a maximum of three for a misprision charge. The New York Times reports that it took more than 19 hours to reach a verdict in the case for the jury of six men and six women.
David Angeli, an attorney for Mr. Sullivan, comments with disappointment on the verdict, stating, "While we obviously disagree with the jury's verdict, we appreciate their dedication and effort in this case. Mr. Sullivan's sole focus in this incident and throughout his distinguished career has been ensuring the safety of people's personal data on the Internet."
Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments that Mr. Sullivan "took many steps to keep the FTC and others from finding out about it. This was a deliberate withholding and concealing of information."
It's thought unlikely that the sentence will be anything close to the maximum, but it's a striking sign of how seriously federal authorities are taking cases related to data breaches.
After the break, Tim Eades from the Cyber Mentor Fund on the move to early stage investing in times of war and recession. Our guest is Nick Lumsden from Tenacity Cloud on cloud infrastructure sprawl.
Stay with us.
Data storage is cheap, it's fair to say.
And these days, as organizations move more and more of their business to the cloud, often making use of multiple cloud providers, it's easy to understand the challenge of keeping tabs on all that data. Nick Lumsden is CTO and co-founder at Tenacity Cloud, and he provides insights on preventing cloud sprawl.
Cloud sprawl is the unintentional expansion of infrastructure over time. And it especially becomes a problem as changes increase, which has happened just due to infrastructure turning into software. So changes that used to be quarterly or monthly have now become, 20 years later, dozens or hundreds of changes a day, sometimes thousands in really sizable organizations. And also we've opened up the number of people that can make changes. It used to be in the hands of someone who was a deployment manager or someone who administered a system. And now it's, if you write software, like myself, you can be making changes all the time via the software, because infrastructure is now code and it's now a part of the software. And this has resulted, you know, that expansion of responsibility and, you know, kind of take time dilation into effect there. And you end up with resources that are deployed and infrastructure that just continue to linger long after they were useful, or sometimes they weren't even useful, they were a mistake. And they just sit out there as an attack surface on and on and on forever and ever.
Do we have a certain amount of empathy for folks who find themselves in this situation?
Of course, because I'm one of those folks. You know, 25 years in managing infrastructures, writing software. If there's a mistake to be made, I've made it. I've definitely created data sprawl in organizations where we were doing data analytics. And suddenly there's terabytes of data that's replicated and forgotten about. Even if it's secure, if you're not paying attention, that's a problem. Make effort to go clean that up. And I totally empathize with the pace of change and also, frankly, that there's just not enough folks to do the work and to meet the demands of most organizations. I can honestly say, in IT or in technology, I have yet to meet the person that is paired with exactly the amount of work that needs to get done in a given day. It's usually twice as much or more, and they're trying to pick what the priority is.
So what's the fundamental issue here? I mean, how should folks come about getting their arms around this?
Well, I think there's a couple of things to consider. First of all is understanding that over time, this problem gets a whole lot worse. And so when you start your cloud journey, whether you're starting, you're in the middle of, or you've already transitioned and you're now living in the cloud, at all points in that journey, it's important to sort of get your arms around this issue, though maybe there's different approaches in each of those scenarios. It's not about just the human element of, we need to have the engineer go clean it up. There's so many hands in that pot and there's so many more important things for them to do, really making sure that we have tooling to help us with it. Whether that's being on the path towards DevOps, which helps turning infrastructure into code and keeping it consistent, that's one way. It doesn't do the whole thing, whole trick, but it's one way. But also having platforms that help you discover what's going on inside your environment, actually looking at utilization, understanding what's been disassociated to the environment, what's no longer being utilized, what's been abandoned or orphaned from its original use. Just understanding that can start to learn the context of an app and really understand all the components, all the assets, and give the user indication as to, hey, you should go look here. Or even go insofar as to say, hey, let me auto-optimize this for you. Let me inject into your dev channel what needs to be cleaned up. So I think there's a number of approaches you can take.
Certainly, we at Tenacity are working on this problem. We look at the problem of optimization in the cloud as kind of a core issue. And we pull in the metadata about cloud environments, analyze them, and try to get really, really, really smart, and smarter and smarter every day, about what sorts of indicators there are that the infrastructure is out of use and needs to be optimized, in order to help the world both to optimize your cloud and reduce attack surface, but it also helps optimize cost. It's a win-win-win all the way around.
Are there any common elements that you see with organizations that have a handle on this that are doing things right?
So it depends on what scale the organization is at. Those organizations that are at scale, the enterprise and upper mid-market, they likely have an initiative that's driven from executive level. And they may even have teams built around this that are focused on the optimization puzzle, focused on the security footprint from an attack surface perspective, that really understand cloud, really understand security ops and fin ops and how the two come together. And so there's a concerted effort there. And you're going to see them leveraging AI tools, analytics tools, tools that are really going to help them do better in their business. And Tenacity is one of those tools.
At the mid and smaller market, when you look at those organizations that are still trying to get to scale, or maybe are startups that are moving quickly, it's about getting your arms around this problem early on and knowing what key metrics you need to watch before it gets out of control. I can tell you that every organization we've ever deployed into has had places, has had room for optimization. In some of the most egregious, they were spending five and six figures a month on infrastructure that was just laying around. And they couldn't believe it when it was found or when it was detected. It was no way, there's no way that's happening. And of course, it was happening and it was cleaned up and the environment was made safer, more secure, and better optimized. But there just wasn't a key metric around, say, QA or dev resources. Why has their budget quadrupled over the past year? That would be a key indicator that there's some sprawl going on.
That's Nick Lumsden from Tenacity Cloud.
And I'm pleased to be joined once again by Tim Eades. He is the co-founder of the Cyber Mentor Fund and CEO at vArmour. Tim, it's always great to welcome you back.
Great to be here, Dave.
You know, these are certainly interesting times on the global stage as we look at a war and the possibility of recession. How does that affect the investors out there? How do they look at this sort of thing?
That's a great question. It's amazing. Last year, obviously, valuations reached crazy high numbers in security, particularly in private companies where the valuations and the multiples were off the charts. I think the right place to go at that time was to go, it's a bit like the opposite in politics. When valuations go crazy high, we go crazy low. Cyber Mentor Fund has invested in 29 companies over the last three years or so. And we believe in the crazy guy that wants to start something new that has incredible domain permission, that's curious and kind. And we will lean into those young emerging startups because they want to break out, the legacy tools are showing their age, and they want to do something different. And so those are the people that we've been investing in over the last few years, because as these valuations get completely carried away and they raise so much money, hundreds of millions, 200 million, 300 million on a round of funding, which is essentially like a private IPO. My orientation is always to lean into the young, up-and-coming startup, do what you can to help mentor and provide guidance and get these new technologies to market so that we can better secure the country, better secure the enterprises within it, and give these entrepreneurs a better chance of success.
And so, yeah, it got out of control with the valuations last year. And I think even this year, it's been a little bit like whiplash. At the RSA show earlier this year, everybody was doom and gloom. But in the last few weeks, you've seen crazy valuations come back with Talon raising 100 million and stuff like that. It's like on a Series A. So there's so much money floating around in the investor community still. I think good discipline is always required. But in times like these, you should go low. You should help these young early stage startups, and seed is a better place to be. Seed and Series A.
What's your advice for those people who are looking to make a splash, for that person who thinks they have that great idea that's going to help make the world a better place in this environment? Are there any specific things they should be doing to make themselves more attractive to investors like yourself?
Another great question. Yeah, I think we invest in people early on and teams early on with domain expertise. You know, understanding your domain expertise, whether it's industrial controls or authentication or understanding how mainframes roll over and fail over. Whatever it may be, the domain expertise of the founders is absolutely critical. The passion and the knowledge of that is, you just can't build a company without that. And so that's the biggest one. Lean on that. Be articulate about that. Understand what the problem is that you're trying to solve in industry. Make sure that doing nothing is not an option for the customer, that they can't just sit there and do nothing. Focus on a meaningful problem. Focus on a growing problem that they have incredibly good and deep domain permission for, that when you talk to a customer, they have to do something about it. And by doing that, you lean into the right VCs, such as Cyber Mentor Fund that does this early stage mentoring, and you will always get funding in that scenario.
You know, we've seen some stories come out that there have been a number of companies who have been going through some rounds of layoffs. How concerning is that to you? How do you read that?
I don't think that's concerning at all. I think you have to tighten your belt. You have to understand your burn rate, your cash runway. And I think managing to that is a really smart and shrewd thing to do. I think frugal companies always go further. So it doesn't concern me at all. I think it's healthy, to be really honest. Because we don't know how long the war in Ukraine is going to happen, what's going to happen with China and Taiwan. We don't know how long it will take to get control of inflation. So, yeah, tighten your belt, be frugal, lean in, look after your customers, and you'll be fine.
All right. Well, Tim Eades, thanks for joining us.
Thanks, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.