CyberWire Daily - White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.

Episode Date: March 22, 2022

White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. New Conti affiliate described. Android malware “Facestealer” described. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding “extremism” and “Russophobia” in Meta’s platforms.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/55

Selected reading.
Russia's hybrid war with Ukraine: strategy, norms, and alliances (The CyberWire)
Statement by President Biden on our Nation’s Cybersecurity (The White House)
FACT SHEET: Act Now to Protect Against Potential Cyberattacks (The White House)
Statement from CISA Director Easterly on Potential Russian Cyberattacks Against the United States (CISA)
Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 (The White House)
Statement from Secretary Mayorkas on Cybersecurity Preparedness (US Department of Homeland Security)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email… (eSentire)
New Phishing toolkit lets anyone create fake Chrome browser windows (BleepingComputer)
New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (The Hacker News)
Arid Gopher: Newest Micropsia Malware Variant (Deep Instinct)
Spyware dubbed Facestealer infects 100,000+ Google Play users (Pradeo)
Okta confirms investigation into potential breach (The Record by Recorded Future)
Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories (Computing)
Russian War Report: Meta officially declared “extremist organization” in Russia (Atlantic Council)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The White House warns of large-scale Russian cyberattacks, browser-in-the-browser attacks, a new Conti affiliate is described, Android malware Facestealer,
Starting point is 00:02:12 Microsoft and Okta investigate possible Lapsus$ attacks, Arid Gopher is out in the wild, our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity, Joe Carrigan wonders if we can't just get rid of passwords once and for all, and advancing censorship by finding extremism and Russophobia in Meta's platforms. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 22, 2022. The U.S. is directly warning that large-scale Russian cyberattacks against American and other Western targets are likely.
Starting point is 00:03:11 Russia says it's not going to happen. NBC News quotes Kremlin spokesperson Dmitry Peskov: “The Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry.” Most others are not so sure. President Biden yesterday issued a general warning to U.S. organizations that intelligence suggests a coming Russian cyber campaign. Quote, “This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience.
Starting point is 00:03:49 I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we've imposed on Russia alongside our allies and partners. It's part of Russia's playbook. Today, my administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks,” end quote. An accompanying fact sheet stresses the importance of familiar best practices and offers an aspirational set of longer-range policy prescriptions. A brief statement from the U.S. Cybersecurity and Infrastructure Security Agency indicated that CISA would rapidly share information and mitigation guidance to help organizations on how to protect their networks, and that they should report anomalous cyber activity and/or cyber incidents to report@cisa.gov or to an FBI field office. The U.S. administration hasn't said in detail what the evolving intelligence was showing.
Starting point is 00:04:59 Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said at a media briefing yesterday that more had been shared with sectors most directly at risk. She said, quote, “You've seen the administration continuously lean forward and share even fragmentary pieces of information we have to drive and ensure maximum preparedness by the private sector. So, as soon as we learned about that, last week we hosted classified briefings with companies and sectors who we felt would be most affected, and provided very practical, focused advice.” End quote.
Starting point is 00:05:34 The briefings and warnings issued yesterday were intended to raise that broader awareness and to raise that call to action. She added, quote, “There's no evidence of any specific cyber attack that we're anticipating. There is some preparatory activity that we're seeing, and that is what we shared in a classified context with companies who we thought might be affected. And then we're lifting up a broader awareness here in this warning,” end quote. So there's more than a priori possibility underpinning the warning, but the threat remains in a preparatory phase.
Starting point is 00:06:10 Browser-in-the-browser attacks, or BitB attacks, are being observed in the wild, BleepingComputer reports. BitB attacks use pre-made templates to create fake but realistic Chrome pop-up windows that include custom address URLs and titles that can be used in phishing attacks, creating fake browser windows within real browser windows to create convincing phishing attacks. The technique is thought to be readily scalable, and it should be expected to have a popular run in the criminal-to-criminal markets. eSentire reports finding a new Conti affiliate engaged in two operations. Quote, “The speed and efficacy of both the intrusion actions
Starting point is 00:06:52 and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors. Customization choices include legitimate certificates, non-standard CS ports, and malleable command and control.” End quote. theft of Facebook credentials, and say it's affected about 100,000 users. Google is purging Facestealer from the Play Store. The principal vector has been an application, CraftsArt Cartoon Photo Tools, that makes connections to a Russian server. As Microsoft continues to investigate an apparent attempt on some of the company's Azure DevOps source code by the Lapsus$ group, Okta discloses that it's investigating the possibility that it too may have come under
Starting point is 00:07:51 attack by the Brazilian gang. Deep Instinct describes a new member of the Micropsia malware family. They call it Arid Gopher. They note that it's written in Go and say that it's operated by APT-C-23, Arid Viper, a threat group interested mainly in Middle Eastern targets. And finally, Reuters reports that a Russian court has officially found that Facebook's corporate parent, Meta, was guilty of extremist activity, and thus its operations in Russia will be severely curtailed. Facebook and Instagram are out, but WhatsApp can stay, for now. In its defense, Meta argued that not only was it not extremist, but that it was in fact opposed to Russophobia, but the court foreseeably
Starting point is 00:08:40 found otherwise. There's no word on whether Meta will appeal, but doing so would seem to be an exercise in futility. Once a Russophobe, always a Russophobe, especially if a Moscow court says you're the one. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:21 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:16 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Swathi West is healthcare and privacy manager at Barr Advisory. She earned a master's degree in aerospace engineering
Starting point is 00:11:02 before pivoting to healthcare privacy and compliance. I recently spoke with her about taking a seat at the table and mentoring the next generation of cybersecurity professionals. I mentor a couple of women from women in cybersecurity organizations. It is amazing, and they come from different facets of life. They do come from different careers. And we always have these discussions, right? I'm not able to discuss in a team meeting what I want to say. So I think having that seat at the table, I know that's emerging. Everyone's talking about that, having a CISO chair at the board meetings to having a say at a team meeting, right? I think
Starting point is 00:11:41 women inherently, we have that imposter syndrome where like, oh, we're not good enough. So I think we do still struggle with that. And I think, you know, opening up and having those leaders to be like, hey, what do you think? Taking a step back and be like, hey, what do you think? Or do you have anything to say? Like, that's how we bring in different perspectives to the table. And that's how we can grow as an organization or just the world in general. So I think helping each other, I would say. So I totally agree. I think that stats are a little bit scary, but I do see with at least the women I talk
Starting point is 00:12:15 to, they do still have that. Oh, I don't think I'm good enough. I mean, no one's good enough, right? Everyone's learning. Everyone's Googling what's happening in the world. So I think it is more of like being in that leadership, just taking a step back and be like, hey, what's your perspective that you bring into the table? So I think thinking about that would really help in this time of need. What's your own personal experience?
Starting point is 00:12:36 When you were transitioning from engineering to security and privacy, did you find people welcoming? What was your own personal journey there? Yeah, yeah. So I started, like I said, aerospace. I looked for jobs. And then United Health Group is where first I started my career. And with the security and everything like that, I learned, like I said, in the job itself. But it was scary. I'm not going to lie, because when we did audits, I was an auditor then, used to go ask all these questions. But I moved to Cardinal after the whole auditor side of things, and I actually learned how much it goes into security. It is so hard. I mean, we don't bring in any revenue. It's kind of a different mindset, right? Oh, you're just wasting money sitting on the table or something like that.
Starting point is 00:13:28 So that changed from 2015. There was a struggle first in my career to be like, hey, no, this is important, right? I mean, a penetration test is important or a scan is important or we have to do certain things. Timeout's important if you're in the healthcare industry. So from that to 2022, I mean, healthcare data is the most expensive data that's out in the world. And you see there are more data breaches that are out in the world. I mean, Colonial Pipeline, you see Kronos that happened recently. So everything that's happening changed the tone. So I would say initially, when I first started my career in cybersecurity,
Starting point is 00:14:01 there was a lot of learning, there was a lot of teaching that went into it. But now I think there's a lot of acceptance in the world. Like, yes, this is important. We have to do certain things because, you know, we create that panic. We created a lot of panic when Colonial Pipeline happened. So they know, everyone knows that it's important. It's just not breaches, like not affecting an organization. It's going to affect everyone. So I think for security professionals now, there's a lot of understanding that happened. So it took a while for me, but now I think we're in a space that everyone accepts this is important and we have to do the right thing for everyone else in the world. What's your advice for that young woman who's coming up through college or maybe someone
Starting point is 00:14:43 who's older and considering a career change, do you have any words of wisdom there to encourage them to hang in there? Yes. I always go by this. The one thing I tell is don't be intimidated. I'm sure even a CEO or CIO or CTO, they'll still have to learn something. Everyone's always learning. So don't be intimidated to take that first step. And it is not as old traditional way of like thinking it's a ladder.
Starting point is 00:15:12 It is a jungle gym, like Sheryl said in her book, Lean In. So I would say, just if you have an opportunity, take it, learn. And there's so many other certifications or self-learning, just knowing the terms, right? Knowing those terms helps. And my first job, I did a lot of learning before the job or interviews to just learn what's going on in the world, just talking about a breach. And if you're interested in that and be like, why did this happen, right? That curiosity. So that's what I would say to all these young women or anyone changing career, just have the curiosity to learn and you'll succeed. That's Swathi West from Barr Advisory.
Starting point is 00:16:25 Thank you. suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting story came by.
Starting point is 00:17:05 This is from Wired, written by Lily Hay Newman, and it's titled, A Big Bet to Kill the Password for Good. Oh, we can hope. I know. So what's going on here, Joe? So the FIDO Alliance is saying that they have an idea here. The FIDO Alliance is a large alliance of companies. FIDO stands for Fast Identity Online.
Starting point is 00:17:29 Yeah. And the idea is we're going to get rid of passwords and essentially just use cell phones for authenticating people to their devices. Hmm. Or to their accounts, rather, not to their devices. So because cell phones are so ubiquitous
Starting point is 00:17:44 and they have all these security features built into them now, the secure enclave, the processors that are capable of doing these cryptographic algorithms, why not leverage that to make a secure way to log on that doesn't involve passwords? So we've reached the point now where, thanks to all those things, again, the ubiquity of these devices, also the fact that they have biometric capabilities. Yeah, that's right. Big thing is, for example, I have a Microsoft Authenticator on my phone. When I log into my Microsoft account, my personal Microsoft 365, the home and business account, a home and student,
Starting point is 00:18:24 that's what it is. I don't use a password to authenticate to that. I use my Microsoft Authenticator app to get access to my Microsoft account. And they essentially say, we're about to send you a code on your phone. And on my phone, there's a code. And before I can access it, I have to push my thumbprint, put my thumbprint on this terrible Google Pixel 6 fingerprint reader. Okay. I don't know why they changed it.
Starting point is 00:18:53 The one in the Pixel 3 was so much better. This one's awful. But you digress. But I digress, right. Once I've authenticated biometrically, I can enter the right code, and I'm into my Microsoft account. Right. There has been no password exchanged. Yeah, yeah. And it's great. I mean, when it works, it works great. I'm similarly, you know, if I have the opportunity to
Starting point is 00:19:12 enable like Face ID, which I use, I use an iOS device. I'm all in on that. You know, it strikes me as being secure enough, but boy, is it convenient. Yeah. And Face ID is actually a really, really good biometric authentication device. Yeah. I mean, it doesn't just take a picture of your face and see if that's you, right? See if it matches some model that it has. It has two cameras. It takes a 3D image of your face, right? It checks to make sure that there's a pulse flowing through your face. Yeah. It actually does that. I mean, that's one of the things it looks for by examining the red part of the spectrum that comes through.
Starting point is 00:19:52 And then it authenticates you. So you can't make a 3D model of somebody's face and show it to the camera. That won't work. You can't use it on a dead person. That won't work either. Right. There's all kinds of different,
Starting point is 00:20:08 oh, and it does a lot of checking on eye movement as well. Yeah, yeah. It's remarkable. All these things are great, you know, but I've said my piece on this show and on Hacking Humans about biometrics.
Starting point is 00:20:19 So I won't go into that and bore everybody with that again. But it's interesting. This article also talks about how this data is kept in the cloud, right? And it's secured on the cloud. It's encrypted. So when you need to get access to it, you have access to it.
Starting point is 00:20:32 Right. You get a new device or you lose your phone or it's damaged or something like that, it's relatively easy to get up and running again. Right. The one concern I have about this is that it shifts the focus to the iCloud account, right? So if I can trick you out of your iCloud account, I can get access to a lot of stuff that you have. Well, I don't know how Face ID works, but like the biometrics on this phone, I just got this Pixel 6 a couple months ago. Yeah. And when I had to set up my biometrics on here, it wasn't, oh, we have your biometrics on file.
Starting point is 00:21:04 Let's see if they match. It was, let's go ahead and set up new biometrics for you, Joe, because this is a new sensor. So physically, it's a different device and needs me to reenter it. So that information is not stored in the cloud. It's stored in the device, I think. Yeah, yeah. Same thing, yeah.
Starting point is 00:21:20 I mean, like on iOS devices, it's in the secure enclave, so it doesn't go to the cloud. Like your actual biometrics don't go there. Right. And that's probably by design. Yeah, absolutely. And it's probably a good design decision as well. But it doesn't stop somebody from getting access to your Google or Apple account and then setting up biometrics and then having the secure enclave on the phone say, yep, these biometrics are good.
Starting point is 00:21:42 Yeah. What do you suppose the transition is going to look like here, though? If indeed we're going to move away from passwords, there's going to be a transitional period. And if there's one thing we know, it's how people feel about change. Yeah. They hate it. Yeah. Here's what I'd like to see: passwords be listed as a deprecated authentication means, right? Like we do in software development, when we have an old function or method in a library that's no longer used anymore, that gets marked as deprecated, right? Which means it goes on your to-do list of stop using that, start using the new one. Right.
Starting point is 00:22:20 And do that with this authentication means, right? Get rid of your password and change to this new FIDO standard and be on board with it because we're deprecating passwords. Right. We're going to give you escalating warnings over time.
Starting point is 00:22:35 Right. That time's running out. New accounts, when they set up, they have to use the FIDO device, right? Or the FIDO standard. So our new accounts don't even give you the option of going with the password. Yep.
Starting point is 00:22:50 Alright, well it's an interesting article. Again, this is over on Wired, written by Lily Hay Newman, talking about this new white paper that the FIDO Alliance has put out. Joe Carrigan, thanks for joining us. My pleasure, David. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:23:30 Our amazing CyberWire team is Liz Irvin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:24:45 Learn more at ai.domo.com. That's ai.domo.com.
