At a glance.
- National Cyber Force will impose costs.
- Children's privacy protections in social media.
- US State Department re-establishing cyber bureau.
- Update: SVR's software supply chain campaign.
UK government plans to hack the hackers.
Sir Jeremy Fleming, director of Britain’s signals intelligence agency, announced that the UK plans to use its newly established National Cyber Force to go on the offensive with ransomware gangs. Gizmodo explains that the cyber force will effectively “hunt” these cybercriminals, hacking into and disabling the groups’ servers in order to disrupt their operations. Fleming explained, “The reason [ransomware] is proliferating is because it works...criminals are making very good money from it and are often feeling that [it’s] largely uncontested.” The announcement comes on the heels of reports that the US used a similar strategy to hack the servers of the REvil cybergang, responsible for this year’s massive attack on software company Kaseya.
Australia and US focus on children’s data privacy rights.
Australia announced on Monday that it plans to require social media platforms to obtain parental consent for all users under sixteen, Reuters reports, and failure to comply could result in multimillion-dollar penalties. If passed, the draft legislation, called the Online Privacy Bill, will put Australia among the toughest countries when it comes to protecting the data of minors on social media. Attorney-General Michaelia Cash stated, "We are ensuring [Australians'] data and privacy will be protected and handled with care... Our draft legislation means that these companies will be punished heavily if they don't meet that standard."
Meanwhile, stateside, executives from YouTube, TikTok, and Snap appeared at a hearing yesterday where the social media platforms’ child privacy efforts underwent scrutiny from the US Senate Commerce Committee’s consumer protection panel. Bloomberg explains that the hearing comes in the wake of the Facebook Papers, leaked documents which revealed that the social media giant was putting profits ahead of the privacy rights of its users, including minors. Now other platforms are left with the obligation to prove that they’re not doing the same. In his opening remarks, subcommittee co-leader Richard Blumenthal explained, “Being different from Facebook is not a defense. What we want is not a race to the bottom, but really a race to the top.” TikTok, which has faced allegations that it shares its data with the Chinese government, detailed the child protections it has implemented recently, which include disabling the direct messaging feature for young users, prohibiting certain videos, photos, and web links, and the removal of 11 million suspected underage accounts from April to June 2021.
US State Department creates new digital policy bureau.
CNN reports that the US State Department will this week re-establish a new bureau focused on cyberspace and digital policy. Secretary of State Tony Blinken announced the intentions in an email sent to department employees yesterday: “This structure will provide us with greater leadership and accountability to drive the diplomatic agenda with the interagency and abroad, and build on the extraordinary work that is already taking place across the Department.” The bureau will have three main areas of concentration: international cybersecurity, international digital policy, and digital freedom, State Department spokesperson Ned Price said on Monday. The department also plans to appoint an envoy focused on critical and emerging technology.
More comment on SVR's software supply chain campaign.
As we noted yesterday, Microsoft has determined that the threat group responsible for the SolarWinds incident, Nobelium (a.k.a. APT29 and Cozy Bear), is continuing to launch supply chain attacks, this time focusing on technology services companies including cloud services providers. The Russia-linked cybergang is apparently unintimidated by the Biden administration’s efforts to hamper its activities, as Mandiant’s vice president of intelligence analysis John Hultquist told The Hill: “They have intelligence requirements that they are tasked with fulfilling, and they are unlikely to be deterred from doing that, that’s their job.” SecurityWeek reports that Mandiant has detected downstream targets in North America and Europe, and the research firm offers suggested remediation strategies for entities that might be in the cybercriminals’ crosshairs.
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, sees the challenge of software supply chain attacks as a case of the abuse of legitimate services:
"Supply chain attacks continue to make headlines in 2021 and it seems that Nobelium continues to be a common thread. It all started when the Nobelium hacking group compromised the distribution systems for SolarWinds’ Orion IT network management platform, followed by a spear-phishing email campaign that Microsoft alerted to in May of this year. Now, the threat actor is relying on spray-and-pray credential stuffing and phishing to steal legitimate credentials and gain privileged access by attacking resellers and technology service providers that customize, deploy and manage cloud services.
"Earlier this year, the Biden administration reacted to supply chain attacks by releasing the ‘Executive Order on Improving the Nation’s Cybersecurity’ that contains language with the purpose of securing the U.S. federal government’s software supply chain. The executive order leverages supply chain security as part of a broader effort to modernize the U.S. federal government’s cybersecurity and requires that federal agencies adopt zero-trust architecture and uphold this new security model by implementing security best practices such as encryption and MFA. This was a step in the right direction toward protecting and defending organizations from such attacks, but there are steps organizations must take themselves.
"These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection. Traditional email security solutions will not protect them against these sophisticated attacks. In response, organizations need to upgrade their email security posture with a solution that’s capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses, and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay."
Saryu Nayyar, CEO of Gurucul, expects no let-up in Russian cyberespionage:
“Not content with resting on its laurels in the wake of the largely successful SolarWinds attack, Russian state actors have been pursuing further attacks on US tech companies, as well as government agencies and think tanks. While relatively few of these attacks have succeeded, even one success is too many.
“Every organization, no matter what their purpose, has to do a better job of protecting their assets. You can’t rely on ‘security by obfuscation’ or security by cloud providers if you’re serious about keeping attackers out. A program of data collection and analytics, coupled with real-time risk assessment, is the only way to protect yourself against threats.”
Josh Brewton, vCISO at Cyvatar, is unsurprised by Russia's failure to live up to the undertakings it agreed to concerning norms of conduct in cyberspace:
“Russia’s broken promises should come as no surprise. Adversarial countries continue to make empty promises, all while funding offensive operations around the globe. With this, there has been an exponential increase of attacks attempted by nations and their state-sponsored counterparts over the last year. It has become abundantly clear there are alternative methods to traditional warfare to destabilize economies and administrations alike.
“The U.S. attempts to remedy deficiencies within the Defense Industrial Base (DIB) by enforcing new or increased forms of compliance, namely, the Cybersecurity Maturity Model Certification (CMMC). The CMMC no longer allows organizations to operate as part of the DIB with glaring vulnerabilities masked with the promise of getting fixed. You will need to become certified and maintain the required level of security or cease your operations with the government.
“While this covers a large swath of organizations, it leaves the question of those with no direct relationship with the government. The private sector vulnerability will start to be corrected by the increased use of vendor risk management and basic security requirements baked into contractual agreements between organizations. Few can afford to have a security breach occur within their organization or any organization they do business with. The increased pressure in the private sector between partners will drive a simple choice: comply with the required security baseline or experience client churn and the loss of future clients.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, sees this form of supply chain compromise as simply an instance of continuing to play a winning hand:
“When cybercriminals find an attack method that works, they stick with it. So it’s not surprising that the Nobelium threat group, which was responsible for the massive SolarWinds supply chain attack last year, is continuing to target downstream customers through their service providers in order to inflict maximum damage. Rather than exploiting vulnerabilities or security flaws, the group is now using methods such as credential stuffing, phishing and API abuse to gain access to systems.
“The good news is that organizations can help prevent these kinds of attacks by implementing security best practices including enabling MFA and minimizing access privileges. To accomplish this rapidly and effectively, however, it's crucial to have a robust and automated third-party security management program in place to assess supply chain partners, close cyber gaps and continuously monitor for any issues.”