At a glance.
- Suspected Discord papers’ source arrested.
- CISA Updates its Zero Trust Maturity Model.
- Cozy Bear sighting.
- Patch news.
- Crime and Punishment.
- Courts and Torts.
- Policies, procurements, and agency equities.
- Mergers and acquisitions.
- Investments and exits.
- Research developments.
Suspected source of leaked US intelligence has been arrested.
Airman 1st Class Jack Teixeira was arrested at his home yesterday in connection with his alleged role in the leak of classified information over Discord. The 21-year-old cyber transport systems specialist is, or was, assigned to the Massachusetts Air National Guard's 102nd Intelligence Wing at Otis Air National Guard Base on Cape Cod. An Airman 1st Class is a junior enlisted rank, an E-3, the equivalent of a US Army Private First Class or a US Navy Seaman. The New York Times observes that how Airman Texieira obtained access to the range of classified information he's alleged to have shared under his nom-de-hack OG with the even younger members of his Discord Club remains unclear. The investigation continues, and according to Reuters Discord is cooperating with the authorities. For further information regarding the Discord Papers see, The CyberWire Pro.
CISA updates its Zero Trust Maturity Model.
CISA yesterday updated its Zero Trust Maturity Model, including recommendations from public commentary and increasing the government’s zero trust capabilities. This updated model is said to provide “a gradient of implementation” across the pillars, which allow for the advancement of zero trust architecture within agencies. The five pillars are: “Identity, Devices, Network, Data, and Applications and Workloads.” Chris Butera, Technical Director for Cybersecurity at CISA, said “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.” For more on CISA's Zero Trust Maturity Model see, The CyberWire Pro.
Cozy Bear sighting.
CERT Polska, Poland's cybersecurity authority, warns that APT29, the unit of Russia's SVR foreign intelligence service that's also tracked as Cozy Bear and NOBELIUM, is actively pursuing diplomatic targets in many nations, principally NATO members. The campaign's goal is espionage, and its approach is spearphishing. "In all observed cases, the actor utilised spear phishing techniques. Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts. The correspondence contained an invitation to a meeting or to work together on documents. In the body of the message or in an attached PDF document, a link was included purportedly directing to the ambassador's calendar, meeting details or a downloadable file." Polish authorities recommend that organizations implement configuration changes to protect themselves from Cozy Bear's ministrations.
Russia, Ukraine Disinformation.
Russia's attempts to normalize the occupation and annexation of Ukrainian territory continue. "On 5 April 2023, Russian President Vladimir Putin chaired a full session of Russia’s Security Council, the first such event since October 2022," the UK's MoD reported Sunday. "The main report was presented by Interior Minister Vladimir Kolokoltsev, and discussed reconstruction, law enforcement and public order in the illegally-annexed areas of Ukraine. The choice of Kolokoltsev as the main speaker is likely an attempt by the Kremlin to portray the situation in those territories as being normalised. In reality, much of the area remains an active combat zone, subject to partisan attacks, and with extremely limited access to basic services for many citizens."
The Russian cyber auxiliary KillNet claimed it had conducted a massive attack on NATO infrastructure last weekend. It claimed responsibility for alleged DDoS attacks on various organizations in the energy grid on its Telegram page. Along with the DDoS attack it also published a list of usernames and passwords for two Nato commands on its website. KillNet wrote “The personnel are using super secret passwords: the incredibly complex - 123456, and the more complex 12345678.” NATO commented the following “We are currently experiencing Denial of Service attempts against a number of NATO websites, and our experts are responding. NATO’s classified networks are not affected and there is no impact on NATO operations.”
The Atlantic Council offers some context for reports of Russian public opinion about the war. It's difficult to gauge. "A ruthless clampdown has made it increasingly difficult and dangerous for dissenting voices to be heard. Nevertheless, opposition figures continue to question the true levels of public backing for the invasion, while insisting that large numbers of Russians are either opposed or indifferent. The real situation within Russian society is certainly far more complex than the Kremlin would like us to believe, but today’s suffocating atmosphere means there is little reason to expect an increase in visible anti-war activity any time soon." The piece assesses support for President Putin and his war as broad, but more tepid than Moscow represents it. There is a prominent minority of ultra-nationalists, represented most obviously by the milbloggers. Within the armed forces, themselves, however, morale is seen as shaky. For information on Russia’s continued disinformation campaigns see, The CyberWire Pro.
Patch news.
Patch Tuesday came and went and it brought a myriad of vulnerability patches. FortiNet released 21 vulnerability advisories, Siemens and Schneider Electric patched 38 vulnerabilities, Adobe patches 56 vulnerabilities, Apple and Microsoft rolled out their latest security updates, and CISA has issued another round of advisories. SecurityWeek wrote on Patch Tuesday itself (April 11th) Siemens and Schnieder electric patch 38 vulnerabilities with Siemens patching “CVE-2023-28489, a critical vulnerability affecting Sicam A8000 series remote terminal units (RTUs), which are designed for telecontrol and automation in the energy supply sector.” Onapsis reported on 24 SAP security patches writing “SAP Business Client now supports Chromium version 111.0.5563.65 which fixes seventy-one vulnerabilities in total, including two Critical and thirty-two High Priority vulnerabilities. More information for Patch Tuesday, see The CyberWire Pro.
Crime and punishment.
A distributed denial-of-service (DDoS) attack interrupted the availability of Canadian Prime Minister Trudeau's official website for a few hours this week. According to IT World Canada, "The attack appears to have been timed to coincide with the government’s meeting today with Ukrainian Prime Minister Denys Shmyhal." Service was restored by 2:00 PM ET on Tuesday.
Monday Microsoft and the University of Toronto's Citizen Lab announced the discovery that a hitherto little-remarked Israeli firm, QuaDream, which Microsoft characterizes as a "private sector offensive actor (PSOA)," has been selling its surveillance platform to governments in Europe, North America, the Middle East, and Southeast Asia. The company amounts to a cyber mercenary operation, in Microsoft's view, and it sells both services and tools to its government customers.
Courts and torts.
A group of nurses in Oregon is suing the Chicago based CommonSpirit Health alleging that the company underpaid them as a result of the company’s ransomware attack last year. The Wall Street Journal writes that “Payments to around 2,000 nurses and other staff members at the two Oregon hospitals were affected by the cyberattack, said Richard Myers, an attorney from law firm Bennett Hartman Attorneys at Law LLP who represents the nurses.”
The Wall Street Journal reported that the U.S. Department of Commerce is considering an enforcement action “under its online-security rules against Kaspersky Lab, a Russian cybersecurity company that has long faced accusations of posing a threat to the U.S., according to people familiar with the matter.” Separately, American Banker reports that “Carrie Tolstedt, Wells Fargo's former head of its community bank, entered a "not guilty" plea at an arraignment hearing on Friday.” Tolsted is being accused in federal court for obstructing a bank examination because she “failed to disclose to federal bank examiners the number of Wells Fargo employees who had been fired or resigned for opening millions of bank accounts without customer authorization.”
Policies, procurements, and agency equities.
CNN reports that Sarah Huckabee Sanders, the Governor of the US state of Arkansas, has signed a bill requiring social media sites to verify a user’s age and if they are under 18, require consent of a parent or legal guardian. This follows a related bill passed last month in Utah that comes after widespread criticisms of social media access and impacts continue to mount. “While social media can be a great tool and a wonderful resource, it can have a massive negative impact on our kids,” said Sanders at a press conference prior to the bill’s signing.
Rob Joyce, head of the US National Security Agency’s (NSA) Cybersecurity Directorate, spoke at CrowdStrike's Government Summit yesterday, and during his address he emphasized the dangers of artificial intelligence. While he acknowledged that AI can not yet single handedly carry out cyberattacks, the tech can make human-led attacks faster and more destructive. He said that machine learning and chatbots are "the tools that are going to flow and increase the pace of the threat. It's not going to generate the threat itself." However, he notes, AI tech can also be used in much the same way by the good guys to defend against attacks. Alluding to NSA’s plans to capitalize on the positive aspects of AI, he stated, "So for the next year we are going to be very focused: what tools come out that will... give us the advantage as defensive folks."
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA) also spoke at the CrowdStrike Government Summit Tuesday, and she announced that the agency plans to release its secure by design principles this week. CyberScoop notes that an important tenet of the US’s recently released national cybersecurity strategy is placing more responsibility on larger tech companies by urging them to incorporate cybersecurity principles into their products at the design stage.
Mergers and acquisitions.
Networking giant Cisco has announced plans to acquire Israeli cloud security company Lightspin, CRN reports. "Cisco and Lightspin together will be able to meet their shared goal of helping customers modernize their cloud environments with end-to-end security and observability, from build to runtime," said senior vice president of engineering for emerging technologies and incubation at Cisco, Vijoy Pandey. The financial details were not disclosed, and this acquisition follows Cisco's earlier acquisition of another cloud security startup, Valtix.
Cradlepoint, part of Ericsson, has announced its acquisition of cloud security platform provider Ericom Software. The company said that the acquisition of Ericom's technologies will enable Cradlepoint to launch their "Cradlepoint NetCloud Threat Defense cloud service, expanding the company’s mobile-capable and router-integrated SASE and zero trust portfolio of solutions for fixed-site, remote worker, in-vehicle and IoT use cases."
Investments and exits.
Decision and intelligence solutions company Quantexa has raised $129 million in Series E funding, the company reports. The funding round was led by GIC, with investments from prior investors Warburg Pincus, Dawn Capital, British Patient Capital, Evolution Equity Partners, HSBC, BNY Mellon, ABN AMRO Ventures, and AlbionVC. This investment for the London-based company, now valued at $1.8 billion (which puts them at unicorn status), comes on the heels of their acquisition of Dublin-based natural language processing (NLP) and AI provider Aylien. “After closing our Series D investment round, Quantexa has been on a transformational journey, accelerating the growth of our global software business and firmly establishing our leadership position in the emerging Decision Intelligence category. In a challenging market we have doubled our ARR, our user base, and continue to penetrate new markets and industries. This infusion of capital will fuel further innovation, diversification, and expansion, and opens exciting options for our future," said Vishal Marria, chief executive of Quantexa.
Cybereason, an advanced detection and response provider for enterprises, has raised $100 million in funding from SoftBank Corp, Security Week reports. The funding, the company says, will be used for worldwide growth, as well as further development on their XDR, EDR, and EPP solutions. For more investments and exits news, see the CyberWire Pro.
Research developments.
In this week's research news, Unit 42 released a report on April 5th about a new malware campaign using a malware they call CryptoClippy. The campaign which targets Portuguese speakers “aims to redirect cryptocurrency away from legitimate users’ wallets and into wallets controlled by threat actors instead.” Sam Sebetan, an independent cyber security analyst working with CISA (the US Cybersecurity and Infrastructure Security Agency), posted his discover of "a series of critical vulnerabilities in Nexx’s smart device product line." Check Point is tracking a new strain of ransomware called “Rorschach,” which “is one of the fastest ransomware observed, by the speed of encryption.” Proofpoint's report last week on Winter Vivern (also known as TA473) described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926 to gain access to Zimbra-hosted webmail portals from with the threat actor can gain access to NATO organizations involved with support for Ukraine. And finally, Sysdig reports a wave of proxyjacking against devices vulnerable to Log4j exploitation for remote code execution. For a deeper look into this week's developments in cyber research, check out the CyberWire's Pro Research Briefing.