At a glance.
- The fate and effects of a supply chain compromise.
- Cyberespionage: China, Russia, and North Korea.
- Lessons from a hybrid war.
- Major data breaches.
- CPU vulnerabilities.
MOVEit-connected supply chain issues aren't over.
Reuters puts the tally of organizations breached in ways traceable to MOVEit vulnerability exploitation at six-hundred and counting, and cites experts who say that many more breaches, possibly thousands more, are likely in the future. The Cl0p gang began exploiting Progress Software's MOVEit on May 27th. Progress realized something was amiss and began investigating on May 28th. On May 30th it had learned enough to issue a warning, and on May 31st Progress made a patch available. That exploitation continues illustrates the complexity and interdependence of software supply chains, and the difficulty of getting users to patch promptly and effectively.
2020 Chinese penetration of Japan's defense networks reported.
The Washington Post reports, on the basis of recently obtained information from US and Japanese sources, that in the fall of 2020 the US NSA discovered a major Chinese penetration of classified Japanese defense networks. "The hackers had deep, persistent access and appeared to be after anything they could get their hands on — plans, capabilities, assessments of military shortcomings, according to three former senior U.S. officials, who were among a dozen current and former U.S. and Japanese officials interviewed, who spoke on the condition of anonymity because of the matter’s sensitivity." Reuters says that Japan was unable or unwilling to confirm whether information had been compromised. The incident complicated US-Japanese defense cooperation, especially intelligence-sharing, which has grown closer as China adopts an increasingly assertive policy in East Asia.
North Korean cyberespionage against a Russian aerospace firm.
Reuters reports that North Korean operators have successfully penetrated NPO Mashinostroyeniya, a rocket design bureau headquartered in a Moscow suburb. The apparent industrial espionage wasn't deterred by Russia's attempts to cultivate closer relations with Pyongyang, which it views as a potential supplier of ammunition and other matériel for the war against Ukraine. Pyongyang seems to have welcomed Russia's friendly overtures, but a growing comradely spirit is no match for the advantages the DPRK sees in industrial espionage.
Cyber phases of Russia's hybrid war (as seen by Ukraine).
Victor Zhora, deputy chairman and chief digital transformation officer at Ukraine's State Service of Special Communication and Information Protection (SSSCIP)--effectively Kyiv's cybersecurity lead--said at Black Hat that Russian cyber ops would continue long after the end of kinetic combat. "Russia will continue to be dangerous in cyberspace for quite a long period, at least until a complete change of the political system and change of power in Russia, converting them from an aggressor to a country which should pay back for all they've done in Ukraine and also in other countries," the Register quoted him as saying.
Zhora divides Russian cyber operations into five phases:
- Preparation. This began on January 14th, 2022, with WhisperGate wiper malware deployed against IT infrastructure, and culminated in denial-of-service attacks that included, by Zhora's reckoning, the cyberattack against Viasat services. The influence campaign of this phase sought to induce fear, to get Ukrainians to "expect the worst."
- Disruption. This phase, beginning in late February and continuing through the end of March 2022, was marked by wiper and distributed denial-of-service attacks.
- Targeted attacks against infrastructure. This third phase, beginning in April 2022, saw a lower cyber optempo, but more sophisticated, more targeted attacks against infrastructure, including but not limited to the power grid.
- Cyber attacks coordinated with kinetic strikes. The second half of 2022 was marked by cyberattacks that sought to hit critical infrastructure (especially water and power) while it was stressed by missile strikes. It culminated just before the new year.
- Cyberespionage. The war is currently in this phase, marked by a shift away from destructive attempts and toward collection and cyberespionage.
All five phases have seen influence operations conducted in Russia's interest.
Lessons in resilience from Ukraine's experience of hybrid war.
US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly discussed what the US and others have learned from Ukraine's resistance to Russia's hybrid war. The CISA head summarized what the present war has taught the world about how to build cyber resilience: "Doing the work up front to prepare for a disruption, anticipating that it will in fact happen, and exercising not just for response but with a deliberate focus on continuity and recovery, improving the ability to operate in a degraded state and significantly reducing downtime when an incident occurs." She explained that this will require conscious attention to, first, risk assessment (including the classic elements of vulnerability, likelihood, consequence, and threat), second, resilience planning (which should include realistic testing), and, finally, continuous improvement and adaptation (because the adversary learns and evolves, and the defender must do so as well).
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Charming Kitten collects against Iranian expatriate dissidents.
Germany's BfV security service, the Bundesamt für Verfassungsschutz, warns that Iran's Charming Kitten threat group (also known as APT35, Phosphorus, Newscaster, and the Ajax Security Team) is collecting against Iranian dissidents residing in Germany and elsewhere. Both individuals and organizations are targets. Charming Kitten has been paying particular attention to lawyers, journalists and human rights activists since late 2022 at least.
Data exposure at the Police Service of Northern Ireland.
The Police Service of Northern Ireland (PSNI) has disclosed that the private data of all 10,000 of the force's serving officers and staff were accidentally leaked to the public when an employee made an error in responding to a freedom of information (FoI) request. BBC News explains that on August 3 a member of the public simply asked for the number of officers at each rank and the number of staff at each grade. Instead of simply responding with the requested numbers, a PSNI employee supplied a detailed Excel spreadsheet complete with the officers' names, ranks, and locations, which was then published on a public FoI website. When the error was discovered two-and-a-half hours later, PSNI had the information taken down, but it's unclear who might have seen the data during that window. As CNN notes, the leak is especially troubling because Northern Ireland police are regularly the targets of violence due to conflict over British rule in the region.
UK Electoral Commission breached.
The UK's Electoral Commission issued a public notification of an attack on electoral systems. It's an old incident, identified in October of 2022 and believed to have been in progress since August of that year. Taken in isolation, the Commission thinks the information doesn't pose much risk to individuals, but, of course, combined with other sources of personal data it might. The Commission says it's taken steps to improve security.
Vulnerable CPUs.
Several generations of Intel’s x86 processors are vulnerable to a data leak flaw called “Downfall,” CyberScoop reports. Daniel Moghimi, a computer security expert at the University of California, San Diego, and Google found that an attacker running one application could exploit the flaw to “steal passwords, encryption keys, and other sensitive data” from another application. Intel said in a statement that the attack “would be very complex to pull off” outside of “the controlled conditions of a research environment,” but it did issue firmware updates and advice on mitigation.
AMD processors also exhibit a vulnerability of their own. BleepingComputer reports that all AMD Zen CPUs are vulnerable to a hardware flaw that "can leak privileged secrets and data using unprivileged processes." Researchers at ETH Zurich discovered the flaw and created an exploit called "Inception" that "creates an infinite transient loop in hardware to train the return stack buffer with an attacker-controlled target in all existing AMD Zen microarchitectures."
The US Cyber Safety Review Board reports on Lapsus$.
The US Cyber Safety Review Board released the findings of its inquiry into the Lapsus$ Group this week. A group of teenagers used "simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs," and were able to compromise about forty well-resourced organizations. "The Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication." The full report offers recommendations on how this kind of threat might be better managed.
Patch news.
Adobe has released patches for thirty vulnerabilities affecting Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020, SecurityWeek reports. Adobe states, “These updates address critical, important, and moderate vulnerabilities. Successful exploitation could lead to application denial-of-service, security feature bypass, memory leak, and arbitrary code execution.”
Microsoft has issued patches for thirty-three products, SecurityWeek reports. The company also released a “defense-in-depth update” to block the attack chain for an actively exploited Windows Search remote code execution vulnerability (CVE-2023-36884).
For more on Patch Tuesday, see CyberWire Pro.
Crime and punishment.
INTERPOL this week took down the phishing-as-a-service (PaaS) platform 16shop. It wasn't a big crew. Indonesian police arrested "its operator and one of its facilitators;" Japanese authorities arrested another facilitator. The takedown was an international operation that saw INTERPOL cooperate with the Indonesian National Police, the Japanese National Police, and the US FBI. It was also an instance of public-private cooperation. INTERPOL acknowledged support from the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro, and Cybertoolbelt.
INTERPOL also took action against the notorious Nigerian Black Axe criminal cult, known for financial crimes that run to business email compromise, romance scams, inheritance scams, credit card fraud, tax fraud, and money laundering. Operation Jackal, with the cooperation of law enforcement in twenty-one countries, shut down more than two-hundred criminal bank accounts and confiscated more than €2 million (US$2.2 million). It also identified 1110 suspects and was responsible for one-hundred-three collars.
A joint Polish-US operation seized the Lolek bulletproof hosting provider this week. The Record reports that the US Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS) were joined in the action by the Regional Prosecutor's Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.
Courts and torts.
As companies grapple with GDPR compliance, Cooley offers a do-it-yourself estimation guide for those who wish to calculate the fines they might face under the EU's data protection regulations.
Policies, procurements, and agency equities.
US President Biden issued an Executive Order establishing a new national security program regulating tech investments in “countries of concern," with China specifically called out in an annex. The EO focuses on products critical to military, intelligence, surveillance, or cyber-enabled capabilities and covers tech in three tech sectors: semiconductors and microelectronics, quantum information technologies, and artificial intelligence. The White House said, “This program will seek to prevent foreign countries of concern from exploiting U.S. investment in this narrow set of technologies that are critical to support their development of military, intelligence, surveillance, and cyber-enabled capabilities that risk U.S. national security.”
On Thursday the US Department of Defense announced the establishment of a task force on generative artificial intelligence. The task force is charged with "harnessing the power of artificial intelligence in a responsible and strategic manner."
The White House also this week announced plans for federal and private industry initiatives focused on bolstering the digital defenses of K-12 learning institutions. The announcement states that in recent years hackers have increasingly targeted schools, and that eight US K-12 school districts were impacted by cyberattacks in the 2022-2023 school year alone, disrupting school operations and leaking sensitive personal and administrative data.
The US Department of Homeland Security (DHS) announced it will be allocating $375 million to state and local governments through the State and Local Cybersecurity Grant Program (SLCGP). The $1 billion program is in year two of its four-year run and is focused on helping state, local, and territorial governments bolster their cyber resilience in the face of increased ransomware attacks. Cybernews reports that last year, all but two states and territories requested funding, and this year governments have until October 6 to apply for the program.
On Friday of last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released its FY2024-2026 Cybersecurity Strategic Plan, a roadmap for the agency’s cybersecurity mission over the next three years. In alignment with the National Cybersecurity Strategy, the plan highlights three main goals: addressing immediate threats, hardening the terrain, and driving security at scale. CISA explains that the plan aligns “nine objectives to specific enabling measures and measures of effectiveness to drive accountability.” The Executive Summary of the plan states, “As we progress toward these goals, we must embody the hacker spirit, thinking creatively and innovating in every aspect of our work. The ongoing work of CISA’s workforce—our threat hunters, vulnerability analysts, operational planners, regionally deployed cybersecurity advisors, and others—epitomize this collaborative spirit.”
The US National Institute of Standards and Technology (NIST) has been working to update its Cybersecurity Framework (CSF), and the first draft of the CSF 2.0 was released this week, NextGov reports. Perhaps the biggest change is that a sixth pillar, “Govern,” has been added to the document's five initial functions of “Recover,” “Identify”, “Respond,” “Detect,” and “Protect.” Other changes include more clarity about assessing improvements in a system’s cybersecurity, and more emphasis on integrating other guidance documents like the Artificial Intelligence Risk Management Framework and Secure Software Development Framework.
Fortunes of commerce.
Boston-based Rapid7 announced a round of layoffs this week. The Boston Business Journal reports that a "restructuring" will eliminate four-hundred-seventy jobs, which comes to 18% of the company's workforce. The company also plans to close several offices.
TechCrunch reports that the British cybersecurity firm NCC Group, headquartered in Manchester, also announced "a small number" of layoffs as it continues a retrenchment that began in February with cuts of a hundred-twenty-five employees, roughly 7% of its UK and US workforce. How many employees will be affected by this latest round is so far unknown.
Okta plans to enter the Indian market, establishing a new office in Bengaluru.
Labor markets.
An essay in Help Net Security by Jim Broome, President and CTO of DirectDefense, argues that one way of addressing cybersecurity labor shortages is to rethink credentialism. In some respects, he maintains, it's useful to think of cybersecurity as a blue collar trade as opposed to a highly credentialed white collar profession. That doesn't mean it's easy work, simply that the kind of training and development the workforce needs may be more like an apprenticeship than a course of university study.
Mergers and acquisitions.
Deloitte Australia has acquired managed detection and response firm ParaFlare. According to Accountants Daily, "Deloitte said ParaFlare would help offer around-the-clock threat detection, cyber threat intelligence, incident response, recovery, and remediation."
Ohio-based technology consultancy Centric Consulting has acquired The Mako Group, a cyber risk management firm headquartered in Indianapolis.
Palo Alto, California-based zero-trust security company Rubrik has acquired data security posture management platform provider Laminar.
New Zealand-based technology solutions provider Theta has acquired cybersecurity consultancy Cybersmart, Reseller News reports.
Check Point, headquartered in San Carlos, California, announced a definitive agreement to acquire security service edge (SSE) shop Perimeter 81 for about $490 million.
Investments and exits.
San Francisco-based cyber risk platform provider Resilience has raised $100 million in a Series D round led by Intact Ventures and Intact Insurance’s underwriting companies, with participation from Lightspeed Venture Partners, General Catalyst, and Founders Fund.
Palo Alto, California-based application security company Endor Labs has raised $70 million in a Series A round from a "group of investors including Lightspeed Venture Partners (LSVP), Coatue, Dell Technologies Capital, Section 32, and over 30 industry-leading CEOs, CISOs, and CTOs." The company says the funding "will help Endor Labs create effective application security programs that don’t impose a productivity tax on developers."
San Francisco-headquartered autonomous security company Horizon3.ai has raised $40 million in a Series C round led by Craft Ventures, with participation from Signal Fire. The company says the funding "will be used to build out Horizon3.ai’s enterprise-wide, proactive security platform, expand channel and partner presence and meet the growing demand of customers worldwide."
Mountain View, California-headquartered application security posture management firm Tromzo has raised $8 million in an oversubscribed seed round led by Venture Guides, Alumni Ventures, and Uncorrelated Ventures, with participation from existing investors.
Dropzone AI announced a $3.5 million seed round led by Decibel Partners, with participation from Pioneer Square Ventures Fund. Dropzone specializes in the development of autonomous AI security agents.
Sweet Security, based in Tel Aviv, has raised $12 million in a seed round, the investment led by Glilot Capital Partners, with participation by CyberArk Ventures and a group of angel investors.
New York-based security awareness training startup Jericho Security has raised $3 million in a pre-seed funding round led by Era, with participation from Lux Capital, FoundersXFund, MetaLabs, Alcove, Textbook, Alumni Venture Group, and Thorntree. According to VentureBeat, "The funding from the pre-seed round will be used to expand Jericho Security’s product offerings, grow its team and scale its operations globally."
Egyptian cybersecurity firm Buguard has raised $500,000 in a seed round led by A15, with participation from angel investors, TechCabal reports.
Kivera has announced a $3.5 million seed round as it enters the US market and moves its headquarters from Sydney to New York. The funding came from General Advance, Round 13 Capital, and several angel investors. Kivera specializes in mitigating cloud security risks.
Virginia-based HushMesh has raised $5.2M, Technical.ly reports. The startup specializes in automated encryption key management.
Pistachio, formerly CYBR, headquartered in Oslo and specializing in defense against AI threats, has announced a €3.25M funding round, Arctic Startup reports, led by Signals Venture Capital.
Palo Alto-based identity-security shop Veza has received strategic investments from Capital One Ventures and ServiceNow Ventures that bring the company’s total financing to $125 million.
Data security posture management firm Symmetry Systems, based in San Mateo, California, has raised, SecurityWeek reports, $17.7 million in an insider funding round.
San Francisco-based Rootly, which offers an "enterprise-grade incident management platform," has raised $12 million in a Series A round led by Renegade Partners, with participation by Google Gradient Ventures and XYZ Ventures.
Osano has closed a $25 million Series B round led by Baird Capital, with participation by Jump Capital, LiveOak Venture Partners, Next Coast Ventures, TDF Ventures, and First Ascent Ventures. Osano, based in Austin, Texas, offers a data privacy platform.
For more business news from the cyber sector, see CyberWire's Pro Business.
And security innovation.
The AI Cyber Challenge, AIxCC for short, will be led by the Defense Advanced Research Projects Agency (DARPA). The goal of the challenge is to “leverage advances in AI to invent the next generation of cybersecurity defenses for today’s digital society.” It’s a public-private partnership. DARPA will be working with Anthropic, Google, Microsoft, OpenAI, the Linux Foundation, the Open Source Security Foundation, Black Hat USA, and DefCon to run the challenge. The first round of applications is due next month. The White House issued its own announcement of the challenge as well, lending the program high-level support.