Codecov may have sustained a supply chain attack. Natanz sabotage update. Big data gangs. Protecting ransomware gangs. Counterretaliation in the SolarWinds affair.
Dave Bittner: Another supply chain incident surfaces. The Natanz sabotage seems to have landed a punch but not a knockout blow against Iran's nuclear program. China's big data gangs and their place in the criminal economy. Tolerating ransomware gangs in Russia? Betsy Carmelite looks at the intersection of 5G and zero trust. Rick Howard is focusing on finance and fraud in the latest season of CSO Perspectives. And Russia's counterretaliation for U.S. sanctions in the SolarWinds affair.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Monday, April 19, 2021. U.S. authorities are investigating an incident affecting the software auditing company Codecov, Reuters reports. It amounts to another potential supply-chain compromise, specifically of the firm's Bash Uploader. BleepingComputer says Codecov became aware of the problem on April 1 when customers notified them that they'd spotted suspicious activity and that attackers seem to have been active since January, when they began stealing developers' credentials. Codecov has published a security update with remediation advice and a history of how the incident unfolded. Quote, "On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script," end quote. The company says it secured and remediated the affected script and undertook an investigation with the support of a forensic firm Codecov brought in. Preliminary results say that, quote, "Beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users' continuous integration environments. This information was then sent to a third party server outside of Codecov's infrastructure," end quote. Codecov says three categories of data and services are potentially affected. Once more, quote, "Any credentials, tokens or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed, any services, data stores and application code that could be accessed with these credentials, tokens or keys and the git remote information to Codecov in CI," end quote.
Codecov recommends that its users reroll all their affected credentials, tokens and keys. Reuters notes that some early reaction has compared the Codecov compromise to the SolarWinds incident. Both represented attacks on the software supply chain.
Dave Bittner: The Jerusalem Post reports that Iran has acknowledged that the explosion at its Natanz uranium enrichment facility, in fact, disabled a large number of centrifuges but also records speculation that the action against Natanz, which is widely held to have been organized by Israel's Mossad, fell short of a knockout blow to Iran's weapons program, which Iran denies having. For its part, Iran says it's got a suspect in the sabotage, which appears to have been a bomb, that their suspect has fled abroad and that they've asked Interpol to track him down. Interpol could not confirm to the BBC that they had the suspect on their fugitive watch list. And with this, we conclude our coverage of the Natanz story, unless some unknown cyber angle should develop.
Dave Bittner: Intel 471 has published a report on the Chinese criminal market for big data. It's large, well-structured and marked by clear organizational hierarchies and division of labor. It's worth noting that this particular underworld does not seem to be thriving with the encouragement or tolerance of the domestic government. Chinese police appear to investigate and arrest gang members and their customers when they can find them. As Intel 471 puts it, quote, "Chinese authorities reportedly adopted measures to crack down on the illegal big-data trade and tighten regulations governing personal data and privacy. A series of regulatory measures regarding internet privacy protection and the security of personal information reportedly was introduced by the Cyberspace Administration of China, in addition to the large-scale crackdown," end quote.
Dave Bittner: What's that? What government would connive with organized crime? Well, many believe the Russian government would. The New Zealand website Stuff has a long account of how Evil Corp and other ransomware gangs operate under the sufferance of the Russian government. Observation of Russophone dark web chatter by the security firm Advanced Intelligence picks up such comments as, Mother Russia will help; love your country and nothing will happen to you. Ransomware can be strategically damaging, and gangs like Evil Corp studiously avoid action against Russia and closely allied targets in parts of the former Soviet near abroad.
Dave Bittner: And finally, as expected, in a customary tit-for-tat, Russia expelled 10 U.S. diplomats over the weekend. It's a counter-retaliation for Washington's expulsion of 10 Russian diplomats last week, Deutsche Welle reports. Baseball fans will recognize an analogy - when their pitcher plunks one of yours, your pitcher is going to throw some chin music in the next inning. This is expected. The U.S. took the action as part of its response to the SolarWinds supply chain compromise, an operation the U.S. intelligence community has attributed to Russia's SVR foreign intelligence service. The Kremlin also expelled three Polish diplomats after Warsaw rejected the same number of Russian personnel on Thursday. Euronews says that Poland ejected the three Russian diplomats in response to what the Polish government characterized as Russia's hostile actions. U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency last week released what they described as samples of Russian malware used in the incident, but Russian authorities continue to maintain, the Moscow Times reports, that the U.S. attribution of the SolarWinds incident to Russia is nonsense.
Dave Bittner: It's entirely possible that both sides of the dispute may take additional action. Russian sanctions wouldn't, as Deutsche Welle reports, have the sort of effect on the U.S. economy that American sanctions would have on Russia's, but that doesn't mean that Moscow is without resources, short of combat and short of hacking. One possible response, the expression of which Deutsche Welle attributes to Fyodor Lukyanov, a foreign policy expert at the Russian International Affairs Council, is closer diplomatic and economic cooperation with China. Lukyanov said, quote, "Closer cooperation with China on coordinating actions to contain the United States will develop more quickly now as the Chinese are interested in that," end quote. In spite of Moscow's economic clout falling short of what Washington can muster, Lukyanov says that Russia has ample capabilities to stimulate changes in the world order. Such cooperation has been under discussion for some months, as both Russia and China have been subjected to U.S. and other Western sanctions in response to state-directed hacking.
Dave Bittner: And it is my distinct pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. Rick, welcome back.
Rick Howard: Thank you, sir. It's good to be back.
Dave Bittner: It's been a couple weeks, and you've got some exciting news that you're bringing with you today.
Rick Howard: Yeah. Thanks, Dave. Here's what's happened. For the last couple weeks, "CSO Perspectives" has been on a hiatus, getting ready for a season five. But I'm happy to announce that the first episode of that season goes out today. And for the entire season, we are tackling an issue that I've been debating with other security executives for well over a decade. Are the - you ready for this? Because it's a good one, right?
Dave Bittner: OK. Bracing myself. Go ahead.
Rick Howard: Yeah, go ahead, hold on - OK? - strap in. So here it is. Are the strategies that security practitioners pursue different because of the vertical they reside in or because the digital environment we are charged to protect is somehow, you know, not traditional, like IoT environments or supply chain arrangements, those kinds of things? In other words - OK? - if we're in the financial vertical or the health care vertical or the - even the energy vertical, is our collection of strategies different? So this episode, we're going to focus on the financial vertical, and we brought in some hundred-pound brain financial experts, all right...
Dave Bittner: (Laughter).
Rick Howard: ...To have a sit at the Hash Table and discuss it with us.
Dave Bittner: Wow. OK. Well, I mean, that's not all. Of course, CSO Perspectives is on the Pro side of CyberWire. So that's our subscription side. So if you're not a subscriber, you won't be able to access it. But you're doing something on the free side today as well.
Rick Howard: Yeah, that's right. So for those of our listeners who have yet to pony up for a CyberWire Pro subscription, you know - and by the way, what are you waiting for?
Dave Bittner: (Laughter) That's right.
Rick Howard: Because, you know, you and I talk about those week after week, and I know that they are feeling intrigued and curious about what we are discussing on the side of the CyberWire offering.
Dave Bittner: Yeah. Well, they're feeling left out. They're feeling left out.
Rick Howard: Yeah, yeah. They feel like they need to, you know, do something, right?
Dave Bittner: Sure. Sure.
Rick Howard: OK. All right, so maybe not enough to plop down their hard-earned cash to get a taste of it. So we have a deal for them. We are releasing episodes from Season 1 starting today on the free side so that they can get a sense of what the podcast is all about. And this first episode is on SASE. And, you know, say it with me, Dave - SASE. You know, I just...
Dave Bittner: SASE - yes, yes.
Rick Howard: (Laughter) It's one of my favorite topics, right?
Dave Bittner: Yeah, yeah.
Rick Howard: And I think the listeners will get a lot out of it. And as they listen to Season 1 episodes each week, they can decide if they want to be with the cool kids who are listening to the most up-to-date shows over on Season 5 (laughter).
Dave Bittner: (Laughter) Right. Right, or slumming with me and the rest of the gang over here on the free side, right?
Rick Howard: (Laughter) Yeah, you guys. OK?
Dave Bittner: (Laughter) Yeah. OK, I see. I see how it is.
Rick Howard: We're throwing a bone to you guys, all right? So (laughter).
Dave Bittner: All right. I see how it is. All right. So, Rick Howard, welcome back. CSO Perspectives, again, is over on CyberWire Pro. Do check it out. I have to say it is good stuff and well worth your time. Rick, thanks for joining us.
Rick Howard: Thank you, man.
Dave Bittner: Today, I want to reach out to those members of our audience who are students or serve in the military. Did you know that the CyberWire has special CyberWire Pro subscription offers just for you? Well, you do now. Because of your student or military status - that's active or reserve military status - you are able to subscribe to CyberWire Pro or CyberWire Pro Plus at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit thecyberwire.com/pro and click on the contact us button in the academic or government and military box. That's cyberwire.com/pro and then click contact us in the box that applies to you, and we'll hook you up.
Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it's always great to have you back. You know, you and I recently were chatting about zero trust architecture, and I wanted to explore that a little further, specifically as we're starting to see the build out and adoption of 5G. How does that all play into zero trust?
Betsy Carmelite: Sure. Where zero trust can be applied here as a security approach, again, those tenets of assuming breach, never trust, always verify, use least-privileged access. Where this applies to nascent 5G technology is getting out ahead with risk reduction now in a mission-centric context. So while 5G technology is in development now, the security components and requirements will not be fully understood or inherently applied until the networks are actually deployed. 5G networks will introduce new pathways of attack and expand the attack surface for organizations. And another concern very much at the forefront of everybody's mind in the security industry now is the protection of the supply chain and really the supply chain for 5G network hardware.
Dave Bittner: So at the basic building-block levels of 5G itself, concerns with that?
Betsy Carmelite: Sure. So when we talk about the 5G mission-centric approach to zero trust, one of the things we talk about is looking specifically at how an organization plans to adopt 5G across the enterprise. And if we look at the Department of Defense as an example, consider its enterprise, and it can be really overwhelming. It will have to work through worldwide existing 5G infrastructure, and it will assume those worldwide 5G applications are untrusted and will have vulnerabilities. With 5G adoption in the IoT environment, adversaries could, for example, exploit IoT security gaps to sabotage missions and equipment, compromise operational security and jeopardize the lives of military leaders and war fighters. And so we have to assume breach in these cases. This is where we see the need for the security culture and the mindset shift to zero trust coming in to protect our military service women and men and infrastructure and where we see the NSA urging adoption of zero trust for critical networks, which does include DOD and national security system networks.
Dave Bittner: Can you help me understand - to me, in this - the context in which, you know, 5G is not merely, you know, 4G but faster?
Betsy Carmelite: So to that question, Dave, I wanted to refresh on some of the points about 5G that I touched on before as a starting point before we jump into an example. 5G is really the convergence of the physical device realm and the digital environment at scale. So it's the consumer level and at the critical infrastructure level. Because of this convergence and scale, security has to be part of the design because any breach or attack, and we would be looking at a high-impact, high-probability event. And finally, 5G may be gaining popularity over 4G, as we can see from advertising and discussion in the media. But 5G is really in its nascent stage. So now is the time to prepare for a secure application of 5G zero trust before pervasive adoption in the coming four to five years.
Dave Bittner: I think it's - for me personally, it's something I'm really finding myself challenged at wrapping my head around. Can you give us an example?
Betsy Carmelite: Sure, sure. So let's stay on this Department of Defense example, a scenario that we've been working with - through. That would require, again, these concepts, use of least-privilege access and never trust, always verify, is the insider threat. So imagine a disgruntled military service person working in a DOD smart warehouse where equipment, some of it maybe sensitive communications equipment, is deployed and maintained. That person may want to modify data being processed on a military logistics system. And specifically in the 5G example, let's say it's with the multi-access edge computer - that's the MEC deployment - at that warehouse. For context, MEC distributes data and computation intensive tasks to resources across the radio interfaces. So the person could modify the data on the MEC. And the scenario could be to indicate the equipment is not available, might be delayed and, in turn, falsely communicates that a unit's operationally unprepared, causes mission sabotage, possibly compromises the operational security of a mission, among other impacts, like, you know, knowing the unit's movements or changing the plan - their plans as a result.
Dave Bittner: And so zero trust would help us how?
Betsy Carmelite: Yeah, so in this case, a mitigation could be to limit the service person's data access based on security policies. So that's where the use least-privileged access comes in. And so look at the user role, the device attributes that that person uses to reduce the chance of unauthorized access to the MEC. And then the modification of the data could also trigger the need to validate and ensure the data being processed is the same warehouse data that was reported from the smart sensors in the 5G network in the smart warehouse. It could trigger the use of artificial intelligence or machine learning to monitor and detect deviations in equipment availability or volume in that warehouse. And it could flag suspicious changes for investigation. So that's the concept of never trust, always verify.
Dave Bittner: All right. Well, fascinating stuff. Betsy Carmelite, thanks so much for joining us.
Betsy Carmelite: You're welcome, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. No matter how you slice it, it comes up peanuts. Listen for us on your Alexa Smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.