The CyberWire Daily Podcast 4.30.21
Ep 1323 | 4.30.21

Investigating VPN exploits, and the crooks and spies who use them. BadAlloc afflicts OT. Notes on cyberespionage. The criminal market for deepfakes.

Transcript

Dave Bittner: Are you a hiring manager or recruiter? Could you benefit from a cost-efficient and easy way to train your new staff in cyber? We know that it can be expensive and time-consuming to ramp up new hires. That's why CyberWire Pro is available at a discount to large groups so that you and your team can get up to speed and stay there. CyberWire Pro brings the most important information in a concise and easily retainable way, all while saving you time. Contact us to get your special group pricing at thecyberwire.com/contactus. That's thecyberwire.com/contactus.

Dave Bittner: The U.S. government expands its investigation into Pulse Secure VPN compromises. Microsoft discloses its discovery of BadAlloc IoT and OT vulnerabilities. Someone's distributing Purple Lambert spyware. Chinese intelligence services seem to be back-dooring the Russian defense sector. Financially motivated criminals are exploiting SonicWall VPN vulnerabilities. A look at emerging criminal markets for deepfakes. Josh Ray from Accenture Security on why cybersecurity community service matters. Our guest, Manish Gupta from Shift Left, looks at cyberattacks on the CI/CD pipeline. And the World Health Organization attracted impersonators earlier this month again. 

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 30, 2021. 

Dave Bittner: The U.S. government's investigation into possible compromises accomplished through vulnerabilities in Pulse Secure VPN software is expanding. CNN reports that at least five federal agencies appear to have been affected. This represents the third-major software supply chain compromised that's come to light in 2021, the Voice of America notes

Dave Bittner: Microsoft yesterday announced a set of memory allocation vulnerabilities they're tracking as BadAlloc. The vulnerabilities affect IoT and OT devices. And they could be exploited either for remote code execution or to induce system crashes. CISA has also published mitigation advice for BadAlloc. The disclosure of BadAlloc should lend some urgency to the OT security about which NSA cautioned the defense industrial base in yesterday's advisory. That advice was prompted by the SolarWinds compromise. But the concerns are broadly applicable to OT operators. 

Dave Bittner: Kaspersky says it's detected Purple Lambert malware in a number of networks. iTWire reports that this malware family has been associated with the CIA. But the evidence is ambiguous, with some observers pointing out that the malware may have been staged by rival foreign intelligence services. The Lambert family has been gurgling around out there for a few years. 

Dave Bittner: We're accustomed to thinking of cyber-espionage as hitting, for the most part, Western targets. The reality is, of course, far more complicated than that. Even the familiar adversaries of Western nations take whacks at one another. A useful corrective to this habitual way of thinking arrives today in the form of a report by researchers at security firm Cybereason, who describe a new APT they attribute to the Chinese government. The company's Nocturnus Team, while sorting through samples of RoyalRoad malware, found signs that the operators behind it were also delivering the PortDoor backdoor as a payload. The target was Russian. And the method of approach was phishing. Nocturnus researchers write, quote, "According to the phishing lure content examined, the target of the attack was a general director working at the Russian Design Bureau, a Russian-based defense contractor that designs nuclear submarines for the Russian Federation's Navy," end quote. 

Dave Bittner: And, of course, while VPN exploits have recently been a worry because of the way they've appeared in cyber-espionage campaigns, as so often happens, the hoods follow in the footsteps of the spooks, which is what seems to be going on now with exploitation of unpatched SonicWall instances. FireEye warned yesterday that it's observed an aggressive, financially motivated group UNC2447, exploiting one SonicWall VPN zero-day vulnerability. The company reckons the threat a serious one with evidence of tool-sharing by criminal groups. 

Dave Bittner: Researchers at security firm Recorded Future have discerned a growing international criminal market for deepfakes. Why do people care about this? It's easy to think of deepfakes as primarily used in more exotic forms of spoofing, say, a fake video of President Putin doing celebratory Jell-O with first lady Eleanor Roosevelt, thereby convincing people that the whole New Deal thing was a Kremlin front from the get-go. And never mind the freakin' anachronism - sad. Or, perhaps, they could appear in the form of faked evidence used in criminal show trials. Or, in a more prosaic level, they might be used for more effective social engineering, better and more convincing business email compromises, for example, or more compelling catphishing. 

Dave Bittner: But there are also other, even more prosaic concerns about deepfakes. A criminal market in such deceptive stuff might undercut commonly used modes of establishing one's identity. Traditionally, people have seen three basic ways of establishing that they are who they say they are. You can do this through something you know. And the most common form this takes is the password. The security question is another. If you know your grandmother's maiden name was Fifinella or that your first pet was Blinky the Chameleon or Finnegan the goldfish, that you drove a Hillman Minx when you were in school, the assumption is that, well, you're probably who you say you are. You can also do this through something you have, like a hardware token or, in real life, maybe an ID card or a badge. Or, finally, you could establish your identity through something you are. That is, through one of the several biometric modalities like your face, your fingerprint or even your gait - so something you know, something you have or something you are. 

Dave Bittner: One of the reasons a criminal market in deep fakes is troubling is that it might be used to undercut the third mode of identification who you are. This could erode trust in the biometric technologies that organizations use online. If your fake face is out there, well, maybe some hood can use it to sign on somewhere as you, your own self. 

Dave Bittner: Deepfakes are, in the view of Recorded Future's Insikt Group, frauds' next frontier. They used to be a repellent but, in most respects, less threatening kind of technology. The researchers say, quote, "deepfake technology used maliciously has migrated away from the creation of pornographic-related content to more sophisticated targeting that incorporates security, bypassing and releasing misinformation and disinformation. Publicly available examples of criminals successfully using visual and audio deepfakes highlights the potential for all types of fraud or crime, including blackmail, identity theft and social engineering," end quote. 

Dave Bittner: The researchers found online markets catering especially to Anglophone and Russophone hoods, but they also found a few hawking to speakers of Spanish, Turkish and Chinese. The deepfake products and services on offer include editing both pictures and video, how to tips, tutorials, exchanges of best practices, free software downloads and photo generators and news on advancing criminal technology. The Insikt Group says that much of the chatter online about deepfakes is of a relatively benign technophile nature. People interested in the topic are chatting and swapping stories. But the researchers think that this is likely to turn ugly as a hobbyist's interest turns into a perception that deepfakes have a lot of criminal potential. 

Dave Bittner: The United Nations International Computing Center says that with the help of Group IB, it's taken down a scam campaign that, since April 7, has been impersonating the World Health Organization. Good for them, we say. Earlier this month group, IB be warned the U.N. organization that it had found a bogus website impersonating branding where visitors were encouraged to answer a few simple questions to earn a 200 euro reward on the occasion of World Health Day. And you can easily imagine the rest. Sometimes, it involved redirection to a scam website. And at other times, the capers signed unwitting victims up for a paid service - not healthy. 

Dave Bittner: A key component of modern DevOps operations is the CI/CD pipeline that stands for continuous integration, continuous delivery. It's an approach that emphasizes automation. Manish Gupta is CEO of ShiftLeft. And he joins us with insights on the CI/CD pipeline and how its use can help ensure security receives the attention it deserves. 

Manish Gupta: All around us, innovation is being driven by software. Most of the companies now write software. They write it ever faster because, as consumers, we have gotten into the habit of getting new feature functionality every day. Imagine your experience with Netflix or Google, for that matter. The production of this software is a complex undertaking. It goes through what is called CI/CD - continuous integration, continuous deployment, which is a fancy way of saying that is the set of technologies that allow developers to develop quickly. 

Manish Gupta: The other part is, you know, developers don't - the other reason why developers are able to do this far faster today than they were able to do this a decade ago is because there is a lot of what is called open source software or libraries that are out there. And so as a developer, for example, if I wanted to create a retail e-commerce site, I don't need to go rewrite the software for a shopping cart. You know, a library's available that I can just import into my application, and voila, now I have that functionality. 

Manish Gupta: So being able to choose these various libraries for the end result that I want makes developers very productive. That broader notion is called a supply chain of software in terms of what all components developers are using to create that application. 

Dave Bittner: You know, it strikes me that the CI/CD pipeline is kind of like changing the oil in your car while the engine is running. You know, that it just - there's a certain amount of complexity there. And I don't know. And - are we taking away developers' ability to kind of stop and catch their breath? 

Manish Gupta: Well, you are right. But I think the situation is a little bit more complex or involved, if I may, because, you know, developers are compensated for delivering functionality. Very rarely is there an organization that compensates or measures their developers on how securely they're developing the software. And that is part of the problem because the responsibility of security lies in a different team, which is typically headed by the CSO or cybersecurity officer. And within his or her own domain is an application security team who has the responsibility. 

Manish Gupta: As you can see, there is a - almost a perverse logic. We incent developers to write features ever faster, and we don't measure or reward them on delivering security effectively. And so they are not necessarily motivated to focus on security. There is a completely different team which is, but then they don't develop software. And so all they can do is sort of inspect the software, occasionally find issues in it and inform developers to say, hey, look, here is a long list of hundred things that are wrong. Please go fix it. 

Manish Gupta: And again, we have to go through the same scenario where developers now have that list of hundred things, plus all the other feature functionality that they're being asked to deliver by their VP of engineering. And is it any surprise they almost always focus on the latter as opposed to the former? 

Dave Bittner: And so what do you recommend here in terms of being able to secure that pipeline? How do we do a better job of having those teams interact with each other? 

Manish Gupta: Yeah. So first is, of course, just realizing - right? - that this is happening, that the CI/CD is a new way of software development which is highly agile. There are two very important personas here, the developers who for application security have to do 70% of the work because security cannot fix issues for them. All security can do is bring their level of expertise, broader knowledge about security to prioritize issues. So first and foremost, as I'm just describing, hopefully you are getting the sense that we need a platform that allows this collaboration to exist between these two parties. 

Manish Gupta: Then the second thing is collaboration is all great, but if it is working against the very requirements of a particular team, that's not going to get adopted. So that's the second set of attributes that we have to look for, we have to design for, which is developers moving fast. Feature functionality drives revenue, so that will always be the primary driver for every organization. So how in this fast-paced CI/CD can we insert security which requires novel technologies? Unfortunately, we are still using application security tools that are at least 15 years old. They were developed for a completely different era. So we need newer solutions, newer technologies that leverage state-of-the-art innovation to deliver security very quickly and very efficiently, even in the CI/CD pipeline, so as not to disrupt it. 

Dave Bittner: That's Manish Gupta from ShiftLeft. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Josh Ray. He's a managing director and global cyber defense lead at Accenture Security. Josh, always great to have you back. I want to touch today on something that I know is near and dear to your heart, and that's community service, and particularly when it comes to spreading around your expertise with cybersecurity. Why is this something that it's worth spending your time on? Why is this important to you? 

Josh Ray: Yeah. Dave, thanks for the question. And thanks for having me back. And, you know, this is actually something I was talking to Sean Duffy, who looks after our advanced attack and readiness operations earlier today, actually. And we were just discussing how fortunate we are to really be in a profession that has a strong sense of mission and also really values service to community. When I think about how cool it is that, you know, we wake up every single day to try to make the world a safer place and fight bad guys, I mean, it's something that, you know, really, I think, the whole community can take notice of and really appreciate. 

Josh Ray: And this is especially true when you're talking about vulnerability research. I mean, this is a special community that has massive amounts of passion for what they do and are really incredibly altruistic. So when we look at what the security research and the vulnerability research folks have done over the last 10 years, they've really been at the forefront of this notion of giving back to the community and sharing their research. 

Dave Bittner: Yeah. It really strikes me that there's a sense, as you say, of collaboration, that there's an industry-wide recognition that, overall, the more information we're able to share and get out there, the better off and safer we'll all be. 

Josh Ray: Yeah, absolutely. I mean, just, you know, thinking about it as the right thing to do, right? And just by example, over the past couple of years, our own security researchers who operate in the space have, I think, disclosed something over 200 vulnerabilities to private companies. And this is not something that they were told to do. They did it because they were pursuing their passion and really because they love doing it. And I think, as companies, we really need to start to embrace this notion of being altruistic and giving back to the community and rewarding the behavior of these researchers more than just kind of giving them recognition and figure out, how do we actually make sure that we're really fostering this talent in the community? 

Dave Bittner: Well, let's dig into that. I mean, as someone who is in a leadership position, how do you foster that amongst the people of your team? How do you show them that this is something that you support them spending their time on? 

Josh Ray: Yeah. I think it's one of those things where you have to continuously challenge them and make sure that they have interesting things to do, right? They don't want to just solve the regular problems. They want to solve problems that are incredibly difficult. And if somebody tells them it's impossible, they're even more interested, right? So making sure that they have the hardest problems to solve and making sure that they know that they are directly contributing to really making the Internet a safer place. 

Dave Bittner: What if somebody comes to you and says, you know, Josh, I have a hunch on something. And this might not lead anywhere, but, you know, I have a feeling this is a pathway that I should go down. Is that the kind of thing that you would support? 

Josh Ray: Yeah, I think, absolutely. And, I mean, you know, as we've got folks that have kind of now the second and third generation of security leaders kind of come up in the space, I think that's kind of a realization that, you know, we've come - we have to give these folks time to breathe and kind of think because it's that level of creativity that's going to not only be good for business and the clients, but it's going to help retain that talent and help them be better as professionals as well. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thanks, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. If you're looking for something to do this weekend, take a few moments and check out "Research Saturday" and my conversation with Jen Miller-Osborn from Palo Alto Networks Unit 42. We're going to be discussing their most recent ransomware threat report. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire our team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.