The CyberWire Daily Podcast 11.19.21
Ep 1463 | 11.19.21

Software supply chain threats. Recent Iranian cyber operations. Banking disclosure rules. ICS updates. UK, US announce closer cooperation in cyberops. A real, literal, evil maid?

Dave Bittner: We've got updates on software supply chain incidents. A look at recent Iranian operations. The U.S. Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. Two of the Five Eyes announced plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers using Pluggable Authentication Modules. Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 19, 2021. 

Dave Bittner: Software supply chains are on people's minds this week, and as the week comes to a close, we hear about some particular threats that organizations would do well to be aware of. First, the FBI warns that an APT group with no further attribution has been exploiting a zero-day in FatPipe software since May at least. Users are encouraged to apply the patches FatPipe issued this week. If the unnamed APT can gain access to FatPipe's router clustering and load balancing products, they can pivot from there to other targets where the primary interest lies. 

Dave Bittner: Second, JFrog's security team found another software supply chain threat - 11 Python libraries behaving badly, stealing Discord tokens, installing remote access shells and so on. PyPI, the Python Package Index, has booted the libraries from their portal. JFrog doesn't think that all 11 libraries are the work of a single hand, as there are idiosyncratic differences in the coding that suggest various people at work. Two of the troubling packages abused a relatively new technique - dependency confusion, in which attackers register packages with names likely to be used within closed networks. In that case, the attacker's package might be pulled if the organization's package came to be deleted while the dependency tree had yet to be updated.

Dave Bittner: And third, in what amounts to a threat so much more extensive as to practically amount to a trend, the Microsoft Threat Intelligence Center, MSTIC, and the Microsoft Digital Security Unit, DSU, published a report yesterday in which they warn of a significant increase in Iran's targeting of the IT sector. Quote, "Iranian threat actors are increasing attacks against IT services companies as a way to access their customers' networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center and Digital Security Unit assess this is part of a broader espionage objective to compromise organizations of interest to the Iranian regime," end quote. 

Dave Bittner: One of the more interesting features of this push is that it's adding targets to Iran's program that hitherto haven't figured significantly in Tehran's intelligence strategy. While some of the countries being targeted are, in fact, important and traditional rivals of Iran - notably, Israel and the United Arab Emirates - others aren't. India, for example, hadn't been of significant interest to Iran's intelligence services until this past summer, but it clearly is now. That's not because of any burgeoning tension or regional rivalry but simply because India has become an important global IT hub. If you can compromise IT services in India, you have a good chance of being able to pivot to targets of real immediate interest that may have Indian IT services in their own supply chains. Much of the activity aims at credential theft in the interest of further downstream compromise, which is where the real interest lies. Microsoft, we note in passing disclosure, is a CyberWire sponsor. 

Dave Bittner: The report on Iranian operations against software supply chains comes at a moment of heightened awareness of Tehran's cyber capabilities. The U.S. Justice Department yesterday unsealed an indictment of two Iranian nationals, Musa Kazemi and Sajjad Kashian, on charges connected with disinformation operations the two men, both of whom work for an Iranian contractor, ran during the last U.S. election cycle. The Justice Department announcement said in part, quote, "As alleged, Kazemi and Kashian were part of a coordinated conspiracy in which Iranian hackers sought to undermine faith and confidence in the U.S. presidential elections. Working with others, Kazemi and Kashian accessed voter information from at least one state's voter database, threatened U.S. voters via email, and even disseminated a fictitious video that purported to depict actors fabricating overseas ballots," end quote.

Dave Bittner: Both men are, of course, not in custody, but as Justice observes, they'll spend their days looking over their shoulders and carefully planning international travel to avoid countries that have extradition agreements with the U.S.

Dave Bittner: In any case, Iran is becoming an adversary the U.S. and others are taking more seriously in cyberspace. Mandiant CEO Kevin Mandia gave CNBC a particularly gloomy assessment yesterday afternoon. He said, quote, "they're operating with efficiency, they're operating with malware that can be updated," adding that, "they have a framework where they can update their malware super fast, so they can be very efficient, leapfrogging our defenses as they learn," end quote. 

Dave Bittner: Yesterday afternoon, the U.S. Federal Reserve issued its long-anticipated final rule on computer incident disclosures. Effective May 1, 2022, banks will have 36 hours to notify regulators that they've sustained an incident that has materially affected - or is reasonably likely to materially affect - the viability of a banking organization's operations, its ability to deliver banking products and services or the stability of the financial sector. Banks are also required to notify customers as soon as possible of any incident likely to affect services for four or more hours.

Dave Bittner: GCHQ and U.S. Cyber Command have reaffirmed the longstanding Anglo-American commitment to cooperative cyber operations. Meetings at Fort Meade, Md., headquarters of both NSA and U.S. Cyber Command, included, on the British side, Director GCHQ Sir Jeremy Fleming and General Sir Patrick Sanders, Commander of U.K. Strategic Command, and, on the U.S. side, General Paul Nakasone, Director of the U.S. National Security Agency and Commander of U.S. Cyber Command.

Dave Bittner: The leaders issued a joint statement with a short set of talking points. Quote, "As like-minded allies for two centuries, the United Kingdom and the United States share a close and enduring relationship. Our two nations today face strategic threats in an interconnected, digital world that seek to undermine our shared principles, norms, and values. We agree that strategic engagement in cyberspace is crucial to defending our way of life, by addressing these evolving threats with a full range of capabilities. To carry this out, we will continue to adapt, innovate, partner and succeed against evolving threats in cyberspace. We will achieve this by planning enduring combined cyberspace operations that enable a collective defense and deterrence and impose consequences on our common adversaries who conduct malicious cyber activity. As democratic cyber nations, the U.K. and U.S. are committed to doing so in a responsible way - in line with international law and norms, setting the example for responsible state behavior in cyberspace," end quote.

Dave Bittner: The emphasis on deterrence and imposition of consequences on common adversaries is particularly noteworthy. 

Dave Bittner: Sometimes insider threats show the convergence of cyber-espionage and traditional espionage. One such case, as close to a literal evil maid attack as one might wish to find, has surfaced in Israel, where, Haaretz reports, a cleaner working in the residence of Defense Minister Gantz is charged with espionage for having offered to assist the Iranian cyberthreat group Black Shadow. According to SecurityWeek, the Israeli security service Shin Bet said that the accused spy failed to obtain any classified information. The accused, Omri Goren Gorochovsky, is said to be an ex-con with an appropriate criminal record, which has raised questions as to how he came to be hired in the first place. The Times of Israel reports that Shin Bet is reviewing the ways in which background checks are conducted. There are probably lessons to be learned for insider threat mitigation programs generally; whether they'll be new lessons or familiar ones remains to be seen. 

Dave Bittner: If you look at the three traditional motives for betrayal that counterintelligence officers remember by the acronym MICE - for money, ideology, compromise and ego - and we know, we know, you skeptics are hollering, hey, why does anybody do anything? - but still the framework is a useful way of organizing security thinking. Well, then Mr. Gorochovsky is said to have been motivated by Money with a capital M. Watch yourself, insiders. It is that time of year when people tend to start looking back at what this year has brought to try to help plan for the coming year. It's been an active, accelerating year in cybersecurity, with ransomware top of mind for many. Hatem Naguib is CEO of Barracuda Networks, and he shares these insights. 

Hatem Naguib: On the ransomware side, we've definitely seen the evolution of that attack, both in its level of sophistication and, I think, in the scale with which it's being leveraged. It's interesting. I think, from a lot of our customers' perspective, they think - and I think they have a frame of reference about the type of attacks that occur - that it's, you know, an individual hacker or somebody going in to try and create the malfeasance that occurs within their environment. 

Hatem Naguib: And what we've clearly seen is the growth of these almost corporate criminal gangs now that have been leveraging and weaponizing the capabilities to deliver ransomware as a service. And I think they've clearly taken advantage of what I would say is, you know, at some level, digital transformation, at other levels, a significant amount of transformation change that's occurred at the customer base with COVID - people having to work from home, moving to cloud for many capabilities. And already-stretched security organizations have to take more on in order to protect the important assets that they manage for their customers. 

Hatem Naguib: And so with that, we've seen an increase in the number of attacks. We've seen an increase in the size and amount of ransomware asks that are coming in. And I think what we've also seen is a much broader number of targets being pursued by this that has really, I think, surprised, unfortunately, some of these customers but by and large has been kind of the soft underbelly now starting to being taken advantage of by these criminal operations. 

Dave Bittner: I'm curious what you're seeing in terms of your customers kind of turning those knobs, deciding where are they going to spend their resources, their time, their attention for protecting themselves against these things. Or are those techniques evolving themselves? 

Hatem Naguib: Yeah, I think they are. I think it's a really good question, actually. I think customers have evolved from what I would refer to as kind of the classic, we'll put a firewall in and antivirus and a backup as a security strategy to recognizing that they have to be, you know, as sophisticated or one step ahead of the attackers, which means they have to look at multiple threat vectors and ensure that they've got a comprehensive security strategy. 

Hatem Naguib: What that's typically meant for them is to look at technologies that allow them to put security closer to what would be referred to as the edge - and I mean edge not just from an infrastructure perspective, but from the device, the person and the application and where it resides - and to be able to really look at the behavioral aspects of what's happening for each of those elements. So a great example of that is that, you know, we've seen a significant amount of our customers leverage our Sentinel product, which allows for BEC anti-phishing and really looking at behavioral anomalies to determine when account takeovers have occurred and how to remediate against that versus just the classic gateway type of solution, which would look at something coming in, is it good or bad and then stop it. 

Hatem Naguib: Similar types of things within the context of protecting against attacks for applications or attacks against the infrastructure, really building intelligence to understand what's happening and being able to provide both intelligence back to the customers in terms of how to remediate it, but also, you know, delivering that in an automated aspect. I think the one more thing I would just add to that is that data has become significantly more important in terms of what customers are storing and how they're storing it. So whereas before they would have looked at backup as just an element of how do I make sure I'm managing all of the entities in my organization and I've got them in some capability I can restore, now it's become more important to understand, well, what exactly is sitting where. Is my employee data also being backed up? How am I managing the privacy concerns that I've got of my customers? 

Dave Bittner: As you look ahead to the next year or so, is it more of the same? Do you think there's going to be additional adjustments that need to be made? Any thoughts on that? 

Hatem Naguib: Well, we're definitely seeing, I think, a broader cross-section of customers engaging more actively in addressing their security concerns. You know, I think, you know, the industrial companies becoming targets - you know, companies that would typically not be considered the most technology sophisticated, so less prone to these types of challenges - have now seen themselves become much more prone. We've seen significant investment in educations-led government, which I think is a very positive sign. 

Hatem Naguib: And I think what we're also seeing on two fronts - one is good cooperation in the industry to help the customers deal with this. I think everybody sees security as an everybody-problem and not just, you know, one individual company is going to be able to address that. So you see the levels of investments we're making, but you also see other companies making substantial investments to ensure that they're providing the best capabilities from a security perspective. 

Dave Bittner: That's Hatem Naguib from Barracuda Networks. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for "Interview Selects," where you get access to this and many more extended interviews. And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, always great to have you back. I wanted to check in with you today about attackers who are abusing PAM - that is, Pluggable Authentication Modules. What can you share with us today?

Johannes Ullrich: So PAM is a feature that's common to many Unix and Unix-like operating systems - macOS, for example, uses it. And it allows you to configure what kind of authentications you accept, for example, to log in to a system, to become an administrator. So it's very flexible in that form. It allows for things like multi-factor authentication to be implemented very easily or support for specific hardware like YubiKeys. The problem, of course, with flexibility is with a lot of flexibility comes a lot of responsibility and risk. Attackers sometimes use this flexibility against you in order to gain persistent access to systems. 

Dave Bittner: And what - so what are they doing here? 

Johannes Ullrich: So in this case, they essentially reconfigure this PAM system. They either add additional modules that'll give them access - so if they are coming from a particular IP address, if they're coming with a particular client, they're just provided access without asking for credentials. But probably more sinister, there is a special PAM module called pam_steal. And, well, steal - it's going to steal stuff. It's going to steal your credentials. Of course, these modules have access to the username and password that you typed in. And as a result, this module will just take this username and password and save it to a simple text file for the attacker then to retrieve later.

Dave Bittner: And so what are your recommendations here, both for not getting yourself infected in the first place, but then mitigation as well? 

Johannes Ullrich: Yeah. So in general, of course, this is something - an attacker needs to have administrative or root access to a system in the first place in order to manipulate this. But if that happens, then file monitoring is absolutely important here. So check these files with some kind of file integrity tool to make sure that nobody is modifying these configurations. Luckily, those files are very static. So it's not one of those set of files that gets updated all the time. It's relatively easy to configure a file integrity tool to monitor these files. 

Dave Bittner: All right. Well, Johannes Ullrich, thanks so much for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's Research Saturday and my conversation with Nicholas Boucher and Ross Anderson from the University of Cambridge. We're going to be discussing their research on Trojan Source. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. I will be off next week enjoying the U.S. Thanksgiving holiday with family and friends. Tre Hester will be filling in on the mic. Thanks for listening.