The CyberWire Daily Podcast 12.2.21
Ep 1470 | 12.2.21

More APT activity. Brigading, Mass Reporting, and Coordinated Inauthentic Behavior. CISA names the CSAC members. Cybercriminals sentenced. A whistleblower with an ulterior motive?


Dave Bittner: An APT is exploiting internet-facing instances of ServiceDesk Plus. Meta releases its end-of-year Adversarial Threat Report. CISA names the first members of its Cybersecurity Advisory Committee. Sentencing, American and Russian style. Malek Ben Salem has a look at cyber resilience. Our guest is PJ Kirner from Illumio with a look ahead to 2022. And an alleged false whistleblower is under indictment and under arrest.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 2, 2021. 

Dave Bittner: Palo Alto Networks' Unit 42 describes a campaign by an advanced persistent threat - no nation identified as responsible - exploiting a zero-day in Zoho ManageEngine ServiceDesk Plus. Unit 42 estimates that there are about 4,700 internet-facing ServiceDesk Plus instances worldwide. About 2,900 of them, some 62%, are regarded as vulnerable to exploitation. 

Dave Bittner: The report represents an update to earlier revelations of a nation-state campaign that's been exploiting Zoho software. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, issued a joint advisory about ADSelfService Plus on September 16, subsequently updated on November 22, in which it warned that the threat actors were taking advantage of vulnerabilities to pursue targets in academic institutions and defense contractors and some organizations in the transportation, information technology, manufacturing, communications and finance sectors. 

Dave Bittner: The APT appears to be collecting information. The campaign would represent a cyber-espionage effort. The advice CISA offered then remains sound. Don't expose this software to the internet. 

Dave Bittner: Facebook's parent Meta yesterday released its end-of-year Adversarial Threat Report. It concentrates on what Meta calls coordinated inauthentic behavior, brigading and mass reporting. Coordinated inauthentic behavior is familiar, but brigading and mass reporting deserve some explanation. 

Dave Bittner: Brigading involves an adversarial network whose participants cooperate to mass comment, mass post or engage in other types of repetitive mass behaviors to harass others or silence them, which sounds like trolling scaled to an industrial size. 

Dave Bittner: Mass reporting, also characterized as involving an adversarial network, occurs when, quote, "people work together to mass report an account or content to get it incorrectly taken down from our platform," end quote. That is, people combine to falsely allege violations of policy in an attempt to get someone banned from Facebook or any other Meta platform. The reporting in this case is reporting in the sense of diming someone out to the platform. 

Dave Bittner: Meta took down four coordinated inauthentic behavior networks in China, Palestine, Poland and Belarus. One network in Italy and France was disabled for brigading, and one network in Vietnam was removed for mass reporting. 

Dave Bittner: CISA has named the first members of its Cybersecurity Advisory Committee. The agency describes the advisory committee as, quote, "comprised of the nation's leading experts on cybersecurity, technology, risk management, privacy and resilience. They bring a diverse set of experiences and perspectives and will empanel a set of subcommittees focused on addressing key focus areas," end quote. The appointments just announced represent the first 23 members. The CSAC may ultimately have up to 35 members. 

Dave Bittner: The advisory committee was established in June of this year and was designed to bring the CISA director advice on cybersecurity from the perspective not only of industry, but also of state, local and tribal governments. CISA says that committee members, with subject matter expertise in various critical infrastructure sectors, participate in the development, refinement and implementation of recommendations, policies, programs, planning and training pertaining to CISA's cybersecurity mission. The CSAC will also form subcommittees as the CISA director decides. Subcommittees would study special topics of importance to the agency's mission. 

Dave Bittner: Aleksandr Grichishkin, one of the founders and the effective leader of a bulletproof hosting service that catered to cyber gangs, had been sentenced by the U.S. District Court for the Eastern District of Michigan, Southern Division, to a term of five years on a RICO beef. Mr. Grichishkin took a guilty plea to one count of conspiracy to engage in a Racketeer Influenced Corrupt Organization. His co-defendants, who also pleaded guilty, were sentenced earlier. 

Dave Bittner: The U.S. Attorney's sentencing memorandum outlines the services Grichishkin's operation provided. He and his colleagues were in the infrastructure business and delivered the IP addresses, domains and servers their gangland customers used, as BleepingComputer lists them, quote, "to distribute malware, host phishing kits, breach targets' networks, build botnets and steal banking credentials." 

Dave Bittner: The malware they supported forms a familiar list - Zeus, SpyEye, Citadel and Blackhole. The Financial Services Information Sharing and Analysis Center, the FS-ISAC, informed the court that SpyEye and Zeus alone cost banks about $111 million in 2011 alone and that FS-ISAC regards that figure as a low estimate. 

Dave Bittner: Since TASS has expressed President Putin's interest in and commitment to international cooperation against cybercrime, a Russian court case provides an example of what that commitment looks like. A Russian court passed sentence on Maxim Zhukov for coding he did for the FIN7 gang. Mr. Zhukov received, The Record reports, a one-year suspended sentence and a year's probation. Let that be a lesson to him and others like him. It probably already is. 

Dave Bittner: And finally, not all whistleblowers, apparently, should be taken at face value. The U.S. Department of Justice yesterday announced the indictment and arrest of Mr. Nickolas Sharp, formerly employed by Ubiquiti Networks, on four counts of computer-related crime. 

Dave Bittner: The Verge has a useful summary of the case. Back in January, Ubiquiti, which makes prosumer routers and access points, notified users that it had sustained a data breach in the course of which unauthorized parties may have accessed company information. In March, a whistleblower told media outlets that matters were far worse than Ubiquiti had let on, and that it had covered up a catastrophic data breach. 

Dave Bittner: That whistleblower was apparently Mr. Sharp. And if the Fed’s indictment is borne out at trial - since of course, Mr. Sharp is entitled to a presumption of innocence - he was not only responsible for the initial data breach itself, but also for using his whistleblowing to ratchet up extortion pressure on the company. 

Dave Bittner: According to reporting from The Verge, quote, "the first count charges him with transmitting a program to a protected computer that intentionally caused damage, which carries a maximum sentence of 10 years in prison. The second count charges transmission of an interstate threat, which carries a maximum sentence of two years in prison. The third count charges wire fraud, which carries a maximum sentence of 20 years in prison. The fourth count charges the making of false statements to the FBI, which carries a maximum sentence of five years in prison. The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge," end quote. 

Dave Bittner: Note to any faux whistleblowers - next time, try the caper from a Russian jurisdiction. The American Feds are just humorless. 

Dave Bittner: As we find ourselves on final approach toward the end of 2021 and the new year ahead, it's good to take stock of the year we've had and look ahead at what's yet to come. PJ Kirner is chief technology officer and security firm Illumio, and I checked in with him for his insights on the year ahead. 

PJ Kirner: I think zero trust is one of those kind of terms that have been out there and that people have been talking about. And, you know, we saw the Biden mandates around federal government doing zero trust. I think what's interesting is people trying to figure out what it is and also how to get started. We've seen kind of larger, again, more mature, you know, organizations to try and figure out what a strategy was. 

PJ Kirner: But I think it's something we all need to do. And so everybody has to have a starting place. Everybody has to have a something to do to sort of show your boss or your board that you are on the zero-trust path. And I think that's going to be a thing that's going to, you know, change in 2022. When people start figuring that out, there will be more small success stories around zero trust. 

Dave Bittner: So kind of a snowball rolling down the hill, whereas people see others having success with it becomes - I don't know - more important for them to get on board. 

PJ Kirner: The one challenge around zero trust - it seems kind of daunting, like, because it is a strategy you apply. And like, when am I going to be done with zero trust? Well, you might never be. It's a strategy you're going to use for the rest of time. So it is about how you get started. I think it's about finding quick wins and starting the journey, and I think that's what will happen. People will figure that out. 

Dave Bittner: What about ransomware? That's certainly been top of mind for a lot of folks this year. Do you think we're going to see progress in the year ahead? 

PJ Kirner: I think so. I mean, there's much more awareness around it, for sure. You know, one other thing that zero trust does bring to mind is this assumed breach mentality, which I think is an important kind of construct. It's assume they're already inside, right? And they might be - you know, they might have a foothold here and a foothold there. How do you adapt your security posture when you assume they're already, you know, there, right? You've already been breached, right? 

PJ Kirner: And I think that mentality will yield stories about people found stuff, how they found stuff, how they sort of prevented it, how they sort of kept, you know, it on the periphery. And again, I think that will lead to more people learning about what to do - potentially what to do to sort of stop those, you know, large disasters. 

Dave Bittner: You know, people are going to be heading back to the office as soon as things tend to normalize after COVID-19. To what degree do you think that's going to affect things? Are we going to see an increase in collaboration? What are your thoughts there? 

PJ Kirner: So my thoughts about, you know, what has sort of happened is there was kind of - you know, during COVID, you know, there was - you know, we were all working from home. In certain places, there was a bump up in productivity because people sometimes focus and kind of, you know, isolation can actually help you be more productive in things. But what I think clearly dropped off was the creativity and the collaboration - so the collaboration, which is what fuels kind of creative processes and so on. And that did not sort of work over, you know, Zoom or video conferencing, right? 

PJ Kirner: So I think where we need that creativity - it's across all industries. All industries, you know, need it. You know, but that would be part of why people are coming back to the office and some of the value that people get. They'll remember what that was, why that hallway conversation that sparked this, these two people who happen to never talk to each other to talk to each other and come up with something interesting. I think we'll all realize what we've been missing. And people will kind of run and flock to - you know, those who need that will come back. 

Dave Bittner: Are you generally optimistic coming into the new year? Do you think we're on the right path here? 

PJ Kirner: It's always good - I'm kind of an introspective kind of person, right? I like to - even at the end of every year, I kind of like to take stock of, like, what was - you know, what worked and what didn't work, you know, during that year - and sort of look to the next year and say, well, OK, what could I do better? And a lot of us have, you know, looked to ourselves, you know, and had those, you know, moments and were forced to have those moments. So to me, being introspective leads to - well, in a lot of cases can lead to kind of positive outcomes about how to do better in the coming year. So yeah, I am optimistic. 

Dave Bittner: That's PJ Kirner from Illumio. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it's always great to have you back. You and your colleagues recently released a report titled The State of Cyber Resilience, and I thought this would be a good opportunity to dig into that report. What can you share with us today? 

Malek Ben Salem: Yeah. Glad to be back, Dave. This is a report that Accenture publishes on a yearly basis, and we look at the state of cybersecurity resilience every year. So this year, we surveyed about 5,000 global CSOs and CISOs about the practices of cybersecurity within their organizations. 

Malek Ben Salem: We know - some of the findings that I could share about that report is we found that 85% of these CISOs agree that the cybersecurity strategy is now developed with business objectives or aligned to business objectives. And that's a great number. I mean, we've been - within the security community, we've been, you know, touting for aligning security objectives with business objectives, and that has not been typically the case. 

Dave Bittner: Yeah. 

Malek Ben Salem: Now we see that, you know, this is changing. And now, growth objectives and market share objectives are really, you know, driving the cybersecurity strategy. 

Dave Bittner: Yeah, that's an interesting number there. I mean, I suppose it's like, you know, steering that battleship. It doesn't happen quickly. But it's good to hear that we're on a better road to achieving that goal. 

Malek Ben Salem: Exactly. Exactly. You know, those are - that's great news. 

Dave Bittner: Yeah. 

Malek Ben Salem: Now, on the other hand, 80% - more than 80% of CISOs do mention that staying ahead of attackers is still a constant battle for them and that the cost, basically, is unsustainable. That's compared with 69% last year. So it seems like, you know, staying ahead of attackers is becoming even more of a challenge this year. 

Dave Bittner: Yeah. When we say the cost is unsustainable, any insights there? They're just having trouble getting the resources from the powers that be or - what can you unpack from that? 

Malek Ben Salem: Yeah, getting the resources is one. Although, you know, most of these CISOs do actually mention that their budgets have increased. But I think the mere number of attacks that they are undergoing is increasingly growing. So on average, they see 270 attacks per company, and that's more than a 30% increase over 2020. So a significant increase in cyberattacks, which makes this battle or this - sustaining the cost basically unsustainable. 

Dave Bittner: To what degree do you think we may also be seeing better detection here; that, you know, attacks that flew under the radar may no longer do that? 

Malek Ben Salem: Yeah, that's a great question, actually. There's probably some of that, and we see that across two groups. Basically, when we surveyed these CISOs, we looked at how they align their security strategy with business strategy, but we looked at how effective they are in detecting attacks, how long it takes them to detect attacks, et cetera. And we see that, you know, two groups - mainly one group that we call the cyber champions - are really effective in detecting these attacks. You know, they can block a lot of the attacks by the fact that they can detect them early. So there's probably some of that going on. 

Malek Ben Salem: But also, I think overall in 2020, we've seen an increase in attacks, especially the ones that are driven by third parties. So supply chain software risk, that's more of a concern for our clients this year. 

Dave Bittner: I see. So where do you suppose this puts us as we head into the next year? Is there a sense of optimism or where do people land? 

Malek Ben Salem: I think there is a sense of optimism. Obviously, there are the - you know, challenges as usual. And one of them is adopting the cloud securely. We've seen a lot of companies, you know, move to the cloud over the past, you know, few years, but that trend has accelerated over last year, and the pandemic obviously has accelerated that. But a majority of the CISOs that we've surveyed mentioned that adopting the cloud securely is still of a concern for them. There is a challenge there, and I think companies like Accenture can definitely help with that because the tools are available, right? 

Dave Bittner: Right. 

Malek Ben Salem: Because we have so many things available to make that journey secure for our clients. 

Dave Bittner: Right, right. So there's no need to go at it alone anymore. There's plenty of providers that can hold your hand on that journey these days. 

Malek Ben Salem: Exactly. Exactly. 

Dave Bittner: Yeah. All right. Well, Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.