The CyberWire Daily Podcast 12.16.21
Ep 1480 | 12.16.21

Log4Shell exploited by criminals and intelligence services. Private sector offensive cyber capabilities. Noberus ransomware used in double-extortion attacks. Squid Game phishbait.
Dave Bittner: Log4Shell is exploited by criminals and intelligence services. Private sector offensive cyber capabilities are on par with nation-states. Noberus ransomware is used in double-extortion attacks. Malek Ben Salem from Accenture looks at cyber twins. Our guest is Tom Kellermann from VMware with reactions to CISA's Binding Operational Directive. And "Squid Game" phishbait.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 16, 2021. 

Dave Bittner: Die Zeit, in a long and glum piece on the implications of the Log4Shell vulnerability, points out that the term affected can be ambiguous, particularly when it appears in phrases like not affected. What counts as affected? It's not necessarily synonymous with attacked, breached or even vulnerable. If you've had to devote time and resources to inventorying your software for a specific vulnerability, there's a sense in which you've been affected, even if at the end of it all you've found nothing. 

Dave Bittner: There have been reports of Log4Shell exploitation by both gangs and intelligence services. The crooks and spies have been up and at 'em this week. Haaretz reports, citing sources at Check Point, that Iranian operators had by yesterday sought to compromise seven Israeli governmental and commercial targets using Log4Shell exploits. Both Microsoft and Mandiant have warned of Chinese and Iranian exploitation of the vulnerability, The Wall Street Journal sums up, adding that Microsoft also reports seeing North Korean and Turkish attempts to take advantage of Log4j. 

Dave Bittner: The Chinese Embassy in Washington told the Journal that they're opposed to cyberattacks of any kind. The embassy also pointed out that it was a Chinese company that first discovered the issue and disclosed it to Apache. In fairness to Beijing, they're right about that second point. Alibaba's Cloud security team found and reported the problem on November 24. 

Dave Bittner: In some respects, however, nation-state exploitation seems almost a case of a dog not barking. The Journal quotes CrowdStrike's senior vice president of intelligence, Adam Meyers, to that effect. Quote, "it's a surprise it's not more widespread. The question that everyone is asking is, 'what aren't we seeing,'" end quote. 

Dave Bittner: Mandiant also expects to see more nation-state exploitation. Quote, "we expect threat actors from additional countries will exploit it shortly, if they haven't already. In some cases, state-sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so," end quote. 

Dave Bittner: And one of those dogs that's not obviously barking - well, not dogs, but in this case, bears - Russian state actors, BGR observes, are noticeably not being mentioned in dispatches. 

Dave Bittner: Google's Project Zero concludes that companies are now able to develop offensive cyber capabilities once thought to be within the reach of only a few nation-states. In their recently published research into NSO Group Pegasus exploits, Project Zero writes, quote, "based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states." 

Dave Bittner: And it's not just Apple products. Quote, "Citizen Lab was able to recover these Pegasus exploits from an iPhone, and therefore, this analysis covers NSO's capabilities against iPhone. We are aware that NSO sells similar zero-click capabilities which target Android devices," end quote. They haven't got any Android samples, but maybe you do. Quote, "Project Zero does not have samples of these exploits, but if you do, please reach out," end quote. 

Dave Bittner: Project Zero worked on a sample of NSO Group's FORCEDENTRY tool obtained by Citizen Lab in the course of its investigation of a zero-click iMessage exploit used earlier this year against a Saudi activist. Apple's Security Engineering & Architecture group cooperated with Project Zero on the technical analysis. 

Dave Bittner: Symantec has an update on ALPHV BlackCat ransomware group, in which the researchers describe the Noberus ransomware the group's campaign uses. Noberus, which exists in at least three versions, is unusual in that it's written in Rust. It's commonplace that it's in use in double-extortion scams. 

Dave Bittner: IBM says that "Squid Game" remains popular phishbait, much used against fans of the Netflix series. IBM recommends that businesses address these campaigns with employee awareness training. 

Dave Bittner: ZDNet reports that Amazon Web Services experienced a brief disruption yesterday. Unlike last week's disruptions, which centered on AWS's U.S.-East-1 region, yesterday's are said to have affected the U.S.-West-1 and 2 regions. The AWS Service Health Dashboard this morning shows all North American services operating normally. 

Dave Bittner: French police have arrested a man on charges related to laundering more than 19 million euros in ransomware payments, according to The Record. 

Dave Bittner: The U.S. Federal Reserve is moving in many areas of monetary policy, but yesterday, Federal Reserve Chairman Jerome Powell told CNBC that cyberattack represented the most significant threat to financial stability. 

Dave Bittner: And finally, to return briefly to Log4Shell, it's worth noting that many official bodies have issued warnings and guidance on it. Among those is the U.S. Federal Bureau of Investigation. If you've been hit by a Log4Shell exploit, they'd like to hear about it, and your input will be a contribution to intelligence concerning the way the vulnerability is being exploited. They'll also render assistance insofar as their resources permit. As the Bureau puts it, quote, "as always, we stand ready to assist any impacted entities," end quote. 

Dave Bittner: Now, we know the internet, and we know the sort of social media funsters who inhabit its infosec precincts. I mean, when even NSA's cybersecurity boss is vamping with funny Karen and cat memes about the pronunciation of Log4j, well, it's just a barrel of monkeys out there. By the way, very funny, Mr. Joyce. 

Dave Bittner: But please, don't pester the FBI to tell them that your impacted entities include your wisdom teeth or your colon. We know, we know - LOL, even ROFL and LMAO, but come on. You don't need mad hermeneutical skills to get that the Bureau means organizations or natural persons affected by Log4Shell exploitation and not teeth or sections of your GI tract. They're not in the tooth-pulling or constipation-relief business, so get serious, kids. We're looking at you, infosec boys and girls. Sometimes, impacted is even more ambiguous than affected. Alles klar, Herr Kommissar? 

Dave Bittner: CISA director Jen Easterly recently issued a binding operational directive titled "Reducing the Significant Risk of Known Exploited Vulnerabilities." The directive mandates that federal agencies mitigate vulnerabilities in their networks and is one of the first actions taken by CISA's newly formed Joint Cyber Defense Collaborative. 

Dave Bittner: Tom Kellermann is head of security strategy at VMware, one of the private sector members of the Joint Cyber Defense Collaborative. 

Tom Kellermann: It's historic. It's game changing. It's a recognition by CISA that U.S. federal agencies as a whole, as well as their partners, must harden their systems because, frankly, the last year has really been the year of the zero-day exploit. And more and more often than not, these systems are successfully penetrated by these exploits that have been developed by the four rogue nation-states who manifest much of the cyberattacks against the U.S. 

Dave Bittner: So in your estimation, what happens next? How are the various agencies throughout the federal government going to react and respond to this? 

Tom Kellermann: Well, they have 60 days, according to the directive. And hopefully, they are automating their vulnerability management processes and hardening those systems as we speak. Frankly, the - you know, the United States is dealing with an insurgency in American cyberspace, one that has been stoked by rogue nation-states but, more importantly, one that is facilitated by the lack of hardening of those critical systems. 

Dave Bittner: When you think about the various government agencies, are - is there at all a situation of kind of haves and have-nots? Are there going to be certain agencies that are better prepared to take this on than others? 

Tom Kellermann: Yes. I mean, some agencies are more sophisticated and have more capability as well as manpower than others. That being said, vulnerability management should be something that the majority of federal agencies should be able to pursue and achieve without great consequence or disruption to operations, for that matter. You know, this directive really is a seminal action taken by CISA, but more importantly, it's the first action taken with the Joint Cyber Defense Collaborative, of which VMware is a proud member and partner. 

Dave Bittner: Yeah, let's talk about that a little bit. I mean, what does VMware bring to the table, and why is this something that you all want to be a part of? 

Tom Kellermann: It's our commitment to civilizing and securing American cyberspace. You know, we were one of 15 companies that were asked to join because we literally have created the fabric by which many critical infrastructure are dependent upon, from vSphere all the way through Verizon all the way through Workspace ONE. We realized that we are responsible for securing our own environment, but also assisting the federal government in securing theirs. And I think the JCDC is an unprecedented group that is responsible for sharing information with one another, but also collaborating in the fight against not only exploit code and vulnerabilities, but the fight against ransomware, which has become pandemic per se in American cyberspace. 

Dave Bittner: What do you hope that things will look like on the other side of this? You know, six months from now, after this has had some time to take effect and settle in, where do you suppose we'll be? 

Tom Kellermann: Well, hopefully, hardening government systems will allow us to get a leg up on an adversary that's burrowed in over the past few years and allow us to begin to conduct proactive cyberthreat hunting and really push back and contain this type of insurgency that has been ongoing within federal infrastructure as well as corporate America's infrastructure. You know, the first step in securing systems in cyberspace is a recognition that, you know, 100% prevention is not possible, but there are some basic tenets of cyber hygiene that must be followed in order to prevent these types of infections. And part of that is really hardening those systems against exploitable vulnerabilities. 

Dave Bittner: You know, you mentioned that the Joint Cyber Defense Collaborative is really a new effort and potentially a game changer here. How so? How is this really set up to really move the needle? 

Tom Kellermann: Well, you know, Director Easterly challenged the private sector, particularly the major players - technology players in the private sector, to demonstrate commitment to securing American cyberspace and also to securing their own systems from attack given that they provide, you know, the majority of technology infrastructure and fabric to the majority of corporations and federal agencies. We proudly joined that to show our commitment in that regard, to show how we will share information with the government related to vulnerabilities, how we will do a better job of fighting ransomware both against our customer base, but also, generically, the landscape. And I really think it's one of the more significant public-private partnerships that's ever been established to secure cyberspace. 

Dave Bittner: Yeah. It really strikes me that, you know, this is an effort where private organizations, certainly, who day to day might be competitors with each other - when the call was put out, they agreed to join together for a common cause. 

Tom Kellermann: Exactly that. We recognized and appreciate our responsibility to help secure the greater cyberspace of the United States and also to work with and collaborate with our competitors, as well as the U.S. government to do just that. 

Dave Bittner: That's Tom Kellermann from VMware. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She's the technology research director for security at Accenture. Malek, it's always great to have you back. I wanted to touch base with you today on a publication that you and your colleagues have put out in the world, and it's called Cyber Digital Twins. And it has to do with Security Vision. What can you share with us today? 

Malek Ben Salem: Thank you, Dave. Yeah, the Security Vision is a publication that the Cyber Lab publishes every year. And this year, the focus was on cyber digital twins. Now, let me start by defining what a digital twin is... 

Dave Bittner: Please. 

Malek Ben Salem: ...For our listeners. So a digital twin is basically a virtual representation that serves as a real-time digital counterpart of a physical object or process. Now, this concept has been, you know, introduced, you know, a long time ago. But practically - I think the first practical definition of a digital twin originated from NASA when they were attempting to improve the physical model simulation of a spacecraft in 2010. But today, with, you know, the proliferation of IoT devices, of smart manufacturing, of devices for augmented reality, this concept is gaining notoriety. You know, that's the digital twin. Along with that, the cyber digital twins started to emerge. 

Dave Bittner: And what exactly is that? 

Malek Ben Salem: Yeah. So cyber digital twins allow, you know, security professionals basically to create that digital replica of every system of every machine or IoT device. And that replica can be used for the simulation of cyberattacks, for vulnerability exploitations, et cetera, to detect any potential threats before the physical device leaves the production line. And the same concept can be extended to, you know, environmental. We have smart manufacturing, for instance, or in, you know, resources companies for smart drilling or any other capabilities that have those types of functionalities. 

Dave Bittner: Well, help me understand here. So is this - for example, if I'm a manufacturer of some IoT device, is this a way of me basically running simulations before I send this out into the world? 

Malek Ben Salem: Absolutely, yeah. So it helps basically - it provides various benefits. Through that simulation, there is an abstraction that happens or, you know, there's an analysis of the firmware running on the device that would have to happen. And then with that analysis, you can abstract the software running on that device and then start simulating cyberattacks against that firmware. 

Dave Bittner: Are there any particular areas that this is best suited for? 

Malek Ben Salem: Yes. So as we mentioned, any smart device, smart manufacturing processes - those are probably the, you know, the target or the best areas. But I think eventually, we'll see this proliferate as more of our systems, let's say, OT processes become more AI-enabled. I think we're going to see more use of, you know, cyber digital twins there as well. 

Dave Bittner: Is there a safety component here as well? I'm thinking, you know, manufacturing plants, you know, any of those heavy industrial kinds of places, this could be useful there. 

Malek Ben Salem: Yeah, definitely. That will be another use case. Again, this capability - the simulation capability that this technology allows is very beneficial, whether it's for cyberattacks or for, you know, cyberattacks that have a safety implication. 

Dave Bittner: And so where do we stand now? Is this something that is still in the lab, or is it out there in the real world? What's the timeline for seeing more widespread use? 

Malek Ben Salem: So the digital twin technology is being adopted. Again, through this publication, we've done some research, and we've surveyed a number of CISOs and technology executives. And many of them, around 60% or even higher - I don't have the - I don't recall the exact number - but they are at least, you know, using this technology somewhere within their enterprise. 

Malek Ben Salem: Now, the cyber digital twins, that's an emerging technology that's, you know, very tightly linked to the digital twin. But it's following soon after. And so I think we'll - we're going to see more adoption of that technology because it enables, you know, this simulation of attacks. It basically empowers security teams - right? - to predict the attacks against these IoT devices or these cyber physical devices. And obviously, without it, you know, it helps them scale, I guess, more. It helps them cover more attacks. 

Malek Ben Salem: And I think one of other main benefits, if you think about these manufacturing - or if you think about the designers of these smart devices, where they have to share IP or share the software and the firmware running on the device for another company to simulate and to assess and to test or to manufacture, by having a cyber digital twin abstract - what's running on the device - they no longer have to share the IP itself. But they can share this model that's abstracting what's running on the device, thereby protecting their intellectual property. So they can get the advantage of the simulation, of the attacks, while protecting their intellectual property. 

Dave Bittner: Oh, I see. All right. Well, fascinating stuff for sure. The publication is Cyber Digital Twins. Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.