The Five Eyes have some joint advice on detecting, defending against, and responding to Log4j exploitation. Notes on ransomware, espionage, and cyber conflict.
Dave Bittner: More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities as other government organizations look into defending themselves against Log4shell. Ransomware updates. Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group's troubles. CISA issues six ICS advisories. Malek Ben Salem explains synthetic voices. Our guest is Dr. David Lanc from Ionburst on embracing data-out protection. And some advice on how to be the family help desk and CISO during the holiday season.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 22, 2021.
Dave Bittner: Criminal organizations continue to make hay of the Log4j vulnerabilities. The latest campaign to surface, VentureBeat reports, is using TellYouThePass, an older strain of ransomware that's been seen used mostly against Chinese targets and that had been relatively inactive until Log4shell gave it fresh impetus. It now joins Khonsari and Conti. Banking Trojans are also joining ransomware in the criminal exploitation of Log4shell. Cryptolaemus confirms seeing the Dridex banking Trojan delivered as the payload of a Log4j exploit. BleepingComputer reports that the familiar Dridex and Meterpreter malware strains have now been observed hitting vulnerable systems. Dridex, it's worth noting, has also served as a precursor to ransomware attacks.
Dave Bittner: The Five Eyes are offering advice on Log4j-related vulnerabilities. CISA this morning announced, in conjunction with its domestic and international partners, Alert AA21-356A, mitigating Log4shell and other Log4j-related vulnerabilities. The advisory opens with an inventory of participants and an explanation of scope. Quote, "the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, the Computer Emergency Response Team New Zealand, the New Zealand National Cyber Security Centre and the United Kingdom's National Cyber Security Centre are releasing this joint cybersecurity advisory to provide mitigation guidance on addressing vulnerabilities in Apache's Log4j software library: CVE-2021-44228, known as Log4shell, CVE-2021-45046 and CVE-2021-45105. Sophisticated cyberthreat actors are actively scanning networks to potentially exploit Log4shell, CVE-2021-45046 and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4shell and CVE-2021-45046 are being actively exploited," end quote.
Dave Bittner: The advice falls into three categories: identifying assets affected by Log4shell and other Log4j-related vulnerabilities, upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and initiating hunt and incident response procedures to detect possible Log4shell exploitation. The advice is comprehensive, specific, yet brief enough to be readily actionable. The government partners also, in view of the urgency of dealing with Log4j issues, list a number of private sector resources they think organizations would do well to consult. And each of the Eyes has a point of contact you can reach if you want to report an incident or receive official help. You don't need to put them on speed dial, but it's a handy list to keep around.
Dave Bittner: Belgium's Ministry of Defense continues to deal with the aftermath of a Log4shell attack that led it to take down large sections of its network. SC Magazine points out that while Belgium's MoD may be the first prominent government victim of Log4shell exploitation, such exploitation could reasonably be expected to be inevitable, and it's likely that more official bodies will be hit using such exploits.
Dave Bittner: There’s still no attribution of responsibility for the incident. Both nation-state intelligence services and criminal organizations have exploited vulnerabilities in Log4j. Threatpost, for example, has an account of the attack chain the Conti ransomware gang is using to take advantage of Log4Shell.
Dave Bittner: U.S. Secretary of Homeland Security Mayorkas tweeted his Department's expansion of its bug bounty program to include Log4j. Quote, "In response to the recently discovered log4j vulnerabilities, DHSgov is expanding the scope of our new HackDHS bug bounty program and including additional incentives to find and patch log4j-related vulnerabilities in our systems," end quote.
Dave Bittner: NCC Group's most recent monthly ransomware report found Mespinoza and Lockbit the two most prominent strains in use during November. Mespinoza surged past Conti, which had formerly been ranked in the top two. Mespinoza, as BleepingComputer points out, is a double-extortion play, stealing data as well as encrypting it, adding the threat of doxxing to the initial damage of rendering data inaccessible.
Dave Bittner: Tensions remain high between Russia and Ukraine, with NATO and others generally aligned with Ukraine. Russian President Putin has followed last week's ultimatum demanding that NATO stay out of Eastern Europe and the Near Abroad with a statement to the effect that Russia has nowhere to retreat on the issue. Reuters quotes President Putin as saying, "We will take adequate military-technical response measures and react harshly to unfriendly steps." Military-technical response suggests cyber operations, possibly hybrid operations. Ukraine has been preparing to defend itself against cyberattack, and most particularly against attempts to disrupt its power grid.
Dave Bittner: Ars Technica describes how the Pegasus tool's use against U.S. diplomats in Uganda has driven NSO to the brink of collapse.
Dave Bittner: NSO Group sold Pegasus to Uganda’s government in 2018. By 2021, 11 U.S. diplomats and embassy employees working in or on Uganda had the intercept tool installed in their phones. It’s not clear whether the installation was an operation of the Ugandan government or whether the tool got away from the original customers and into other hands, but discovery of the surveillance seems to have been the last straw for the U.S. government.
Dave Bittner: While official sources wouldn’t confirm that discovery of Pegasus on State Department personnel phones precipitated the U.S. decision to blacklist NSO, it does seem to have exhausted U.S. willingness to tolerate the company’s sales to customers likely to abuse Pegasus. It also had the effect of exhausting Israeli patience with what had been a kind of national tech champion - there are simply too many other, more important U.S.-Israeli bilateral issues, and NSO Group was draining too much time and energy.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday issued six new industrial control system security advisories.
Dave Bittner: And finally, do people around the house treat you like the help desk? Are you the one stuck with explaining to Uncle Louie how to do that scrolling thing the boys at the VFW hall keep telling him about? Are you the person who’s expected to remind Aunt Tonya that the tweet she has on her phone isn’t really an offer of free millions from that nice Mr. Musk she’s heard about? Sure you are.
Dave Bittner: During the holiday season, many of you will find yourself discharging the familiar and - let's be candid - probably not entirely welcome office of family IT and security support. The Wall Street Journal has a good discussion of how to fulfill the responsibility of that office as effectively and relatively painlessly as possible. So set up a password manager for them, and help them turn on two-factor authentication. Clear the junk out of their storage. Check their subscriptions, and get rid of the ones they don’t use, want or remember.
Dave Bittner: They’ll thank you for it, and, best of all, they won’t be asking for your help quite so much going forward.
Dave Bittner: Dr. David Lanc is chief evangelist at security firm Ionburst. He advocates an approach called the data-out security paradigm, a shift away from traditional perimeter protections. Dr. David Lanc joins us with these insights.
David Lanc: We're used to - we've all been brought up with what I'd classify as perimeter-in protection. So we've been used to protecting people through access management, devices, services through access management systems, and more latterly IoT devices and endpoints. And this is all to protect the concept of the network, the defined network or the perimeter. But increasingly, that perimeter is becoming much more variable, whereas the cyber perimeter, it's in our houses. It's in our offices. It's in our shops in the malls, et cetera. So the concept of the adversary attacking our infrastructure has changed because he's no longer trying to attack something that was fixed and easy to defend - around a perimeter that used to be a firewall in an office, in a data center. It's now data that can be sitting in the cloud, copied, something like that. So the concept of data-out protection is to look at protecting data as a sovereign asset - how we define that - when, in effect, all other security has failed.
Dave Bittner: And so if someone is to embrace this notion of data-out, what does that look like from a practical point of view? What sort of things do they need to put in place?
David Lanc: What they need to think about is abstracting the way in which we protect data from the historic sort of way in which we'd have done that because data was an output of an application, or it became the input for an application for some sort of transformation around analysis or storage. Now, that's been where we've come from. And again, the concept historically of those applications being protected within an organizational boundary was quite well-defined under security models around. That was quite well - were quite well-defined.
David Lanc: As we've moved to the cloud and we're considering edge, 5G and the world that's coming, we must think of that differently. So instead of thinking of the application and the services first, we need to start to think about, OK, let's think about data as our asset. And this word sovereignty comes into it. So whether it's at an organizational level, an agency level or even a personal level, that data is the thing that remains yours or you're a custodian of. You will change applications. So instead of, as in the past, where we would change an application, and then we'd have to have this huge ETL exercise - extract, transform and load - to change all of our data formats from the old application to the new, data will remain in effect, in its form, secure, safe. And what will change is the application, which will then integrate to that data through, for example, an API layer. In the cloud, that would be the same as becoming S3 compatible. So we change one application from another, and as long as it's S3 compatible, you can connect.
Dave Bittner: And so how can you achieve those goals and not introduce undue friction into the system, not slow down people who need to access that data?
David Lanc: Another great question. So we're talking about the world of - really, the world of the cloud, although the cloud is a set of data centers around, so it could be your on premise as well as if you're a large organization, as well as using cloud facilities. So this is where the world of SASE can help. I'm not a complete convert to SASE yet, but I think it's got great - it's got legs, as they say in the old country here.
David Lanc: So think about cloud native. So you build cloud native software systems. They are scalable. They can be deployed at all edges, which means you can put the data where data is needed. You then start to look at the best of today's cloud technology, high levels of parallelization. So although I might have fragmented my data, I can get that data back very, very quickly in a way in which the end user certainly wouldn't notice a great latency difference. The way I have it - and I tend to sell an analogy at times like this. I say, well, OK, how fast is - or which is faster, Usain Bolt running 100 meters, or five Usain Bolts running 20 meters in parallel? Because that's the technology we now have. So you don't necessarily see that latency impact that's negative.
David Lanc: And because you're building cloud native technology to integrate data through, for example, through APIs, through, for example, S3 compatibility, the end user behavior doesn't change because we're talking about abstracting data away from the application layer, rather than it being embedded in the application layer as it has been historically. These are great considerations that people should be thinking about - CISOs, CTOs, CIOs should be thinking about. When they're thinking about cloud migration, what is their cloud architecture of applications and data look like in the future to give them, frankly, the best bang for their buck? In base security, they don't want to be the guy going to the top floor to answer why there's been a data breach.
Dave Bittner: That's Dr. David Lanc from Ionburst.
Dave Bittner: And joining me once again is Malek Ben Salem. She is the technology research director for security at Accenture. Malek, always great to have you back. I want to touch base today on something you and I have touched on before, and that is synthetic voices. We see this coming up more and more in conversations about security, about deepfakes and so on and so forth. I will admit, as someone who has literally thousands of hours of his voice out in the public domain in high quality, this is something that has my attention.
Malek Ben Salem: (Laughter).
Dave Bittner: What as security professionals should we know about where we stand when it comes to synthetic voices these days?
Malek Ben Salem: Oh, boy. Well, as you mentioned, Dave, we did talk about this before when we talked...
Dave Bittner: Yeah.
Malek Ben Salem: ...About deepfakes. And there was actually an attack in the wild that used, you know, synthetic voice to impersonate a CEO, right? And through that impersonation, another CEO was spear phished and was made to wire transfer more than $240,000 to the account of an attacker.
Malek Ben Salem: So that's an attack that we've seen in the wild, where these deepfake voice generators were used to create synthetic voice, you know, based on a transcript. More research happened was - the University of Chicago conducted more research in this - around this topic. And they performed basically a large study to assess how vulnerable people are to, you know, these types of attacks and how vulnerable machines are to these types of attacks. So they had a user study of about 200 people and used two systems to generate synthetic voice. And basically, the humans were only able to distinguish fake or synthetic voice from a real voice in 50% of the cases only.
Dave Bittner: Wow.
Malek Ben Salem: That - yeah. That shows you how...
Dave Bittner: So a coin flip.
Malek Ben Salem: Exactly.
Dave Bittner: Yeah.
Malek Ben Salem: That shows you how these, you know, deep learning-based machines that are generating, you know, these fake voices are - how advanced are they becoming? And so that's 50% if they're not familiar with a voice. If it's a familiar voice, you know, detection improves, so they're able to recognize or distinguish fake from real in 80% of the cases. So that improves if you know, you know, the person. But you can imagine, if this technology has improved to such an extent, to this extent, that we're going to see more spam, like, generated by these machines.
Dave Bittner: Right. I really want to reach you about your car warranty.
Malek Ben Salem: Exactly. Yeah (laughter).
Dave Bittner: Right, right.
Malek Ben Salem: How many of those messages do you get every week, right?
Dave Bittner: I think I get all of them, yeah.
Malek Ben Salem: Yeah. So, in - when we get to that point - or actually, we're probably in that point - what we typically do is we start relying on machines - right? - to filter out these messages for us. And this is where the experiment gets interesting. So they started evaluating various types of detectors to distinguish whether the, you know, voice was fake or not. And the problem is that most of the machines were fooled. So all of the digital assistants that you know of, you know, they failed to recognize - not only to recognize that the message they're getting is not originating from the owner of the device, right? You know, think about all of those digital assistants who are supposed to respond only to your voice...
Dave Bittner: Right.
Malek Ben Salem: ...To your command.
Dave Bittner: Yeah.
Malek Ben Salem: So they failed to recognize that this is not you, but they even failed to recognize that this is not a human talking to them. And I think the numbers were around 60%. You know, in 60% of the cases, they totally failed. And depending on the device, some of them - you know, in 90% of the cases, they were not able to recognize that this was a fake voice or a synthetic voice. So basically, what that says is that, you know, the state of the art in terms of these machines is not capable of helping us, at least with that spam problem.
Dave Bittner: That's interesting. I mean, to what degree do we think this has the potential to become a serious issue?
Malek Ben Salem: Well, I think looking at how technology has evolved and how attackers has been leveraging - have been leveraging these technologies - again, looking at email and spam and the use of natural language processing to automatically generate various templates and versions of spam - I think we're going to see this - the same thing happen in the voice or the sound sphere. So we're probably going to see more of that coming. And therefore, as, you know, cyber defenders, we have to up our game and we have to improve our ability to detect these types of attacks.
Dave Bittner: All right. Well, Malek Ben Salem - or perhaps I should say, Malek. Ben. Salam. Thank. You. For. Joining. Us.
Dave Bittner: One final note - we will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry, we still have an exciting lineup of great CyberWire Pro content that you won't want to miss, so stay tuned. And happy holidays, everyone.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.