The CyberWire Daily Podcast 3.22.22
Ep 1540 | 3.22.22

White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.

Transcript

Dave Bittner: The White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. A new Conti affiliate is described. Android malware Facestealer. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding extremism and Russophobia in Meta’s platforms.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for March 22, 2022. 

Dave Bittner: The U.S. is directly warning that large-scale Russian cyberattacks against American and other Western targets are likely. Russia says it's not going to happen. NBC News quotes Kremlin spokesperson Dmitry Peskov - "The Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry," end quote. 

Dave Bittner: Most others are not so sure. President Biden yesterday issued a general warning to U.S. organizations that intelligence suggests a coming Russian cyber campaign. Quote, "This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks," end quote. An accompanying fact sheet stresses the importance of familiar best practices and offers an aspirational set of longer-range policy prescriptions. 

Dave Bittner: A brief statement from the U.S. Cybersecurity and Infrastructure Security Agency indicated that CISA would rapidly share information and mitigation guidance to help organizations, large and small, protect their systems. The Department of Homeland Security added, organizations can visit cisa.gov/shields-up for best practices on how to protect their networks, and they should report anomalous cyber activity and/or cyber incidents to report@cisa.gov or to an FBI field office. 

Dave Bittner: The U.S. Administration hasn't said, in detail, what the evolving intelligence was showing. Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said, at a media briefing yesterday, that more had been shared with sectors most directly at risk. She said, quote, "You’ve seen the administration continuously lean forward and share even fragmentary pieces of information we have to drive and ensure maximum preparedness by the private sector. So as soon as we learned about that, last week we hosted classified briefings with companies and sectors who we felt would be most affected, and provided very practical, focused advice," end quote. 

Dave Bittner: The briefings and warnings issued yesterday were intended to raise that broader awareness and to raise that call to action. She added, quote, "There is no evidence of any - of any specific cyberattack that we’re anticipating for. There is some preparatory activity that we’re seeing, and that is what we shared in a classified context with companies who we thought might be affected. And then we’re lifting up a broader awareness here in this - in this warning," end quote. So there's more than an a priori possibility underpinning the warning, but the threat remains in a preparatory phase. 

Dave Bittner: Browser-in-the-browser attacks, or BitB attacks, are being observed in the wild, BleepingComputer reports. BitB attacks use premade templates to create fake but realistic Chrome popup windows that include custom address URLs and titles that can be used in phishing attacks, creating fake browser windows within real browser windows to create convincing phishing attacks. The technique is thought to be readily scalable, and it should be expected to have a popular run in the criminal-to-criminal markets. 

Dave Bittner: eSentire reports finding a new Conti affiliate engaged in two operations. Quote, "The speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors. Customization choices include legitimate certificates, nonstandard CS ports and malleable command and control," end quote. 

Dave Bittner: Pradeo warns of an Android malware strain that's infested Google Play. The researchers call it Facestealer. Its main goal seems to be theft of Facebook credentials, and the researchers say it's affected about 100,000 users. Google is purging Facestealer from the Play Store. The principal vector has been an application, Craftsart Cartoon Photo Tools, that makes connections to a Russian server. 

Dave Bittner: As Microsoft continues to investigate an apparent attempt on some of the company's Azure DevOps source code by the Lapsus$ group, Okta discloses that it's investigating the possibility that it, too, may have come under attack by the Brazilian gang. 

Dave Bittner: Deep Instinct describes a new member of the Micropsia malware family. They call it Arid Gopher, note that it's written in Go and say that it's operated by APT-C-23, Arid Viper, a threat group interested mainly in Middle Eastern targets. 

Dave Bittner: And finally, Reuters reports that a Russian court has officially found that Facebook's corporate parent Meta was guilty of extremist activity, and thus its operations in Russia will be severely curtailed. Facebook and Instagram are out, but WhatsApp can stay for now. In its defense, Meta argued that not only was it not extremist, but that it was in fact opposed to Russophobia. But the court foreseeably found otherwise. There's no word on whether Meta will appeal, but doing so would seem to be an exercise in futility. Once a Russophobe, always a Russophobe, especially if a Moscow court says you're the one. 

Dave Bittner: Swathi West is health care and privacy manager at Barr Advisory. She earned a master's degree in aerospace engineering before pivoting to health care privacy and compliance. I recently spoke with her about taking a seat at the table and mentoring the next generation of cybersecurity professionals. 

Swathi West: I mentor a couple of women from women in cybersecurity organizations. It is amazing. And they come from different facets of life. They do come from different careers. And we always have these discussions, right? I'm not able to discuss in a team meeting what I want to say. So I think having that seat at the table - I know that's so - that's emerging. Everyone's talking about that - you know, having a CISO chair at the board meetings to, like, having a say at a team meeting, right? I think women - inherently we have that imposter syndrome. We're like, oh, we're not good enough. So I think we do still struggle with that. And I think, you know, opening up and having those leaders to be like, hey, what do you think? - taking a step back and be like, hey, what do you think? Or, do you have anything to say? Like, that's how we bring in different perspectives to the table. And that's how we can grow as an organization or just the world in general. So I think helping each other, I would say. So I totally agree. 

Swathi West: I think the stats are a little bit scary. But I do see with at least the women I talk to - they do still have that, oh, I don't think I'm good enough. I mean, no one's good enough, right? Everyone's learning. Everyone's Googling what's happening in the world. So I think it is more of like being in that leadership, just taking a step back and be like, hey, what's your perspective that you bring to the table? So I think thinking about that would really help in this time of need. 

Dave Bittner: What's your own personal experience? When you were transitioning from engineering to security and privacy, did you find people welcoming? What was your own personal journey there? 

Swathi West: Yeah. Yeah. So I started, like I said, aerospace. I looked for jobs. And then UnitedHealth Group is where I first started my career, with the security and everything like that. I learned, like I said, in the job itself. But it was scary. I'm not going to lie 'cause when we did audits - so I was an auditor then - I used to go ask all these questions. But I moved to Cardinal after the whole auditor side of things. And I actually learned how much goes into security. Like, it is so hard. I mean, we don't bring in any revenue. It's kind of a different mindset, right? Oh, you're just wasting money sitting on the table or something like that. 

Swathi West: So that changed from 2015. There was a struggle first in my career to be like, hey, no, this is important, right? I mean, penetration test is important. Or scan is important. Or we have to do certain things. Timeout's important if you're in the health care industry. So from that to 2022, I mean, health care data is the most expensive data that's out in the world. And you see there are more data breaches that are out in the world. I mean, Colonial Pipeline, you see Kronos, that happened recently. So everything that's happening changed the tone. So I would say initially when I first started my career in cybersecurity, there was a lot of learning, there's a lot of teaching that went into it, but now I think there is a lot of acceptance in the world, like, yes, this is important. We have to do certain things because, you know, we create that panic. We created a lot of panic when Colonial Pipeline happened. So they know - everyone knows that it's important. It's just, a breach is, like, not affecting one organization, it's going to affect everyone. So I think for security professionals now, there is a lot of understanding that happens. So it took a while for me, but now I think we're in a space that everyone accepts this is important and we have to do the right thing for everyone else in the world. 

Dave Bittner: What's your advice, you know, for that young woman who's coming up through college or maybe someone who's older and considering a career change? Do you have any words of wisdom there to encourage them to hang in there? 

Swathi West: Yes. I always go by this. The one thing I tell is, don't be intimidated, right? I'm sure even a CEO or CIO, CTO - they'll still have to learn something. There's - everyone's always learning. So don't be intimidated to take that first step, and it is not the old traditional way of, like, thinking it's a ladder. It is a jungle gym, like, you know, Sheryl said in a book, "Lean In." So I would say, you know, just if you have an opportunity, take it. Learn, and there's so many other certifications or self-learning - just knowing the terms, right? Knowing those terms helps, and my first job, I did a lot of learning before the job or interview. So just learning what's going on in the world, just talking about a breach and if you're interested in that, and be like, why did this happen - right? - that curiosity. So, you know, that's what I would say to these - all these young women or anyone changing career, just have the curiosity to learn and you'll succeed. 

Dave Bittner: That's Swathi West from Barr Advisory. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story came by - this is from Wired, written by Lily Hay Newman and it's titled, "A Big Bet to Kill the Password for Good." 

Joe Carrigan: Oh, we can hope. 

(LAUGHTER) 

Dave Bittner: I know. So what's going on here, Joe? 

Joe Carrigan: So the FIDO Alliance is saying that they have an idea here. The FIDO Alliance is a large alliance of companies. FIDO stands for Fast Identity Online. 

Dave Bittner: Yeah. 

Joe Carrigan: And the idea is we're going to get rid of passwords and essentially just use cell phones for authenticating people to their devices - or to their accounts, rather, not to their devices. So because cell phones are so ubiquitous... 

Dave Bittner: Right. 

Joe Carrigan: ...And they have all these security features built into them now... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, the secure enclave, the processors that are capable of doing these cryptographic algorithms... 

Dave Bittner: Yep. 

Joe Carrigan: ...Why not leverage that to make a secure way to log on that doesn't involve passwords? 

Dave Bittner: So we've reached the point now where, thanks to all those things, again, the ubiquity of these devices... 

Joe Carrigan: Right. 

Dave Bittner: ...Also the fact that they have biometric capabilities. 

Joe Carrigan: Biometric - that's right. 

Dave Bittner: Yeah. 

Joe Carrigan: Big thing is like, for example, I have a Microsoft Authenticator on my phone. When I log into my Microsoft account, my personal Microsoft 365, the home and business account - a home and student, that's what it is - I don't use a password to authenticate to that. I use my Microsoft Authenticator app... 

Dave Bittner: Right. 

Joe Carrigan: ...To get access to my Microsoft account. And they essentially say, we're about to send you a code on your phone. And on my phone, there's a code and before I can access it, I have to push my thumbprint - put my thumbprint on this terrible Google Pixel 6 fingerprint reader. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I don't know why they changed it. The one on the Pixel 3 was so much better. This one's awful. 

Dave Bittner: But you digress (laughter). 

Joe Carrigan: But I digress, right. Once I've authenticated biometrically, I can enter the right code and I'm into my Microsoft account. 

Dave Bittner: Right. 

Joe Carrigan: There has been no password exchanged. 

Dave Bittner: Yeah. Yeah. And it's great. I mean, when it works, it works great. 

Joe Carrigan: Right. 

Dave Bittner: I, similarly - you know, if I have the opportunity to enable, like, Face ID, which I use on an iOS device, I'm all in on that. 

Joe Carrigan: Right. 

Dave Bittner: You know, it seems like - it strikes me as being secure enough, but boy, is it convenient. 

Joe Carrigan: Yeah, and Face ID is actually a really, really good biometric authentication device, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, it doesn't just take a picture of your face and see if that's you - right? - see if it matches some model it has. It has two cameras. It takes a 3D image of your face, right? It checks to make sure that there's a pulse flowing through your face. 

Dave Bittner: Yeah. 

Joe Carrigan: It actually does that. I mean, that's one of the things it looks for... 

Dave Bittner: Yeah. 

Joe Carrigan: ...By examining the red part of the spectrum that comes through. And then it authenticates you. So you can't have somebody that's - you can't make a 3D model of somebody's face and show it to the camera. That won't work. You can't use it on a dead person. That won't work either. 

Dave Bittner: Right. 

Joe Carrigan: There's all kinds of different - oh, it does a lot of checking on eye movement as well. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: It's remarkable. All these things are great, you know, but I've said my piece on this show and on "Hacking Humans" about biometrics, so I won't go into that and bore everybody with that again. But it's interesting. This article also talks about how this data is kept in the cloud, right? And it's secured on the cloud. It's encrypted. So when you need to get access to it, you have access to it. 

Dave Bittner: Right. You get a new device or you lose your phone or it's damaged or something like that, it's relatively easy to get up and running again. 

Joe Carrigan: Right. The one concern I have about this is that it shifts the focus to the iCloud account, right? So if I can trick you out of your iCloud account, I can get access to a lot of stuff that you have. Well, I don't know how Face ID works, but, like, the biometrics on this phone - I just got this Pixel 6 a couple months ago. 

Dave Bittner: Yeah. 

Joe Carrigan: And when I had to set up my biometrics on here, it wasn't, oh, we have your biometrics on file. Let's see if they match. It was, let's go ahead and set up new biometrics for you, Joe, because this is a new sensor. 

Dave Bittner: Right. 

Joe Carrigan: So physically, it's a different device and needs me to re-enter it. So that information is not stored in the cloud. It's stored in the device, I think. 

Dave Bittner: Yeah. Yeah. Same thing - yeah. I mean, and, like, on iOS devices, it's in the secure enclave, so it doesn't go to the cloud. 

Joe Carrigan: Right. 

Dave Bittner: Like, your actual biometrics don't go there. 

Joe Carrigan: Right, and that's probably by design. 

Dave Bittner: Yeah, absolutely. 

Joe Carrigan: And it's probably a good design decision as well. But... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: ...It doesn't stop somebody from setting up - getting access to your Google or Apple account and then setting up biometrics and then having the secure enclave on the phone say, yep, these biometrics are good. 

Dave Bittner: Yeah. What do you suppose the transition is going to look like here, though, as - if indeed we're going to move away from passwords... 

Joe Carrigan: Right. 

Dave Bittner: ...There's going to be a transitional period. And if there's one thing we know, it's how people feel about change. 

Joe Carrigan: Yeah, they hate it. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: It's - here's what I'd like to see... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is passwords be listed as deprecated authentication means, right? We don't - you know, like we do in software development when we have an old function or method in a library that's no longer used anymore, that gets marked as deprecated - right? - which means it goes on your to-do list of stop using that, start using the new one. 

Dave Bittner: Right. 

Joe Carrigan: And do that with this authentication means, right? Get rid of your password and change to this new FIDO standard and be on board with it because we're deprecating passwords. 

Dave Bittner: Right. We're going to give you escalating warnings over time that... 

Joe Carrigan: Right. Exactly. 

Dave Bittner: ...Time's running out (laughter). 

Joe Carrigan: The new accounts, when they set up, they have to use the FIDO device - right? - or the FIDO standard. 

Dave Bittner: So for new accounts, don't give you - don't even give you the option of going with... 

Joe Carrigan: Don't even give you the option of going with the password. 

Dave Bittner: Yep. Yep. Yep. All right. Well, it's an interesting article. Again, this is over on WIRED, written by Lily Hay Newman, talking about this new white paper that the FIDO Alliance has put out. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.