The CyberWire Daily Podcast 6.3.22
Ep 1592 | 6.3.22

Managing messaging in a hybrid war. Anti-Tehran hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A threat to firmware. CISA warns of Confluence exploits.


Tre Hester: Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. U.S. remains on alert for Russian cyberattacks. Iran - anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from the SANS Institute on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer," co-authored by Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Friday, June 3, 2022. Russia wants the rest of the world to take its official and semiofficial sources seriously and wants the world to treat Russia's outlets and their output with proper respect. Reuters quotes Foreign Ministry spokeswoman Maria Zakharova saying, quote, "If the work of the Russian media - operators and journalists - is not normalized in the United States, the most stringent measures will inevitably follow. To this end, on Monday, June 6, the head of the Moscow offices of all American media will be invited to the press center of the Russian Foreign Ministry to explain to them the consequences of their government's hostile line in the media sphere. We look forward to it," end quote.

Western support for Ukraine in cyberspace. 

Tre Hester: The commander of U.S. Cyber Command, General Paul Nakasone, told Sky News this week that, quote, "We've conducted a series of operations across the full spectrum - offensive, defensive and information operations," end quote. And that clearly was not an off-the-cuff remark. CNN reports that, quote, "a spokesperson for the command did not dispute the accuracy of the article but declined to elaborate on what the command's operations in Ukraine have entailed," end quote. A senior U.S. official, speaking anonymously with CNN, said that the U.S. was comfortable letting Moscow know that the U.S. has been active against Russian interests in cyberspace. It complicates an already difficult war for Russia and induces considerable uncertainty into Russian planning. They're not sure what the U.S. is capable of or willing to do, and they're uncomfortable with not knowing. The Western private sector has also made contributions to defense against Russia's threat against Eastern and central Europe. Google today published an overview of the steps it has taken to help improve security in the region. The company's announcement expresses gratitude for the peace prize it received from Ukraine's government at Davos and then discusses its activity elsewhere. Quote, "To build on our efforts, we are expanding our cybersecurity partnership and investment in central and Eastern Europe. Last month, a delegation of our top security engineers and leaders met with organizations and individuals in Czechia, Poland, Lithuania and Latvia. They trained high risk groups, distributed security keys, engaged in technical discussions with government experts and supported local businesses in shoring up their defenses," end quote. In addition to intelligence reporting by Google's Threat Analysis Group, the company has also provided direct security support to individuals and organizations at particular risk. 
Quote, "To help address these threats, our high-risk user team conducted workshops throughout the region for dozens of nongovernmental organizations, publishers and journalists, including groups and individuals sanctioned by the Kremlin. We distributed around 1,000 security keys - the strongest form of authentication - and trained over 30 high-risk user groups on account security. We also launched, in collaboration with Jigsaw, the Protect Your Democracy Toolkit, which provides free tools and expertise to democratic institutions and civil society. We heard directly from high-risk organizations like the Casimir Pulaski Foundation, the International Center for Ukrainian Victory, NGOs supporting refugees and exiled activists and leading publishers across Europe who told us how critical Google's no-cost security tools, like the Advanced Protection Program and Project Shield, are keeping them safe online. We are grateful for their valuable insights to inform future product development," end quote. 

And Western nations remain on alert for Russian cyberattacks.

Tre Hester: While the crippling Russian cyberattacks against infrastructure that were widely feared have not materialized, the U.S. Justice Department remains focused on the cyberthreat from Russia. Quote, "At DOJ, we're particularly focused right now on the cyberthreat from Russia," end quote. The Voice of America quotes Matthew Olsen, head of the Justice Department's National Security Division - quote, "And we are bracing for the possibility of more attacks," end quote. A great deal of the Russian combat load in cyberspace is being carried by Moscow-aligned cybercriminal gangs, especially extortionists. 

Iran: anti-government hacktivism.

Tre Hester: AFP reports that an Iranian dissident hacktivist group, the People's Mujahedin of Iran, has claimed to have taken control of some municipal websites in Tehran and to have also gained access to the city's surveillance cameras. There's no independent confirmation of their claims. Much of the hacktivists' operations consisted of defacing websites to display images of MEK leadership. 

Iran: Tehran-sponsored cyber ops.

Tre Hester: Microsoft announced late yesterday that it disrupted a cyber operation against Israeli organizations mounted by the Lebanon-based group Redmond tracks as Polonium and associates with Iran's Ministry of Intelligence and Security. The campaign targeted OneDrive users, and Microsoft says it, quote, "suspended more than 20 malicious OneDrive applications created by Polonium actors, notified affected organizations and deployed a series of security intelligence updates that will quarantine tools developed by Polonium operators," end quote. 

Rebranding as sanctions evasion.

Tre Hester: Mandiant researchers yesterday described efforts by criminal gangs - for the most part, Russophone gangs, and notably Evil Corp - to rebrand themselves in an effort to evade sanctions imposed by the U.S. government. The Wall Street Journal explains that U.S. sanctions have made it more difficult for victims to pay ransom without themselves violating the law, and the gangland hope is that rebranding will amount to sufficient misdirection to keep the ransom payments flowing. 

A gangland threat to firmware.

Tre Hester: Eclypsium researchers yesterday described an attempt by Conti operators to develop ways of exploiting the firmware of Intel processors. Quote, "in addition to the classical attacks that target UEFI and BIOS directly, attackers are now targeting the Intel Management Engine or the Intel Converged Security Management Engine. The Intel Management Engine is a physical microcontroller that is part of the chipset of modern Intel-based systems. It supports a variety of capabilities, such as out-of-band management," end quote. Eclypsium found evidence of the attempt as it sifted through Conti chatter obtained and leaked early in Russia's war against Ukraine by dissatisfied Ukrainian collaborators with the cybergang. 

CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog.

Tre Hester: And finally, yesterday, the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, added a Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134) to its Known Exploited Vulnerabilities Catalog. CISA explains, quote, "versions of Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthorized attacker to perform arbitrary code execution," end quote. This one requires immediate action under Binding Operational Directive (BOD) 22-01. CISA has told U.S. federal executive civilian agencies to, quote, "immediately block all internet traffic to and from Atlassian's Confluence Server and Data Center products until an update is available and successfully applied," end quote. They have until close of business today to do so and report compliance. This is the shortest deadline we've seen CISA impose under BOD 22-01. 

Tre Hester: Atlassian, which credits Volexity researchers with finding and reporting the issue, rates the vulnerability as "critical." The company said, in an update posted this morning, quote, "we suspect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours." 

Tre Hester: Dave sat down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer," co-authored by Kai Roer. Here's Perry. 

Perry Carpenter: So first, my co-author, Kai Roer, is an internationally well-known guy that has been studying security culture for most of his career. And so one of the things that we wanted to do with that is kind of merge our voices because Kai is well known is - for his research into security culture. I'm pretty well known in my research for awareness and behavior. And as we come together, we can start to paint a lot more complete picture. 

Perry Carpenter: But the other thing that really prompted this is nuance that's in the subtitle of the book. And I know it's a really, really long subtitle, but there are three critical things in it that we tried to pack in. No. 1 is an executive guide, and so this is meant not necessarily for the practitioner but for the audience of a board of directors or a CIO or a CEO that really needs to understand that security culture is important. It's something that lives and breathes in every organization, whether you know it or not. And so the question becomes, how intentional are you about the security culture that you have? How sustainable is that? What do you need to do about it? And so that executive piece is really critical. And our hope is that an executive picks that up, reads the first few chapters, and then says, oh, yeah, we need to do something intentional with this. And then they hand it down to the person that can implement the vision that's explained there. 

Perry Carpenter: The second piece that's in the title is reducing risk. And that really comes down to the fact that the entire reason that security exists isn't for the sake of security. And the entire reason that security awareness exists isn't for the sake of security. It's actually to reduce risk in an organization and make the risk tolerable so that the organization can go forward and do the business that they've been formed to do. And so this is all about risk reduction and up-leveling the conversation to that executive level or board of directors level. 

Perry Carpenter: And then that last piece is developing your human defense layer. And so this is about the human side of things because one of the charts that we show early on is that there's a lot of spending that happens on the technology side of security. Every year, we spend more and more on that, but data breaches are still going up. And when you look at the Verizon DBIR and other reports, the reason that we see the data breaches continue to go up has to do with the human side of things. And so our argument is that we need to put more intention on that so that we can then reduce risk. 

Dave Bittner: Can we take a quick step back and talk about the notion of security culture itself? I mean, one of the things you explore in the book is this idea that security culture has a specific set of dimensions. 

Perry Carpenter: Yeah. You mentioned that we have different dimensions that we break security culture up into, and this is drawn from the social sciences. So we believe that you can measure any type of culture with this. But specifically, we're looking at the security-related nuance. And so we break security culture into seven different dimensions - attitudes, behaviors, cognition, communication, compliance, norms and responsibilities. And one of the interesting things that we say in that is, yeah, as we measure that, we can see whether you're strong or you're weak in different areas, but that doesn't mean that all is lost or all is gained if you see one of those data points. So if you look at your aggregated security culture score and you're concerned about that, you don't have to tackle all seven of those because each of these has a gravitational effect on the other. If you're influencing cognition and giving people the right information to make the right decisions at the right time, you're probably also influencing their attitudes, and you're definitely influencing their behaviors if you see that come to pass. So you can strategically focus on one, two or three of these, and you're going to be pulling the others along the way. 

Perry Carpenter: There's another key thing that comes out in this book, and that is - and this is another reason behind why we created it in the first place - is there's a lot of and has been a lot of talk about quote-unquote "security culture" for years. And people are using that phrase in articles and journals and conference presentations and everything else. The thing that was missing, though, is an actual definition of it. We at KnowBe4 - so this is separate from Kai and I - our employer, KnowBe4, commissioned a study with Forrester a couple years ago. And what we wanted to understand was, do people really know what security culture is, and do they value it? And we found that 94% of people value security culture. They believe that it's an important thing to reduce risk in their organization. 

Perry Carpenter: But then we started to ask the more nuanced question of what do you believe security culture is? And what we found was a shocking fragmentation of what people believe it actually is. Some people believe security culture is following policies. Other people believe that it's the establishment of a security awareness program. Other people believe that it's shared responsibility across an organization. So the funny thing is, is that somebody like me could stand on a stage and say security culture is important, and everybody in the room can be nodding their heads. Everybody believes that they're agreeing to the same thing but everybody actually having a different conclusion of what that means. 

Tre Hester: That's Perry Carpenter discussing his new book, "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer." There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro, and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, it's always great to welcome you back. You know, something that I try to share with as many people as I can is the utility and usefulness of things like password managers. There are a lot of choices out there today, and we want to talk today about some of the options. 

Johannes Ullrich: Yeah. So there are really two big options that you typically have available. There are third-party add-on software that you can buy. There's also some free options that you can install. And then many web browsers have their own built-in password manager that you can use. The problem is a little bit that the quality of these options really varies a lot. And the - these password managers themself, of course, are a big target. Whenever you're assembling a lot of important data in one spot, well, it becomes a target. 

Johannes Ullrich: We recently ran into a case with Google Chrome, where, during an incident, one of our volunteer handlers here, Xavier (ph), he ran into this. They figured out that the attacker compromised an administrator's workstation and then was able to use passwords that the administrator had stored within Google Chrome. And, yeah, I always tell people, use password managers, and you definitely should. I'm not saying don't use password managers. The alternative is way worse, kind of... 

Dave Bittner: Right. 

Johannes Ullrich: ...Of using password managers these days. But it turned out that, actually, Google Chrome in particular here is not really all that careful in how they're saving these passwords. The passwords are encrypted, so that sounds good. But whenever you're dealing with encryption at rest, the next question is, where did they store the encryption passphrase key that's being used here? And it turns out in this case, it was actually stored in the clear in a different file - so relatively simple for an attacker and well-documented how to do this, where an attacker was able to take that key, decrypt the passwords and have access to all the passwords stored in Google Chrome. 

Dave Bittner: Is this, I mean, general advice for browsers, or are there differences between the various browsers of how they approach this? 

Johannes Ullrich: It's really a little bit all over how they approach it. And now browsers like Firefox and Google Chrome - they try to do it a little bit in the operating system agnostic way, so they don't necessarily use the facilities built into the operating system. Safari, which is, like, iOS, Mac OS only - it uses the built-in keychain that these operating systems offer, and that provide some additional security. In Firefox, you do have the option to enter a master passphrase as you're setting up the browser, and it is then being used to encrypt a key. So that provides for some additional security. 

Johannes Ullrich: But overall, browsers usually aren't as careful as these password managers. In particular then, and once you start using the browser, where is the passphrase stored? Is it stored in memory, somewhere in the clear? Are these passwords stored in the clear? A lot of these password managers have thought this through better and now clear out memory once it's no longer being used. Same if you're doing, like, copy-paste with your clipboard. A lot of the third-party password managers, for example, will clear out the clipboard after a minute or after some time to limit the exposure of passwords in clipboards. 

Johannes Ullrich: In general, you probably should try to use a third-party password manager. Gives you, of course, some other advantages, like some cross-application synchronization, sometimes some synchronization across devices. That's also nice to have. You don't have to pay a lot of money for those password managers. Some of them are expensive. Some of them are free. And typically, you have to pay for the synchronization feature. That's where they usually get you, kind of. In general, it's probably worth the effort to set up these applications. If that's too much work for you, then yeah, sure, please use at least the built-in password manager. 

Dave Bittner: Yeah. It's my experience that with a third-party password manager, you know, it's a little bit of work, as you say, to get it set up. But once you've got it up and running, it's pretty seamless and definitely, in my mind, you know, worth the investment of both time and money. 

Johannes Ullrich: I think so, too. But, you know, not everybody may have the ability to set these up, these password managers. So in that case, you're probably better off just using the browser built-in password manager. At the very least, the attacker still needs to compromise your system, which is probably a higher hurdle to overcome than breaching a random website where you're using the same password you're using for your online banking. 

Dave Bittner: Yeah. All right. Well, good advice. Johannes Ullrich, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't forget to check out this weekend's episode of "Research Saturday," where Dave Bittner sits down with Scott Fanning of CrowdStrike. They discuss their work on "LemonDuck Target Docker For Cryptomining Operations." The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here next week.