The CyberWire Daily Podcast 6.8.22
Ep 1595 | 6.8.22

Cyber war: a continuing threat, a blurry line between combatants and noncombatants. Chinese cyberespionage and its “plumbing.” CISA adds Known Exploited Vulnerabilities. News from Jersey.


Dave Bittner: U.S. officials continue to rate the threat of Russian cyberattack as high. Civilians in cyberwar. Broadcast interference and propaganda. A joint CISA/FBI warning of Chinese cyber-espionage. What gets a vulnerability into the Known Exploited Vulnerabilities Catalog? Andrea Little Limbago from Interos and Mike Sentonas from CrowdStrike join us with previews of their RSA Conference presentations. And finally, some Jersey-based cyber campaigns. That's the bailiwick, not the Garden State.

Dave Bittner: From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, June 8, 2022. 

US officials continue to rate the threat of Russian cyberattack as high.

Dave Bittner: U.S. cybersecurity officials speaking at the RSA Conference here in San Francisco have urged businesses not to grow complacent about the continuing threat of cyberattack. The Wall Street Journal quotes CISA's Jen Easterly as saying, I don't think we are out of the woods in terms of a threat at this point in time. We're only 100 days into this war. We know that it's part of the Russian playbook to use malicious cyberactivity, whether it's through a state-sponsored entity, whether it's through criminally aligned groups. Given the kinetic nature of the fighting, the brutality and the atrocities, there has been a lot of focus on that aspect of it, but there has also been a huge amount of cyberactivity from the Russians against Ukraine. 

Dave Bittner: NSA's Cybersecurity Director Rob Joyce concurred. He said, what I can say is, from intelligence, the threat was and is real. The Russians have a capability that we need to be cautious about, and they are at a decision point of if or when they choose to apply that. An op-ed by Easterly and National Cybersecurity Director Chris Inglis published this week in CyberScoop also emphasized the continuing threat of Russian cyber operations. 

Dave Bittner: Russia, for its part, sees aggression in cyberspace as largely an American phenomenon. A Washington Post analysis summarizes recent statements from Moscow warning that the U.S. must face the consequences if it continues what the Kremlin characterizes as a cyber campaign against Russia. Foreign Ministry Cyber Lead Andrei Krutskikh said, we do not recommend that the United States provoke Russia into retaliatory measures. A rebuff will certainly follow. It will be firm and resolute. However, the outcome of this mess could be catastrophic because there will be no winners in a direct cyber clash of states. 

Dave Bittner: And the U.S. continues to detail Russia's use of cybercriminals as deniable privateers. The gangs amount to a force multiplier. Decipher quotes Matt Olsen, U.S. assistant attorney general for national security, who spoke about the issue at RSAC. He said, we know they're very focused on being able to establish persistent access to United States critical infrastructure, and they have a very sophisticated set of actors in their foreign intelligence service. They also have a force multiplier in the way they're able to co-opt the criminal groups. We're still seeing that trend of Russia cooperating with the criminal groups. 

Dave Bittner: The Wall Street Journal notes that U.S. sanctions have presented the gangs with difficulties in monetizing their attacks, particularly their ransomware attacks, by interfering with their ability to receive and launder payments. But that's interference only with their ability to cash out, not their ability to go on the attack. Their role as combat multiplier is likely to continue. 

Civilians in cyber war.

Dave Bittner: Western tech companies - notably Palantir, Google, Microsoft and SpaceX to list just a few - have played a significant part in delivering support to Ukraine in the cyber phases of the current war. Their role is an overt, legitimate and, so far as can be seen, defensive counterpart to the role being played by privateering gangs working on behalf of Russia. 

Dave Bittner: But these and other activities also raise questions about how easy it will be to develop norms for cyber conflict along the lines of those that exist for armed conflict; that is, kinetic war. One of the principal tenets of the just war tradition is discrimination; that is, the obligation belligerents have to distinguish the military from civilians and to avoid civilian harm. Military targets are legitimate targets under the usages of war, but for the most part, civilian targets should be off limits to attack. 

Dave Bittner: Wired notices, however, that the proliferation of tech, the ubiquity of smartphones may be eroding the military-civilian distinction. Civilians are using their devices, sometimes with apps dedicated to that purpose, to help Ukrainian forces keep track of Russian activities. Espionage, for example, is not protected by the laws of armed conflict. Is someone in a village who phones in a report acting as a spy and thus as a combatant? The question isn't entirely new, but the sheer quantity, the ready availability and the connectivity that consumer electronics now give people has given that question more importance and has rendered the answers murkier. 

Broadcast interference and propaganda.

Dave Bittner: Over the weekend as Ukraine played Wales in a World Cup qualifying round, Russian operators replaced the game feed on the online television platform OLL.TV with what Ukraine's State Service of Special Communication and Information Protection called propaganda news by Russian mass media. The Russian news feeds, of course, featured tendentious coverage of the special military operation. OLL.TV halted the feed until it could eject the Russian content and resume normal broadcasting. The SSSCIP continues to express concern over disinformation, which it sees as a core Russian threat. GovInfoSecurity points to OLL.TV's Facebook page, which put the incident down to envious Russian soccer fans' resentment of Ukrainian success. They said, envious Russia is trying to spoil the viewing of the match of the national team for the 2022 World Cup. We are making every effort to neutralize the cyberattack as soon as possible. 

Joint CISA/FBI warning of Chinese cyberespionage.

Dave Bittner: CISA and the FBI yesterday provided an overview of ongoing Chinese cyber-espionage activity against U.S. targets - Alert AA22-158A. Beijing's threat actors, the alert says, continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. Their typical approach is to compromise unpatched network devices, especially small office or home office routers and network-attached storage devices. Compromised SOHO routers and NAS devices can then serve as additional access points to route command and control traffic and act as midpoints to conduct network intrusions on other entities. The threat actors' initial targets are commonly telecommunications or network service providers, where they use the RouterSploit and Router Scan open-source frameworks to identify points of vulnerability. From there, they look for critical users and infrastructure, including systems critical to maintaining the security of authentication, authorization and accounting, obtain appropriate credentials and proceed to act like authorized users. The alert recommends 14 practices organizations should follow to render themselves harder targets, and the first of those is patching. 

Dave Bittner: NSA's Rob Joyce told the Record, as he characterized the Chinese activity, this work is building the foundation that they can do all of their objectives. This is their plumbing. 

Dave Bittner: CISA has also outlined the criteria it uses to select issues for inclusion in its Known Exploited Vulnerabilities Catalog. The three basic criteria are, first, the vulnerability must have been assigned a CVE identification; second, it must be, as the catalog name implies, undergoing active exploitation in the wild - no proofs of concept or thought experiments need apply; and third, there must be what CISA calls clear remediation guidance available. Shortly after noon today, CISA added 36 new vulnerabilities that meet these three criteria to its catalog. The U.S. federal agencies whose security CISA oversees must report remediation of all the issues by June 22. 

Jersey-based exploitation.

Dave Bittner: And finally, the Jersey Evening Post reports that threat actors were using devices in Jersey they'd obtained control of to mount unspecified cyber operations against targets in Europe and North America. The Post says, Matt Palmer of the government's Cyber Emergency Response Team said between 5 and 13 compromised machines targeted computers in the United States, Germany and Hungary, although it is not known who was behind the attacks. Investigation and remediation are underway. Listeners take note - this is the Bailiwick of Jersey, not the U.S. state of New Jersey. It's the Channel Islands, not the Garden State. Forget about it. 

Dave Bittner: Mike Sentonas is chief technology officer at CrowdStrike. And here at RSA Conference, he's co-presenter of a talk titled "Hacking Exposed: Next-Generation Tactics, Techniques and Procedures." He joins us with highlights from the presentation. 

Mike Sentonas: George Kurtz and I, who were doing the presentation together, were thinking about what we wanted to do as part of the "Hacking Exposed" series. And basically, with the rise in popularity of containers and the use of containers, we wanted to explore that a little bit because a container escape is probably the worst-case scenario because an adversary could, in theory, exploit a containerized app's vulnerabilities or misconfiguration to breach its isolation boundary. So it is pretty serious. It's not that easy. But when it does happen, it's pretty severe. And we wanted to demonstrate that at RSA. 

Dave Bittner: I should mention that the presentation is this coming Thursday, June 9. It's at 9:40 a.m. over at Moscone South. And it's titled "Hacking Exposed: Next-Generation Tactics, Techniques and Procedures." When we're talking about next generation, what do you put under that umbrella? 

Mike Sentonas: Yeah, it's an interesting - I mean, from an attack technique perspective, like I said, we're focused on containers. And the reason why we kind of called it that is it's very different to a traditional attack where you're targeting a host machine or a piece of hardware directly. And what was interesting about this particular session that we're going to do, when we were planning the topic and we were planning through some ideas, our research team actually found a vulnerability. So we're using something that we submitted. It's got a CVE number, a risk rating of 8.8. So it's pretty high. And effectively, when that vulnerability is invoked, an attacker can escape from a Kubernetes container and then get root access to the host. And then at that point, they can move anywhere in the cluster. 

Dave Bittner: Now, for folks who may not be all that familiar with Kubernetes containers, can you give us a little bit of the background there of why this is a specific threat? 

Mike Sentonas: Yeah. So people obviously are probably more familiar with virtual machines. I'm sure, obviously, a lot of people listening in are very familiar with containers as well. But containers and virtual machines are very similar resource virtualization technologies. Virtualization is the process where a system has singular resources using RAM, CPU, disk, et cetera, networking. All of those capabilities can be virtualized and represented actually as multiple resources. But what's different about a container is where virtual machines virtualize an entire machine down to the hardware layers, containers only virtualize software layers above the operating system level - so very lightweight containers. Containers are very lightweight. They can execute. They contain a software application. They - you know, they have dependencies. There's obviously pros and cons for using all of them. But obviously, in the case of what we're talking about here, the entire host can be compromised because of a problem in a container. 

Dave Bittner: Can you give us a little sneak preview of some of the things that you're planning on covering? 

Mike Sentonas: Yeah. So I'm going to go into a little bit of detail about the differences and a little bit more detail between virtual machines and containers, the pros and the cons. We're going to talk about container escapes, talk about the concept where processes in a container should be isolated from the container host. And if you circumvent that, it's called a container escape. And then we're going to talk a little bit about CRI-O, which is a container runtime engine that underpins Kubernetes. And so it's a lightweight alternative, if you will, to the better known containerd or a Docker-made runtime solution. It's used by Red Hat OpenShift. It's used by Oracle container engine. OpenSUSE Kubic uses it. So it's very, very popular. And we're going to go through a vulnerability where - in CRI-O, which basically causes this entire problem. So version 1.19 introduced support for sysctl control. That allows the ability to set kernel options for a pod, and that's where the problems kind of start. So we're going to show the hack, and then we're going to show some practical advice on how you can limit these sorts of issues from happening in the future and, of course, fix this one up specifically. 

Dave Bittner: And what do you hope people come away from the presentation with? 

Mike Sentonas: Yeah, it's a really good question, Dave, because I think, you know, when you look at security for containers, a lot of people really focus on detections, and they focus on security for the actual containers themselves. And a lot of the time, when we do incident response, we see that the underlying host was forgotten. And we want to make sure that people understand how these issues can happen, the scope of the problem, how severe they can be. And we want to give them some practical advice for, how do you, you know, detect these things in the future? How do you prevent them? How do you minimize your attack surface? How do you think about the host? And just make sure that if people aren't aware of these problems that happen - that can happen with containers, that they walk away with a few of those practical examples, and they can apply them back in their office. 

Dave Bittner: From a personal point of view, any thoughts on being back together, face to face, here at the RSA Conference? 

Mike Sentonas: It's a mixed feeling, to be honest with you. The last conference in 2020 was the week before COVID really took off in the U.S. - so yeah, the first time being back together. I think just everyone that I've spoken to, myself included, were just so excited to connect and spend a little bit of time together. Hopefully, everyone can do that safely and securely and, you know, no one gets COVID and takes it by hand, which is obviously the most important thing, to make sure everyone stays safe. But we're really, really excited to connect with everybody in person. It's long overdue. 

Dave Bittner: That's Mike Sentonas from CrowdStrike. 

Dave Bittner: Andrea Little Limbago is senior vice president of research and analysis at Interos. Her RSA Conference presentation is titled "A Data Faustian Bargain: An Analysis of Government-Mandated Data Access." We got together for a preview of her talk. 

Andrea Little Limbago: You know, for decades now, companies have expanded their global footprint in various countries. And in many cases, they've had to make the bargain that, in exchange for market presence, they may or may not have to have data access as a component of it - so depending on what country they're in. And increasingly, it is a requirement that, for it to be located in a certain country, you're going to be underneath the regulations and requirements that a government can ask for data upon request with, you know, minimal accountability and oversight. And so it puts your data at quite a bit of risk in those kind of countries versus others that have more individual data protections and so forth. And so what I want to do is really look at the evolution of that and create a scale for countries that are protecting the data better, where companies, if they decide to have a global footprint in those countries, will not have to have as much of a security risk versus others where it is a much greater security risk for data access. And there basically is, you know, no need to hack into your - because you're required to hand over the data if they ask for it. 

Dave Bittner: Right. Right. Can you give us an example of sort of the spectrum of what we're talking about? Like, can you - can we name names? Who's on either end of the spectrum? 

Andrea Little Limbago: We can, yeah. And that's exactly a good way to think about it because it is a spectrum. It's 100% a spectrum where we've got China on one end, which, you know, not terribly surprising, where within their data privacy and security laws, although there are aspects along the lines for data privacy like data minimization and so forth, they also have a - you know, sort of a loophole for, oh, by the way, you know, if the government does ask you for data, you have to turn it over if you want to have a footprint in that country. And then so you have that on the one extreme, and there are many governments that are starting to include that aspect or other kinds of interesting tools, such as a required government certificate to be placed on all computers that basically provides a - you know, a person in the middle kind of attack or access to data. So that's on one end. And then there are a couple of different regulations that are popping up with different means to provide that data or access to that data. 

Dave Bittner: Right. 

Andrea Little Limbago: And then on the other end of the spectrum is something like the European Union's GDPR, where it has individual data protections and so forth and has much greater transparency and accountability and judicial oversight in case the government does ask for various kinds of data. So that's, you know, built into the index. I look at sort of a spectrum of areas where it's - you know, data could be turned over by governments but, you know, is there some sort of transparency and accountability? 'Cause that does make a big difference if there's judicial oversight as well 'cause, at the end of the day, almost every country, under the auspices of national security, will say, you do have to turn over data. And so from there, it's, you know, at - how much oversight is there? How often is it happening? Is it because - is it just, like, simply for a footprint there, or does it have to be, you know, some sort of, you know, event to actually prompt some of it? So there's a lot of different circumstances, and I try and tease out a lot of those different areas within the index. 

Dave Bittner: When we look at a country like China, is it an all-or-nothing proposition? 

Andrea Little Limbago: At the end of the day, there's no guarantee that they will ask you for your data if you're a company, and so you may be completely fine. But there is the... 

Dave Bittner: The specter is always hanging over. 

Andrea Little Limbago: The specter is always - that's exactly right. Yeah. It always will be there that they - that if you do have data, and they're - that gets back to some of the data localization, data sovereignty laws where data has to be stored in those countries. 

Dave Bittner: Right. 

Andrea Little Limbago: So if the data actually has to be stored there, they can request to access it. And that - and in some countries where the data localization requirements are there, it may not be such a big concern, such as, you know, within Canada, for instance, or some aspects of the EU and different kinds of data it requires to be stored there. But then conversely, having to have your data stored in China does pose a bigger threat for those kind of reasons. And given the - you know, the huge history of IP theft, you know... 

Dave Bittner: Yeah. Yeah. 

Andrea Little Limbago: It's not unprecedented. 

Dave Bittner: Right. 

Andrea Little Limbago: It's just wanting to be stolen. 

Dave Bittner: Yeah. 

Andrea Little Limbago: You'd have to start over. 

Dave Bittner: I guess I'm wondering, you know, if you think about a big company like Apple with the huge manufacturing presence they have in China but also wants access to the huge market that is China, how do they straddle that and also have any legitimacy when they - when their messaging says they're leading with privacy? 

Andrea Little Limbago: True. And that's exactly - so that's part of the Faustian bargain, right? 

Dave Bittner: Yeah. 

Andrea Little Limbago: For - that they - in exchange for market access, they're going to have their data at greater risk. And it is. It's completely, you know, orthogonal to the - every billboard we're seeing around RSA right now with the - you know, Apple is the leader in privacy. 

Dave Bittner: Right. 

Andrea Little Limbago: So it is something that I don't think there's been enough discussion of. And at the same time, we are seeing Apple start to explore a more diverse footprint, talking about moving some of their manufacturing to Vietnam, for instance. And so it'll be interesting to see what they do going forward because they have been fairly ingrained and fairly, you know, dependent, writ large, with the geographic concentration risk in that area. And so it'll be interesting to see going forward as they seek to diversify both because of, you know, range of export controls and also due to data and security risks. 

Dave Bittner: You know, I mean, GDPR famously has global reach. Is this sort of policy thing the kind of thing that can, I don't know, extend even to things like treaties, you know, international agreements? Where do we stand with that? 

Andrea Little Limbago: Yeah, they are increasingly. We're starting to see it. So even the NAFTA 2.0 has cross-border trade - or cross-border data flows as part of it. And so we are seeing, within various kinds of international agreements, cross-border data flows and specific components of that within, basically, trade treaties. So we are increasingly seeing that, which is really interesting. And in many cases, they actually contradict some of the actual country-specific data laws. And so they have to try and harmonize those within specific countries as well. So that's - a lot of different layers are going on. And it's through a variety of different areas where you're starting to see data and security and trade and industrial policy all starting to kind of merge together now. 

Dave Bittner: Yeah. What are the take-homes for the presentation you're giving here? What do you hope people leave with? 

Andrea Little Limbago: You know, I'm hoping that they leave - is that, really, we're heading into an area where, you know, the new normal is that we're seeing this dramatic dynamism in the regulatory environment for data right now. It's been fairly static for decades. And now, I mean, almost every week you're starting to see a new data policy pop up. And because - and in the U.S., there was - you know, a bipartisan agreement was just - was leaked as far as a data privacy law. 

Dave Bittner: Right. 

Andrea Little Limbago: So we'll see where that goes. Depending on those new regulations and depending on their firm's global footprint, their data is more or less at risk 'cause they need to think about - they're thinking about their data risks and looking at their cybersecurity risk strategies. They should think about their global footprint and those - the footprint of their suppliers and their main partners as well because those partners have their data. And if those partners are in those countries that might be more at risk, they really need to start thinking about how to secure that. It should inform their data minimization strategies, their access controls, all aspects of, you know, normal cyber hygiene that they should be considering. They need to consider this as well as, you know, sort of another layer on top of, you know, some of the complex environment they're already thinking about in the regards of cyber risk. 

Dave Bittner: Yeah. All right. Well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thanks so much, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Racheal Gelfand, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.