The CyberWire Daily Podcast 10.4.22
Ep 1676 | 10.4.22

CISA issues Binding Operational Directive 23-01. LAUSD says ransomware operators missed most sensitive PII. Trends in API protection and SaaS security. Making a pest of oneself in a hybrid war.


Dave Bittner: CISA issues a Binding Operational Directive. An LA school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. We've got analysis of cyber risk in relation to software-as-a-service applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themself in Russia.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 4, 2022. 

CISA issues Binding Operational Directive 23-01.

Dave Bittner: Happy fiscal new year to all of our U.S. federal listeners. The first significant cyber policy of Fiscal Year '23 appeared yesterday. CISA opened the U.S. Federal Fiscal Year with Binding Operational Directive 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive specifies desired outcomes for asset visibility and vulnerability detection without prescribing the steps federal executive civilian agencies need to take to comply. The key compliance deadline is April 3, 2023, by which time the organizations falling under CISA's tutelage will be expected to, first, perform automated asset discovery every seven days. 

Dave Bittner: Second, initiate vulnerability enumeration across all discovered assets, including all discovered nomadic or roaming devices - that means laptops - every 14 days. There's some wiggle room here for larger, more complex organizations, and CISA recognizes that it might not be possible to get full visibility in two weeks. Nonetheless, CISA says that enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window. 

Dave Bittner: Third, within six months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard. These data are of interest to CISA as a means of automating its oversight and monitoring of agencies' scanning performance. 

Dave Bittner: And fourth, by April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized by the Executive Order on Improving the Nation's Cybersecurity. Regular reporting will kick in at six-, 12- and 18-month intervals. Again, it's CISA's intention that the directive be understood as a mission order, that there are many ways agencies can comply, and the precise methods and procedures they choose are largely up to them. 

LAUSD says ransomware operators missed most sensitive PII.

Dave Bittner: The Los Angeles Unified School District continues its recovery from the ransomware attack it first reported on September 5. The Wall Street Journal reports that the district says that the data taken by the criminals did not include student or staff psychiatric records, as had been rumored. The district says that the compromised data included little information on students or staff. 

API protection report describes malicious transactions. 

Dave Bittner: Cequence Security has published a report on API security, finding that 31% of the 16.7 billion observed malicious transactions in the first half of 2022 targeted unknown or unmanaged APIs, also known as shadow APIs. Cequence explains, shadow APIs are a particularly pernicious threat that can be categorized as OWASP API9, improper asset management abuse. Shadow APIs are a common problem in organizations that do not have proper inventory on their quality assurance and development API endpoints or their versioning system, and attackers can easily discover API endpoints that will interact with production data. Shadow APIs can also appear when endpoints are coded to accept variables or wildcard inputs, either within the uniform resource identifier path or at the end. Attackers are able to easily find shadow APIs by analyzing a production API, which may be well protected, then simply fuzz or modify the values, enumerating through other API endpoints on different versions under different hostnames or simply accepting random characters at the end of the URI. The vast majority of malicious activity targeting APIs is powered by automation - for example, from sneaker bots attempting to cop the latest Dunks or Air Jordans, or stealthy attackers attempting a slow trickle of card-testing fraud on stolen credit cards, to pure brute-force credential-stuffing campaigns. 

Analysis of cyber risk in relation to SaaS applications. 

Dave Bittner: Varonis released a report today detailing software-as-a-service applications and the cyber risks associated with them. The researchers analyzed 15 petabytes of data from 717 organizations across a number of industries. The researchers found that about 81% of companies analyzed had sensitive SaaS data exposed to the whole internet. The average company has 10% of cloud data exposed to every employee, 157 sensitive records exposed to the open internet through SaaS sharing features, 33 super administrator accounts - with over half of those accounts not utilizing multifactor authentication - and just over 4,400 user accounts without multifactor authentication. 

Dave Bittner: It was also discovered that there are over 40 million unique permissions across SaaS applications and over 12,000 Microsoft 365 sharing links. The most alarming statistic discovered was that 6% of an organization's cloud data was exposed to the entire internet. On average, each terabyte of data in an organization's cloud seems to contain more than 6,000 sensitive files, with nearly 4,000 folders shared with contacts outside of the organization, with more than 2.1 million permissions. Microsoft 365 was also found to be a treasure trove of exposure, with 7% of companies having more than 10,000 exposed files. Alarmingly, there were 10 analyzed companies that had over 100,000 exposed files. Even more startling, one company had more than 1.5 million files exposed in Microsoft 365. In full disclosure, we note that Microsoft is a partner of the CyberWire, and we also note that this exposure is a matter of user configuration, not of vulnerabilities in the software itself. 

Russian cyber operations have achieved nuisance-level effects.

Dave Bittner: Secureworks' State of the Threat report for 2022 is out, and it shares the widespread assessment that the effect of Russian cyber operations in the war against Ukraine has been confined to a nuisance level, stating the war against Ukraine has been revealing for Russia's cyber capabilities. At the outset of the conflict, there were wide fears of destructive attacks with wide-scale repercussions, as was seen with NotPetya in 2017. However, despite a steady cadence of cyber activity directed against Ukrainian targets, some of which is identifiably from Russian government-sponsored threat actors, no widely disruptive attacks have been successful. The most visible Russian threat group tracked by the CTU over the past year has been IRON TILDEN. This group is notable for spear-phishing attacks conducted primarily against Ukraine but also against Latvia's parliament in April. 

And someone is making a nuisance of themself in Russia.

Dave Bittner: And finally, if Russian hacking has been a nuisance as opposed to a war-winner, much the same can be said of hacking directed at Russian targets. In a communique delivered to the Kyiv Post, the National Republican Army - a group that identifies itself as a popular Russian organization devoted to the overthrow of President Putin's regime - said that it has executed a ransomware attack against Unisoftware, a large Russian tech firm. Unisoftware has a number of important clients - the federal tax service, the Ministry of Finance of the Russian Federation and the central bank of Russia among them. And the Kyiv Post said it was able to confirm that some of the data belonged to customers. The National Republican Army declined to say how much secondary access it had achieved but suggested that it had carried out related attacks against large Russian organizations. 

Dave Bittner: Infosecurity Magazine speculates that one of the secondary targets may have been the retailer DNS, which earlier this week disclosed a breach and offered reassurance and apologies to its customers. The attack, DNS said, originated outside of Russia. We emphasize that claims by and about the National Republican Army should be treated with caution and skepticism. The organization, control and even the very existence of the group have reasonably been questioned. That there's some cybercrime going on inside Russia is almost certainly true on grounds of a priori probability alone, but seeing the hand of a serious organized opposition group in that cybercrime probably involves a good deal of wishful thinking being carried out in the interest of Kyiv. 

Dave Bittner: Coming up after the break, Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. Stay with us. 

Dave Bittner: Researchers at identity management and security firm ForgeRock recently published their 2022 Consumer Identity Breach Report, detailing the impact data breaches have on consumers across a variety of industries and regions. For details from the report, I spoke with Eve Maler, chief technology officer at ForgeRock. 

Eve Maler: Here is the scary part for me. It looks to me, in the numbers, like bad actors have learned how to scale. So for one, we had 4.7 billion data records in the U.S. compromised last year. And that is, sad to say, a 37% increase over the previous year. We also saw a 297% increase in username and password compromises. And so these are just indicators that, you know, things are sort of accelerating. And I think that's partly pandemic era and partly, you know, the consequences of digital transformation - kind of the downsides - and partly just, you know, bad actors learning how to kind of automate and scale to new heights, if you will. 

Dave Bittner: What sorts of things are you tracking in terms of what sectors are being targeted here? 

Eve Maler: We were able to look at the financial services industry, health care, social media. And one of the things we noticed was that health care was the most targeted industry for the third year in a row. The cost of a retail breach actually jumped up to $3.27 million. That's sort of average per breach. And that is a 63% increase from the prior year. And then financial services - the financial services industry saw 10% - maybe only, of all records breached by ransomware attacks - but experienced 22% of all phishing attacks that we saw last year. So there's, like, some consequences for, you know, industries that are important to all of us. 

Dave Bittner: And how do you explain these trend lines? I mean, is - are the threat actors getting more sophisticated, are we becoming better at reporting these things, or is it a mix of all that? 

Eve Maler: There are some imperatives starting to appear on the scene regulatorily (ph), to require reporting of data breaches. However, that's not something that we can really rely on yet. It's not, you know, something we can say, well, we've caught all of them. We can see everything. I think what it indicates is that cybercriminals are actually figuring out the tools to do what I call a one-two punch. So when you think about the number of credentials - so usernames and passwords - from breach one, they can be leveraged by a cybercriminal to perpetrate breaches two, three, four, five. And what they're doing is they're - those subsequent breaches often are - they're more data-rich. 

Eve Maler: So I'll just give you some numbers to put this into perspective. We had 45% of breaches last year containing a username and password versus 8% the prior year, which is really significant as an increase. What we saw around data-rich breaches - think about date of birth and Social Security number. We saw 60% of all records breached including either a Social Security number or date of birth or both. And that nearly doubled from the previous year. So I think it's evidence that we've got credentials, whether they were secured through - whether they're exfiltrated through unauthorized access of various sorts or whether there might have been a more targeted phishing attack, you're seeing those turned into greater power on the part of the bad actors. 

Dave Bittner: Well, so based on the information that you all have gathered here, what are your recommendations? How do we stem this tide? 

Eve Maler: Well, if cybercriminals are learning how to scale, we need to learn how to scale. And one of the best tools that you can apply is actually artificial intelligence, machine learning, heuristic checking. So artificial intelligence is a way that you can start to apply mitigations kind of in machine time versus human time. You know, we all have foibles. We all may be susceptible to social engineering attacks, phishing attacks. So if you can use artificial intelligence techniques - so we think of it as autonomous, ways to go autonomous. So autonomous identity to - is our approach for, you know, making sure that entitlements aren't overbroad so that you can help prevent lateral movement once a bad actor is in your system, or autonomous access, which is our way of gathering a diverse set of risk signals so that you can then make appropriate authorization decisions. So artificial intelligence is a fantastic tool. That's number one. 

Eve Maler: Number two, credentials are the really weak spot in this picture - usernames and passwords, particularly. And the world has changed a bit in the last year or so. We've got tools such as the FIDO2 standards, which enable, in the main, passwordless experiences of authentication that mean that if a password exists, it's not exposed as much to bad actors. And in a lot of cases you can start to get rid of that password in the authentication equation, for example, using a known device. And a lot of people have devices capable of this kind of passwordless interaction. And once the credentials are not there to be stolen, they can't be leveraged for the increasingly data-rich breaches. 

Dave Bittner: Are you optimistic that we can get a hold of this, that we may be headed in the right direction? 

Eve Maler: Yeah, I actually think so. I mean, the numbers were not looking good in 2021. At the same time, some of the technologies that have been able to help us mitigate these risks, tackle these risks have been on the upswing in 2022. So AI absolutely - you know, we really believe that identity is the right layer for unifying your systems of intelligence, whether it's threat intelligence, fraud intelligence, even customer intelligence. And - because you really have to infuse identity into your systems to make those good decisions, whether it's about authorization or even upsell and cross-sell. And also, this move towards passwordless authentication becoming a kind of no-compromises solution so that you can have great security and also a great experience - that's becoming ever more possible in the modern era. So I think that we have the tools to do a much better job going forward. 

Dave Bittner: That's Eve Maler from ForgeRock. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: So we talk a lot over on "Hacking Humans" about scams, of course. 

Joe Carrigan: Yes, we do. 

Dave Bittner: And one of the things that's caught - captured the imagination of people around the world is deepfakes. 

Joe Carrigan: Deepfakes. 

Dave Bittner: And I saw some research come by from the folks over at Trend Micro. Yes. There was an article they published titled "How Underground Groups Use Stolen Identities and Deepfakes." What's going on here, Joe? 

Joe Carrigan: Well, this is a pretty disturbing article, actually. It starts off talking about famous people, right? We have been seeing for years now - in fact, the one that comes to mind is the picture of Keanu Reeves, right? 

Dave Bittner: Yeah. 

Joe Carrigan: There's pictures of him out there, and somebody always photoshops a new shirt on him. 

Dave Bittner: OK. 

Joe Carrigan: Well, imagine taking that capability, but now you're creating videos of people. 

Dave Bittner: Right. 

Joe Carrigan: And they're endorsing products which they didn't endorse. And that has actually happened to one of our own here. Chris Sistrunk - who is a security person and well known, has a Twitter account - has been deepfaked into advertising and showing a product that he does not endorse. And the deepfake video is of him saying things he never said. 

Dave Bittner: Wow. 

Joe Carrigan: So it's - I mean, it's a scam product, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: Even if it's a real product, this is remarkably unethical and probably illegal as well. Elon Musk has been targeted. There are videos of him endorsing some kind of financial scheme. And of course, Elon has never done this. 

Dave Bittner: Right. 

Joe Carrigan: It's remarkably disturbing. And there are people on these underground forums. There's a great post here that gives you an example of what they're talking about. "Popular exchanges like Bitstamp or LocalCoins require a webcam link. Maybe anyone here able to bypass a webcam link and emulate a webcam, use a deepfake? Let me know. We'll pay for your help." So these people are looking for ways to essentially emulate a webcam, but instead of sending the video stream of the webcam, send the video stream of a deepfake. And this is what it's come to now. And this is going to be possible. I can - this is technically possible right now. This article goes on to talk about how deepfakes can affect existing attacks and monetization schemes. One they list here is messenger scams. You know, you're on some messenger application. Somebody can call you. And a lot of times these have voice and video chat. Somebody can emulate the webcam and just send the deepfake feed. If the deepfake is good enough and fast enough to actually generate these things on the fly... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It can be remarkably deceiving. 

Dave Bittner: Right. 

Joe Carrigan: Business email compromise is another good one. I want to be careful with the term business email compromise. A lot of times that term gets used as a catchall. 

Dave Bittner: Yeah. 

Joe Carrigan: And when I say business email compromise, I mean the actual compromising of business accounts - right? - like your Office 365 account. Remember that your Office 365 account is probably also where maybe you set - reset your Zoom credentials, right? So if somebody has access to some deepfake system that can feed into Zoom as a webcam, guess what? They can impersonate the CEO of your company and even be on his account if they've compromised the account. 

Dave Bittner: Right. Right. And I imagine you could, you know, say that, oh, I'm sorry the quality isn't better. My connection must be funny right now... 

Joe Carrigan: Sure. 

Dave Bittner: ...You know, that sort of thing. 

Joe Carrigan: Sure. Other ways of doing this - making accounts for money laundering. There are all kinds of ways that people try to verify your identity. So if your identity is faked in a video call and somebody opens an account in your name, they may be able to launder money through that. I don't know if that would cause legal problems for individuals that have been impersonated, but it certainly allows the crime to continue. 

Dave Bittner: Yeah. 

Joe Carrigan: It can also allow for hijacking of accounts and taking them over. There are two other things in here that I'm not really sure how I feel about them. There's - they list blackmail and disinformation campaigns. And I think this is a gate that swings both ways, right? I can create a deepfake of Dave Bittner doing something horrible. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And then say, I'll - or then go tell the world, look how God-awful Dave Bittner is. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Or maybe I go out and do something that's terrible. And Dave goes, look how bad Joe is. And I go, that was a deepfake. Don't believe it. 

Dave Bittner: Oh, sure. Yeah. OK. 

Joe Carrigan: Right? So now I have plausible deniability here. 

Dave Bittner: Interesting. 

Joe Carrigan: So there are also social engineering attacks and hijacking of Internet of Things devices like your - if somebody can fake my voice, they might be able to use my Google Assistant - right? - which, good for them, I guess. If they want to try that, that's fine. Here's something that's really interesting. And I feel kind of a little bit vindicated here, Dave. For years I have been saying that biometrics are not good as a means of verification of a person because they are immutable. 

Dave Bittner: OK. 

Joe Carrigan: Right? And here we are now looking at deepfakes that are impersonating this. So your information is already out there for what you look like. If that information is leaked, you have no way of changing that. There's nothing you can do. You can sit there all you want and grunt and groan, but your face will never change from what it looks like. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? So I think I feel a little bit of vindication reading this article. And that's the one upside. But everything else in here is just downside. 

Dave Bittner: What are some of the recommendations here that they have? 

Joe Carrigan: Excellent question. One, multifactor authentication approach for just about everything, particularly of your financial accounts. And I say use a hardware token, preferably one from the FIDO Alliance or maybe using - if you're up for it, using some kind of private key, public key or zero-knowledge proof-based authentication, like SQRL. Any of those are great. Those are very hard to duplicate and impersonate, and they're not biometric. One of the things they say here is organizations should authenticate the user with three basic factors - something the user has, something the user knows and something the user is - and make sure those something items are chosen wisely. Personnel training done with relevant samples - you know, the know your customer principle from financial organizations is very important. Deepfake technology is not perfect. There are certain red flags in an organization the staff should look for. I think that's an OK recommendation for now. Those red flags that are noticeable by people are going to go away very quickly. Those deepfake technologies are going to improve. And what needs to happen is there needs to be a technical solution in here because actually, deepfakes are pretty easy to spot from a technical standpoint, at least right now. 

Dave Bittner: Yeah. 

Joe Carrigan: So you can have something in the middleware that is looking at the video feed to say there's a good chance this video feed is being altered or not genuine. Right? Social media users should limit the exposure of high-quality personal images. I don't know how much of a good help that is - I mean, that the information's already out there. 

Dave Bittner: Right. 

Joe Carrigan: I mean, you can go out and shut it down, but somebody already has it. 

Dave Bittner: Right. 

Joe Carrigan: I keep my Facebook account locked down so nobody can see it. And all of my profile pictures are not of me. 

Dave Bittner: But if you're at a friend's birthday party and they... 

Joe Carrigan: Right. 

Dave Bittner: ...Post pictures of the group... 

Joe Carrigan: Yeah. 

Dave Bittner: ...There you go. There you are. 

Joe Carrigan: If someone takes a high resolution picture of you with your hand up, they can actually get your fingerprint off that. 

Dave Bittner: Right. 

Joe Carrigan: We've seen research on that already. 

Dave Bittner: Yeah. 

Joe Carrigan: For verification of sensitive accounts - for example, bank or corporate profiles - users should prioritize the use of biometric patterns that are less exposed to the public, like irises and fingerprints. Again, I say, if that information is ever breached, then that information can be simulated as well. 

Dave Bittner: Yeah. 

Joe Carrigan: And again, it's information you can't change. 

Dave Bittner: Right. 

Joe Carrigan: Significant policy changes are required to address the problem on a larger scale. These policies should address the use of current and previously exposed biometric data like I just talked about. And they must also take into account the state of cybercriminal activities and how to prepare for the future. That's a good recommendation - preparing for the future. 

Joe Carrigan: There needs to be - at some way - at some point in time, we're going to have to move beyond all of this stuff, and we're going to have to go into some identity verification system that has revocable identities that are demonstrated by physical presence somewhere. And I think there's ways to do that, and I don't think that's impossible. I think that we could find lots of ways to. 

Dave Bittner: Yeah. All right, well, it's interesting research. Again, this is from the folks over at Trend Micro. It's titled "How Underground Groups Use Stolen Identities And Deepfakes." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Catherine Murphy, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.