The CyberWire Daily Podcast 10.6.22
Ep 1678 | 10.6.22

Updated mitigations for ProxyNotShell. Lloyd’s investigates cyber incident. Killnet hits US state government sites. Election security. Credential theft. Verdict in Uber breach case.

Transcript

Dave Bittner: Microsoft updates mitigations for ProxyNotShell. Lloyd's of London investigates a suspected cyberattack. Killnet hits networks of U.S. state governments. The FBI and CISA weigh in on election security. Credential theft in the name of Zoom. Tim Eades from the Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl. And the former security chief at Uber was found guilty in a case involving a data breach cover-up.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 6, 2022. 

Microsoft updates mitigations for ProxyNotShell.

Dave Bittner: Microsoft has updated its mitigations for the two Exchange Server zero-day vulnerabilities, CVE-2022-41040 and 41082, that have been exploited in ProxyNotShell attacks. Dark Reading describes the motivation for the updates. Researchers had determined that the mitigations in their initial form would be too easy for attackers to bypass. 

Lloyd's of London investigates suspected cyberattack.

Dave Bittner: The major insurance marketplace Lloyd's of London is investigating what it believes may have been a cyberattack on its networks. Reuters quotes Lloyd's terse statement. Lloyd's has detected unusual activity on its network, and we are investigating the issue. We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded. There's no attribution yet and, indeed, not much information about the nature of the attack. 

Dave Bittner: But Reuters and The Record note that Lloyd's has been a prominent supporter of sanctions against Russia during the present war. The Record observes, Lloyd's representatives would not say if it was a ransomware attack or explain who may have been behind the incident. It has been one of the most notable supporters of sanctions against Russia since the country's government decided to invade Ukraine earlier this year. So suspicion of a Russian cyberattack is, in this case, a matter of a priori probability, of speculation informed by track record and imputation of motive. On the other hand, absence of evidence isn't evidence of absence, either. But in this case, it's too soon to tell. 

Killnet hits networks of US state governments.

Dave Bittner: Another story clearly does involve Russian operators. Killnet, the Russian hacktivist group, nominally independent but obviously acting on behalf of Moscow's security services, has knocked some U.S. state government services offline, CNN reports. Colorado, Kentucky and Mississippi, at least, were affected, with some services sporadically rendered unavailable yesterday in DDoS attacks. Kentucky's Board of Elections was one of the sites disrupted. The story is still developing, but the effects of the attacks don't seem to have risen above a nuisance level. Killnet has hitherto been best known for conducting DDoS attacks against lightly defended targets in European countries Russia deems too friendly to Ukraine.

FBI and CISA offer an appreciation of election security.

Dave Bittner: The U.S. FBI and CISA have issued a public service announcement stating that cyberactivity is unlikely to disrupt or prevent voting in the U.S. The statement reads, as of the date of this report, the FBI and CISA have no reporting to suggest cyberactivity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast or affected the accuracy of voter registration information. Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes. 

Dave Bittner: The Bureau and CISA reassure the public that measures are in place to ensure the integrity of the vote against potential cyberattacks. Their advisory states, the public should be aware that election officials use a variety of technological, physical and procedural controls to mitigate the likelihood of malicious cyberactivity - things such as phishing, ransomware, denial of service or domain spoofing - affecting the confidentiality, integrity or availability of election infrastructure systems or data that would alter votes or otherwise disrupt or prevent voting. 

Dave Bittner: Their advisory says, given the extensive safeguards in place and distributed nature of election infrastructure, the FBI and CISA continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected. BleepingComputer notes that the most pressing threat to elections are influence operations, especially influence operations on social media. That's a threat of a different kind, however, not a threat to counting the vote or ensuring that ballots cast are properly registered and tallied. 

Credential theft in the name of Zoom.

Dave Bittner: Armorblox released a blog today detailing a credential phishing attack impersonating Zoom. Researchers report that the attack had a socially engineered payload that bypassed Microsoft Exchange email security and targeted over 21,000 users before Armorblox stopped the attack. The phishing email said that there were two unread messages to be checked on Zoom, with a malicious link for the call-to-action button, as well as a malicious link for the unsubscribe button. The call-to-action button, if clicked, would lead to a fake landing page that appeared to be a Microsoft landing screen. 

Dave Bittner: Victims were prompted to enter their Microsoft account credentials to view the messages. This attack leveraged a well-known brand's identity in order to harvest credentials, utilizing Zoom's legitimate logos and branding to instill a sense of trust. It's worth noting it did not involve any compromise of Zoom itself. The hackers also used social engineering such as the email, title and design to induce a sense of urgency. The attack bypassed all Microsoft Exchange email security measures and used a valid domain that received a reputation score of trustworthy, with only one infection reported in the past 12 months. 

Former Uber security chief found guilty in case involving data breach cover-up.

Dave Bittner: And finally, former Uber security chief Joe Sullivan has been found guilty of covering up a 2016 data breach, as well as concealing information on a felony from law enforcement, SecurityWeek reports. The monthlong trial resulted in a verdict that could put Sullivan in prison for up to eight years - a maximum of five years for the obstruction charge and a maximum of three for a misprision charge. The New York Times reports that it took more than 19 hours to reach a verdict in the case for the jury of six men and six women. 

Dave Bittner: David Angeli, an attorney for Mr. Sullivan, comments with disappointment on the verdict, stating, while we obviously disagree with the jury's verdict, we appreciate their dedication and effort in this case. Mr. Sullivan's sole focus in this incident and throughout his distinguished career has been ensuring the safety of people's personal data on the internet. Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments that Mr. Sullivan took many steps to keep the FTC and others from finding out about it. This was a deliberate withholding and concealing of information. It's thought unlikely that the sentence will be anything close to the maximum, but it's a striking sign of how seriously federal authorities are taking cases related to data breaches. 

Dave Bittner: After the break, Tim Eades from the Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden from Tenacity Cloud on cloud infrastructure sprawl. Stay with us. 

Dave Bittner: Data storage is cheap, it's fair to say. And these days, as organizations move more and more of their business to the cloud, often making use of multiple cloud providers, it's easy to understand the challenge of keeping tabs on all that data. Nick Lumsden is CTO and co-founder at Tenacity Cloud, and he provides insights on preventing cloud sprawl. 

Nick Lumsden: Cloud sprawl is the unintentional expansion of infrastructure over time. You know, and it especially becomes a problem as changes increase, which has happened just, you know, due to infrastructure turning into software. So, you know, changes that used to be quarterly or monthly have now become, you know, 20 years later, dozens or hundreds of changes a day, sometimes thousands, in really, you know, sizeable organizations. 

Nick Lumsden: And, you know, also, we've opened up the number of people that can make changes. It used to be in the hands of someone who was a deployment manager or someone who administered a system, and now it's, you know, if you write software, like myself, you can be making changes all the time via the software because infrastructure is now code, and it's now a part of the software. And this has resulted - you know, that expansion of responsibility and - you know, kind of, you know, take time dilation and do effect there, and you end up with resources that are deployed in infrastructure that just continue to linger long after they were useful, or sometimes they weren't even useful. They were a mistake. And they just sit out there as attack surface on and on and on, forever and ever. 

Dave Bittner: Do we have a certain amount of empathy for folks who find themselves in this situation? 

Nick Lumsden: Of course, because I'm one of those folks, you know... 

(LAUGHTER) 

Nick Lumsden: ...25 years in managing infrastructures, writing software. If there's a mistake to be made, I've made it. I've definitely created data sprawl in organizations where we were doing data analytics, and, you know, suddenly there's terabytes and - of data that's replicated and forgotten about. And, you know, it's - if you're not - even if it's secure, if you're not paying attention, that's a problem. You know, make effort to go clean that up. 

Nick Lumsden: And I totally empathize with the pace of change and also, frankly, that there's just not enough folks to do the work and to meet the demands of most organizations. I can honestly say in IT or in technology, I have yet to meet the person that is paired with exactly the amount of work that needs to get done in a given day. It's usually twice as much or more, and they're trying to pick what the priority is. 

Dave Bittner: So what's the fundamental issue here? I mean, how should folks come about getting their arms around this? 

Nick Lumsden: Well, I think there's a couple of things to consider. First of all is understanding that over time, this problem gets a whole lot worse. And so when you start your cloud journey - whether you're starting, you're in the middle of or you've already transitioned and you're now living in the cloud, at all points in that journey, it's important to sort of get your arms around this issue, though maybe there's different approaches in each of those scenarios. 

Nick Lumsden: It's not about just the human element of we need to have the engineer go clean it up. There's so many hands in that pot. And there's so many more important things for them to do - you know, really making sure that we have tooling to help us with it, whether that's being on the path towards DevOps, which helps, turning infrastructure into code and keeping it consistent. That's one way. Doesn't do the whole thing - whole trick, but it's one way - but also having platforms that help you discover what's going on inside your environments, actually looking at utilization, understanding what's been disassociated in the environment, what's no longer being utilized, what's been abandoned or orphaned from its original use, just understanding that can start to learn the context of an app and really understand, you know, all the components, all the assets, and give the user indication as to, hey, you should go look here, or even go in so far as to say, hey, let me auto optimize this for you. Let me inject into your dev channel, you know, what needs to be cleaned up. So I think there's a number of approaches you can take. 

Nick Lumsden: You know, certainly, we at Tenacity are working on this problem. We look at the problem of optimization in the cloud as kind of a core issue. And, you know, we pull in the metadata about cloud environments, analyze them and, you know, try to get really, really, really smart and smarter and smarter every day about what sorts of indicators there are that the infrastructure is out of use and needs to be optimized in order to help the world, both from a optimize your cloud and reduce attack surface, but also, it helps optimize cost. It's a win-win-win all the way around. 

Dave Bittner: Are there any common elements that you see with organizations that have a handle on this, that are doing things right? 

Nick Lumsden: So it depends on how - you know, it depends on what scale the organization is at. Those organizations that are at scale, the enterprise and upper mid-market - they likely have an initiative that's driven from executive level. And they may even have teams built around this that are focused on the optimization puzzle, focused on, you know, kind of the security footprint from attack surface perspective, that really understand cloud, really understand, you know, kind of security ops and FinOps and how the two come together. And so there's a concerted effort there. And you're going to see them leveraging AI tools, you know, analytics tools, tools that are really going to help them, you know, do better in their business. And Tenacity is one of those tools. 

Nick Lumsden: At the, you know, mid- and smaller market, when you look sort of at those organizations that are still trying to get to scale or maybe are startups that are moving quickly, it's about getting your arms around the kind of this problem early on and knowing what key metrics you need to watch before it gets out of control. I can tell you that every organization we've ever deployed into has had places - has had room for optimization. And some of the most egregious were, you know, spending five and six figures a month on infrastructure that were just laying around. And they couldn't believe it. 

Nick Lumsden: When it was found or when it was detected, it was, no way. There's no way that's happening. And, of course, it was happening. And it was cleaned up, and, you know, the environment was made safer, more secure and better optimized. But there just wasn't a key metric around, say, QA or dev resources. Why are - you know, why has their budget, you know, quadrupled over the past year? - that that would be a key indicator that there's some sprawl going on. 

Dave Bittner: That's Nick Lumsden from Tenacity Cloud. 

Dave Bittner: And I'm pleased to be joined once again by Tim Eades. He is the co-founder of the Cyber Mentor Fund and CEO at vArmour. Tim, it's always great to welcome you back. 

Tim Eades: Great to be here, Dave. 

Dave Bittner: You know, these are certainly interesting times on the global stage as we look at a war and the possibility of recession. How does that affect the investors out there? How do they look at this sort of thing? 

Tim Eades: That's a great question. You know, the - it's amazing. Last year, obviously, valuations reached crazy high numbers in security and particularly in private companies where, you know, the valuations and the multiples were off the charts. I think the right place to go at that time was to go - you know, it's a bit like the opposite of politics. When valuations go crazy high, we'll go crazy low. 

Tim Eades: Cyber Mentor Fund has invested in 29 companies over the last three years or so. And we believe in, you know, the crazy guy that wants to start something new, that has incredible domain permission, that's curious and kind. And we will lean into these young, emerging startups because they want to break out, that their legacy tools are showing their age, and they want to do something different. And so those are the people that we've been investing in over the last few years because as these valuations get completely carried away - and they raise so much money, hundreds of millions, 200 million, 300 million on a round of funding, which is essentially like a private IPO. 

Tim Eades: You know, my orientation is always to be - lean in to the young, up-and-coming startup. Do what you can to help mentor and provide guidance. And get these new technologies to market so that we can better secure the country, better secure the enterprises within it and give these entrepreneurs a better chance of success. And so, yeah, it got out of control with the valuations last year. And I think even this year, it's been a little bit like whiplash. 

Tim Eades: At the RSA show earlier this year, everybody was doom and gloom. But, you know, in the last few weeks, you've seen crazy valuations come back, with talent raising a hundred million and stuff like that; it's like - on a series A. So, you know, there's so much money floating around in the investor community still. I think good discipline is always required. But in times like these, you should go low. You should help these young, early-stage startups. And seed is the better place to be - seed and series A. 

Dave Bittner: What's your advice for those people who are looking to make a splash, for that person who thinks they have that great idea that's going to help make the world a better place? In this environment, are there any specific things they should be doing to make themselves more attractive to investors like yourself? 

Tim Eades: Another great question. Yeah. I think the - we invest in company - in people early on and teams early on with domain expertise. You know, understanding your domain expertise, whether it's industrial controls or authentication or understanding how mainframes roll over and fail over and whatever it may be, the domain expertise of the founders is absolutely critical. The passion and the knowledge of that is - you know, you just can't build a company without that. And so that's the biggest one. Lean on that. 

Tim Eades: Be articulate about that. Understand that what the problem is that you're trying to solve in the industry. Make sure that doing nothing is not an option for the customer, then they can't just sit there and do nothing. Focus on a meaningful problem. Focus on a growing problem that they have incredibly good and deep domain permission for that when you talk to a customer, they have to do something about it. And by doing that - you lean into the right VCs, set your cyber mentor from that, do this early-stage mentoring - and you will always get funding in that scenario. 

Dave Bittner: You know, we've seen some stories come out that - there have been a number of companies who have been going through some rounds of layoffs. How concerning is that to you? How do you read that? 

Tim Eades: I don't think that's concerning at all. I think you have to tighten your belt. You have to understand, you know, your burn rate, you know, your cash runway. And I think, you know, managing to do that is a really smart and shrewd thing to do. I think frugal companies always go further. So I'm not - it doesn't concern me at all. I think it's healthy, to be really honest - 'cause we don't know how long, you know, the war in Ukraine is going to happen, what's going to happen with China and Taiwan. We don't know the - you know, how long it will take to get control of inflation. So, yeah, tighten your belt; be frugal; lean in; look after your customers, and you'll be fine. 

Dave Bittner: All right. Well, Tim Eades, thanks for joining us. 

Tim Eades: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.