The CyberWire Daily Podcast 11.9.22
Ep 1701 | 11.9.22

A look back at midterm cybersecurity. Communications security lessons learned in Ukraine. Known Exploited Vulnerabilities and Patch Tuesday. Off-boarding deserves some attention.


Dave Bittner: U.S. midterm elections proceed without cyber disruption. Some communications security lessons are learned. CISA publishes new entries to its Known Exploited Vulnerabilities Catalog. We got some Patch Tuesday notes. Carole Theriault examines cross-border money laundering. The FBI's Bryan Vorndran offers guidance on how companies should think about their exposure in China. And a recent study finds reasons to be concerned about off-boarding.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 9, 2022. 

US midterm elections proceed without cyber disruption.

Dave Bittner: The U.S. midterm elections were completed yesterday. And while the votes are being counted, we can reach a preliminary assessment of whether there was any cyber activity that interfered with the voting. It appears that nothing much happened. Reuters reports that the U.S. midterm elections proceeded without unusual difficulty. A review of voting the morning after the election showed little evidence of cyberattacks and even less evidence of disruption. So little seems to have changed since we heard from senior CISA officials at their three media availabilities yesterday. As one of those officials said midday, "We continue to see no specific or credible threat to disrupt election infrastructure." In particular, the official added, "To be very, very clear, we have not seen any evidence of foreign influence affecting our election infrastructure." 

Dave Bittner: The FBI's assessment last week of distributed denial-of-service operations seems to have been borne out. WAPT reported some intermittent DDoS incidents late yesterday that had a minor impact on the Mississippi secretary of state's public website, but these had no effect on voting and were in any case quickly remediated. CISA officials said during their evening briefing yesterday that an unnamed Russian hacktivist group - and remember, in this context, that Russian hacktivists are best understood as auxiliaries for the Kremlin security and intelligence services - claimed responsibility in its Telegram channel for hitting the Mississippi secretary of state but that there wasn't enough evidence for attribution. Mississippi is the only state where CISA observed a sustained, albeit minor, outage, and this one affected only a public-facing website with no immediate connection to the voting. 

Dave Bittner: One county, Champaign County in downstate Illinois, reported outages and computer performance issues, but NBC Chicago reports said that the issues were quickly remediated without significant effect on voting. The tabulation machine outage in Maricopa County, Ariz., seems to have been a malfunction. A senior CISA official said yesterday evening that the agency had quickly investigated the Maricopa incident and found no indication of malfeasance. To put Champaign and Maricopa counties into proper perspective, consider that there are well over 3,000 counties in the United States. 

Dave Bittner: We received some notes from Cloudflare earlier today on what they'd observed during the voting. The secure networking company summarized their conclusions in a single sentence. There were no large-scale attacks this election. The state and local governments protected by the company's Athenian Project saw an increase in application-layer DDoS attacks over the first week of November that exceeded October's rates by only 3.4%, and that, in Cloudflare's experience, really doesn't amount to much. Remember, in this context, that state and local governments are the ones who actually conduct the elections. For political parties and campaigns, the story was different. Cloudflare for Campaigns, which protected these, saw a threefold increase of application-layer attacks over that same period. 

Dave Bittner: Counting the votes and certifying the results will take time, of course. That's not unusual. It's part of the normal process. It's also part of the unfortunate norm that there will be many bogus claims of cyber-meddling in the election. The disinformation phase of this election season has a ways to run. And we're looking at you, Internet Research Agency, and you too, Killnet. 

Communications security lessons learned. 

Dave Bittner: Speaking of hacking and hybrid conflict, BlackBerry has looked at the war against Ukraine and drawn some lessons for communications security. They're old lessons, the kind that every war reteaches, but they're worth reviewing nonetheless. The central lesson is that one should expect one's communications to be intercepted. Whether the opposition can read them in time to use them depends upon the effectiveness and the general use of your encryption. BlackBerry points out that businesses, as well as armies, should keep this in mind. 

CISA publishes new entries to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: CISA yesterday added seven new entries to its Known Exploited Vulnerabilities Catalog. They include four issues in Microsoft products and three for Samsung mobile products. In accordance with Binding Operational Directive 22-01, U.S. federal civilian executive agencies have until November 29 to review their systems and take steps to secure them. As usual, CISA wants the agencies it oversees to apply updates per vendor instructions. 

Patch Tuesday notes. 

Dave Bittner: Microsoft yesterday released fixes to address sixty-eight issues in its products. By the SANS Institute's tally of these, 10 are critical. One was previously disclosed. And four are already being exploited. Users should check vendor security sites and, as CISA puts it, apply updates per vendor instructions. 

Infrastructure access and security study finds reasons to be concerned about off-boarding.

Dave Bittner: Teleport this morning released its 2022 State of Infrastructure Access and Security Report. The report details various challenges for DevOps, security engineering and other security professionals. In general, their findings indicate that organizations remain vulnerable to the threats former insiders pose. Respondents to Teleport's survey were asked how confident they were that, once an employee leaves their company, all of their access is revoked. Less than a quarter of those surveyed said that they had 100% confidence, and almost half of the companies are less than 50% sure of the lack of access. Fifty-seven percent of respondents also report that new security measures have been put in place that were not adopted by employees. So again, HR, think about your offboarding. 

Dave Bittner: Coming up after the break, Carole Theriault examines cross-border money laundering. The FBI's Bryan Vorndran offers guidance on how companies should think about their exposure in China. Stay with us. 

Dave Bittner: Once the bad guys get your money, which these days usually involves cryptocurrency, they have to figure out how to get that money into whatever currency they use locally. That often can involve cross-border money laundering. And our U.K. correspondent Carole Theriault files this report about that. 

Carole Theriault: The United Nations estimates that up to 2 trillion of cross-border money laundering takes place each year. And they say the possible social and political costs of money laundering, if left unchecked or dealt with ineffectively, are serious. As some of us know, organized crime can infiltrate financial institutions, acquire control of large sectors of the economy through investment or offer bribes to public officials and even governments. But the big question is how to address this. 

Carole Theriault: Well, greater information sharing and collaborative analytics among financial organizations could transform the detection of this criminal activity. But research suggests that this is hindered by the legal, technical and even ethical challenges involved in jointly analyzing sensitive information. And maybe what is needed is privacy-enhancing technologies, also known as PETs, as they could play a transformative role in fighting financial crime. Well, at least that's what the U.K. and U.S. governments are hoping for. 

Carole Theriault: Six months after their initial announcement, they are preparing to kick off prize challenges focused on advancing the maturity of privacy enhancing technologies to combat financial crime. So the plan is this. Innovators will be asked to develop state-of-the-art, privacy-preserving, federated learning solutions - try and say that five times quickly - to help tackle the barriers to the wider use of these technologies. So in other words, figure out clever ways to bypass all the red tape in sending data to and from different geographies efficiently and legally - right? - in order to share insights, and do this all without compromising federal or organizational privacy. So it's a pretty tall order. 

Carole Theriault: As part of the Privacy-Enhancing Technology Prize challenges, innovators will be able to engage with regulators. So this includes the U.K. Financial Conduct Authority and the U.S. Financial Crimes Enforcement Network. And the challenges will be open to innovators on both sides of the Atlantic starting this summer. Challenge solutions will be showcased in the second Summit for Democracy, to be convened by President Joe Biden in early 2023. So do you think you have what it takes? Then I suggest you keep an eye on communiques from the U.K. and U.S. governments. This was Carole Theriault for the CyberWire. 

Dave Bittner: And I am pleased to welcome back to the show FBI cyber assistant director Bryan Vorndran. Bryan, welcome back. I want to touch with you today - high-level stuff here - some of the national security threats that you and your colleagues there at the FBI are tracking. What can you share with us today? 

Bryan Vorndran: Sure. Thanks, Dave. It's good to be back with you. You know, when we look at the national security threats from a cyber perspective, I think it's important for the audience to know that the ultimate goal is early detection, containment and eviction. And that's going to be a different message than ransomware, which we'll talk about later, which really should be a prevention. But in the national security nation-state space, it really should be early detection, containment and eviction. Undoubtedly, China is the most prolific threat. Their threat encompasses corporate espionage, destructive attacks, obviously influence operations and certainly an intelligence collection at scale, which we'll also mention here a little bit more in detail. 

Bryan Vorndran: When we go back to SolarWinds, specifically with Russia, we saw Russia's ability to target a handful of U.S. government agencies, but in doing that, they compromised an additional 18,000-plus companies and organizations. And it's just a really good reminder for all of us about Russia and other nation-states' patience and persistence to conduct these state-sponsored attacks. You know, I think for your audience and for organizational leaders, this supply chain threat and the third-party risk associated with it, it's just so important for executives to understand how technical and organizational interdependencies really increase the risk of potential exposure. 

Bryan Vorndran: You know, getting back to China a little bit, certainly the theft of intellectual property is always at the top of our mind. And what China does is, you know, they take this intellectual property that they steal, they run it through their vast holdings, through AI and attempt to monetize it. We have to look no further back than how they targeted U.S. universities during the COVID vaccine research period. And certainly we and others in the United States have no problem with sharing the results of our research, but we would want to do it on our terms because we've invested the time and the money to do it, and we don't want that stolen by someone. China obviously poses a threat with theft of AI technologies, machine learning, quantum computing, communication, clean energy, and the list goes on. We're also concerned about how state actors moonlight for personal gain, right? And when actors are uncontrolled, they have fewer constraints and they do do off-the-record work. And, you know, as an example, we have to look no further back than six months ago when China-sponsored hackers compromised six United States domains for a various set of reasons but including profit. 

Bryan Vorndran: And, you know, when we talk about nation-states, the last thing I'll mention is just what we refer to as access and furtherance of attacks. You know, in military circles, this is known as prepping the battlefield, but it's the pre-positioning of tools and capabilities to really maximize advantage. And those advantages are taken or executed upon when a specific red line is crossed. Very, very difficult to detect these access points in furtherance of attack - this just highlights the importance of pen testing and threat hunting. So while China and Russia certainly maintain high, high thresholds for kinetic action, others do not. And just as I round out this part of my comments, we have to look no further back than how the Iranians targeted Boston Children's Hospital within the last year as an example of indiscriminate targeting and lower thresholds for kinetic action. 

Dave Bittner: You know, we recently saw DOJ made some major announcements about the Chinese threat, making some indictments. What does that sort of messaging do on the global stage, putting them on notice that we're not going to stand for this sort of thing? 

Bryan Vorndran: You know, I think China's a really interesting conversation. And, you know, China does pose the broadest, most active, persistent espionage threat to corporations. But it's not just a cyberthreat. It's also a human threat. And, you know, companies and organizations that are based in the United States really do have to think about their exposure when doing business in China, right? And so the messaging coming out of DOJ continues to reemphasize this point that there is significant risk from the Chinese government, both through cyber vectors and through human vectors, to steal intellectual property and to cause harm to the United States. When we're talking in public about the China threat, you know, it's really important for businesses to know that the environment in China for them is really challenging. 

Bryan Vorndran: You know, the cost of Americans doing business seems to include blanket consent to state surveillance under the guise of security. And that's kind of a best-case scenario. In a worst-case scenario, it's accepting the risk that all of your sensitive information may be co-opted by the government. And so this isn't really hyperbole to us. In 2020, we identified that the Chinese government had forced U.S. companies to download tax software to comply with different, quote-unquote, "cybersecurity laws." And then the Chinese government stole from those companies using that mandated software. So, you know, we know that the market in China is an important one for American businesses, and only those businesses can understand their true risk proposition and risk profile. But they need to be very, very careful as they enter into that market. 

Dave Bittner: All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.