The CyberWire Daily Podcast 11.14.22
Ep 1703 | 11.14.22

Software supply chains, C2C markets, criminals, and cyber auxiliaries in a hybrid war. CISA releases its Stakeholder Specific Vulnerability Categorization (SSVC).

Transcript

Dave Bittner: A look at software supply chain risks and cyber risk across sectors. CISA releases Stakeholder-Specific Vulnerability Categorization. Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary. Malek Ben Salem from Accenture has thoughts on future-proofing cloud security. Rick Howard previews the latest "CSO Perspectives." And the Australian Federal Police say they know who hacked Medibank.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 14, 2022. 

Software supply chain risk.

Dave Bittner: Reuters reports that thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh. A number of users, among them the U.S. Centers for Disease Control and Prevention, thought that Pushwoosh was based in Washington when, in fact, its operations are centered in Russia. CDC has now removed the software from seven of its apps. The software also appeared in at least one mobile app used in the U.S. Army. The Army removed it this past spring. Reuters says there's no evidence that Pushwoosh collected or reported sensitive data to the Russian government. But as a Russian company, it's obligated by law to cooperate with the authorities on demand. Pushwoosh's founder denies the company misrepresented itself as being anything other than a Russian business. So it's an a priori risk. But the story is interesting insofar as it suggests the complexity of software supply chains and the difficulty in ensuring their security.

Cyber risk across sectors.

Dave Bittner: Moody's this morning published a look at cyber risk across various sectors. While most sectors are seeing trends toward decentralization, more remote access and, of course, further digitization of their operations, not all are equally exposed. The report states, critical infrastructure sectors like electric, water and other utilities have the highest risk exposure and a growing reliance on digitization but make up only a small share - about 3.5% - of overall rated debt. That risk doesn't mean these sectors are relatively poorly protected but rather that the consequences of a successful attack could be severe and widespread. The report concludes, as of now, the sectors facing the lowest threat exposure happen to be the least digitized - coal mining, construction, oilfield services and paper and forest products. And as organizations in recent years have accelerated their move to digitized processes, information systems and networks, that transformation potentially leaves a door open for opportunistic hackers. 

CISA releases Stakeholder Specific Vulnerability Categorization (SSVC).

Dave Bittner: Last Thursday, before the U.S. Veterans Day holiday, the U.S. Cybersecurity and Infrastructure Security Agency released a guide to the Stakeholder-Specific Vulnerability Categorization, the SSVC, which it describes as a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety and prevalence of the affected product in a singular system. The SSVC is expected to provide important context organizations can use for vulnerability management. Eric Goldstein, executive assistant director for cybersecurity at CISA, outlined the agency's goals in establishing the SSVC. It fits into CISA's three-part approach to improving vulnerability management, Goldstein explained. First, we must introduce greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework. Second, we must make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange. Third, we must help organizations more effectively prioritize vulnerability management resources through the use of stakeholder-specific vulnerability categorization, including prioritizing vulnerabilities on CISA's Known Exploited Vulnerabilities catalogue. CISA will assess vulnerabilities and assign them one of four actions.

Dave Bittner: For the least severe, the agency will track them and would recommend remediating them within standard timelines. Up one level in severity is what CISA calls Track* - when Track has an asterisk after it. In these cases, CISA monitors the vulnerability more closely for possible changes but still recommends remediation within standard timelines. The second-most worrisome class of vulnerabilities is assigned to the Attend category. These require attention from an organization's leaders, who should request assistance or further information. And the vulnerabilities should be remediated sooner than standard update timelines. And finally, the most severe vulnerabilities are assigned to the Act category. These vulnerabilities require even more extensive coordination and leadership involvement, and they should be remediated as soon as possible. CISA has invited public input. If you have comments, observations or recommendations concerning SSVC, they'd like to hear from you via email.

Sandworm is back in Russia's hybrid war.

Dave Bittner: A familiar GRU cyber unit returns to make its presence felt in the war. Researchers at Microsoft report that Sandworm, the GRU threat actor the company tracks as Iridium, has deployed a new strain of ransomware, Prestige, against targets in Poland and Ukraine. Prestige announced itself on October 11 in a series of coordinated attacks against targets in the transportation and related logistics sectors. Microsoft writes, the Prestige campaign may highlight a measured shift in Iridium's destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war. The attacks show a renewed willingness on the part of a Russian intelligence service to attempt disruption in addition to collection. Ransomware as a tactic is well-adapted to do both. 

Dave Bittner: The Washington Post quotes Mandiant researchers who see this approach as an attempt by the GRU "to have its cake and eat it, too." Mandiant senior analyst John Wolfram told the Post, "What that shows us is that the GRU was able to maintain access to a network of their specific choosing, launch an attack and have an effect on that network, maintain that access despite the wiper operation and launch another wiper operation at a moment of their choosing." Russia had used wipers with some success early in the war, but those attacks soon ebbed. They seem not to be returning.

Another wiper campaign from a Russian cyber auxiliary.

Dave Bittner: It's not just the Russian intelligence services who are getting back into the wiper business. Auxiliaries also appear to be mounting wiper campaigns against Ukrainian targets. CERT-UA reports new activity on the part of the group it tracks as UAC-0118, a Russian cyber auxiliary that styles itself either From Russia With Love or the Z-Team. The initial attack spoofed the website of Famatech's legitimate Advanced IP Scanner, and the malicious site offered a free download button. Pressing that button, Help Net Security says, directs the victim to a Dropbox account that hosts a version of the Vidar information stealer, misrepresented as Advanced IP Scanner. The final stage of the attack deploys a recently developed version of Somnia ransomware. BleepingComputer reports that the Z-Team hasn't demanded ransom from its victims and indeed boasts that they've removed the possibility of decryption. So this series of Somnia infestations should be regarded as a wiper attack. CERT-UA observes that Z-Team used other resources obtained in the criminal-to-criminal market, notably the services of at least one unnamed initial access broker. And so the connection between cyber warfare and the criminal underground continues.

Development of Ukraine's auxiliary cyber offensive force.

Dave Bittner: Trustwave's SpiderLabs has published an account of how Ukraine's IT Army developed from an ad hoc group of hackers into an auxiliary cyber force aligned with the country's military objectives. Their preferred tactic has been DDoS, an attack technique that lends itself to automation and employment by a range of collaborating attackers. Trustwave writes, according to the information provided on the IT Army of Ukraine's official website, the group has now become a well-organized operation with a coordinated team. So auxiliaries seem to have found a role on both sides in the present hybrid war. 

Australian Federal Police say they know who hacked Medibank.

Dave Bittner: And finally, the hoods who hit Medibank with a ransomware attack are preparing to up the ante by releasing more stolen information. But the police may be getting closer to them. According to TechCrunch, the Australian Federal Police say they know the individuals responsible for the ransomware attack and consequent data breach at Medibank. The AFP hasn't publicly named them, but it has said there are criminals located in and operating from Russia. Other reports have associated the threat actors with the allegedly defunct REvil criminal organization. AFP Commissioner Reece Kershaw had a message for the criminals, stating, we know who you are. And moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.

Dave Bittner: For its part, the Russian Embassy in Canberra expressed disappointment that the Australians haven't asked for the help of the Russian authorities. The embassy said Friday, for some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communications. We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies. 

Dave Bittner: Coming up after the break, Malek Ben Salem from Accenture has thoughts on future-proofing cloud security. And Rick Howard previews the latest "CSO Perspectives" show. Stick around. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst - Rick, always great to welcome you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on this week's "CSO Perspectives" show over on the subscription side of the CyberWire, you have got what I can only describe as a pretty big get in terms of an interview. Who's coming on the show? 

Rick Howard: Andre Durand is the CEO of Ping Identity, and his company is routinely grouped together as one of the leaders in the identity and access management space along with other companies like Okta, Microsoft, Oracle and IBM. But what's interesting is that he's been running Ping Identity for over 20 years, which, as you know, is not normal in a Silicon Valley company. 

Dave Bittner: No, I think - just recently I was reading that - I think average tenure for folks like this is around five years. 

Rick Howard: That's exactly right. So after 20 years, Mr. Durand is somewhat of a unicorn, you know? So just for that, it's interesting to talk to him. And as you can imagine, he has some thoughts about the direction that identity and access management is going in the next five years or so. 

Dave Bittner: Correct me if I'm wrong here, but my sense is that - I don't feel like there's been a whole lot of groundbreaking innovation in this space for the past decade or so. I mean, I guess we've got things like face ID and touch ID, but we're - you know, we're still rolling along with usernames and passwords. 

Rick Howard: Yeah, that's exactly right. And we talked about that in the interview. And the way he describes it is that the identity and access management space has been slowly and steadily building the infrastructure for major change, you know, kind of gaining gravity, you might say. And he says that at a certain point, likely within the next five years or so, it will reach a tipping point that will fundamentally shift how we do all this stuff. So it's pretty exciting. 

Dave Bittner: All right. I look forward to that. So that is over on the Pro side. What episode are you publishing over on the public side? 

Rick Howard: Yeah. For just over a year now, we've been publishing old episodes of "CSO Perspectives" in a public feed with ads. It's called "CSO Perspectives Public." So if our listeners hate ads as much as I do, they should go subscribe right now to the CyberWire Pro and to get rid of - to get all of our content - not just my shows; all of the shows - ad-free, right? So... 

Dave Bittner: Yeah. 

Rick Howard: We published this episode in February of this year on software supply chains. 

Dave Bittner: OK, so back then we were all a bit on our heels from the Log4j situation, still in the midst of all that. So software supply chains - yep - that adds up. 

Rick Howard: We do a little history here of software supply chain problems. Log4j was not the first time the problem has surfaced, as you remember. And we pinpointed the exact moment when the software supply chain became a thing that we all need to consider in our infosec programs. And then we discussed strategies like zero trust and tactics like SBOMs, software bills of materials, that will reduce the probability of material impact due to some Log4j-type issues in the future.

Dave Bittner: Well, before I let you go, what is the phrase of the week over on the "Word Notes" podcast? 

Rick Howard: This week, we're talking about pretexting. It's kind of - it's a great word, right? It's the bad guy art of concocting a believable story that will convince the victim - you, Dave - to give up something valuable.

(LAUGHTER) 

Dave Bittner: All right, yes, I'm an easy mark. 

Rick Howard: (Laughter). 

Dave Bittner: People see me coming and they say, that guy, that's the guy. He's our guy. 

(LAUGHTER) 

Rick Howard: Yeah, they don't have to concoct too much to get you... 

Dave Bittner: Nope. 

Rick Howard: I guess is what we're saying (laughter). 

Dave Bittner: No, no. They just say, I don't know, free "Star Wars" stuff... 

Rick Howard: (Laughter). 

Dave Bittner: ...And I'm - that's it, that's all it takes, you know. 

Rick Howard: (Laughter). 

Dave Bittner: All right. Well, Rick Howard, thanks so much for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the security innovation principal director at Accenture. Malek, always great to welcome you back to the show. I want to touch base with you today on cloud security and some things that you're looking at when it comes to future-proofing it. What can you share with us today? 

Malek Ben Salem: Yeah. Thanks, Dave. So the race to cloud is well underway, and it has been accelerated by the pandemic. Many organizations who were reluctant about moving to the cloud have made their decision under the pressure of, you know, people working remotely and under the needs of having flexible, scalable networks. So it was an easy decision at that point. Other companies were driven by opportunities to drive innovation. Others were looking for, you know, fulfilling the bigger picture of their digital transformation. But along those lines (laughter), as, you know, Accenture, as we see our clients making their decisions to move to the cloud, we see, basically, two routes that clients can take. The first is basically the direct route where, you know, if you all - you know, you drive and learn. And typically in this cloud journey, clients move to a primary cloud provider, and then their security focus is different than the second cloud journey, which is more of a - we call it the scenic route which...

Dave Bittner: (Laughter). 

Malek Ben Salem: ...Is more intense and intentional, where, you know, the client may decide to go to a hybrid model or to a multi-cloud environment. And this journey is more complex, but it can be longer term, and it can provide - sorry, longer term resilience. In these journeys, we think - if we think of cloud as - or if you think of the cloud continuum, from, you know, cloud all the way to edge and everything in between, if we think of that as the map, then what we want is to have security as the compass and have security guide us through this map, through our journey to the cloud. Now, that's not always easy. There are hurdles, especially with respect to, you know, the existing security teams that our clients have. One thing we see is that security teams are hampered by the existing culture. For instance, as network security adopts a zero trust approach, that's a pivot from direct control to a shared responsibility model. And that's not what security teams are used to, right? Security personnel is typically used to control - controlling the perimeter, to limit access or who has access to technology. They're not used to this adaptive, zero trust-based approach. So that would require a security culture shift within the organization. 

Malek Ben Salem: Another thing that we see as a, you know, an obstacle is the scarcity of skills. So typically, you know, existing security teams are, you know, security administrators. You know, they're dealing with securing infrastructure, managing vulnerabilities, they have network security skills, maybe cyberdefense teams. But in a cloud environment, there is more and - there's more need for, let's say, developers who have - who can work on identity and access management, for instance. So it's a different set of skills that would be required that's a combination of security and development skills. And then the third challenge we see is, you know, the software automation advances are outpacing security. There are numerous tools that can help with, you know, developing code quickly. We have low-code, no-code platforms that are helping developers produce even more or even average developers, average citizen developers produce more code. But we don't have that automation on the security side. And so we need to develop more automated tools. We need ways to automate security so that we can keep up with the pace of software automation. 

Dave Bittner: You know, getting back to what you said about, you know, taking the direct route or the scenic route, to what degree do you recommend one or the other? I mean, is it different for each organization to - based on their history and what they're trying to accomplish? 

Malek Ben Salem: Yeah, absolutely. That's a great question. I think there are a number of factors that can influence that choice. One of them is industry-specific. You know, some industries may be more likely to take one route versus the other. For instance, and, you know, the banking industry moved to a secure cloud, but their - you know, their driver or the issues they have encountered were more regulatory and compliance related. So that could have driven the route they've taken versus, you know, other industries who are much more focused perhaps on innovation or maybe clients who have certain customer engagement models may consider a different route. So let's say if you are engaging directly with customers through a digital platform. So if you are a client engaging directly with customers through a digital platform like Uber or Airbnb, that carries different risks than managing numerous suppliers or payment processes in a business-to-business context. And so that may dictate which route you want to take. So another factor might be location. Your geographic footprint can influence which route you may want to take. For instance, you may be required to use a sovereign cloud, or you may be required to use just one cloud as opposed to having a hybrid cloud model. So all of those factors do really influence what - which route or which journey is best suited for these clients.

Dave Bittner: All right. Well, interesting insights. Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.