The CyberWire Daily Podcast 11.18.22
Ep 1707 | 11.18.22

Government security advisories, and the difficulty of recovering from ransomware attacks. Authority for offensive cyber under deliberation. Google wins Glupteba suit.


Dave Bittner: CISA and its partners issue a joint advisory on the Hive ransomware-as-a-service operation. Ransomware continues to trouble governments internationally and at all levels. The U.S. Defense Department may see enhanced authority to conduct offensive cyber operations. Russian attacks on Ukrainian infrastructure remains kinetic as missiles show up, but cyberattacks don't. Kevin Magee from Microsoft speaks about leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber, describing creative attack paths and enterprise networks. And, hey, glupost, don't mess with Google's lawyers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 18, 2022.

Joint Advisory on the Hive ransomware-as-a-service operation.

Dave Bittner: Yesterday afternoon, the FBI, CISA and HHS released a joint Cybersecurity Advisory on the Hive ransomware group. As of November 2022, the advisory says, over 1,300 companies have fallen victim to Hive ransomware, and the criminals using the ransomware as a service have received some $100 million in ransom payments. The advisory says, Hive ransomware follows the ransomware-as-a-service model in which developers create, maintain and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and especially health care and public health. 

Dave Bittner: What should organizations do? The advisory provides indicators of compromise and tactics, techniques and procedures identified through FBI investigations. Hive has exploited Microsoft Exchange Server vulnerabilities. The FBI, CISA and HHS have some recommended steps that can be taken against Hive. These include finding and ejecting Hive operators from networks, installing updates for operating systems, software and firmware as soon as possible, and requiring phishing-resistant multifactor authentication.

Ransomware continues to trouble governments.

Dave Bittner: The BBC reports that government networks in the Pacific island nation of Vanuatu remain disrupted and largely unavailable as the effects of a ransomware attack continue. Parliament, police and prime ministerial networks have been affected for more than a week, as have email systems, intranet and online databases of schools, hospitals and other emergency services, as well as all government services and departments. There's no word yet as to who might be responsible. The Sydney Morning Herald suggests that the attackers' motivation is financial, but the Government of Vanuatu is remaining tight-lipped, expecting recovery to be completed soon. But it's not there yet, and digital services to citizens remain generally unavailable. 

Dave Bittner: Vanuatu isn't alone in facing ransomware issues. Australia's recent troubles with Russian cybercriminal activity are well-known. The US as we've seen has just issued a Joint Advisory on one ransomware-as-a-service operation. And in the UK, the Record reports that most of the government's emergency COBRA sessions have been convened to deal with ransomware. Ransomware also represents a growing threat to local governments. Suffolk County, N.Y., located on Long Island, east of New York City, continues to recover from a ransomware attack that disrupted services. According to The Wall Street Journal, the county's systems have yet to be restored to normal operations more than two months after the initial attack was discovered on September 8. 

Dave Bittner: Local governments are attractive targets for criminals because they combine opportunity and vulnerability. They hold large quantities of sensitive personal information on their citizens, which draws criminals on the grounds that, after all, that's where the data is. And they often remain poorly resourced and ill-prepared for an attack. The Wall Street Journal quotes Chris Cruz, who worked as chief information officer for San Joaquin County, Calif., before moving to the private sector as public sector CIO for cybersecurity company Tanium as stating, "Too often, these attacks succeed because public schools, municipal governments and other small government agencies don't have the resources, staffing, tools and expertise necessary to put forth a proper defense." And much of the technology local governments rely on is old, even obsolescent and so far beyond its end of life that patches and updates are simply no longer available. 

Report: the US Defense Department is expected to receive expanded authority for offensive cyber operations.

Dave Bittner: According to CyberScoop, a forthcoming revision to 2018's National Security Policy Memorandum-13 is expected to give the U.S. Department of Defense enhanced authorities to conduct offensive cyber operations. The revision is said in large part to address roles and missions, with the State Department playing a consultative role. A source told CyberScoop that successes by U.S. Cyber Command have done much to solidify the Pentagon's role in active cyber operations, stating, CyberCom has been able to notch a bunch of good wins, justifying the argument that having more flexibility - being able to move faster - really does help operations. 

Dave Bittner: Cyber Command has also, sources say, burnished its reputation by effective support of Ukraine against Russian cyberattacks during the present war. Moscow continues its long-range violent strike campaign against Ukraine's infrastructure and population. But Russian cyberattacks still aren't showing up. Russian ground forces are currently entrenching in defensive positions, evidently hoping long-range and indiscriminate bombardment will redress battlefield failure through direct terrorism against civilians, but effective cyberattacks - not so much, at least for now and the last few months. 

CISA releases two ICS advisories.

Dave Bittner: CISA  released two Industrial Control System advisories yesterday - one for Red Lion Crimson, the other for Cradlepoint IBR600

Google’s lawyers chalk up a win against Glupteba.

Dave Bittner: And finally, Google has prevailed in its court battle against the operators of the Glupteba criminal botnet - Glupteba, which might be Englished from the Russian as, you dummy, as Google explained in their announcement of victory - a highly sophisticated botnet that used cryptocurrency blockchains to protect its command structure and compromised millions of Windows devices. The dispute began almost a year ago, last December, when Google not only took down some of the botnet's infrastructure but also brought a U.S. federal lawsuit against Glupteba's proprietors. The risk of this approach was that it might give Glupteba a way of enmeshing Google in the tangles of U.S. civil litigation. The upside was the prospect of imposing real costs on criminal operators. 

Dave Bittner: This week Google won its case. Google wrote, on Tuesday, the court agreed with Google and granted our motion for sanctions, entering default judgment against the defendants to hold them responsible for attempting to mislead the court. In an extraordinary move, the court also issued monetary sanctions against both the Russian-based defendants and their U.S.-based lawyer, requiring the criminal actors behind Glupteba to pay Google's legal fees. This step is particularly important because it shows that there will be real monetary consequences for engaging in this type of criminal activity. Google is not so naive as to think that this is the end of Glupteba. But they're probably right to say that Glupteba has sustained enough reputational damage in the C2C markets that they'll find a lot of the hoods who might otherwise become their customers taking their trade elsewhere. Well done, Google. 

Dave Bittner: Coming up after the break, Kevin Magee from Microsoft speaks about leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber, describing creative attack paths and enterprise networks. Stick around. 

Dave Bittner: XM Cyber recently released research outlining security risks they've encountered on multiple customers' networks, including multicloud hopping and third-party risk to Azure environments. Paul Giorgi is director of sales engineering at XM Cyber, and I checked in with him for details on their findings. 

Paul Giorgi: Yeah, so most organizations have a variation of multiple-cloud services. I think that if we look at what we see most commonly, there's a mixture of maybe a little bit of Microsoft 365, whether it's Azure Active Directory or maybe a couple of, like, just Exchange Online. But there are services within that environment, and then maybe there's a little bit of the IaaS services within AWS and maybe a little bit of GCP. So these large organizations have multiple clouds, and it's not easy to replicate security posture or security defenses around each one of these the same way. 

Paul Giorgi: So when we look at how maybe an Azure Active Directory account could be the start of the breach and then, within four or five stops, end up reading data from an S3 bucket with an AWS, there's not a lot of correlation of risk from an Azure Active Directory account to an AWS S3 bucket. And what we're finding in our results is there is a lot of correlation. It usually doesn't take a lot of steps, and a lot of organizations are dealing with this risk and not even aware of it. So because we're aware that most organizations are some sort of multicloud variant but still assessing risk maybe just within their own individual clouds and not really considering the risk of how one entity could impact another entity - that was a really interesting finding for us, making sure people were aware of these risks from multicloud because most large organizations are some sort of variation of multicloud and need to start assessing risk holistically across all the entities and not just within those individual cloud environments. 

Dave Bittner: And how do you propose to go about doing that? 

Paul Giorgi: Yeah, so that's really where attack path management comes in. Attack path management assesses the telemetry, whether it's vulnerabilities, misconfigurations or user activity, and assessing that telemetry and then simulating what an attacker can do in that environment and not just within laptops or servers or domain controllers but how something like a lambda function could play a role with an AWS to then provide additional privilege escalation or additional - assume role-compromised capabilities within different environments. 

Paul Giorgi: So that really is the heart of attack path management - looking at all of your entities, all the configuration and then stringing together the realm of possibility from an attacker's perspective, identifying things like choke points. If I know an entity's risk to all the other assets in my environment, I can identify it as a choke point and remediate and prioritize risks tied to that entity quicker than maybe an entity that - there may be a lot of risk tied to it, but the risk it introduces to my critical assets is much smaller. So that's really the heart of attack path management - is dealing with holistic entity assessment and then stringing together the possibilities from an attacker's perspective. 

Dave Bittner: And one of the other things you highlight in the report is risk to Azure environments, particularly coming from third parties. What did you find here? 

Paul Giorgi: Yeah. So we live in a world where third-party access is just - it's something that we have to deal with, whether it is a partner, portal access. Maybe sometimes it's a contractor doing development work. We know that we live in this world where there's going to be some sort of third-party access. But we're seeing these risks start to manifest themselves within Colonial Pipeline or as the contractor accessing VPN with Kaseya. So we know that there are definitely these things that are coming up as risks that are starting to play out in real attacks that we're seeing hit the news. But unfortunately, what we're doing to address them is just doubling down on our old legacy processes - more questionnaires. We're going to now start putting them in their own AWS account instead of, like, their own grouping. 

Paul Giorgi: And that's not really the right approach. What we need to start assessing is really the risk from those third parties and using this concept of assumed breach. And that is something that we do at XM Cyber - is really, every breach point is the starting point of an attack. And then assuming those third parties are an assumed breach entity - maybe it is just a disgruntled employee from that third party or some sort of insider threat. But we need to assess all of the ways that third party could potentially introduce risk to my critical assets. And until we start looking at all the different ways that that could happen, I think we're going to just start seeing this more and more commonly appear in the news through these manifestations of public breaches like we've seen the last - unfortunately the last year or so. 

Dave Bittner: I mean, is that really sort of the through line through the things that this research has uncovered - is that folks need to really take a look at how they're assessing risk? 

Paul Giorgi: Yeah. I think that that is the main point of this document we call the Attack Path Management Impact Report. We're going to start releasing this pretty regularly. But it is, like, our perspective that we're sharing with every organization. And hopefully people start realizing that the way that we're doing things - whether it's just legacy vulnerability management scanning, whether it's assessing risk within the cloud, it's not working. And we need to holistically address our risk and assess all of the entities within our organization and then string together those realms of possibilities from an attacker's perspective. 

Paul Giorgi: So while we hope this report is informational and makes people more aware of what's going on, we also like to introduce people to attack path management because I get the pleasure of doing a lot of PoCs and demos, and you wouldn't believe how many people have never heard of attack path management. And from my perspective, I think that it's something that - it seems so obvious and organizations have been doing in old ways like pen tests and stringing together what happened during a breach and learning from those exercises but never proactively running through those exercises to determine how they could better defend or architect better defenses and respond more efficiently when they actually arise. 

Dave Bittner: That's Paul Giorgi from XM Cyber. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects," where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He is the chief security officer at Microsoft Canada - Kevin, great to have you back. I want to touch today on this continuing issue we have with the talent gap. I know you have some thoughts on this and perhaps some areas that are open for innovation. 

Kevin Magee: Yeah, I think that - thanks for having me, first off, Dave, back on the show. I love to talk about this topic, and we've talked about this a number of time - innovative ways to address the talent gap. And everyone's got different numbers. I think ours is there's 3.5 million security jobs currently open or projected to be open fairly soon. I'm not sure what the actual number is, but we know it's a lot, and we know we're going to have to do something different. And I've often found - and I work with a lot of universities and colleges to have some firsthand knowledge of this - that there's tons of graduates that are really well-prepared and that are aspiring to be cybersecurity professionals. There's tons of jobs opening. How can we not bridge that gap? And I've often used the metaphor of an apprenticeship. In accounting, you do an apprenticeship or internships. Or, you know, doctors don't just immediately graduate and become doctors. They have to do residencies. We need something like that for our industry. And it turns out, down there in the U.S., you're doing something similar to this and launching a pilot, and I'm very interested to see how it goes. 

Dave Bittner: What specifically are you talking about here? 

Kevin Magee: So the - a number of your government departments, the Department of Labor, Commerce, are working with NIST and some other partnerships in the community to design a program of apprenticeships. And they're launching this as a pilot. So far, my understanding is as of September 2, with 75 days remaining in their program, they've had 1,961 cybersecurity apprenticeships have begun through 15 programs. What I love about this is partnerships from different areas of the ecosystem coming together but leveraging existing and proven formats like the apprenticeship programs to deliver some sort of solution to this problem. So will it work? Don't know. But it's a great opportunity to really try at scale to see if we can find new ways to solve this problem. 

Dave Bittner: Yeah. You know, something that I've heard from a lot of people trying to find their place in the industry is that a lot of the folks out there who are hiring are looking for people who are fully baked, you know, who come in with lots of experience. Like, there's a tremendous amount of demand for those people - but that companies are not investing in those early-stage employees the way that a lot of people think they should. 

Kevin Magee: And I really find it comes down to a question of leadership. We're not teaching leadership. We're not teaching management to cybersecurity professionals. We often promote the most technical person to the role of manager and then wonder why that person doesn't succeed because they don't have the people skills to hire, develop and really engage with employees. So it's twofold. One, I think we really have to do a much better job of training our managers, training our leaders, preparing younger people to take on roles, as well, that can bridge those gaps, that can have those skills to develop. And then you're absolutely right. We are competing for talent and just driving price up. Supply and demand kicks in, and it's at some point that that breaks. So we need to be bringing in new people to the fold and any new programs that we can find that are successful doing that are going to be incredibly helpful. Retraining programs, tapping areas of the workforce that have never really looked at cybersecurity as a profession can be great opportunities to do that. 

Dave Bittner: Is this something you've been doing with your own teams at Microsoft, you know, looking for folks with those nontraditional backgrounds? 

Kevin Magee: Yes. And I have a history degree. We've talked about it before. I mean, I'm a nontraditional cybersecurity professional. I think the only other precedent I often say is, you know, Jack Ryan, who became a historian turned security professional. But we work with a number of college and university. In fact, Microsoft has a global program to invest in colleges and universities, provide free training and free certifications and also education for the professors and teachers. But we're also working on the ground with organizations. So I work with Toronto Metropolitan University - has a retraining or a second-career program for women, which is excellent. And we've hired a number of candidates that had technical backgrounds and nontechnical backgrounds. And when they can go through this intensive program that's very focused on building job skills, they can hit the ground running in their career and become instantly productive. So great opportunities. They're not risks. They're great opportunities, these programs to invest in for hiring but also just to work with, to volunteer time and assist to get them off the ground, as well. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Larry Cashdollar from Akamai. We're discussing "KmsdBot: The Attack and Mine Malware." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.