The CyberWire Daily Podcast 3.3.23
Ep 1772 | 3.3.23

More on how the US will implement its new National Cybersecurity Strategy. Emissary Panda and Mustang Panda are back. Responding to phishing. Royal ransomware. Water utility security.


Tre Hester: The U.S. National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. CISA releases five ICS advisories. Sameer Jaleel, Kent State University associate CIO, on closing functionality gaps and creating a safer digital environment for students. Johannes Ullrich from SANS on establishing an end of support inventory. And the EPA issues a memo on water systems cybersecurity.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Friday, March 3, 2023. 

Implementing the US National Cybersecurity Strategy.

Tre Hester: Following the public release of the U.S. National Cybersecurity Strategy yesterday morning, the Center for Strategic and International Studies held a launch event that saw two major federal players in cyberspace come together for a discussion, the Acting National Cyber Director Kemba Walden and the Deputy Assistant To The President And Deputy National Security Adviser for Cyber and Emerging Technology, Anne Neuberger. 

Tre Hester: Walden expressed the intent of the strategy, saying, quote, "we have to lean into making what we have defensible," end quote. She noted that the SolarWinds incident brought increased federal attention to cybersecurity and helped it achieve the kind of recognition that earned remediation in the American Rescue Plan. She noted the importance of modernization, and also pointed out that modernization is a complex process. Quote, "IT modernization is a dynamic process. It has to keep going. It has to be baked into how we think about security," end quote. 

Tre Hester: Anne Neuberger emphasized cooperation for security. She said, quote, "a secure cyberspace is something that we must do arm in arm," end quote. Discussing last November's White House Counter Ransomware Initiative, she noted that this global summit saw many nations convene to work together against ransomware. Feedback from the participants showed the importance of international dialogue. And, of course, cooperation goes on at the national, as well as the international level. Both Neuberger and Walden emphasized the importance of U.S. interagency collaboration. 


The US National Cybersecurity Strategy was informed by lessons from Russia's war.

Tre Hester: The U.S. National Cybersecurity Strategy was shaped in part by lessons learned from observing Russia's hybrid war against Ukraine. The emphasis on resilience, close partnerships with industry and forward engagement with the threat were among the features of the strategy influenced by the conduct of that war. 

Two threat actors from China up their game.

Tre Hester: The National Cybersecurity Strategy was not shy about identifying the threat in cyberspace, and the familiar four intentional bad actors were specifically identified - Russia, China, Iran and North Korea. As the strategy put it, quote, "the governments of China, Russia, Iran, North Korea and other autocratic states with revisionist intent are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms," end quote. 

Tre Hester: One of the four adversary nations, China, is again in the news for cyber-espionage. Emissary Panda and Mustang Panda, two Chinese threat groups with connections to Beijing's intelligence services, have improved their tools and are actively engaging targets. Trend Micro reports that Iron Tiger, their name for Emissary Panda, APT27, has updated its SysUpdate malware family, extending its reach to Linux systems. The APT has also adopted a novel method of command and control. Quote, "Iron Tiger has also added a feature that has not been seen before in this malware family - C&C communication through DNS text requests. While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information," end quote. The group continues to concentrate on Southeast Asia, but HAS also prospected targets in Europe and the Americas. TechMonitor notes that the interests of Iron Tiger lie for the most part with governments, defense companies and infrastructure. 

Tre Hester: ESET is following developments in Mustang Panda's activities, especially its deployment of a novel and specially designed barebones backdoor. Mustang Panda's operations have increased over the course of Russia's war against Ukraine, collecting intelligence in the interest of Beijing. ESET states that the victimology is unclear, after noting signs of unusual interest in Bulgaria and Australia, but most of the group's interests appear to center in Europe. Quote, "the decoy file names are in line with the group's other campaigns that target European political entities," end quote. 

Responding to a phishing campaign.

Tre Hester: Crypto hardware wallet provider Trezor has warned of a major phishing campaign that targets its customers via phone calls, text messages and emails. The messages inform recipients that Trezor has recently suffered a security breach and instructs them to follow a link to secure their accounts. The link leads to a spoofed Trezor wallet seed recovery page. Trezor says there's no evidence that there's been a real breach, and the company says it will never contact customers via phone calls or text messages. It's not clear how the attackers obtained Trezor's customer contact information, but BleepingComputer points out that a similar phishing campaign targeted the company's customers after attackers stole marketing lists from MailChimp in March of 2022. 

#StopRansomware: Royal Ransomware.

Tre Hester: CISA and the FBI yesterday issued a joint advisory on Royal ransomware. Royal is noteworthy for its ability to disable various anti-virus tools in the course of exfiltrating data in its double-extortion attacks. Royal's operators have also been marked by their disposition to target "numerous critical infrastructure sectors, including but not limited to manufacturing, communications, health care and public health care and education," end quote. The gang has been known to demand ransom payments between 1 million and $10 million. The advisory includes a comprehensive overview of Royal's tactics, techniques and procedures, of its indicators of compromise and of mitigations that organizations can deploy to help them weather an attack with Royal ransomware. 

CISA releases five ICS advisories.

Tre Hester: CISA yesterday released five industrial control system advisories. The affected products are by Mitsubishi Electric, Baicells, Rittal and Medtronic. Users of the systems should consult with advisories and apply the updates and mitigations in accordance with vendor instructions. 

EPA issues a memo on water system cybersecurity.

Tre Hester: And finally, we close with another regulatory development. The U.S. Environmental Protection Agency has issued a memorandum to the appropriate state authorities outlining measures designed to improve the cybersecurity of water and wastewater systems. The agency's statement on the memo says that it, quote, "conveys EPA's interpretation that states must include cybersecurity when they conduct periodic audits of water systems, called sanitary surveys, and highlight different approaches for states to fulfill this responsibility," end quote. And of course, the state governments are not on their own. The EPA is providing technical assistance and resources to assist states and water systems as they work towards implementation of a robust cybersecurity program. We'll have more as the story develops over the coming week. 

Tre Hester: Coming up after the break, Dave Bittner sits down with Sameer Jaleel to discuss closing functionality gaps and creating a safer digital environment for students. Dave also sits down with Johannes Ullrich from SANS to discuss end support inventory. Stick around. 

Dave Bittner: Sameer Jaleel is associate CIO at Kent State University, a position he's held for about a year now. He started out as a student at Kent State and later worked there as an application developer. Since taking the CIO role, a big part of Sameer Jaleel's focus has been on closing functionality gaps and creating a safer digital environment for students. That is easier said than done. Like many organizations, they were faced with a collection of legacy systems and applications still in regular use throughout the university. 

Sameer Jaleel: The plan was to start to rewrite some of the critical applications, mission-critical ones specifically, which requires us to do a profiling exercise of everything we have in the portfolio to understand, you know, what do we rewrite? What do we combine, because needs show up over of periods of time, over years, and then there are piecemeal application solutions developed. Do they need to remain separate? No, they can be combined. So this kind of analysis happened over time while we were creating new value in the platform as well. So we actually caused a little bit of a problem even with the platform in the beginning, leading us to realize, especially leading me to realize, that the tool is only one part of the equation. Having a strategy, having a plan is equally if not more important. To now, where we have a healthy solution architecture practice that determines where the solution should happen, we have the possibility of custom solutions, but we also have invested in key enterprise technologies. Why are we not seeing the solution happen there when 80% of the function is happening there? Before we determine, we're going to write a custom solution for that. 

Dave Bittner: I mean, it's really fascinating as you take us through the process, I'm - because simultaneous to all of this, I mean, you've still got to be providing the things that your students, your professors, your staff people need there. You're kind of, you know, changing the oil while the engine is still running. 

Sameer Jaleel: Exactly. That's a great analogy. And this really came to light during the pandemic, right? So how do you do maintenance type of work, which is what I would call the rewrite type of work? If I take a step back, it all starts with an engagement with the business stakeholder, asking them, did you know you have 15 applications that cater to various needs for your business unit? They usually don't. And so we give them a high-level overview, and then we ask them for their future plans. And we will weigh in and tell them, here's an opportunity to combine these systems into one system. And sometimes they say - you know what? - just leave it alone. It's working for us. Don't change it. We don't need any new functionality. Only time we will intervene and say, OK, but we're still going to rewrite it in the new technology because that is an outdated technology and we don't want that to be the one vulnerability in our portfolio that gets exploited. So we are - we very seldom leave things alone if it is in an outdated framework, because that's the times we live in today. 

Dave Bittner: So I imagine - I mean, part of this, as you're describing it, is not just technical, but it's diplomacy as well. 

Sameer Jaleel: For sure. And I think that's kind of the direction forward. I think the times when, you know, there's an IT department and anything related to technology they will determine is outdated, if not, you know, behind us. Everything has a technology lean to it. And so we are trying to get that point across, as the central IT unit at the institution, that we want to have regular conversations with the various business units to understand what they see coming because they are making technology decisions all the time, and it's not being deferred to us anymore. 

Dave Bittner: Yeah. And really turning your organization within the university itself as an enabler rather than, you know, that stereotypical department of no. 

Sameer Jaleel: Yes, this was a big driver for us, producing that RFP because we had a backlog for two years and an average lightweight project would take us several months to produce because we would start from zero every time. With the low-code platform, the lowest time I can produce an application is one day. And that application still has institutional authentication, prefabricated all these modules. And there's a lot of reuse, which is part of the vision in that RFP. We're able to accelerate our development. So yesterday and past years, we would call it a backlog. Today we call it a roadmap because we're looking forward, right? If I'm being very literal, they're not very different, a backlog and a roadmap, but we are able to do these things quickly. And this, again, came to light in the pandemic because we didn't know what we would need, taking things that happened on premise in person and trying to create a remote experience on the fly. We really tested our abilities to create things without a heads-up with limited oversight, even, in some cases. You know, whatever you can produce is good for us was what we would get, and we were able to produce some really neat, innovative technologies that we fortunately don't have to use anymore. So even that doesn't bother us because it comes together quickly, and then we can kind of jettison it after the utility is over. 

Dave Bittner: For you as a leader, how much of this is nurturing that sense within your team that sometimes it's OK to go down that road, even if it doesn't lead anywhere? It's OK to experiment. 

Sameer Jaleel: Yeah, it's a big mindset shift. I mean, the first mindset shift, again, taking a step back, was when you look at low code. If you're really in love with writing code, it's a deterrent, right? Low code immediately implies you're not coding as much. And we had to confront that, that we're a higher ed institution. We're not here to feel good about optimizing 50 lines of code into 10. That's not what the rest of the institution sees as value. So we have to be solution providers and quickly. And can you take pride in that, that you go sit across from a group of faculty members or students or deans, listen to what they're struggling with and then come back with a potential solution that will improve that problem for them? That's who we need. And getting our developers to see themselves as that person, that personality was the hill we had to climb for a period of time. But we're there now, and we're thriving. 

Dave Bittner: That's Sameer Jaleel from Kent State University. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC Stormcast" podcast. Johannes, it's always great to welcome you back. 

Johannes Ullrich: Hey. Thanks for having me, Dave. 

Dave Bittner: So I saw recently that both Windows 7 and Windows 8.1 had reached the end of their support. And you make the point that this is something that folks really need to keep an eye on when it comes to their overall inventory, yes? 

Johannes Ullrich: Yeah, definitely. And it's one of those things that may be relatively straightforward with things like Windows. It's well-publicized, but there are lots of devices, lots of software that you have. And you know, recently, for example, there were yet another set of vulnerabilities in these Cisco RV routers, a sort of a small business line that Cisco has or had at some point. And, you know, myself and others are sometimes complaining, hey, you know, Cisco, aren't you going to publish any updates for that? And then you read closer, and yeah, last time they actually sold these, I think, was 2016 or 2018. 

Dave Bittner: Yeah. 

Johannes Ullrich: And so, you know, it's not unreasonable that Cisco kind of just stop supporting them at some point. And I think what we often forget is that devices like this - they have an expiration date. And while it's not kind of, you know, printed on the device when you buy it, there is an implied expiration date. And you have to be ready for that. So you have to keep, you know, a calendar entry or whatever it takes a spreadsheet, some kind of fancy, costly inventory management software, if you can afford it, that will alert you kind of, let's say, a year ahead or half a year ahead, depending on the device. Hey, you know, we probably should replace that device because the vendor is no longer offering any updates for it. And, you know, realistically speaking, if you have a 10-year-old router in some dusty corner underneath your desk, what are the chances that it will just go up in smoke kind of one of these days? So may as well get ahead of that and replace those devices and was honestly cheap. It's something that you - it's just the cost of doing business, something that you have to account for when you're getting the device in the first place. 

Dave Bittner: Yeah, it strikes me that - you know, there's that old saying, you know, if it ain't broke, don't fix it. But that doesn't necessarily apply to things that are software driven, because as you and I have spoken about many times, over time, vulnerabilities can be exposed. And so a piece of - a device that may have been secure or perceived as being secure over time, it may no longer be. 

Johannes Ullrich: Yeah, right. It's not like an old wine. It doesn't get better with time, kind of. 

Dave Bittner: (Laughter) Right. Love it. Love it. 

Johannes Ullrich: And so you just have to throw out - the problem sometimes is, like I said, no, Windows, Cisco - those companies are fairly straightforward about their policies here. In particular with companies targeting more home users or small business users, it may not be as easy to figure out what that expiration date is. That may be something that vendors could improve. Would be nice to have that printed on the box when you get it, but at least have some webpage so if they say, OK, you know, if you buy a device today, we guarantee for the next five year would be sort of a reasonable time. You'll get updates. But beyond that, who knows kind of what'll happen? Maybe we'll decide to extend it a little bit. That happens sometimes. But at least you sort of have a guaranteed, you know, good-by date. And after that, you're basically taking some risks. And you probably want to schedule - about five years from now, you probably need to get a new device. Um. 

Dave Bittner: I think of the things that just kind of, as you were saying, hang out, and you just sort of forget. They blend into the background. Things like printers and security cameras - they can be doing their thing for a decade or more, and nobody thinks twice about it. 

Johannes Ullrich: Yeah. And I have to admit I have, like, an old security camera here in the closet I really like. It's a very fancy one. It's 15 years old now, doesn't do modern TLS at all and such and... 

Dave Bittner: (Laughter). 

Johannes Ullrich: But hey, you know, it still works. It's still a fun toy to play with, kind of (laughter). 

Dave Bittner: Right, right. Every now and then, you wave to the foreign actors who are monitoring it, right? 

Johannes Ullrich: Yeah, exactly. (Laughter). 

Dave Bittner: As you walk by. Yeah. All right. Well, Johannes Ullrich, thanks so much for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefings at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here next week.