The CyberWire Daily Podcast 3.24.23
Ep 1787 | 3.24.23

Tools, alerts, and advisories from CISA. Reply phishing scams. Cl0p goes everywhere with GoAnywhere. EW in the hybrid war, and shields stay up.


Dave Bittner: A new tool from CISA helps secure Microsoft clouds. JCDC and pre-ransomware notification. CISA releases six ICS advisories. Cl0p goes everywhere exploiting GoAnywhere. Russian electronic warfare units show the ability to locate Starlink terminals. Betsy Carmelite from Booz Allen Hamilton on the DOD's zero-trust journey. Analysis of the National Cybersecurity Strategy from our special guests, Adam Isles, principal at the Chertoff Group, and Steve Kelly, special assistant to the president and senior director for cybersecurity and emerging technology with the National Security Council.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 24, 2023. 

A CISA tool helps secure Microsoft clouds.

Dave Bittner: We begin today with some stories from CISA, the U.S. Cybersecurity and Infrastructure Security Agency. First, the agency has released a tool to help detect malicious activity in Microsoft Azure, Azure Active Directory and Microsoft 365 environments. Called the Untitled Goose Tool in what's apparently a whimsical play on the Cretan liar's paradox, this Python-based tool has been developed in conjunction with Sandia National Laboratory. It's intended to serve as a robust and flexible hunt and incident response tool. Untitled Goose Tool is available on CISA's GitHub repository. 

JCDC and pre-ransomware notification.

Dave Bittner: CISA's Joint Cyber Defense Collaborative is also cultivating its pre-ransomware notification capability. JCDC explains, with pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. The JCDC is a public-private sector information-sharing organization established by CISA in 2021. JCDC associate director Clayton Romans explained in a blog post yesterday that pre-ransomware notifications are possible due to tips from the cybersecurity research community, infrastructure providers and cyberthreat intelligence companies about potential early-stage ransomware activity. Romans added that since the start of 2023, we've noticed over 60 entities across the energy, health care, water, wastewater, education and other sectors about potential pre-ransomware intrusions. And we've confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred. 

CISA releases six ICS advisories.

Dave Bittner: And of course, CISA continues to release industrial control system advisories. Yesterday, it published six of them. Users and administrators are, as always, urged to review the advisories, assess their systems and apply recommended upgrades and mitigations. 

Reply phishing.

Dave Bittner: A phishing campaign is impersonating Microsoft with emails that alert the recipient of an unusual sign-in to their Microsoft account, according to Avanan. The emails inform the user that their account has been logged into from an IP address in Moscow and encourage the user to click a button to report the suspicious activity. The report says, by clicking send, the user thinks they are reporting this activity for IT to investigate. Instead, the message goes directly to the hacker. This is where social engineering starts. The hacker will reply to the message, asking the end user for login information to safeguard the account. That, of course, is the opposite of what will happen. The scam's deceptive simplicity and the easy interaction make it effective. 

Cl0p goes everywhere exploiting GoAnywhere.

Dave Bittner: The Russophone gang behind Cl0p continues to make a widespread pest of itself. A campaign in which the Cl0p gang has exploited Fortra's GoAnywhere managed file transfer tool has caused the compromise of data from a wide range of victims. Major financing firms, energy companies and even governments worldwide have seen breaches due to the gang's exploitation of the zero-day vulnerability. The remote code execution vulnerability in the MFT software, tracked now as CVE-2023-0669, was first reported by Krebs on Security on February 2. 

Dave Bittner: 2nd. Fixes for the vulnerability followed on the 7th. However, it had already been too late by that point, as data had been stolen. Many organizations have come forward revealing that they were victimized by this series of breaches. The Record reports that the government of the city of Toronto, Canada, and British conglomerate Virgin U.K.'s rewards club, Virgin Red, all experienced data exposure. Bleeping Computer wrote Thursday that another British organization, the United Kingdom's Pension Protection Fund, was impacted by the zero-day. Several victims were located in Canada, with the Financial Post reporting yesterday that Canadian movie chain Cineplex said that it was hit in the attack, and SC magazine is also confirming that major Canadian financing firm Investissement Quebec was impacted. Procter & Gamble was added to the gang's leak site, and Saks Fifth Avenue confirmed an attack, according to TechTarget. These may be added to previously disclosed incidents at Hitachi Energy and Rio Tinto

Russian electronic warfare units show the ability to locate Starlink terminals.

Dave Bittner: Over in Russia's hybrid war, some traditional electronic warfare tactics have resurfaced. Starlink terminals used by Ukrainian forces are proving increasingly vulnerable to focused application of traditional electronic warfare by Russian forces. Defense One reports that Ukrainian units employing the system are being subjected to both jamming and geolocation by Russian electronic warfare units. 

Shields remain up.

Dave Bittner: Despite the failure of major Russian cyberattacks to work damage to Western infrastructure, Utility Dive reports, the U.S. Cybersecurity and Infrastructure Security Agency remains on guard against the possibility of Russian reprisals in the form of cyber offensives against the nuclear power sector in particular. CISA Executive Director Brandon Wales said Wednesday that a combination of effective defense, deterrence and decisions by the Russian government itself have all contributed to the lack of effect on critical infrastructure. Wales stated, recognizing that an invasion was likely, we were getting industry ready for potential attacks here at home. We have not seen that. We have not seen successful attacks on the United States from Russia, from the Russian government. And I think that is a credit to the work of both government and industry partnering together to make sure that those are much harder to achieve. Hacktivist auxiliaries have certainly been active in the Russian interest but only at the proverbial nuisance levels. Criminal activity by Russian gangs, which might be characterized as privateering given the toleration and protection it receives from Moscow, has continued at a high level, particularly with respect to ransomware attacks against poorly protected organizations. Security Boulevard has an account of what the deception specialists Lupovis learned from decoys it built and emplaced to attract a range of Russian threat actors. The privateers continue to show up in a big way. 

Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen Hamilton on the DOD's zero-trust journey and analysis of the National Cybersecurity Strategy from our special guests Adam Isles, principal at the Chertoff Group, and Steve Kelley, special assistant to the president. Stay with us. 

Dave Bittner: The Biden administration recently released their National Cybersecurity Strategy, which, in their words, aims to secure the full benefits of a safe and secure digital ecosystem for all Americans. For our upcoming CyberWire special edition covering the National Cybersecurity Strategy, we've got two special guests. Adam Isles is a principal at The Chertoff Group, the security firm founded by former secretary of the Department of Homeland Security, Michael Chertoff. Previously, Adam served as the deputy chief of staff at DHS. Our second special guest is Steve Kelly. Steve Kelly serves as special assistant to the president and senior director for cybersecurity and emerging technology with the National Security Council. We've got a segment from that special edition for you today, beginning with the Chertoff Group's Adam Isles. 

Adam Isles: There is very loudly and clearly an emphasis on a fuller use of existing regulatory authorities and maybe the need for some new regulatory authorities to apply a set of kind of minimum expected cybersecurity practices across critical infrastructure sectors. There is a sense that what's historically been largely a voluntary approach isn't generating the outcomes that we need to defend the country and make it cyber resilient. And so what we're seeing here is certainly a focus around - we have existing, whether it's safety or security, regulatory authorities. Let's make sure there's a cyber component to those. And, in fact - right? - saw not even a day after the cybersecurity strategy was released, the Environmental Protection Agency come out with new guidance to state EPAs basically saying when you're doing inspections of public water systems, here's what you need to be asking about from a cybersecurity perspective. And I expect we'll see that trend kind of percolate across into other regulatory agencies as well. I mean, TSA has already come out and announced - and they haven't divulged the specifics of it, but an emergency amendment to aircraft and airport regulations to add an additional cybersecurity expectations. 

Dave Bittner: I think something that's caught a lot of people's eye is this notion that we're going to see an emphasis on liability for software. 

Adam Isles: Yes. And again, this is not a new thought, but it is the administration saying in a formal way, you know, we stand behind this. I mean, the Cyberspace Solarium Commission talked about it. What we really want software providers to be doing, particularly the providers of security technologies, is to be designing their systems to be secure by design and to incentivize them to do that by having them own more of the liability if, for whatever reason, they aren't. You know, the interesting thing in this space - right? - is there are lots of compliance frameworks that are out there and best practice frameworks. And we think in the context of federal agencies around things like, you know, NIST Special Publication 800-53, when we're thinking about, you know, compliance frameworks that are, you know, well known in the private sector, we think about ISO 27001, you know, SOC2. Those frameworks don't really necessarily get to the level of detail on what good software lifecycle security practices look like. 

Adam Isles: And so we're talking about, you know, a potential liability shift coupled with, well, let's think about what a modern, you know, software security lifecycle framework looks like and let's try and get people to conform to that. And so you see, coupled with this idea of liability shift, you know, also the focus around using procurement authorities to try and drive, for instance, the software providers that are selling to the federal government to, you know, kind of attest to conformance with, you know, a framework like the SSDF software makers. 

Steve Kelly: Need to be taking appropriate steps to ensure that their products are built safe and secure. 

Dave Bittner: That's Steve Kelly. He's special assistant to the president and senior director for cybersecurity and emerging technology at the National Security Council staff. 

Steve Kelly: What we've experienced in the past is that building a complex software product like an operating system, for instance, is incredibly cumbersome. It involves, you know, an incredible volume of code that's being written and assembled. Creating secure software is no easy feat. We recognize that. But this administration, under the executive order that was signed early on, 14028, we doubled down on making sure that we have secure software development practices being used in creating software that the government is buying for its own uses. And that includes things like some foundational work done by NIST on creating secure software development practices and standards around that, and then also making sure that we've got transparency into what components are in software. Because software maker doesn't just write brand-new code. Oftentimes, there are components that are borrowed and adapted from other places, including open-source software projects. And so it's important to make sure that you understand what's under the hood in a software product and that all the pieces that are in there are being updated and security flaws are being addressed over time. 

Steve Kelly: And so one thing that has been problematic in the past, especially for small users and small businesses, is that when you purchase a software product, you click through an end user licensing agreement, which in many cases waives your ability to seek redress if there's a flaw in the product and it causes a harm. We want to make sure that the software makers are using all of the industry standard best practices for creating secure products and that - as a result of that, then that would create kind of a liability safe harbor for them. And so we want to encourage people to use best practices in creating software products from the start and to do all the right things to make sure that these products are as secure as they can reasonably be at the time of their release and that, over time, that those products are being patched and maintained in an appropriate way. 

Steve Kelly: That's the theme behind that section. And frankly, it's a strong message, and it's caused a lot of interest and concern by some. And it's kind of an opening of a conversation on, how do we make sure that our software products are safe and secure by design and that they are maintained over time and that, you know, that helps to manage - that's one big piece of managing the nation's risk? 

Dave Bittner: There is much more to my conversation with the Chertoff Group's Adam Isles and special assistant to the president Steve Kelly in our upcoming special edition on the National Cybersecurity Strategy. Be sure to look for it this weekend in your CyberWire podcast feed. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a principal at Booz Allen Hamilton. Betsy, it is always great to welcome you back to the show. One of the things that you take care of there at Booz Allen Hamilton is you are the federal attack surface reduction lead, which is a long way of saying, I think, you help some of the folks in the Fed and the DOD for protecting their assets. I want to talk today about zero trust and particularly how the DOD is coming at that. Let's start off with some basics here. I mean, for folks who may not be familiar, what are we talking about with zero trust? 

Betsy Carmelite: Sure. Sure. So we've talked a bit in the past about zero trust and really what it requires. We're looking at that assume breach mindset. We're looking at approaching zero trust as a longer journey toward defense and protecting networks and then also the mindset shift that is required when adopting a zero-trust architecture or reference model. And so, as you know, we've talked a lot about that since the executive order was released. But more recently, let's go back to November 2022, when the Department of Defense officially unveiled a zero-trust strategy and roadmap. And it laid out how the DOD components should direct their cybersecurity investments and efforts in the coming years. 

Dave Bittner: What are the goals that they've laid out here for themselves? 

Betsy Carmelite: So there are two types of goals. There is a targeted zero trust level. So, quote-unquote, "it's to reach that target level of zero trust maturity over the next five years." And it requires a minimal set of activities they need to do by 2027. The advanced zero trust level is for the highest level of protection, taking you beyond 2027. And so there are also four strategic goals that come along with that. The first is zero-trust culture adoption. DOD information systems are secured and defended. Technology acceleration occurs. And then zero trust enablement and the approach to zero trust enablement includes 45 separate capabilities organized around seven pillars. Those pillars are users, devices, networks and environments, applications and workloads, data, visibility and analytics and automation and orchestration. And then furthermore, there are 91 activities to get to the targeted zero trust level and 61 advanced-level activities. 

Dave Bittner: Wow. Well, in terms of this journey, I mean, what makes this an important milestone along the way? 

Betsy Carmelite: So I think for two reasons. Many organizations ask those foundational questions such as, what is zero trust, and where do I start? Those questions, you know, still are occurring after the EO because it's such a monumental undertaking. The strategy will go a long way towards helping DOD components to answer those beyond the executive order. And second, the level of details provided in the breakdown of all of those capabilities and activities really provide clarity where it previously did not exist. It's truly a path to follow. 

Dave Bittner: Do you have any specific examples you could share? 

Betsy Carmelite: Yeah. So if we look under the user pillar and one of the zero trust capabilities, it's conditional user access. It has both targeted and advanced levels to achieve. And so the target state-associated activities are - there are a couple - there are application-based permission and organizational MFA. The advanced level would require enterprise roles and permissions and rule-based dynamic access. So the first should be prioritized in the short term. And then the advanced activities have a longer path, according to that DOD timeline. 

Dave Bittner: So why is this the moment for this? I mean, what's - why is - what makes this relevant now? And where do you suppose we're headed? 

Betsy Carmelite: We see adopting a zero-trust strategy as a key step toward defending one battlespace, and I'll explain that one battlespace. We need to see cyber - the cyber threat landscape in the same way our adversaries see it. It's one battlespace. And when adversaries devise strategies for digital conflict, they don't view the U.S. federal government or the defense and intelligence community's public infrastructure, private industry as separate targets to our adversaries. We are a holistic, target-rich environment that's one connected battlespace. 

Betsy Carmelite: So the pivot to zero trust and the pursuit of widespread connectivity come now as the U.S. prepares for a potential fight with China or Russia. And these are powers capable of intercepting military chatter and extracting sensitive information from systems. And those systems are thought to be secure. But as with zero trust, the mindset is to assume breach. And then both with zero trust and international cooperation, they are both foundational to the Pentagon's joint all-domain command and control philosophy, and that envisions interlinked forces and databases across land, air, sea, space, cyber all around the globe. 

Dave Bittner: I'm curious - you know, you mentioned the timeline. How much of this is aspirational, and how much does the DOD actually have teeth here, that they can enforce a timeline? 

Betsy Carmelite: Well, I think what's going to be key around enforcing the timeline is measuring the success and putting metrics behind it. And so we understand the Zero Trust Program Management office will develop and deploy a metrics-based approach, as do most organizations. But really adhering to those SMART objectives - specific, measurable, achievable, relevant and time bound - that can be used to measure goal progress - I think that's going to make it achievable, and, you know, just recognizing how each of the components are going to go down this journey by 2027. I think sharing information back and forth among those components to know where have successes been achieved in that accelerated way and learning from each other in that process - I think that'll be achievable. 

Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Jerome Segura, senior threat researcher at Malwarebytes. We're discussing his work "WordPress sites backdoored with ad fraud plugin." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening. We'll see you back here next week.