The CyberWire Daily Podcast 4.11.23
Ep 1799 | 4.11.23

IAM trends. RagnarLocker as a critical infrastructure threat. AI hype as phishbait. Updates on the hybrid war: leaks and hacks.

Dave Bittner: Key trends in Identity Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype, updates on the leaked US classified documents, and speculation over whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft's Ann Johnson from "Afternoon Cyber Tea" talks about cyber paradigm shifts with Samir Kapuria. And welcome to GCHQ's new boss.

Dave Bittner: From the Cyberwire studios at Data Tribe, I'm Dave Bittner, with your cyberwire summary for Tuesday, April 11th, 2023.

Key trends in Identity Access Management.

Dave Bittner: Today marks Identity Management Day. We discuss trends in identity management, and look at some expert commentary and advice on IAM. "Venture Beat" reported that one of four key trends discussed at the 2023 "Gartner IAM Summit" this year was the importance of adding identity threat detection and response solutions to protect against cyber threats and breaches. Other trends included the implementation of an identity-first approach to cybersecurity, the use of cloud infrastructure entitlement management tools and identity management approaches, and the implementation of a journey-time solution for a streamlined user experience. We've got some other industry observations on IAM on our Web site.

RagnarLocker and critical infrastructure.

Dave Bittner: Sygnia today shared a blog detailing RagnarLocker, a threat actor the security firm says has used double extortion tactics since early 2020 and targets, among others, the critical infrastructure sector. The blog says that the initial attack vector was a known vulnerability in an external-facing remote service. Many customized batch scripts were found, intended to be used for reconnaissance against Windows event logs and to deploy ransomware. The group used Remote Manipulator System as a command and control and remote access tool; AnyDesk was also observed in use to lift data. The use of these legitimate tools allows the RagnarLocker group to fly under the radar.

Cyber criminals capitalize on the AI hype.

Dave Bittner: Anticipation leads people to suspend their better judgment, and a new campaign of credential theft exploits excitement about the newest AI systems not yet available to the general public. This morning Veriti explained that several unknown actors are making false Facebook ads, which advertise a free download of AIs like ChatGPT and Google Bard. Veriti writes, "These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the RedLine stealer malware is activated and is capable of stealing passwords and downloading further malware onto the user's device." Veriti describes the capabilities of the RedLine stealer malware, which, once downloaded, can take sensitive information like credit card numbers and passwords, and personal information like user location and hardware. Veriti added that the malware can upload and download files, execute commands, and send back information about the infected computer at regular intervals. Experts recommend using official Google or OpenAI websites to learn when their products will be available, and only downloading files from reputable sources. With the rising use of Google and Facebook ads as attack vectors, experts also suggest refraining from clicking.

Updates on the leaked US classified documents.

Dave Bittner: The US continues to investigate the leaks of classified information that appeared on Discord servers and have since circulated through social media, especially in Russian channels. The investigation is seeking to confirm first that the leaks have stopped, second, to determine their authenticity, and third, to identify their source. Some of the documents appear on preliminary evidence to have been altered, CBS News reports. National Security Council Spokesman, John Kirby on Monday said, "We know that some of them have been doctored. Many or most of them however, seem to be genuine." And the AP writes that the US Department of Defense is taking them seriously. While the leaks are not believed to contain operational plans, according to CNN, Ukraine has indicated that the leaks have induced it to make some alterations in its own planning.

Dave Bittner: Discord servers have shown themselves readily adaptable to the sharing, scraping, and dissemination of sensitive information, CyberScoop explains. The publication also gives some color to the nature of the leaks stating, "The leaked documents are photographs of briefing slides that appear to have been folded up. They're photographed mostly against what appears to be a low table. In the background of some of the photographs can be seen a bottle of Gorilla Glue, and what appears to be a strap with the Bushnell brand, a popular maker of outdoor optics and rifle scopes." Other files the Wall Street Journal reports are photographs of paper documents, with folds in the paper visible in many of them. Since their initial posting the images have circulated through 4Chan, and various Russian social media accounts.

Dave Bittner: So who leaked them? No one knows so far. And as the New York Times reports, a large number of people had access to the compromised information.

Report from the leaks: Russian hackers compromised a Canadian gas pipeline.

Dave Bittner: There are some indications in the leaked files that a Russian threat actor has claimed to have compromised a Canadian natural gas pipeline in an incident reminiscent of the 2020 Colonial Pipeline attack. But the claim is just that, a claim. Canadian authorities have declined to comment. The Washington Post quotes a section of the leaked files, a February intelligence report which states, "A pro-Russia hacking group is receiving instructions from a presumed Federal Security Service officer to maintain network access to Canadian gas infrastructure and wait for further instruction." The FSB officers anticipated a successful operation would cause an explosion at the gas distribution station. If Zarya succeeded, it would mark the first time the intelligence community has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems.

Dave Bittner: Many experts regard the claims with skepticism. Zarya's record, such as it is, shows no ability to conduct anything beyond nuisance-level attacks, nothing more sophisticated than distributed denial of service operations. The group is thought to be an offshoot of the Cyber Spetsnaz auxiliary, itself spawned from Killnet. The Wall Street Journal cites cybersecurity experts who believe the claim looks like active disinformation. Even if there were a breach, and that's far from confirmed, it seems likely that only business systems would have been compromised. The Journal quotes Lesley Carhart, Director of Incident Response for North America at Dragos, who explains there's a mountainous gap between getting access to control devices in an industrial network and actually being able to make something, and I quote, explode. That involves understanding chemical engineering, understanding the process systems, and understanding all of the safety controls, human, mechanical, electronic, otherwise, that are involved in that specific configuration.

Killnet counts some coup against NATO (but not as much as it claims).

Dave Bittner: We've got some follow-up to reports of Killnet's distributed denial of service action against NATO. The Russian news source Lenta published an article yesterday alleging that during the DDoS attack, the hackers were able to paralyze at a minimum 60% of the Alliance's electronic infrastructure. Lenta also claims that the hackers gained access to secret data from NATO countries. The Cyberwire wrote to NATO asking for comment, and a NATO official responded as follows, "Cyberspace is contested at all times, and we face malicious cyber activity on a daily basis. NATO takes this very seriously. We remain vigilant and continue to adapt to evolving threats. NATO and allies are strengthening our ability to detect, prevent, and respond to such activities. We are currently experiencing denial of service attempts against a number of NATO websites and our experts are responding. NATO's classified networks are not affected and there is no impact on NATO operations." So Lenta's claims that Killnet had disabled some 60% of NATO's electronic infrastructure seem overstated. NATO's school at Oberammergau, the most commonly mentioned victim of the DDoS, is not, we note, an operational command.

GCHQ has a new boss.

Dave Bittner: And finally, Britain's GCHQ has a new boss. Anne Keast-Butler has been appointed to succeed Sir Jeremy Fleming [music] as GCHQ's 17th Director. Congratulations to Director Keast-Butler, and good hunting.

Dave Bittner: Coming up after the break, Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft's Ann Johnson from "Afternoon Cyber Tea" speaks about cyber paradigm shifts with Samir Kapuria. Stay with us.

Dave Bittner: Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on the cyberwire network. In a recent episode, she spoke with Samir Kapuria about cyber paradigm shifts. Here's part of that conversation.

Ann Johnson: I am thrilled and lucky to be joined today by Samir Kapuria, who is the managing director at CrossPoint Capital Partners and a strategic leader investing in industry-changing innovation. Samir has over 25 years of experience leading enterprise software, consumer software, and managed service businesses in cybersecurity. He was previously the president of NortonLifeLock, a global leader in consumer cyber safety. And under his leadership, he helped scale the company to annual revenues exceeding $2.4 billion. Welcome to "Afternoon Cyber Tea," Samir.

Samir Kapuria: Thanks, Ann. It's great to be here.

Ann Johnson: There's a lot of economic turmoil. There's geopolitical turmoil. What do you think are the macro trends that are tracking across specifically the cybersecurity industry?

Samir Kapuria: You're right. A lot has changed over the last year. And I could probably drain a whole kettle of tea with you on this question alone. But as you mentioned, the economic climate has companies looking at efficiency and spending in really creative ways. But I think a lot of leaders have an appreciation for the importance of investing in cyber in a whole new regard. Let me just break that down with a few key observations. The first one is, if we take that macro view you mentioned and pull back for a second, damages from cyber attacks have grown to trillions of dollars. I think one of the reports that I recently read said it has a trajectory to be over $10 trillion of annual damages in the next two years. So that's definitely hitting the P&L and the bank accounts of both companies and individuals in a serious way. And staying on that macro view for a second, the total spend in cybersecurity is roughly 150 to 200 billion. So the balancing of investments still has quite a long way to go before we see the size of the damages commensurate with the size of investment in protecting. Thing two, the geopolitical environment. It's definitely demonstrated the rise of cyber weapons targeting critical infrastructure, not being behind the curtain, so to speak, but being in the forefront. So the underpinnings of day-to-day life are now being impacted in a serious way. Keeping in mind that many of these cyber attacks don't just stay on target, but start to roam beyond the coordinates that were given.

Ann Johnson: When I talk to peers and customers and our partners about the challenges they're facing, I hear some of the, you know, the same concerns related to cyber hygiene and passwords and such. But I also hear about this layering of challenges, like, new technology, the pace of change, and those emerging threats I was just mentioning, that aren't truly well understood. I'm curious what you're hearing and what some of the most pressing security challenges you're hearing from founders and from other enterprise security leaders you speak with.

Samir Kapuria: Oh, I'm definitely hearing some of the same things you are, with that focus on the foundational elements of cyber hygiene. But I'm also hearing a whole host of new challenges that are top of mind with folks. On the pace of technology that you just mentioned, one thing that keeps coming up is the surface area expansion we just spoke about, specifically with IoT devices. Many of these devices, as you know, are the least secure part of the network, and they don't have the compute power to necessarily protect themselves. But the volume of these devices is growing at a fast pace. So it poses a challenge for orgs, who are now starting to respond by applying a zero trust approach almost to IoT as part of their cyber defense strategy. But I'd also take a step back to emphasize something else, which is the trust part of cyber. You know, you and I have been in this space for a long time. And if we look over the years, we've seen that people are naturally trusting, and attackers prey on that human characteristic with all sorts of social engineering attacks.

Ann Johnson: Let's change course a little. The RSA conference is coming up soon, and I know everyone's gearing up for a really, really busy week. The theme this year is stronger together, which is just this amazing theme, especially right now. So I've long said that cyber is a team sport, and we all need to work together for a safer and more secure future. Why do you think it's so important that we are elevating stronger together this year in particular?

Samir Kapuria: Well said. Cybersecurity is a team sport, and I've been going to this conference for many years, as you have as well. And it's bounced back even stronger than ever following the pandemic. So the RSA Conference is another reason I'm optimistic, to be honest with you, about the industry, because we're seeing the community come together to solve bigger problems in a more robust manner than ever before. And for full disclosure, Crosspoint Capital acquired a significant interest in the RSA Conference, so I have even more of a heightened sort of approach to it. But like you said, the innovation is healthy and thriving. But when people have come together in any facet of industry or life, they're able to collaborate and breakthroughs happen. And so that's where I think that this theme of stronger together is more appropriate now than ever before, because there's so many challenges on the horizon. But there's also that equal enthusiasm of how can we now collaborate? How do we share more? And you haven't seen that type of openness in this- in our community in a long time, where people are willing to share their experiences, share their knowledge, share their talent, [music] and bring it all together for the community in a sort of all-boats-rise type of approach.

Dave Bittner: "The Afternoon Cyber Tea" podcast is part of the cyberwire network. You can find it wherever you find your podcasts.

Dave Bittner: And joining me once again, is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, and also my co host over on the "Caveat" podcast. Ben, welcome back.

Ben Yelin: Good to be with you, Dave.

Dave Bittner: Interesting article here from the folks over at SC Media. This is written by Jessica Davis. And it's about Vimeo, the online video platform, kind of the- I- maybe it's fair to say they're the Pepsi to YouTube's Coke. [Laughing]

Ben Yelin: Yeah, more like the RC Cola to YouTube's Coke, I'm sure.

Dave Bittner: Probably, yeah, in size wise, certainly. But Vimeo has agreed to pay two and a quarter million dollars in an AI related biometric privacy lawsuit. Can you unpack this for us, Ben? What's going on here?

Ben Yelin: So it's important to know that one state in the country has a comprehensive biometrics privacy law, and that's the state of Illinois. It's called the Illinois Biometric Information Privacy Act. So many of these lawsuits that really should apply to every state in the Union are brought under this Illinois statute. What happened here is Vimeo purchased Magisto, which is a separate mobile application. Some individuals have uploaded images on Magisto, or across the web. And Vimeo has used those images without the users' consent to generate artificial intelligence. So they're using people's biometric data to scan each and every video and photo uploaded to Magisto. And once that photo or video is uploaded, they're extracting geometric data relating to unique points and contours of each face. And it uses that data to create and store a template, all without informing the user of that practice. And that amounts to a collection of biometric information, which according to this Illinois statute, requires actual knowledge on the part of the user. So I think this is a foundational lawsuit, because it shows that there are some consequences of using people's facial features or biometric data from photos that they upload online and using that to generate AI. And I think that's really the purpose of this Illinois statute, to prevent this type of unauthorized use of people's personal and biometric data.

Dave Bittner: This article points out that Vimeo denies any wrongdoing tied to the allegation, and yet is writing a check for two and a quarter million dollars. I mean, is that typically how the deals work in these sorts of things?

Ben Yelin: Yeah. So under the Illinois statute, you can sue even without having actual proof that your biometric data has been stolen. It can be a mere allegation of an injury or adverse event. If you just feel that your rights have been violated, you have a cause of action under the statute for liquidated damages. And the damages can be relatively hefty. We're talking about $1,000 for each negligent violation, and $5,000 for a reckless or intentional violation. So from Vimeo's perspective, you both want to avoid negative publicity from a publicized trial on this, and certainly you probably don't know, under this platform, whether you violated HIPAA. And in that respect, it makes sense to settle this and pay this 2.25 million to the users who have been harmed by this collection of data.

Dave Bittner: I think there's also kind of a due diligence angle here as well. You've got a company, Vimeo, who purchases another company, Magisto. You would imagine that they would have done a risk analysis of this very thing. But who knows.

Ben Yelin: I mean, they probably should have, right?

Dave Bittner: Yeah. Yeah.

Ben Yelin: That is part of due diligence in any business acquisition as you want to understand potential legal liabilities. And I don't know how apparent it was that Magisto was leveraging people's biometric information for its own purposes without the consent of the users. But this certainly exposed Vimeo to significant legal liability under this Illinois statute. And we're talking about a relatively long time period here. The original lawsuit accused Magisto and Vimeo after they purchased Magisto of scraping biometrics without proper notice and consent over a nine year period, between September 2014 and January of this year.

Dave Bittner: Wow.

Ben Yelin: That is a lot of potential violations per user. And if every single person in Illinois could sign on to this class action lawsuit, or whomever has uploaded videos to Magisto, we might get damages exceeding the 2.25 million that are going to be paid out as part of a settlement. And that might be one of the reasons why Vimeo is trying to settle and make this go away.

Dave Bittner: Can I ask you a legal nerdy question?

Ben Yelin: Always.

Dave Bittner: How does this bump up against standing? How can you have standing in a case like this, if all you have is a feeling that perhaps you were harmed by this but no proof?

Ben Yelin: Well, that was determined by the Illinois Supreme Court in a case five years ago. Generally, you have to have some sort of actual alleged injury to bring a case.

Dave Bittner: Right.

Ben Yelin: But the Illinois Supreme Court held that at least under this particular statute, really a mere feeling can be the basis for an allegation. Now, in order to secure relief, you still have to satisfy the requirements of standing. So there has to be an actual injury that is redressable by some type of action on the part of the court.

Dave Bittner: I see.

Ben Yelin: And there has to be causation between the alleged wrong and that injury.

Dave Bittner: Okay.

Ben Yelin: But getting your day in court is much easier than it usually is. I mean, usually you have to allege something with a certain type of particularity. And the Illinois Supreme Court said that at least under this statute, [music] that's not the case.

Dave Bittner: I see.

Ben Yelin: So --

Dave Bittner: So even just the specter of this going to trial could be enough for Vimeo to say, yeah, okay. We're going to settle here.

Ben Yelin: It's best to avoid- yeah. It's best to avoid getting messed up.

Dave Bittner: Interesting.

Ben Yelin: Yes, I think that's exactly right.

Dave Bittner: Yeah. All right. Well, thanks for explaining it to us, Ben Yelin. Always a pleasure.

Ben Yelin: Thank you.

Dave Bittner: And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the cyberwire. The Cyberwire Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.