The CyberWire Daily Podcast 5.22.23
Ep 1828 | 5.22.23

Record GDPR fine. Movements in the cyber underworld. FBI found to have overstepped surveillance authorities.

Transcript

Dave Bittner: The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typo-squatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson from Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities.

Dave Bittner: I'm Dave Bittner with your Cyberwire intel briefing for Monday May twenty second, 2023.

EU fines Meta for transatlantic data transfers.

Dave Bittner: The EU has levied a 1.2 billion euro fine against Facebook's corporate parent Meta, the AP reports. Ireland's Data Protection Commission, which oversees the activities of US companies in Europe on behalf of the EU, handed down the fine. The commission judged there to be data transfers to US-based systems that violated the EU's General Data Protection Regulation. Meta calls the decision unjustified and says it will appeal. For now, Facebook services in Europe remain uninterrupted. The Wall Street Journal notes that the decision is likely to place pressure on Washington to arrive at some middle ground with the EU over data practices that would replace the defunct Safe Harbor agreement. Meta has until October to comply with the directives of the commission.

FIN7 returns, bearing Cl0p ransomware.

Dave Bittner: FIN7 has emerged from hibernation after an almost 2-year bearish snooze. The cybercrime gang has been seen deploying Cl0p ransomware, the Hacker News reports. Microsoft observed the gang's activity in April of this year, tracking them under the moniker "Sangria Tempest." The hackers, active again for the first time since late 2021, were observed using a variety of tools to gain hold of victims' systems before the deployment of the Cl0p ransomware, the Record reports. The group had previously been seen deploying REvil and Maze malware, and later DarkSide and BlackMatter ransomware. Security Affairs writes that the gang had been seen in previous years targeting restaurants, gambling, and the hospitality sector generally in the US, among a broad range of other victims.

Python Package Index temporarily suspended new user and new project registration due to a spike in malicious activity.

Dave Bittner: Python Package Index, PyPI, temporarily disabled new user sign-up and new uploading on its platform on Saturday due to a spike in malicious users and the malware they brought. PyPI writes that these types of third-party supply chain attack vectors are becoming more common among malware campaigns as they give threat actors access to more victims with less work. By attacking a third-party site and embedding malicious software in seemingly legitimate code, the actors are able to disseminate malware to would-be victims with less need to launch a full-scale campaign. PyPI has not released any specific details regarding this spike in malicious activity, but Computing reported this morning that the organization had restored access to its platform.

Typo-squatting and TurkoRAT.

Dave Bittner: The cybersecurity community has noted an uptick in supply chain attacks. The 3CX attack in which threat actors corrupted updates to infiltrate various industries springs to mind. Another was reported last week by ReversingLabs, an attack in which threat actors utilized typo-squatting to convince developers to download their corrupted node-cookie proxy agent, which carried the TurkoRAT trojan malware. Typo-squatting, as CSO Online explains, works by publishing legitimate software embedded with malicious code under a name that is only slightly varied from the original in hopes that it will be found when users are searching for the legitimate package. The researchers explained that this package included a 100MB file which contained TurkoRAT, an info stealer capable of credential harvesting with a built-in crypto-wallet grabber. This campaign seems to have affected a very small portion of the customer base, as the malware was only downloaded 1,200 times, compared to the legitimate version's 20 million downloads.

UNC3944 uses SIM swapping to gain access to Azure admin accounts.

Dave Bittner: A text-based phishing and SIM swapping campaign has reeled in a victim. Researchers at Mandiant have tracked threat actor UNC3944 in its SIM swapping campaign and infiltration of a Microsoft Azure administrator account. SIM swapping, as explained by Mozilla, is a social engineering technique in which attackers pose as service providers requesting identity verification for SIM card activation to gain PIN numbers, the last four digits of a social security number, or other sensitive information. The criminals use the compromised accounts to gain initial access and begin building persistence and gathering information. The attackers use a reverse SSH tunnel and utilize commercial off-the-shelf tools to avoid security measures and maintain persistence.

A Turla retrospective.

Dave Bittner: The FSB's Turla group recently saw a setback when the FBI and its international partners took down some of the threat group's infrastructure. The takedown prompted a retrospective in WIRED, which covers some of Turla's most notorious operations. The recent FBI-led action against infrastructure devoted to the distribution of Turla's Snake malware has been a blow to the FSB, but as WIRED points out, it would be unwise to count Turla out.

FBI found to have overstepped surveillance authorities.

Dave Bittner: And finally, the search history of one US federal agency may be far more embarrassing than any of ours. Reuters reports that a ruling Friday by the US Foreign Intelligence Surveillance Court finds that the Federal Bureau of Investigation improperly used a national database of foreign intelligence. The outlet writes that the Bureau accessed the database "278,000 times over several years, including on Americans suspected of crimes." According to the Record, the FBI was found to have improperly searched the communications of those who participated in the January 6, 2021 riot at the US Capitol, as well as the 2020 protests against police brutality following the death of George Floyd. The AP writes that the violations include improper searches of donors to a congressional campaign and predate a series of corrective measures that started in the summer of 2021 and continued last year. The data was accessible via the Foreign Intelligence Surveillance Act, that's FISA. Congress is currently divided on how to move forward with reauthorization of Section 702 of the Act, which allows for US intelligence agencies to conduct warrantless surveillance of non-US citizens abroad. The law is set to expire at the end of the year unless Congress reauthorizes it. This finding may complicate reauthorization.

Dave Bittner: Coming up after the break, Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. Stay with us.

Dave Bittner: Andrew Peterson is co-founder of Signal Sciences, recently acquired by Fastly. He's the author of the book "Cracking Security Misconceptions," where he advocates for ways to encourage non-security professionals to participate in organizational security.

Andrew Peterson: If I was to be a CSO and start a security group from the ground up, which a lot of my, you know, peers and friends have gone through, the question is where would I start? And how would I actually go about building out a program? And it's pretty daunting, right, to think about all those things. Most websites are comprised, or our mobile applications are comprised of many, many, many lines of code and it only takes a couple mistakes or bugs to potentially create some vulnerabilities in that code, which essentially is just inevitable. Right? Like if you're writing code, you have bugs in your code, and so it's inevitable that some of those bugs might create and expose vulnerabilities into that code. And so you know, on the technical side of why this stuff is extremely hard is that you imagine you just try to do that to basically create perfect code. Well, perfect code can't get created in the first place. Like, it's just not possible. Second, most companies or organizations are trying to make more code, right, as much as possible, in fact. Like they're trying to add new features or new things or new ways to connect to their customers, and most of the ways that they're trying to connect to their customers are over the internet. Point is there's tons, and tons, and tons of internet code that's getting created, and as a security professional, trying to keep up with that and just try to secure all of it inherently is a technical problem. It's incredibly hard.

Dave Bittner: How do you recommend folks come at that? I mean, is it a matter of prioritization? I mean, like you said, I mean, the notion itself can be overwhelming and yet it needs to be done.

Andrew Peterson: Yeah, you're building a security program, you're thinking about where you're investing your time, and I think people invest their time in the areas where they feel like they can make progress easily, and or the areas where they understand it. Like, and they understand how to secure things. So I think most security teams and security professionals have defaulted to those two things. Where can I make progress easily? And where are the areas of the security stack that I am familiar with and know? And so therein lies some of the sort of logistical problems I think that security professionals face when it comes to protecting code and protecting websites is that most security professionals' background is not as a developer, and most security professionals' background does not, you know, have a deep, deep, deep depth in coding. And then you know, so that covers the what they're familiar with part. And so they may just, by default, not be defaulting to working on those problems first or spending as much time in those areas. And then the second thing that, you know, a lot of security folks talk about this and it is not necessarily always front and center in the conversation, but most of the time, development teams and security teams don't necessarily get along well, and so you have this aspect of that job where can I make progress quickly on solving a problem area of security? Like, the answer to that if you're trying to think about protecting websites is typically no. There's a bunch of reasons for this, but like the shorthand version of this is that security people tend to try to make development teams and their lives harder by creating either testing frameworks, or let's just call it hoops that they have to jump through to be able to get their code out live, or they file a bunch of bugs against the code that is live that the developers then go need to fix. And that is really for potential problems and not necessarily ones that the developer may believe are actual problems or actual threats against the organization. So when you sort of put all those things together, I think that like protecting code and protecting especially even production websites has - I wouldn't say it's gone to the wayside, but it just moves down in priority in terms of where security folks are spending their time. And again, that's either for lack of familiarity, for hard to get things done, or just for the, you know, for the sheer problems that they're up against. So Dave, getting back to your question of like well, okay, so that's all the bad parts. Like what are the - let's shed some light on some of the good parts. When I started Signal Sciences and then, you know, we've combined forces with Fastly a couple years ago, the vision of why we started it in the first place is because we were on the other side of this. We were in-house and we were trying to build secure code at scale at a big online retail company called Etsy, and you know, we sort of realized that there were some real problems both logistically and technically. And we said look, the only way that we're really going to be able to have a meaningful impact on being able to solve these problems is number 1, being able to do accurate solutions at scale. But then number 2, we really had to put ourselves in the position of the development teams and say what is not going to make their lives harder? And what's going to make their lives easier to be able to integrate security into their day-to-day practices? And so when I talked to security professionals today and ask them what are the tools that they're looking to try to use and adopt and bring into their teams, I think usability is extremely high on the list of attributes that they're looking for in tools, way more so than efficacy. Usability and then - this is kind of a weird word. I don't even know if it's a word but installability [phonetic]. Right? Like the ability to get something up and running in their environment easily. So this concept of ease of use and ease of - or sort of fast time to value I think is probably the most important thing that - and these are things that we certainly focus on and these are part of why I think we've been able to have success with our customers and helping them protect their, you know, their websites and protect the internet is because we've tried to make using it and adopting it and installing it easy. Don't make them learn another tool. Like meet them where they're at with their own toolset so you know, instead of literally - this will be kind of a down in the weeds thing - but like a practical piece of this is to say where are developers looking for data on the production systems that they're working on or on the code systems they're working on? Great. Security tools should be integrating into that thing that they're working in, instead of saying you know, hey developer, here's a new tool that you need to learn and go, you know, go log into, and create a login for, and add this to your process. Nope. You got to take it to them. Like, you can't expect them to come to you.

Dave Bittner: That's Andrew Peterson. He's co-founder of Signal Sciences, which was recently acquired by Fastly.

Dave Bittner: And it is my pleasure to welcome back to the show Rick Howard. He is the Cyberwire's chief security officer and also our chief analyst, and the host of the CSO Perspectives podcast. Rick, we have the madness of the RSA conference behind us, and I'm assuming since you trotted into the studio here and sat down at the table right across from me, that this can only mean one thing, which is the next season of CSO Perspectives is on the launchpad.

Rick Howard: It is, indeed, my friend. We have successfully moved the interns from our alternate sanctum sanctorum studios underwater, by the way, below the San Francisco Bay Bridge and back to their home in Baltimore Harbor where they had been busy putting the last bits of varnish and paint for season 13 of the podcast.

Dave Bittner: Well, before we get to our podcast today, first I wanted to congratulate you on publishing your new book while we were at the conference. For our listeners, can you share the title with us again?

Rick Howard: It's called "Cybersecurity First Principles: A Reboot of Strategy and Tactics".

Dave Bittner: I'm hoping that you can share the story about your wife and daughter and their adventures in the RSA bookstore.

Rick Howard: Yeah, I love this story. I had a proud dad moment, Dave. You know, my youngest daughter Kimmie and my long-suffering wife, Kathy, they travelled with me to San Francisco that week and I did the RSA conference and they did the tourist thing. And they are not cyber people at all and have never attended a conference before, but when they heard that I debuted my book at the conference bookstore, without telling me beforehand, they social engineered their way past the security guards, found their way to the bookstore, and made fools of themselves telling customers to buy my book and I couldn't be more proud.

Dave Bittner: I love this story. I absolutely love this story. Worth mentioning too that your book sold out. Before your book signing, the book sold out.

Rick Howard: It so did. Yeah, it was a little disappointing. People came by and then I don't have a book for you, so we'll try to make up for it on the backend, I guess.

Dave Bittner: All right. Well, today, you are telling us about the first episode of the new CSO Perspectives season over on the Cyberwire Pro side of the house. What do you have in store for us this season?

Rick Howard: So on this first episode, we're talking about workforce development and trying to close that 3.2 million and growing gap that exists today of open cybersecurity jobs that we can't seem to fill. And I realize that if you run the idea of training and hiring your staff through the lens of first principles, you discover that we as an infosec community haven't found the essence of the problem yet.

Dave Bittner: What do you mean by that?

Rick Howard: Well, the community has known about this growing gap for over a decade, now, and we've continued to see the gap grow, and yet we haven't changed how we hire and train as if, you know, we expect that somehow, we'll solve this problem by doing the same things over and over again that caused the problems in the first place.

Dave Bittner: Well, what is the first principle here that will help us close this gap?

Rick Howard: Well, from my perspective, the infosec community is enamored with hiring those superstars. You know, you know the ones, Dave. Somebody with 25 years of experience, a technician with 17 certifications, and an employee willing to work for $1.50 an hour. You know? No wonder we can't find anybody.

Dave Bittner: Right, right.

Rick Howard: So when the organization trains its own people, leadership is usually all for it, but we send the individual. You know, we pay upwards of say $3,000 or so for an employee to attend a class or a conference to get up to speed on some new thing. Most times, we ask the individual what he or she wants to learn, not as a training task, but as a perk for being part of the organization. And it occurred to me, we don't really have a team training strategy at all. We've focused on the individual and that's kind of counterproductive if you think about it. We shouldn't be thinking about hiring superstars. We should be thinking instead about buying down risk by building an infosec team in the aggregate that can pursue our first principle strategies. So in other words, not one person that knows it all, but a team that can do it together.

Dave Bittner: You know what this reminds me of? It reminds me of one of my favorite movies, which is Moneyball.

Rick Howard: Oh, yeah.

Dave Bittner: With Brad Pitt and Jonah Hill, came out, oh, gosh, 2011 or something like that, but based on the same - the book written by Michael Lewis. I mean is that the kind of thing that we're talking about, here?

Rick Howard: It is so Moneyball, Dave. I think that's what it is! So if you're not familiar with the movie you should go watch the movie. It is fantastic. The Oakland A's decided they couldn't afford to buy superstars anymore, so when they did a first principles analysis of how to win Major League Baseball games and decided that the most important stat to base a team on was on-base percentage. You get on base, and you earn runs, and then you win games. And what I'm talking about in this CSO Perspectives episode is how do you deploy the Moneyball idea to the cybersecurity workforce development plan?

Dave Bittner: All right, well that, ladies and gentlemen, is what we in the business call a tease. So I know I'm looking forward to checking out the episode. Rick Howard, thanks so much for joining us.

Rick Howard: Thank you, sir.

Dave Bittner: And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the Cyberwire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.