Joint advisory warns of Truebot. Operation Brainleaches in the supply chain. API key reset at Jumpcloud. More MOVEit vulnerability exploitation.

Dave Bittner: US and Canadian agencies warn of Truebot. A look at "Operation Brainleaches." Jumpcloud resets API keys. An update on the MOVEit vulnerability exploitation. Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight discussing what you need to know about NIST 2.0. And OSCE trains Ukrainian students in cybersecurity.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Friday, July 7th, 2023.

US, Canadian organizations warned of Truebot.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency and its partners (the FBI, the MS-ISAC, and the Canadian Centre for Cybersecurity) have issued a joint  Cybersecuritiy Advisory outlining a spike in new variants of the Truebot malware. In addition to using phishing campaigns, threat actors are now using a vulnerability in the IT auditing software Netwrix Auditor to deliver the malware. The advisory contrasts the current wave of infestations with what's been seen in the past, stating previous Truebot malware variants were primarily delivered by cyberthreat actors via malicious phishing email attachments. However, newer versions allow cyberthreat actors to also gain initial access through exploiting CVE-2022-31199, a remote code execution vulnerability in the Netwrix auditor application, enabling deployment of the malware at scale within the compromised environment. The initial infections are established through either social engineering or malicious redirection. The advisory goes on to explain, based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyberthreat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants." The advisory offers extensive advice for risk mitigation, including detailed indicators and preventative measures organizations can apply. CISA also urges organizations to exercise, test, and validate their security program against the threat behavior displayed in conjunction with Truebot's deployment. The Joint Advisory makes it clear that Trickbot is an information-stealing kit used by the ransomware gang Cl0p and other threat organizations to gain access to and exfiltrate victims' sensitive data. Cl0p is, as regular listeners will know, a Russian-speaking gang motivated principally by profit but also given to acting against targets and states viewed as hostile by Moscow. Effectively, they're privateers, and nowadays, states viewed as hostile by Moscow amount to a pretty rich target set.

"Operation Brainleaches" in the open-source supply chain.

Dave Bittner: In another issue affecting the software supply chain, researchers at ReversingLabs have discovered more than a dozen malicious packages in the NPM open-source repository. The packages are designed to target application end users, while also supporting email phishing campaigns targeting Microsoft 365 users. The researchers note that this may be the first dual-use campaign in which malicious open-source packages power both commodity phishing attacks and higher-end software supply chain compromises. The packages impersonated legitimate NPM modules such as jQuery, and had around 1,000 downloads before they were removed.

Jumpcloud rotates API keys.

Dave Bittner: Jumpcloud is resetting API keys for its clients' admins. The company released a statement yesterday that said, "Out of an abundance of caution relating to an ongoing incident, Jumpcloud has decided to rotate all Application Programming Interface keys for Jumpcloud admins. These keys are used for authenticating a user or application and are commonly used in IoT products. The keys are static, which means they're stored on a system or device and have to be manually changed or rotated. In some cases, changing a static key is referred to as 'rolling codes'". The API key rotation seems to specifically affect admins, as the company's instructions on its Support page are geared towards them or command runners. Details on what prompted the rotation are scarce, but for now, Jumpcloud is urging customers to reset their API keys for enhanced security.

Update: MOVEit vulnerability exploitation.

Dave Bittner: Shell Global has disclosed that it had sustained a data exposure incident via exploitation of the third-party MOVEit transfer vulnerability that has afflicted other organizations. The energy giant said that the incident was not a ransomware attack, but rather that "some personal information relating to employees of the BG Group has been accessed without authorization." Affected individuals are being notified. SecurityWeek writes that it's unclear what sorts of data have been compromised, stating, " Toll-free phone numbers where additional information can be obtained have been made available for employees in Malaysia, South Africa, Singapore, Philippines, UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, suggesting that affected people may be from these countries." TechCrunch notes that while Shell has said it wasn't hit with ransomware, the company may well have been the target of attempted extortion by the Cl0p gang, which has been behind most of the publicly known exploitation. That need not have involved ransomware in the traditional sense, that is, malware that renders the victim's files inaccessible until they pay, and it may have amounted to a threat to dump stolen personal information. This has indeed become commonplace, as many crooks are now simply skipping the traditional encryption of victims' data. Shell also isn't alone, as other recently affected organizations have come to light. Higher education figures prominently among them as colleges and universities have seen data compromised through security incidents affecting the National Student Clearinghouse, and the Teachers Insurance and Annuity Association of America.

OSCE trains Ukrainian students in cybersecurity.

Dave Bittner: The Organization for Security and Cooperation in Europe (OSCE) is running cybersecurity training for Ukrainian university students preparing for careers in law enforcement or emergency response. The OSCE's announcement explained that the training is in defensive operations, stating, "the training covers basics of cybersafety rules, including ways to protect personal data, main threats, and risks related to the use of email, social networks and other tools, security tips for IT equipment including mobile phones, features of malware and needed physical measures to ensure protection of information resources." It's another example of the international support Ukraine has attracted in defending itself in cyberspace.

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight, discussing what you need to know about NIST 2.0 Stay with us.

Dave Bittner: Version 2.0 of the NIST cybersecurity framework is imminent, and many CISOs are eager to know how the updated framework may affect them and their organizations. Mike Hamilton is founder and CISO for Critical Insight, a managed detection and response in cybersecurity-as-a-service company. Previous to founding Critical Insight, Mike Hamilton served as CISO for the City of Seattle. I checked in with him for details of the NIST 2.0 cybersecurity framework.

Mike Hamilton: Well, the history is that this was a project that was commissioned by the Obama administration. And NIST, the National Institute of Standards and Technology, was tasked with creating a standard-of-practice framework that could be implemented by any organization, and they successfully did this. So it is an outcome-based framework, meaning it's not prescriptive. It doesn't, say, have this control in place. It says "make this thing happen," and how you do that is up to you. So if you're a small company, you may do it one way. If you are Lockheed, you're going to do it a different way with lots of people and lots of tools, but just meet the outcome. This revision is part of just the cycle of going back and looking at it and making some adjustments that, to me, seem to be in line with the increasing regulatory pressure on critical infrastructure. Yet, because this is applicable to all organizations, the language that's specific to critical infrastructure was taken out. And I think that's really one of the main things about this new revision. They're really trying to make it universal.

Dave Bittner: Well, before we dig into some of the details, is it fair to say that the initial version of NIST received high marks and was generally regarded as a good thing?

Mike Hamilton: Oh, absolutely. You know, where it was recommended by the federal government to be used by critical infrastructure sectors, it was pretty well adopted by lots of organizations, whether they were regulated critical infrastructure or not, because it is an outcome-based framework, and it does- if you modify it a little bit, it can be your risk assessment tool to the extent that you are required to do an annual risk assessment, and now even that's for insurance purposes, right? Insurance companies have become the kind of universal regulators. Well, everybody wants you to do an annual risk assessment, and this is a great way to do it. So yeah, there's been great uptake.

Dave Bittner: So I'm a CISO here, and I'm running my company, doing my best to keep up, and I know this is coming. What are some of the things I need to know in terms of some of the changes here?

Mike Hamilton: Well, I'll tell you what's in and what's out. So what's in, cybersecurity outcomes applicable to all organizations, which is commensurate with what I just said about language that's specific to critical infrastructure has kind of been removed. There is also a new section about govern, right? In the original NIST 1.1, which is what we've been using, there is identify, protect, detect, respond, recover, and they've added govern to that as a separate focus area or domain or whatever you want to call it, and removed the governance areas from the identify domain and made that its own, also, some from the protect functions as well, which is consistent with guidance from, for example, the SEC saying that, listen, we want you to have somebody on staff who is responsible and accountable. We want you to have board representation, etc., etc. So both in terms of your own risk management where you need to get fingerprints on things like accepting risks, but also to be aligned with some of the new regulatory guidance coming out, governance, really important. So detection- detect, respond and recover function, detection and response of incidents is a little more vigorously defined in there. And the new govern function covers organizational context, risk-management strategy, policies, procedures, roles, responsibilities, everything you would think is in there. So that's largely what the ins and outs look like. What's new are the supply chain risk management outcomes that they want, and this is starting to be really ubiquitous. Recently, Health and Human Services put out I think it's NIST 800-66r2, which talks about the fact that you- if you're a covered entity in healthcare under HIPAA, you need- your incident response planning needs to cover your third parties. And so, you know, all this is starting to congeal. It looks like there's really some coordination behind this. Also, continuous improvement through a new improvement category, and the identify function or domain is there. They are leveraging the combination of people, process, and technology to secure assets across all categories in the protect function. Resilience is a new word that is showing up in the framework that wasn't there before through a new protect category.

Dave Bittner: Yeah. How do you anticipate the rollout of this happening here in terms of people adopting it, and it becoming an expected standard?

Mike Hamilton: Well, there are a couple of ways that can happen, and the one where the federal government has leveraged is in the critical sectors. And so new guidance has been provided to pipelines, water, maritime ports, through the Coast Guard, rail, aviation, smart cities. And they're not requiring this, but they're- it's being strongly advocated as your method of determining what your gaps are in meeting the desired outcomes, and therefore what your corrective action plan would look like, and if you take that a step further, how you would budget for that. This is the way that we use the tool with our customers. We end up with a risk assessment, a corrective action plan, and budgetary asks for all the gaps that we need to close. And so I think, for the critical sectors, it's going to be a no-brainer. There's going to be uptake there. When we start talking about nonregulated or, you know, noncritical sectors where the government doesn't have that kind of oversight, because there is a push by the federal government to make sure that when the federal government buys something, it has an enormous power of the purse and so they can hold organizations they do business with to a standard, and this is becoming the standard. And if you are a business that does business with someone who is a DoD contractor, this cascades down to you as well. So of all of the standards of practice that you could pick out there, this is the one that's the lightest touch, right? Nobody would go voluntarily say, "Well, we're going to align with NIST 800-53. It's- you know, it's 15 pounds of paper that's only applicable to federal agencies. Or the ISO standard, right? That's really- or a high-trust. Those are really, really heavy lifts. This is the gateway drug to starting to manage your security program appropriately. And so I think, because of some of the things the federal government's doing with national cybersecurity strategy and wielding the power of the purse, I think there's going to be a lot of uptake.

Dave Bittner: What is your take on this? Do you feel as though this is the right thing at the right time? Are you pleased with what they've come out with here?

Mike Hamilton: Oh, absolutely. I think- well, starting with the Obama administration and, you know, coming up with the NIST framework and making that available to everyone, I mean, it was great. But some of the things that the federal government is doing now that align with that, you know, as I mentioned, not only the using the purchasing power of the federal government to say, you know, if your product isn't secure, we're not going to buy it. That just makes all the sense in the world. So, you know, I think that this has been a really good thing in combination with a lot of things that are going on now. In the beginning, it was like, "Well, this is another standard of practice." You know, it's a burrito; it's a tostada, right? The ingredients are the same. The packaging is a little different. Now, it's emerged as something more, and I think it's got a lot to do with that national cybersecurity strategy.

Dave Bittner: That's Mike Hamilton from Critical Insight.

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro, and sign up for Interview Selects, where you'll get access to this and many more extended interviews.

Dave Bittner: And it is always my pleasure to welcome back to the show Andrea Little Limbago. She is Senior Vice President for Research and Analysis at Interos. Andrea, always great to welcome you back. I want to discuss with you today looking at where we find ourselves when it comes to global politics and policy and how that affects folks in cybersecurity. I know it's a big topic, but I'm counting on you to bring it home for us here. But what are your insights?

Andrea Little Limbago: Yeah, it is a big topic, but it also is one that I think is not getting quite as much attention as it should. And there's a whole range. I think to your point, of issues on the global front that have direct implications for cybersecurity. One would be, you know, that the growing data privacy laws and cybersecurity laws are being passed throughout the globe. And in many regards, that's welcome news for better data protection. But in some cases, that leads to greater data access, depending on where you are, and so that's where the notion of data sovereignty comes into play where you've localized data policies and laws, and in many cases requiring data storage, for instance, within the sovereign territory, and that can come with some risk. And that- those risks really are overlaid with the geopolitical situation, where if your data is required to be stored in a country, for instance, that might be an adversary to the where you are located, say in the US or in Europe. Then that's going to put your data at potentially greater risk if it's stored in an adversarial country. So I think that's one big trend that we're seeing is just, you know, the notion of digital authoritarianism where governments are trying to get greater control and leveraging everything from spyware and disinformation, to national policies to enable access to data and data storage, have greater control over that data. So we're seeing that occur on the one hand, and then on top of that, we're also seeing an increase in instability and protests across the globe. As we're seeing as areas of democratic decline, we are seeing people push back against that. But what goes along with that very often is a wave of disinformation and various kinds of cyberattacks can correspond with the broader instability that may happen. And, you know, one irrelevant example is in the recent French protests that have been going on. We also saw pro-Kremlin hackers attack the Parliament around the same time. You know, I argue that that's not coincidence that that happens during times of instability. We also see during times of elections, greater cyberattacks and disinformation campaigns, really causing a lot more instability within countries. So you see that going on as well, where this instability is basically exacerbated due to the cyberthreat landscape.

Dave Bittner: What about instability in a platform itself? And I'm thinking specifically of Twitter here, where, you know, I think for a long time, we kind of knew what we had with Twitter. We knew what it was good at and what it was bad at, and we knew how to navigate it. And it seems like, you know, lately with the new management there, that it's- there's been a whole lot of chaos injected into that. And as a global provider of information, it seems to me that's got to have an effect on things as well.

Andrea Little Limbago: I think it does. And what's interesting is really the- I think there's a big transition going on in the social media landscape as well. So I'd argue, you know, a year ago, especially in the security community, we've leveraged Twitter a lot for information. But we also have seen a massive exodus from Twitter from in the cybersecurity community with some of these shifts. And so it's no longer the source of information that it once was. And given that, and I think that's happened in different spots, that there are communities that no longer view Twitter as that source of information, so they're looking elsewhere. And, you know, one of the key places many people are looking at is TikTok, and so we see that going on as far as Congress reviewing whether to ban TikTok. And we see across states, within the United States, many government- state governments are banning the use of TikTok by its employees for security concerns, because that's also, you know, another side of it was where you do still see Twitter being used a bit, but I think that's decreased. But it still is definitely a concern, and different parts of the globe depend on different social outlets, social media outlets, and so they are definitely still being leveraged. And even, you know, Facebook is still quite a big source of information globally. I think we see it, maybe not as prominent in the US as it once was, but in many countries, it still is a main source of information, and that's where we still see plenty of disinformation, campaigns, plenty of malvertising, and so forth. So it still very much so is a platform that can be abused to help prompt and instigate greater instability.

Dave Bittner: As we track the ups and downs around the globe when it comes to the rise and fall of democracy and communication and disinformation, is it fair to say that right now we're in a little bit of a trough here?

Andrea Little Limbago: I hope we've reached the low point, and that we are going to --

Dave Bittner: That's a good way to spin it. That's a positive. That's a positive spin, and I love it.

Andrea Little Limbago: Yeah. That'd be great if we've reached the rock bottom of it and we're now going to be back moving in a better direction. But it has. It's been on decline for about 15 years. That alone is a big source of instability. But I do think, you know, on the one hand, we're seeing a lot more protests against governments, and that's everywhere from- if you remember the protests in Canada last year that blocked some of the routes in between the US and Canada.

Dave Bittner: Mm-hm.

Andrea Little Limbago: India had enormous protests over the last few years. I'd like to think that's indicative of greater engagement, which is what democracy requires. And so, on the one hand, the protests do lead to some instability. We see it in Peru and Nigeria. We see it in France right now. But ideally, it will hopefully lead to stronger democracies through greater civil engagement. That is the optimistic take on that, but it's going to be a challenge. I mean, we do still see authoritarianism spread. We see authoritarian-leaning parties getting greater control, you know, across governments in Europe, for instance. It is still very much a concern, but I do think there's a greater awareness. And I think this is, again, is where we're seeing more and more democracies start to collaborate together to help offset the authoritarian spread, and that's a great thing. You know, we've seen greater collaboration across democracies over the last few years than we had seen, you know, arguably in the in the previous 10 to 20 years. And I think that's hopefully been an unfortunate wake-up call from Russia invading Ukraine, is democracies starting to work together in new and innovative ways to help counter some of the spread of authoritarianism.

Dave Bittner: Yeah. All right. Well, Andrea, Little Limbago, thanks so much for joining us.

Andrea Little Limbago: All right. Thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Thomas Etheridge from CrowdStrike. We're discussing their work, Business As Usual, Falcon Complete MDR Thwarts Novel VANDARD PANDA Tradecraft. That's "Research Saturday." Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your teams smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.