Some guidance from the US government (including device security labels). Supply chain security. Developments in the cyber underworld (including a gang with some perverse integrity).
Dave Bittner: The US Federal government issues voluntary security guidelines. Possible privilege escalation within Google Cloud. An APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware. Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third party risk. And some noteworthy Russian cyber crime–they don’t seem to be serving any political masters; they just want to get paid.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, July 18th, 2023.
US Federal government issues voluntary security guidelines.
Dave Bittner: The US Federal government has issued some standards and guidelines that affect cybersecurity practices.
Dave Bittner: The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance for 5G network slicing–that is, the preparation of a set of logical networks that ride atop a common infrastructure. The guidance, in their words, is intended to “help foster communication amongst mobile network operators, hardware manufacturers, software developers, non-mobile network operators, systems integrators, and network slice customers in the hopes that it may facilitate increased resiliency and security hardening within network slicing.”
Dave Bittner: CISA has also published a factsheet outlining free tools for cloud environments, “to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security.”
Dave Bittner: And just this morning the White House has announced a cybersecurity labeling program for smart devices. It’s been anticipated for some time. “Under the proposed new program, consumers would see a newly created ‘U.S. Cyber Trust Mark’ in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.” Manufacturers and retailers who have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.
Possible privilege escalation within Google Cloud.
Dave Bittner: Orca Security reports a privilege escalation vulnerability, "Bad.Build," in Google Cloud that could open the door to supply chain attacks by allowing an attacker to infect users and customers. Orca wrote this morning, “As we have seen with the SolarWinds and recent 3CX and MOVEit supply chain attacks, this can have far reaching consequences.”
Dave Bittner: Orca’s report explains, “By abusing this flaw that enables the impersonation of the default Cloud Build service account, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. Any applications built from the manipulated images are then affected, with potential outcomes including Denial-of-Service (DoS) attacks, data theft, and the spread of malware.”
Dave Bittner: Orca Security has alerted Google and Google has closed the vulnerability, but Orca suggests that affected organizations pay close attention to the details of their instances. Orca writes “The revoked permission wasn’t related to Artifact Registry, which turns the supply chain risk into a persistent one. In view of this, it’s important that organizations pay close attention to the behavior of the default Google Cloud Build Service Account to detect any possible malicious behavior. Applying the Principle of Least Privilege and implementing cloud detection and response capabilities to identify anomalies are some of the recommendations for reducing risk.”
APT compromises JumpCloud.
Dave Bittner: JumpCloud announced that its systems were breached in a sophisticated attack conducted by a state-sponsored threat actor. On June 27th they found “unauthorized access to a specific area of our infrastructure,” and determined that some of that access had begun as early as June 22nd. They saw, initially, no evidence of an effect on customers, but they took various precautions that included rotating credentials and rebuilding infrastructure in an effort to shore up their network and perimeter.
Dave Bittner: The company is convinced the attack was sponsored by a nation-state, but JumpCloud is unsure which state was behind the attack. In further forensic investigation JumpCloud discovered further unauthorized activity in the form of “unusual activity in the commands framework for a small set of customers.” In response, JumpCloud performed a force-rotation of all of the admin API keys on July 5th, the same day the unusual activity was discovered. Ars Technica explains that JumpCloud hosts a user base of over 200,000 organizations with 5,000 paying customers, including Cars.com, GoFundMe, and Foursquare.
Dave Bittner: JumpCloud also engaged its prepared incident response plan, including the participation of their Incident Response partner, and notified law enforcement authorities.
FIN8 reworks its Sardonic backdoor and continues its shift to ransomware.
Dave Bittner: The Symantec Threat Hunter Team (STHT), part of Broadcom, has released a report detailing a new variant of the Sardonic backdoor associated with the cybercriminal gang Syssphinx [sis-finx] (also known as FIN8). This new variant of Sardonic is intended to deliver the Noberus ransomware.
Dave Bittner: The Syssphinx tool was discovered in 2022, when it was observed delivering White Rabbit ransomware. Symantec explained that FIN8’s shift towards ransomware was observed in 2021 after the gang infected several compromised systems in the financial sector with the Ragnar ransomware. Symantec writes, “The Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations.”
Dave Bittner: Symantec explains that the cybercrime gang has revised its tools, noting mainly that the newly reworked backdoor has been rewritten in C, as opposed to its previous version, which was written in C++. Additionally, the new backdoor variant seems to be embedded indirectly into a PowerShell script, which differs from its previous version, in which it “featured an intermediate downloader shellcode that downloads and executes the backdoor.”
Dave Bittner: Symantec concludes its report with a snapshot of the gang. “Syssphinx,” and again, you may know them as FIN8, “continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations.”
Russian cyber crime, but without obvious political allegiance.
Dave Bittner: And finally, integritas! That’s what we’ve heard the Roman legionnaires would say to their centurion, to report that their armor and the rest of their gear was intact and in order, and that they themselves were standing tall and looking good. Integritas, one, whole, solid, consistent with one’s duty, or more generally with one’s values. That’s integrity.
Dave Bittner: And it’s worth remembering that there can be a kind of integrity even among criminals. We've grown accustomed to seeing criminal gangs and hacktivists function, during the hybrid war Russia has unleashed against Ukraine, as either privateers or auxiliaries, operating in the interest of one of the belligerents. Usually that belligerent has been Russia, and the extent to which the Russian security and intelligence agents have made use of their country’s criminal classes is one of the striking features of the war in cyberspace.
Dave Bittner: It seems, however, that at least one Russian (or at least Russophone) cyber gang, RedCurl, has continued to act in a purely criminal fashion, not obviously working in the interest of any government. Researchers at F.A.C.C.T. [eff ay see see tee], which the Record describes as an "offshoot" of Group-IB, describe RedCurl's action against both Russian and Australian targets. The gang's initial approach is through phishing. Their goal isn't either the installation of ransomware or the threat of extortion through doxing. Rather, RedCurl engages in commercial espionage, seeking to steal valuable business information, for subsequent resale in the C2C market. About half of RedCurl's attacks have hit Russian targets. The other half have been distributed across Ukraine, Canada, and various European countries.
Dave Bittner: We grudgingly admit that there’s something refreshing about a gang that’s in it just to get paid, not caring about national interest or glory. There’s a kind of criminal integrity here. It’s a base and deplorable integrity, but there’s a consistency in their values. Still, we hope they receive some approximation of justice, and that some authority somewhere brings them to book. Whether it’s the FBI or the FSB, the police or the militia [mil-IT-see-YUH–the Russian police] doesn’t much matter. Good hunting, John Law, wherever you may be.
Dave Bittner: By the way, we hope that stuff about legionnaires and centurions and integritas is true. Our historical desk is the source, and they’ve usually got it right, but sometimes we wonder if they get their Roman history from Tacitus or from watching reruns of Gladiator on Netflix.
Dave Bittner: In any case, integritas!
Dave Bittner: Coming up after the break, Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third party risk. Stay with us.
Dave Bittner: GDPR has been in effect for just over five years now. In their 2023 Third-Party Risk Management Study, the team at security firm Prevalent looked at the impact of GDPR on the practice of third-party management, with its treatment of privacy as a core requirement. Alastair Parr is senior vice president of global products and delivery at Prevalent.
Alastair Parr: What we are experiencing is an uptick in things such as quantity of identified data breaches or impacts from a third-party. And we actually allocate and equate some of that to the fact that people have improved visibility and that's a general trend when you start looking at the general insights across the spaces that we see increased volume of issues and incidents and that's down to the fact that there is a plethora of tools and technologies out there to aggregate the data at scale that people didn't necessarily have several years ago. So visibility is certainly improved but people still have ultimately automation issues and remediation issues across the space.
Dave Bittner: It seems to me to be on the surface anyway, to be such a daunting task, you know, because when you think about all of your third-party suppliers, then you think about their suppliers, what do you recommend in terms of an approach to this? To break this down into management pieces.
Alastair Parr: Completely agree. So absolutely, the change is that it is typically we're talking thousands, tens of thousands of third parties and it's a very daunting and overwhelming challenge, so typically we see people reaching out trying to understand just how can I actually right size that into something that's manageable, regardless of whatever automation tools that I have, regardless of how engaged the third parties are, or how accurate the vendor inventory is, people ultimately need to understand is, how can I right size that so I can invest what limited time and effort I have into the right areas.
Dave Bittner: And the people who are successful there, are there any common elements?
Alastair Parr: Yes, very much so. So, the most successful third-party risk and life cycle programs that we see tend to be fixated on the internal focus as much as they are the external. Of course vendor interactions are important, being able to aggregate the data and work with the third parties to remediate core deficiencies and dependencies, but the internal aspect is equally important. Being able to build up that vendor inventory with the business, getting the business and the stakeholders involved and ultimately invested in the program is foundational. So one of the key findings that we found is that while I think it's circa 71 percent of programs are actually owned by the information security team, we are seeing circa 63 percent or 53 percent of the third party relationships being owned by the procurement or business owners respectively. So there's that sort of a seesaw approach where you need to have the buy-in and the vested capabilities and support of the business in order to be able to drive the program effectively.
Dave Bittner: And to what degree is this a technology issue, having the right tools to come at this with versus a personnel issue and you know, training your employees, things like that?
Alastair Parr: I would say, more often than not, it's a process first issue. So the technologies are out there to supplement, support, automate, and scale the process, but foundationally if the processes aren't right in the case of who and how do we reach out to the third parties? How do we react and interact with the data outputs that we get? It's very process orientated, you need the business involved, you need compliance, audit, procurement, the business owners, execs of course, and risk management, all really working together and being a sort of cohesive unit.
Dave Bittner: What are your recommendations for that security person who has to make the case for this to their board or to the powers that be to justify a program like this?
Alastair Parr: So one of the biggest challenges I think they face is the fact that it's not necessarily a revenue generating function. It's a case of, it's an insurance mechanism, addressing and managing risk to a proportionate level so that things don't happen. And what certainly helps is when you start seeing incidents and events occur where third parties have had data breaches or events and you've been able to detect it and react to it accordingly. So using legacy insurance mechanisms where you've been able to avoid adverse reputational damage from historical events is certainly useful, but then also, identifying how you can use the program to actually save through the procurement cycle. So, for example, we've identified issues and incidents with operational resilience of third parties or their contracts aren't standing up. People using that leverage in the renegotiation cycle to actually deliver better services, reduce cost, et cetera. So there is potentially a dollar element to it as well.
Dave Bittner: What do you suppose the future holds for third-party risk management? Where do you see us headed here?
Alastair Parr: Good question, so one of the long-standing headaches I think in third-party risk management is that interaction between vendors and of course the business itself. There's a heavy reliance on things like assessments, there's a lack of standardization on assessment structures, which isn't going away, purely because each organization typically has their own variance, in fact, over 70 percent of our customers alone, and the hundreds of programs that we manage, actually use custom content and assessments in their programs. That's not going away. So what we start, and we expect to see, is components such as AI ultimately helping in translating and adapting various content sources into the answers that we need. So programs don't care about assessments, they care about results. They care about risks. So however we aggregate the data, whether it's [inaudible] reports, whether it's proprietary policy documentation, as long as we can analyze it at scale and be able to translate that into tangible risks and context, that's very much where the entire third-party estate and environment is really going to head.
Dave Bittner: Yeah, it's a really interesting insight. I mean I think in particular that that translation layer to be able to make your case to the board and to your colleagues is so important, and yet I think, it's my experience that lots of folks still struggle with that.
Alastair Parr: Yes, absolutely. So the ability to translate the technical language of risks are colors, you know, red is bad, can be lost on some programs. So you're absolutely right. So when we tend to build KPIs and KRI material for the boards and the execs, it tends to be very much persona focused. We are looking at making sure that we've got the right data points that they're curious about and they're interested in, which help them understand are they at risk?
Dave Bittner: That's Alastair Parr from Prevalent.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the "Caveat" podcast. Ben, it's always great to have you back.
Ben Yelin: Good to be with you, Dave.
Dave Bittner: So, interesting proposed legislation coming out of Massachusetts here when it comes to the buying and selling of location data. What's going on here, Ben?
Ben Yelin: So this law would be the first of its kind in a state legislature across the country. Massachusetts lawmakers in both the state House and Senate are weighing a near total ban on the buying and selling of location data drawn from mobile devices in the state. Other states controlled by both Democratic and Republican legislatures have passed broad data privacy legislation, but this would be the first that would institute a near total ban on buying and selling of this location data. So one element of the law would institute a warrant requirement for law enforcement access to this data. That's important, it really codifies the Supreme Court's holding in the Carpenter decision from 2018, preventing warrantless searches of historical cell site location information.
Dave Bittner: Would this also prevent law enforcement from purchasing that data without a warrant?
Ben Yelin: It would, any law enforcement access without a warrant would be prohibited.
Dave Bittner: Okay.
Ben Yelin: The broader prohibition that's outlined in this law, which I think is more significant, is that data brokers would be banned from buying and selling location information about state residents without court authorization. So there are limited exceptions in circumstances where it would be useful to the consumer, things like sharing location for ride sharing purposes, for weather applications, et cetera. But the law would be certainly the broadest in this country and it would have a major impact. There's a coalition of civil liberties and privacy groups that are supporting this legislation, thinking that it could be a test case for broader nationwide legislation that would institute bans on buying and selling location data. We've seen similar laws proposed at the federal level, though none is anywhere close to being enacted to this point. But there's pretty broad opposition as well. There's a trade association that spoke in opposition at a recent joint hearing on this bill. A lawyer named Andrew Kingman, who is representing this trade association, the State Privacy and Security Coalition, said that while they support heightened protections for certain types of personal data, this law is just overbroad. They should look at some other states, including neighboring Connecticut, which passed a data privacy law but didn't go as far as having an outright ban on data brokers buying and selling this data. Rather, it gives consumers the ability to opt out of sale. So it's still providing consumers with a choice. If the consumer finds the data that these companies are collecting useful for their own purposes, then the consumer can consent to that type of collection.
But I think that certainly does not go far enough for some of these privacy and civil liberties advocates who see that not only are companies purchasing this data, but local police departments and federal agencies have also purchased location information and are using it for law enforcement purposes and that's kind of an end around of the Fourth Amendment that groups like the ACLU see as very dangerous.
Dave Bittner: Right. And this is a huge difference between an opt in and an opt out by default.
Ben Yelin: Oh, absolutely. I mean the opt out means that you have to be technologically savvy enough to take some action to opt out of it.
Dave Bittner: You can bet they'll hide it somewhere.
Ben Yelin: Oh, they'll hide it somewhere deep in the settings, yeah.
Dave Bittner: Exactly.
Ben Yelin: Your phones are going to get tired trying to find that page where you can opt out. Whereas an opt in, you know, that's really the reverse. It kind of goes back to a concept, ironically from a Massachusetts academic himself, Cass Sunstein, on the idea of a nudge, that it makes a huge difference what the default is. Because people are so unable or reluctant to take action to either opt in or opt out that whether the default is opt in or opt out ends up making a huge difference.
Dave Bittner: Yeah. Interesting that this has also caught the attention of abortion rights advocates. What's their interest here?
Ben Yelin: Yeah, so abortion rights advocates have argued persuasively that phone location data, particularly when it's available for sale, could lead to state governments in states where abortions have been either curtailed or prohibited entirely after the Dobbs decision last year, to track people traveling out of state seeking the procedure for the purpose of instituting or initiating prosecution. And that's certainly a valid concern for abortion rights advocates. I think the fact that this data is widely available, that it could be accessed without a warrant, that all it takes is a chunk of change to purchase the data, I think is particularly dangerous for individuals seeking to travel out of state to obtain abortions. And it's not just abortions that have raised particular privacy concerns, they also mention in this article digital stalking, national security threats, all those things can present themselves as problems when data is available for sale. So we have these kind of particular circumstances that have raised concerns for these groups and I think that's part of the impetus behind the push for this legislation.
Dave Bittner: Is it likely given the makeup of the Massachusetts legislature that this will move forward? What do you think?
Ben Yelin: Yes, I would have to say the prognosis is quite positive. The Massachusetts legislature is dominated by Democrats, there's like five Republicans in the entire Massachusetts state legislature. The current majority leader of the Massachusetts state senate is the sponsor of this piece of legislation. She testified for it at the hearing, so--
Dave Bittner: I see.
Ben Yelin: --you have a pretty powerful person aligned with this legislation. The governor is a Democrat as well, though that doesn't really matter since the legislature has veto proof majorities. But yeah, the prognosis I think for this legislation is quite positive.
Dave Bittner: Alright, well, we'll keep an eye on that one. An interesting development for sure. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast, you can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investments; your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer, Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.