The CyberWire Daily Podcast 7.28.23
Ep 1873 | 7.28.23

A new joint advisory from the US and Australia. BackConnect evolution. Cl0p counts coup. Ransomware trends. DDoS for influence. It’s “dot-mil,” Nigel.

Transcript

Dave Bittner: A joint warning on IDOR vulnerabilities. IcedID’s BackConnect protocol evolves over one year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023. Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, July 28th, 2023.

Joint warning on insecure direct object reference.

Dave Bittner: The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) have issued a joint advisory “to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.”

Dave Bittner: So what is an insecure direct object reference anyway? It’s not as difficult to understand as the forbidding name might make it appear to be. In fact, that forbidding name is actually more informative than most. IDOR is, basically, what can happen when a web application or an application programming interface uses an identifier that grants direct access to an object in an internal database, but which fails to check for some form of access control or authentication. Thus it’s basically a programming error that fails to protect access to some object.

Dave Bittner: The advisory explains, “These vulnerabilities are common and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information).”

Dave Bittner: Has this actually happened? Yes it has. The three agencies point to three instances in which IDOR vulnerabilities were used to facilitate data breaches:

Dave Bittner: In October 2021, a global data leak took place, exposing mobile phone data, including text messages, call records, photos, and geolocation from numerous devices. The leak resulted from insecure 'stalkerware' apps, which collected and transferred data from the phones to a foreign server infrastructure. This server had an IDOR vulnerability known as CVE-2022-0732, which facilitated the exposure of the collected app data.

Dave Bittner: In 2019, a data breach incident affected a U.S. Financial Services Sector organization, leading to the exposure of over 800 million personal financial files. The compromised information included bank statements, bank account numbers, and mortgage payment documents.

Dave Bittner: Additionally, in 2012, a malicious cyber actor successfully obtained the personal data of more than 100,000 mobile device owners from a U.S. Communications Sector organization's publicly accessible website.

IcedID’s BackConnect protocol evolves over one year. 

Dave Bittner: Team Cymru [KIM-ree] has released part 2 of their “Inside the IcedID BackConnect Protocol” series, in which they take a closer look into BackConnect (BC). BC is a protocol used to transmit IcedID infection. “IcedID (also known as BokBot) started life in early 2017 as a banking trojan that later evolved to include dropper malware capabilities. These capabilities enable IcedID to download and deploy additional malware like Cobalt Strike, with recent infections leading to Quantum ransomware,” Team Cymru writes.

Dave Bittner: The researchers explain, “The use of the BC protocol is of particular interest to us, and remains a priority for our overall tracking of IcedID. Analyzing activity related to BC infrastructure provides a strategic view into threat actor activity and interests, as it is a window into what occurs after a successful infection and the victim was deemed valuable for their use.” 

Dave Bittner: The threat’s evolving. The researchers at Team Cymru note that they have identified a possible connection between infected machines and a spamming campaign which represents “a potential double blow for victims, [as] not only are they compromised and incurring data / financial loss, but they are also further exploited for the purposes of spreading further IcedID campaigns.”

Cl0p claims to have accessed data from a third Big Four accounting firm.

Dave Bittner: Cl0p has posted data it claims to have hacked from Big Five accounting firm Deloitte, Cybernews and other outlets report. The gang says it exploited vulnerabilities in MOVEit to accomplish the data theft. It had earlier this month counted coup against PricewaterhouseCoopers (PWC) and Ernst & Young (EY). Deloitte acknowledged receiving Cl0p's attentions, but discounted the effect as negligible. A Deloitte spokesperson said, “Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact on client data.” So there’s probably less to the attack than Cl0p would have everyone think. Still, this kind of nonsense is an ongoing irritant.

Report: Ransomware victims increased by 66% from Q1 to Q2 2023. 

Dave Bittner: ReliaQuest has released a report on ransomware trends for the second quarter (Q2) of 2023. The company’s study concludes that victim counts for Q2 have skyrocketed. They write, “In the second quarter of 2023, close to 1,400 organizations were named on ransomware and data-extortion websites. This marked a substantial increase (66%) from Q1 2023, which saw close to 850 affected organizations. What makes this increase even more impressive is that Q1 2023 had set the record for the most victims we ever recorded, but Q2 2023 shattered that record with 500 more. The number of organizations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations.”

Dave Bittner: ReliaQuest finds that Cl0p’s MOVEit campaign was the most impactful of the campaigns in Q2, but also they note that it’s technically an extortion campaign as opposed to a ransomware effort strictly speaking. Cl0p has yet to encrypt the files they’re taking. If a double extortion campaign is one that both encrypts and steals data (with the threat of doxing), then Cl0p simply moves to stage two, skipping the encryption stage.

Dave Bittner: The cybercriminals with the highest victim count belong to LockBit, with close to 250 organizations being named in their ransom requests. The US continues to be the main target for cybercrime campaigns, with the UK, Germany, Canada, and France trailing by large margins. The sectors most heavily hit were science and technology (20.2%), manufacturing (19.6), and finance and insurance (10.5%). 

Cyberattacks support influence operations.

Dave Bittner: Anonymous Sudan (a front for Russian intelligence services) has claimed responsibility for a cyberattack against Kenya's eCitizen portal. The East African reports that Kenya's ICT minister acknowledged an attack on the system, a place where Kenyans access government services online, but said that no data had been lost. The government was working to secure eCitizen and restore it to full operation. TechCabal has an account of the extent of the disruptions, which it characterizes as distributed denial-of-service (DDoS) attacks. The outlet also quotes the rationale Anonymous Sudan offered for the campaign: Kenya has “released statements doubting the sovereignty of [the Sudanese] government.” Here's a more likely explanation: Kenya's President William Ruto declined to attend the Russo-African summit, and gave as his reason the impropriety of appearing to support one side in Russia's war.

That’s Mali, not mil.

Dave Bittner: And finally, we’re not going to point fingers or cast stones here, because, y’know, that’s not our place, but gosh darnit, it’s dot mil, not dot em-ell. Dot mil is the top-level domain for the US military. Dot em-ell is the top-level domain for Mali. 

Dave Bittner: So it’s like this. The Times of London harrumphed that “Ministry of Defence officials” in the United Kingdom “accidentally sent emails containing classified information to Mali, an African country with close links to the Kremlin, because of a typing error.” That is, they typed dot em-ell in the address, and off they went.

Dave Bittner: His Majesty’s Ministry of Defence harrumphed back, “This report misleadingly claims state secrets were sent to Mali's email domain. We assess fewer than 20 routine emails were sent to an incorrect domain & are confident there was no breach of operational security or disclosure of technical data.” We say “harrumphed” but actually, literally, they tweeted it, or exed it, or whatever we’re supposed to be calling transmissions over the House of Musk’s social platform nowadays. 

Dave Bittner: Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented sadly about the incident, “Human error contributes to most cyber incidents, and this is no exception. It is a stark reminder of how technical controls can't prevent all scenarios and security awareness and training is also a vital component in keeping organizations safe. With this kind of issue, it's also difficult to correctly ascertain whether an action was a mistake or deliberately malicious. Which is why creating a culture of security is so important, which constantly reinforces positive security behaviors not just for individuals but for the entire organization.”

Dave Bittner: We’ll add a lesson we all tried to learn in grade school: spelling counts, kids. 

Dave Bittner: Anyhoo, the MoD explained further, “An investigation is ongoing. Emails of this kind are not classified at secret or above.” This should be, insofar as the causes of the incident are concerned, the world’s shortest investigation. Here, we’ll do it for you, ally to ally. Finding: Someone fat-fingered their keyboard. Recommendation: Gadzooks, pay attention to your typing. Hit our tip jar and call it a day, MoD. 

Dave Bittner: POLITICO’s headline points out, sternly, that Mali is a “Russian ally.” So OK, Mali isn’t an ally of Russia like the US is an ally of the UK. Think of the countries as just casually seeing each other, not actually dating, still less going steady. 

Dave Bittner: Maybe it’s the odd place names. Mali has these in common with America, after all. Mali has Timbuktu, America has Kalamazoo. (Also Show-Low, Rabbit Hash, Skaggsville, Hohokus, Truth or Consequences, and Intercourse, to name just a few.) 

Dave Bittner: Full disclosure: our editorial staff confesses to misspelling “Mali” as “Mail” no less than four times in the course of preparing this script. Hey, staff writers: spelling counts.

Dave Bittner: Coming up after the break, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. Stay with us.

Dave Bittner: Anne Neuberger is Deputy National Security Advisor for Cyber and Emerging Technology. She joins us today to share information about several programs that have been coming out of the Biden White House. Deputy Neuberger, I'd like to start today by talking about the announcement that you all released recently. This has to do with labeling for consumer IOT devices. What do we need to know about this?

Anne Neuberger: We're trying to get at a really core hard problem in cybersecurity, which is, we need companies to build more secure products -- secure by design. We know Americans are really concerned about the security of products that they're bringing into their homes and offices. How do we link the two? So we're linking the two by having a US government cyber-Trustmark (a label) that consumers can start looking for on a device. Think about smart meters. Think about smart microwaves, smart climate control systems. If the companies producing that met a specific cybersecurity standard for the security of the product, for the ongoing updates and maintenance of that product, it will earn the right to bear that label. So essentially what we're trying to do is give Americans that peace of mind when they're shopping to say, if you see that label, you know that product is secure and it meets a government cybersecurity standard.

Dave Bittner: I've heard people describe it as a sort of energy star label for cyber.

Anne Neuberger: That's exactly the goal. So when you and I are shopping for a particular device, you know, we don't -- I'll speak for myself -- I don't necessarily know what make the details of why it's energy efficient, but I know when I see that energy star label on it that it is. And we have the same goal. Americans don't need to understand the detail of the, unless they really want to of why a specific smart TV is cybersecure, but they need the peace of mind that there is a secure option available for them when they're shopping online or in stores and when they're then bringing that product into their homes.

Dave Bittner: Now, my understanding is, at this point, the program is voluntary, but you have quite a number of organizations who've signed up to support this.

Anne Neuberger: It is indeed voluntary. Manufacturers and retailers were excited about it. So we had companies like Amazon, Best Buy, Google, LG Electronics, Logitech, and Samsung, all announcing support for the program, that they would be working to apply it to products meeting the established cybersecurity criteria. And, in fact, a part of the rollout included a showcase, where those companies brought the products they will be submitting to review and assessment to see if they meet the cybersecurity standard which MISA's created.

Dave Bittner: And when do you suppose we might see some of these labels on products?

Anne Neuberger: So the FCC, which will be running the program, has a very specific set of steps it needs to roll out. So they'll be rolling out something called a notice for rulemakings to get input from various stakeholders of, for example, how should we be testing these products against the standard that MISA's created? There's always this balance between how rigorous the testing is and the fact that we want to get many products to have this label, many products ready to be more secure. So they'll be taking input from the public, from stakeholders, about how to test products against the standard. They'll get that input in, based upon that, they will set those details of the program and finalize several final legal steps. Our goal is that, in 2024, there will be products on the shelf with this mark.

Dave Bittner: President Biden also recently reached out to a number of the big players in the artificial intelligence community and asked for a meeting to discuss commitments for them for safety for American citizens and, indeed, folks all around the world. What was that process like, and where do we stand coming out of that?

Anne Neuberger: Great questions. So the White House brought together seven leading AI companies last week following up on a meeting the president and vice president hosted here at the White House, where he assembles these companies and said, you have an obligation, you have a responsibility, to improve the trust and safety of your products, to ensure that they're safe before introducing them to the public. And then to ensure that the systems themselves are secure, by, for example, safeguarding the models against cyber and insider threats, and sharing best practices among the industry of that. And, finally, companies, you have the obligation to really earn Americans' trust, making it easier for users to tell if the video or the voice content is in its original form or it's been altered by AI. So those are the set of commitments that companies came together to make at the White House last week.

Dave Bittner: Again, similar to the labeling announcement, these are voluntary commitments. So the White House sees that as being a good first step here?

Anne Neuberger: The words you used are exactly right, Dave, these are a first step. In parallel, the government is working on an executive order that will, frankly, ensure that we're doing everything in our power to advance safe, secure, and trustworthy AI that manages risk and also ensures that we're leading the way in using AI where it does bring benefits to our societies, to our economy. So it's a bridge to that executive order and it's also a bridge to, as you know, the work Congress is doing led by Leader Shuler to put in place regulations on exactly these same issues, on trust and safety, on countering bias, on managing the risk to individuals and to our society.

Dave Bittner: Well, it's certainly been a busy few weeks out of the Biden White House here with the National Cybersecurity Strategy, the labeling announcement, and this AI commitment announcement. I understand you have something coming up as we come into the back-to-school season.

Anne Neuberger: Yeah. So first, we're trying to move at the pace of tech, Dave. So one of the areas, you know, that keeps me up at night, frankly, is the rise in ransomware attacks we've been seeing against schools and we've been seeing against hospitals. And the ransomware attacks we see against schools, both are disruptive. You know, last year around Labor Day, shout out a thanks to the FBI, who rapidly deployed a team to LA, because there was a ransomware attack against the school district. The superintendent, you know, reached out and was really concerned that the school might not be able to open right after Labor Day because of that. And it was just rapid efforts by the FBI, by LA, the school district, to recover, and they were indeed able to open. We've seen that ongoing throughout the year, not only the disruption but also the theft of sensitive data about students that's then released on the deep web. So we'll be having an event here at the White House the first week of August, bringing together school superintendents, bringing together teachers, bringing together key companies that produce texts for schools. A sector of education will be here, sector of Homeland Security key leaders, CISA, FBI, to announce to both discuss the problem set, announce a specific set of resources from various entities across US government to help schools, to really get schools ready not only for this year's school opening but for a set of resources to support them over the coming months, to improve the cybersecurity of schools, to really push back against the ransomware threat we're seeing.

Dave Bittner: Anne Neuberger is Deputy National Security Advisor for Cyber and Emerging Technologies. Deputy Neuberger, thanks so much for joining us.

Dave Bittner: And joining me once again is Eric Goldstein. He is Executive Assistant Director at CISA. Eric, it is always great to welcome you back to the show. You know, one of the challenges that I think organizations face is measuring success. And I really wanted to touch base with you today about where we stand and where you think we're going when it comes to some of these cybersecurity performance goals.

Eric Goldstein: Thanks so much, Dave. It is wonderful to be back on with you. And it's really been an exciting few months for the Cybersecurity Performance Goals. You know, if we just pull back a few months to March of this year, we published the first version of the performance goals based upon a really clear message from the cybersecurity community, from owners and operators across sectors, which is, there is so much that we can do in cybersecurity. There are so many standards, guidance documents, best practices. Where do we start? And so the performance goals are intended to be a helpful answer to that question, at least a starting point to say, if I'm a small or medium organization, if I'm an under-resourced utility, for example, how do I prioritize my investment based upon impact, complexity, and cost? And so over the past few months, we've been marketing and we've been doing assessments based upon these performance goals across sectors. And now going forward, we're really focusing on doing these sector-specific performance goals, with nuances per sector, and then rolling out additional tools that make it easier for organizations to actually use the performance goals to assess gaps in their programs and figure out where to go next.

Dave Bittner: Can you give us some ideas of things you all have learned along the way?

Eric Goldstein: Absolutely. The first thing we've learned is that, right now, there are 38 performance goals. That felt to us when we built this like a reasonable number, but it turns out for many organizations, that's actually still too many. And so one of the things that we're excited to be working on now is a tool that we're going to roll out in the months to come that's going to walk organizations through their performance goals in a really user-friendly, easy-to-use way. And then say, based upon your maturity, based upon what you've done so far, here are the few investments that you might want to make next, and here are some resources from CISA, from other government partners, and from the private sector, that can help you get there. And really think, you know, if you're a local school district, if you're a small hospital, if you're a water utility, you might only be able to invest in two, three, four cybersecurity initiatives this quarter or even year. Where do you go with those limited resources to have the most impact on your security and resilience?

Dave Bittner: And what are you hearing back from the folks who are looking at these goals? I mean, my notion -- or my understanding, rather, is that, you know, CISA's approach to this is to be very collaborative, that this isn't, you know, the big bad government agency coming down on high and telling folks what they have to do.

Eric Goldstein: That's exactly right. You know, we released the first iteration of these goals in December of last year. We then got feedback from dozens of partners around the country on our GitHub page, which is still open for comment and feedback. We then released the next iteration in March. And we're still going out there soliciting feedback both on our GitHub page, as well as every time we have a discussion with a partner or do an assessment using our performance goal tool, part of that goal is to say, how are these working for you? Are these really helping you direct your investment towards the right place to reduce the most risk? And so we intend to keep rolling out new versions of these cross-sector performance goals even as we simultaneously work on sector-specific goals for those critical sectors that have unique risk environments or uses of technology where some more nuanced goals might be applicable.

Dave Bittner: And how do you and your colleagues there at CISA measure success when it comes to the implementation of these goals?

Eric Goldstein: That is such a good question. You know, there are really two ways to measure success. The first is just organizations who we know are using the performance goals. So, for example, we track the number of entities that have downloaded and used our free assessment tool. We track the number of assessments that our regional team members are delivering across the country. But we also know that adoption doesn't equal security. And so we are working both with our data visibility through, for example, our Attack Surface Management program, as well as with third-parties in the cybersecurity community to really figure out across every performance goal, what is the data that's available nationally on an anonymized, aggregate level to actually show change, to actually show, well, is the country getting better, for example, at mitigating known exploited vulnerabilities? Is the country getting better at adopting multifactor authentication for published accounts? That's data that even if we don't have it organically here at CISA, it's data that exists. And so we're developing these dashboards and way of tracking performance goal adoption nationally and across sectors so that we can actually show not just use of the performance goals but actual security change and whether or not that change is due to us evangelizing the performance goals. It doesn't matter because we're achieving the right security outcomes that we've accomplished as a country.

Dave Bittner: All right. Well, Eric Goldstein is Executive Assistant Director at CISA. Eric, thank you so much for joining us.

Eric Goldstein: Thanks so much, Dave. Always a pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday for my conversation with Ashlee Benge, from ReversingLabs. We're discussing "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.