2022’s top exploited vulnerabilities are still a risk. Rilide in the wild. Abusing a legitimate tool. Malicious PyPI packages. A brief update on the cyber aspects of Russia’s hybrid war.
Dave Bittner: The Five Eyes warn against top exploited vulnerabilities. The Rilide info stealer in the wild. Malicious PyPI packages. Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission’s recently announced cyber regulations. In our Solutions Spotlight: our own Simone Petrella speaks with Microsoft’s Ann Johnson on how Microsoft is attracting and retaining top cyber talent. And cyber attacks continue to gutter on both sides of Russia's war against Ukraine.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, August 4th, 2023.
Five Eyes warning against top exploited vulnerabilities.
Dave Bittner: Yesterday intelligence services from the Five Eyes alliance came together to issue a comprehensive Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities, aimed at highlighting the most critical vulnerabilities that had been consistently targeted and exploited by cyber attackers throughout the year. We highlight just a few, here.
Dave Bittner: At the top of the list was the Fortinet SSL VPN Vulnerability. This vulnerability had been a persistent target since 2020, underscoring the tendency of some organizations to lag behind in applying necessary patches and updates.
Dave Bittner: ProxyShell vulnerabilities in Microsoft Exchange email servers ranked high on the hackers' leaderboard. These vulnerabilities, when exploited together, allowed remote code execution, making them an attractive target for cybercriminals.
Dave Bittner: Another noteworthy entry was the Zoho ManageEngine ADSelfService Plus vulnerability, enabling unauthenticated remote code execution. The advisory highlighted its connection to an outdated third-party dependency, emphasizing the importance of up-to-date software practices.
Dave Bittner: The widely-used Atlassian Confluence Server and Data Center also made the list due to its susceptibility to unauthenticated arbitrary code execution. Governments and private companies relying on this web-based collaboration tool became potential targets.
Dave Bittner: One of the most infamous entries was the Log4Shell Vulnerability, which impacted Apache's Log4j library used in numerous products worldwide. The ability to execute arbitrary code and gain full system control made this vulnerability particularly enticing to malicious actors.
Dave Bittner: As the list demonstrated how several of these vulnerabilities continued to be exploited despite patches being available, the CSA emphasized the critical importance of promptly applying updates per vendor instructions to bolster cybersecurity defenses and protect organizations from potential threats.
Dave Bittner: It’s worth noting how many of the vulnerabilities continued to be exploited after patches were available. It suggests the effect that slow patching can have on an organization. As CISA so often says, “Apply updates per vendor instructions,” and, we might add, sooner rather than later.
Rilide info stealer in the wild.
Dave Bittner: Trustwave’s SpiderLabs describes a new version of the Rilide Stealer extension that’s targeting Chromium-based browsers. The researchers note that the malware “uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.” Compared to earlier versions of Rilide, this variant “exhibits a higher level of sophistication through modular design, code obfuscation, adaptation to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures.”
Abuse of a legitimate tool.
Dave Bittner: Guidepoint Security outlines how the legitimate tool Cloudflare Tunnel (also known as “Cloudflared”) is being abused by threat actors. GuidePoint writes, “[Cloudflared] allows a TA to configure an environment in advance of an attack, then execute a single command from a victim machine to establish a foothold and conduct further operations. Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the TA can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection. Once the tunnel is established, Cloudflared obtains the configuration and keeps it in the running process.”
Malicious PyPI packages.
Dave Bittner: Researchers at ReversingLabs discovered twenty-four malicious packages in the Python Package Index (PyPI) open-source repository. The packages imitated three popular Python packages: “vConnector, a wrapper module for pyVmomi VMware vSphere bindings; as well as eth-tester, a collection of tools for testing ethereum based applications; and databases, a tool that gives asyncro support for a range of databases.”
Dave Bittner: The campaign began in late July, and the attackers keep posting new malicious packages daily as the older ones are removed: “In contrast to other, recent supply chain campaigns, such as Operation Brainleeches, the malicious packages that make up this campaign display evidence of a concerted effort to deceive developers. They achieve this by implementing the entire functionality of the modules they are imitating and standing up corresponding and linked GitHub projects that omit the malicious functionality found in the PyPI release package.”
Cyber attacks continue to gutter on both sides of Russia's war against Ukraine.
Dave Bittner: And, finally, a quick note on Russia’s hybrid war against Ukraine. Cyber action has recently been characterized by Russian cyberespionage, described by Microsoft (which, we note, is a CyberWire partner). That action, which used Microsoft Teams in phishing campaigns, is the most prominent of recent cyber operations, but there have been others. The Times of London describes ongoing disruption of Russian online services by Ukrainian hacktivist auxiliaries. This has been, as wartime hacktivism has tended to be, nuisance-level activity. For now, at least at the tactical level, both sides have been paying more attention to traditional electronic warfare, especially to jamming and target location.
Dave Bittner: Coming up after the break, Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission's recently announced cyber regulations. In our Solutions Spotlight, our own Simone Petrella speaks with Microsoft's Ann Johnson about how Microsoft is attracting and retaining top cyber talent. Stay with us.
Dave Bittner: The U.S. Securities and Exchange Commission recently grabbed headlines with new cybersecurity requirements for public companies. In particular, a requirement that cyber incidents be reported within four days of a determination of material impact has drawn a lot of attention. Valerie Abend is Global Cyber Strategy Lead at Accenture, and I reached out to her for insights on the SEC's regulations, starting with the four-day requirement.
Valerie Abend: It's not about four days of having an incident; the requirement is that you have a reasonably practical timeframe for determining whether or not an incident is material or not and you have a pretty good process end to do that which we should dig into. But it's really once you determine that something is material, you have four days to report it.
Dave Bittner: And has the SEC indicated that they'll be having scrutiny over this, so after an event to go in and say, was the pathway towards the determination that this was material, was that reasonable and timely?
Valerie Abend: So, you've hit it spot on, Dave. This is the thing, when you have an incident, that's when all these things become challenging, right? The final rule from a regulator is not going to give you the example of what best practice looks like. It's not going to tell you exactly how your process should go. The problem will come when you have an incident and maybe you didn't think it was material and they come in and they realize it was material and the reporting didn't happen and you didn't have a really good process and the SEC says, "Show me all the documentation." Show me how you made that decision. Show me who was involved. How did you practice that so that you had a good process that you evolved over time based on the risk of your company and the threats it's facing, and that will be the challenge, is, you know, a lot of folks who don't go through that process before they have an incident will be caught flat-footed.
Dave Bittner: I know another concern that's been voiced is this notion that organizations may have to reveal too much information, that in the process--in the timeliness of revealing that the incident has occurred, that that could be an opportunity for other attackers to take advantage of that intelligence.
Valerie Abend: So, the SEC made some pretty significant changes between the proposed rule and what they ultimately voted out to be the final regulation. And one of the things that they changed, which I think was really, you know, smart, was how much information? How much detail in this public filing you have to include about what was attacked; are you still vulnerable, so that you don't provide a roadmap, right, to the bad guys about what they should continue to attack you on or even attack others on. So, they did narrow what you have to disclose in the face of an incident and I think that was really smart, and they got a lot of comment from, you know, public companies and, you know, from the industry about that exact thing; how do we do the right thing to provide shareholder transparency, but how do we also manage the risk of further exposure to that company or any other companies.
Dave Bittner: So, what are your recommendations then for folks who are in leadership positions at a public company, a CISO, maybe a board member, with these new rules, what sort of things should they be concerned with?
Valerie Abend: So, I think there are a few challenges. The first thing I would always say on this one is, because they did soften, you know, various provisions between what they had originally proposed versus what they voted as final; the first thing I say is, I think a lot of folks are going to sort of let their foot off the gas and I don't think that's a great plan. As we talked about earlier, when you have an incident, that's when you're going to get caught with, like, "Oh, we didn't really have well-defined processes as we thought we did." And that's not just on the incident materiality part, that's also on the sort of two other big areas of the regulation, one of which is just your ongoing day-to-day cyber risk management processes. So, in the rule you have to disclose every year about how you're managing cyber risk. That's really smart. It doesn't require too much detail, but you know if you have an incident and in that you don't really have all your details really worked out and the SEC comes to do an investigation, that's going to be a challenge. And so, having a very strong cyber risk management framework with policies or procedures and clear ability to actually quantifiably describe what are your higher risks in the context of your specific business and how you're not just maturing your information security function, but actually holding all members of the C-suite accountable for their specific role in managing cyber risks. To me, that's going to be, you know, I think a big area that a lot of companies need to focus on. And, if I were a CISO, I would partner with my CEO to see how we can do that, particularly working with this management committee that's described in the rule, so in the rule they actually tell the board that their job is to oversee this cyber risk management committee or an executive risk management committee that's handling cyber. And so, I would--if I were a CISO I would partner with the CEO and with the board to really strengthen that management committee, all the members of that committee; make sure it's clear what their responsibilities are and have it very well-documented and practiced.
Dave Bittner: Yeah, in terms of broader trends of what this indicates in terms of, like, a trajectory that the SEC is indicating here, any thoughts on where we're heading with cybersecurity and public companies?
Valerie Abend: I think that what we're seeing is an increasingly complex regulatory landscape. As a matter of fact, the White House just released a request for information around regulatory harmonization and with an eye not just on what's happening in the United States, but internationally as well. And we have very different approaches in the United States versus Europe versus, you know, Asia-Pacific and other parts of the world in how we regulate generally, but specifically in cybersecurity. And that is a challenge. I think that's what--that's the reality. I don't see it changing. And so, as we look at not just the SEC, but what other regulators are doing, so for example, CISA has, you know, a requirement for critical infrastructure to report; CISA also is able to share that information with other agencies; are they going to give a heads up to the SEC even before you do if you're experiencing an incident and have already reported that to CISA? So, I think that there are various issues around regulatory complexity that a lot of [inaudible] held companies need to consider going forward.
Dave Bittner: Valerie Abend is Global Cyber Strategy Lead at Accenture. You can hear an extended version of this conversation on the "Caveat" podcast. Do check it out.
Dave Bittner: In an occasional segment that we call "Solutions Spotlight," our own Simone Petrella speaks with Microsoft's Ann Johnson about how Microsoft is attracting and retaining top cyber talent.
Simone Petrella: Hello everybody. Today, I am joined by Ann Johnson, Corporate Vice-President from Microsoft. Microsoft has been leading the charge on talent and workforce development for years. In fact, Microsoft launched an initiative in 2021 to partner with community colleges, given their broad reach, to expand the cyber workforce by providing curriculum, training faculty, and providing scholarships. And the following year, expanded in support of building the cyber workforce globally as well, helping people in places like Colombia and India acquire cybersecurity and digital skills for in-demand jobs. Ann, thanks for joining us. How is that going almost two years later?
Ann Johnson: You know, it's just fantastic. Look, there's not enough cybersecurity professionals globally to protect public and private infrastructure. We're certainly not training or certifying enough cybersecurity students to close the gap, and we recognize that no one has a higher responsibility to address, you know, cybersecurity threats and emerging threats than tech companies. So, as you mentioned, around the world we've partnered with educational institutions, nonprofits, governments, and physicists to develop local cybersecurity skilling that meets the unique piece of their market. Also, we want to anchor that data of where the gaps are in cyber in each region of the world and each country, so our Cybersecurity Skills Initiative is now in 28 countries. To date, we've trained more than 400,000 professionals through a variety of channels including our Microsoft Learn channel, and people at Microsoft Learn can earn valuable security training certificates. We've trained through LinkedIn Learning courses, including systems administration, network security, and more for the courses, and we are partnering with global educational institutions and nonprofits throughout the world for even greater impact. I want to give one example: In India, our Cyber Shikshaa program is working to close the gender gap in the cybersecurity field. Since its inception, it's trained 1250 women and employed more than 800 women. So, tremendous impact through the programs, with the India program just being one highlight.
Simone Petrella: That's incredible. I think one thing that really has always stuck out to me is that, you know, in our current way just in the U.S. alone, for every two cyber jobs that are filled, one's sitting empty today, and Rick Howard and I were talking about this and kind of equated it to: it's the equivalent of sending a team out into the baseball World Series with six players instead of nine. And I thought that analogy was particularly interesting because we talk a lot around here about this concept of Moneyball, and the idea that organizations and employers aren't often looking at their talent through that team-based lens. Meaning, I'm curious, when you think about those different roles, those career paths, and what's happening even within the Microsoft ecosystem, how do you all think about team skills and what's ultimately needed as a team to execute on your security strategy, whether that's zero trust or intrusion kill chain prevention, resilience, you name it?
Ann Johnson: Yeah, I think it's really important to think about all those as different career paths, right? And to think about the fact that when we have an event or something that happens internally, it's not just the cyber technical professionals that are joining the event. It's the cyber lawyers. It's folks that have finance backgrounds. It's folks that have communications backgrounds. It's folks that have partnership or business development backgrounds. And it takes all of that to solve any one problem. So, you need those deep technical experts, but you also need people to understand the business of cybersecurity. All of those roles are equally important in both solving the talent gap, but also in solving the problems that are inherent to the cyber industry.
Simone Petrella: Yeah, absolutely. And so, it goes with, you know, the saying "The other side of the coin" here is what are some of the challenges that you see in these initiatives and across others that are pervasive in the industry when it comes to us making a statistically significant gap in this talent shortage?
Ann Johnson: Look, demand, you know, if you think about, you know, the tech industry right now and there's, as we record this, obviously there's been a lot of layoffs the first half of the year, but cyber talent remains in high demand. The studies tell us that by 2025 there's going to be 3-and-a-half million open cybersecurity jobs globally. That represents a 350% increase over the past 8 years, and demand for these jobs has driven by an average of 35% this year alone. There's a whole lot of demand out there and not enough people that are qualified to fill it. The second thing is, there's this lack of diversity, right? In the U.S., cybersecurity careers are still majority White, a majority male. We need to build a cybersecurity workforce that's larger, and expanding the diversity and inclusivity of the industry is one way to go, because at the end of the day, you want your teams to be as diverse as the problems you have to solve, but also there's this really pragmatic approach that says, "If we don't actually recruit more types of people into the industry, we're never going to solve the talent shortage." That requires a tremendous amount of intentionality in whatever programs we design, and we have to create more inclusive and supporting learning environments. We have to think about the language of cybersecurity; it's incredibly important. And we have to help people when they do get onboard to help them feel included so that we have cohorts, or that look like, you know, people want to see representation. The cohorts they work in need to look like them and sound like them.
Simone Petrella: Yeah, and I think that the word you used there is so appropriate. It's "intentionality." How do we have intentionality about the things that we're doing so that we can actually achieve those kinds of ultimate business goals? I think sometimes those sometimes get conflated, because we're just trying to hit the numbers without thinking about the actual kind of effects on overall resilience or how we can increase diversity and representation.
Ann Johnson: That's absolutely correct, and if we are not intentional about increasing representation, we're never going to fill the talent gap.
Simone Petrella: Yeah. Well, Ann, thank you so much. I appreciate you taking the time to be with us today. Is there anything else that you want to cover that I didn't necessarily ask?
Ann Johnson: Security is a team sport. So, as much as Microsoft is working on these initiatives, and we have a lot of them that are people- and talent-related, so are our industry peers, and I would encourage our peers and us to continue the work of being very intentional in how we think about training, recruiting, and retaining cybersecurity talent across a broad breadth of, you know, folks with different backgrounds, and if we do that together we have hope of actually resolving all the talent shortage.
Simone Petrella: Very well said. Thank you, Ann, appreciate your time as always and hope to talk to you again soon.
Ann Johnson: Thank you so much for having me on.
Dave Bittner: That's Microsoft's Ann Johnson speaking with N2K's Simone Petrella.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Aleksandar Milenkoski from SentinelOne. We're discussing their work "Kimsuky Strikes Again: New social engineering campaign aims to steal credentials and gather strategic intelligence." That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.