Advice on security, from Washington, DC and Washington State. The Predator Files have bad news on privacy. Notes on the hybrid war. And LoveGPT is not your soulmate.
Tré Hester: NSA and CISA release a list of the ten most common misconfigurations along with Identity and access management guidelines. The Predator Files. Cyber cooperation between Russia and North Korea. Hacktivist auxiliaries hit Australia. Hacktivists and hacktivist auxiliaries scorn the application of international humanitarian law. The direction of Russian cyber operations. Dave Bittner speaks with Andrea Little Limbago from Interos to talk about geopolitics, cyber and the C-suite. Rick Howard talks with John Hultquist, Chief Analyst at Mandiant, at the mWISE 2023 Cybersecurity Conference about cyber threat intelligence. And, finally, adventures in catphishing: “LoveGPT.”
Tré Hester: I’m Tré Hester filling in for Dave Bittner with your CyberWire intel briefing for Friday, October 6th, 2023.
Tré Hester: We begin with some advice for organizations on staying secure. Some of it's from Washington, and some of it's from Redmond.
NSA and CISA release a list of the ten most common misconfigurations.
Tré Hester: First, the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released a list of the ten most common and troublesome misconfigurations as gleaned from NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams. The report points to “default configurations of software and applications, improper separation of user/administrator privilege, and Insufficient internal network monitoring” as key areas of concern, among other common security failures. The report includes an extensive account of the consequences of each misconfiguration, and also guidance on how to configure systems so as to avoid them. Head over to cisa.gov to read it in full.
Identity and access management guidelines from CISA and NSA.
Tré Hester: And the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have also released guidance on addressing challenges related to identity and access management, Nextgov reports. The guidance focuses on “technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.”
Tré Hester: The agencies offer the following recommendations for organizations to address the tradeoff between SSO functionality and complexity:
“Research into the development of a secure-by-default, easy to use, SSO system to address these gaps in the market. For example: Relying Party vendors could provide security configuration recommendations and their impact. Additionally, management of lifetime tokens such as ID token, Access Token, and Refresh Token should come with a reasonable secure default value which prevents abuse scenarios.
“IAM Vendors can aid in the detection of insecure implementations of identity federation protocols and work with the ecosystem to build awareness around these issues as well as improve the adoption of more secure uses of standards.”
Microsoft on resiliency.
Tré Hester: Microsoft has published its Digital Defense Report for 2023, finding that following basic security hygiene practices, such as implementing multifactor authentication, can prevent 99 percent of attacks. The report notes, “A threat- and risk-free environment is defined as an environment protected by proactive measures—through tools and technologies—to prevent ransomware. These include malware detection, endpoint detection and response, vulnerability management, security operations center enablement, the enforced blocking of unhealthy devices, and brute-force protection for operating systems.”
Tré Hester: The researchers also found that human-operated ransomware attacks have increased by 200% since September 2022, and between 80 and 90% of these attacks originate from unmanaged devices. Lockbit was the most common human-operated ransomware strain in 2023. The report adds, “Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks.”
Tré Hester: In full disclosure, we note that Microsoft is a CyberWire partner.
The Predator Files.
Tré Hester: NSO Group's Pegasus intercept tool has attracted the most public attention, but one of its competitors in the spyware market, Predator, may have seen even wider and potentially more disturbing distribution. The EIC (European Investigative Collaborations, a journalistic consortium) reports that "European companies have been funding and selling cyber-surveillance tools to dictators for more than a decade with the passive complicity of many European governments. The preliminary peak of surveillance excesses was most recently reached by the Intellexa Alliance - an association of several European companies through which Predator software was supplied to authoritarian states. Activists, journalists and academics have been targeted, as have European and U.S. officials."
Cyber cooperation between Russia and North Korea.
Tré Hester: Cyfirma looks at the recent closeness between Moscow and Pyongyang and sees the potential for cooperation in offensive cyber operations. Such cooperation is easy and requires little coordination--Russia and North Korea share a common set of animosities, and both are already engaged against countries that are broadly hostile to the two regimes. The new friendship between the two countries hasn't, however, so far inhibited North Korean attempts to collect against Russian targets. Microsoft reports that "Despite the recent meeting between Putin and Kim Jong-Un, North Korea is targeting Russia, especially for nuclear energy, defense, and government policy intelligence collection."
Foreign Affairs calls the connection between Russia and North Korea part of the “axis of the sanctioned,” and they’re not wrong. It’s about common outlawry, which is really the only common ground here.
Hacktivist auxiliaries hit Australia.
Tré Hester: Australia's Department of Home Affairs was subjected to roughly five hours of distributed denial-of-service (DDoS) attack by what most news reports characterize as a "pro-Russian hacker group." Cyberdaily.au attributes the action to Noname057(16). The hacktivist auxiliary explained its purpose as retaliation for Australia's decision to send Slinger anti-drone technology to Ukraine. A post in Noname's Telegram channel said, “A state from the distant mainland of Australia decided to keep up with the global Russophobic trend and announced the transfer of the Slinger ‘drone killer system’ to Kyiv. It’s a shame (not really) that Australia doesn’t have systems in place to track our DDoS attacks! We remind the Australian authorities that it is necessary to solve the problems of their citizens first, and sucking up to Ukrainian neo-Nazis will only lead to an increase in the number of cyber attacks.” The affected sites have now returned to normal operation.
Hacktivists and hacktivist auxiliaries scorn the application of international humanitarian law.
Tré Hester: An essay published by two officials of the International Committee of the Red Cross in which they outline the extension of international humanitarian law (and the laws of war) to cyberspace has been rejected contemptuously by hacktivists on both sides of Russia's war against Ukraine, according to the Record. Their reasoning, whatever their commitment, is essentially the same: they apply the realist maxim inter arma silent leges, that is, there are no legal restrictions on war. The rejection was especially sharp from Ukrainian hacktivist groups and Belarusian dissidents. (And there's also some inconsistency there--the rejection of rules of war accompanies denunciation of the Russian Red Cross for its alleged complicity in war crimes.)
The direction of Russian cyber operations.
Tré Hester: Microsoft has published an overview of the ways in which espionage is shaping the current state of cyber threats, concentrating on the activities of China, Russia, North Korea, and Iran. Of Russia, the report says, "Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts." Insofar as classical espionage is concerned, the Russian services are most interested in the UK, the US, and Poland, looking for insight into the direction of policy with respect to the war against Ukraine, and, tellingly, the progress of war crimes investigations.
Tré Hester: Influence operations seem increasingly coordinated with operations on the ground, and Russia is devoting a great deal of attention to the Ukrainian diaspora, seeking "to intimidate global Ukrainian communities and sow mistrust between war refugees and host communities in a range of countries, especially Poland and the Baltic states." And again, in full disclosure, we note that Microsoft is a CyberWire Partner.
Adventures in catphishing: “LoveGPT.”
Tré Hester: And finally, avast there, lovelorn–the heart wants what the heart wants, but come on, be careful.
Tré Hester: Avast has discovered a romance scam that’s using a tool the researchers are calling “LoveGPT,” which “provides vast functionality over several different dating platforms, providing the capability to create fake accounts, interact with victims, bypass CAPTCHA, anonymize the access using proxies and browser anonymization tools, and more.” The threat actor behind the campaign is also using ChatGPT to craft more convincing messages.
Tré Hester: LoveGPT’s developer appears to be based in Vietnam, and has been working on different versions of the tool for at least a decade. The developer added ChatGPT functionality to the tool earlier this year. The primary goal of the tool is “to create fake profiles on several dating platforms and to store/scrape data from the interactions with the platforms’ users, including their profile pictures, profile body texts, dates of communication, etc.”
Tré Hester: So sure, find love online–some of us around here have–but make sure it stands up IRL. You can do better than an imaginary friend. Really–you can do it.
Tré Hester: And what better time to do it than a long weekend? The suits have given us Monday off, because it’s the US Federal holiday of Columbus Day, also Indigenous Peoples' Day. If you’re as lucky as we are, enjoy the long weekend. In any case, we’ll be back as usual on Tuesday.
Tré Hester: Coming up after the break, Dave Bittner speaks with Andrea Little Limbago from Interos to talk about geopolitics, cyber, and the C-suite. Rick Howard talks with John Hultquist, Chief Analyst at Mandiant, at the mWISE 2023 Cybersecurity Conference about threat intelligence. Stick around. [ Music ]
Rick Howard: A couple of weeks ago, Mandiant, now part of Google Cloud, hosted the mWISE Cyber Threat Intelligence Security Conference at the Washington, D.C. Convention Center. I ran into an old friend of mine, John Hultquist; these days he's the Chief Analyst at Mandiant, but he's been doing cyber threat intelligence his entire career in both the government and the commercial sector. After he left government service, he transitioned to the commercial sector as the Director of Cyber Espionage Analysis at iSIGHT Partners. FireEye eventually bought iSIGHT Partners, then Mandiant bought FireEye, and then finally Google bought Mandiant. And John has been on that entire journey. Let's just say that he knows where all the skeletons are buried. And we had a wide-ranging discussion about the current state of cyber threat intelligence, the late great Kevin Mitnick, and the revelations this year from Chainalysis, a commercial vendor, about how crypto money is not as anonymous as we all thought it was. I started by asking John if there was a single theme to the mWISE Conference this year.
John Hultquist: I've spent a lot of time with customers and that's honestly, it's super enlightening because I have my thoughts on what I think matters.
Rick Howard: Yeah.
John Hultquist: And then you go in the room and they're like, "This is what actually matters to me." And it's always great to sort of find where those two parts kind of connect. I think obviously the situation with the casinos in Las Vegas is the talk of the town or whatever you want to call it right now.
Rick Howard: Which is crazy, right?
John Hultquist: Yeah.
Rick Howard: I mean, okay, it's a big deal for them, but.
John Hultquist: Yeah.
Rick Howard: Why is that more important than, I don't know --
John Hultquist: I mean, I think those actors are sort of challenging a lot of the, you know, the ways that we do security, right? And -- and I will tell you that I've spent a lot of time working with casinos through the years and they are mature players.
Rick Howard: Yeah.
John Hultquist: They are.
Rick Howard: They know what they're doing.
John Hultquist: They have been doing security since day one at the casinos, right? It's not an afterthought, it never was. And so, you know, it's really interesting to see, you know, an actor hit more than one of them and, you know, where we've been essentially trying to distill some of the lessons learned from that actor.
Rick Howard: Is there something we can just point to here like, you know, we've been doing cybersecurity for 30 years?
John Hultquist: Yeah.
Rick Howard: They took advantage of something that we have not been paying attention to?
John Hultquist: Well, you know, it's funny -- it's like everything old is new again, right? There are things that I think we thought about a long time ago and maybe we didn't keep watching because adversaries change.
Rick Howard: Yeah, yeah.
John Hultquist: And we might not have kept our eye on the ball in certain things. Just like, by the way, there was a talk about USB malware, right, which was like the debate of my existence when I was in the government.
Rick Howard: Yeah.
John Hultquist: With, you know.
Rick Howard: All of us, yeah.
John Hultquist: With the Agent.btz situation. So, that's everything old is new again. I think, you know, these are things that we thought of before, but it sort of refreshed a lot of our memory on a lot of these problems and it's good because we're going to start, you know, attacking some of these problems. So, the biggest one is their ability to social engineer -- it's exceptional, they're English speakers. I keep talking about it: it's not just that they're English speakers, they're native English speakers. They're able to sort of develop a real familiarity with the people they talk to, and sort of emote in the language, right? There are differences between how people in Western Europe discuss things, right? And how they emote on the phone, right? And these guys are locked in and able to really convince somebody to help them. What that means is that you will -- a helpdesk will not only sort of, you know, allow them to get through these gateways that we've set up, but they'll almost pull them through because I think they like them, you know, they want to help them.
Rick Howard: So, we've gone back to more social engineering as a skillset?
John Hultquist: A huge skillset.
Rick Howard: Yeah.
John Hultquist: And I think that it exposes the vulnerability in just, you know, the way that we set up these helpdesks; probably how we incentivize them, right? They're incentivized to be helpful, right? That's something reviewed.
Rick Howard: Yeah, sure.
John Hultquist: Telling somebody no may not actually be in their interest, you know, economically, you know, if you work on the floor, and we've got to make sure that's not the case.
Rick Howard: I heard a story by Mitnick talking about helpdesks. He was saying that the way he would social engineer a target was that he would call in and help the helpdesk solve a problem, but he picked to be a contractor.
John Hultquist: Oh, wow.
Rick Howard: He'd solve the problem and then a week later he would call the helpdesk again and say, "Hey, I need you to fill out this."
John Hultquist: "You remember me?"
Rick Howard: "Do you remember me filling out this paperwork," right?
John Hultquist: Oh, wow, yeah.
Rick Howard: And it's like yeah, so maybe we're coming back to those types of things.
John Hultquist: Yeah, I mean, the long play by the way is something we actually have seen from the other players, more in like the texts, you know, like an email message situation, like the Iranians and the South Koreans, and you'll see them be social to somebody for like a month now before they ever bother to send that link or that attachment, but they're pulling people through, they're hitting these business process outsourcers that are like third parties that manage a lot of our data. And the other thing that's really important that they're doing is there's a focus on telecoms and SMS, and particularly the ability to overcome a second factor for that two-factor, right, or the ability to get somebody to send a reset code or something directly to a phone that they control. And it really proves that -- that we have to really rethink, you know, how much we rely on phone numbers as a reliable way to sort of authenticate somebody.
Rick Howard: Because we're still trying to get people to use two-factor.
John Hultquist: Right?
Rick Howard: On a project.
John Hultquist: We are so on this journey and I will say that I still, you know, I still think it's a speed bump, right?
Rick Howard: Yeah.
John Hultquist: But it's just not an enter -- like it's -- a speed bump is not like a doorway, right? Like it's not enough for an enterprise. Maybe for a certain -- for certain things it's enough, but if you know if you are trying to protect an enterprise, it's just it's probably not going to -- they probably won't do it.
Rick Howard: So, you were on this panel at the mWISE Conference, okay, it's called Cyber Intelligence in a Rapidly Changing World, and some big-time luminaries on that panel. I'm not saying you are.
John Hultquist: No, yeah.
Rick Howard: But other people.
John Hultquist: There were other people there.
Rick Howard: Right.
John Hultquist: And we had some really interesting people on the panel who had spent a lot of time looking at crime from various aspects. Jackie from Chainalysis I thought had a really interesting sort of view into the problem; she looks at the blockchain and she watches a lot of this movement. And one of the things she said is she's seen sort of a drop off in some of this -- the -- so many criminal actors and she attributes this to maybe some success and, you know, we're seeing zero days in the crime space now. And there's a thought that maybe some of -- there is actually an increasing barrier to entry. So, some of our defenses may actually be working. So, that's why we're talking about innovations here, right? Or like.
Rick Howard: Yeah.
John Hultquist: A new problem instead of talking about "Oh, it's the same old thing we've seen a thousand times." We're actually talking about zero days and new ways to social engineer and people are defeating the second factor things and that's good. That means that some of the things that we're doing may actually be working, which you never ever hear in this business.
Rick Howard: Well, you said Jackie is from Chainalysis. I heard about Chainalysis from Andy Greenberg's book.
John Hultquist: Yeah.
Rick Howard: "Tracers in the Dark."
John Hultquist: Yeah.
Rick Howard: And up until that point I think most of us thought that, you know, blockchain was anonymous.
John Hultquist: Yeah.
Rick Howard: And we knew it probably could be broken, but they blew that idea completely out of the water.
John Hultquist: It's really strange.
Rick Howard: I know.
John Hultquist: Concept, because that's -- I think that was the first thing you heard about blockchain is that it would be anonymous and that doesn't seem to be the case at all.
Rick Howard: Well, I mean if you look at the design specs, it's supposed to be transparent.
John Hultquist: Yeah, it's really.
Rick Howard: It's transparency [multiple speakers].
John Hultquist: It's the opposite, I mean,
Rick Howard: Yeah.
John Hultquist: It's a transparent measure and it's given us a tremendous amount of insight into a lot of adversaries, not just the criminals -- well, not just the regular -- the good old fashioned criminals, but we also have like the North Koreans now and we can see the scale of their program and it's in the hundreds of millions.
Rick Howard: It's amazing, yeah.
John Hultquist: Yeah.
Rick Howard: Yeah.
John Hultquist: And it's going right into a nuclear weapons program.
Rick Howard: I think you and I are in the wrong business, okay?
John Hultquist: Yeah, clearly, yeah.
Tré Hester: That's Rick Howard and John Hultquist speaking at the mWISE 2023 Cybersecurity Conference. [ Music ]
Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is Senior Vice-President of Research and Analysis at Interos. Andrea it is always great to welcome you back. I want to touch base on geopolitics, something you and I talk about regularly, but also how that intersects with cyber of course, but the folks in the C-suite. What sort of insights do you have on that?
Andrea Little Limbago: Yeah, no, thanks, and you know there are areas that tend to be disconnected in most conversations, but what we're seeing at the C-suite level is a growing push both for greater cybersecurity domain expertise as well as geopolitical expertise, and that, you know, unfortunately Russia's invasion of Ukraine kind of, you know, was the prompt, the forcing function in that regard. However, that -- some of that discussion had started earlier, following the start of the U.S.-China trade war. It wasn't necessarily taken as seriously as it is now. It's been a good, you know, seven years since then, so the various kinds of sanctions and regulations and so forth really have just continued at a rapid pace. If nothing else, it's a compliance issue in many regards for some of these companies that the C-suite needs to be aware of. But it is thinking about, you know, how can you build a resilient company in times of shifts and looking across, you know, the major shifts that are going on to really shape this new normal and current climate: change is really one of them, the technological revolution that's underway is one of them, but the geopolitical landscape is shifting in ways that we have not seen for decades. And that is something that's starting to raise much more awareness and we have folks on the Board starting to ask, like, "how are you trying to," or "how are you building your company to be resilient against some of those shifts?"
Dave Bittner: And the folks I speak to, you know, always emphasize that you have to approach the C-suite in the language that they understand, which tends to be risk, material risk to the business. And yet, everything it seems these days flows through cyber, I mean, even, you know, the social aspects of social media, you know, the -- we're coming up on an election season here and that, you know, that affects everything as well. Are we seeing a heightened awareness from the C-suite to focus on those elements?
Andrea Little Limbago: I'd say a growing one; I'm not sure I'd say heightened yet. I wouldn't go quite that far.
Dave Bittner: Right.
Andrea Little Limbago: And then to your point, I mean so much of the geopolitics and the risks associated with it are manifest through cyber. That's why we see so much of that interconnected. So, I think, you know, there's a rising awareness, you know, I think the World Economic Forum did, you know, what their findings from earlier this year were, that, you know, they did a polling of a bunch of, you know, executives and their best estimate was that there will be some sort of catastrophic cyber event in the next two years that is geopolitically motivated. And take that with a grain of salt, but it just shows that there is a heightened awareness at a minimum; whether they're actually doing something about it is a little bit different, but those that think about the connectivity between geopolitics and cybersecurity and that having an impact on the businesses is something that just is growing in awareness. These are questions that are starting to pop up; we're hearing them a whole lot more. And so, we're starting to see some shifts in that regard. And I think what's interesting, and you mentioned social media, and that's -- you almost think about that as being like the frontend risks that are -- that we see like social media and some of the information and the various kind of -- we've seen this information campaign started at companies already numerous times, so that's one component of it and the data security. And then some of the backend risks could be the, you know, hardware that we're seeing right now that's being in the companies, and there's actually a really good book along those lines, because it separates it by frontend risks and backend risks for cyber and geopolitics, called "The Wires of War" by Jacob Helberg that I would recommend. Because I really like that framing, because it is sort of the software risks and the hardware risks and then the data goes along with it, and I don't think many companies are thinking about that like quite yet.
And, you know, compliance is forcing some of them to when you have something like Huawei technology that is not allowed to be within their infrastructure, that's a forcing function on the hardware side and then even some of the -- some of the software apps, but even just, you know, data security, data privacy laws are forcing as well. But I think that there -- it's still really [inaudible 00:20:57] I think when it's getting into business discussions.
Dave Bittner: Well, and we're seeing, you know, shifts of emphasis on bringing some core manufacturing back to the United States, your chip manufacturing things like that, and but then in the next breath you hear the folks leading that effort saying, well we don't have enough people here who are trained, and so it's going to take us longer than we thought it would; strong geopolitical implications there.
Andrea Little Limbago: No, it's huge. I mean, I was just reading, I think the other day, that Taiwan Semiconductor Manufacturing, you know, the biggest semiconductor company, was building a plant in Arizona and then it's getting delayed for that reason, for the inability to find all the labor that they need. So, there are, you know, it's one thing to -- it's way easier said than done. We are seeing the companies shift in that regard, but we're also, I mean, we're also seeing in some cases that the governments were, corporate executives, talking about the risk on one side and then in a different forum talking about how they're reinvesting, say, in China and growing a labor force or growing like a new plant there. And so, it's very hard to see -- you can't have it both ways and I think some companies are trying to have it both ways right now because they've been able to, and that's, you know, especially in the area of supply chains, you know, they have grown globally absent of any thought about geopolitics for, you know, that's how -- that was globalization as it expanded over the last few decades, really didn't take geopolitics into consideration and now it has to. So, it's a really, it's a -- it's a big mindset shift that I think is fully coming around. And for sure some industries are thinking about it a lot more than others.
Dave Bittner: Yeah, I just think in my day-to-day life, I mean for all of us, the number of items, consumer items, our mobile devices, our televisions, everything that comes through China. And so, I think about a company like Apple who we all rely on, you know, for even if you don't have an Apple device you know someone who does, they can't just pivot and find another manufacturer with the scale and precision and, you know, all the things that they've come to expect that China can provide.
Andrea Little Limbago: Yeah, no I agree and then even if going down to the materials that go into those technologies, the critical minerals, that's really becoming another area of discussion in the feud between China and I'll say Australia and the U.S., the European countries. And so, that also becomes something that another area of concern is we're -- if we're trying to decouple, where to get the critical minerals needed to create the technologies.
Dave Bittner: Where do you suppose we're headed here? Are we -- are we on a trajectory, for the short term, of increased tension or are we at some sort of equilibrium, or where do you suppose we are?
Andrea Little Limbago: Oh, you know, I think a lot of it depends. I mean, we're at a new equilibrium for sure following.
Dave Bittner: Yeah.
Andrea Little Limbago: Russia's invasion of Ukraine, but with regard to China, so much depends on what China does towards Taiwan. I think we're at an equilibrium right now for the level of tensions that they're, you know, higher than they were several years ago and I don't foresee any rethinking of the sanctions on their major tech companies and their AI companies and so forth; there is the, you know, unethical labor conditions that they have that also impacts the regulations of their companies. I mean, I don't see that going away or as shifting policy. I actually heard recently a couple of congress folks calling for rethinking some of the policies for China, but I just can't imagine that happening, just given the wide-scale IP theft and we keep finding, you know, there seems to be some new data breach linked back to China, so I can't imagine that happening anytime soon, but really the unknown is China's behavior towards Taiwan. And that, for many people, has always been like "oh, that's in the distant future." I think more in the government for sure is planning for that more now and I think many of the companies are starting to think like what would happen then. You know, I think Russia invading Ukraine was the forcing function on that, but I think some of the other aspects of the U.S.-China relations have further raised some concern.
Dave Bittner: Yeah. Alright, interesting times. Andrea Little Limbago, thanks so much for joining us. [ Music ]
Tré Hester: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. Don't forget to check out this weekend's edition of "Research Saturday" when Dave Bittner sits down with Deepen Desai from Zscaler to take a look into DuckTail. We'd love to know what you think of this podcast. You can email us at email@example.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. See you back here next week.