Ep 1941 | 11.3.23

In the offense-defense see-saw, the defense seems to be rising.

Transcript

Dave Bittner: An Apache vulnerability is being used to install ransomware. Exploitation of a Citrix vulnerability in the wild. The AP sustains a DDoS attack. HHS reaches settlement in a HIPAA data breach incident. More evidence of OSINT's reach. Andrea Little Limbago from Interos discusses the SEC and disclosure rules. In our Solution Spotlight, N2K’s Simone Petrella and Rick Howard speak with Ben Rothke about whether there really is an information security jobs crisis. And Microsoft draws a lesson from Russia's war: cyber defense now has the advantage over cyber offense.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, November 3rd, 2023.

An Apache vulnerability is being used to install ransomware.

Dave Bittner: Huntress and Rapid7 have observed exploitation of a remote code execution vulnerability (CVE-2023-46604) affecting Apache ActiveMQ. The flaw is being used to deploy the HelloKitty ransomware. Apache released patches for the vulnerability on October 25th, and Rapid7 says the exploitation began two days later, on October 27th.

Dave Bittner: Rapid7 reported Wednesday, “The threat actor’s attempts at ransomware deployment were somewhat clumsy: In one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets.” CVE-2023-46604, which has a CVSS score of 10, can “allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Dave Bittner: And Huntress wrote yesterday, “Exploitation for this attack is trivial. There is a Metasploit module that automates exploitation for this attack. The Huntress team confirms that this module works like a charm against vulnerable instances of ActiveMQ.”

Exploitation of Citrix vulnerability in the wild.

Dave Bittner: The Citrix Bleed vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway remains under active exploitation. Citrix issued patches for the flaw early last month. NetScaler has offered advice on mitigation.

Dave Bittner: Mandiant has been researching the risk, and this morning updated its research into the exploitation: "Mandiant is currently tracking four distinct uncategorized (UNC) groups involved in exploiting this vulnerability. We have observed some lower degrees of confidence overlaps in post-exploitation stages among these UNC groups, like using the same recon commands and utilities available on Windows."

HHS reaches settlement in HIPAA data breach incident.

Dave Bittner: The US Department of Health and Human Services’s (HHS) Office for Civil Rights (OCR) has reached a $100,000 HIPAA (Health Insurance Portability and Accountability Act) settlement with a Massachusetts medical management company, Doctors’ Management Services, over a ransomware attack the company sustained in 2018.

Dave Bittner: HHS explained some of the background in the case. “On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

Dave Bittner: “OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.”

Dave Bittner: Doctors’ Management Services reported a data breach to HHS on April 22, 2019, stating that around 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The breach, which occurred on April 1, 2017, went undetected until December 24, 2018, when ransomware was used to encrypt their files. An OCR investigation revealed potential failures in risk analysis, insufficient monitoring of health information systems, and a lack of policies to protect electronic protected health information, indicating non-compliance with HIPAA Security Rule requirements.

AP sustains DDoS attack.

Dave Bittner: Turning to some apparent news from Russia’s hybrid war against Ukraine, the Associated Press (the AP) has reported that its site, apnews.com, was intermittently unavailable Tuesday as it underwent a flood of traffic during what appears to have been a distributed denial-of-service (DDoS) attack.

Dave Bittner: Anonymous Sudan, a nominal hacktivist organization that's actually a front group for Russian intelligence and security services, announced in its Telegram channel that it intended to disrupt Western media, and informed speculation (as seen, for example, in Tech Monitor) holds it likely that this group was responsible for the attack on the AP. But the AP itself says it's been unable to conclusively attribute the incident to Anonymous Sudan.

Dave Bittner: And, in fairness, hacktivist auxiliaries do a great deal of woofing, handing out wolf tickets left, right, and center.

Dave Bittner: They’ve just claimed to have hit PayPal in a “test,” the CyberExpress reports. There are also some signs, according to FalconFeeds, that Anonymous Sudan may currently be pestering Yahoo News. Their site was down briefly, but is now back up.

Dave Bittner: So in this case of the AP, if you bet on form, it’s probably Anonymous Sudan.

More evidence of OSINT's reach.

Dave Bittner: Open source intelligence (OSINT) has shown its value in both of the major wars currently being fought, the war between Russia and Ukraine, and the conflict between Israel and Hamas. News organizations were able to extract a tolerably good picture of the Russian order of battle on the eve of the invasion from pictures posted to social media by Russian’s innocently showing trains loaded with armored vehicles passing through their towns enroute to staging areas.

Dave Bittner: Similar things are happening in the war between Hamas and Israel. NPR describes, in the course of reporting Israel's ground operations into Gaza, how such sources enable observers to track action on the ground. The principal sources of information in Gaza have been overhead imagery, provided by commercial satellites with a timeliness and resolution formerly available only to the best-equipped nation-states, and social media--video, reports, audio, and so on.

Dave Bittner: Neither overhead imagery nor (especially) social media content can't be naively accepted as ground truth, but it represents information that can be sifted, assessed, and analyzed. The New York Times provided an example of how they did this, albeit a little slowly, in the case of the explosion at the Gaza hospital, which the Times now thinks was caused by a wayward rocket launched against Israel from Gaza. Some of the analysis depends upon background knowledge (a crater too small to have been caused by a bomb), historical or geographical awareness (recognizing that images or video where taken at another time or place), and, finally, the esoteric but increasingly available skills of image interpretation–every journalist their own squint.

Microsoft draws a lesson from Russia's war: cyber defense now has the advantage over cyber offense.

Dave Bittner: In announcing its Secure Future Initiative, Microsoft sees Russia's hybrid war as having demonstrated that the advantage in cyberspace has swung from the offense to the defense. "The war in Ukraine has demonstrated the tech sector’s ability to develop cybersecurity defenses that are stronger than advanced offensive threats," the company writes. "Ukraine’s successful cyber defense has required a shared responsibility between the tech sector and the government, with support from the country’s allies. It is a testament to the coupling of public-sector leadership with corporate investments and to combining computing power with human ingenuity."

Dave Bittner: And Redmond thinks that AI promises even more to the defenders. "As much as anything, it provides inspiration for what we can achieve at an even greater scale by harnessing the power of AI to better defend against new cyber threats."

Dave Bittner: We note, in passing and in full disclosure, that Microsoft is a CyberWire partner.

Dave Bittner: The company has committed to improving cyber defense in these ways:

"First, we are taking new steps to use AI to advance Microsoft’s threat intelligence."
"Second, we are using AI as a gamechanger for all organizations to help defeat cyberattacks at machine speed."
"Third, we are securing AI in our services based on our Responsible AI principles."

Dave Bittner: So, in Redmond’s view, AI is likely to further enhance the defense, and so prove an ultimately benign family of technologies, if properly managed. Let’s hope so.

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos discusses the SEC and disclosure rules. In our Solution Spotlight, N2K's Simone Petrella and Rick Howard speak with Ben Rothke about whether there really is an information security jobs crisis. Stay with us. [ Music ] Ben Rothke works in information security at Tapad. He writes book reviews for the RSA blog and is a founding member of the Cloud Security Alliance and the Cybersecurity Canon. In today's Solution Spotlight, N2K's Simone Petrella and Rick Howard speak with Ben Rothke about whether or not there really is an information security jobs crisis.

Simone Petrella: We spend a lot of time on this segment talking with experts about ways they're addressing the cyber talent crisis, but today I want to tackle the issue, is the talent shortage really as bad as we think? To have this discussion, I'm joined today by Rick Howard, the CyberWire's Chief Analyst, and Ben Rothke, Senior Information Security Manager at Experian. Hi, gents, thanks for joining.

Ben Rothke: Hello.

Rick Howard: Hey, Simone. Thanks for doing this.

Simone Petrella: All right. Well, let's just jump right in. Ben, I know you've tackled this question. So is there really a cyber job shortage?

Ben Rothke: Yes, you know, but I think, you know, with a caveat. There's a lot of reports, press releases, etc., about millions of cybersecurity jobs. So the short answer is yes, it's definitely -- it's a great career path. There's a lot of openings, but it's not that people could take a crash course, get a high-paying job in information security.

Rick Howard: Darn, I wish -- really? I'm shocked, shocked, I say.

Ben Rothke: Okay [laughing]. I get calls, you know, weekly from parents, from people, "I want" -- you know, they've got college-aged kids, there's other people in IT that want to get into information security, and it's a great career, there's a lot of opportunity, but once again, it's not this magic bullet where you could take a boot camp and companies are going to be desperate for your services. I think that's the difference. I think one misnomer is, you know, thinking you can just do information security. Information security is built on top of IT. Information security is like a medical specialty. First, you do internal medicine, then you do your specialty. No one just goes straight into --

Simone Petrella: I've used that analogy for years, Ben. We're simpatico on that one. I thought you brought up something really interesting, which is that, like, the numbers are endemically over-reported, and it's something I have noticed in some of the things that we've seen in the datasets and something that's always struck me, I know, even when I think about the amount of federal cyber and defense cyber jobs that are being bid in the DMV alone, you know, I think about every contractor that's putting out reqs for the same job postings, if we're using that as the data point, I'm like, we've just quadruple counted, because everyone's putting up postings for the same singular role. It's just getting replicated four times.

Rick Howard: Yeah, I think the number is -- last time I looked, it was 3.5 million job openings, right? And it seems to grow every year. These are not entry-level jobs. What we're -- but I think that's our fault. We're the security professionals here, and for years, we've insisted that we're not going to hire newbies for a specific task. We've insisted that these new employees have, you know, 20 years' experience and 17 certs and, therefore, we don't hire them. I'm wondering what you think about that, is that we could be very judicious here, if we were smart about hiring newbies coming off the street and give them very specific things to do, and I wonder if that fixes the problem.

Ben Rothke: Yeah, I mean, it's -- I think it's a -- there's a lot of issues, a lot of things involved, and even getting back to that number, even, you know, I heard a figure, you know, a million job openings in the U.S., and if you think about it, you know, that would mean almost like 1% of Americans are in information security. Information security is -- it's broad. It's deep. So there's a lot of things going on. The short answer is, there is no quick fixes. It's just there's the supply, there's the demand, there's training aspects, and so there's a lot there. But yeah, there's a lot of different things going on, and there is no one thing to fix the shortage.

Simone Petrella: Right. I'm curious, though, because I -- it really sticks with me, too, in the work we've done around this idea of the, like, short-term realities and companies that kind of focus on "Here's what I need yesterday," and so I don't have the advantage or the luxury to invest in those training programs, so those upskilling programs, versus the reality that if we don't do those things, there is no way to ever grow this pool of talent regardless of what the actuarial number of shortfall of jobs is. So what has to happen culturally? And in, I assume, these large companies, they've got to lead the charge, from my perspective.

Ben Rothke: In the old days, we used to pay bills with -- in an envelope from the AAA. Their envelope said, I think, you know, "auto safety doesn't cost, it pays." I think so too with information security. It doesn't cost, it pays. It is an investment, and, you know, there was an incident --

Rick Howard: Yeah, but, Ben, we don't treat it that way as an industry.

Ben Rothke: Yeah, it's --

Rick Howard: You know, because, you know, my experience is, when we train employees, existing employees, we never do it with the idea that we're going to improve the team. That's not the primary consideration, right, is we're going to -- it's usually a perk. We're going to improve how well the team performs on our particular strategy, and that's a culture shift for all of us because none of us do it that way.

Ben Rothke: Yeah, as I said, you know, there's a lot, I mean, we need to invest in the people, you need to invest in the products and the technology and processes and all of these. So I think information security in some ways is really, you know, not that different from IT, from society as a whole, but as it has gotten to that point, you really can't ignore it anymore. I mean, in the last week, there's Clorox, there's Caesars, there's MGM, so companies are slowly getting it, but it's like the proverbial aircraft carrier. You know, these things are huge and big and, you know, you want to make a change and a turn, you know, it does take a while, but even with the new SEC guidance, that's changing things significantly. So in some ways, information security, we're inherently -- we always focus on risk and you always see, you know, the dangers in everything, so I think there is a lot of -- a lot of good things going on. Information security is now at the board level. There's a lot of investment, but it still can take a while to fix.

Rick Howard: The culture change, though, Ben, that I'm talking about, right, is that when you have a budget for training and it's earmarked for, you know, career progression, okay, that's the first thing that gets cut.

Simone Petrella: No, and Rick, I think you really said an operative word. It's what -- how is it tied to a strategy. Just having a budget, it's easy to cut a budget for training when it's a perk because that's what it's viewed as, is a perk, until you take away the perk, because you do that if it's not tied to a talent strategy, a people strategy.

Rick Howard: Or a, you know, not to toot my own horn, but a first principle cybersecurity strategy, right? So if your -- if your strategy is, I don't know, resilience, like it is here at the CyberWire, okay, we need people that know how to do resilience, and I could take budget decisions, resource decisions to the, you know, to Simone, my boss, and say, "You spend $3,000 on this, I can buy down risk with that," right, as opposed to, you know, it's Kevin getting a, you know, a pat on the back because he did a good job last week.

Ben Rothke: Yeah, I think that gets, you know, into the -- another issue, you know, is creating the, you know, return on security investment. If you're familiar with fair factor analysis of information risk, that's a great method to show and quantify that, but even getting those good numbers, that's an effort in and of itself, but yeah, a lot of things can't be cut. You know, no one says, "Hey, times are tough, you know, we've got to cut back on electricity. You know, we've got to cut back on plumbing," because, you know, you can't do that, and so too information security really is no different, I mean.

Simone Petrella: Right, but, you know, it's -- but it's really good point when you think about the amount of budgets that's spent on, especially the operating budget, spent on headcount, that is by far the largest amount of budget spend, is ultimately on people. So I want to leave us with this parting question. I'll give you both a chance to kind of answer it as a takeaway. If you were to identify one thing in sort of the low-hanging fruit that could start to change this culture paradigm and start to focus the industry on the long-term solutions, what would be your first starting point?

Rick Howard: I know what mine would be, but, Ben, what do you think?

Ben Rothke: Oh, I just say, you know, stop and, you know, figure -- you know, really understand, you know, what your IT issues are, you know, what your needs are, what your goals are, and understand how to, you know, get security involved in that.

Rick Howard: So I'll piggyback off that, right? I would call that "decide what your strategy and tactics are." But the first step in solving this problem, I think, is being able to assess your current workforce on how good they are at pursuing those strategies and tactics so you can make a decision about training resources in the future. That's what I would do.

Simone Petrella: That's great. Well, Ben, Rick, thank you so much for joining for this discussion. Always a ton of fun.

Rick Howard: Thanks, Simone. That was fun.

Ben Rothke: Thank you.

Dave Bittner: That's Ben Rothke speaking with N2K's Simone Petrella and Rick Howard. [ Music ] There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects" where you'll get access to this and many more extended interviews. [ Music ] And I'm pleased to be joined once again by Andrea Little Limbago. She is Senior Vice President of Research and Analysis at Interos. Andrea, it is always great to welcome you back. I want to touch base on geopolitics, something you and I talk about regularly, but also how that intersects with cyber, of course, but the folks in the C-suite. What sort of insights do you have on that?

Andrea Little Limbago: Yeah, no, thanks, and they are areas that tend to be disconnected in most conversations, but what we're seeing at the C-suite level is a growing push, both for greater cybersecurity domain expertise as well as geopolitical expertise, and that, you know, unfortunately, Russian invasion of Ukraine, kind of, you know, what was the prompt, their forcing function on that regard, however, that -- some of that discussion had started earlier, following the start of the U.S.-China trade war but wasn't necessarily taken as seriously as it is now, and it's been a good, you know, seven years since then, so the various kinds of sanctions and regulations and so forth really have just continued at a rapid pace. If nothing else, it's a compliance issue in many regards for some of these companies in the C-suite needs to be aware of, but it is thinking about, you know, how can you build a resilient company in these times of shifts, and looking across, you know, the major shifts that are going on to really shape this new normal, and clearly, climate change will be one of them, the technological revolution that's underway is one of them, but the geopolitical landscape is shifting in ways that we have not seen for decades and that is something that's starting to raise much more awareness, and we have folks on the board are starting to ask me, "How are you trying to -- how are you building your company to be resilient against some of those shifts?"

Dave Bittner: The folks I speak to, you know, always emphasize that you have to approach the C-suite in the language they understand, which tends to be risk, material risk to the business, and yet everything it seems these days flows through cyber, I mean, even, you know, the social aspects of social media, you know, the -- we're coming up on an election season here, and that, you know, that affects everything as well. Are we seeing a heightened awareness from the C-suite to focus on those elements?

Andrea Little Limbago: I'd say a "growing." I'm not sure I'd say "heightened" yet.

Dave Bittner: Okay.

Andrea Little Limbago: I wouldn't go quite that far.

Dave Bittner: Right.

Andrea Little Limbago: And I think to your point, I mean, so much of the geopolitical -- politics and the risk associated with it are manifest through cyber and that's why we see so much of that interconnected, and so I think, you know, there's a rising awareness. You know, I think the World Economic Forum did it, you know, what they -- their findings from earlier this year, that, you know, they did a polling of a bunch of executives, and their best estimate was that there will be some sort of catastrophic cyber event in the next two years that is geopolitically motivated, and take that with a grain of salt, but it just shows that there is a heightened awareness that, at a minimum, whether they're actually doing something is a little bit different about it, but those -- the connectivity between geopolitics and cybersecurity and then that having an impact on the businesses is something that this is growing in awareness. These are questions that are starting to pop up. We're hearing them a whole lot more, and so we're starting to see some shifts in that regard. And I think what's interesting, and you mentioned social media, and that's -- you almost think about that as being like the front-end risks that are -- that we see, like social media and some of the information and the various kind of -- we've seen disinformation campaigns targeted at companies already numerous times, so that's one component of it, and the data security, and then some of the back-end risks could be the, you know, hardware that we're seeing right now that's being in the companies, and there's actually a really good book along the lines that kind of separates it by front-end risk and back-end risk for cyber and geopolitics that -- it's called "The Wires of War" by Jacob Helberg, I'd recommend, and I kind of really like that framing because it is sort of the software risk and the hardware risk and then the data that goes along with it, and I don't think many companies are thinking about that way quite yet. And, you know, compliance is forcing some of them to, when you have something like Huawei technology that is not allowed to be within your infrastructure, that's a forcing function of hardware side, and then even some of the software apps, but even just data security, data privacy laws are forcing as well, but I think it's still really nascent, I think, when getting into business discussions.

Dave Bittner: Well, and we're seeing, you know, shifts of emphasis on bringing some core manufacturing back to the United States, you know, chip manufacturing, things like that, but then, in the next breath, you hear the folks leading that effort saying, "Well, we don't have enough people here who are trained, and so it's going to take us longer than we thought it would." Strong geopolitical implications there.

Andrea Little Limbago: No, it's huge. I mean, I was just reading the other day that the Taiwan semiconductor manufacturing, biggest semiconductor company, was building a plant in Arizona and then it's getting delayed for that reason, for inability to find all the labor that they need. So there are -- it's one thing -- it's way easier said than done, but we are seeing the company shift in that regard, but we're also -- it's interesting, we're also seeing, in some cases, out of governments or corporate executives, talking about the risk on one side and then in a different forum talk about how they're reinvesting, say, in China and growing a labor force or growing a new plant, and so it's very hard to see -- you can't have it both ways, and I think some companies are trying to have it both ways right now because they've been able to, and that's, especially in the area of supply chains, you know, they've grown globally absent any thought about geopolitics for -- you know, that's how -- that was -- globalization as it expanded over the over the last few decades really didn't take geopolitics into consideration and now it has to, so it's a really -- it's a big mindset shift that I think is slowly coming around, and for sure, some industries are thinking about it a lot more than others.

Dave Bittner: Yeah, I mean, just think in my day-to-day life, I mean, for all of us, the number of items, consumer items, our mobile devices, our televisions, our -- everything, that comes through China, and so think about a company like Apple, who we all rely on, you know, for -- even if you don't have an Apple device, you know someone who does, they can't just pivot and find another manufacturer to -- with the scale and precision and, you know, all the things that they've come to expect that China can provide.

Andrea Little Limbago: Yeah, no, agreed, and then even going down to the materials that go into those technologies, the critical minerals, that's really becoming another area of discussion and dispute between China and, say, Australia or the U.S., the European countries, and so that also becomes some -- another area of concern is, where if we're trying to decouple where to get the critical minerals needed to create the technologies.

Dave Bittner: Where do you suppose we're headed here? Are we -- are we on a trajectory of, for the short term, of increased tension, or are we at some sort of equilibrium? Where do you suppose we are?

Andrea Little Limbago: Oh, yeah, I think a lot of it depends. I mean, we're at a new equilibrium, for sure, following Russia's invasion of Ukraine, but with regard to China, so much depends on what China does towards Taiwan. I think we're at an equilibrium right now for the level of tensions. They're, you know, higher than they were several years ago, and I don't foresee any rethinking of the sanctions on their major tech companies and their AI companies and so forth. There's the, you know, unethical labor conditions that they have that also impacts the regulations of their companies and I don't see that going away, or us shifting policy. I've actually heard recently a couple of Congress folks calling for rethinking some of the policies for China, but I just can't imagine that happening just given the wide-scale IP theft, and we keep finding, you know, there seems to be some new data breach link back to China, so I can't imagine that happening anytime soon, but really, the unknown is China's behavior towards Taiwan, and that, for many people, has always been like, "Oh, that's the distant future." I think more -- and the government, for sure, is planning for that more now, and I think many other companies are starting to think that what would -- what would happen then. You know, I think Russia invading Ukraine was a forcing function on that, but I think some of the other aspects of U.S.-China relations have further raised the concern.

Dave Bittner: Yeah, all right. Interesting times. Andrea Little Limbago, thanks so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with researchers from SentinelOne. They're sharing their work, Sandman APT, a mystery group targeting telcos with a LuaJIT toolkit. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]