International agreements, cyberespionage, and international tensions. New US DoD zero-trust office. State and local cybersecurity in the US. – The CyberWire

international-agreements,-cyberespionage,-and-international-tensions-new-us-dod-zero-trust-office-state-and-local-cybersecurity-in-the-us.-–-the-cyberwire

As you may know !

At a glance.

  • US joins the Paris Call.
  • FBI warns of Iranian cyberespionage.
  • Recent DPRK cyberespionage.
  • Ransomware and Financial Stability Act (H.R.5936) introduced into the US House.
  • The US Department of Defense will stand up an office to promote zero-trust implementation.
  • Reaction to the effects of the US infrastructure bill on state and local governments.
  • Rising tension in Eastern Europe can be expected to prompt a higher offensive cyber optempo.

US joins Paris Call.

US Vice President Kamala Harris has announced that American has joined the Paris Call for Trust and Security in Cyberspace, an eighty-country collaboration focused on advancing global cybersecurity efforts. Axios notes that Former President Trump refused to allow the US to support the Paris Call, and the shift demonstrates the Biden administration’s dedication to strengthening international cyberrelations. Security Week adds that the White House released a statement explaining the new partnership “includes working with like minded countries to attribute and hold accountable States that engage in destructive, disruptive, and destabilizing cyber activity.”

FBI alert warns Iranian hacker is hunting for data.

The US Federal Bureau of Investigation (FBI) is warning that a cybercriminal tied to Iran is looking to get his hands on bulk data from countries all over the world including the US, the Record by Recorded Future reports. He’s not targeting any particular industry, but is instead trawling the dark web for any data that could be leveraged to “conduct their own cyber operations against US organizations,” the FBI’s statement explains. The alert details techniques deployed by the threat actor in the past, such as enabling Remote Desktop Protocol (RDP) on target devices, or creating an RDP-scanning botnet using a network of compromised WordPress sites. To protect themselves, businesses who have suffered past data exposures are being advised to ensure compromised data can’t be abused for a future attack. FBI guidance includes patching previously compromised systems, resetting passwords, and safeguarding all systems exposed to the internet.

Kimsuky sets its sights on South Korean think tanks.

A North Korean threat group is targeting South Korean think tanks by using malicious Blogspot content as bait, ZDNet reports. The state-backed hacking group, which Cisco Talos researchers have identified as Kimsuky APT (aka Thallium or Black Banshee), has been launching attacks since June 2021 in an effort to deploy surveillance and theft malware on the devices of “South Korea-based think tanks whose research focuses on political, diplomatic, and military topics pertaining to North Korea, China, Russia, and the US.” The primary method of attack is the use of malicious Microsoft Office documents containing malicious VBA macros that download payloads from Blogspot, allowing the threat actors to scan target machines for files of interest. Talos explains, “The attackers knew exactly which files they were looking for. This indicates that the attackers have a deep understanding of their targets' endpoints, likely obtained from previous compromises.”

Proposed ransomware response rules for financial services.

The Ransomware and Financial Stability Act (H.R.5936) was introduced into the US House of Representatives yesterday. BleepingComputer reports that the measure would "require US financial institutions impacted by a ransomware attack to notify the Director of the Treasury Department's Financial Crimes Enforcement Network (FinCEN) with details on the attack and any associated ransom demands." The reports would not be publicly accessible, and, interestingly enough, the measure wouldn't outlaw paying ransom. Instead, it would require any organization that wished to pay ransom in excess of $100,000 to obtain a "Ransomware Payment Authorization" from FinCEN. Ilia Kolochenko, founder of ImmuniWeb, doesn't like the bill at all, seeing it as encumbering victims without addressing the causes of ransomware:

“I think the new bill is a disservice for American companies. The more bureaucracy we implement, the more arduous and inefficient a victim’s response will be. Sometimes, an undelayed payment of a ransom can prevent critical data from being placed on a Dark Web marketplace and then be acquired by nation-state threat actors. Today, virtually all ransom demands exceed $100,000 and thus will be subject to laborious approval requirements.

"Worse, the new bill tackles attack consequences instead of treating the root causes of ransomware. We need more cybersecurity programs in American colleges and universities, a unified data protection law on a federal level that would cover all industries in all US states, support and free cybersecurity training to SMEs, and an immediate budget increase for cyber law enforcement units who struggle to hire talent or even to buy forensic software. Prosecuting foreign hackers from extradition-proof countries and collecting intelligence about untraceable ransom payments will be unlikely to slow down the global pandemic of ransomware.”

The Pentagon's zero-trust cybersecurity office.

C4ISRNet reports that the US Department of Defense is going to stand up a new office next month in order to foster the implementation of zero-trust policies and practices across the Department. David McKeown, the Defense Department's CISO, characterizes the move as part of an ongoing response to the SolarWinds incident that compromised significant networks in late 2020 and early 2021. “We’ve redoubled our efforts, we’ve fought for dollars internally to get after this problem faster,” he said. “We’re standing up a portfolio management office that will ... rationalize all network environments out there, prioritize and set each one of them on a path of zero trust over the coming five, six, seven years.” The US has attributed the SolarWinds attack to Russian intelligence services. (Sputnik points out that Russia has denied any involvement.)

John Yeoh, Global Vice President of Research at the Cloud Security Alliance sees the move as an important step likely to affect Federal agencies generally:

"This new Zero Trust cybersecurity office is going to play a major role in helping federal agencies and the IT industry better understand Zero Trust as a strategy and how to implement it.

"Those that understand the basic philosophy of Zero Trust still don’t always know where to start. The IT ecosystem has become, and continues to be, more complex with the virtual tools and technologies that support us during the pandemic. This digital transformation is supported by a rise in the adoption of cloud solutions which is accompanied by an extended technology supply chain model.

"The office will succeed if it gives people an understanding into the layers of trust that must be made and maintained within this operating environment. Layers within the supporting technologies and supply chain include, but are not exclusive to, the connecting networks, supporting software interfaces and code, hardware components and location, and the identity and authorization of people, devices, and services that function across business or government operations.

"In addition to establishing layers of trust within this environment, these layers must be maintained by monitoring changes and behaviors within these trusted layers. A Zero Trust approach for establishing and maintaining trust will help better evaluate the risks throughout the digital ecosystem.

"CSA will support the new office by providing guidance on Zero Trust strategies that align with business and government operations. Educational guidance and training is being created around the tenets and architectures within the recognized layers of trust that must be made within the cloud environment."

Kurt Glazemakers, Chief Technology Officer of Appgate, agrees that establishing the office is a significant sign of the seriousness with which the Government views zero-trust:

"The government has realized after the Solarwinds attack that the current perimeter-based security controls no longer work against these modern and advanced threat vectors, like the Solarwinds attack. Zero trust is currently the only approach that would work against these new attack vectors, and they are setting up a special office to help the path towards Zero trust within the next 5-7 years.

"By creating a special cyber security office, it becomes clear this is their top priority now. For any enterprise or government that still relies on traditional perimeter defense methods, where an intruder can often move freely through a network after penetrating it, this should be a wake-up call."

Felipe Duarte Domingues, a security researcher also at Appgate, wrote that zero-trust is a natural response to supply-chain attacks:

“SolarWinds' attack revealed how lots of organizations, including government ones, are vulnerable to supply-chain attacks, and that after an initial breach, there aren't enough barriers in current infrastructures to stop the threats from spreading. Kaseya attack was another example, where attackers managed to infect lots of Kaseya customers attacking the VSA application. After the attackers get access through any "trusted" application, they can easily navigate through the network.

"ZeroTrust then becomes the natural solution for that. Only by segmenting the networks and assuming all connections can be compromised, you can detect an intruder in your network. ZeroTrust needs to be implemented in the core infrastructure, you must profile any device trying to connect in your network, use multi-factor authentication to ensure credentials are not compromised, segment networks creating isolated perimeters, and, most important, only provide access to what a user or a system needs to.

"By focusing on ZeroTrust, the Pentagon sends a clear message to cyber-criminals that they are taking cybersecurity seriously. This, along with Biden's memo published earlier this year, should be a wake-up call to all organizations that haven't adopted ZeroTrust yet. The best way to contain the damage from a Ransomware or a Spyware attack is to implement ZeroTrust.”

Implications of the US infrastructure bill for state and local government.

State and local governments have generally applauded the windfall they expect from the recently passed US infrastructure bill. TheHill summarizes reaction to the $1 billion expected to flow from the Federal Government to state and local cybersecurity programs. Tom Gann, Chief Public Policy Officer at McAfee Enterprise, sees the additional resources as important, especially given the vulnerability of state and local governments to cyber threats:

“State and local governments are among the most vulnerable organizations to cyberattacks, yet currently only 35% of states account for cybersecurity in their budgets. With stretched finances and often old technology, local officials clearly need the kind of help the recently passed bipartisan infrastructure package will provide. The $1 billion in state and local grant funding is one of the most important technology provisions of the package, and it will help strengthen the nation’s overall cyber posture.

"The bill also includes $42.45 billion for state and local grants to build out high-speed networks and funding to extend the Emergency Broadband Benefit. While broadband expansion is critical, especially for students, it’s also critical to secure schools themselves and the access between homes and schools, as K-12 schools have become an increasingly vulnerable target for ransomware attacks. One remedy is for the FCC to adjust the rules for E-rate so schools can devote funding to much-needed cybersecurity upgrades. With a change in the E-rate rules, K-12 schools could invest in basic cybersecurity protections and create cybersecurity training programs for teachers and staff.

"We applaud both chambers of Congress for their diligence in moving the infrastructure package forward, and we are eager to see President Biden sign it into law so state and local governments can begin deploying these critical funds.”

Mounting conflict between Russia and its neighbors could lead to increased cyber operations. 

Military Times reports that geopolitical tensions are intensifying at the Ukraine-Russia border, where the convergence of Russian troops and weaponry have Western officials worried about military action. Russian forces gathered at the border and in neighboring countries like Belarus earlier this year for training exercises, and though the training is over, the military presence is staying put, leaving Western officials fearing the Kremlin might be prepping for an attack. Military Times notes, Russia’s deputy U.N. ambassador Dmitry Polyansky indicated Moscow feels threatened by recent actions from Ukrainian and US warships in the Black Sea. 

Further complicating matters, BBC News adds that Polish Prime Minister Mateusz Morawiecki has accused Russian President Vladimir Putin and Belarusian President Alexander Lukashenko of collaborating to orchestrate a migrant crisis at the Polish-Belarusian border in retaliation for EU sanctions. Foreign Policy adds, Putin and Lukashenko met earlier this week to discuss plans for increased collaboration between the two countries, and as the Washington Post explains, Lushenko has already threatened to cut off critical natural gas pipelines to Europe if sanctions from the West continue. If past conflicts are any indication, the heightened political discord could foreshadow an upswing in cyber operations.

You know, I just wanted to mention that camDown is the only solution you need to block webcam hackers and that's no lie!