Welcome to this week’s edition of the Threat Source newsletter.
U.S. President Joe Biden’s proposed budget would include an 11 percent increase in the federal government’s IT budget, including a total of $10.9 billion for cybersecurity. On the surface — this is all great (we can save a discussion about the national debt and spending gap for a later time).
There‘s still a way to go before any of that money becomes real — a president’s proposed budget rarely gets passed as-is after layers of negotiation and Congressional votes. But this is a promising sign that the administration is ready and willing to invest more in cybersecurity to address holes in federal networks that are constantly being targeted. The FBI is already preparing to put that money to use to track down ransomware actors.
But I think it’s important to remember that money can’t solve all our security problems. It’s great to have the cash to invest in new technology, better equipment and more experts to be in the field. Those people still need the proper training, and the end users need to be continuously educated on the latest threats and scams that are likely to come their way. Regardless of how many millions are invested in a zero-trust framework, if the people implementing and overseeing that framework aren’t properly trained and educated, how likely is it that the zero-trust model will be effective?
A study released in the summer from the Information Systems Security Association (ISSA) found that the skills gap in cybersecurity worsened for the fifth year in a row in 2021. This means there continues to be a growing disparity between the skills cybersecurity teams have versus the resources they actually have on hand. Respondents to the survey noted a heavier workload, unfilled positions and worker burnout as the three main contributors to this gap.
An increase in federal funding can help resolve the issue of unfilled positions by, hopefully, increasing pay and benefits for prospective employees, possibly luring them into the cybersecurity space or encouraging them to stay in their roles. But it can’t solve burnout and heavy workloads overnight. That falls down to those workers’ managers and companies, nor does it help set up the appropriate training and education these cybersecurity teams need to use the new, shiny tools their companies are procuring for them.
So while we can celebrate this potential new financial windfall to the industry, I would hesitate to take a victory lap too soon before we address the soft skill issues that still face the security industry and end-users.
The one big thing
The next big cybersecurity shakeup is coming, whether we’re ready or not. Quantum computing is on the horizon, and any major breakthrough could change everything we know about encryption.
As Martin Lee wrote in our blog post this week, “Quantum technology in development by the world’s superpowers will render many current encryption algorithms obsolete overnight. When it becomes available, whoever controls this technology will be able to read almost any encrypted data or message they wish. … Although nobody knows when a powerful quantum computer will be available, we can predict the effects on security and prepare our defenses in advance.”
Why do I care?
The phrase “quantum computing” just sounds like a lot, I get it. But it’s not as confusing as it sounds. This is essentially the next wave of computing power that would make it easier for anyone who employs this technology to break current encryption algorithms and cause all sorts of trouble on the security landscape.
We know governments are already working on this technology, and there’s no real timeline for when it will be used out in the wild. And who knows how that timeline would change should the technology fall into the wrong hands. So, it’s important for anyone in the security space to keep an eye on developments in quantum computing and heed our various warnings about preparing to bolster our current encryption methods.
So now what?
Again, I’m just going to lift right from Martin here:
“At some point, many current encryption algorithms will become instantly vulnerable to whoever has developed a suitable quantum computer. In anticipation of this moment, organizations should look to extend the size of key public key encryption implementations beyond 3072 bits as interim protection. Where possible, systems should migrate to use AES-256 encryption and use SHA-384 or SHA-512 for hashing. Anyone implementing encryption software should consider the algorithm life span and provide users with the ability to change encryption strength and algorithm as necessary.”
Other newsy nuggets
The security world continues to watch the Spring4Shell vulnerabilities and consistently debate how serious it actually is. The Kenna Risk Score for CVE-2022-22965, one of the vulnerabilities part of this exploit in the Spring Framework for Java, is currently at maximum 100. This is an exceptionally rare score, of which only 415 out of 184,000 CVEs (or 0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. This is vastly different than earlier reports that Spring4Shell was not actually that serious. Over the course of the week, more information was released on the exploit, with CISA adding it to its list of known exploited vulnerabilities, and Microsoft warning users that attackers were actively exploiting the vulnerabilities to target some of its cloud services. (Talos, ZDNet, Microsoft)
The U.S. State Department formally launched a new cyberspace and digital policy bureau, a sign that the Biden administration intends to increase cyber diplomacy efforts. The Bureau of Cyberspace and Digital Policy (CDP), in their own words, is “responsible for leading U.S. diplomacy on cyber and digital policy issues.” This comes at a crucial time when tensions are rising between the U.S. and Russia over Russia’s invasion of Ukraine. The past year has been marked with major state-sponsored ransomware attacks and precursor cyber attacks to the Ukrainian invasion. (Washington Post, State Department)
Despite a recent massive data leak, the Conti ransomware gang is still active and infecting targets. After a Ukrainian hacker first infiltrated Conti and leaked a trove of data and chat logs, defenders learned a great deal about the group’s tactics. But that hasn’t slowed down the ransomware actor, which continues to exploit publicly known vulnerabilities like Log4Shell. Researchers also found Conti deployed in a recent attack using the IcedID banking trojan. IcedID, first discovered in 2017, uses organizations’ contact email forms to send phony legal notifications to get users to click on malicious links and files. (CNN, ZDNet, TechTarget)
Can’t get enough Talos?
- Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
- Threat Advisory: Spring4Shell
- Talos Takes Ep. #90: Kenna Security 101
- Beers with Talos Ep. #119: If it walks like a BlackCat, meows like a BlackCat...
Upcoming events where you can find Talos
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0
Typical Filename: ntuser.vbe
Claimed Product: N/A
Detection Name: Auto.1A234656F8.211848.in07.Talos
SHA 256: 12459a5e9afdb2dbff685c8c4e916bb15b34745d56ef5f778df99416d2749261
Typical Filename: NirCmd.exe
Claimed Product: NirCmd
Detection Name: Win.PE.SocGholish.tii.Talos