CyberWire Daily - A few predictions, but today’s news is dominated by Cozy Bear’s supply chain attack on Solar Winds’ Orion Platform.
Episode Date: December 14, 2020
FireEye traces its breach to a compromised SolarWinds update to its Orion Platform. CISA issues an Emergency Directive to get control of an attack that is known to have affected at least two Federal Departments. Rick Howard shares lessons from season three of CSO Perspectives. Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia's SVR, Moscow says Cozy Bear didn't do nuthin'. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/239
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
FireEye traces its breach to a compromised SolarWinds update to its Orion platform.
CISA issues an emergency directive to get control of an attack that's known to have affected at least two federal departments.
Rick Howard shares lessons from Season 3 of CSO Perspectives.
Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends report.
And while reports attribute the supply chain attack to Russia's SVR,
Moscow says Cozy Bear didn't do nothing.
From the Cyber Wire studios at Data Tribe,
I'm Dave Bittner with your Cyber Wire summary
for Monday, December 14th, 2020.
The Washington Post's reporting on the FireEye breach says that FireEye and the U.S. Departments
of Commerce and the Treasury were successfully
breached through their network management system, a very widely used SolarWinds product. It seems
clear that Russia's SVR is responsible for the attack, in which FireEye lost some of its red
teaming tools. It's also increasingly clear that the initial compromise was a supply chain attack
and that a large number of other organizations were also affected.
SolarWinds disclosed over the weekend that it had become apprised
of a highly sophisticated manual supply chain attack
on SolarWinds Orion platform software builds
for version 2019.4 HF5 through 2020.2.1,
released between March 2020 and June 2020.
This would appear to be the source of the FireEye breach,
which is now known to have not been confined to FireEye.
The attack involved the introduction of a backdoor into the Orion platform.
That backdoor was subsequently propagated in the form of a software update
that contained the malware.
FireEye calls the backdoor SUNBURST. Microsoft Security Response Center has a detailed account
of how the malware functions. Both FireEye and Microsoft have upgraded their security products
to include measures for detecting and protecting against the attack. SolarWinds urges its customers to upgrade to Orion Platform version 2020.2.1 HF1
as soon as possible.
In response to the incident, late yesterday evening,
the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01,
outlining immediate steps federal agencies should take to protect themselves from attacks exploiting the back door.
The emergency directive has a deadline of noon today for agencies to complete the immediate remediation actions CISA requires.
The agency is particularly concerned to warn enterprises against the possibility of Kerberoasting,
an attack technique in which credentials are stolen from memory and then cracked offline.
We'll have more on Emergency Directive 21-01 in this afternoon's pro-policy briefing.
Cozy Bear, also called APT29 and a known unit of Russia's SVR Foreign Intelligence Service, appears to have been behind the supply chain attack on SolarWinds
and therefore responsible for not only the FireEye breach, but the attacks on the U.S. Departments of Commerce and the Treasury as well, the Wall Street Journal reports.
Cozy Bear earned a reputation during operations against U.S. campaigns in 2015 and 2016
for being quieter and less obtrusive than its GRU cousin, Fancy Bear.
That seems to have been the case in the SolarWinds incident.
FireEye yesterday afternoon blogged that the threat actor's work
was characterized by a light malware footprint
using limited malware to accomplish the mission while avoiding detection
and by prioritization of stealth, going to significant lengths to observe and blend into normal network activity,
and high OPSEC, patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.
While SolarWinds itself believes that exploitation of the vulnerability appears to
have been narrowly targeted against a relatively short list of organizations, the potential risk
may be very widespread. SolarWinds customers include large corporations, government agencies,
and military services. As is its custom in such matters, Moscow denies having done anything and regrets, Reuters says, the U.S. rejection of bilateral cooperation.
Such calls for international cooperation, usually, although this time not yet accompanied by good citizen expressions of a desire to see and weigh the evidence, routinely accompany the Kremlin's protestations of innocence in such matters.
Gmail and other Google services experienced an outage early this morning.
Mountain View sent a text to its very large user base at 7:27 a.m. Eastern Time saying,
quote, we are aware that all Google functions are currently down.
We will send a communication when things are back up.
Thank you for your patience, end quote. The Google Workspace status dashboard noted the outage at 6:55 a.m.
and by 7:31 reported that Gmail at least had been restored for the majority of users.
The cause of the outage is so far unknown and still under investigation.
A Washington Post report suggests that Huawei's collaboration with companies to develop products that serve social control
extended beyond the work with Megvii that critics have called a Uyghur alarm.
Huawei describes that project as a test
and says it takes allegations that its products might be used for repression seriously,
especially since,
Huawei told the BBC, ethnic targeting would be contrary to the company's principles.
The company told The Post it's opened an investigation into the matter.
Among the 38 projects currently listed on a Huawei Chinese-language website,
down from a high of about 2,000 before the site was temporarily taken down and restored,
is a product developed with Vickor that can alert authorities to the formation of crowds.
It can be set to trip by clusters of between 3 and 50 people.
Anyway, Huawei is investigating what it says in a subjunctive mood
would amount to a departure from the company's core commitment to non-discrimination, and so on.
The supply chain attack Cozy Bear executed through SolarWinds' Orion platform rightly dominated today's news,
but we'll close with a few reminders of where security firms think things are headed, generally speaking, in 2021.
Recent speculation about the near future continues to see 2020's threats shaped by the conditions the COVID-19 pandemic has imposed on commerce,
work, and study. Orange Cyber Defense argues that the rewards the pandemic presents,
in the form of distributed workplaces, stressed organizations, and equally stressed individuals,
will tend to push cybercriminals in the direction of greater professionalism.
That trend is reinforced by the widespread availability
of more effective commodity attack tools and services.
Orange says, quote,
While highly critical attacks are still kind of rare,
we've seen in the past few years a massive shift from low to medium criticality
among the incidents we've recorded, reflecting the availability of fairly sophisticated attack tools, end quote.
They're also seeing an increase in the level of insider threats, and they expect that to continue as well.
A Code42 study reaches a similar conclusion about insider risk.
Remote work, complicated new working arrangements, a looser grip on access control, and a lack of planning adequate to the sort of
improvisation organizations have been forced into all make their contribution. It's worth noting
that much, probably most, of the insider risk people worry about is unintentional and not
necessarily malicious. And data-rich, poorly resourced,
and poorly defended organizations with large numbers of users in their networks will remain attractive
targets. Government Technology suggests we think of elementary through high school education.
And joining me once again is Rick Howard.
He is the CyberWire's chief analyst, also our chief security officer.
Rick, great to have you back.
Hey, Dave.
Well, my hat is off to you.
You have done it, my friend.
You have made it to the end of the year.
And more importantly than that, you have completed your third season of CSO.
Yeah, I know, right?
CSO Perspectives.
I'm looking back at season three.
What are some of the big take-homes for you?
Well, first, you're so right, Dave.
And like the rest of your listeners, I am sure.
I'm ready to put this dumpster fire of a year behind us, right?
I know.
Yeah. And I'm so looking forward
to starting to begin to get back to normal sometime in 2021. So let's just keep our fingers
crossed about that. For season three, we covered a lot of ground on topics that I was either
ignorant on or before we started, or I had developed some misconceptions about these
ideas along the way that needed some tuning. And so my big takeaway, I think, is how the business of security has kind
of seeped out of the traditional and stovepipe InfoSec channels and spread across this entire
business in ways that I had not anticipated. How so? How do you mean that?
Well, for example, we did two episodes on SD-WANs.
And what's interesting is that SD-WANs is kind of an interesting networking idea
until you realize in order to make it viable for the enterprise, you have to secure it.
And the only way to secure it really is with some version of the SASE model or Secure Access Service Edge.
So that's all security for this kind of interesting networking idea.
Right, right. Yeah, I see your point. Now, my recollection is that you made a similar argument
about containers and serverless functions as well. That's right. And how these two ideas are
key components to the now 10 years old DevOps movement. But until the security professionals
squeeze into the discussion
and make it truly DevSecOps,
we're not going to make the enterprise more secure.
Yeah, I remember you saying that.
I also remember that you were talking about
how we might all start focusing on SOAR.
Now, just back up for a second.
What does SOAR stand for?
Yeah, I know.
I have to look it up every time I see the acronym. It stands for Secure Orchestration Automation and Response. And for those tools,
the immediate benefit was to automatically eliminate the tier one noise coming into the SOC.
You know, all these security stack devices generate all these alerts. And so we could
automate that process of handling them. But SOAR tools can do so much more than that, you know, and they can be used by the InfoSec teams to create their own
infrastructure as code projects for more efficiency and more speed.
So in order to make security a priority that goes across the entire business and not just have it be
technical silos, you know, buried underneath the CIO's organization.
Where should the chief security officer sit in terms of authority within the organization?
Well, for sure, the industry has no consensus answer to that point. But from talking to our
subject matter experts around the CyberWire's hash table, most feel the best practice for the
chief security officer is to be an
essential member of the organization's C-level leadership team.
Yeah.
Well, it's good stuff, Rick.
What's coming up next?
What do you have in mind for the next season?
Well, we've begun work on season four, and your listeners will be able to start hearing
those episodes appear somewhere in the week of January 11th.
In the meantime, sir, happy holidays to you.
And I guess I will talk to you next year.
Happy holidays to you too, Rick.
It's been a real treat having you join us this past year.
And I'm looking forward to what's to come.
Excellent. Thank you, sir.
And joining me once again is Betsy Carmelite. She is a senior associate at Booz Allen Hamilton.
Betsy, it's great to have you back on the show. You and I have been going through some of the highlights of the 2021 Cyber Threat Trends Report
that you and your colleagues at Booz Allen Hamilton have released.
And I wanted to touch base on one of the things that was in there.
You touch on this notion of intelligent cybercrime,
the bad guys making use of things like artificial intelligence, evasion, things like that. What can you share with us there? Here we're looking at how
threat actors will use the same artificial intelligence that nearly all industries use
to revolutionize services, to develop AI-based tools to build malware that can reliably defeat
AI-based security solutions. So we see this as indeed the
next step in intelligent cybercrime for threat actors to remain undetected. In cybersecurity,
one of the most significant advances in AI has been in malware detection. So that's where we
move into this idea of evasion. Among the most mature of these AI security solutions is the use of machine
learning algorithms and antivirus engines. Malware developers have really sought to stay a step ahead
of the static signatures used in AV engines. They use tactics like polymorphic or self-modifying
malware, and that's led to exponential growth in the samples of that malware observed in the wild.
One of the most powerful tools in detecting this rise of previously unobserved malware
is the AI-based antivirus engine.
So the premise here is that we think threat actors will turn their sights on AI-enabled tools
to aid their malware development process.
For instance, incorporating AI-enabled tools to finalize malware payloads before use, like
encoders, packers, obfuscators used today.
We've seen some researchers demonstrate tools that can be used to defeat really the most
advanced AV systems.
So the takeaway here is that threat actor use of AI means that antivirus will
be less effective against malware that can be modified and difficult to detect. So really
beneficial if you're the attacker. Well, I mean, let's talk mitigations then. I mean, is it defense
in depth? You know, some of the old things. What are you all recommending from that point of view?
Yeah, really defense in depth
to limit these threats of malware payloads
specifically designed to defeat AI.
Organizations should implement a defense in depth strategy
to disrupt these attacks elsewhere in the kill chain.
We're looking at hardening internet-facing infrastructure,
again, training employees,
which can limit the likelihood of successful delivery.
Network security tools such as IDSs can be used to detect command-and-control traffic. The actual threat is targeting the underlying data models and associated intellectual property of creating the AI services.
We're concerned around that secret ingredient in the AI services not really being the algorithms, but the data used to build that trained model capable of producing true positive results.
So if that's stolen, basically you steal the model
and you save yourself the trouble of building it. Organizations really need to treat
and think of AI models as proprietary intellectual property
and protect them as they would any proprietary software.
Wow. Yeah, that's an interesting insight for sure.
All right, well Betsy Carmelite, thanks for joining us.
Thank you, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
The quicker, picker-upper.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio,
Thanks for listening. We'll see you back here tomorrow.