CyberWire Daily - Accellion FTA compromise spreads. Ocean Lotus is back. LazyScripter seems to represent a new threat group. Notes from the SolarWinds hearings. New ICS threat actors.
Episode Date: February 24, 2021
As more organizations are affected by the Accellion FTA compromise, authorities issue some recommendations for risk mitigation. Ocean Lotus is back, and active against Vietnamese domestic targets. LazyScripter is phishing with COVID and air travel lures. SolarWinds hearings include threat information, exculpation, and calls for more liability protection. Turkey Dog is after bank accounts. Joe Carrigan ponders the ease with which new security flaws are discovered. Rick Howard speaks with our guest Michael Dick from C2A Security on Automotive Security. And some new ICS threat groups are identified. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/36
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
As more organizations are affected by the Accellion FTA compromise,
authorities issue some recommendations for risk mitigation.
Ocean Lotus is back and active against Vietnamese domestic targets.
LazyScripter is phishing with COVID and air travel lures.
SolarWinds hearings include threat information, exculpation, and calls for more liability protection.
Turkey Dog is after bank accounts.
Joe Carrigan ponders the ease
with which new security flaws are discovered.
Rick Howard speaks with our guest Michael Dick
from C2A Security on automotive security.
And some new ICS threat groups are identified.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 24th, 2021. Canadian aircraft manufacturer Bombardier yesterday disclosed that it had suffered a limited data breach accomplished through a third-party file-sharing application.
Some personal and other confidential information relating to employees, customers and suppliers was compromised, the company said.
Bombardier didn't identify the third-party application through which the breach was accomplished, but others have called it
Accellion's FTA. ZDNet and The Register both report that the Clop ransomware gang posted
what appear to be Bombardier-designed documents on its leak site. A joint advisory from authorities in Australia, New Zealand, Singapore, the UK, and the US outlines the risks of the Accellion FTA compromise and recommends risk mitigation measures:
temporarily block internet access to and from any systems that host the software,
check for evidence of malicious activity,
and especially for the indicators of compromise included in the alert,
consider auditing FTA user accounts for unauthorized changes,
reset security tokens on the system,
and upgrade to the latest version of the Accellion product.
FTA is going to reach its end of life at the end of April.
CISA and its partners point out that migrating away from FTA before it gets to that point would be a good idea.
Amnesty International reports that Vietnam's Ocean Lotus cyber intelligence group
is surveilling dissidents in a renewed spyware campaign.
The spyware comes in Windows, Android, and macOS variants, and Amnesty's security lab
says the tool allows full monitoring of a compromised system, including reading and writing files
or launching other malicious programs.
Researchers at security firm Malwarebytes are tracking a new threat actor
they're calling LazyScripter that's targeting airlines and job seekers with malware-laden
phishing documents. In a report released this morning, Malwarebytes says the threat actor is
using the Octopus and Koadic RATs, as well as LuminosityLink, RMS, Quasar, njRAT, and Remcos against its targets.
They're treating the group provisionally as a new player, despite some similarities between
its tactics, techniques, and procedures, and those used by other groups. LazyScripter uses GitHub to
host its malware. The group deleted two of its GitHub accounts in January
and then created a new one on Groundhog Day, February 2nd. LazyScripter prefers to embed its
malicious executables in icons purported to be PDF, Excel, or Word files, as opposed to using
malicious office macros. The threat actor seems to have begun its operations in August of 2018.
It began by phishing people seeking to immigrate to Canada by offering them access to job-seeking
programs. That continued until January of 2020, when the phish bait changed to the shinier lure
of COVID-19 themes. Most recently, this past November, the group began to target the International Air
Transport Association and those airlines that use BSP-Link software to access IATA's billing
and settlement plan. That particular interest may be an enduring one. Malwarebytes says this
particular finding indicates that this actor is constantly updating its tool sets to target new systems
developed by IATA. So who exactly is LazyScripter? Russia's APT28 and Iran's MuddyWater
espionage groups are both known to have used the Koadic trojan, but in itself such
circumstantial evidence is less than dispositive. The researchers believe the
differences between the two groups are significant enough to warrant LazyScripter being tracked as
a new threat actor, and they don't attribute the activity to any particular nation-state.
For one thing, LazyScripter relies on a number of open-source tools,
while MuddyWater has shown a strong preference for bespoke malware.
Yesterday's hearings before the U.S. Senate Select Committee on Intelligence outlined the scope of the SolarWinds hack.
Reuters characterizes the testimony of the four companies who appeared, SolarWinds, Microsoft, FireEye, and CrowdStrike, as apologetic for their handling of the incursion.
Seeking Alpha reports that CrowdStrike singled out Microsoft Windows' antiquated authentication architecture as enabling the cyber espionage campaign.
According to MarketWatch, Microsoft itself reiterated its belief
that the Russian operation involved over a thousand software engineers.
NextGov says SolarWinds recommends more liability protection,
suggesting that it found information sharing difficult
because companies fear being exposed to litigation
and that incident response would have proceeded more happily and effectively
without fear that collaboration with other organizations might get them sued.
It's worth noting, as others have
pointed out, that information sharing has for some time been protected by the Safety Act,
and especially the Cybersecurity Information Sharing Act of 2015. There's certainly litigation
over data breaches, and SolarWinds no doubt has considerable exposure, but it's not clear how
information sharing especially contributes to the famous rapacity of the plaintiffs' bar.
RiskIQ reports on the activities of Turkey Dog,
a criminal operation that's targeting Turkish-speaking victims
with the Cerberus and Anubis banking trojans.
Turkey Dog's interests are obvious.
It's into fraud and banking account looting.
ICS security shop Dragos this morning released its annual report
on industrial control system security.
Among its general conclusions is that there's still only limited visibility
into industrial control systems,
and that detection, triage, and incident response
remain difficult to execute, and especially difficult to scale.
One of their specific findings has attracted attention.
Dragos analysts have identified four distinct new ICS activity groups that are principally
interested in the energy and manufacturing sectors. They call these groups Kamacite, Stibnite, Talonite, and Vanadinite.
Of these, Kamacite is particularly interesting.
It's been working with the GRU's Sandworm unit against electrical power grids.
Kamacite seems to have served as an access team for its GRU colleagues.
And finally, speaking of ICS security, CISA yesterday issued three
advisories for industrial control systems, one addressing Rockwell Automation systems, two for
systems from Advantech. Those advisories come with remediations. If you operate those systems,
by all means, take a look.
The CyberWire's own chief security officer, Rick Howard, has been talking to experts about
automotive security in terms of the near future of 5G and autonomous cars. Here's Rick.
Michael Dick is the CEO of C2A Security,
an Israeli company that provides the automotive industry with end-to-end, in-vehicle cybersecurity protection.
Hi, this is Michael Dick speaking.
I asked him about the history of cybersecurity
in the automotive industry.
Traditionally, what's happened is that the cars, you know, were designed on technology
that was available 40 years ago.
CAN bus technology, for example, is one of the networks that runs in vehicles today.
CAN bus was developed, was invented by Bosch 40 years ago.
They never thought in those days about security and so much software and all this type of stuff.
And as time has gone on, they've added on more computers. Any new feature that comes into the vehicle, they add another computer.
Today, in a car, they call them ECUs, electronic control units. Like a high-end vehicle, you might have 200 ECUs, 200 computers in the vehicle,
because every new feature is a new computer that they put in to be able to control that new feature.
As with many business sectors, the automobile industry layered on new features and enhancements incrementally.
You know, it's becoming patch on patch on patch.
It's like, you know, what software developers will call spaghetti code.
There's so many wires and computers and it's becoming impossible for them, for the car
manufacturers and generally for the industry to manage this on this way.
You know, you can't take an old architecture and just keep on patching it for more and
more and more features.
Eventually, it just becomes, you can't manage it anymore.
But Michael does say that there has been some movement in a new direction.
So there's a lot of discussions now and developments on new architectures for vehicles.
Zonal type architecture, much fewer ECUs, much stronger computers
running multiple things in the vehicle.
But what's clear is that our very notion
of just what a car is
will fundamentally change.
Instead of it being a mechanical device
dependent on the human to control it
in some analog fashion,
it is moving towards becoming
a completely digital software platform on wheels
with high-end entertainment systems and a sensor package that is equivalent to a current-day F-35 jet fighter.
Yeah.
I've heard some people say that it's a mobile phone on wheels.
But I think as time goes on, the vehicle is becoming less and less mechanical.
From a software perspective, obviously, it's becoming more and more complicated and it's becoming like a software-defined vehicle.
In terms of security, we are just starting to see the automobile industry
begin to grapple with the same problems that their traditional
and stationary enterprise counterparts have been wrestling with for 25 years.
You know, you'll have, for example, firewalls in big businesses.
And it just goes without saying that you'll have some type of a configuration system
where you'll be able to, you know, you've got a new user, you want to open a port,
you need to do reconfiguration because there's some security violation, whatever it is, these
automatic configurators will allow you to do that and to deploy the software to the
endpoints that are needed, etc., all automatically.
We're going to have to do the same thing for vehicles.
They're going to become sophisticated software on wheels. We're seeing companies that are offering the automotive
ecosystem, as you described.
They're offering services.
They say, oh, we can run this for you.
We can put a big team together that will be able to configure everything and make sure
that everything's safe on an ongoing basis, et cetera Which is, the car manufacturers are not used to this.
They don't have departments that are doing this.
They don't have tens of people that are doing this.
They're used to having one.
And you all thought managing and securing cloud environments was hard.
Doing it with a fleet of moving vehicles adds a nice little wrinkle to this already complex job
of securing things and still allowing them
to be useful. As Sir Austen Chamberlain said in 1936, describing a Chinese curse that he
totally just made up, may you live in interesting times. Indeed, sir.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute, also my co-host
on the Hacking Humans podcast. Hello,
Joe. Hi, Dave. How are you?
Doing well, thanks. There's an interesting article that came by from the MIT Technology Review
written by Patrick Howell O'Neill, and it's titled, Google says it's too easy for hackers
to find new security flaws. What's going on here, Joe?
Well, the article sounds like they're complaining about how easy it is for hackers
because of tools or something, but it actually isn't that at all. It's actually because of
development practices. And they talked to Maddie Stone, who works at Google's Project Zero, and
they're talking about, she's talking about some vulnerabilities that were discovered in
Internet Explorer and how these vulnerabilities were discovered. They were all zero-day
vulnerabilities, but the first one was discovered in September of 2019. And once that one was
patched, there were subsequent discoveries in November of that year, January and April,
the following years, and at least five zero-day vulnerabilities being exploited from the same
bug class in short order. And further down in the
article, there's a quote from a man named John Simpson who works at Trend Micro who says,
in the worst case, a couple of zero days that I discovered were an issue of a vendor fixing
something on one line of code and literally on the next line of code had the exact same type
of vulnerability and they didn't bother to fix it. So what we're seeing
here is that people write code, right? And those people have coding practices.
So if you're doing something in code and you are doing it wrong, chances are that's a skill error,
right? A defect in skill, not necessarily a defect in coding.
So if that coder continues to write that way,
that error is going to exist all over that application.
It's not just going to be in one place.
And that's kind of the crux of this article.
The article also focuses on patching these vulnerabilities.
Simpson from Trend Micro says, we can talk till we're blue in the face, but if they're not doing the patch management, the patch updates properly,
if they're just going in and fixing the one bug and not looking or doing a code audit for all the other bugs that might be in there, they're never going to find them.
I think the problem is multi-layered here. First off,
the development problem is what is the root of this. There are studies out there that show
when you have a defect in code, the cheapest time to fix that is before you start doing
integration testing. And software is so complex these days. Software is remarkably complex.
So many dependencies. Yeah, exactly. Not only is it complex, but we build software and we rely on tons of other libraries that we don't control as well.
Yeah, I mean, these libraries are like Lego blocks, you know, putting together your software.
And it makes total sense to use them.
Yeah, absolutely.
I've seen people say it's impractical to do it any other way at this point.
But with that convenience
come certain vulnerabilities.
Well, that's an excellent point, Dave.
There really is no way
to build a large software program now
from the ground up.
I mean, I guess you can,
but it is very expensive
and it's a lot faster and cheaper to use the libraries that are already existing.
Yeah, yeah.
What do they get at here in this article in terms of mitigation or solutions to this issue?
Any suggestions that come out?
Dave, actually, at the end of the article, they talk about Apple,
who had some zero days in one of their iMessage phones. And instead of
narrowly approaching the specific vulnerability, the company went into the guts of iMessage,
they say. So essentially, it sounds like they did a full code review of the project to address these
fundamental structural problems that people were exploiting. That's probably what has to happen
for these projects
that are vulnerable, particularly with Internet Explorer. You know, Microsoft, this was a problem
that Microsoft had back in the 90s and the early 2000s, is that they were not really regarded as a
company that was good at security. I think that's changed. I think Microsoft does a much better job now,
but they still have that holdover from the Internet Explorer, which was just
never a really good browser, but it had a huge market share. Yeah. Yeah, but comparing Internet
Explorer to Apple's iMessage is not really a fair comparison. You're comparing Apple's to Microsoft's here. That's a pretty good joke.
Feel free to use that one. iMessage is probably a very small code base compared to Internet Explorer.
Internet Explorer is originally based on Mozilla, which was like Microsoft didn't own that to start
with. And it's a large, complicated program as opposed to a simple program that just sends you
messages and does end
to end encryption. And maybe that's the way we should go in the future is we don't build these
large monolithic programs anymore. We build small programs that do little things for us and the
users just collect these small programs and hopefully the small programs are more secure.
And give them the ability to maybe
interact with each other in a secure way. Yeah, absolutely. Much like Linux, the whole
*nix architecture, what they call Taco Bell programming, where you essentially use the
operating system and all the operating system tools to build functionality that you would have
to write code for in other operating systems.
Right, right. You have a limited set of ingredients, but with those, you can make many,
many different delicious food items. Exactly, yes.
All right. Well, again, the article's from the MIT Technology Review. It's titled,
Google Says It's Too Easy for Hackers to Find New Security Flaws.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.