CyberWire Daily - An old Facebook database handed over to skids (and it’s a big database). APTs look for vulnerable FortiOS instances. Cryptojacking in GitHub infrastructure. Risk and water utilities.

Episode Date: April 5, 2021

An old leaked database has been delivered into the hands of skids. (The news isn’t that the data are out there; it’s that the skids now have it. For free.) CISA and the FBI warn that APTs are scanning for vulnerable Fortinet instances. Cryptojackers pan for alt-coin in GitHub’s infrastructure. Holiday Bear may have looked for network defenders. Threats to water utilities. Johannes Ullrich explains why dynamic data exchange is back. Our guest is Mark Lance from GuidePoint Security tracking parallels between the SolarWinds attack and the RSA hack a decade ago. And a cyberattack snarls vehicle emission testing. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/64

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. An old leaked database has been delivered into the hands of skids. CISA and the FBI warn that APTs are scanning for vulnerable Fortinet instances. Cryptojackers pan for altcoin in GitHub's infrastructure. Holiday Bear may have looked for network defenders.
Starting point is 00:02:17 Threats to water utilities. Johannes Ullrich explains why Dynamic Data Exchange is back. Our guest is Mark Lance from GuidePoint Security, tracking parallels between the SolarWinds attack and the RSA hack a decade ago. And a cyberattack snarls vehicle emission testing. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 5th, 2021. Citing a Business Insider report, the Washington Post writes that 533 million Facebook users' personal information was dumped over the weekend to a hacking forum. The data is old and the leak isn't new. Facebook detected and fixed it in October 2019. But the concern is that the information is now in the hands of criminal skids who will be able to make a greater nuisance of themselves than usual.
Starting point is 00:03:31 So it's not a new breach, but the dissemination is now far wider and can be expected to appear in low-grade scams. What kind of scams and mischief? The Record lists the usual dreary mob: email or SMS spam, robocalls, extortion attempts. CISA and the FBI warned Friday that advanced persistent threat actors are scanning devices on multiple ports, looking to take advantage of multiple CVEs, and that it's likely the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks. All three vulnerabilities affect Fortinet's FortiOS. Patches are available for all three
Starting point is 00:04:17 vulnerabilities listed. The unnamed APT actors are scanning for unpatched systems that remain susceptible to exploitation. The advisory says it's possible that this activity represents staging for future data exfiltration or data encryption attempts. The FBI and CISA list the sorts of activity this kind of staging has historically been used to prepare. Distributed denial-of-service attacks, ransomware attacks, structured query language injection attacks, spear phishing campaigns, website defacements, and disinformation campaigns. The advisory adds, APT actors may use other CVEs or common exploitation techniques, such as spear phishing, to gain access to critical infrastructure networks to pre-position for follow-on attacks.
Starting point is 00:05:03 In addition to the obvious protective measures like patching and adding key artifact files used by FortiOS to your organization's execution deny list, the advisory is particularly concerned to recommend email security measures, such as consider adding an email banner to emails received from outside your organization, disable hyperlinks in received emails, and of course, focus on awareness and training. The phrase APT actor, as used in these advisories, commonly refers to a state-directed threat group. Betting on form, The Record points out that Iranian and Chinese threat actors, MuddyWater and APT5 specifically, have a record of pursuing Fortinet bugs. GitHub is dealing with the discovery of a cryptojacking campaign that was mining coin in the repository's own servers.
Starting point is 00:05:59 According to The Record, the crooks have been abusing GitHub Actions since this past fall. Actions is a feature in GitHub that allows automatic execution of tasks when a particular event takes place inside a GitHub repository. The attack works by, quote, forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a pull request with the original repository in order to merge the code back into the original. End quote. The original project owner doesn't need to approve the ill-intentioned pull request, so all the cryptojacker needs to do is file the request. The good news for users is that the attacks don't appear to be affecting their projects at all.
Starting point is 00:06:43 It's an attack on GitHub's infrastructure. CNN reported Friday that the Holiday Bear attackers who exploited SolarWinds last year paid particular attention, once their operation had begun, to the U.S. government security personnel charged with hunting down threats in federal networks. This suggests to some that the compromise may have been more than just overlooked and that the Russian operators may have been able to actively evade or impede U.S. efforts at detection and remediation. And that, observers speculate, is the significant news behind the compromise of U.S. Department of Homeland Security emails. The U.S. federal indictment of Wyatt Travnichek on charges
Starting point is 00:07:28 of illicitly accessing the Ellsworth County, Kansas, Rural Water District's computer system on March 27, 2019, has again raised concerns about the security of water utilities. Mr. Travnichek is alleged, Decipher explains, to have shut down the processes behind the facility's cleaning and disinfecting procedures. The accused hacker worked for the utility in 2018 and 2019, where part of his job was remotely logging into the facility's computer system to monitor the plant after hours. Water utilities have tight budgets and relatively small staffs. Note that it was a staffer and actual human being who noticed and stopped the attempt earlier this year to manipulate sodium hydroxide levels in the Oldsmar, Florida water system. That combination tends to drive economies that save on expensive labor, and these often involve indifferently secured remote access to control systems.
Starting point is 00:08:27 Wired says water systems are vulnerable and not getting any more secure, and their article deplores the tendency to look at electrical power as the only distribution system that presents serious cyber risks. That may be an overstatement, and the power grid certainly has problems of its own, so whatever additional security the attention may have brought hasn't been anything like a panacea. And finally, if you've been having trouble getting your car checked for compliance with emission standards, the fault may not be in the DMV, but in its software.
Starting point is 00:09:06 A cyber attack against vehicle emissions testing provider Applus Technologies, Bleeping Computer reports, has disrupted emissions testing in eight U.S. states. The problem is expected to continue through tomorrow, at least, and probably longer. Applus says it's working with law enforcement, but that it's too early to say more about the nature of the attack or whether personal data was exposed to compromise. Bleeping Computer speculates that the incident was a ransomware attack, but that it's a circumstantial judgment at this point. And if you're worried about being ticketed by the police for having an expired emissions test, Applus says it's reached out to police in the affected states
Starting point is 00:09:44 to let them know it's not your fault your vehicle missed its inspection. Hey officer, the software ate my carbon monoxide. Honest. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:10:22 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:56 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:11:51 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The SolarWinds attack has put a spotlight on third-party security risks, and one element people are pointing out is that third-party risks are nothing new. Mark Lance is former head of incident response at RSA
Starting point is 00:12:36 and now senior director of cyber defense at GuidePoint Security. He sees a strong similarity between the SolarWinds attack and the RSA hack from 10 years ago. Yeah, I mean, I would say that, you know, we see targeted attacks and have seen targeted attacks historically at a large scale and with advanced threat actors going on for, you know, obviously an extended period of time going all the way back to the RSA breach and prior. And so, you know, very specifically with what occurred with SolarWinds, which was this, you know, supply chain attack,
Starting point is 00:13:18 you know, this isn't necessarily the first time we've seen something like this. And so when you start taking into account trying to access somebody who is, you know, part of the supply chain or a vendor or somebody else, as opposed to targeting an environment directly. Again, it's, you know, it's something we've seen historically and was reminiscent of, you know, the RSA attack where, you know, RSA being breached and getting access to the data there was not necessarily specifically for the end result of trying to access RSA, but subsequently to attack other environments. And so, again, it's reminiscent from the sense that there is initial motivation to get into that specific environment, but predominantly for subsequent access into, you know, a larger target or more targets. Is it fair for folks to express some frustration that, you know,
Starting point is 00:14:14 10 years out or so from the RSA hack that here we are again? I think that, you know, this is something that is going to continue to happen. I mean, I think when you've got motivated attackers who really have an objective they're trying to accomplish, they're going to find a point within the supply chain or, you know, whether it's through a subsidiary or whether through a partner or vendor relationship, they're going to find a way in. So I would say that, you know, there can certainly be frustration in some of the qualities associated with the way that things are being secured. But I think overall, these attackers are very creative, especially when you're talking about, you know, your, you know, nation state sponsored actors that, you know, again, when they've got an objective, they're
Starting point is 00:15:15 going to find one way or another to get in. And it just, you know, happened to be that they were the ones that were impacted. And you would like to think that, you know, there are additional, you know, controls being put in place and things to prevent similar things from happening in the future. That's Mark Lance from GuidePoint Security. Thank you. suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute
Starting point is 00:16:38 and also the host of the ISC Stormcast podcast. Johannes, great to have you back. I want to touch base with you about some stuff that I know has caught your eye. This has to do with dynamic data exchange, sort of a legacy thing that's back. Explain to us what's going on here. Yeah, it's really one of those things where as a security professional, you're often distracted by the shiny new thing. But, you know, big reminder here, old stuff often still works.
Starting point is 00:17:08 And, of course, these days, whenever I sort of talk to people about what they recently got hit by, how they got infected with ransomware or whatever, one of the big themes that comes often through is, hey, a user clicked on an email attachment. Now, okay, we have a lot of anti-malware and filters set up that will specifically look for macros in Office documents. However, there's an older technology, Dynamic Data Exchange. It sort of predates macros. Back in the day when I was still young and full of energy in this business, I saw a bunch of these coming in. It was great back then because it ran itself without user interaction, and attackers loved it. But then of course Microsoft clamped down on it. It sort of now
Starting point is 00:17:59 works like macros: you have to give it permission. So attackers figured, hey, I have to go through the trouble of asking the user for permission. I may as well use these more modern macros, which allow for a lot more fancy exploits and such than the old DDE allowed. But then again, anti-malware apparently no longer really looks for all these old signatures.
Starting point is 00:18:23 And that's sort of standard housekeeping that these products do. They haven't seen a particular signature trick in a while, so to reduce some of the bloat in these products, they remove some of these old ones, but the attackers often go back five years, ten years, and try some of these old tricks again. Yeah, I mean, that's really the mixed blessing of Microsoft supporting these old legacy things.
Starting point is 00:18:49 I mean, I suppose on the one hand, it's good that if you need it, it's there. But like you often say, out of sight, out of mind, it can slip in past the detection, right? Correct, and we see this with other things too, like that famous Velvet Sweatshop password that Microsoft introduced way back in the day when they sort of had some very simple locked office document. Well, attackers still use it because
Starting point is 00:19:15 it still works to slip past some of these anti-malware tools and in the end, they just play the numbers game and hope that one of your users will click. Yeah. All right. Well, good advice as always. Johannes Ullrich, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:19:56 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The more you look, the more you like. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast which I also host. The subject there is threat intelligence and every week we talk to interesting Thank you. security teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Starting point is 00:20:46 Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:21:52 Learn more at ai.domo.com. That's ai.domo.com.
