CyberWire Daily - China gets in on the SolarWinds act. More SolarWinds vulnerabilities disclosed and patched. Abuse of lawful intercept tech in South Sudan. BEC phishes for gift cards. Parasitic card skimmer found.
Episode Date: February 3, 2021
It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds to steal data from a US Government payroll system. The presumed Russian intrusion into SolarWinds may have been going on for nine months or more. Three new SolarWinds vulnerabilities are disclosed and patched. Amnesty accuses South Sudan of abusing intercept tools. BEC compromise is involved in gift card scams. Joe Carrigan has thoughts on opt-in privacy policies. Our guest is Dale Ludwig from CHERRY on USB attacks and hardware security. And carders steal from other carders. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/22
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds
to steal data from a U.S. government payroll system.
The presumed Russian intrusion into SolarWinds may have been going on for nine months or more.
Three new SolarWinds vulnerabilities are disclosed and patched.
Amnesty accuses South Sudan of abusing intercept tools.
BEC Compromise is involved in gift card scams.
Joe Carrigan has thoughts on opt-in privacy policies.
Our guest is Dale Ludwig from Cherry
on USB attacks and hardware security.
And carders steal from other carders.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, February 3rd, 2021.
Reuters reports that the FBI's investigation of the SolarWinds supply chain attack is looking into evidence that Chinese threat actors successfully exploited a vulnerability
in the company's software to compromise the National Finance Center,
a payroll system operated by the U.S. Department of Agriculture.
The Department of Agriculture's reaction to the story is ambiguous. The Agriculture Department emailed Reuters to say
that USDA has notified all customers, including individuals and organizations, whose data has
been affected by the SolarWinds Orion code compromise. But a second departmental spokesman said after the story broke
that there was no data breach related to SolarWinds at USDA,
but offered no further clarification.
The vulnerability the Chinese threat actors are believed to have exploited
is said to be different from the one used by UNC2452,
the threat actor widely believed to be a Russian intelligence service.
Reuters' anonymous sources told them that the campaign used tools and infrastructure
that had been previously deployed by state-backed Chinese cyber spies.
As the Washington Post observes,
many had suspected that another group was also actively exploiting SolarWinds,
but Reuters' report is the first to suggest
that this second threat actor was connected to the Chinese government. The Chinese foreign ministry
denied any involvement, observing first, and in fairness correctly, that attribution is a complex
technical issue. The ministry then moved on to unlikely insistence on the usual pieties.
"China resolutely opposes and combats any form of cyber attacks and cyber theft."
It's doubtful that any government on the planet, even, say, the Holy See or San Marino,
resolutely opposes any form of cyber attack unless cyber attack is construed so narrowly as to rule out any form of interception, surveillance, or retaliation.
If any pure cyber pacifists are running any government, it's doubtful that government is in Beijing.
Some have said that major cyber attacks are often more like riots than bank jobs,
with multiple actors going after the same targets for their own reasons.
Reuters quotes former U.S. Chief Information Security Officer,
retired Air Force General Gregory Touhill,
who thinks it's not that unusual for more than one group to hit the same product.
He prefers the racing metaphor to the criminal one.
Quote, "It wouldn't be the first time we've seen a nation-state actor surfing in behind someone else. It's like drafting in NASCAR."
While the National Finance Center is housed in the Department of Agriculture,
its responsibilities aren't confined there.
The NFC also handles payroll for other government agencies.
Some of the more interesting ones from the point of view of national security are the FBI, the State Department, the Department of Homeland Security, and the Treasury Department.
The NFC claims on its website to payroll more than 600,000 employees.
It also provides customizable and flexible financial management services, and integrated shared service solutions.
The data held by the NFC would include social security numbers, phone numbers,
personal email addresses and banking information,
and also associations between individual employees and their agencies.
Such information is useful for building human target dossiers of individuals of interest,
and Chinese services have shown an appetite for such sweeping collection in the past,
against the U.S., most notably in the Office of Personnel Management breach of 2015.
According to the Wall Street Journal, SolarWinds is still investigating to see how the attackers,
the presumed Russians in particular,
gained access to the company's networks. One of the going theories is that they got in by compromising SolarWinds' Microsoft 365 accounts. They appear to have compromised one of the company's Office 365 accounts in December of 2019 and then were able to pivot into others. All told, they were probably lurking, as the Journal puts it, in SolarWinds' email systems for nine months or more.
There have been other discoveries related to SolarWinds. Security firm Trustwave has identified
three additional vulnerabilities in SolarWinds products. The researchers say the vulnerabilities
are severe
and should be addressed as soon as possible, but that they've seen no evidence of exploitation in
the wild. Two of the vulnerabilities were found in the Orion platform. The third was discovered
in SolarWinds' Serv-U FTP for Windows. SolarWinds has patched all three of these and done so in what Trustwave calls
a very timely manner. The researchers have not released proof-of-concept code for exploits
because they don't wish to give threat actors a head start on patching. But if you're a SolarWinds
user, don't delay in applying the patches. Trustwave will release proof-of-concept code next week, on February 9th.
Amnesty International reports that the government of South Sudan
obtained Verint Systems communications intercept tools between 2015 and 2017.
According to Amnesty's report, South Sudan's National Security Service
has been abusing the technology to keep journalists, critics, and dissidents under
surveillance.
BigNox contacted us today to say that they'd reached an agreement with security firm ESET to address the selective exploitation of BigNox's NoxPlayer Android emulator that ESET found and disclosed. That exploitation was used in what appears to have been a cyber espionage campaign.
BigNox and ESET intend to work together on the security issue and will provide further information as it becomes available.
Microsoft warns of a spike in business email compromise scams
soliciting gift cards said to be intended for K-12 teachers.
If you get an email from some elephant in your organization
asking you to go ahead and buy a gift card for a teacher online,
just put your hands in your pockets and walk on by.
Virtually.
If you'd like to express your appreciation to a teacher with a gift card,
we suggest going to the store and buying one
and then leaving it on the teacher's desk.
An Apple gift card would be a nice gesture toward tradition.
And finally, Bleeping Computer reports that criminals are stealing paycard data
from other criminals who skimmed them using Magento.
It's a piggyback skimmer that quietly rides on top of Magento instances.
There's no honor among thieves.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
Most of the discussion around cybersecurity these days is focused around software and services, which makes sense.
But what about the actual physical devices we use every day
to interact with our computers?
And in particular, what about devices that find themselves
in challenging environments, industrial or medical?
Dale Ludwig is business development manager at Cherry Americas,
a global provider of these types of devices, and he joins us today.
Dale, welcome to the CyberWire.
Thanks for having me.
So let's start off with just some descriptive stuff here.
I mean, when we're talking about the security issues
of these devices that we use every day,
these input devices, which is right in the center
of your wheelhouse, what are some of the things
that you all are concerned with on a daily basis?
Yeah, so the transformation of these markets from the shift to remote work or remote school atmosphere that we're now in.
So unfortunately, this transformation opens up new avenues for cyber threats
and expands the attack surface.
So when it comes to something like a keyboard,
which I think is something most of us interact with every day
but probably don't put a whole lot of thought into the security aspects of it,
what's the spectrum of things that are available
to help secure that keyboard-computer interface?
Yeah, so one of the worst things
that persists in this environment
is access to the USB port on your computer.
And with roughly 3 billion USB devices
shipped every year,
and really the beauty and efficiency
of the USB device
is that you can connect anything to it and you expect it to function.
But unfortunately, there's a cost to that, that ability to connect any device.
But USB gives some vulnerabilities because of that.
It's an inability to verify the devices are what they claim to be.
So you have the possibility for USB devices to change their type or introduce additional sub-devices while being plugged in. And they can create software attacks through malware, which then you've got keyloggers such as a Rubber Ducky or a BadUSB, these types of devices which reprogram your USB device and really cause it to act as a human interface device or a keyboard.
And so our device goes after that channel and really shuts that access point down.
Now, what about devices that find themselves in more challenging environments
than, say, your typical office environment or your home office?
Things that are in industrial situations, things that are in medical situations.
These are devices that you all provide as well.
Are there specific security issues when it comes to putting devices like that in those environments?
Yeah, absolutely.
And both of the features on this keyboard address those.
And, you know, with HIPAA requirements and in medical manufacturing facilities, there are issues about who do you want to operate a piece of machinery.
So obviously controlling access to applications
or even a machine is important.
So we incorporate contact and contactless readers
into this keyboard and then back that up
with the encryption using the TLS protocol.
All right.
Well, Dale Ludwig is Business Development Manager
at Cherry Americas.
Dale, thanks so much for joining us.
Thanks. Appreciate the time.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, over on Hacking Humans, we often talk about privacy issues
and how folks can best protect themselves.
This article from the Wall Street Journal I found interesting.
It's titled, Apple and Facebook trade barbs over privacy-focused business models.
What's going on here, Joe?
So Apple has said that coming this spring, they're going to allow their users to decide whether or not they will share something called their advertising identifier.
So they're actually going to make this what we have been asking for as privacy advocates for decades.
They're going to make this an opt-in thing.
So in other words, everybody always says, well, we make it so you can opt out. And nobody, of course, opts out. But Apple is changing the paradigm here. They're saying you're going to have to opt in in order to share your advertising identifier with companies like Facebook.
Yeah. So the default position will be to not be tracked.
Correct. Correct. And that's fantastic.
Right. Right. Of course, this has stuck in the craw of Facebook and Mark Zuckerberg. Zuckerberg has sought to cast this move as a means for Apple to use its platform to put Facebook at a disadvantage. And he says that
Apple's iMessage service is pre-installed on every phone and complained that Apple uses these tools
to put itself at the center of its users' experience. I want to tell Mark Zuckerberg
something because I know he listens to every word I say and he hangs on every word I say.
I'm sure. Yes, of course he does, Joe. That is why people buy Apple products, Mark.
That's it. They like the Apple experience and Apple puts the user experience at the center
of everything they develop. They do a really good job of that. As much as I don't like Apple and I don't use Apple,
their focus is the user. And it always has been, at least since they started developing Macintoshes.
It is remarkable to me. It looks to me like he's trying to make a comparison here between
iMessage and the old Internet Explorer monopoly complaints
from years ago, that Microsoft packages Internet Explorer with every operating system they sell,
right? I don't think that's going to fly either, because not only does Apple offer iMessage,
but you can still install other apps on your phone and use those as well. So it's not really a monopoly. There is no barrier to
entry. Well, who do you think needs each other more? In other words, if it came down to nuclear
options from either company, suppose if Apple were to say, hey, Facebook, your app can't be
in our app store anymore, or Facebook were to say, hey, Apple, if you don't ease up on this,
we're going to pull
our app from the App Store. Who do you think has the upper hand? That's a good question. I don't
know. I think that Apple has the upper hand here because the question is, that question is who's
going to leave whom, right? From the user perspective, who's going to leave? Now, you're
an Apple user, right? I am. I am indeed. But you're not a Facebook user, are you? I am not. So this is not
going to have any impact on you. The way I see this going is it's going to go one of two ways.
Either Facebook is going to say, okay, we're going to have to adapt to this and we're going
to have to target ads based on information that we collect from our apps only. Because rest assured,
Facebook is going to continue to collect
the information about everything you do
on every app they own.
On Facebook, on WhatsApp, on Instagram,
that's all going to be collected and correlated.
And there's not much that Apple can do about that.
All they're going to lose
is the insights into everything else
outside of their ecosystem that the user does that Apple would normally inform them about.
So they can either adapt to that situation or they can say to the Apple user community, in order for you to continue using our services, you must opt in to share your advertising ID with us or you can't use our services.
Now, that is not outside
the realm of possibility with Facebook. We just saw them do that with WhatsApp a couple of weeks
ago. Right, and they backed off. Yeah, they backed off because so many people fled to other apps like
Signal. Right. Well, good. And people should stay on apps like Signal and not use WhatsApp simply
because it is a Facebook property. But yeah, Facebook had
to back down from that, but I can see them doing that. And even if they don't, even if they back
down again, they're probably still going to get some people who just go ahead and do it.
I think that what would happen there is that this is a time, an opportunity, a market opportunity
for someone to start up a new social networking site that is to replace Facebook that doesn't target users as much. And since this privacy discussion has
come to the forefront, I think it's a good time for someone to strike while the iron's hot.
I'm not going to invest any money in it, of course, but other listeners are welcome to do that.
You have to stand by your convictions as long as it doesn't cost you anything.
That's right.
A couple of interesting points from this article.
A TAP research survey found that 85% of respondents said they wouldn't allow apps to track them if given a choice.
So chances are that Facebook is really looking at a hit here in how they target ads.
I do want to also say that Apple's not the golden boy here.
Tim Cook is using the events of January 6th as a touchstone for this privacy practice, and he's saying that we shouldn't prioritize algorithms that advance conspiracy theories
over privacy.
And I don't agree with that tactic, Tim.
I don't think you need to highlight this specific event in order to advance your agenda here. You should just have this agenda as part of your privacy policy. And in fact,
Apple has been planning on doing this for a long time. In fact, they were originally planning on
giving users the option to opt-in or making it an opt-in system back in fall of last year,
but they pushed that back. So this is not something that is a result of the events of
January 6th. It's been in the works for a while. I don't think that you need to use that. I think
that's a little bit of demagoguing on the part of Tim Cook. So, you know, I say take what he says as the reasoning with a grain of salt. But I think there are plenty of perfectly good and legitimate reasons to do this just because.
Yeah, yeah.
All right, well, the article is in the Wall Street Journal.
It's titled,
Apple Facebook Trade Barbs Over Privacy-Focused Business Models,
written by Tim Higgins.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Nothing runs like a deer.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.