CyberWire Daily - Codecov supply chain attack update. Babuk’s victim service. Catphishing in LinkedIn. Sanctioned company responds. SolarWinds, Exchange compromise TFs stand down. 5 Eyes notes. IoT risk.
Episode Date: April 20, 2021
Update on the Codecov supply chain attack. The Babuk gang says they’ve debugged their decryptor. MI5 warns of “industrial scale” catphishing in LinkedIn. Positive Technologies responds to US sanctions. The US stands down the two Unified Coordination Groups it established to deal with the SolarWinds and Exchange Server compromises. Are all Five Eyes seeing eye-to-eye on China? Ben Yelin explains the legal side of the FBI removing webshells following the Microsoft Exchange Server hack. Our guest is May Habib from Writer on how the AI is helping the security industry with outdated and problematic terminology. And, psst: your kitchen appliances are a bunch of sellouts...or something. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/75
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Update on the Codecov supply chain attack.
The Babuk gang say they've debugged their decryptor.
MI5 warns of industrial-scale catfishing in LinkedIn.
Positive Technologies responds to U.S. sanctions.
The U.S. stands down the two unified coordination groups it established
to deal with the SolarWinds and Exchange Server compromises.
Are all five eyes seeing eye-to-eye on China?
Ben Yelin explains the legal side of
the FBI removing web shells following the Microsoft Exchange server hack. Our guest is May Habib from
Writer on how AI is helping the security industry with outdated and problematic terminology.
And by the way, your kitchen appliances are a bunch of sellouts or something.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, April 20th, 2021. Reuters said late yesterday evening that the Codecov supply chain attack
may have affected several hundred of the software company's customers' networks,
with other software development vendors attracting particular attention,
along with companies that themselves
have a large customer base. It's unclear whether the attackers are ordinary criminals or threat
actors working on behalf of a nation-state. Sometimes the hoods need good PR too. In this
case, the goons behind Babuk have reached out to journalists, GovInfo Security among them,
to say that they've fixed
the buggy decryptor Emsisoft researchers embarrassed the Babuk gang about shortly
after the attack on the Houston Rockets professional basketball team. Emsisoft,
which first noticed earlier this month that the Babuk decryptor didn't work,
is looking into the gang's claims to have fixed the problem. Skeptically, of course,
since stumblebums have difficulty changing their skids. It's an odd sort of customer service problem. Your
victims may not bother to even consider paying the ransom if the decryptor you send them is garbage.
Britain's MI5 warns of widespread industrial-scale catfishing campaigns in progress over LinkedIn, as espionage
services approach government workers through fictitious profiles. At least 10,000 British
personnel are thought to have been prospected, the BBC reports. There are a few lessons here.
First, intelligence officers continue to try to recruit agents, and they often do so with a
personal approach intended to gradually
establish a relationship that will eventually induce the agents to do things they know better
than to do. Today, that approach is more likely to be made online than it is IRL, as the kids say,
and a catfish, a fictitious persona, is likely bait. So don't get hooked, and don't connect
with people you've never encountered.
And please hold off on asking people you've never met to connect.
You're just tossing more chum out there for the catfishers to hide their bait.
Positive Technologies, the well-known Russian security firm sanctioned last week by the U.S.
Treasury Department for what the U.S. government regards as excessive closeness
to Russia's SVR and other intelligence organs,
on Friday issued a statement characterizing
Treasury's accusations as groundless.
Despite the fact that we are not a public company,
the market evaluates our capitalization as high,
several billion dollars, the company says,
which as far as we can tell is true enough.
Their statement adds, this demonstrates the level of interest in our technologies and a serious
level of trust in the company, which is also fair enough. To maintain this trust, Positive
Technologies says, we adhere to the principles of maximum openness at all levels of our activities,
from research to business, including the company's financial statements.
And they point to their Positive Hack Days as an example of their open engagement
with the global security community.
The U.S. Treasury Department, for its part,
sees Positive Hack Days as effectively recruiting events for the FSB and the GRU,
occasions the Russian intelligence organs used
to spot talent. Positive Technologies had been a partner in the Microsoft Active Protections
Program, known as MAPP, which is more evidence that the company had indeed enjoyed a good reputation
in the industry. Redmond describes MAPP as a program for security software providers that gives them early access to vulnerability information
so that they can provide updated protections to customers faster.
Positive Technologies is no longer a partner.
Microsoft has, SecurityWeek reports, removed them.
The U.S. government has decided to stand down the task forces established to deal with the SolarWinds incident attributed to Russia and the Microsoft Exchange server compromise attributed to China.
Deputy National Security Advisor for Cyber Neuberger says,
Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling
further responses through standard incident management procedures, end quote. The U.S. will
maintain what Neuberger describes as a whole-of-government approach to these incidents
and others that may emerge. She cites four lessons learned from the response to the SolarWinds and
Exchange Server compromises. First, integrating
private sector partners at the executive and tactical levels. The active private sector
involvement resulted in an expedited Microsoft one-click tool to simplify and accelerate victims'
patching and cleanup efforts and direct sharing of relevant information. This type of partnership
sets precedent for future engagements on
significant cyber incidents. Second, CISA created and utilized a methodology to track trends in
patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident.
Third, through industry relationships and leveraging legal authorities, the FBI and DOJ quickly identified the scale of the incidents.
In the SolarWinds UCG, for example, scoping from a worst case of 16,800
to fewer than 100 targeted exploited non-government entities.
This enabled focused victim engagement and improved understanding
of what the perpetrators targeted from the larger set of exposed entities.
And finally, NSA and CISA released cybersecurity advisories that detailed adversary techniques
and provided mitigation for system owners.
NSA also provided guidance to other U.S. military and intelligence organizations,
as well as contractors in the defense industrial base.
Fleet Street has been barking at New Zealand,
arguing that Wellington has decided to stiff the other four eyes in order to pursue closer relations with China.
That's according to a representative article from The Telegraph.
New Zealand's Foreign Affairs Minister Nanaia Mahuta, Newshub says,
is simply concerned about the possibility of the Five Eyes remit being extended beyond security and that it declines to fully align itself with the other eyes' interest in cooperating on the strategic containment of Beijing.
And finally, hey everybody, your air fryer is trying to kill you.
Maybe.
So you're trying to cook healthy since there are no trans fats in, like, air.
And after all, who among us shouldn't be trying to up their game health-wise?
And all of a sudden, blammo, the appliances are all conspiring against you.
All right, maybe we're exaggerating a bit. Anywho, researchers at Cisco
Talos have found remote code execution vulnerabilities in the Cosori Smart Air Fryer.
Talos describes the Smart Air Fryer as a Wi-Fi-enabled kitchen appliance that cooks food
with a variety of methods and settings. Users can also use the device's Wi-Fi features to start and stop cooking,
look up recipe guides, and monitor cooking status. The model Talos tested is the Cosori
Smart 5.8-quart air fryer, version 1.1, and the researchers say it could be exploited by sending
a specially crafted packet to the device that contains a unique JSON object, which would allow them to execute
arbitrary code. Tim Erlin, VP Product Management and Strategy at Tripwire, emailed us to say that
sure, there seems something risible about finding risk in a smart air fryer,
but like other Wi-Fi-enabled smart IoT devices, things like this come with problems.
Erlin wrote, quote,
it can seem like it's worth a laugh when vulnerabilities are found in these network-connected
smart devices, but the increasing ubiquity of connected devices combined with vulnerabilities
like these increasingly creates an attack surface with real risk, end quote. As Willie Sutton
followed the money, so too will threat actors follow the new technology.
Erlin goes on and says,
We've seen that with mobile devices, with cloud, and we'll see it with IoT as well.
Your air fryer or light bulbs might not be that interesting in and of themselves,
but they could provide a point of entry to other devices on the network.
So you try to shrink your waistline and you wind up expanding your attack surface. Go figure.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Flavor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
We often discuss how cybersecurity is tied to reputational security,
how being the victim of a data breach or ransomware event could affect how people trust your organization.
But what about the reputational damage that comes from communications,
either internally or public-facing?
There are long-used terms in tech that have,
for good reason, fallen out of favor, like blacklist or master-versus-slave hard drives.
May Habib is CEO of Writer, a company that's developed an AI writing assistant. It's kind
of like spellcheck or grammar check, but it also knows your company's rules and style guide and
can remind you when you might just be getting yourself into a little hot water. So we started
as a very engineering focused technology company with a tool for strings management. So basically
what that means is in software, there is user-facing content and copy. It's pretty hard to access.
And we made it very easy for engineers to basically give content people, you know, a file of all of
that content that they could then edit and it synced back to engineering. And we started
automating some of those types of suggestions that would be made because if you want to change username to
handle or backwards the other way, you kind of want to do that in a lot of different places.
And the AI really grew out of that and we added a lot more functionality around automatically
making content a certain way and doing that as a team.
So, you know, if I am writing for a sixth grade reading level,
having everybody who's working on content write to that same reading level.
And over time, we really built the ability to do that for longer form content.
And today, most of our customers are using Writer for product content, customer knowledge-based content, and marketing blog posts and product marketing.
What can you tell us about the security side of things?
I mean, I'm sure there are folks who get nervous about having things run through the browser, of having the writing that their folks are doing
being sent through someone else's system.
How do you contend with that?
That's a great question.
So we are in a lot of sensitive places.
So if you are a professional services firm
and you want all your proposals to your end clients
to be perfect,
you want writer in there perfecting folks' writing,
but you may also be
delivering an audit report that's got very sensitive information. And so we actually,
we're grounds up built for that use case as a B2B product. So there are a couple of things that are
really differentiating here. Number one, we're not saving anyone's data. So that proposal never
actually hits a writer server. And because of
that, you've got number two, which is we're not using customer data to train our machine learning
models. And that's, you know, absolutely pretty differentiating because for most customers,
for most products out there, you are the product. And, you know, anything you write in a browser per their terms of service is fair game for training materials.
And, you know, it will be stripped of personally identifying information if you're lucky.
But, you know, your data is still in somebody else's machine. And, you know, that's just not something that we do.
It does mean, you know, a huge effort on our part to build our own proprietary data sets that look and feel, you know, similar to our target audience, that we're not looking at what
people are doing. We're not even saving that in order to build those models.
That's May Habib from Writer.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Hello, Ben.
Hello, Dave.
So we recently had news of the FBI,
this is through some announcements from the Justice Department and elsewhere,
getting a warrant to reach out and touch some Microsoft Exchange servers,
remove some web shells here.
This is certainly, when news broke of this,
this caused some raised eyebrows around the cybersecurity community.
I wanted to touch base with you from a law and policy point of view.
What's your reaction here, Ben?
So I can certainly understand why it raised eyebrows
you have law enforcement gaining access to people's devices
without those people knowing that law enforcement
has gained access to their devices
but I think that law enforcement in this case
does have a proper justification
and the process they used to enable this access
is a legal process prescribed by Justice Department rules.
So just to give a little bit of background, as everybody knows, we had this big hack suspected to be from Chinese hackers of Microsoft Exchange servers across the country.
Microsoft has recommended in response to this hack that people install the latest security patches.
For whatever reason, there are people across the country,
maybe who don't have the type of institutional knowledge we do and our listeners have,
that they would just decide or not know
to download that security patch.
So the FBI was given approval
by a federal magistrate
to remove web shells left by hackers on hundreds of devices all across the country.
And this is obviously a very proactive step that law enforcement is taking.
It's a way of responding to this hack beyond just prosecuting the people that we think are responsible.
And they're able to do this because a few years ago, the Justice Department was able to pass an administrative rule internally where you could have a federal magistrate
authorize a warrant for devices all across the country. And one of the justifications for doing
so would be if there were devices in five or more states that were compromised by some
sort of computer crime, as has happened here. So they did get that approval from the judge,
and the FBI followed through and accessed people's Microsoft Exchange servers.
So obviously, I can understand why this rubs people the wrong way. It's the government getting access to our devices without our consent. But this is a legal process. And, you know, the purpose for conducting this operation
certainly is to protect the rest of the country from the effects of this Microsoft Exchange hack.
And I suppose we should take comfort here that they did have to go get a warrant?
Right. I mean, this runs contrast to some other circumstances we talk about, particularly in the name of national security, where the FBI uses warrantless authorities.
Maybe instead they obtain an administrative subpoena, which is a – you have to have a lesser standard to obtain such a subpoena. Maybe they're using some of our post-9-11 surveillance authorities
where they really don't need any judicial approval
to gain access to somebody's personal devices.
So I think we can take some comfort here that this is a process.
There is judicial review.
It's not just the FBI arbitrarily deciding to enter,
to go into people's devices arbitrarily. This is
part of a Justice Department process. So I think that has to be, even though I can understand why
the story rubs people the wrong way, I think it has to be understood in that context.
Yeah. Interesting too, in the press release from the DOJ, they're making the point that the FBI is making a good faith effort to reach out to everyone whose servers they have accessed here.
So, you know, basically sending them a heads up email.
Hey, guess what?
Yeah.
Which reminds me, we talked about this on Caveat, reminds me of the little note you get in your luggage from TSA when they've searched something.
Yeah, I kind of have the same reaction that I have
when I get those TSA notices where it's like,
okay, you already looked at my bag.
I mean, there's not much I can do about it now.
I guess that's a consequence of flying.
It might be a little different here because I think you assume a certain level of risk
that your stuff is going to be searched
when you decide to fly on an airplane.
I guess by owning a device in this country
and by using Microsoft Exchange servers,
you are also assuming a type of risk.
I don't think this authority is very well known to people.
So I think this is not a risk that most people knew they were taking on.
Perhaps now that the story is out, more people are going to recognize this risk.
Yeah, and of course the FBI is still investigating this.
They also make the point that if you feel as though you've been compromised
in this Exchange server incident, the FBI would like to hear from you so they can add that to their investigation.
Every little bit of evidence helps.
Yeah, just give them your social security, your mother's maiden name.
Now, now, Ben.
Oh, so cynical, Ben. So cynical.
I know. I know. I'm sorry.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik. Thanks for listening.
We'll see you back here tomorrow.