CyberWire Daily - Coups d’état and Internet disruption. Cyberespionage in the supply chain, again. SonicWall zero day exploited in the wild. Tracking criminal infrastructure-as-a-service. Data breach in Washington State.
Episode Date: February 2, 2021

Myanmar's junta jams the Internet. Operation NightScout looks like a highly targeted cyberespionage campaign delivered through a compromised supply chain. SonicWall zero day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the SolarWinds attack can be considered an act of war. Our guest Jamie Brown from Tenable on the National Cyber Director position and what it means for the Biden administration. Another data breach is associated with Accellion FTA. And it's Groundhog Day, campers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/21 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Myanmar's junta jams the internet. Operation NightScout looks like a highly targeted cyber espionage campaign delivered through a compromised supply chain. SonicWall zero-day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the SolarWinds attack can be considered an act of war. Our guest Jamie Brown from Tenable on the national cyber director position and what it means for the Biden administration. Another data breach is associated with the Accellion FTA. And it's Groundhog Day, campers.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, February 2nd, 2021.
The internet has gone down throughout much of Myanmar, CyberScoop reports. The reasons for the outage are unclear, but the overwhelming likelihood is that the outage is a deliberate takedown by the junta military leaders installed in Akutita over the weekend. Internet usage dropped by a good 75% Sunday, according to observations tweeted by NetBlocks, an NGO that operates an internet observatory. NetBlocks says, quote, the pattern of disruption indicates centrally issued telecoms blackout order, end quote. Internet jamming has become a familiar feature of the contemporary style of coup d'état. It's what seizing the newspapers would have been in 1850, what taking over the radio station would have been in the 1930s.

ESET researchers have outlined a recently discovered software supply chain attack that's inflicting surveillance malware on online gamers who use NoxPlayer, an Android emulator used mostly to play mobile games on PCs. The security firm says that several distinct malware strains are being delivered to users in the form of maliciously crafted software updates. Two of the strains in use are familiar: Gh0st RAT, which is a keylogger and collector of other sensitive information, and PoisonIvy RAT, which appeared as a secondary infection. The producer of NoxPlayer, Hong Kong-headquartered BigNox, told ESET that it hadn't been compromised itself and didn't avail itself of the help the boys and girls from Bratislava offered. The campaign shows no signs of monetization, which leads ESET to conclude that some form of espionage is the point of the effort. They're calling the campaign Operation NightScout. It seems to be a highly targeted campaign. ESET's telemetry told them that about 100,000 of their users had NoxPlayer installed, but of that group, only five were pushed a malicious update. The victims were in Hong Kong, Taiwan, and Sri Lanka. What the operators behind NightScout are after is mysterious. ESET said it was unable to find any correlations among the victims.
NCC Group reports finding evidence that the recently discovered SonicWall zero-day is now being actively exploited in the wild. They advise users to pay close attention to their logs. NCC Group is reluctant to share detailed indicators and warnings, but they suggest keeping an eye out for source IPs hitting management interfaces you would not expect. SonicWall says it expects to have a patch available today.
Microsoft has been tracking the emails sent by the criminal infrastructure represented by StrangeU and RandomU, which Redmond says is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. It's sending out about a million malware-carrying emails a month. The infrastructure seems to be filling the criminal-to-criminal market gap that the Necurs botnet takedown temporarily opened. Microsoft says this proves that attackers are highly motivated to quickly adapt to temporary interruptions to their operations. The infrastructure-as-a-service initially was seen delivering commodity malware, but since September it's risen in the criminal status system, having been adopted in September by both the Dridex and TrickBot operators.
The cyber espionage campaign associated with the software supply chain for the SolarWinds Orion platform remains under investigation, with post-mortems turning to fixes and might-have-beens. A Security Boulevard piece sketches an outline of third-party security programs. FCW reports that prospective Homeland Security Secretary Mayorkas promised to review upgrades of the department's Einstein system, and ProPublica wonders why the U.S. government shelved the in-toto system it paid for.
Vulnerabilities in Accellion software, exploited earlier against data belonging to New Zealand's central bank and the Australian Securities and Investments Commission, have now hit the state auditor of the state of Washington, compromising the personal information of more than a million and a half people who'd contacted the state about unemployment assistance. The state auditor is notifying victims and offering the usual sorts of help, like credit monitoring. Accellion says the vulnerabilities lie in an old legacy version of its product, Accellion FTA, that's now approaching end of life. The vendor says all known issues have now been patched and mitigation is underway. The incident has attracted a lot of attention from the security industry.
And finally, hey, hey, hey, happy Groundhog Day. The word from our Pennsylvania desk is that Punxsutawney Phil, in a socially distanced virtual ceremony from Gobbler's Knob, indeed saw his shadow. It spooked him, and so we've got six more weeks of winter. So hold off on spring until St. Patrick's Day or thereabout, campers. It's cold out there.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The recently passed National Defense Authorization Act includes the creation of the position of National Cyber Director.
Joining me to discuss that role is Jamie Brown, Senior Director of Global Government Affairs at Tenable and Chair of the IT Sector's Coordinating Council.
Historically, in previous administrations, particularly in George Bush and Barack Obama's administrations, there was a cyber director or, you know, commonly referred to as a cyber czar, that was advising the president and had a central spot at the White House. It was not at that time a Senate-confirmed position, but the role there was to coordinate cybersecurity activities across the federal government. That position was maintained in the early part of the Trump administration, but then they ended up ending the position when they switched national security advisors about midway through the administration. Congress had set up in the meantime a commission to study what are the best approaches to addressing these long-term, really comprehensive challenges of cybersecurity. And one of the key recommendations they made was we really do need to not only reinstall that position of the national cybersecurity director, but make it a permanent Senate-confirmed position, one that has statutory authority, one that has to be approved by the Senate. And the thinking being that cybersecurity was such a cross-cutting challenge, it hit so many different agencies, different industry sectors, that you really needed someone in a centralized location, a single point of contact, in order to coordinate the federal government's response to cybersecurity incidents, but also in terms of proactive strategy and planning for cybersecurity as well.
I've seen some reporting that President Biden is likely to appoint Jen Easterly to this position.
Is that still where things are tracking?
And what's your take on her?
That is what we have heard as well. You know, I have not heard or I have not seen sort of official confirmation or have not yet. I don't think President Biden has officially appointed Jen Easterly, but we think that she would be an outstanding choice. She has excellent experience both in the public and private sector, which, again, is extremely important given the interdependencies about the private sector and government when it comes to addressing cybersecurity challenges. So her experience is something that will bring, I think, tremendous gravitas to that role and a lot of credibility in working both with government and private sector stakeholders.

I think this SolarWinds compromise has opened our eyes to a lot of important activities that have to take place. And one of the key areas that we hope that the National Cyber Director will focus on to be better prepared for future type attacks is pushing through a risk-based vulnerability management approach throughout the government. And then prioritizing the way that you go about remediating the gaps or the vulnerabilities that you have based on real-time contextual factors. What is the severity of a given vulnerability that you have in your systems? How important is it with respect to where it is located within your systems? And then also, is that type of vulnerability currently being attacked by bad actors? All of these things are going to be extremely important moving forward, both to mitigate against current attacks, but also to be prepared for future ones. That'll be a key role in the cyber directories.
That's Jamie Brown. He's Senior Director of Global Government Affairs at Tenable.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Hey, Ben, good to have you back.
Hello, Dave. How are you?
I am doing well, thanks.
Interesting article. This is from the Lawfare blog.
The title is, Is the SolarWinds Cyber Attack an Act of War?
It is, if the United States says it is.
Now, this caught my eye because it seems to me like the overall consensus has been that the SolarWinds situation was not an act of war, espionage, but not an act of war.
But this article takes perhaps
or explores a contrarian view here.
Yeah, this article is fascinating for a number of reasons.
First of all, that is a contrarian view
as to the attack itself.
This article gets into questions
of whether we should make these decisions
based on domestic laws or based on international law.
So the previous administration kind of ignored international law.
They were an America first administration.
What this article is suggesting is that we could have proper justification
under international law to declare this an act of war.
So chapter 51 of the United Nations Charter recognizes the inherent right to self-defense.
In response to an act of war, the Latin term is casus belli.
I'm sure I'm mispronouncing that.
But basically, if you are attacked in a surprise attack,
international law justifies a response.
That is self-defense in its purest form.
At least that's the you know, the thinking behind
that section of the charter. And that allows a country or a state, if we're speaking more broadly,
to exercise self-defense to make sure that nobody else gets hurt, to make sure, you know, to limit
harm against our domestic tranquility. And that's what this article is encouraging,
that we should consider this an act of war
under international law,
akin perhaps to something like Pearl Harbor,
where there was a surprise attack
on our physical infrastructure.
I don't think anybody would dispute
that that was an act of war.
If, you know, SolarWinds as a cyber attack
was as extensive as is reported,
certainly the impact on our critical infrastructure
could be potentially just as severe.
So it's just a really interesting article.
I think using international law in some quarters
is pretty disfavored in this country,
just because, you know, there's kind of a skepticism of why should we be listening
to these international bodies that
why should they carry the force of law? Who elected them?
But I think you put yourself on firmer ground on the world stage
if you can justify your actions, and it seems like we're going to take actions
in response to this attack,
using a portion of the UN Charter.
So I just thought it was a really interesting argument.
Yeah, I'm curious what you think about the idea
that if you come at this from the espionage point of view,
and I always try to, and often unsuccessfully,
try to put these into real world terms.
But suppose the United States found that there were a whole bunch of spies
who'd been placed in organizations around the world.
And these spies were going through filing cabinets
to get secrets from organizations,
from federal organizations, private organizations,
you know, that sort of thing. People doing spying, right? Espionage. Would we, if, with the discovery
of that, would we consider that to be an act of war? Or would we just say, oh, espionage?
I mean, I guess there's a different, espionage isn't to the same extent an act of war.
Right, nobody dies.
Yeah, right, it wouldn't meet that definition under the UN Charter.
I think what I would say is that that's not necessarily the proper analog here
because of the concrete damage that could have been done through the SolarWinds attack.
So it's not just spying.
If you're destroying networks or you're stealing information
or you're threatening our critical infrastructure,
then that goes beyond espionage.
So I don't think it would, if it were just pure spying,
I don't think under this definition that would be an act of warfare
that would justify a precision-based response.
What if the spies were leaving pipe bombs
in the filing cabinets behind, right?
Exactly, exactly.
I mean, that's the scenario
that I think we have to consider.
And I think that's sort of the perspective
of the Biden administration.
We don't know exactly what they're going to do
to respond to this attack,
but early indications are that they see it
as sort of, if not a quasi-act of aggression, an act of aggression.
And that it will justify a precision-based response.
Right, worthy of some response.
Absolutely.
Yeah.
All right, well, an interesting article for sure.
It's over on Lawfare.
It's titled, Is the SolarWinds Cyberattack an Act of War?
It is, if the United States says it is.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed. Bring out your best.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow.