CyberWire Daily - Cozy Bear has been very successful at being very bad. Advice on dealing with the supply chain compromise. Joker’s Stash has its problems. And a few thoughts on the near future.
Episode Date: December 18, 2020
Cozy Bear's software supply chain compromise and its massive cyberespionage effort against the US Government and the associated private sector is still being untangled. But it's very extensive, very bad, and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker's Stash criminal souk appears to have taken a hit. And don't let your guard down during the holidays. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/243
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cozy Bear's software supply chain compromise
and its massive cyber espionage effort against the U.S. government and the associated private sector is still being untangled.
But it's very extensive, very bad, and very tough to remediate.
Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts.
John Pescatore from SANS advocates renewing our focus on information security.
Iran may be running a ransomware campaign for influence purposes.
The Joker's Stash criminal market appears to have taken a hit.
And don't let your guard down during the holidays.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 18th, 2020.
It turns out that what we've come to call the SolarWinds compromise isn't confined to SolarWinds.
CISA advises that it has evidence, still under investigation, of other access vectors the threat actors used.
It's a very serious problem whose extent is still being determined.
CISA says the hostile campaign poses a, quote, grave risk to the federal government and state, local, tribal, and territorial governments, as well as critical infrastructure entities and other private sector organizations, end quote.
CISA offers four major takeaways.
First, this is a patient, well-resourced, and focused adversary that has sustained long-duration activity on victim networks.
Second, the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
Third, not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
And fourth, organizations with suspected compromises need to be highly conscious of operational security,
including when engaging in incident response activities and planning and implementing remediation plans.
That remediation is going to be a long and difficult slog.
It's going to take a lot of digging, a U.S. Defense Department source told C4ISRnet, and TechCrunch is even glummer. To its headline question, just how bad is that hack that hit U.S. government agencies? TechCrunch answers in the lead as follows: spoiler, it's a nightmare scenario. And that indeed seems to be the consensus.
NSA has also weighed in. The U.S. National Security Agency yesterday released a cybersecurity advisory, Detecting Abuse of Authentication Mechanisms. NSA is concerned to explain two tactics the attackers used to compromise U.S. government networks.
One was SAML forgery. On-premises components of a federated single sign-on infrastructure were compromised to steal the credential or private key used to sign Security Assertion Markup Language tokens. Trusted authentication tokens were then forged to gain access to cloud resources. A variation of this approach involved obtaining admin privileges in the cloud sufficient to permit the attackers to add a malicious certificate trust relationship that would in turn enable SAML token forging.
In the second tactic, the actors leveraged a compromised global administrator account to assign credentials to cloud application service principals. They were then able to invoke the application's credentials to gain automated access to such cloud resources as email.
NSA advises locking down SSO configuration and service principal usage.
The U.S. Department of Energy confirmed this morning
that it had been affected by the SolarWinds compromise,
but that so far malware had been found only in business systems.
Among the DOE organizations hit were the Federal Energy Regulatory Commission, Sandia and Los Alamos National Laboratories, the Office of Secure Transportation at the National Nuclear Security Administration, and the Department of Energy's Richland Field Office.
Again, the Department of Energy stressed that only business systems were affected, and it also emphasized that it was working closely with its private sector partners in the energy sector to avoid any possibility of energy distribution being disrupted.
The National Nuclear Security Administration is worth some discussion,
since some coverage of NNSA in the general press
may have given the impression that the administration is responsible for the employment
of nuclear weapons, that its figurative finger is on the metaphorical button. That's not the case.
NNSA's principal missions include nuclear weapons stockpile maintenance, non-proliferation, support for counterterrorism and counterproliferation, and support for naval nuclear propulsion programs.
It's not directly involved in command and control for U.S. nuclear forces.
Most of the discussion surrounding the supply chain compromise has centered on the risk to
business systems and the loss of sensitive information. It may, however, have other dimensions.
Control Global suggests that building control systems are also susceptible to compromise
and, in principle, manipulation by the same threat actor using the same entry points.
Microsoft, which yesterday itself acknowledged that it too had been affected,
outlined in a long blog post what
it sees as having contributed to a riskier environment infested with more effective,
more aggressive threats. Redmond sees a continuing rise in the determination and
sophistication of nation-state attacks, augmented by the rise of a supporting private sector,
21st century mercenaries, as Microsoft calls them.
And for the near term, of course, this trend is augmented by the organizational stress and
vulnerability the COVID-19 pandemic has induced. As a remedy, Microsoft has three prescriptions,
better sharing of information, stronger and more effective international norms to inhibit nation
states, and finally, more effective ways of holding states accountable for misbehavior in cyberspace.
All three of these are clearly aspirational, especially the second two.
It's worth noting that the official government discussions of the cyberespionage campaign
have tended not to attribute the campaign to any specific nation.
Indeed, while alluding to the role of hostile intelligence services in the incident, NSA makes a point of saying that the
tactics, techniques, and procedures used shouldn't be thought of as capabilities exclusive to
governments. The agency warns that there's no reason to think that criminals won't eventually,
if they haven't already, use them for ordinary criminal financial gain. But the private sector has been quite clear on
who's responsible. The consensus attribution is to Russia, and especially to Cozy Bear,
the SVR foreign intelligence service. Congress has asked the Director of National Intelligence,
the FBI, and CISA to explain what happened,
and they're citing media reports of Russian responsibility for the cyber espionage campaign.
It's not all Russia, of course.
Research from security firm ClearSky outlines the recent activity of Iran's Fox Kitten.
ClearSky says it's confident that Fox Kitten has used its Pay2Key ransomware campaign as a form of misdirection.
Pay2Key functions like ransomware, but any extortion it actually accomplishes is, the researchers believe, so much gravy.
The real goal, ClearSky thinks, is influence. The campaign is more interested in inducing fear and uncertainty in its mostly Israeli targets
than it is in collecting ransom or even stealing information.
There is some good news today as well. According to CyberScoop, the criminal-to-criminal data
exchange known as the Joker's Stash, which is notorious for its hawking of stolen credit cards,
yesterday said that some of its infrastructure had been, as the hoods say, busted.
Interpol and the U.S. Department of Justice apparently led a coordinated law enforcement effort against Joker's Stash.
Security firm Digital Shadows published an account of where matters stand with the criminal market.
Its blockchain DNS domains, which briefly displayed both Interpol and Department of Justice
logos in a seizure notice, now simply display an anodyne, site not available, message. Digital
Shadows points out that takedown notices normally stay up for some time, and that Joker's Stash
still seems to have its Tor infrastructure operating, so people are awaiting some official word from either Interpol or the DOJ.
In the meantime, however, whenever a criminal market is knocked off its normal hangout,
that's bad for reputation and so bad for business.
Many of the predictions we've seen have projected recent trends into the future.
It's betting on form in a way, but that's often how the smart
money bets. The Washington Post joins those who've done so with an additional prediction
that 2020's trends will not only persist, but will intensify. Their big prediction is that
election security will assume even greater importance than it did this year. As private
life follows work during the pandemic, many people will be conducting
holiday meetups by Zoom or other video conferencing platforms. The Telegraph reports warnings that
opportunistic criminals, a formulation that's practically redundant, can be expected to use
bogus invitations to sessions in their social engineering efforts. We hate to have to advise
suspicion during a time
when people are trying to stay in touch with loved ones, but, well, there you have it.
Every meeting invitation isn't what it seems, so do be watchful.
Before we started calling all this stuff we do cybersecurity,
it was commonly referred to as information security.
John Pescatore is Director of Emerging Security Trends at the SANS Institute,
and he joins us with thoughts on why it may be in our best interest to switch back to that phraseology.
John, welcome to the program.
Good to be here.
Well, give us a
little bit of background here. How did information security become cybersecurity? Let me give you a
really fast 40-year tour of the terminology we use. In 1978, I got out of college with an electrical
engineering degree and went to work at the National Security Agency at NSA in Fort Meade. And things were called information security.
And they were just starting to be called computer security because of the use of mainframes.
But a couple other things happened right around then.
And just the year before, the Diffie-Hellman public key encryption technology had come out and been patented.
And just the year before, the U.S. government had finalized the data
encryption standard, a symmetric way of doing encryption. So back then we knew and we talked
a lot about encryption was needed for information security. And oddly enough, we also talked about
how bad passwords were. Passwords would be replaced with tokens and things you would carry around to
make sure you could prove who you were.
So if you flash forward 10 years after that, in the 1988-89 timeframe, a couple interesting
things happened. In 88, we had the Morris worm hit the internet. For those youngins out there,
the Morris worm exploited vulnerabilities in the VMS and Unix operating systems. And still today, it still is the highest benchmark for an internet denial of service attack. It took down 30% of the internet within minutes.
Back then, the internet was a smaller place, obviously. But in 88, 89, those attacks sort
of caused us to start focusing on, gee, encrypting data is hard. Passwords are hard to replace. Maybe we ought to focus on just
preventing the attacks from getting in. And the focus changed. The firewall came about out of the
Morris worm. And we started to focus on protecting the vulnerable systems versus addressing the
vulnerabilities in the systems. Oddly enough, in 89, that's the first use I could find of the term cybersecurity.
And right then was when we started really more focusing on sort of protecting the connections to the Internet and not dealing with these vulnerabilities.
And we flash forward today with ransomware and breaches being sort of the dominant damage forms of attacks.
We really need to get back to focusing on the information.
It's been very sort of common over the years
for people to say, it's the information, stupid.
Well, it's not that we were ignoring information
all these years.
It was that it was really hard to get close to the data
and use encryption and strong authentication.
But those factors are changing
and we're seeing a lot of ability to do more
directly connected to protecting the information today.
John Pescatore is Director of Emerging Security Trends at the SANS Institute. John, thank you for your time, sir. Good to talk to you.
And I'm pleased to welcome back to the Cyber Wire, Robert M. Lee. He is the CEO of Dragos. Rob, thanks for taking the time for us and touching
base on the whole SolarWinds incident here. Let's start off with some basics here before we dig into
some of the details. Can you just, for those who are still trying to get up to speed here,
can you give us an outline of where things stand? Yeah, so I mean, to catch everyone up
who obviously is watching all of this unfold,
but let's pretend that somebody
hasn't been paying attention to it,
to catch you up,
December 13th, FireEye got compromised
and folks were actually not critical.
I was really happy to see
most of the InfoSec community recognized
that FireEye was the victim,
everybody gets hacked eventually, and that FireEye
nailed the response and the detection
of it, so kudos to them. And that seemed
to be the predominant theme. There's always the jackasses,
but for the most part, most of the InfoSec community
was like, hey, good job to you.
Well, little did we know
that FireEye was
likely, them finding it, was likely
the key to finding this adversary
at a lot of other places.
And originally people came out and attributed it to APT29 in Russia,
but FireEye has been very explicit.
It's not APT29.
It's a new group that they're tracking.
And we have seen senators and similar come out and say it's Russia,
but we don't know at this point.
I think it's a little early in the game.
But the moral of the story is SolarWinds got compromised.
It was a supply chain hack. We're not going to prevent this. It was correctly
done, digital signatures and similar. It was the compromising of the SolarWinds
Orion software package. And that compromise
has been ongoing for the last, I don't know, nine months or so. And so we
were looking at around
18,000 organizations around the world that had downloaded the compromised software. That does
not mean 18,000 organizations in the world were breached. So the adversary had access to some
amount of that 18,000, but they were going after and targeting far less. And we're very fortunate
for that because already it's been a bad, bad week. We've had the Department of Homeland Security
notice that they were breached, the Department of Energy, national labs, labs that deal with
our nuclear weapons and secrets, the Pentagon, the Treasury Department, the Department of Commerce,
So it was a fantastic compromise, screw them and kudos all at the same time, where they did exactly what they wanted to do,
and they did it for nine-plus months undetected into some of the most sensitive infrastructure sites in the world. The thing that bothers me significantly that I think is going a little bit unacknowledged,
and I don't need the adversary to figure this out too soon,
I think now is a safe enough time to talk about it,
but a number of those software packages, the SolarWinds Orion package,
gets used by a number of the industrial vendors out there,
the big original equipment manufacturers, white-labeled to something else, and plugged into a lot of our sensitive infrastructure sites.
So when you hear me talking about the industrial control systems or OT or operations technology, kind of power, water, manufacturing, et cetera, type operation networks, the reality is many of those networks were compromised.
I don't know if the adversary knew that.
I'm sure they would have had to have.
And I normally am the furthest person from hyping anything up. But we had a strategic,
highly sophisticated foreign adversary that most certainly had access to, direct access to,
some of our most critical networks of some of our most critical sites in the world,
and the United States, I guess, for us. Now, that's not to say all they had to do was push a button and we're dead, right? This isn't saying, oh, my gosh, they're going to bring down the power grid
because there's more than one grid and all that kind of stuff.
But let's realize they had access to,
and they've already shown their capability and sophistication.
And again, without trying to get too hyped up, that's awful.
What's even worse is most of these organizations are not monitoring,
do not have the visibility at those OT layer,
and they focus a lot on prevention and segmentation strategies.
Which, if that's what you're doing, if you're focused on firewalls and antivirus,
once you get compromised with a supply chain hack like this,
you're not going to have the logs or the data to know if you were actually breached,
and you're sure as hell not going to know if you actually kicked the adversary out.
So we could have this team with access to our infrastructure sites
for a long time to come.
And that sounds terrifying, and to some extent it is.
My recommendation to people is go hunting.
Assume you're compromised and start looking at your crown jewels
and your organization and go hunting,
especially on all the behaviors we know, not just the indicators,
because this is not a good day in our country.
Where do you suppose things go from here?
How do you see this playing out?
The politics of this are going to be quite interesting,
because you've got a new administration coming in, which is not exactly thrilled with Russia in the first spot.
And if this was Russia, this is only going to freeze any of the relationships that even were already pretty bad.
I think Putin came out a couple weeks ago and he was asked, how is the relationship to the United States?
And like non-existent.
So that's not getting any better.
And, you know, this isn't some act of war or whatever.
You know, people got to dial down the hyperbole here.
But this was a very sophisticated hack that made the United States look really bad
with access given to our strategic adversaries over long periods of time
in ways that we won't be confident we've actually fully kicked them out for a long time to come.
And so the place you go from here is start asking some real questions on what's got to change.
And I don't like the idea that any one hack changes anything, but we really have got to take a different strategy with what we're doing.
When you look at Congress, they're asking the DHS and NSA, like, why didn't you see this?
We've invested billions.
Well, it's not the job of the intelligence community to do private sector cybersecurity.
And when the NSA and others are doing intelligence operations, it should be for national requirements.
It should be for intelligence analysis, not I detected the hack.
You detect hacks in the networks that are getting compromised,
not pretending that you're going to magically sit on the one server
that the adversary used that day.
Sure, go do that. Maybe you get some goodness,
but that's not a strategy.
That's a, oh, by the way, we got some extra value
out of our intelligence operations.
The DHS and CISA are not the supported agency
by the private sector.
They do not own cybersecurity,
and they've got to get off ever claiming
to own cybersecurity for the private sector.
Hey, we'll roll incident response teams. Hey, we'll help you. There is enough mission set in the
government to keep them busy for a long time, and they're underfunded to even do the government
mission. And in hacks like this, when people are going, I think I need help, they're still cleaning
up the wounds on the government side. So we've got to be real explicit on private sector. You're on your own. You've got to go invest in security. Maybe we look at mechanisms to provide extra
funding or tax credits or something for companies to go take it seriously. Maybe we do layer in some
light regulation of things we would expect. There's a whole strategy behind that. I'm not
going to be prescriptive here, but we just got to be straight with people on
the government is not coming to save the day on your private sector networks when you get
compromised. We'll help you. We'll coordinate. We'll be the front door to the government.
But private sector, you're on your own. Quit pretending otherwise. And that's a hard pill
to swallow. And for any practitioner, they're like, yeah, that's known. That's not the common discussion in Congress, especially when agencies are out fighting for funding and rice bowls and everything else.
Let's cut the crap, start speaking plainly, be real candid because we're experiencing some real tough times.
And we're beyond the point where we believe things like Einstein or whatever else are there to save the day.
If I see another billion dollars go to a bastardization of snort,
we're going to lose.
So, I mean, this really strikes me as being a bit of a punch in the gut
that we got sort of, is it fair to say we got caught flat-footed with this?
Yes, that's very fair.
I'm trying not to be too coy with you, but we got screwed.
But I'm trying to understand from the basic level in a way that everyone can understand.
I mean, you're in the business of protecting industrial control systems.
This got by you.
This got by lots of people.
What do we have to change? How did that happen? Why did such a broad swath of organizations in private and public sector
get caught flat-footed here? Yeah, because our supply chain was compromised. And nobody's going to prevent
a well-orchestrated supply chain compromise.
What we didn't get caught by,
what we didn't have people get by me and FireEye
and everybody else, was on the detection and response piece.
That's awesome. That's the win.
Hey, some state adversary did exactly what we were concerned about
and talked about for years of compromising the supply chain at a software level
in a way that we really couldn't prevent, and they detected it,
and they responded correctly, and they mitigated any issues at FireEye.
That's the positive story, that no matter how important or great or wonderful
or skilled you think your adversary is,
prevention may fail.
But detection response, you can do it.
And so when we're deployed in places, when we're responding to places, when we're going, it's working.
But the places that aren't doing detection, that don't have response plans, that aren't taking it seriously, they can't say detection and response failed because they
weren't doing it. So that's the takeaway. That's the message. And look, to every practitioner in
the cybersecurity community, everything I'm saying and getting hyped up on is not news.
But to Congress and the Senate and our elected officials that are looking at this,
they do get told a lot of crap. Oh, I can prevent all attacks with this magic AI.
Or blockchain will save the day.
Or this government agency is going to be on point
and we'll do all the response for our critical sites
across the United States in the event of catastrophe.
And we've got to stop that crap.
It's always been annoying.
It's starting to get dangerous.
All right.
Well, Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Be sure to check out this weekend's Research Saturday and my
conversation with Alyssa Miller
from Snyk. We're going to be discussing
SourMint, iOS remote code
execution, Android findings, and
the community response.
That's Research Saturday. Check it out.
The Cyber Wire podcast is
proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.