CyberWire Daily - Cring ransomware hits manufacturing plants. Distance learning difficulties. Hafnium’s patient approach to vulnerable Exchange Servers. The Entity List grows. 5G security standards.
Episode Date: April 8, 2021
Cring ransomware afflicts vulnerable Fortigate VPN servers. Distance learning in France stumbles due to sudden high demand, and possibly also because of cyberattacks. Hafnium's attack on Microsoft Exchange Servers may have been long in preparation, and may have used data obtained in earlier breaches. Commerce Department adds seven Chinese organizations to its Entity List. 5G security standards in the US are said likely to emphasize zero trust. Atlantic Media discloses a breach of employee data. Caleb Barlow from CynergisTek with a clever way of thinking about ransomware preparedness. Our guest is Amit Kanfer from build.security on authorization, a problem he says remains mostly unsolved. And emissions testing stations in some US states remain down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/67
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cring ransomware afflicts vulnerable FortiGate VPN servers.
Distance learning in France stumbles due to sudden high demand and possibly also because of cyber attacks. Hafnium's attack on Microsoft Exchange Servers may have been long in preparation, and may have used data obtained in earlier breaches. Commerce Department adds seven Chinese organizations to its Entity List. 5G security standards in the U.S. are said likely to emphasize zero trust.
Atlantic Media discloses a breach of employee data. Caleb Barlow from CynergisTek with a clever way of thinking about ransomware preparedness. Our guest is Amit Kanfer from build.security on authorization, a problem he says remains mostly unsolved.
And emissions testing stations in some U.S. states remain down.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 8th, 2021.
Researchers at the security firm Kaspersky say they've found a strain of ransomware, they call it Cring, being actively deployed against vulnerable FortiGate VPN servers.
The vulnerability, for which patches are now available, renders the servers susceptible to directory traversal attacks, during which attackers can obtain
session files from the VPN gateway. Such files contain useful information, including usernames
and plain text passwords. The attackers first work to gain control over the targeted system, beginning with
reconnaissance, then performing test connections to ensure that a vulnerable instance of the
software was running. Once gaining initial access, the attackers installed Mimikatz to steal account
credentials used to log into the compromised system. After the domain administrator account
was obtained, the next steps involved distributing
the Cobalt Strike beacon backdoor to other systems on the victim's network. At that point,
they were ready to install Cring ransomware and encrypt the victim's files. The usual sort of
ransom note was delivered. Cring is noteworthy for its deployment against manufacturing facilities.
At least two factories in Italy, CyberScoop reports, have been affected.
The companies are unnamed, but their production has been disrupted.
The protective advice is clear. If you're using Fortinet VPN, update the server.
Online education networks in France are suffering from the strains of an abrupt switch to distance learning this week.
In addition to the stresses on a network one might expect from a sudden surge in use,
the systems are also believed to have been targeted by hackers.
Prosecutors are investigating, The Washington Post reports.
The attacks by Chinese operators on vulnerable Microsoft Exchange server instances appear,
according to the Wall Street Journal, to have been long under preparation.
In particular, investigators are leaning toward a theory that holds Hafnium's operation
was prepared by mining troves of personal information acquired beforehand.
That would explain the surprising speed with which the compromise
progressed. It also revives concerns about the effects of past Chinese collection of personal
data in such breaches as those at the U.S. Office of Personnel Management, Marriott, and Equifax.
The Journal quotes U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger as saying,
"We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that
information at scale is a significant concern." Another point worth considering in relation to
Hafnium's operation is the value that even older personal data can have,
especially when it's in the hands of a patient and well-resourced intelligence service.
The Times of India reports that General Bipin Rawat, chief of India's defense staff,
said yesterday that the country was working to counter the cyber threat from China
and that India was itself developing offensive capabilities in response to that threat.
The general said, quote, what we are trying to do is to ensure cyber defense. We have therefore
created a tri-service cyber defense agency to ensure that even if we come under a cyber attack,
the downtime and effect don't last long.
He was disinclined to discuss projected offensive capabilities, but he did say that India was somewhere there.
He hopes to be able to turn India's strong private sector IT capabilities to use
in developing a full-spectrum defense against multi-domain attacks.
The U.S. Department of Commerce has added seven Chinese organizations to the entity list the department's Bureau of Industry and Security maintains.
The Commerce Department said, quote,
These entities are involved with building supercomputers used by China's military actors,
its destabilizing military modernization efforts, and or weapons
of mass destruction programs. Organizations on the entity list are subjected to various
restrictions on their trade. As the department puts it, the point of placement on the entity
list is to restrict the export, re-export, and in-country transfer of items subject to the
Export Administration Regulations to persons, individuals, organizations, and companies
reasonably believed to be involved, have been involved, or pose a significant risk of being or
becoming involved in activities contrary to the national security or foreign policy interests
of the United States. Additional license requirements apply to exports, re-exports,
and in-country transfers of items subject to the Export Administration Regulations to listed
entities, and the availability of most license exemptions is limited.
According to Breaking Defense, U.S. NSA Executive Director Noble says the public-private consortium
developing standards for 5G security intends to emphasize the importance of zero trust.
The standards, collectively called the Enduring Security Framework,
are the work of a public-private partnership among the National Security Agency,
other organizations within the Defense Department, the Department of Homeland
Security, and in particular the Cybersecurity and Infrastructure Security Agency, the intelligence
community, and companies within the U.S. IT sector and the defense industrial base.
The Enduring Security Framework is intended to address threats and risks to the security and
stability of U.S. national security systems and critical infrastructure.
NSA's contribution lies in its cybersecurity and cryptographic expertise.
Zero trust will be particularly important for 5G, Noble said, because of the technology's
high speed and the large distributed attack surface presented by its many IoT nodes.
Atlantic Media, currently a minority shareholder in The Atlantic and formerly the corporate owner,
has detected unauthorized access to servers that hold employee records.
And finally, emissions testing in several U.S. states
continues to be out due to a cyber attack,
Boston 25 News reports.
Testing stations now hope to be back up on Monday.
Authorization and authentication are often thought of hand-in-hand
as integrated parts of a permission structure within a security framework.
Amit Kanfer is CEO at build.security,
and he makes the case that authorization is an area
with plenty of room for improvement.
Yeah, I think if it's not clear enough,
authentication is the mechanism where you authenticate a user
you want to know, or a service, doesn't have to be a user,
where you want to know who is interacting with your API,
with your application.
Authorization is the other side of the coin
where you want to know what is this, once authenticated,
what is this user or service can do
within my application or API.
And I suppose the two often go hand-in-hand, right?
Yeah, often they go hand-in-hand because usually you authenticate to a service
and then there are many authorization requests that go out between you
and the service you're interacting with in order to understand
what kind of user interface to show you, for example, what are the APIs you can interact with, whether you're allowed to make a certain action on a certain asset or a resource.
tabs and actions that you can perform. And each one of those actions could be allowed or denied according to your long list of attributes, whether you're an employee of the bank, whether you are
just an end user of the bank, whether you are from the IT service of the bank, it goes on and on.
Right. I suppose, is it accurate to say that one of the challenges that you face in this sort of situation is that there are so many special cases, where there are many exceptions that I suppose you naturally have to deal with?
...logic tends to be very complex and cumbersome to maintain.
And then, you know, people change roles in the companies
and then that logic stays and it's very hard.
Basically, it's very hard.
It boils down to being very hard to maintain and very
coupled into the application itself,
which is also a challenge.
How to decouple that logic outside
because it's not the business logic of the company.
It's a policy.
So why not to decouple it from the application?
So that's a trend we're seeing lately.
So what do you suppose the future looks like for this?
In an ideal world, how would people
be dealing with their authorization? I think in an ideal world, authorization will be distributed,
centrally managed, but enforced in a distributed manner. Each application has its own
authorization server that runs right beside it, very close to it, with a low latency
and high throughput mechanisms.
And that central management should be
a single pane of glass to all the policies in the organization.
Imagine where you can have hierarchy between different policies
so you can think about corporate level policies and then business units and then departments where they can extend the corporate level policies and add more restrictions to it, but do not override it.
Testing and playground, treating policies really as code, integrated with your Git,
with your version control system.
So that would be an ideal situation.
That's Amit Kanfer from build.security.
And I'm pleased to be joined once again by Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, I wanted to check in with you when it comes to ransomware
and your thoughts on organizations best preparing themselves for the
possibility, and I suppose some would say inevitability, of having to deal with something
like this. What do you have for us today? Okay, Dave, so a warning in place. This is a bit cheesy,
but I'm not going to admit if a beer or two was involved in this, but my team came up with
actually a really interesting way
to think about how you're prepared for ransomware that I thought I'd share.
All right.
And this is very pandemic-esque, but what we found actually, as cheesy as this is,
it has really become a great tool for explaining to executives what you need to do to really
prevent ransomware. So the first thing, just like the pandemic,
is we need testing, Dave.
So, you know, and why do we test, you know, for coronavirus?
Well, to know if someone's infected.
And that's where compromise assessments come in, right?
So your analog for testing is a compromise assessment.
It's something that I think,
especially as we're coming on the other side of the pandemic
and companies have opened up their networks and people are working from home, getting a compromise assessment is a really good idea.
Okay.
What next?
All right.
How about some social distancing, Dave?
I'm all for it.
You're a little too close.
Can you back up?
Yeah, exactly.
Just back off my mic here.
So, you know, the same thing with kind of limiting the spread of COVID, we need to social distance our networks. And what does that mean? Well, network segmentation. And it kills me. I mean, when I go in and do a security assessment, I start asking, well, how segmented is your network? Well, what do you mean?
You know, if there's an infection in one portion of your network, can it get into others?
And we spend a lot of time in hospitals. It is not uncommon at all for the surgical wing in the hospital to be on the same network segment in an academic medical center as the dorm room.
And that's, you know, any security professional listening to this just cringes at that.
So we've got to socially distance our networks.
Okay.
So how about some contact tracing, Dave?
You know, we need early warning signs, right?
And that's where endpoint detection response comes in.
You know, your classic EDR tools,
get in there, find that issue early,
but contact trace it to figure out
who else talked with that endpoint
and is likely also infected.
Uh-huh, all right.
What's next?
How about some masks, Dave?
Now, this one isn't quite as good of an analogy,
but masks, I think, are a lot like multi-factor authentication.
You've got to have that extra barrier and MFA.
But here's the thing I think most people aren't prepared for
when it comes to ransomware.
They might have multi-factor on, let's say, their VPN.
You need multi-factor on everything.
What I tell people now is, if you can log into anything at work without having to do an MFA challenge, you have a problem.
That doesn't mean every time you log into Outlook,
you've got to get a text on your mobile phone.
But certainly every time you log in from a new computer or a new browser,
you need to be doing that.
Can you guess what's next, Dave?
Have we reached vaccination yet?
No, vaccination's not on the list.
Oh, okay.
All right, sorry, I jumped the gun.
You jumped the gun.
It's okay, it was a good try.
How about scrubs and gowns, right?
Oh, okay.
And this is where kind of, you know,
we need separation of duties
with privileged access management, right?
Everybody's got to be a little bit isolated
from everybody else.
And the thing with PAM tools
is what we really want to see to prevent ransomware
is admin IDs are not used for anything
other than administering the single system
to which they're assigned.
The admin can't also be using their admin ID
for checking their email and everything else.
That's just not cool anymore.
I see. All right. Any more?
Yeah. How about a checkup?
So we need a, just like you go to the doctor, you need a checkup.
And that's where security control validation comes in.
You know, let's not just look at your controls.
Let's actually make sure they're working.
By launching inoculated attacks in the environment,
seeing how the people, the processes, and the tools respond.
And the last thing, Dave, we need a treatment plan, right?
So like anything else, if you get infected, we've got to have a plan to treat you.
And that's where run books come in.
And we've got to practice and rehearse those run books over and over and over again until
they're muscle memory.
So that's our cheesy prep on how to prevent ransomware, Dave.
Yeah, I'm going to go get us a bottle of wine, Caleb, to go with that cheese.
But it's good.
It's good.
It's good.
I'm a fan of analogies.
So I'm sold.
I'm sold.
If it helps people remember these things, more power to you.
Hey, I just want to know, anybody that uses that to explain it to their CEO, I promise you it'll work even though they'll laugh.
Yeah, yeah.
All right, whatever it takes.
Caleb Barlow, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It could change your whole way of life.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer
Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.