CyberWire Daily - Cyberattacks against a Russian rocket shop and the Port of Houston. As ransomware gangs increase activity, the US considers defenses. Pegasus found in French Ministers’ phones. Meng heads home?

Episode Date: September 24, 2021

Someone is phishing for Russian rocketeers. The Port of Houston discloses a cyberattack, which the Port says it deflected before it had operational consequences. Ransomware gangs are up and active, and the US is considering mandatory reporting by victims as a defensive policy. Pegasus spyware is said to have been found in the phones of five French government ministers. Johannes Ullrich from the SANS Technology Institute on attackers hunting for environment variables. Our guest is Graeme Bunton of the DNS Abuse Institute. And Huawei's Meng Wanzhou may soon be headed home from Vancouver. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/185 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Someone is phishing for Russian rocketeers. The Port of Houston discloses a cyberattack, which the Port says it deflected before it had operational consequences. Ransomware gangs are up and active, and the U.S. is considering mandatory reporting by victims as a defensive policy. Pegasus spyware is said to have been found in the phones of five French government ministers.
Starting point is 00:02:21 Johannes Ullrich from the SANS Technology Institute on attackers hunting for environmental variables. Our guest is Graeme Bunton of the DNS Abuse Institute, and Huawei's Meng Wanzhou may soon be headed home from Vancouver. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 24th, 2021. Security firm Malwarebytes reported this week that it had, quote, reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities, end quote. The company says its researchers had intercepted email attachments that appear to be used as phish bait to catch Russian organizations. Among the organizations targeted was JSC GREC Makeyev,
Starting point is 00:03:33 a company that develops both liquid and solid propellant ballistic missile systems, and that serves as one of Russia's principal rocket and space technology research and development centers. One of the phishing emails directed at Mikheyev recipients represented itself as coming from human resources. Other organizations are receiving emails purported to come from the Ministry of the Interior and providing notification that illegal activity has been detected. Whatever the fish bait, the goal of the social engineering appears to be in the first
Starting point is 00:04:05 instance harvesting of personal information malware bites has no attribution as the company observes however quote it is rare that we find evidence of cyber crimes against russian targets given the targets especially the first one we suspect that there may be a state-sponsored actor behind these attacks and we are trying to find out the origin of the attacks we will keep you informed if we Microsoft has patched the vulnerability the attackers seek to exploit. The Port of Houston Authority said yesterday in a brief announcement that it had successfully defended itself against a cybersecurity attack in August. Port Houston followed its facility's security plan in doing so as guided under the Maritime Transportation Security Act and no operational data or systems were impacted as a result, end quote. CNN reports that on August 19th, attackers believed to be associated with a foreign intelligence service
Starting point is 00:05:05 gained access to a server in the port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack. Whichever nation-state was responsible for the Houston attack, and there's no attribution yet, the record reports that the attack was accomplished by exploiting a zero-day in a Zoho authentication appliance.
Starting point is 00:05:31 A week ago, the U.S. Cybersecurity and Infrastructure Security Agency issued a joint advisory with the FBI and the Coast Guard, warning that CVE-2021-4539, a vulnerability in Zoho's password manager and single sign-on solution ManageEngineADSelfServicePlus, was being actively exploited in the wild. Zoho had addressed the bug on September 6, and CISA urged users to apply the patch as soon as possible. The Port of Houston incident would seem to explain both the urgency and of the Coast Guard's involvement in the advisory. Wired notes that the brief dip in the frequency and consequence of ransomware attacks earlier this summer was a false dawn and not an enduring trend.
Starting point is 00:06:18 The gangs and the intelligence services that abet them seem simply to have taken time to adjust to Western, mostly U.S. policy and law enforcement tactics, and have returned with, if anything, even greater intensity. Their occultation was no exit and no retirement, and they're back without any sign that they've moderated their appetites. As part of its response to ransomware and other threats to critical infrastructure, the U.S. administration has been pushing for mandatory cyber incident reporting, and the U.S. Congress is considering legislation to that effect. The Senate Homeland Security and Governmental Affairs Committee yesterday held a hearing on
Starting point is 00:07:00 cybersecurity and protecting critical infrastructure. Senator Gary Peters, Democrat of Michigan and chair of the committee, asked CISA Director Easterly for her views on an incident reporting bill the senator and his colleagues are working on. My first question is for Director Easterly. If our incident reporting bill were enacted, what would CISA do with this information and how would you be able to help victims? Thanks very much for your question, Chairman. First of all, CISA plays a
Starting point is 00:07:33 critical role as the national coordinator for critical infrastructure resilience and security. As I think about CISA's superpower that we use on behalf of the nation and the American people is our ability to share information rapidly to enable us to protect other potential victims. So what we could do with this information is not only render assistance to the victim and help them remediate and recover from the attack, but we could use that information, we could analyze it, and then we could share it broadly to see whether, in fact, evidence of such intrusions were found across the sector or, frankly, across other sectors or across the federal civilian executive branch. So we think that timely and relevant reporting of cyber incidents is absolutely critical to help us raise the baseline and protect the cyber ecosystem.
Starting point is 00:08:28 How would such legislation be enforced? Director Easterly wants something other than subpoenas, something more agile, and thinks that some system of fines might be appropriate. National Cyber Director Inglis agreed. Mr. Chairman, I support that view strongly. I would observe that most of the 50 states have reporting requirements of a similar sort, and the vast majority of those have an enforcement mechanism. Many of those use fines. There may be some best practices in there if we do a thoughtful survey of how they've actually addressed this and how that has worked and whether that has imposed an unfair burden on the victims. We, of course, don't want to impose an unfair burden on
Starting point is 00:09:10 the victims, but this information is essential for the welfare of the whole. There should be rewards for good behavior. If you've performed well and thoughtfully in this, the benefit should be obvious, which is that we can provide better services, both in response and preventing this in the future. The full hearing is available on C-SPAN. Media Part reports that investigation confirms at least five French ministers' phones were infected with Pegasus spyware. Just who instigated the installation of the spyware remains unclear. The Washington Post notes that Media Part has suggested the government of Morocco was behind the installation, but Morocco, for what it's worth, has both denied involvement and brought a lawsuit against MediaPart, alleging defamation. And finally,
Starting point is 00:09:58 Huawei CFO Meng Wanzhou will soon be able to leave Vancouver, where she's been fighting extradition to the United States, where she faces charges related to alleged violations of sanctions against Iran. The U.S. Justice Department is said, according to the Wall Street Journal, to have reached a deferred prosecution agreement with her that's expected to be entered today, when she appears remotely from Canada before a court in Brooklyn. appears remotely from Canada before a court in Brooklyn. Quote, The agreement will require Ms. Meng to admit to some wrongdoing in exchange for prosecutors deferring and later dropping wire and bank fraud charges.
Starting point is 00:10:34 End quote. Ms. Meng was arrested in the Vancouver airport in December 2018, Reuters reminds us, on a U.S. warrant alleging bank fraud and wire fraud charges in connection with what the U.S. indictment characterized as misleading a banking partner and financial services partner, HSBC, about Huawei's involvement with Iran. The South China Morning Post characterizes the U.S.'s part in the agreement as dropping the charges. That's not entirely accurate. Under a deferred prosecution agreement,
Starting point is 00:11:06 the government brings charges but agrees not to proceed to prosecution provided the defendant acknowledges responsibility and agrees to certain conditions. If the defendant keeps their side of the bargain, then after a certain specified period of time, the government drops the charges. In any case, Ms. Meng is likely to be able to
Starting point is 00:11:26 return to China shortly after the conclusion of today's virtual hearing. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:12:05 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:12:49 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. When it comes to attempts to mitigate the actions of bad actors abusing the internet's domain name system, the DNS, one of the hurdles facing interested parties is how precisely to define DNS abuse.
Starting point is 00:13:46 Graham Bunton is director of the DNS Abuse Institute, where he's leading the charge to try to bring more clarity to this issue. So the DNS Abuse Institute was created by PIR, who run the.org TLD. They've been operating in the space for a very long time, and they, like I do, see DNS abuse or this set of online harms as something like a collective action problem, where registrars and registries would be better served by being more proactive and active on mitigating DNS abuse. But there's a number of disincentives and historical reasons why they haven't been doing so. So the DNS Abuse Institute was created to try and fill that gap. We're going to do that with technology and education and work on collaboration within the industry to try and ultimately reduce DNS abuse. Well, this article that you all recently published,
Starting point is 00:14:45 DNS abuse definition, is there an issue with there not being a standard definition of what constitutes DNS abuse? Unfortunately, yes. At least within the community we operate, the ICANN community and a bit larger than that, there has been sort of endless cycles of debate about what constitutes DNS abuse. It has gone on for years. I can elaborate a little bit here that, you know, registrars and registries want a relatively constrained set of harms that they feel capable of understanding and mitigating. And the DNS is like the only centralized bit of the internet's ecosystem, you know, of the broader infrastructure.
Starting point is 00:15:28 And so lots of people have harms that are impacting them, and they want to resolve them. And reasonably, they find themselves at the DNS, because that's the only place where they're going to have a real crack at getting them resolved. And so you have these two competing interests trying to define what harms registries and registrars should be responsible for. Is this partially a matter of fostering collaboration among the interested parties rather than, I can imagine there being quite a bit of finger pointing?
Starting point is 00:15:59 There is a lot of finger pointing. And I think what I am trying to do here is really get people to come to the table and say, look, here's the harm, here's how it intersects with the layer of internet infrastructure that you operate. And you solving it here checks a lot of these boxes. And then you can disagree about specifically which boxes you think are checked. So often within the DNS, we fail on two mitigation attributes. It is often not precise,
Starting point is 00:16:29 so the harm might be on some sort of, it might be on a subdomain or a long URL, not the domain name itself, or it may not be proportional because most registries and registrars only have the ability to turn off a domain name. And so then we can get into a discussion of specifically what it is that they might disagree on.
Starting point is 00:16:49 They can say, no, I think this harm is proportional to act at the DNS. And that's great, because now it's no longer just do it. We now can say, yes, it's quick and it's efficient, but we're concerned about this proportionality. And so now we can have a more nuanced conversation about the harm and how to mitigate it. And where are these conversations taking place?
Starting point is 00:17:09 Ah, most of this happens within an ICANN context. So either at ICANN meetings or events surrounding that ecosystem, because that's for the most part where domain names are regulated. Some of this is happening within the broader domain name ecosystem involving ccTLDs as well. And what do you hope to come out of this? I mean, if people are on board and you get widespread adoption, what will things look like on the other side? You know, boy, I would love to, first of all, get more people on board for mitigating abuse so that the internet actually gets safer you know and then the the next piece of this is that if we have a little bit more sophistication
Starting point is 00:17:52 in our dialogue we can understand where we disagree and we agree a bit more we then can can begin to tackle things like oh boy this harm is is should be addressed at the hosting level, but it hasn't been. We have gone through a rigorous process of trying to do that. Now we can escalate up to the next layer of internet infrastructure or down to the next layer of internet infrastructure, to the layer of the DNS, and you have some evidence of that process that you've gone through. And now you might have a better case for acting at the layer of the DNS
Starting point is 00:18:28 if you've escalated appropriately. But none of those best practices exist yet, and so that's a thing that we'll try and work on next. That's Graham Bunton from the DNS Abuse Institute. Thank you. security solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ulrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Starting point is 00:19:48 Johannes, it's always great to have you back. We want to touch today on attackers who are hunting for environmental variables. What can you share with us today? The root cause of this problem is how, as a developer, are you going to store secrets? And in particular, in modern web applications, you need an awful lot of secrets. You connect to various APIs where you need to provide some kind of access key. You need to connect to a database that may ask you for a username and a password.
Starting point is 00:20:22 The one place where you don't want to store these variables is your code. So you have to find another solution. Now, they're very expensive, very elaborate, secret managers. Not everybody has those. A very cheap and reasonable good way of doing this is we just store them in environment variables. Environment variables are not typically sort of directly readable like source code. They don't leak as easily. But where are you storing these environment
Starting point is 00:20:52 variables? So we just moved the target a little bit. And what a lot of developers apparently are doing is they're storing these environment variables in a file and then they place the file in the document root of your web server the document root is the directory where by default your files are being retrieved from so now it's really just a matter of an attacker guessing the right file name pointing it to your or looking for that file on your web server, and they have all your secrets. Add to that that developers aren't really all that inventive when it comes to these file names. We do see a lot of requests for very common names like.env or just env, so short for environment. And lately also a lot for Twilio.env,
Starting point is 00:21:45 where Twilio is a service that allows you to send SMS messages, make phone calls and such. A lot of websites use that to integrate with voice and text messaging. And so what's the solution here? I mean, is it as simple as putting this stuff in a protected directory? Yeah, that's the first step. Put it outside the document root. That way, an attacker, using that very simple attack,
Starting point is 00:22:10 is not able to access it. Of course, the real solution is use a proper secret manager. As I said, this can be a little bit complex. It's very specific on a particular language environment that you're using. So, for example, if you're looking at the Twilio documentation, they have an example of how to store the secrets
Starting point is 00:22:30 as environment variable. That's sort of what they recommend. The reason why they recommend it is because it pretty much works for everybody. While any more sophisticated solution is very specific to the language and the overall environment that you're using.
Starting point is 00:22:46 All right. Interesting stuff. Johannes Ulrich, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Looking for something to do this weekend?
Starting point is 00:23:20 Well, be sure to check out this week's Research Saturday. My conversation with Ariel Zelovansky from Palo Alto Networks. We're discussing their work titled, What You Need to Know About AzureScape. That's Research Saturday. Do check it out. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabey,
Starting point is 00:23:41 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here next week. Thank you. that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:24:41 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
