CyberWire Daily - Disruption of a major BEC campaign. Scope of cyberespionage expands in Pulse Secure exploitation. What the Hades? Russo-US summitry. A more secure workforce. Reality Winner is out, sort of.
Episode Date: June 15, 2021
Microsoft disrupts a major BEC campaign. The scope of cyberespionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed. Secureworks offers an account of Hades ransomware, and differs with others on attribution. Final notes during the run-up to tomorrow's US-Russia summit, where cyber will figure prominently. Helping employees stay secure. Carole Theriault wonders if the internet of things is becoming the internet of everything. Ben Yelin weighs in on the Supreme Court's ruling affecting the Computer Fraud and Abuse Act. And Reality Winner has been released to a halfway house. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/114 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Microsoft disrupts a major BEC campaign.
The scope of cyber espionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed.
SecureWorks offers an account of Hades ransomware and differs with others on attribution.
Final notes during the run-up to tomorrow's U.S.-Russia summit, where cyber will figure prominently.
Helping employees stay secure.
Carole Theriault wonders if the Internet of Things is becoming the Internet of everything.
Ben Yelin weighs in on the Supreme Court's ruling affecting the Computer Fraud and Abuse Act.
And Reality Winner has been released to a halfway house.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 15th, 2021.
Microsoft said yesterday it had disrupted a major criminal enterprise that exploited multi-cloud infrastructure to deploy automated tools
that staged a very large business email compromise scheme at scale.
The sophistication of the campaign suggests the quality of talent and other
resources criminal gangs are able to bring to bear against their targets.
The AP, building on work Group-IB issued late last week, reports that Chinese exploitation
of Pulse Connect Secure, patched some time ago, was more extensive than previously believed.
It remains unclear what data was extracted in the course of the attacks,
but it was clearly an extensive and ambitious cyber espionage campaign.
SecureWorks describes the tactics of the Hades ransomware operators
in a report out this morning.
The researchers called the threat actor Gold Winter,
and they say the gang appears to be financially motivated.
It's a big game hunter that finds and pursues high-value targets, notably in the North American manufacturing sector.
SecureWorks says its findings don't support others' conclusion that Hades is being run by the Chinese state-sponsored actor Microsoft calls Hafnium,
best known for its exploitation of vulnerable Exchange servers.
SecureWorks also disputes attribution of Hades to the Gold Drake gang.
While Hades and WastedLocker share some similar code, SecureWorks believes they're run by distinct threat actors.
Lindy Cameron, head of GCHQ's National Cyber Security Centre, sees criminal gangs, and not attacks run directly by states, as the threat most Britons will face in cyberspace.
She sees coordinated cooperative defense as the proper direction security should take,
But states are far from innocent. Criminal gangs, Cameron explains, typically operate from overseas jurisdictions that turn a blind eye or otherwise fail to act against these groups.
The principal overseas jurisdiction that enables cybercrime is Russia.
Quote, "These criminals don't exist in a vacuum. They are often enabled and facilitated by states acting with impunity," end quote.
The NCSC's Cameron obviously has Russia in mind as the most prominent of the blind eyes and facilitators of cybercrime,
and that's the view U.S. President Biden will take with him to Geneva
when he meets his Russian counterpart for their summit.
President Putin has dismissed U.S. accusations of Russian misbehavior in cyberspace.
Putin said in an interview with NBC News, quote, "Where is the evidence? Where is the evidence?
It's becoming a farce. We have been accused of all sorts of crimes, including election
interference and cyber attacks. We have never created any kind of evidence or evidence of any..."
Mr. Putin says he doesn't remember Mr. Biden's calling him soulless,
so the talks have got that much going for them.
The best hope that an essay in foreign policy can hold out is a cold peace,
which, all things considered, wouldn't be too bad.
Dmitri Alperovitch, who as chairman of the Silverado Policy Accelerator,
a member of Dragos's board, and former CTO of CrowdStrike
has an extensive background in cybersecurity,
and Matthew Rojansky, director of the Wilson Center's Kennan Institute,
draw three lessons from what they see as President Biden's two predecessors' failures
to negotiate successfully with President Putin.
The first is that the U.S. needs a narrow set of objectives
on which progress is at least possible, if not assured.
Next, Biden should deliver American demands without the finger-wagging and chest-thumping
that has sometimes accompanied past U.S.-Russian negotiations.
And finally,
Biden should lay out the consequences of future Russian malign actions in clear and convincing terms. In short, to deter Russian state cyberattacks and state-enabled privateering,
develop an effective and damaging countervalue strategy, and pursue it without public humiliation.
We're reminded of Teddy Roosevelt, who was never very good at living up to his own maxim,
and who would have called the advice "walk softly and carry a big stick."
But the countervalue thinking needs to be serious in identifying what will actually hurt.
Big stick is not to be confused with big schtick,
which has been a perennial temptation of American public action since the days of Yankee Doodle.
Tessian has studied the effects protracted remote work has had on labor forces generally,
and the security company concludes that, on balance,
people have picked up more bad habits than good over the course of the current pandemic.
For one thing, more than half the IT leaders surveyed worried that returning staff will bring into the workplace
infected devices and the malware that infests them.
Tessian says their apprehension is founded. Quote, "Forty percent of employees say they plan to work from personal devices in the office," end quote.
How much this is the employees' fault, as opposed to being traceable to company policies, is of course an open question,
but it does seem clear that securing a network from the possible risks of personal devices is one of the practical challenges any enterprise will face.
More troubling in some respects may be the finding that more than a quarter of employees surveyed say they've failed to report cybersecurity mistakes
because they feared either disciplinary action or what's all too often comparably punitive remedial security training.
Only half of employees bother to report receipt of a phishing email, even when they actually click on it.
So developing HR and training practices that help rather than hurt would seem to be another one of the practical challenges organizations face.
And finally, Reality Winner, a former U.S. Air Force translator
who worked as an NSA contractor in 2018,
received a five-year prison sentence after pleading guilty
to one count of transmitting national security information.
She's now been transferred from prison to home confinement at a halfway house.
Ms. Winner smuggled a classified document from her Augusta, Georgia, NSA workplace
and released it to a media outlet generally believed to have been The Intercept.
The stolen document detailed Russian government efforts
to penetrate a Florida-based supplier of voting software
and the accounts of election officials ahead of the 2016 presidential election,
the AP said in its report yesterday.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Try to think back to the first time you heard the term Internet of Things.
Got it?
Remember the virtual gold rush to try to be first to market,
hosing up everything with a power supply to the Internet,
with security as an afterthought if it was considered at all?
To paraphrase author Douglas Adams,
this has made a lot of people very angry and been widely regarded as a bad move.
Commentator Carole Theriault shares her thoughts on where we find ourselves when it comes to IoT
and highlights an organization doing their best to make things better.
The Internet of Things is moving ever closer to an internet of everything.
And we've already heard of a glut of scare stories surrounding emerging IoT tech. They tend to be
about nanny cams being hijacked by grunts who want to frighten children or cars and fridges being
taken control of remotely by researchers. IoT horror stories can also include less visible
dangers like the Mirai botnet, which
infected possibly millions of IoT devices, most of them cameras and routers, and used their collective
power to launch massive DDoS attacks. Companies with long expertise in building everything from
light bulbs and fridges to cars and railway systems suddenly found themselves also in the
networking and software business. And perhaps inevitably, far too many focused first on getting things to connect and only later tacking on
security provisions when hijacks, data leaks, and other fails embarrass them into action.
As the field reaches a more mature stage, however, there is finally more focus on getting the
security right as a basic rather than as an extra.
One group pushing hard in this direction is the ioXt Alliance, tagline Internet of Secure Things.
Since it was founded in 2019, the group has built an impressive roster of members, including giants like Amazon, Google, and a number of VPN firms.
Now, the ioXt Alliance focuses on eight key areas in their pledge.
These include concepts familiar to most in the security world,
such as using only unique passwords,
properly proven cryptographic methods,
properly signed software,
transparent vulnerability reporting,
and automatic and timely updating.
Its certification program for hardware has covered
everything from switching equipment and air conditioners to smartphones and routers.
And of course, there are a few fridges and light bulbs in the mix too. The thing is,
putting an end to unreliable products pushed out by cowboy outfits or indeed by well-intentioned
amateur producers should benefit each and every one of us,
be we in an office environment or fighting with a home assistant.
Alexa, I said volume down!
As the internet and the physical world become more closely intertwined,
we need groups like this to help build out the structures
on which our lives will depend even more.
Our takeaway here is keep a sharp eye
on the IoT stuff in your environment,
be it your home or your office.
And the simplest approach might be the best.
If you weren't monitoring it or using it,
take it offline.
This was Carole Theriault for the CyberWire.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
but also my co-host over on the Caveat podcast.
Hello, Ben.
Good to be with you again, Dave.
You know, for law and policy nerds like yourself,
it's been a very exciting week.
The Supreme Court came down with a decision on the Van Buren case.
Can you unpack it for us?
What's the brief history and what does it mean?
Yes, I was waiting with bated breath for this decision.
It was argued last November and we waited until very recently to get a decision.
So this decision concerned the Computer Fraud and Abuse Act, which is a federal statute.
It's an anti-hacking statute.
It really has two provisions.
One basically says you can't hack into somebody's computer or network without authorization.
And this other more ambiguous provision says even if you have access to something,
you cannot exceed that authorized access.
And this case concerned what the law meant by exceeding authorized access.
It concerned this guy in Georgia named Van Buren, who was a law enforcement official.
He had access to this license plate database.
He was allowed to look at it as part of his law enforcement work.
But somebody who turned out to be an undercover cop tried to get him to search an individual in this database for non-law enforcement purposes.
He was paid to do this by this undercover law enforcement agent,
was caught and charged.
Mr. Van Buren argued that the Computer Fraud and Abuse Act
should only apply where somebody goes into an area of a network
or a computer where they're not supposed to be.
So exceeding authorized access means going to a folder that
you don't have access to or going to a file that you're not allowed to view, either it's password
protected, for example, or it's very explicit in your company's policies. What the government was
arguing is that the Computer Fraud and Abuse Act should have a broader meaning. It should mean that if you are using anything, some document or
database for a purpose that goes beyond the authorization given to you by your employer,
for example, that in and of itself should be a violation of the Computer Fraud and Abuse Act.
The Supreme Court sided with Van Buren. It was a 6-3 decision written by the court's newest justice, Justice Amy Coney Barrett.
She said, and I won't get too much into legalese here, that when she looked at the textual history
and the context of the law, it was meant to apply in these narrow circumstances where
somebody has access to a computer or a network and they go to a file or a folder where they're not supposed to be.
It's what she calls a gate-up, gate-down approach.
The determining factor is, are you allowed to view this document?
Are you allowed to be in this folder?
What the court didn't clarify is whether that is a code-based approach,
where you were not allowed to view this folder
because it was password protected, encrypted, etc., or whether it is simply based on your company or organization's own policies. That was
left unresolved in this case. So the dissent, which was written by Justice Thomas and joined
by Justice Alito and Chief Justice Roberts, said that the court should have had this more broad
definition, that courts should be able to look at the purpose of somebody using a database
that they were otherwise authorized to use.
So I think most digital privacy advocates are very pleased with this decision.
It means that we're not going to have criminal liability
for a bunch of things that all of us do all the time.
You can see that if this decision went the other way, you know, if our employer told us we can't
use Facebook on our work computers, if the dissent's interpretation had been adopted,
that would expose us to criminal liability because we would have exceeded our authorized
access to that computer. But because the court came down the
way that it did, we're not going to be left in a situation where we're all overly exposed to
criminal liability here.
Now, from a practical point of view going forward, does this mean that
we're likely to see prosecutors limit the range of things that they'll go after folks using the
Computer Fraud and Abuse Act?
Yeah, they're going to have to.
I mean, we're not going to see the scenarios where, you know,
law enforcement is going to throw the book at individuals, and there have been high-profile incidents in the past,
for exceeding their authorized access using databases,
you know, academic databases that they've already had access to,
for some sort of illegitimate purpose,
you know, maybe exposing something in a company's own database as part of a journalistic investigation
or something like that.
Prosecutors are no longer going to be able to use the Computer Fraud and Abuse Act as
a jackhammer unless it is one of those limited types of circumstances
where that person has accessed a file or a folder or anything
that they are not allowed to access.
So we really do have this dividing line, gate up, gate down.
If you are authorized to be in a database,
any part of that database, any part of a computer, any part of a network,
the government doesn't have the authority to prosecute you
based on your purpose of using that database or network.
And that's really a profound decision
that's going to have a huge impact on litigation
under the Computer Fraud and Abuse Act.
Do you suppose this could also point to the need
for the Computer Fraud and Abuse Act to get an update?
I mean, could Congress step in here and say,
hey, this is a law from the 80s.
Things have changed.
It's time for us to...
We've learned a lot since then.
Yes.
It's been over 35 years since the Computer Fraud and Abuse Act
took its current form.
So certainly Congress could have
stepped in and clarified this provision. They could have properly defined what exceeds authorized
access means, and they still could do that. If they are not happy with this decision, they could
clarify in a federal statute that exceeds authorized access does relate to, you know,
somebody accessing a database that they already
have access to and using it for illegitimate purposes. I don't think Congress would do that
at this point. You know, I don't think they would see a need to, and I think it would be
a very difficult task politically. But certainly that's an option that Congress has. And I think it shows that, you know,
if Congress doesn't go in and revisit these laws that were enacted prior to the digital age,
you know, they really should go back
and try to clarify those
before it makes its way through the court system.
I mean, it would be better for public policy
if Congress could have hearings,
could consider changing these definitions,
and it wouldn't be up to nine people in robes trying to parse the definition of the word "so,"
which is exactly what happened in this decision, if you read it closely.
Right, right.
All right, well, thank you for explaining it.
Ben Yelin, always a pleasure.
Always a pleasure, Dave. Thanks.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.