CyberWire Daily - Exploitation of Exchange Server spreads rapidly across the globe. The US mulls its response to Russia over the SolarWinds compromise (and to China over Exchange Server hacks).
Episode Date: March 8, 2021
Threat actors rush to exploit Exchange Server vulnerabilities before victims get around to patching--it's like a worldwide fire sale. Rick Howard digs into third party platforms and cloud security. ...Robert M. Lee from Dragos shares insights on the recent Florida water plant event. The US mulls some form of retaliation against Russia for the SolarWinds supply chain campaign, and it will also need to consider how to respond to China's operations against Exchange Server. (And another Chinese threat actor may have been exploiting SolarWinds late last year.) For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/44
Transcript
You're listening to the CyberWire Network, powered by N2K.
Threat actors rush to exploit Exchange Server vulnerabilities
before victims get around to patching. It's like a worldwide fire sale.
Rick Howard digs into third-party platforms and cloud security.
Robert M. Lee from Dragos shares insights on the recent Florida water plant event.
The U.S. mulls some form of retaliation against Russia for the SolarWinds supply chain campaign,
and it will also need to consider how to respond to China's operations against Exchange Server. And another Chinese threat actor may have been exploiting
SolarWinds late last year. From the CyberWire studios at DataTribe, I'm Dave Bittner with
your CyberWire summary for Monday, March 8th, 2021.
Chinese threat actors' exploitation of Microsoft Exchange Server zero-days has proven about as extensive and damaging as early fears held it to be.
Bloomberg sums up current views of the incident, saying that it's morphing into a global cybersecurity crisis,
with exploitation racing against patching and remediation.
Krebs on Security put the total number of U.S. organizations affected by exploitation of
the Exchange Server vulnerabilities at about 30,000. The Washington Post reports that the
count of victims has already exceeded the number of targets affected by the SolarWinds compromise.
Nor has the incident been confined to U.S. targets. The European Banking Authority, for one,
yesterday disclosed that it too had been
affected and that it has taken its email systems offline as an initial response. Not all such
exploitation is the work of Hafnium, the Chinese-affiliated threat actor Microsoft identified
last week as being behind the campaign. In a Friday update to the relevant security advisory, Redmond wrote,
quote, Microsoft continues to see increased use of these vulnerabilities in attacks targeting
unpatched systems by multiple malicious actors beyond Hafnium, end quote. So, as often happens
in such cases, the attack has changed from a break-in by a single organization to a riot,
with many opportunistic groups smashing metaphorical windows and looting virtual organizations.
The Washington Post reports that the change occurred last week.
Paraphrasing security firm Volexity's Steven Adair, the Post says,
other unidentified actors, some of them no doubt simple criminal gangs, have raced to join the exploitation.
As Adair put it to the Post, quote,
They went to town and started doing mass exploitation, indiscriminate attacks compromising Exchange servers literally around the world with no regard to purpose or size or industry.
They were hitting any and every server they could, end quote.
That kind of indiscriminate approach isn't entirely consistent with espionage,
although a lot of collection can be indiscriminate since things like credentials and PII could
always come in handy and you never know. But it is consistent with multiple actors,
many of them criminal, taking advantage of the same vulnerabilities.
It's also consistent with an intelligence service acting to get as much as it can while the getting's good before patching shuts them out.
Many of the victims in the U.S. have included small and medium-sized businesses, local governments, and schools.
As the National Security Council tweeted over the
weekend, simple patching isn't enough. Affected organizations must find and eject any of the
web shells the attackers left behind. The number of victims is very large, and mopping up will
represent a protracted challenge. Wired quotes an unnamed security researcher as calling the
number of victims astronomical.
That's an exaggeration, to be sure, since the total number of potential targets is far less than the number of stars in the heavens.
But it's a forgivable overstatement, because that number is surely really, really large.
Anyone who operates an exposed Exchange server should assume they've been compromised and act accordingly.
Reuters reports that the White House has warned that the incident is a serious one, with an official saying,
quote,
The U.S. administration is forming a task force to organize a whole-of-government response to the cyber operations, CNN says.
According to the New York Times, Deputy National Security Advisor for Cyber and Emerging Technology Neuberger is said to be leading that effort.
Chinese operators have been busy elsewhere, too.
ZDNet reports that it's not just the Russians who got busy with SolarWinds.
SecureWorks' counter-threat unit has detected what appears to be a Chinese threat actor.
SecureWorks calls it Spiral, using compromised SolarWinds servers to deploy the web shell
Sunburst. The furor over the Hafnium operation comes on top of the earlier and continuing furor
over the SolarWinds compromise and related cyber espionage efforts.
These have been generally attributed to Russian operators,
and the U.S. is said to have begun preparing a response that the press is calling retaliation.
The Chinese operation may be bigger, at least in terms of the number of organizations affected, but both are regarded as very serious.
The New York Times quotes U.S. National Security Advisor Sullivan on the range of potential U.S. responses.
Sullivan observes that some of the response may not be particularly visible to the larger world.
He said, quote, I actually believe that a set of measures that are understood by the Russians but may not be visible to the broader world are actually likely
to be the most effective measures in terms of clarifying what the United States believes are
in bounds and out of bounds and what we are prepared to do in response, end quote. In any case, the
response to both Russia and China will probably
involve the imposition of a familiar range of costs. Economic sanctions will almost certainly
be used, although in Russia's case it's unclear just how much remains to be sanctioned, and other
measures will in all likelihood include indictments, naming, and shaming. They are also likely to involve some
sort of retaliatory cyber operation. Both the Russian and Chinese operations are unusually
troubling because they represent at least a potential threat that extends beyond intelligence
collection. That's serious enough, but the possibility of data corruption or destruction
is more serious, and the potential
to compromise systems in ways that might make attacks on control systems possible is more
serious still. There's no direct publicly available evidence that these more destructive
operations have occurred, but they represent a risk that affected governments cannot ignore.
Among the responses to the SolarWinds compromise
is likely to be an essentially defensive executive order
aimed at preventing similar attacks in the future.
The White House did signal on Friday
that an executive order was under preparation
to induce software developers
to build greater security into their products.
CyberScoop reports that Deputy National Security Advisor Neuberger
told a SANS summit that the proposed executive order,
quote, will focus on building in standards for software,
particularly software that's used in critical areas.
The level of trust we have in our systems
has to be directly proportional to the visibility we have,
and the level of visibility has to match the consequences of the failure of those systems, end quote. And finally, not to further harsh your buzz,
income tax time is approaching in several parts of the world,
but there's some news to make that annual news, if not good,
I mean, let's be realistic, at least less bad.
The National Cybersecurity Alliance and the Internal Revenue Service have published some
advice on how both businesses and individuals can stay safe during a period when scammers
are traditionally active. You can find it at staysafeonline.org, and happy filing.
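The news segment above notes the National Security Council's point that patching an exposed Exchange server is not enough: any web shells dropped before the patch went on are still there. The following is an added example, not from the CyberWire episode or from Microsoft, of a first-pass hunt an administrator could run on an on-premises Exchange server. The directory list is an assumption based on publicly reported drop locations for post-exploitation web shells, and the marker regex is a hypothetical starting point, not a signature; both should be adjusted to the local install.

```powershell
# Added example (not from the podcast): first-pass hunt for recently written
# ASP.NET files in IIS/Exchange directories where post-exploitation web shells
# were publicly reported. Paths and markers are assumptions; tune locally.
$paths = @(
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    "C:\inetpub\wwwroot\aspnet_client",
    "C:\inetpub\wwwroot\aspnet_client\system_web"
)

# Look back far enough to cover the pre-patch exposure window.
$since = (Get-Date).AddDays(-30)

# Hypothetical markers that show up in many ASP.NET web shells: request
# parameter access feeding eval/process execution. Expect false positives;
# the goal is a review list, not an automatic delete.
$markers = 'Request\["|Request\.Item|Request\.Form|eval\(|JScript|cmd\.exe|' +
           'System\.Diagnostics\.Process|Runtime\.InteropServices|unsafe'

function Find-SuspiciousAspx {
    param([string[]]$Paths, [datetime]$Since, [string]$Markers)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        Get-ChildItem -Path $p -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            ForEach-Object {
                $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                $found = @()
                if ($content) {
                    $found = [regex]::Matches($content, $Markers) |
                             ForEach-Object { $_.Value } | Select-Object -Unique
                }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime
                    Written  = $_.LastWriteTime
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Markers  = ($found -join ', ')
                    # Hash so hits can be compared against a vendor IOC list
                    # and preserved for the incident record before removal.
                    SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$hits = Find-SuspiciousAspx -Paths $paths -Since $since -Markers $markers
$hits | Sort-Object Written -Descending | Format-Table -AutoSize

# Keep the evidence: export the list before anyone starts deleting files.
$hits | Export-Csv -Path "$env:TEMP\exchange-aspx-review.csv" -NoTypeInformation
```

Legitimate Exchange files live in these directories too (the OWA and ECP auth pages, for instance), so a hit means "review this against a known-good install of the same build", not "delete". Files with recent timestamps, tiny sizes, random-looking names, or request-to-execution markers are the ones to pull for analysis, and a server with a confirmed shell should be treated as fully compromised rather than just cleaned, which is the point the segment makes.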
And joining me once again
is Rick Howard. He is the CyberWire's
chief analyst and also our chief security officer.
Rick, great to have you back.
Thanks, Dave.
So, over the last few episodes of your
CSO Perspectives show,
you've been looking at how to secure the various cloud provider networks that are out there.
But, okay, you're an old Palo Alto networks guy.
Oh, no.
Write it out.
You found me out.
I don't think that's a big secret in the industry.
But I was wondering, are you going to get around to addressing some of the third-party solutions?
I mean, you know, security solutions that don't actually come from the cloud providers.
Well, that's a good point because, you know, you might be surprised to learn this, Dave,
but most of us don't store and process our data in a single cloud environment.
You know, who knew?
Okay.
I mean, just, you know, using the CyberWire as an example, we use AWS, but we also use like 25 other SaaS applications.
And not to mention our backup systems back at headquarters.
And we are relatively small compared to big government and big academic and big commercial.
Those organizations have data scattered all over the world.
So help me understand here. Is what you're saying that using a cloud provider's security tool set is just adding another layer of complexity to, I think what we can all agree is,
a pretty tangled security ecosystem? That's right. You know, and in a time when we should all be
looking to reduce complexity, because the more complex it is, the more difficult it is to
maintain, adding another layer of security tools from the cloud provider
that doesn't easily integrate with the rest of your security ecosystem
may not be the best solution for you.
In fact, before we all started moving to the cloud some 10 years ago,
orchestrating this ecosystem was really hard to do.
Now that most of us are working in at least one cloud environment,
orchestration is even harder.
So in this show, we take a look at how some of the big security platforms like Fortinet, Cisco, Check Point, and Palo Alto Networks, you know, my alma mater, might be the best security solution, not just for your cloud environments, but for wherever you store and process your data because of their innate ability to orchestrate across all of those environments with a single policy.
All right. Interesting. Well, I'm looking forward to checking that out. That is CSO Perspectives.
It is part of CyberWire Pro. You can find out all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us. Thanks, Dave.
And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I wanted to check in with you and kind of get a ground truth reality check
when it comes to this recent incident with the water system in Oldsmar, Florida.
Can you give us your perspective on what exactly went down here?
Yeah, and the interesting thing to start off with is I don't know that we actually fully know what went down.
So the public reporting is that there was an internet-connected human-machine interface.
This is a software that operators will use to click on buttons to open valves or kick on pumps or so forth.
It's a view into the operations that allows you to control it.
The story goes that an adversary remotely accessed the internet-exposed HMI.
They didn't have a firewall and so forth.
And with that HMI, they tried to dump lye into the water,
which would then obviously poison or significantly hurt people at a minimum,
but probably kill some folks in the community.
And so that's a huge deal in any means.
So I'm not going to underplay this.
I mean, it was an attack on a facility, and it was an attack from a safety perspective,
not on a safety system.
They were trying to hurt people on American soil.
That's insane.
But why I say I don't know we fully know the details
is some of the insights that have come out
and some of the FBI reporting has been a little bit
conflicted on some of the technical details.
And some of the things are highlighting like,
oh, they had Windows 7 software, shared credentials,
have nothing to do with the attack they described,
but yet they were really concerned about it.
I'm not so sure that they're capturing necessarily what had happened there.
We're investigating some stuff ourselves,
so I need to shy away from the topic just a little bit,
but I'll say that I think there are multiple scenarios that took place.
We need to hone in on what exactly took place so we can provide reasonable recommendations out to the community.
But either way, a remote adversary did try to dump lye in the water and hurt people, and that is a big deal.
What about the notion that, as you say,
you know, this whole thing is a bit insane, but isn't cranking up the sodium hydroxide in the water, I mean, isn't that kind of insanely noisy? Like, if you want to draw attention to yourself,
you don't crank the dial up to 11?
I don't know. It depends.
It's kind of depending on the system
and the operator and everything else.
There's some environments, as an example,
where regardless of what you say in the PLC,
regardless of what you say on the HMI,
the valve can't even support that.
You can crank it up to 11,000 parts per milliliter,
but it's not going to actually do that.
Maybe instead of a 100 to 1 scale, it's a 10 to 1 scale.
But that's not universal.
At some sites, you can.
At some sites, if you did this, an alarm would trip
and there'd be a literal sound in the plant
and operators would figure it out real quick.
At some sites, it'd be a little blinky light on an HMI
with another 50 blinky lights and they may not see it.
The reality is there's not any way to generalize everything at every plant.
And there are some water facilities that this exact same style of attack
would have done very little, if anything.
And there's some water facilities that this exact same style of attack
would have significantly hurt and possibly killed people.
Yeah, I guess my thinking is that, you know,
you would imagine that someone would be a little more, they would take more steps.
They'd say, okay, I'm going to change this a little bit, see if anybody notices.
I'm going to change this a little bit, see if anybody notices.
I mean, if you've got access.
Yeah.
If you've got access.
If your point is harm, why hold back?
Yeah, I think a lot of folks, and look, it's a good question, but I think a lot of folks try to rationalize,
well, if I was the adversary, you're not.
I mean, just stop it there.
Like, well, I think you, well, are you the adversary?
No? Okay, all right.
Well, then stop mirror imaging the adversary.
They've got their own motivations.
They've got their own experience.
They've got their own understanding of the problem.
Sometimes they do stupid things.
Sometimes they do stupid things that we think are stupid
that are actually smart things.
We just don't know. And I saw a lot of commentary on social media about that.
Well, if I did this, I would have done it these three ways. And this is obviously a basic threat to do it this way.
No, that's not obvious. It could be a sophisticated actor that did this. It could be a criminal actor that's domestic.
Who knows? But you can't look at what they did with an HMI and predict
the sophistication of the actor because sometimes really basic stuff is all that's required.
No, it's a really good point. I mean, it's so easy to fall into reading the tea leaves that,
oh, they went after a small town instead of a big city.
Plus Tampa, therefore, is related to the Super Bowl and what they're really trying to accomplish.
And oh my gosh, it's like
multiple levels of analytical
leaps.
So where do we go from here?
How does this inform
how we
consider these sorts of vulnerabilities
going forward?
I don't think there's any serious professional in this industry,
especially working in ICS security,
that is shocked at the state of many of our infrastructure sites.
There are so many of our infrastructure operators,
asset owners and operators, that are doing such amazing work.
When you talk about 55,000 municipal water systems,
where they might not even have an IT person,
let alone a security person,
and they're under-resourced and under-staffed and everything else,
it's not a shock.
And so I don't know that you massively fix this
in any one way.
We have serious conversations about how we invest
in our infrastructure, how we think about technology,
how we think about workforce development,
how we think about engineering training
to design out some of the security risk.
There's a lot of stuff to think about at a macro level,
but the reality is there's nothing new
that's kind of informative about the style.
It might be new in helping people understand
that these things are going to happen,
that yeah, it's going to happen on American soil.
There's a lot of like, well, that didn't happen,
like Ukraine attack.
I remember when Ukraine had happened.
The community eventually got around it,
where the first six months it was like,
yeah, but that was Ukraine, that's not us.
But it could happen here.
Well, yeah, that was Ukraine.
And Trisis has happened.
That's Saudi Arabia.
And so sometimes we fall into that.
And so the fact that this happened in the US
is in some way like a call to some.
But again, my point being,
these things are going to happen more.
The more our infrastructure gets connected,
the more adversaries get focused on it,
the more frequently we are going to see ICS attacks.
I've talked about this kind of trend for years
and what we're anticipating.
And we need to think about organizational
and institutional change with the strategies behind it,
not point security solutions.
Not, well, if they were just using multi-factor, it would have been solved.
Or if they were just doing this one thing, it would have been solved.
No, it wouldn't have been.
I don't know the folks at Oldsmar, but I know plenty of folks in the water industry.
And for some of them, there's EPA regulations of, hey, if a pump fails,
you've got to be able to access it within a 30-minute window.
But they live an hour and a half away
because they've got 15 plants to monitor and they're the
guy on call. And so the only way
to get to it is remote access software.
So it's, I hate
the, these guys are morons and
screw the water people. Nine times
out of ten, they're just doing the best
they can to keep the water on
and to keep it clean, to keep it going.
So I don't like the victim blaming crap,
but I think we're silly if we think there's a simple answer
and we need to sit down and have that conversation
and what that looks like, put out a strategy,
and go approach it because it's going to get worse.
It's not going to be Die Hard,
stop freaking out about all the scenarios,
but it's going to lead to death.
It's going to lead to environmental impact.
Oldsmar was a facility with 15,000 people
that depended on it.
That is not a national critical infrastructure site
under any consideration.
That is not a significantly impactful
critical infrastructure site.
That is not a national security topic.
But to those 15,000 people, it sure as hell is.
Those are 15,000 humans.
And so we've got to do better for sure.
Yeah.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.