CyberWire Daily - France's ANSSI warns of a long-running Sandworm campaign. DPRK tried to steal COVID-19 vaccine data. Supermicro is exasperated. Static Kitten phishes in the UAE
Episode Date: February 16, 2021. France finds Sandworm's trail in a software supply chain. Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign. Pyongyang is reported to have attempted to steal COVID-19 vaccine information. Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises. Static Kitten is phishing in the UAE. Updates on the Florida water utility cybersabotage. Ben Yelin examines to what degree the FBI can access Signal app messages. Rick Howard gathers the hash table to discuss AWS. And a new executive director arrives at our state cybersecurity association. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/30 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
France finds Sandworm's trail in a software supply chain.
Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign.
Pyongyang is reported to have attempted to steal COVID-19 vaccine information.
Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises.
Static Kitten is phishing in the UAE.
Updates on the Florida water utility cyber sabotage.
Ben Yelin examines to what degree the FBI can access Signal app messages.
Rick Howard gathers the hash table to discuss AWS.
And a new executive director arrives at our state's Cybersecurity Association.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, February 16th, 2021. French authorities, specifically the information security agency ANSSI,
said yesterday that they determined a Russian threat actor has been active against French targets from 2017 to 2020.
ANSSI didn't flatly say which group was responsible,
but it did note, according to Reuters,
that similar tactics, techniques, and procedures
had been seen in use by Sandworm,
also known as Voodoo Bear,
an operation belonging to Russia's GRU
military intelligence service.
ANSSI has also made a detailed technical report available.
The attackers dropped backdoors as web shells in their targets.
The operation appears to have been another software supply chain attack,
with the attackers working their way in through Centreon products used for IT monitoring.
ANSSI didn't say how many victims there had been,
but the agency indicated that most of them were IT service firms, especially web hosting providers.
The similarity in targeting and approach to the Solorigate campaign in the U.S. is obvious. Centreon's customer profile is similar
to that of SolarWinds. The Paris-based firm lists more than 600 customers worldwide, including local
and regional government agencies. There's no informed official conjecture about the goals of the campaign
that exploited Centreon yet,
but Wired quotes industry experts as observing that
Sandworm has a track record of disruption and destruction
and hasn't confined itself to simple data theft.
Centreon hadn't, as of this morning,
posted any statement about the incident to its website.
Wired says Centreon emailed it to say that it was too soon to say
whether the campaign represented an ongoing threat
or whether it had been stopped by the patches and upgrades Centreon regularly issues.
Voodoo Bear, think of them as Fancy Bear's daughter,
is known for going after industrial control systems,
especially those associated with power generation and distribution. Its most well-known tool is the BlackEnergy
malware kit. The threat actor is widely believed to have been responsible for both 2008's distributed
denial-of-service attacks against Georgia and 2015's action against a portion of Ukraine's power grid.
To return to Solorigate, the investigation and mop-up of the very large and presumably very damaging cyber espionage campaign against U.S. targets continues. CBS 60 Minutes this
weekend featured the SolarWinds compromise and highlighted both the scope of the attack and
the effort that went into conducting it. Microsoft President Brad Smith said, quote, I think from a software engineering
perspective, it's probably fair to say that this is the largest and most sophisticated attack the
world has ever seen, end quote. He added that Microsoft believed at least a thousand engineers
were involved in mounting the attack. How Microsoft arrived at
that figure is unclear, and while it's probably better to read a thousand as a lot and not as a
rigorously supportable quantification of the human capital Russian intelligence applied to the task,
it is, in any case, a lot. A member of South Korea's Parliamentary Intelligence Committee
told Reuters that he'd been briefed on an attempt by North Korean operators to breach Pfizer and steal information on the company's COVID-19 vaccine development.
briefed him on the attempted espionage and that the apparent motive was financial.
Pyongyang is looking more to its criminal revenue stream, not to public health in the DPRK.
Last week, Bloomberg renewed its reporting on an alleged Chinese hardware backdoor,
allegedly found on Supermicro products.
The report was greeted with more skepticism than such reports usually are, since the earliest versions of the story, published initially in 2018, generally went unconfirmed by organizations that would have been in a position to confirm them.
Supermicro issued a statement about the Bloomberg story, which says in part, quote, Bloomberg's story is a mishmash of disparate and inaccurate allegations that date back many years.
It draws far-fetched conclusions that once again don't withstand scrutiny.
In fact, the National Security Agency told Bloomberg again last month that it stands by its 2018 comments,
and the agency said of Bloomberg's new claims that it cannot confirm that this incident or the subsequent response actions described ever occurred.
Despite Bloomberg's allegations about supposed cyber or national security investigations
that date back more than 10 years,
Supermicro has never been contacted by the U.S. government
or by any of our partners or customers about these alleged investigations.
End quote.
To round out the familiar four of bad girl nation states,
researchers at security firm Anomali report a Static Kitten sighting.
The threat group, believed to be run by Tehran,
has been targeting government agencies in the United Arab Emirates,
phishing them with the goal of installing ScreenConnect remote access tools
in the systems used by its Emirati targets. The phish bait is usually an Israeli-themed
geopolitical lure, the emails masquerade as communications from Kuwait's foreign ministry,
and the phish hook itself is similar to those used previously in Operation Quicksand.
There's not much new to report about the Oldsmar, Florida
water utility sabotage attempt. Local authorities in Oldsmar have grown increasingly tight-lipped
about the attack on the town's water system, with the Pinellas County Sheriff discouraging
any municipal officials from discussing what is, as they say, an ongoing investigation.
Detectives are on the case, they say,
and the sheriff wants the public to understand that it was never in any danger.
And finally, if you'll indulge us as we share some local news,
we'd like to send our congratulations to Tasha Cornish,
who's just been appointed executive director of the Cybersecurity Association of Maryland.
Our congratulations to Ms. Cornish and our best wishes to the organization she now leads.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and
their families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Rick Howard is the CyberWire's chief analyst and also our chief security officer, and he is the host of CSO Perspectives, a podcast that you can hear on CyberWire Pro.
Rick, great to have you back.
Thank you, sir.
On this week's CSO Perspectives, you are wrapping up your two-part miniseries on AWS Cloud Security,
going through a first-principle lens, and you brought your experts to the hash table
this week. What happened? How'd it go for you? Well, Dave, as you know, I love the CyberWire
hash table. I mean, those discussions help get me out of my own thought bubbles, which I need to do
on a regular basis. Okay, so thank goodness I have that thing. To that end, I brought in some old
friends, Merritt Baer. She's a security architect for AWS,
and by the way, wicked smart, way ahead of me in most cases, and Jerry Archer, the Sallie Mae CSO,
and a new colleague making his first appearance at the hash table, Mark Ryland, from the office
of the CISO at AWS. And one thing that is emerging from these discussions is a disagreement in the security community about the need for intrusion kill chain prevention in cloud environments.
So Amazon isn't alone here either.
Microsoft has the same general idea too.
Although they did just announce this week an enhancement to their Office 365 Defender dashboard product that will start tracking APT groups in the future.
So that's all positive.
I remember thinking back, one of the first conversations you and I ever had at RSA,
before you were part of the CyberWire, when you were at Palo Alto,
we were talking about the intrusion kill chain.
And that is a foundational pillar in your first principle strategy.
What did these cloud providers disagree with?
Well, you know, what I discovered is it's not so much a disagreement about the strategy.
It's really a disagreement about what intrusion kill chain prevention is.
And it's not just the cloud providers either.
There are many security practitioners who are in that same exact boat.
So we have a pretty lively discussion about that in this episode.
AWS has been around how long? 2006, I guess? 2006, yeah.
Wow. And everybody is talking about moving to the, you're either moving to the cloud,
one form or another. I mean, that's where everybody, it's the place to be today, right?
That's right. That's what everybody's thinking about. But my question is like, yeah, but has anybody actually made it there completely?
And these new companies that are spinning up, I mean, can they call themselves to be cloud native?
Well, yes, of course.
If you're a small startup and you've come into existence, say, in the last 10 years, there's a really good chance that you have most of your assets in a cloud somewhere. And the CyberWire is a good case study. You know, we have
some backups on-prem, but we mostly run the operation with SaaS applications and an AWS
virtual private cloud, or VPC as the new kids call it. Where the air gets more rarefied is in
bigger organizations that have been around for a while,
and I'm including government organizations in that group too. If you've spent a lot of resources in
the past, and I'm talking money, time, and people here, to build your own data centers and networks,
your move to the cloud has been noticeably slower. But there are unicorns, right? And
Sallie Mae is one of them. Sallie Mae is a publicly traded consumer banking corporation.
And as the CSO, Jerry Archer helped move it almost completely over to AWS.
They don't run their own data centers at all.
And they have deployed VPCs for every major application.
And get this, they don't even use laptops anymore.
They run their client.
They run thin clients for their employees out of the AWS VPC.
So in this episode, we talked to Jerry about how he secures those environments.
Wow.
All right.
Well, I'm looking forward to that.
It is CSO Perspectives.
Again, it's part of CyberWire Pro.
You can learn about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security,
also my co-host on the Caveat podcast where we discuss privacy and surveillance, law and policy.
Ben, great to have you back.
Good to be with you again, Dave.
Interesting article from the folks over at Forbes.
This is written by Thomas Brewster.
And the title of the article is, Can the FBI hack into private Signal messages on a locked iPhone? Evidence indicates
yes. What's going on here, Ben? So obviously a lot of users have moved to signal from other
encrypted applications. It's now among the most popular applications for encrypted messaging.
And an attorney who works for the Program on Extremism
at George Washington University was able to obtain court documents
that seemed to show law enforcement gaining access
to these encrypted communications,
even though the devices used by the criminal suspects were locked.
So this was a couple of gentlemen accused of running a gun trafficking operation in New York.
Their encrypted messages included information about this operation.
Obviously, as the article notes, they have not entered a plea, so they are innocent until proven guilty.
But that's at least what the allegations are. It is unclear how
law enforcement was able to get access to these encrypted communications
from Signal. Apple,
because these were iPhones, were contacted for their comments on
the issue, and they said they would not comment on it, probably for obvious reasons. They don't want to reveal any privacy or
security flaws in their own software.
Signal was contacted, and a spokesperson on behalf of Signal said, if somebody is in
physical possession of a device and can exploit an unpatched Apple
or Google operating system vulnerability, then they can act as the true
owner of that device.
So their suggestion seems to be,
make sure that your updates are frequent,
that you are downloading all of your patches,
that your devices are up to date,
and choose a strong lock screen passcode.
I think that's certainly wise advice
for users of the Signal application.
I think that doesn't give us a satisfying answer
in terms of how law enforcement was able to access this.
We don't know particularly
what generation of iPhone was used,
so I just think there's a lot we don't know.
Yeah, there's an interesting detail in this article.
They refer to something called partial AFU.
And AFU stands for after first unlock.
And it's an interesting sort of technical thing about an iPhone.
So it's a phone that's locked but has been unlocked previously and not turned off. And what's significant about that is that
it makes the phone more susceptible to having the data extracted because the phone's encryption
keys have been generated and they're stored in memory. So you power your phone up, you unlock
the phone, the phone does the things that it does to verify that it's you, does what it does with its encryption keys, and it stores those in memory. Cellebrite, you know, the folks who make these, what they refer to as lawful intercept tools,
they're more likely to be able to access information when the phone is in that
state. So there's speculation that perhaps that's what's going on here.
Yeah. And what this article makes clear is that these tools, the GrayKey or Cellebrite tools, are
tools we know are used by the FBI. And we know that because we have good journalists who have subpoenaed documents
and have figured out that federal law enforcement
has been able to get access to these things in the past.
So I guess the lesson there for users is frequently turn off your device
when you're not using it.
Or before you turn it over to law enforcement,
power it down, I guess, would be good best practice.
Yeah, I hate to say it, but you may not,
depending on the circumstances of your device being obtained by law enforcement,
you may not have that option.
But if you do have that option, that's probably the wise tack to take.
All right, well, it's an interesting article for sure.
Again, this is over from Forbes, written by Thomas
Brewster. It's titled,
Can the FBI hack into private Signal messages
on a locked iPhone? Evidence indicates
yes. Ben Yelin,
thanks for joining us. Thank you. And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security Hah.
I join Jason and Brian on their show for a lively discussion of the latest security
news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check
out the Recorded Future podcast, which I also host. The subject there is threat intelligence,
and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
See you back here tomorrow.