CyberWire Daily - It’s not Kates and Vals over Ford Island, but it’s not just a tourist under diplomatic cover taking pictures of Battleship Row, either. Another APT side hustle? To delist or not to delist.
Episode Date: January 5, 2021
More assessments of the Solorigate affair, with an excursus on Pearl Harbor. Shareholders open a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/2
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More assessments of the Solorigate affair with a side trip to Pearl Harbor.
Shareholders opened a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading.
Emissary Panda seems to be working an APT side hustle.
Kevin Magee has insights from the Microsoft Digital Defense Report.
Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 5th, 2021.
Qualys offers a look at the back door installed in the Solorigate cyber espionage operation.
They draw particular attention to the malware's evasiveness and use of domain generation algorithms.
Their concluding assessment is about as gloomy as might be expected.
Quote,
In the end, we can conclude that the techniques which the attackers have used in this breach are very sophisticated.
Supply chain compromise, data encoding, impaired defenses,
and dynamic resolution, to name a few.
Instead of doing major damage to the infected system,
the attackers have focused on staying unnoticed from security products.
In the coming days, we can expect to see widespread use of similar attacks.
End quote.
A ZDNet op-ed throws its hands up and declares the SolarWinds software supply chain cyber espionage campaign to be worse than imagined. Assessing just how bad it is would require more understanding of the incident and its effects than is now, publicly at least, available, but consensus remains that it's pretty bad.
IronNet offers a set of expert takes on why this form of cyber espionage,
more than an ordinary data breach,
has the potential to serve as preparation for more serious attacks later.
A lot of people continue to call this a cyber Pearl Harbor or a cyber 9/11, but these metaphors still seem wayward.
Thousands were killed at Pearl Harbor and on 9/11, but as far as anyone knows, there have been no physical casualties attributable to the SolarWinds hack, so it's probably best to reserve the Pearl Harbor talk until, heaven forfend, people are actually killed or injured on a large scale by a cyber attack.
So why have intelligent observers been willing to talk about a cyber Pearl Harbor? In truth, this campaign is more worrisome than ordinary collection. The threat actors corrupted a software supply chain and quietly established persistent backdoors in organizations that use that supply chain.
This makes it possible, perhaps even likely, that the effort amounts to battlespace preparation, the staging in cyberspace of capabilities that could be deployed in attacks having widespread effect, including kinetic effects.
So it amounts to more than just knowing that USS Pennsylvania was in dry dock
and that USS West Virginia, Oklahoma, Arizona, California,
Maryland, Tennessee, and Nevada were at their moorings on Battleship Row.
But it's far less than the appearance over Oahu of Kates and Vals from the First Air Fleet.
Not yet a cyber Pearl Harbor, but it's not just collection as usual either.
SolarWinds shareholders have filed a class action suit against the company,
whose Orion software has been at the center of the eponymous cyber espionage incident.
The plaintiffs allege, Fox Business reports, that the company misrepresented and failed to
disclose information about the incident, and this amounted to failing its duty to disseminate
accurate and truthful information.
The harm is alleged to be, first, reputational, as both the company and its shareholders look bad, and second, financial, as the suppression of bad news is alleged to have artificially inflated the company's stock.
It was bound to come crashing back to earth once the air was out of the balloon.
The plaintiffs also allege that SolarWinds
executives had actual knowledge of the material omissions and or the falsity of the material
statements, and that worse yet, they intended to deceive plaintiff and the other members of the
class or, in the alternative, acted with reckless disregard for the truth when they failed to
ascertain and disclose the true facts in the statements made by them or other SolarWinds personnel to members of the investing public.
They're not asking for a specified amount, but rather for reasonable costs and expenses incurred,
like spending on legal counsel and various experts, as well as whatever additional relief
the court should judge appropriate. SolarWinds hasn't, as far as we've seen, commented directly on the lawsuit,
but its representatives are making the right pacifying noises about working with law enforcement and intelligence agencies
to get to the bottom of the incident,
and about doing everything it can to identify, remediate, and mitigate this sort of risk,
including its effects on third parties.
At the close of trading yesterday, SolarWinds shares were priced at $14.53,
a 34% drop-off since the incident came to light.
It's worth noting that the class-action lawsuit against SolarWinds isn't about suspicion that
company insiders traded to their advantage on non-public information.
The plaintiffs assert that they were misled, that the company's valuation was artificially inflated,
and that, had they had an accurate picture of the business, they wouldn't have bought the stock.
Simply Wall St observed back on November 19th, well before the news of the cyber espionage came to public attention,
that SolarWinds insiders had for some time been selling rather than buying shares.
That's not at all criminal or even unseemly, but it's a data point outside investors find interesting.
But one large sale in December did raise retrospective suspicions. Silver Lake and Thoma Bravo on December 7th sold
some $315 million of SolarWinds stock to the Canada Pension Plan Investment Board. FireEye
disclosed an incursion on December 8th, and SolarWinds disclosed on December 14th that the
company had been apprised of the incident. This raised eyebrows, as Axios reported on December 18th,
that some investors may have traded on non-public knowledge of the problem.
SolarWinds denied this and was publicly backed by the CPPIB,
so that story hasn't shown legs, at least not in the present lawsuit.
Chinese threat actors may be involved in an APT side hustle. Researchers at Profero
and Security Joes say they found Emissary Panda, the Chinese state-run threat group also known as
APT27, conducting ransomware attacks. Their attribution is based on code similarities and
TTPs, but they caution that all such attribution
carries an inevitable degree of uncertainty.
Most ransomware strains have by now evolved
information-stealing capabilities,
so the ongoing campaigns may represent a twofer,
self-funding intelligence collection.
The principal objective is intelligence collection,
with any ransom representing so much gravy,
perhaps to fund the operation, or perhaps as an incentive to the operators running the campaign.
The New York Stock Exchange's on-again, off-again delisting of three major Chinese telecommunications
companies in response to U.S. sanctions has roiled the market for China Mobile, China Telecom, and China Unicom shares.
The Wall Street Journal reports that share prices fell between 3 and 6 percent in trading yesterday
after news broke that the New York Stock Exchange would delist the three companies
in compliance with a U.S. executive order blocking, on security grounds,
Americans from investing in them. But late yesterday evening, the exchange said it had reconsidered,
and after a consultation with various regulatory authorities,
would continue to list the company's shares.
CNBC speculates that the NYSE is counting on the Biden administration
to take a more irenic approach to Sino-American relations,
and of course, the security implications of those regulations.
The ransomware criminal marketplace continues to expand its offerings,
and it's noteworthy that ransomware as a service
is a growing trend, providing the opportunity to do online crime to those who may not have
the technical know-how to roll their own. The team at threat intelligence firm Intel 471 have
been tracking the evolution of this trend. Jason Passwaters is chief operating officer and co-founder of Intel 471.
Yeah, I think it just goes back to, you know, the days of Zeus and the kind of professionalization or the kind of productization, if you will, in the malware space.
And, you know, as folks made more and more money, they saw the kind of, you know, the ROI there.
And they've really kind of defined and matured a business model
around it.
And that's what you see today is a business model at play that has resiliency built in.
It's got all kinds of stuff like support, everything you'd see in a typical business,
but obviously doing much more nefarious things.
Well, let's walk through that business model together. I mean, suppose I'm someone who
has my sights set on sending some ransomware out into the world, but I don't have the technical
skills to do it. Where do I begin? Yeah, I mean, you hear deep and dark web
often. I don't really see it as deep and dark. It's a very well-organized marketplace, and it is really organized in a product services and goods model.
And then you have consumers, obviously.
So first place you would look is in the marketplace.
It's not that every low-level threat actor can get involved in a ransomware affiliate right away,
but they might start with doing low-level hacks or selling accesses into different organizations or companies.
And that might be their pivot point into the ransomware as a service space.
And who are some of the big players here that you're tracking in this space?
Yeah, so there's a lot of things popping up. We have a model for pretty much everything in the marketplace. Like I said, it's broken down into products, services and goods. So we have this model, a tiered kind of setup, where if we're looking at a specific service or a specific product or some specialty or focus area in the marketplace, we break it down into tier one, two, and three. You know, the big players are going to be, you know, your Egregor, your DoppelPaymer, NetWalker, REvil, as well as the Ryuk and Conti side.
So do you suspect that, certainly in the short term, I suppose, this model is here to stay?
I do. I do. I think the criminals have the ability to change faster oftentimes, but that, I believe, is where the intel, the threat intel industry, can kind of play a large role in keeping abreast of what's going on, keeping up with the adversary, and then constantly making sure that their business is informed so they can make decisions to keep pace.
That's Jason Passwaters from Intel 471.
And I'm pleased to be joined once again by Kevin Magee.
He's the Chief Security and Compliance Officer at Microsoft Canada.
Kevin, it's great to have you back.
I want to touch today on a report that you all recently put out. This is the Microsoft Digital Defense Report. First of all,
let's start with some high-level stuff here. What prompted the creation of this report?
I think really that the new reports are a reimagining of the Microsoft Security Intelligence
Report, called SIR, that a lot of your listeners are probably familiar with because we've been
publishing it since 2005. And the SIR report was really operationally focused. And this new
iteration will be more focused on sort of strategic threat intelligence, you know, providing greater
contributions across the company. We have 77 countries represented. So a truly global perspective
and providing, you know, strategic threat intel that leaders really need to make better informed
decisions. Well, let's go through it together. I mean, what are some of the things that caught
your eye? Well, I think just from a high level, regardless of what company you work for in the
industry, we're all defenders and we're all part of a larger community with a shared mission.
And as defenders, we're better when we have a more complete view of the evolving techniques
of the threat actor.
So that's what we're really trying to provide in this report. And we've broken it into three areas that we found were most relevant to decision makers.
And that's cybercrime, nation-state threats, the current remote workforce, and then we include also some actionable learnings that we've taken from the report.
So not only can you read the report as a decision maker,
there's real concrete things you can do to improve your security posture
included in the report as well.
Well, let's go through each of those categories together.
Can you give us some highlights from each section?
Yeah, I think in the cybercrime, the things that really jumped out at me
that I like to discuss with non-technical people, either policymakers or business leaders, is we're moving away from an infrastructure-focused attacks to identity and applications.
That's really what we need to be protecting now. Things that are happening in the news headlines to evolving tactics and how threat actors are changing how they perceive attacks and how they administer attacks.
And then finally, there's a human element that we're starting to see introduced into attacks now that's really changing how we defend and how we need to think about attacks.
So we don't think about a Ryuk attack anymore.
We're very focused on this sort of media-driven narrative of the attack that names it via the tool. And we're seeing a switch to more of a human-operated cyber attacks and cyber crime where at each point in the attack, a decision is made on how best to proceed next.
So they're getting much more sophisticated.
They're using multiple tools.
And the best example I really use to think about this differently is,
we've for a long time focused on deflecting the arrows.
And now we have to start thinking about the archer,
which is the threat actor and how we can position our security posture and make better decisions based on the threat actors most likely to attack us
rather than the actual tools they're using.
Now, that's a really interesting analogy. What are you tracking on the nation-state trends?
Many of the trends really are tracked similar with other organizations out there that are doing research work. But we're seeing a lot of overlap now. I think that's what our report really is, is the message we're trying to land in, that nation states are adopting a lot of the tactics that cyber criminals are using.
And cyber criminals are actually evolving to the level where they're mounting attacks at the size and complexity of nation state actors. So you need to really start thinking about, again, not the tool that's going to attack you or preparing for defense posture that is on the providing them with the tools or with nation states where they're emulating those type of attacks to evolve how they're really mounting their attacks on organizations?
And then what were some of the other bits of information that you gathered here?
What were some of the other highlights?
So I think, again, we're seeing these attacks where cyber criminals are actively making decisions as they go.
They're controlling each step of the attack based on the configurations and defenses they encounter in the network.
So they'll do quite a bit of reconnaissance.
They maybe use an open source tool like Mimikatz to harvest credentials.
Then based on the reconnaissance, they may use a different payload for ransomware or whatnot or a different tactic once they're in your network to maximize their leverage, to maximize their take or to maximize their political goal, whatever they're really attempting to do. So we're seeing attackers persist longer in your environment really to gain that understanding, to conduct reconnaissance so that they can make the best decisions to achieve their outcomes.
All right. Well, the report is the Microsoft Digital Defense Report.
Kevin Magee, thanks for joining us.
Thanks, Dave. Thank you. leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll
save you time and keep you informed when you care enough to give the very best. Listen for us on
your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan,
Errol Terrio, Ben Yellen, Nick
Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for
listening. We'll see you back here tomorrow.