CyberWire Daily - Kubernetes clusters attacked. Home insecurity devices. Update on the supply chain incidents. Incomplete patches. Marque and reprisal? Ransomware notes. Class clowns and zoom-bombing.
Episode Date: February 4, 2021
Hildegard malware is targeting Kubernetes clusters. Remote access flaws found in consumer security devices. A brief update on the spreading software supply chain incidents. Project Zero sees incomplete patches at the root of most successful zero-day attacks. Recruiting a privateer’s crew. The current mood among ransomware victims. We’ll search for the truth about 5G with Rob Lee and Rick Howard. And who’s behind zoom-bombing remote learning? A hint: the kids aren’t alright. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/23
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Hildegard malware is targeting Kubernetes clusters.
Recruiting a privateer's crew.
The current mood among ransomware victims.
We'll search for the truth about 5G with Rob Lee and Rick Howard.
And who's behind Zoom bombing remote learning?
A hint, the kids aren't all right.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 4th, 2021.
Palo Alto Networks' Unit 42 has found a malware campaign that targets Kubernetes clusters.
The threat actors establish initial access through a misconfigured kubelet,
then propagate their malware, which Unit 42 calls Hildegard, across as many containers as possible.
The goal of the attack appears to be cryptojacking, and Unit 42 attributes the campaign to Team TNT.
The campaign involving the use of Hildegard is, Unit 42 finds, both more evasive and more persistent than those using other kinds of malware.
It's well adapted to gaining access to cloud resources, it encrypts its payload, and it's able to hide its operation behind a legitimate Linux kernel process.
It has at least two ways of connecting with its command-and-control infrastructure.
It can either use an IRC channel or a reverse shell to do so.
Computing sees the campaign as a precursor to a large-scale Kubernetes-based attack.
ReFirm Labs shares some research their colleagues at Florida Tech have completed.
They looked at several widely sold home security devices, smart doorbells and home surveillance cameras,
and found them rife with security vulnerabilities that could give an attacker remote privileged access sufficient to enable them to spy on the unwitting users.
As the report puts it, the vulnerabilities could enable a remote attacker to gain privileged access to the devices, listen to all audio and video recorded on the devices, and ultimately use the devices to covertly spy on their users.
ReFirm argues that the results should move industry and its regulators toward a system of IoT security labeling.
They also argue that retailers have an important role to play in vetting products for security and privacy.
They scold, quote,
Retailers have policies to prevent selling products that burn down your house or make you sick.
How about not selling horribly insecure IoT devices
that turn your house into a hacker's playground? End quote.
Gizmodo last night published a brief state-of-the-incident note on SolarWinds, in which it notices the spread, the complex ramifications, of the known and suspected independent exploitation by both Russian and Chinese services.
On the Chinese front, NextGov says that the U.S. Department of Agriculture's most recent word on a compromise of its National Finance Center, which Reuters reported earlier this week, is that USDA hasn't seen any evidence that the compromise happened at all.
Acting U.S. CISA Director Wales told a meeting of the National Association of Secretaries of State that CISA has found no evidence that SolarWinds vulnerabilities were exploited against election systems, Reuters' Chris Bing tweeted.
One effect some observers foresee is a chill on the cyber insurance sector, or so thinks Property Casualty 360.
The exposure is considerable and imperfectly understood.
Software supply chain attacks pose a novel actuarial challenge that the insurance sector has yet to master.
Google's Project Zero sees bad patching as a breeding ground of exploitation, CyberScoop reports.
Project Zero writes, in a retrospective on 2020 the researchers call "déjà vu-lnerability": "When looking at the 24 zero-days detected in the wild in 2020, there's an undeniable conclusion: increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using zero-days."
Correct and comprehensive are the operative words.
A correct patch is one that no longer permits exploitation of a vulnerability.
A comprehensive patch can be applied everywhere, covering all variants.
Project Zero doesn't consider patching complete until it's both correct and comprehensive.
It's a failure, they think, on the part of industry to ensure that patches are complete,
and this failure is responsible for the damage zero-days have been doing.
So, looking for some hackers with skills?
Think your interviews aren't really working for you?
Why not let them try out against a real target?
Cointelegraph reports that Red Balloon Security is sending job candidates an encrypted hard drive
holding an altcoin wallet containing about $4,800 in Bitcoin.
If they can crack it, they get to keep the money.
And presumably, they get a nice callback that could lead to a good job.
It's like using a letter of marque and reprisal as an HR tool.
Security firm Coveware reports that ransomware attacks are getting more destructive
as some of the criminals are apparently inadvertently wiping their victims' data.
In what may be a related trend, fewer organizations are paying the ransom.
It doesn't seem to pay.
Not only does paying fuel a bandit economy, but there's no good way of enforcing the contract.
The crooks may say they'll send you a key, and maybe they will, or maybe they won't.
Or they may say they'll destroy their copies of the data they stole, and which they threaten to release if they're not paid.
But it requires a real leap of very misplaced trust to take the hoods at their word.
Still, ransomware remains a big problem, and relatively poorly protected organizations are especially vulnerable to damage.
With that in mind, IBM has announced a $3 million program that would provide in-kind grants to schools, which have become favorite targets of the low-lifes in the ransomware criminal underground.
Almost 60% of ransomware attacks in August and September of last year hit K-12 schools, and IBM's program represents one corporation's response.
And finally, during this pandemic thing you may have heard of, schools and universities are doing lots, most, sometimes all of their instruction online.
And of course, a lot of that instruction is being delivered over Zoom.
So what about Zoom bombing, when trolls disrupt Zoom sessions to deride, insult, or distract participants?
It's still a problem.
And why is it a problem? Well, Captain Obvious might ask, hey, do you know any people?
But now there's some science behind just knowing people.
A team of researchers at Boston University and Birmingham University studied Zoom bombing, and this must be understood in its most expansive sense as extending beyond Zoom proper to the disruption of other platforms for remote collaboration.
They found, basically, that the problem is typically the high school and college students themselves.
One of the principal investigators told Wired, quote,
At least in the French tradition of cahootas, the students are doing their own hooting.
At least in the American tradition of class clowning, the class clown personally makes funny faces and nasopharyngeal eructations.
But here, the kids are even outsourcing their own misbehavior. Sad.
And you, yes, you in the back row, stop doing that with your virtual face.
What if it stuck that way?
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Here in the U.S., we are under a seemingly endless barrage of advertisements claiming that 5G is here and it's changing the world in all sorts of amazing and magical ways.
And yet those who've gone out and done actual testing of 5G performance have been left occasionally wowed but often underwhelmed.
Our own chief analyst Rick Howard looked into that apparent disconnect and he files this report.
With the release of the iPhone 12 and Samsung Galaxy, 5G phone customers were expecting, you know, 10 times faster download speeds and a reduction in latency to almost zero.
But for the most part, we are still seeing 4G performance.
I reached out to Kurt Bantel to find out why. He is a senior solutions architect for Spirent Communications.
I think what a lot of people need to realize is that we're not really on a 5G core yet. There's a lot of improvements still yet to come.
As with any new tech, we're all going to have to get used to new acronyms.
Kurt talks about four of them: EPCs, the Evolved 5G Packet Core, SGWs or Serving Gateways, eNodeBs, the old 4G or LTE base stations, and gNodeBs, the 5G base stations.
So the backhaul to the network is still an LTE core. It's still an EPC. And it has all the interfaces that 4G had.
You know, when we get to a 5G core is where we start to get to those, you know, incredibly low latency numbers that we're looking for as we start to deploy a bunch of stuff to the edge.
And I'm not a gamer, but, you know, online gaming via a wireless device becomes a very feasible application that people might be using.
So from your device to the eNodeB and gNodeB are presenting us with speeds that are very similar to 4G numbers.
According to Kurt, the 5G networks are still deploying. Over the next few years,
we will see steady improvement as network providers combine 4G and 5G infrastructure,
but we are probably five to 10 years away before we get a ubiquitous international 5G network.
When we get there, though, we will experience these exponential improvements in download speeds and latency.
For people like me, I'm anticipating the higher download speeds.
For Kurt, though, he is anticipating the new low latency numbers.
Just a little background.
I'm an avocado farmer, too.
And so I've been a huge IoT fan for decades
because my farm is a giant IoT test bed. I have every technology imaginable pretty much deployed
at my farm controlling things. So I get more excited about these low latency, small bandwidth
applications for real-time control type things. I want to turn on a sprinkler valve and have it turn on,
not I turn on a sprinkler valve and, you know,
maybe a couple seconds later or sometimes 30 seconds later, it turns on.
Like it's not, it's just not a sustainable model for me.
Lots of bad things can happen if like a valve doesn't open in time.
An interesting side benefit to 5G technology
is that it will increase the competition
for internet service providers.
Homes and businesses will not have to rely
on fiber to the building.
On one telephone pole,
you might have a choice of four or five providers.
We will get this from something called beamforming.
The technical term is enhanced mobile broadband or eMBB.
I do think that with beamforming and that eMBB aspect and getting the deployment down,
to be able to get into your house in a fixed wireless application,
I think that's another great aspect of 5G.
Like, that to me is kind of game-changing, too.
If I can displace the two, you know, people bringing broadband to my house and have maybe a choice of six different opportunities to get, you know, the same types of speeds and the same experiences that I get off of cable or fiber, I think that's a neat opportunity.
So for all you new Apple and Samsung 5G phone owners, have patience.
5G is coming.
You may not be experiencing the download speeds and low latency times the salesperson promised you in the phone store, but it's coming.
And you will start to see gradual improvements over time as the network providers continue to build the infrastructure.
That's the CyberWire's chief analyst, Rick Howard.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
I want to touch base and hopefully get a little bit of a reality check from you when it comes to 5G.
And what I'm curious about specifically is,
is there a difference in what we're seeing from the consumer launch of 5G and the types of things that you're seeing on the ICS side of things?
I hear lots of people making all sorts of claims that, you know, 5G is going to make the world a better place for everybody in all sorts of ways.
I have to say I'm a little bit skeptical so far with what I've seen from the rollout.
What's your take on this?
Yeah, I share your skepticism,
but I acknowledge that the world is changing as well, right?
And so every industry that I can think of in the industrial world has been talking about some level of digital transformation
for more than a decade.
And that's the concept of connecting up our infrastructures
in ways that haven't been
connected before to gain access to machine learning and cloud analytics and all sorts of
different technology enablements. We even hear about IIoT, the industrial internet of things.
And the reality is, our infrastructures are getting connected up. And it's not coming,
in many ways it's already here, that many of these companies are taking advantage of IoT and cloud analytics and similar.
The hype around it is the belief
that it's going to fundamentally change everything overnight,
or that even it could fundamentally change everything over time.
And the reality is, these are organizational changes
where as the organization decides to take advantage
of things like hyper-connectivity,
that they take on new risks
and they've got to have compensating controls for that,
but they also take on new value.
And as they change the organization,
it might be as simple and straightforward as more profit,
but it might also be things like access to larger workforces
and better work-life balance for the employees.
5G doesn't really change a lot of that.
I can imagine there's going to be plenty of people that want to argue about this,
and I appreciate that, but 5G doesn't fundamentally change things
from the organizational level.
Is it another technology to take advantage of? Yes.
Is it potentially more dependable, therefore higher bandwidth,
reaching portions of the world that maybe
previous connectivity couldn't reach, all aboard.
Happy to agree with all of that.
But you still have to have the organizational change part to actually take advantage of
those things.
And in many ways, again, where we already have connectivity, it's not like bigger pipes are going to fundamentally
then change either the risk portfolio
or the opportunities in front of us.
Many of the applications, especially in the industrial world
that we're taking advantage of,
don't even require that type of connectivity.
But to your question, very candidly,
will we see more 5G stuff in industrial?
Absolutely.
I saw Siemens the other day explicitly talk about an industrial 5G router and connectivity source that they're having.
Will we see more companies buy new technologies that are 5G enabled? Absolutely.
But yeah, to share the skepticism a little bit, just because it's 5G, I think it's getting bought into more.
But I don't think the differences between 4G and 5G
are really being explored when you're talking about
connecting a pump or a sensor to a local system
that is just now also connecting out to the internet.
Are there things that you can imagine where,
specific examples where having this increased connectivity, which having a bigger pipe, when that opens up possibilities, things that everyone has wanted to do, but they've been unable to do for lack of these sorts of capabilities?
Yeah, I mean, that's where I'm struggling.
I guess that's a simpler way to make my point that I haven't seen or been exposed to, so maybe this is my own visibility issues, but I haven't seen or been exposed to companies that have been limited by the bandwidth.
They've been limited by the organizational side of their house going, what is the value in doing this?
What is the risk? Do we want to take on the cost of doing this, etc.?
It's not been a discussion of, oh, well, we really want to do this,
and as soon as 5G is here, we'll be ready.
I think the 5G thing is a little bit more marketing on that front.
Now, again, is it going to change a lot of things for the better
as it relates to networking? Similar, maybe.
I don't want to just put down all value of 5G.
Obviously, there is value.
I'm just speaking from the, are we going to get 5G appliances,
and then all of a sudden things change?
And the answer is no.
In many ways, what 5G is doing for a lot of your service providers,
like ISPs as an example,
is now you're talking about digitally programmable networking
instead of going through these large generational leaps.
A lot of the 5G aspect is in the software,
kind of defined nature of it,
instead of just expecting large bulky appliances.
That's going to help ISPs and similar, absolutely.
Is putting a 5G router in an oil refinery
going to fundamentally change that oil company's business model?
No, it's not.
All right.
Well, Robert M. Lee, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Bring out your best.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.