CyberWire Daily - Looking for leaks in the Microsoft Exchange Server exploitation. International cyber conflict. Sky Global executives indicted in the US. Scammer demands £1000 pounds to go on do-not-call list.
Episode Date: March 15, 2021
Microsoft is looking for a possible leak behind the spread of Exchange Server exploits, and hackers piggyback on webshells placed by other threat actors. The US Government continues to mull how to respond to Holiday Bear and Hafnium. Britain’s PM calls for greater offensive cyber capabilities. India looks for ways of countering China in cyberspace. Sky Global executives indicted for alleged racketeering. Accenture’s Josh Ray takes on defending against nation states. Rick Howard aims the hash table at third party cloud security. And what does it cost to be on a do-not-call list? Nothing. Really. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/49 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Microsoft is looking for a possible leak behind the spread of exchange server exploits
and hackers piggyback on web shells placed by other threat actors.
The U.S. government continues to mull how to respond to Holiday Bear and Hafnium.
Britain's PM calls for greater offensive cyber capabilities.
India looks for ways of countering China in cyberspace.
Sky Global executives are indicted for alleged racketeering.
Accenture's Josh Ray takes on defending against nation states.
Rick Howard aims the hash table at third-party cloud security.
And what does it cost to be on a do-not-call list?
Nothing. It costs nothing.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 15, 2021.
Bloomberg reports that Microsoft is looking into whether threat actors used the research of DevCore to exploit vulnerabilities in Exchange Server.
DevCore, based in Taiwan, alerted Redmond to the Exchange Server vulnerabilities in December.
Hafnium's cyber espionage campaign began quietly in January,
picked up momentum, and expanded into widespread cyber looting by many actors shortly before Microsoft patched the flaws.
Microsoft is investigating whether the vulnerability leaked from DevCore,
whether inadvertently or deliberately.
Microsoft quietly and privately released information about the vulnerability to security partners,
those in the Microsoft Active Protections Program, or MAPP, on February 23rd,
and it planned to issue its fix on Patch Tuesday last week.
On February 27th, Chinese-linked threat groups began actively scanning for the Exchange server vulnerabilities,
and by the 28th, several distinct groups had begun active exploitation.
This pushed Microsoft to issue its fixes earlier than anticipated.
More recently, publicly released ProxyLogon proof-of-concept exploits
have placed Exchange Server attacks within the reach of script kiddies,
Bleeping Computer says.
According to The Record, some actors are also piggybacking on other threat groups,
hijacking web shells placed by other attackers.
This has in some cases escalated the damage done
as the hijackers move from cryptojacking to ransomware.
The U.S. government is said by Security Week to be nearing some decision
on how to respond to the cyber espionage campaigns that exploited SolarWinds and Exchange Server, with some public announcement promised in weeks, not months.
Response to the threat actors is half the issue.
The other half, the New York Times reports, is a plan to reorganize the national approach to security.
Other governments are also contemplating developing and deploying offensive cyber capabilities.
According to Reuters, British Prime Minister Johnson has called for cyber attack capability ahead of the release of a national security review.
And the Economic Times reports that India's government faces calls for preparation to face an increasingly assertive China in cyberspace.
Google, at odds with Microsoft over relations with publishers and news sources, has said that Microsoft's position on paying for content is no coincidence.
Mountain View accused Redmond of engaging in misdirection.
It's naked corporate opportunism, Google's senior vice president of global affairs said,
shortly before Microsoft's president's testimony Friday in congressional hearings
on the effect tech platforms are having on the news business.
Google suggested that Microsoft's stance on the issue is an attempt to distract attention
from the company's large, damaging, and growing problems with Microsoft Exchange server exploitation.
The Wall Street Journal places the dispute in the context of a worldwide drift in the direction of having search engines pay content providers for links.
Friday, an indictment was filed against two executives of Sky Global, Jean-François Eap and Thomas Herdman, in the U.S. District Court for the Southern District of California.
The two are charged with racketeering offenses involving the sale of encryption devices to transnational criminal organizations.
The devices are sold with the promise that they'll be wiped should those devices be seized by police.
The indictment describes Sky Global devices as
dedicated data devices housed inside an iPhone, Google Pixel, BlackBerry, or Nokia handset.
The devices replace the phone's internal hardware and software responsible for geolocation,
photography, internet activity, and voice communications.
The indictment alleges that Sky Global and the two executives charged
were engaged in both drug trafficking and obstruction of justice.
Vice points out that this is the second major case against an encrypted comms provider
accused of racketeering, the first being Phantom Mobile.
Sky Global apparently drew some lessons from Phantom's experience.
Notably, the indictment says, the importance of maintaining an arm's length of deniability to distance them from the criminal organizations whose operations they facilitate.
The U.S. indictment follows an earlier disruption of Sky's operations by Europol,
which authorities in Belgium, the Netherlands, and France undertook
earlier in the week.
Both of the executives charged are Canadian citizens, and the company itself is based in Vancouver.
Over the weekend, Sky Global posted a response to the indictment on its website.
The CEO framed his indictment, which he says he learned about from press reports and not from the authorities, as a shot in the crypto wars.
Mr. Eap said that the indictment can only be described as an erosion of the right to privacy.
The company's technology, he added, quote,
exists to prevent anyone from monitoring and spying on the global community.
The indictment against me personally in the United States
is an example of the police and the government
trying to vilify anyone who takes a stance against unwarranted surveillance.
... the fundamental right to privacy. The unfounded allegations of involvement in criminal activity
by me and our company are entirely false.
End quote.
And finally, the BBC reports a new wrinkle
in the familiar Microsoft help desk phone scam.
Note, first of all, the obvious.
The nuisance calls claiming to be from Microsoft's tech department
or a Windows help desk have nothing to do with Microsoft.
One of the BBC's tech reporters, tired of being pestered, asked the caller how they got her number and told them to strike it from their list.
Give us a thousand pounds and we will, said the faux tech supporter.
Naturally, the reporter didn't pay them, but apparently some of them have.
The whole family of scam calls has been rising during the pandemic,
and there have been calls in the UK and elsewhere that threaten the recipient with arrest if they don't pay a fine or some other legal consideration.
In the UK, these calls have sometimes said that there's an ongoing court case over an unpaid tax bill.
Sometimes the judge and jury are even said to be online and waiting for an answer.
In the U.S., the scammer usually says they're agents of the Social Security Administration,
telling you that your number has been suspended for illegal activity
and that you need to take action to avoid being taken into custody.
Remember, no responsible government is going to call you up
and demand immediate payment by credit or debit card
for some alleged unspecified misdeed.
So hang up on them.
Asking to be placed on their do-not-call list is probably a futile gesture.
They're crooks, after all,
and if they're not worried about grand larceny and wire fraud,
they're not going to be too concerned about a minor matter like pestering someone on a do-not-call list.
But if you feel you must talk to them, you may as well waste their time in something interesting.
Or who knows? Appeal to their conscience. Urge them to leave that boiler room and find honest work.
Sure, it's not likely to work, but who knows? The heart has its reasons, after all.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is the CyberWire's own Chief Security Officer and Chief Analyst, Rick Howard.
Rick, always good to have you back.
Thank you, sir. So, for the past six weeks or so, you have been inviting your Hash Table guests from all
of the various cloud providers to discuss how these environments help us deploy your
cybersecurity first principle strategies. So, do you think it's time to reach out to
some of the third-party pure play security vendors and
maybe see what they have to say about the subject? Well, Dave, you know, great minds think alike.
That's exactly what we did this week. And, you know, just for clarification, when we say third
party, we mean a security vendor that's not part of the internal cloud vendor's product offering.
The cloud provider might partner
with the third-party vendor and even do some integrations, but the product itself isn't built
by the cloud provider. So, for example, Amazon offers products from Sumo Logic in their marketplace,
but these are Sumo Logic's products, not Amazon's, right? And also, when we make a reference to a
pure-play security vendor, we mean that that vendor only builds security products.
You know, companies like KnowBe4, where their product line is not spread out across a galaxy of different kinds of products,
compared to, say, Google, for example, who offers a security product like cloud data loss prevention,
but also you can get YouTube and Gmail and a bunch of other things that have nothing to do with security.
Well, it strikes me that some of these pure play vendors might have a thing or two to say about the ability of how I should characterize them.
Right?
Exactly.
I mean, you know, these newbies in the security industry trying to roll out, these young whippersnappers trying to roll out security products for their cloud environments.
You can just visualize me on my porch with my hand raised in the air.
You whippersnappers, what are you doing in security?
Right, right, right.
Get off my cloud.
Hey, you, get off of my cloud.
Wait, hold.
That's kind of catchy, isn't it?
We might have to go into business here.
Well, it is indeed the case that that's true. And shocker, they all think they do it better than the cloud providers do. Who knew?
All right. So in this show, we brought on guests from Palo Alto Networks and Cisco to hear what they have to say.
But to give it some balance, we also brought on the host of another security podcast called the Cloud Security Podcast, run by Ashish Rajan out of Australia.
Now, he doesn't have a dog in the security vendor fight, but he agreed with the pure-play vendors on this one point: that the pure-play vendors have been doing intrusion kill chain prevention for years now, where the cloud providers don't really think that intrusion kill chain prevention is a thing.
All right. So in this show, we have a rousing discussion
about whether or not that's important. All right. Well, it's all part of CSO
Perspectives. That is part of CyberWire Pro. You can check that out on our website,
thecyberwire.com. Rick Howard, thanks for joining us. Thanks, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray. He's the managing director and global lead of Accenture's cyber defense business.
Josh, it's always great to have you back.
I want to touch today on state-sponsored threat actors and what organizations need to know when it comes to protecting themselves against them.
Yeah, thanks, Dave.
This is a topic that's near and dear to my heart and an area that I've spent a lot of time in my career looking at.
And I think one of the things that the folks
have to understand is that security threats
from state-sponsored actors have been around
really for quite some time.
And these are requirement-driven threats.
So really, what do I mean by that?
I mean that it's their job, their full-time job to achieve their mission
objectives. And remember, you know, folks that like, there's a reason that you're being targeted.
It's because either information that you have or could have, what you produce as a business,
or in many cases, in the case of say third-party attacks, your organization really represents a means to an end
to just broader access to other targets.
I mean, this was obviously highlighted here in the recent SolarWinds attack.
Yeah, you know, I think about how many organizations
probably think, well, you know, what would a nation state be,
why would they be interested in me?
But then you think about something like the Target breach,
an HVAC contractor, I could see very easily an HVAC contractor
saying, well, there's nothing of interest here, we're an HVAC contractor.
But you could be the back door
into a much more interesting organization.
Yeah, that's right. I mean, a catering facility, an HVAC contractor,
maybe an IT services firm, or other types of businesses.
If you are seen as a means to an end,
as part of an intelligence operation,
you're going to be targeted, unfortunately.
That's not to spread, you know,
fear, uncertainty, and doubt, but this is an active intelligence operation that folks need to understand
is not going to stop just because you don't see yourself as a target. You have to kind of look at
yourself through the lens of a threat. So what are some of the specific things that organizations can do to protect themselves against this particular threat?
Yeah, so I mean, we can actually share some observations based on our recent Threatscape report, and things that we've seen is, obviously, you know, that third-party vendors being used to target very specific assets and broader access operations is going to continue.
But what we've also seen now is routinely these adversaries
are chaining together these off-the-shelf penetration tools
with these living off-the-land types of techniques,
just using the native types of tooling
that's used by systems administrators
to move around the network.
And this is both complicating detection,
but also attribution to certain types of threat groups.
And it's also really helping them be more effective, right?
So they can use this tooling that is commercially developed
to really drive the plausible deniability
of a lot of these attacks as well, too.
So what specifically can organizations do to try to stay ahead of this threat?
Yeah, one of the things we always talk about is making sure that you understand
the adversary collection requirements against your specific organization, right?
So that means applying strategic intelligence
to see what types of things that an organization,
why they would be a target
or why you would be a particular target
and how that maps back to strategic requirements
of a particular nation state.
Now, what this allows you to do
is really better focus your security controls
on not only what the business
sees as their high value programs or high value targets, but really what the threat is after as
well, right? So being able to kind of get to that Venn diagram of what the business cares about and
what the threat's after. I think, and then you need to think about prioritizing, you know, what
adversaries are likely to target you the most based on those collection requirements,
and look at their tactics, techniques, and procedures,
and create specific type of hunting programs and activities that mimic that behavior
so you can be a little bit more proactive in your approach and actively look for those threats on your network.
And it's really important to understand those commonly used tools
that I was talking about before and the techniques that are employed so that you can actually detect
that activity in your network as well. So that when you see those types of tools being used or
certain types of patterns that are being exploited by those types of activities,
that you can detect it in your own environment.
You know, I wonder if particularly for a lot of smaller or mid-sized businesses,
is there an attitude that, you know, what could I possibly do against someone as sophisticated as a state-sponsored threat actor?
But you can defend yourself against this.
There are tools you can use, and you can, you know, improve your defenses.
Yeah. I mean, the thing that, the worst thing you can do is throw your hands up and say,
there's nothing I can do, right? You know, I think it's as a whole industry, we need to kind of
almost move beyond this notion of cyber defense and really start thinking about things and
achieve that level of cyber confidence, right? There's some things that you can very specifically do programmatically, employing the right types
of technologies and driving that, you know, broader business acumen to really defend yourselves
against these types of threats. But also when the bad things happen, that you have that, again,
that confidence to be able to chart that course, you know, in the face of that chaos.
So, you know, you're investing in things that matter.
You're able to see and manage the unseen and really more effectively prepare for the unknown.
All right. Well, Josh Ray, thanks for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.