CyberWire Daily - Mopping up Solorigate. Tehran's Lightning and Thunder in Amsterdam. The view from Tallinn. Malware designed for Apple's new chips. Lessons from the ice, and how hackers broke bad.
Episode Date: February 19, 2021. Microsoft wraps up its internal investigation of Solorigate, which the US Government continues to grapple with, and which has had some effect in Norway. An apparent Iranian APT has been hosting its command-and-control in two Netherlands data centers. Estonia's annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple's new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration's first 100 days. Plus, lessons from the ice, and how hackers became cybercriminals. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/33
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Microsoft wraps up its internal investigation of Solorigate, which the U.S. government continues to grapple with and which has had some effect on Norway. An apparent Iranian APT has been hosting its command and control in two Netherlands data centers. Estonia's annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple's new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration's first 100 days. Plus, lessons from the ice and how hackers became cybercriminals.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 19th, 2021.
Microsoft published what it calls its final update on Redmond's internal investigation of Solorigate yesterday.
They found no evidence that threat actors gained access to either production servers or customer data and concluded that Microsoft systems were not used to attack third parties.
They did find signs that the intruders were able to inspect a few code repositories
for Azure cloud identity and security programs,
for Exchange, and for Intune mobile management.
Microsoft takes away from Solarigate a renewed commitment to zero trust.
For its part, the U.S. government continues to mop up what's been by all accounts an effective and quite damaging cyber espionage campaign.
Ann Neuberger, U.S. Deputy National Security Advisor for Cybersecurity and Emerging Technology, has been careful to set expectations.
The U.S. government is still in the relatively early stages of coming to grips with the incident.
The Federal News Network quotes her as saying,
If you can't see a network, you can't defend a network.
And federal networks' cybersecurity need investment and more of an integrated approach to detect and block such threats.
So there's a slog ahead, but Neuberger thinks the end result will
be better security. Agencies will build back better with more modern, more resistant systems.
Compromised versions of SolarWinds Orion have also affected other organizations outside the U.S. Norway's Sovereign Wealth Fund has disclosed that it downloaded and installed a compromised version of Orion last July. They realized what they'd gotten into this past December 13th and since then have taken steps to fix the problem, the media outlet DN reports.
The NL Times reports that an investigation by Bitdefender, in cooperation with the radio news outlet Argos, has uncovered a large cyber espionage operation, apparently Iranian in origin, that's managed to establish its infrastructure in two Amsterdam data centers. The malware, Foudre, that's lightning in French, was identified in 2016 and has been active for about a decade. It's added new command and control capabilities as well as a new component, Tonnerre, Thunder, a second-stage payload used for persistence, surveillance, and data exfiltration. Bitdefender writes that Tonnerre could allow attackers to take screenshots, collect recent files and documents with specific extensions, and even record audio using the system's microphone before uploading that data to the attacker-controlled C&C.
The operation appears to target devices in the Netherlands, Germany, Sweden, and India.
Estonia, which lives in a relatively rough neighborhood next door to Russia, which has received more than its share of Russian attention in cyberspace, and which for some years has punched far above its weight in the fifth domain, this week published its annual intelligence report, International Security and Estonia. The report concentrates on Russian activities and the interests and pressures likely to shape Moscow's operations. It also includes a coda on the other big cyber power a bit farther to the east, China. Different readers are struck by different aspects of the report. The Times of Israel fastens on the prospect of Russian information operators using the stress of the COVID-19 pandemic to divide Western allies. Euractiv, for its part, is struck by what the report has to say about Russian capabilities to deploy deepfakes in the service of influence operations and disinformation.
Security firm ESET reports that threat actors have begun to work on Apple's new M1 Macs, the ones equipped with Apple's in-house chips. The M1 processors run on ARM architecture, a departure from Cupertino's former preference for Intel x86 chips.
In the Objective-See blog, researcher Patrick Wardle summarizes his own analysis as follows, quote,
So we've succeeded in finding a macOS program containing native M1 ARM64 code that is detected as malicious.
This confirms malware adware authors are indeed working to ensure their malicious creations are natively compatible with Apple's latest hardware.
End quote.
Researchers at Red Canary earlier this month noticed some macOS malware that established persistence through Launch Agent.
They write, quote,
Our investigation almost immediately revealed that this malware, whatever it was,
did not exhibit the behaviors that we've come to expect from the usual adware that so often targets macOS systems.
The novelty of this downloader arises primarily from the way it uses JavaScript for execution, something we hadn't previously encountered in other macOS malware, and the emergence of a related binary compiled for Apple's new M1 ARM64 architecture.
End quote.
Red Canary calls the activity cluster Silver Sparrow and says that, for now at least, it lacks a payload. They acknowledge work done on the malware by VMware Carbon Black and Malwarebytes.
The Texas winter storms aren't, of course, a cyber incident, but they may hold lessons for business continuity and recovery planning against the possibility of cyber attacks on power grids.
In this case, according to the Wall Street Journal, a number of data centers have done fine, but the storm's been harder on humans than machines.
And finally, Avast takes a look at the history of hacking and sees a progression, or more properly a regression, from fun to felony, from lulz to looting. The history they see suggests that people once broke into systems as a chest-thumping way of showing off their skills, a bunch of bravos out counting coup and not interested in much more than the glory, and of course in outshining the other bravos, not to mention the jocks who used to steal their lunch and stuff them into lockers. Then the hackers discovered that there was money to be made and were on the slippery slope into the criminal underworld. Hackers became cybercriminals.
So Avast's bloggers have a point, although one can't help recalling that infamous hacker, Captain Crunch, the OG phone phreak, was also interested in making free long-distance calls on Ma Bell's dime.
As they would have said in San Fernando Valley,
Dude.
So we doubt that hacking ever had a prelapsarian past.
The serpent was whispering possibilities in cyber Eden
before most of us knew it was even a thing.
When a new president takes office, it's become standard practice to announce a list of policy goals and aspirations for the first 100 days of their administration.
And President Biden is no exception.
There's symbolism there, signaling priorities.
Mark Testoni is CEO of SAP National Security Services, and he...
...chain to some degree because of what happened in the 2016 election.
There is greater awareness of cyber in general.
So that's all goodness.
I think we often and the expansion and growth of the CISA and the work that was done under the director, Christopher Krebs, I think was noteworthy in the last few years.
But the reality is, we're coming off of a breach of a new calculus and consequence with SolarWinds.
And we've also, we're looking at cyber.
I think the vectors of cyber are beyond the concept of breaches, which we've all been hearing and dealing with.
But the nuance around it as well is kind of the information that we hear and process and how that's implicated by cyber and the authenticity of things.
So it's the debates around that and how do we clean it up. So beyond just being this, if somebody is going to get in and steal my information kind of aspect or get into my systems aspect of cyber, we've also really amplified this whole disinformation part of it and that factor.
So it's a much more complicated problem on the one hand. And I think, unfortunately, we are still in a place
where we kind of look at cyber as the government has a set of programs and the private sector is
trying to do certain things. And although there's been some collaboration, I think we've got an
opportunity for collaboration that needs to be exploited there. This is not a problem that's
going to be solved by one or two sets of parties. It's kind of a, there needs to be
a national focus and attention on this. Well, it seems to me like this is one of a handful of
things where there really is true, sincere, good faith, bipartisan support. There's recognition
that this is a problem that everyone needs to address together. Do you agree with that assessment?
I agree. I mean, we've had several Congresses look at this. It's passed legislation that's
had bipartisan support going back a number of years. We've seen over multiple administrations
the expansion of the Homeland Security's role. There was a bipartisan Cyberspace Solarium Commission that laid out
a plan that talked about establishing a national cyber director and developing a national cyber
strategy. So all these things speak to exactly what you said. We got to get on with executing
against it, which is probably a combination of things. And we really do need to develop a strategy.
So I think our heart's in the right place.
I would agree with you.
I think most people agree with us.
And we also need to understand it's not a static problem.
This is going to be something that's with us forever at a level.
It's always going to be a threat, much like security has been since the beginning of man.
We need to recognize it and such, and we need to engineer it more up front
rather than behind as we approach the new world.
And when I start looking at things like 5G and how that's going to change our lives and world,
it's going to be an opportunity for this,
but it's also going to be critically important if we're going to really leverage 5G.
It's funny. I remember, you know, growing up in the 70s and seeing the TV commercials saying, you
know, don't be a litter bug.
And you remember those.
It's fascinating.
And I think we all remember the picture of the Native American in the canoe.
Right, right.
Yep.
And the one by the side of the road with the tear rolling down his face at the litter.
Yep.
Yep.
It's iconic.
This is what we need, Dave, in my mind.
That's the kind of impact.
If our kids, your grandkid or son and my grandchild are doing a podcast in 40 years and they're remembering things that we were able to do during this time, I think it would be critically important.
What do you think about this notion of having something like the NTSB, you know, where major breaches are automatically evaluated, investigated?
You know, I think we do need to do that, but we've got to create an environment for it that allows for collaboration. You know, the FAA and the airplane manufacturing, the airlines have built really a sense, and including on an international level, have built a sense of trust up that they can do this, right? We haven't built that framework yet. So I think that could be an outcome. We can't, you know, one of the concerns I have is turning this into something that feels punitive to any of the players.
I'm not saying that it ultimately doesn't end up in punishment if there weren't negligence.
But right now, what we have a tendency to see and being someone that works with the government as well is like requirements will come down and basically it'll be directed upon.
I'm not saying that that isn't part of the calculus, but we need to create a collaborative environment to solve these problems and we need to learn from them.
And we also need to understand the nature of breaches has changed. The SolarWinds one was an attack on our software supply chain. And the implications of that are much greater than just, not that it isn't the disclosure of PII and things that have happened historically. I mean, these breaches are important, but this has ramifications in our infrastructure that are far, far broader and will be much more important in a 5G world where we redistribute the Internet again. So a long answer to a short question, but I think that we want to make sure we don't create the law of unintended consequences by creating apparatus without really having a strategy behind it, if that makes sense.
That's Mark Testoni from SAP National Security Services.
There is a lot more to our interview.
Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro.
It's on our website, thecyberwire.com.
And I'm pleased to be joined once again by Kevin Magee.
He's the Chief Security and Compliance Officer at Microsoft Canada.
Kevin, it's always great to have you back. I want to touch base with you on the recently published Canadian National Cyber Threat
Assessment for 2020. There's some interesting things that folks up your way have published.
What sort of things caught your eye? So the report is the second that they've published,
and it's the Canadian Center for Cybersecurity, which is Canada's authority on cybersecurity,
part of the communications security establishment we call the CSE,
which would be sort of the equivalent or cousin of your NSA.
And the head of the organization, Scott Jones,
really challenged his organization to make bold predictions
and really focus on seeing trends farther out.
So it was interesting to read the 2018 report again
and see what they got right and what they got wrong
and then reread the 2020 report.
And I like reading reports like this
because often in our industry,
we read very technical reports
with very technical analysis.
And this report in particular is very focused
on the threats to the citizens of Canada
and how we look at the attack vectors
and how we looked at the challenges from their lens
rather than from the technologist's lens.
And I think that diversity of opinion
and challenging of my premises
is really why I enjoy reports like this.
And so what were some of the highlights for you?
So one of the things that really immediately jumped out at me
is I'd kind of written off cryptojacking as an attack vector.
And maybe that was because of the drop in Bitcoin.
We're not seeing it as often popping up in our day-to-day.
Whereas two, three years ago, I would have really thought that cryptojacking might have taken over the whole ransomware market.
And we would have been done with ransomware.
And we're seeing as the rise in prices are increasing that that's becoming a new attack vectors again.
So again, challenging my premises,
seeing what's happening from another threat vector
makes me as a chief security officer then think,
okay, I now have to invest some time in looking at this
and seeing how it's affecting my organization
and my customers as well.
And how does this compare to things that are tracking other places around the globe? Are there some specifically regional things, or as things happen in Canada, so they do globally?
...global market for all things, including cybercrime. And cybercrime is really top of the list. It's the number one threat vector to Canadians as well as in most organizations. That's what I'm reading around the globe as well. So I think it's different sectors maybe are under attack in Canada than other countries. But the trends are very much the same. And I guess it's because cybercriminals don't really look at geography or zip codes. They look at IP addresses. And that's really made a level playing field for smaller countries to come under attack.
And I think there's a message in there, a lesson to be learned,
is that just because you live in a smaller country,
you may not think you're going to be attacked
or you're going to be a victim of some of these crimes because you're obscure.
That's not the case anymore. And we're seeing really the trends that are tracking in Canada very, very similar to those tracking around the world.
All right. Well, the report is the Canadian National Cyber Threat Assessment. Kevin Magee, thanks for joining us.
Thanks, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. As you're enjoying your weekend, don't forget to take a few minutes and check out Research Saturday, my conversation with Bojan Zdrnja. He's a senior information security consultant at Infigo, also a member of the SANS Institute. We're discussing his research on using Chrome extension syncing to exfiltrate data. That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity
teams and technologies. Our amazing
CyberWire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.