CyberWire Daily - More (ambiguous) evidence for attribution of Solorigate. CISA expands incident response advice. Inspiration, investigation, and deplatforming: notes from the Capitol Hill riot.
Episode Date: January 11, 2021
Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert to paper...and USB drives. More members of the US Congress report devices stolen during last week’s riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/6 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Similarities are found between Sunburst's backdoor code
and the malware used by Turla.
CISA expands advice on dealing with Solorigate.
Courts revert to paper and USB drives.
More members of the U.S. Congress report devices stolen during last week's riot.
Online inspiration for violence seems distributed, not centralized.
Caleb Barlow examines protocols for handling inbound intel.
Rick Howard looks at Solorigate through the lens of first principles.
And platforms as publishers?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, January 11th, 2021.
Kaspersky reports finding code similarities between the Sunburst backdoor in SolarWinds'
Orion platform and a known backdoor,
Kazuar, which Palo Alto Networks in 2017 associated with the Turla threat group.
Kaspersky is cautious about attribution and notes that there are several possibilities.
It could be that Sunburst and Kazuar are the work of the same threat group. It could be that Sunburst's developers borrowed from Kazuar,
or that both backdoors
derived from a common source. It's possible that Kazuar's developers jumped ship to another threat
group and there produced Sunburst, or whoever developed Sunburst deliberately introduced
the clues into their code in the interest of flying a false flag. Reuters points out that
Estonian intelligence services have long attributed
Turla activity to Russia's FSB, which was unavailable to Reuters for comment.
In an updated advisory concerning Solorigate that CISA issued late Friday, the agency released
detection and mitigation advice for post-compromise activity in the Microsoft 365 and Azure environment.
CISA recommends three openly available PowerShell tools
for detecting malicious activity in this environment.
CISA's Sparrow, the widely available open-source utility KittyHawk,
and CrowdStrike's Azure Reporting tool.
CISA also redistributes Microsoft's guidance for recognizing and stopping exploitation
at the four distinct stages of an incursion into its environment.
Stage 1 involves forging a trusted authentication token used to access resources
that trust the on-premises identity provider.
Stage 2 moves on to using the forged authentication token to create configuration changes
in the service provider,
such as Azure AD, that's establishing a foothold.
In stage 3, the threat actor works on acquiring an OAuth access token for the application,
using the forged credentials added to an existing application or service principal
and calling APIs with the permissions assigned to that application.
And finally, in stage 4, once access has been established, the threat actor uses the Microsoft
Graph API to conduct actions on objectives from an external RESTful API, with queries impersonating
existing applications.
The full text of the alert can be found on CISA's website.
At least some courts affected by the Solorigate incident have reverted to older manual systems for handling their documents.
The U.S. District Court for the Southern District of Ohio, for one,
has responded to Solorigate by requiring that court documents be filed on paper,
or at least on a removable USB drive, the Columbus Dispatch reports.
The Dispatch writes, quote,
The federal court considers applications for a search warrant, electronic surveillance,
and pen register or trap and trace devices highly sensitive.
Based on the circumstances, some filings, like social security records, administrative
immigration records, and sealed filings in civil matters may be designated
highly sensitive by the court, end quote. Any such documents will now be submitted in either
two paper copies or on a USB drive, along with a certificate of service. We trust the USB drives
will be properly screened before they're plugged into the court system. Among other things, the decision shows
how difficult it is to completely free oneself from digital records. Physical loss of devices
remains the most serious concern for cybersecurity following last week's riot in the U.S. Capitol.
Since the Wednesday unrest, other members of Congress, including Speaker of the House Pelosi,
have also reported that laptops were
taken from their offices, according to Reuters. The Wall Street Journal has an account of how
the unrest was inspired and authorized via social media. Unlike many, perhaps most, other cases of
online incitement, the Journal reports that experts who've taken an early preliminary look
at the incident think that the inspiration
was a lot more distributed than it's usually been, with less top-down direction, fewer high-profile
leaders, and a lot more of what we've come to call virality. As the Journal puts it, quote,
the Capitol riot doesn't appear to have been orchestrated by a central figure or organization,
end quote. The agitation has been in progress for weeks, and it proceeded
through a large number of channels and across many platforms. One expert quoted by the Journal said
they didn't need central planning. That said, many large internet companies were quick to
deplatform U.S. President Trump and various supporters in response to the president's
encouragement of demonstrations earlier in the week. Axios lists Reddit, Twitch, Shopify, Twitter, Google, YouTube, Facebook,
Instagram, Snapchat, TikTok, Apple, Discord, Pinterest, and Stripe. Bellingcat predicted
last Monday that significant disruption would occur on Capitol Hill as electoral votes were formally counted.
The Wall Street Journal reports that both Apple and Amazon have taken action against Parler,
a social platform whose declared mission is to provide a conservative alternative to what Parler characterizes as the general progressive bias of platforms like Twitter and so forth.
Parler is suing Amazon in the U.S. District Court
for the Western District of Washington,
seeking injunctive relief,
including a temporary restraining order
and preliminary injunctive relief and damages.
Parler is claiming an anti-competitive bias by Amazon.
The company notes that Amazon provides equivalent services
to both Twitter and Parler,
yet only Parler was singled out for silencing
on the grounds that it wasn't filtering content
that amounted to incitement to violence.
The filing observes that, quote,
Friday night, one of the top trending tweets on Twitter
was hang Mike Pence,
but AWS has no plans,
nor has it made any threats to suspend Twitter's account,
end quote.
Parler says it does have content moderation designed to stop incitement,
but Amazon says that whatever Parler's review boards are doing, it's not enough.
An op-ed in the New York Times thinks the lesson to be drawn from the deplatforming
is that tech companies hold a great deal of power over online discourse,
and that power
tends to be exercised from the top on the basis of gut decisions by executives and not in conformity
with established quasi-due process criteria. The American Civil Liberties Union says it understands
the desire to ban President Trump from big tech's platforms, quote, but it should concern everyone when
companies like Facebook and Twitter wield the unchecked power to remove people from platforms
that have become indispensable for the speech of billions, especially when political realities make
those decisions easier, end quote. The implications of the controversy and the ban won't be confined
to the U.S. Computing reports, for example,
that British Health Secretary Matt Hancock
has said that it seems clear that social platforms
are now acting much more like publishers than public square.
He took no position on the deplatforming,
nor did he offer any prescriptions for the future.
But he said the companies are, quote,
choosing who should and shouldn't have a voice on their platform, end quote, and that recognizing this should inform any regulations governments might enact.
And it is my pleasure to welcome back to the show Rick Howard. He is the CyberWire's Chief Security Officer and also Chief Analyst.
Rick, always great to have you back.
Hey, Dave.
So on this week's CSO Perspectives, you are talking about the SolarStorm attack campaign.
That's the attack that used the SolarWinds Orion platform as the backdoor,
which we now think potentially breached some 18,000 SolarWinds customers or so,
but who's counting? 18,000. Yeah, who's counting? Gee whiz.
But what's interesting about your approach here is that you're running it through the lens of
first principle thinking. So, what's going on here? Yeah. So, for the past year on the CSO
Perspectives podcast, I've been developing a set of cybersecurity strategy theories,
you know, based on first principle thinking.
And the key word here, Dave,
is I'm using air quotes, theories, right?
Because I haven't tried them anywhere.
Okay.
All right.
And so the question I've been asking myself
is would they work?
Would that set of theories
prevent material impact in the real world?
When the solar storm campaign came to light just
before Christmas, I realized it was the perfect case study to examine if these theories worked.
Right, right. Well, I mean, during the past year on CSO Perspectives, you've had these strategies,
these four strategies that you say every cybersecurity executive should deploy.
Let's use that as a starting point. First of all, what are the four strategies?
Right, so in no particular order, here they are.
Intrusion kill chain prevention, zero trust,
resilience, and risk assessment.
Okay, I'm no cybersecurity Einstein here,
but the SolarStorm campaign was a zero-day campaign,
which means that the entire attack sequence was stuff that had never been seen before.
So wouldn't that kind of nullify the intrusion kill chain prevention strategy?
Exactly right.
All right, so.
Smarty pants?
Yeah.
Again, theory.
Right.
So we have from the backdoor, we get the SolarWinds Orion platform, and that's that supply chain attack we've been talking about for so long.
And, you know, just by the way, some researchers are saying that there might be a second supply chain backdoor involved, a Czech Republic company called JetBrains.
They sell development tools to at least 70 of the Fortune 100 companies.
So they might be a second vector.
All right, so we have a supply chain attack in order to steal the secret key from an on-prem single sign-on server performing Active Directory Federation Services.
Then using a Golden SAML technique where the attackers forged trusted authentication
tokens for cloud resources. Now, this is a known adversary campaign that's used that attack
sequence before. We've seen the tactics before, but they haven't ever been strung together in
that particular way. So, we were way ahead of the curve and had prevention controls in place
for all the known adversary
campaigns like, you know, the Russian Cozy Bears and the Chinese Deep Pandas. That didn't help you
here. Okay. So where does that leave you within, like from a first principle strategy approach?
Right. So it leaves us with the other three strategies, zero trust, resilience, and risk
assessment. And I'm happy to say that I think these strategies would have most likely defeated this adversary campaign. And that's what we're
talking about on the podcast this week. All right. Well, you know, before I let you go,
in some of our internal discussions on the CyberWire's Slack channels,
we've been talking, and by we, I mean, you have been very
vocal about the problem with attribution with these attacks to the Russians and to the thing
we talked about earlier. I mean, there's, these are new tools. And in what I'm wondering is like,
we've had the FBI, we've had the NSA, we've had CISA and ODNI, they released a joint statement that blamed
Russia. But yet, still, it's kind of like, hey, it was Russia, believe us, because we say so.
We haven't seen a lot of evidence, right? What's your thoughts on that?
Yeah, look, it's probably the Russians, okay? So, you know, think of,
you know, if I was just going to say, just think of the supply chain attack they used in the Sandworm campaign, you know, against Ukraine.
That smells eerily similar to the SolarStorm supply chain campaign, right?
And, you know, and I'm willing to give the benefit of the doubt to the intelligence community.
But, okay, their joint statement presented no evidence to support the accusation.
They just said, you know, it's the Russians because, you know, we think so.
Right.
So it's a zero-day campaign.
None of us have any TTPs that match any other known campaigns like the Russian Bears, like
Fancy and Cozy and Berserk and Energetic and Voodoo and Venomous.
None of that matches.
So until we do, until they want to give us something to sink our
teeth into, then I'm going to be more willing to settle with the adversary group name coined by
FireEye way at the beginning of this, which they called UNC2452. It really rolls off the tongue
there, doesn't it? No, it just doesn't sound like fancy. I know. Yeah, yeah, yeah. All right. Well,
all this and more is part of CSO Perspectives.
That is a podcast that is part of CyberWire Pro.
You can learn more about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thanks, Dave.
And joining me once again is Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
I wanted to touch base with you on your insights on how an organization should handle inbound intelligence.
So you're sitting there, you're minding your own business, you're keeping your organization secure.
You get a call from outside the organization that says there's a security incident that requires your attention.
What do you do? How do you handle something like that? Well, Dave, let's probably start by talking about how not to handle it. And
of course, everyone that's ever done one of these, whether you're kind of a red teamer doing
offensive security research or an executive that's had to make one of these calls, everybody has had
one of these calls where it always starts with, does anybody know anyone that works there?
Right.
And that's probably first insight to the problem.
Like, how do you even get to a company that's going to get them to pay attention?
It's not like you can pick up the phone and call the help desk
or the helpline for like product support and go,
hey, you're about to go down in an hour with a ransomware incident.
We just want to let somebody know.
See it on Twitter every day.
Every day, somebody's asking that question.
Yep.
And then of course, you know,
when you do like get the CISO on the phone,
if it starts with a, hey, I'm busy and why am I even here?
And who are you?
Followed by, well, that's impossible.
You know, we've got great systems.
We have antivirus.
That's impossible to happen, right?
And I say this jokingly, but I swear everybody's had this conversation. And then of course,
the worst is, well, you really need to talk to our legal team, which is, and we've seen instances of this, is sometimes followed up with a, you know, a tersely written letter from a law firm about how
what you did is illegal or, you know, you didn't follow
some channel or whatever, right? So here's the thing. The first thing to realize is, I mean,
there's, don't get me wrong, there's reputable people and there's not reputable people, but
either way, you need to take this inbound intelligence and you've got to look at it as
intelligence. What can you learn from this? So someone, whether real or perceived,
has information that you need about either you're being breached or you have some sort of
vulnerability or maybe they found a bug in one of your products. And the first thing is to have
those listening ears on, right? You're not under any obligation to talk to anyone about whether
you're aware of that issue, whether you know about it, whether you've responded to anyone about whether you're aware of that issue, whether you
know about it, whether you've responded to it, whether you have the defense for it, but listen
to what they're telling you. The second thing, and I think this is the hardest thing for companies to
realize, is that the person talking to you probably knows way more than they're telling you.
And you need to kind of get underneath that. How do they know?
Who else knows? You know, if, and especially if it's coming from government, right? You have to
understand that when government is telling you something, they may have more information on the
classified side that they can't tell you about. Or if it's law enforcement, they may have another
investigation and it's, it's completely appropriate to ask, well,
at least what's the sourcing on this? And oftentimes they'll tell you, well, you know,
it came from another investigation, which I can't talk about. Or it came from, you know,
some sources I can't talk about. But the more you can understand, the better. And I think people are
really, well, relatively awful at dealing with inbound intel. Well, so what do you recommend then? What are the best
practices in your mind? Well, first of all, remember that this is an opportunity to build
a relationship, right? So if someone's giving you information, they have access to sources that you
probably don't. And that may mean in the future, they have access to sources that you probably
don't. So start by getting that contact information,
understanding how they came across this,
what type of work they do.
And this sounds silly, Dave, but say thank you,
because that researcher is gonna be more inclined
to reach out to you in the future
than if you're kind of terse or worse yet,
give them some sort of legal response
versus thanking them for giving you the information.
Even if it's stuff you already
know and might not do anything with, you might want their information in the future.
Yeah, it seems like so often these conversations lead to frustration on both sides. And I mean,
I can understand people having their guard up. I mean, this could, you know, how do you know it's not a prank call, right?
There's a dance that has to go on between the two parties here as you go down that path.
What do you know?
How do you know?
Can I trust you?
How much should I say?
And it just, as you say, you got to get past that.
Well, and let's face it.
The I Know Somebody network is alive and well in the world of intelligence.
And, you know, odds are that the company giving you the information may not be
the only one involved or the only one that's aware because usually by the time it's getting to you,
two or three threat researchers from different places have looked at it. But let's also talk
about an example of this where it can really go bad. You know, take the Spectre meltdown disclosure,
and you probably remember that, Dave,
from a few years ago, right?
I mean, this was held very tightly in a couple of companies
because people were very worried
about giving manufacturers time to respond to it.
But a couple of things happened.
Not only did that information not get to all the parties
that needed it, but you also saw that when it did get
in some organizations, it didn't get to
the right people, right? Because it started as a hardware discussion between hardware professionals.
And it took some time before it got to all the security teams in those companies to properly
address and deal with it. And I think, you know, and frankly, probably the biggest example in
Spectre Meltdown is governments.
You know, some of the people that need to know this information more than anybody were often the last to know.
So, you know, we've got to think about not only how do we take in that information,
but also what are our protocols and procedures to make sure it gets to all the right people within our organization
and or potentially within our supply chain.
All right. Interesting insights. Caleb Barlow, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
He likes it. Hey, Mikey.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.