CyberWire Daily - More Exchange Server exploitation, and security advice. Updates on the SolarWinds compromise, criminal TTPs, and the Verkada hack. And news not you, but your friends might be able to use.
Episode Date: March 11, 2021

Norway’s parliament is hit with Exchange Server exploitation. CISA and the FBI issue more advice on how to clean up an Exchange Server compromise. CISA hints at more detailed attribution of the SolarWinds compromise “soon,” and US Cyber Command says military networks were successfully defended. Microsoft’s Kevin Magee on exporting cyber talent. Our guest is Hanan Hibshi from Carnegie Mellon University on their picoCTF online hacking competition. Notes on some evolving criminal techniques, an update on the security camera hacktivist incident, and some news you won’t need, but your friends might. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/47 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Norway's parliament is hit with Exchange Server exploitation. CISA and the FBI issue more advice on how to clean up an Exchange Server compromise. CISA hints at more detailed attribution of the SolarWinds compromise soon. And U.S. Cyber Command says military networks were successfully defended. Microsoft's Kevin Magee on exporting cyber talent. Our guest is Hanan Hibshi from Carnegie Mellon University on their picoCTF online hacking competition.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 11th, 2021.

Norway's parliament can now be counted among the victims of the campaign against Microsoft Exchange Server vulnerabilities. Bleeping Computer reports that the Storting yesterday disclosed that it had lost some data, but that investigation was incomplete and the full extent of the damage was still unknown. The Storting was the subject of a cyber attack late last year, which sources in the Norwegian government at the time attributed to Russia's GRU. But the Storting believes that this incident is unconnected to the earlier incursion by Fancy Bear. Given all the groups in on the scramble to take advantage of Exchange Server vulnerabilities while they're still available, it's not surprising that some of this is a bit unclear. And not only are a lot of the Exchange Servers still unpatched and ready for the plucking, but simply patching vulnerable systems isn't enough to clear them of the malware the various attackers have deployed. Many threat actors, including both intelligence services and criminal gangs, have rushed to exploit these Exchange Server vulnerabilities, and they've left their access means behind them.
The FBI and CISA yesterday issued a joint advisory on the Microsoft Exchange Server compromise. The advisory includes a summary of the methods the threat actors are using against their targets, as well as a set of actions victims can take to mitigate the damage. The advisory remains coy about attribution, stating nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. But it's pretty unambiguous about the consequences of exploitation. As the advisory puts it, quote, successful exploitation of these vulnerabilities allows an attacker to access victims' Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information, and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web. End quote.

Reuters' Chris Bing tweets that CISA expects to release soon more evidence attributing the SolarWinds compromise to Russia. While some sources within the U.S. government have blamed Russia for the campaign, most of the detailed attribution has come from the private sector. In the meantime, U.S. Cyber Command has offered some reassurance about the .mil domain. The Record reports that Cyber Command's executive director told the Intelligence and National Security Alliance that, quote, to date, there's no evidence of a compromise in DoD networks because of the SolarWinds attack. That doesn't mean we weren't exposed. The layers of defense we had in place prevented the adversary from advancing from the toehold they had, end quote.
Security firm Bitdefender warns that the FIN8 criminal group has resumed operation. The gang is operating improved versions of their BADHATCH backdoor. FIN8 is a criminal-to-business bad actor, and it's shown an interest in the insurance, retail, technology, and chemical sectors. Geographically, its targets have been largely in the United States, Canada, South Africa, Puerto Rico, Panama, and Italy. Bitdefender, noting that FIN8 and other criminal groups do evolve their tactics, techniques, and procedures, suggests some countermeasures businesses can take to protect themselves, including segmenting your networks, in particular separating the point-of-sale network from the ones used by employees or guests; training your people to recognize social engineering approaches; supplementing security awareness training with some technical adjuncts, tuning your email security solution to automatically discard malicious or suspicious attachments; building in some situational awareness about the threat, integrating threat intelligence into existing SIEM or security controls for relevant indicators of compromise; and, if you're too small to operate your own dedicated security team, considering outsourcing security operations to managed detection and response providers.
FIN8 isn't the only threat actor showing some signs of changing its approach. Researchers at Proofpoint report that the TA800 gang is using a new initial access tool, NimzaLoader. Proofpoint says, quote, there's been some evidence suggesting NimzaLoader is being used to download and execute Cobalt Strike as its secondary payload, but it is unclear whether this is its primary purpose. End quote. It's also not clear if the shift to NimzaLoader is just a short-lived thing for TA800 and others, or whether this initial access tool will gain wider adoption.
To update yesterday's coverage of the compromise of networked security cameras by the hacktivists styling themselves the Arson Cats, the affected company, Verkada, says it's found the source of the problem and corrected it, having secured all of its systems by midday Tuesday. The company says the attackers were able to access a Jenkins server Verkada's support team used to perform bulk maintenance on its customers' cameras. They think the attackers had access for about two days. Verkada has retained the security services of FireEye's Mandiant unit and the law firm Perkins Coie to help with their internal investigation, and they've notified the FBI, which is on the case.
And finally, hey everybody, you're probably asking about the security situation with respect to Wi-Fi-enabled, networked, self-regarding, electromechanical marital aids, right? We mean, of course, that you're probably asking for a friend, just like we are. Anywho, wonder no longer, because the helpful researchers at ESET have just published the skinny on this topic, and it's enough to warn any prudent human being away. A report they published this morning begins with a public-spirited lead, quote, as Internet of Things devices continue to seep into our homes and offer an increasingly wide range of features, new concerns are beginning to arise about the security of the data processed by these devices. Although they've been subject to countless security breaches that led to the exposure of people's login details, financial information, and geographical location, among others, there are a few kinds of data with more potential harm to users than those relating to their more intimate practices. Apparently, there's a market for such aids and devices, and apparently they've evolved in much the same way things like webcams, thermostats, and coffee makers have, in common with other modern conveniences. Intimate devices, ESET points out, now exhibit many features: remote control, access to the Internet, group chats, multimedia messages, video conferences, synchronization with songs or audiobooks, and the capacity to connect with smart assistants, to name a few. Some models can synchronize to replicate their movements, and some others are wearables. The researchers looked into the security of products produced by the WOW Tech Group and by Lovense. They found issues of unwanted remote access in both families of products, which they say the vendors have now addressed. ESET thanked both WOW and Lovense for their cooperation, although that's probably to be expected. After all, who's more open to suggestions than that sector? And now everything is patched. And again, like you, we don't know anything about this stuff either.
Calling all sellers. Faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Since 2013, Carnegie Mellon University has been hosting picoCTF, a cybersecurity hacking contest for middle and high schoolers. Last year, they attracted over 40,000 participants, vying for cash prizes of up to $5,000. Hanan Hibshi is a research and teaching faculty at the Information Networking Institute at Carnegie Mellon University.

picoCTF is a research project that started with a CMU faculty, Dr. David Brumley. He is one of the CyLab faculty, and this project was intended to attract the younger youth into cybersecurity through playing a game that we call Capture the Flag. So Capture the Flag is a term known in the security field because in many major security conferences, like DEF CON, for example, we do have Capture the Flag events, or what we call CTF events. Basically, lots of those security enthusiasts and professionals would sit in teams and compete. So picoCTF started transferring from that yearly competition to become an educational platform. And the nice thing about it is that it's no longer this yearly competition that you have to just go sign up to a new site every year and just compete. Now it's an educational platform. You can go practice your skills. You can solve prior challenges. We have faculty collaborating with us from all over the United States by using this in their classes. We have another faculty member who used to be at CMU and is now at Texas A&M, Martin Carlisle, who is really interested and invested in this project that he actually produces videos every year for the new challenges after the competition is over. So those who are really interested in finding the answer and couldn't solve the challenge would benefit from using those videos. So now picoCTF is two things. It's an educational platform for cybersecurity, and it also hosts competitions year round where students can compete and win prizes if they are in middle and high school.

Why is it important for Carnegie Mellon to support this sort of thing? What do you all get out of it on the university level?

It's part of our giving back to the community, and community outreach for us is bigger than just going and giving talks to the youth and telling them, hey, look at us. This is our journey. Come and be someone like us. This is, of course, great, and we do it, but then there is much more that we can contribute. We understand the technology. We understand we are pioneers in cybersecurity. So how can we help address this national and international shortage? The shortage in cybersecurity is really getting bigger and bigger. It's predicted to have 1 million job openings by 2026 and 3 million worldwide. But we're not going to rely on someone introducing those in schools. We want to provide tools that would help the younger youth figure out that path for themselves before somebody points it out for them. Maybe this game would help change somebody's life. Maybe somebody would figure out, wait a minute, this is what I want to do for life. I want to be solving those kind of challenges if this is what a job in cybersecurity looks like.

That's Carnegie Mellon University's Hanan Hibshi. This year's picoCTF kicks off on March 16th. You can find out more at picoctf.org.

ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Kevin Magee. He's the Chief Security and Compliance Officer at Microsoft Canada. Kevin, it's always great to have you back. I wanted to touch today on, I know, some things you've been following and kind of pondering, which is this ongoing shortage of talent in the cybersecurity business. And we always talk about looking out for talent from other places, reaching out to bring talent in. But you've been thinking about this notion of exporting some of our talent. What's going on here?

Yeah, I think we spend a lot of time talking about the skills gap and what we need to get more people interested in the industry. And that's kind of a pull. My thinking is, how do we flip that on its head, and how do we start to export talent to other areas of the industry and really start to leverage the expertise and whatnot that we have within our industries for other areas? And that can look like a number of different ways. That could be having people with security backgrounds sitting on boards of directors. Maybe it's moving someone from cybersecurity into the finance department to work with anti-fraud or whatnot. It could be marketing as well. Social engineers would probably make great marketers. And non-technical C-levels as well. So I think there's an opportunity to really start seeding other aspects of the businesses out there, or organizations out there, with cybersecurity technology, because that will start to implant a tone from the top that security is important, security matters, which I think will start to pull in more people into the security industry. That's my hypothesis anyways.

I think it's fascinating. I mean, a couple of things come to mind. First of all, I can imagine the folks who are out there trying to hire cybersecurity people might push back and say, are you crazy? We have enough trouble getting people to fill these jobs now, and you want to send them off to other departments?

One thing, a lot of us have been in the industry for quite a long time, so I think we're taking up a lot of the top jobs, really at the top of some of the management pyramids. If we can move into other roles and start to add value and create impact in other areas of the business, that gives a chance for up-and-coming leadership to really move up the ranks as well, too. Again, creating more demand. Because that's one of the challenges I've heard from a lot of folks in the industry, is that once you get in, it's hard to really move up and accelerate because there's sort of old-timers like me that are kicking around still because we still like our work as well. But what really sparked it to me was I was talking to an automotive executive, and we were talking about building out cybersecurity expertise in the plants and different ways to do that. And I thought, wouldn't it be great if you could just have someone from the cybersecurity team come out and job shadow, or see what it's like to work on the line, or really get immersed in that, and even then move someone from the cybersecurity team into plant management or whatnot. And we started to explore that topic, and that's what really got me thinking about this. How can we really approach the problem differently?

What about issues of pay disparity? I mean, there's cybersecurity professionals, there's generally a premium assigned with those. Would we have to deal with something like that, that you're moving into a position that may not be as lucrative as the one you have now?

Sure. Pay is always what motivates people in cybersecurity. I know it's certainly one aspect of it, but a lot of people get into cybersecurity because they like challenges, they like puzzles. So having new opportunities to explore new aspects of the business or whatnot can really make a difference. And some of the insights we can provide, we can still be cybersecurity professionals, but within a different part of the business. I actually joined recently a board of an automotive industry board, and was really interested: why would you want me to sit on the board? Well, we talked about sort of my perspective and my unbiased views of thinking and how I can really enhance the decision-making process across the board. So to give an example, they asked me, you know, if I told you I thought cars are going to look like iPhones more in the future, you know, what changes do you think that will bring to our industry? I started asking questions like, will I actually even own the car? Or do I just get subsidized car hardware and then subscribe to a multi-year service? What happens when I open the hood? Will it void the warranty? If I uninstall unauthorized third-party software or parts, will that affect my insurance, or will I have some sort of legal liability if the car is jailbroken? If I'm in an accident, again, we bring a different thought process or a different set of thinking to other areas of the business that can be of immense value.

Yeah, that's a really interesting insight. I mean, I think about, you know, people talk about this notion of spreading the cybersecurity mindset throughout the organization. And it seems to me like this is a way to do that, to get people in doing those jobs who come to it with that mindset already built in.

And even just, what are the sort of attacks that could be used with, say, the automotive industry? Some of the things that come to mind: what if you could create traffic jams as a physical DDoS threat vector by bricking cars or using botnets at autonomous cars? These are things that the auto industry is probably not thinking about because they're so immersed. They have 20, 30 years history of thinking about what a car is. I don't have that. I can barely lift the hood of my car to get the wiper fluid in. So I'm not encumbered with all of those sort of paradigms of what a car is and whatnot. I can look at it from a completely different perspective. So I think we have so much to offer other areas of the business. We would love to find ways to explore this in the future.

All right. Well, Kevin Magee, thanks for joining us.

Thanks, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.