CyberWire Daily - More on that Solorigate threat actor, especially its non-SolarWinds activity. Chimera’s new target list. Executive Order on reducing IaaS exploitation. The case of the stolen laptop.

Episode Date: January 20, 2021

Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump’s last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/12

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump's last executive order addresses foreign exploitation of infrastructure-as-a-service products.
Starting point is 00:02:21 Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 20th, 2021. Malwarebytes has disclosed that it was hit by the same nation-state actor
Starting point is 00:03:06 implicated in the SolarWinds breach. Note that this isn't another victim of the SolarWinds supply chain compromise. Malwarebytes doesn't use SolarWinds. But rather, another victim of the same threat actor. Malwarebytes said, quote, evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments, end quote. They added that the Microsoft Security Response Center alerted the company to the problem. The damage seems to have been confined to a limited subset of internal
Starting point is 00:03:37 company emails, and there was no evidence found to suggest that on-premises or production environments were compromised. Those interested in hardening themselves against this sort of activity would do well to consult some advice FireEye's Mandiant unit published yesterday. They outlined protective measures available for use against the threat actor they track as UNC2452, and they concentrate on the attack vector that runs through Microsoft 365. Mandiant addresses four basic approaches UNC2452 has used. First, they steal the Active Directory Federation Services token-signing certificate and then forge tokens for arbitrary users that enable them to authenticate themselves into a federated resource provider as any user whatsoever, with no need to get that user's credentials. Second, they modify or add trusted
Starting point is 00:04:31 domains in Azure AD to add a new federated identity provider that the attacker controls. The result also enables tokens to be forged for arbitrary users. Third, they've been able to compromise credentials of on-premise accounts synchronized with Microsoft 365, and specifically accounts with high privileges, with obvious consequences for their access to targeted organizations. And fourth, they've added new applications or service principal credentials to backdoor an existing legitimate Microsoft 365 app
Starting point is 00:05:05 in order to use such privileges as that app may have. Mandiant notes in a by-the-way fashion that these things have been done by UNC2452 and others, and FireEye has kept its attribution of the threat actor ambiguous, so who knows how many groups may be active. FireEye did say last week that identifying the principal threat actor as Russian is plausible from what we've seen, which agrees with public assessments by U.S. officials. Attribution takes time, but signs point to Russian intelligence services, to one of the cozier members of Huggy Bear's sleuth.
Starting point is 00:05:51 NCC Group and its Fox-IT subsidiary have found that a Chinese threat actor hitherto known for collecting against Taiwan's semiconductor industry has a much more extensive target list. The targets are now believed to include airlines, and where the attacks on semiconductor company networks aimed at intellectual property theft, the airlines are of interest because of the personal data they hold. Apparently, the group is seeking to collect information about individuals of interest and also to harvest such credentials as may be available to them. CyCraft researchers called the group Chimera, and they say it uses its take in credential stuffing and password spraying attacks against the individuals' organizations. Former U.S. President Trump yesterday issued an executive order outlining measures to control foreign malicious use of infrastructure-as-a-service products.
Starting point is 00:06:46 The EO, whose title is Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities, is designed, Reuters reports, to restrict transactions between cloud service providers and foreign customers likely to misuse such services for cyber attacks. The Secretary of Commerce was given the leading role, directing the Secretary to propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an account. Commerce is expected to coordinate its work under the executive order with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence.
Starting point is 00:07:28 Then-National Security Advisor Robert C. O'Brien explained the motivation for the order as follows, quote, Foreign malicious cyber actors threaten our economy and national security through the theft of intellectual property and sensitive data, and by targeting United States critical infrastructure. By gaining access to United States IaaS products, foreign actors can steal the fruits of American innovation and prepare destructive attacks on our nation's critical infrastructure with anonymity. Malign actor abuse of United States IaaS products has played a role in every cyber incident during the past four years,
Starting point is 00:08:05 including the actions resulting in the penetrations of United States firms FireEye and SolarWinds. What the new administration will do with the order isn't known. President Biden was inaugurated a few hours ago. Presidents may cancel predecessors' executive orders, but they also may and often do keep them in force. President Trump's 11th hour EO, for example, cited in its first paragraph an executive order President Obama issued in 2015. Administrations change, but a lot of challenges endure. Prominent among those challenges, in cybersecurity at least, is the sort of abuse committed in the Solorigate incident. The Philadelphia Inquirer reports that Riley Williams, an alleged participant
Starting point is 00:08:53 in the Capitol riots of two weeks ago, has now been charged with felony theft in connection with the taking of a laptop from U.S. House Speaker Nancy Pelosi's office. Ms. Williams had been charged Sunday with misdemeanors involving disorderly conduct and illegally entering the Capitol. The possibility that Ms. Williams took the laptop with the intention of offering it to a third party who would subsequently sell it to Russia's SVR remains under investigation. That particular sale is said to have fallen through
Starting point is 00:09:24 when the middleman, woman, or persons withdrew from the deal for unknown reasons. As they say, investigation continues. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:10:14 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:10:43 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:11:42 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The team at Veracode recently released their 11th annual version of their State of Software Security Report. Chris Eng is Chief Research Officer at Veracode, and he joins us to share their findings. Chris, welcome to the Cyber Wire. Thanks. Great to be here. Well, let's get started with some basics here.
Starting point is 00:12:20 This is your 11th time around with this state of software security report. So what were some of the outstanding things that you found this time? Well, just for a little bit of background, you know, this is the biggest security report of software anywhere that I know about. We take all of the applications that are scanned through our platform and basically do a lot of analysis to try and find trends and interesting things about software. There are 130,000 applications in this data set, over a million scans, and over 10 million flaws. So it's nice to be able to kind of see what's happening, what's the current state of things out there, and how is software security getting better, or in some cases worse?
Starting point is 00:13:08 This time we found, probably unsurprisingly, most applications do have security flaws. Three-quarters of them had at least one. But most apps don't have severe vulnerabilities. Only about a quarter of them had a high or critical severity flaw. But one thing that's still an issue is how people are getting after fixing those flaws. Half of security findings are still unfixed six months after discovery. And so we spent a bunch of time going into some of the factors that may correlate with better or worse fixed times. And we spent a little bit of time on that as well. You know, this is your 11th version
Starting point is 00:13:43 of this report. Are there any big picture trends that you all have been tracking over time? Well, we're always looking at kind of a breakdown of the categories of flaws that we see. And, you know, I can go back to volume one and we are still seeing the same types and categories of flaws as we were back then. What we are seeing is a change in language selection, as you might expect. Native applications like C++ apps are declining, whereas web applications are becoming a lot more prevalent.
Starting point is 00:14:17 And so the types of vulnerabilities that are present in web apps are obviously increasing. But even though we haven't, as an industry, managed to eliminate entire categories, I think the reason for that is, going back to our first volume of this, this was a time when companies were just applying security testing to their most
Starting point is 00:14:39 high-profile applications. Maybe their five or ten most important applications. But these days, every company is a software company, and every company has hundreds, if not thousands, of applications. So what they've been able to do over that time is to scale this type of testing across their entire software portfolio. And so you have applications now that are being scanned
Starting point is 00:15:02 that have never been scanned before, and there's a lot of catching up to do. So the industry is definitely maturing, and we can see that just in the growth of the activity. I mentioned 130,000 applications in this volume. The previous volume, just a year ago, was around 80,000 applications. So you're seeing this immense growth
Starting point is 00:15:21 in how seriously companies are taking security and how well they're baking it in to their process. That's Chris Eng. He's Chief Research Officer at Veracode. We're speaking of their State of Software Security report. Thank you. ...worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Starting point is 00:16:45 Hello, Joe. Hi, Dave. Interesting story from the Hacker News. This is about an attack going after some Google security keys, some YubiKeys. What's going on here, Joe? Right. So I frequently talk about everybody using multi-factor authentication, and I frequently say the best form of that is some kind of physical security token like the Google Titan or like a YubiKey, because those things are impossible to intercept. At least we don... They have found a way to read the keys from the elliptical curve digital signature algorithm that are stored on the device.
Starting point is 00:17:35 And this is the, I'll say this is the keys to the kingdom. Okay. Okay. And what that is, is if I have these keys, these private keys, then I can sign things, which means I can commit the multi-factor authentication process flawlessly. Right? Now, there's a caveat here. Maybe you shouldn't be too worried because this is a side channel attack, meaning that they're using a physical read on the device while the device is powered up, right? So what do they have to do? They actually have to get this device from you, and then they have to take it apart so they can put a sensor near a chip on the device so they
Starting point is 00:18:18 can watch the data moving around on this device. And using an algorithm, an AI algorithm or a machine learning algorithm, they can deduce the keys after six hours. So the threat model is somebody's going to have to come into your house or come into your office, take the key without you noticing it, be able to disassemble it, take the cover off of it, and have, I think it was $17,000 worth of equipment. That's a lot of money for equipment. It is certainly not outside the range of possibility for a very advanced adversary. Sure.
Starting point is 00:18:53 Right? This is the James Bond kind of stuff that I'm sure spies do all the time. Right, right. But, you know, nobody beyond that is going to be really able to pull this off. They're going to try other ways to get into your account. What is also interesting to me in this
Starting point is 00:19:07 is that only certain of these security keys are vulnerable to this attack because what they're doing is they're using a physical byproduct of the way the data is stored on these chips. And just because you have one model or another model of this device, that doesn't change the fact that those keys still have to exist in a very real form on these devices in
Starting point is 00:19:32 the form of stored memory, and that those keys have to be used in a very real way that is detectable in the universe, right? That we can put a sensor near it. So I think that we're going to see more of these kind of attacks on a broader range of devices over time. I checked the YubiKeys that I have, and they're not on the list of affected devices, but all the Google Titans are on the list of affected devices.
Starting point is 00:19:57 Right, right. Does that mean that Google has to do something to better shield the devices? Maybe some tamper-resistant technology could go in here to stop this from happening. Yeah, yeah, I can imagine in the spycraft situation of someone not just removing the one that you have, but swapping it out for another one,
Starting point is 00:20:17 because if you're not using this every time you log in, then perhaps you wouldn't notice that a different one had been swapped in within the amount of time that they need to do what they needed to do. But again, there's such an edge case here. It is. I don't think the take-home here is, for me anyway, this is interesting research, always good to find out when there's an unexpected vulnerability.
Starting point is 00:20:45 But no reason to take your Google Titans or your Yubikeys and throw them in the trash yet. And unless you know, if it is, you know who you are, right? Right. Exactly. The people who this affects, they know who they are. Right. They've already got the memo. Yeah.
Starting point is 00:21:04 If you don't know, then you're probably fine. Yeah. But yeah, interesting research for sure. Again, you said it's from the folks at NinjaLab and it's an interesting read. So if you're interested in this kind of stuff, do check it out. I said this particular article comes from the Hacker News. So yeah, interesting stuff, huh? Yeah. I think it's fascinating. I'm always fascinated by how real and physical things like the internet are. The internet isn't this nebulous cloud that's out there. There's actually computers that run it, right? And they're all over the place. Yes, they are. Clever humans, clever humans. And this community is absolutely fascinating. Yeah. Joe Carrigan,
Starting point is 00:21:48 thanks for joining us. It's my pleasure, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Investment in knowledge pays the best interest. Listen for us on your Alexa smart speaker, too.
Starting point is 00:22:31 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki... Thanks for listening. We'll see you back here tomorrow. Thank you. ...so practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
Starting point is 00:23:33 connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
