CyberWire Daily - Patching, with special attention to Hafnium and the rest. Responding to the SolarWinds incident. Hacktivists don't like cameras. Dragnet in the Low Countries.
Episode Date: March 10, 2021
Patch Tuesday was a big one this month. Microsoft Exchange Server remains under active attack in the wild, with new threat actors hopping on the opportunity. Russia denies it had anything to do with the SolarWinds incident and says the kinds of US response that the word on the street tells them are under consideration would be nothing more than international crime. Hacktivists strike a blow against cameras and stuff. Joe Carrigan has thoughts on Google's plans for third-party cookies. Our guest is Kelvin Coleman from the National Cyber Security Alliance (NCSA) on how educators can better protect students' privacy during distance learning sessions. And police in the Low Countries sweep up more than a hundred cybercrooks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/46
Transcript
Patch Tuesday was a big one this month.
Microsoft Exchange server remains under active attack in the wild,
with new threat actors hopping on the opportunity.
Russia denies it had anything to do with the SolarWinds incident
and says the kinds of U.S. response that the word on the streets tells them are under consideration
would be nothing more than international crime.
Hacktivists strike a blow against cameras.
Joe Carrigan has thoughts on Google's plans for third-party cookies,
our guest is Kelvin Coleman from the National Cybersecurity Alliance
on how educators can better protect students' privacy during distance learning sessions,
and police in the Low Countries sweep up more than a hundred cyber crooks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 10th, 2021.
Yesterday's Patch Tuesday was a big one.
Microsoft, who's been urging users to patch Exchange Server,
pushed fixes for 89 vulnerabilities,
14 of which Redmond rated critical.
These are in addition to last week's out-of-band patches for the actively exploited Exchange server flaws.
Adobe patched its Connect, Creative Cloud, and FrameMaker products.
CISA's summary yesterday indicated 21 security upgrades or mitigation for industrial control systems.
Patch Tuesday aside, a great many Exchange server instances remain unpatched and open.
Recorded Future's The Record puts the tally at more than 46,000.
It's not just Hafnium either.
The scramble to exploit Exchange server while the exploitation is good continues.
ESET says they found at least 10 distinct threat groups actively working against the vulnerabilities,
some state-sponsored, others apparently criminal, some still unidentified.
They include Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, and Winnti Group, the last three being espionage groups, and DLTMiner, a crypto-jacking gang.
Axios summarizes the ways in which a state-initiated cyber operation
rapidly spreads to other actors in other precincts in cyberspace.
There's been much advice given on how to respond to the current campaigns against Exchange Server.
Patching and updating are important.
Unfortunately, however, they're a necessary but not sufficient response.
There's a good deal more to be done to locate and expel the threat actors from a compromised
enterprise. We'll say it again that it's worth taking a good look at the guidelines CISA has
provided to help walk organizations through the challenges of responding to this threat.
You can find them on the us-cert.gov website.
The U.S. government continues its deliberations over how to respond to both the Exchange Server exploitation wave and, especially, the SolarWinds supply chain compromise.
China's Hafnium group is widely held responsible for the campaign against Exchange Server.
The supply chain compromise involving SolarWinds' Orion platform
is generally attributed to Russia under the general threat actor name Holiday Bear.
The legal complexities of any such response were covered
during last week's annual CyberCom legal conference.
Russia has denied involvement in the SolarWinds operation
and yesterday said, according to U.S. News & World Report, that U.S. retaliation would amount to international cybercrime.
An essay in Wired argues that it's difficult to say what line Russia had crossed that other nations, the U.S. included, haven't crossed as well.
This seems a way of saying that all governments collect intelligence,
which is true,
but while this is worth considering before, say,
regarding the incident as an act of war,
which so far it doesn't seem to have amounted to,
it doesn't mean the governments subjected to hostile intelligence collection have to like it,
nor is it obvious why they should refrain from any sort of retaliation.
The range of options would seem to include, from most to least assertive, disruption of hostile
intelligence services networks, what the kids at Fort Meade call defending forward, economic
sanctions, indictment and prosecution of spies, declaring diplomats persona non grata, closing consulates, canceling
exchanges, and so on. Everyone may spy, but that doesn't mean the spied upon have to like it or
forbear any sort of response. Response isn't necessarily hypocrisy. It's how espionage works.
A group of hacktivists, which Bloomberg associates with the APT-69420 Arson Cats
collective, accessed some 150,000 live video feeds coming into security firm Verkada.
BleepingComputer says a representative of the group, one Tillie Kottmann, a reverse engineer for
the group of hackers, told its reporter that the Arson Cats gained access to the cameras
using a super admin account for Verkada.
They found the credentials and exposed DevOps infrastructure.
Some high-profile companies, Tesla and Cloudflare among them,
are said to be among those whose feeds were compromised.
But most of the organizations affected were smaller operations,
including not only small businesses,
but jails, schools, churches, pubs, museums, and so on.
The Arson Cats say they're interested in exposing pervasive surveillance
to help create a better world and to have fun while fighting for it.
Their efforts to save people from the totalitarian implications
of churches, schools, museums, and small businesses
trying to protect themselves from property crime
will no doubt be welcomed by all who go to school,
attend church, visit museums,
like to patronize these small businesses in their neighborhoods,
or have a drink in the local bar.
Besides, property is theft anyway, right? Right?
Didn't we hear that somewhere in a lecture one time or another? At any rate, Newsweek reported
this morning that the Arson Cats' representative had been suspended by Twitter, which is true.
Their account is indeed down. Twitter offered no explanation, but Newsweek thinks it likely
that the particular rule Kottmann broke involved a prohibition against posting hacked material.
One of the final tweets read, in the spirit of John Lennon's Imagine,
what if we just absolutely ended the surveillance capitalism in two days?
Tesla and others say no real damage was done. What effect the Arson Cats' propaganda
of the deed had on the various mom-and-pops it afflicted remains unclear, but it's probably
not good. At any rate, imagine, right? And finally, police in Belgium and the Netherlands
have taken down an encrypted chat platform they say was much favored by cybercriminals.
They shut down Sky ECC, a company they infiltrated last month.
In coordination with the takedown, they also made more than 100 arrests in sweeps they called, respectively, Operation A-Limit and Operation Argus.
The Record says that a lot of EncroChat customers are believed to have migrated to Sky ECC after EncroChat's proprietors, feeling the heat, absconded and closed down.
Other companies that once provided criminals with encrypted comms
are said to have included Ennetcom, PGP Safe, and Phantom Secure.
In fairness to Sky ECC, the company has issued a press release in which they dispute what's being said about them. For one thing, they
say the police didn't compromise them, but rather a cloned site that was spoofing their brand.
And they take strong issue with media reports that characterize them as the platform of choice for criminals.
As they put it, Sky ECC has a strict zero-tolerance policy that prohibits any criminal activity on its platforms.
Quote, Sky ECC users and authorized distributors are expressly prohibited under the terms of service
from using or distributing a Sky ECC device for any illicit, illegal, or criminal use,
any accounts used for criminal activity are immediately deactivated, end quote.
And they say that they haven't been taken down, only disrupted,
and that they're back up and in operation.
So take that, coppers.
As we head into our second year of dealing with the effects of the COVID pandemic,
CISA and the FBI recently put out a joint statement warning K-12 educators to be alert for cyber attacks and online dangers for themselves and their students.
Kelvin Coleman is
executive director of the National Cybersecurity Alliance, and he offers these thoughts on how we
might better prepare our teachers and students for the year ahead. We know that the education
space has become a major target for cyber criminals, cyber organizations. I think, in fact,
the FBI, as well as the Cybersecurity and Infrastructure
Security Agency, CISA, they recently issued a report that, and they briefed us out on it,
saying that, you know, K-12 schools are a worsening danger in 2021. They saw a 57%
spike in ransomware attacks in this sector just last year, right?
And not so ironically, the bad actors are taking advantage of the global pandemic, as is their MO.
They tend to take advantage of disasters, man-made or natural.
And so, you know, we are in a precarious position, but I do think we're going
to improve over the next year.
What do you suppose we should be doing here? I mean, I think for a lot of us, our hearts go out to both the teachers and the students who are trying to make the most of a difficult situation. You know, what sort of things can we do to support them?
Yeah, we have to create a culture of cybersecurity in today's academic environment, private sector, even public sector. We're all familiar with fire drills. You know, if a fire starts in a building, we know what to do. We know which exits to go to, and we know how to safely exit a building. Bad weather in certain parts of the country: kids are drilled on a monthly basis to make sure they know what to do if a tornado pops up in the Midwest or unexpected rains, whatever the case is on the West Coast. In that same way, we need to create a culture for cybersecurity.
I have to say, I really
find your comparison to a fire drill to be quite compelling. You know, I think about how for most
of us here, really from kindergarten through 12th grade, every year, at least once a year,
and probably several times, you did a fire drill. And these days, even as adults, if you find
yourself, you know, back before COVID, when we would
go places, you find yourself in a movie theater or a restaurant or any public place, if there was a
threat of a fire, everybody knows how to behave. Everybody knows how to act. Everybody knows to
look for those exits. And it's because we were all, from the very beginning, we were trained on
the ways to handle those situations safely. That's a really interesting idea to bring to cyber.
Well, and unfortunately, you know, the fire drills came about because, you know, kids were dying in fires, right?
You know, it wasn't just this idea that, oh, this seems like a great idea.
No, it was in response to something.
So why in the world wouldn't we do that for technology?
Why wouldn't we teach these basic things to students so that they can protect themselves?
I'm talking about passwords and multi-factor authentication and educational awareness.
And some people sometimes will say, those are pretty boring things.
Do you have anything more exciting?
No, I don't actually, because those things work.
We know that when you are able to
thoroughly implement that type of training within your organization, your chances of becoming a
target decrease by 40%, four zero. And so we know it works. It's just having the national will
to be able to make it a top priority. That's Kelvin Coleman,
Executive Director of the National Cybersecurity Alliance.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story.
This comes from the Wall Street Journal.
Right.
And it's titled,
Google to Stop Selling Ads Based
on Your Specific Web Browsing.
There is more to this than meets the eye, right, Joe?
There's a lot more.
There's a lot of moving parts in this story.
Okay.
So if we start from this first story with the Wall Street Journal, from the Wall Street
Journal, it says that Google is moving away from third-party cookies.
And this has been a long time coming.
We've seen other things like this happen
with Apple getting rid of their advertiser ID
or not getting rid of it,
but making it so that users have to opt in
to share it with other people,
other services like Facebook.
Google has been the last browser
to get rid of third-party cookie tracking in their browser, and they're not going
to start doing that until 2022. But because their browser is not going to do it, they're actually
going to stop doing it themselves, stop using these third-party cookies in there as a method
of tracking people. And some advertisers are saying, this is good for the user because it's
going to give them more privacy.
And then other advertisers are saying this is Google being too heavy-handed.
And some are saying we've been preparing for this for about 10 years.
There's another article here in the Wall Street Journal called Google's User Tracking Crackdown Has Advertising Bracing for Change.
And that's where you're seeing the comments from the advertisers.
But Google walking away from third-party cookies and stopping the use of third-party cookies is not the privacy move that it seems. Bennett Cyphers over at the Electronic Frontier Foundation
is talking about what's next because Google doesn't want to stop tracking you. And if you think about,
remember, if we talked about the Facebook issue with Apple not letting them have their Facebook
ID or their Apple advertising ID, unless they asked for it. And I said at that point in time,
that Facebook is still going to track you across all their apps and everything they own, which
includes WhatsApp. They had that privacy or the updates
to the WhatsApp terms and conditions that they kind of backed off of. They own Instagram. They
own Facebook. They're still tracking you and building a model of you inside of their services.
And it looks like Google is trying to do the same thing. But the problem here is that
Google is the leader in the web browser market. They have
the largest share of web browsing. This article from Bennett Cyphers talks about a Google proposal
called the Federated Learning of Cohorts, or FLoC. And this is a browser add-on or capability or feature, if you will, that has, I love that Bennett puts
quotes around this, that says the privacy sandbox, and they say it will be better than the world we
have today. But Google has gone to the W3C, which is the standards body for the web. And in the
web advertising business group, which is a group within the W3C,
primarily made of ad tech vendors, they have been proposing a bunch of technical standards
to go into FLoC, which include things like pigeon, turtle, dove, sparrow. They're all bird
names. Very cute. Yeah. Alfred Hitchcock fans are not put at ease by this naming decision, but that's all right.
Neither am I.
Let me quote this article.
Each of the Bird proposals is designed to perform
one of the functions in the targeted advertising ecosystem
that is currently done by cookies, right?
So what that means is Google is putting out to the world,
hey, we're getting rid of third-party cookies.
We're finally coming in line with this.
But keep using our web browser
because that's where we're tracking you now.
Now we have cupcakes.
You're going to love it.
Yeah, yeah.
Of course, users can get around this
by going to something like Firefox or Brave
or some other privacy-centered browser.
Yeah, yeah. It's interesting to me in the Wall Street Journal article, they quote Jonathan Mayer,
who's a professor of computer science at Princeton University. He says, these are proposals that read
like a company that's under enormous regulatory pressure and is trying to find a last-minute
plausible compromise to stave off regulation.
They've done the easy stuff and they haven't done the hard questions. I think that's an
interesting insight. I think it is. Here's my concern with this. And one of my primary concerns
with regulation is if the regulations are written in such a way that they ban something like third
party cookies, they still don't ban Google from doing this kind of tracking in
something that's their own software product, right? And I don't know that they should do that.
You know, Google produces the web browser, the Chrome web browser. So, you know, what they do
with that web browser is really up to them. And the users make that decision. The web is everybody's,
I would say. The web is almost like the airwaves. I like to think of the web as the airwaves.
And that should be, or the internet as a whole,
as the public airwaves.
It's something that everybody should have access to.
And you're talking about not being tracked on the internet
just because you're using the internet.
That everybody can get on board with.
But if you're going to agree to use my piece of software
that I provide you, either for free or for a fee,
I'm not so ready to agree to not being tracked, to not allowing Google to track people using that,
because there are other options out there for people, and they have to make that decision.
Yeah, I suppose you could say it's more sporting to have people opt in than opt out.
I would agree with that 100%. I think that's a better ethical stance is to have
people opt in. And there is no better way to have people opt in or opt out than by using different
software. Yeah, absolutely. All right. Well, interesting stuff for sure. Joe Carrigan,
thanks for joining us. It's my pleasure, Dave. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It lasts a good long time.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.