CyberWire Daily - Ransomware enters vulnerable Exchange Servers through the backdoor. REvil is out and active. SolarWinds and control systems. Molson Coors responds to a cyber incident.
Episode Date: March 12, 2021

Microsoft warns that ransomware operators are exploiting vulnerable Exchange Servers. Threat actors continue to look for unpatched instances of Exchange Server. Johannes Ullrich joins us with his thoughts on the incident. REvil ransomware hits a range of fresh targets. Concerns are raised about the effects of the SolarWinds compromise on embedded devices. Our guest is Sally Carson from Cisco making the case that good design can save cybersecurity. And an unspecified cyber incident shuts down Coors Molson. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/48
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Microsoft warns that ransomware operators are exploiting vulnerable Exchange Servers.
Threat actors continue to look for unpatched instances of Exchange Server.
Johannes Ullrich joins us with his thoughts on the incident.
REvil ransomware hits a range of fresh targets.
Concerns are raised about the effects of the SolarWinds compromise on embedded devices.
Our guest is Sally Carson from Cisco, making the case that good design may just save cybersecurity.
And an unspecified cyber incident shuts down Coors Molson.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 12th, 2021.
Microsoft tweeted late last night that it had detected and begun blocking a new strain of ransomware, quote, being used after an initial compromise of unpatched on-premises Exchange Servers, end quote.
Redmond is calling the ransomware DearCry.
Automatic updates should be protected, but anyone operating an unpatched on-premises Exchange Server instance really does need to get on the stick and fix things.
Clippy is not a concierge for bad actors.
The ransomware outbreak would seem to be the sound of the other shoe dropping that CrowdStrike co-founder and current executive chairman of the Silverado Policy Accelerator Dmitri Alperovitch told CrowdStrike to expect. Exploitation of Exchange Server vulnerabilities has clearly moved beyond the break-in the Chinese government-run threat group Hafnium initiated.
It's developed into a cyber riot with widespread virtual looting. ESET two days ago said it had detected at least 10 groups attacking unpatched Exchange Server instances, and there are almost surely more than 10 of them out there and active.
As happens in a riot, the looting has been indiscriminate,
not confined to one country or any selected group of victims.
The BBC reports that at least 500 British firms have been affected.
The Record reports that the ransomware operators are exploiting the ProxyLogon vulnerability to install DearCry.
So far, this particular threat seems to have hit
only a relatively small number of vulnerable targets,
but the criminal campaign is still in its early stages.
And of course, what DearCry can do, other ransomware gangs can also accomplish.
Barracuda Networks says that it's observed a high and increasing rate of probing for unpatched Exchange Servers.
They started seeing scans around March 1st, and the rate of scanning has jumped remarkably since then.
So do look to your defenses.
DearCry isn't the only ransomware strain making news.
Security firm eSentire has been warning about a wave of activity by the gang behind REvil, the ransomware strain also known as Sodin, which is eSentire's preferred name for the hoods, or Sodinokibi.
The target list is marked for its diversity,
both geographically and in terms of sector.
eSentire's tally includes two law firms, an insurance company,
an architectural firm, a construction company, and an agricultural co-op,
all located in the U.S., as well as two large international banks, one in Mexico and one in Africa, and a European manufacturer.
Rob McLeod, director of eSentire's threat response unit, wrote in an email that, quote, these attacks come directly on the heels of an extensive and well-planned drive-by download campaign, which was launched in late December. This malicious campaign's sole purpose is to infect business professionals' computer systems with the Sodin ransomware, the GootKit banking trojan, or the Cobalt Strike intrusion tool.
As is now routine for this kind of crime,
the extortionists are also stealing files and threatening their release.
Lest we forget, the SolarWinds compromise remains a matter of active concern. An op-ed in The Hill by Red Balloon Security points out a growing uneasiness over how the campaign may have affected embedded devices. The concern is that the successful effort to compromise the SolarWinds software supply chain represented not merely cyber espionage, which it clearly did, but also an effort to stage more damaging attacks. The SolarWinds Orion platform is used in more than simple business networks and applications. As the op-ed puts it, SolarWinds Orion software has privileged access to the switches, routers, firewalls, and other network infrastructure used by power plant control systems.
Hey, everybody, first they came for your friends' electromechanical marital aids, and now they're coming for your beer.
Now, neither of those sectors is on the critical infrastructure list, although we admit we haven't checked either Nevada or New Brunswick, but this seems out of control. A Form 8-K the Molson Coors beer barons filed with the U.S. Securities and Exchange Commission disclosed that the brewery had sustained an unspecified cybersecurity incident that has caused and may continue to cause a delay or disruption to parts of the company's business, including its brewery operations, production, and shipments.
Fox 6 Milwaukee reports that production is at a standstill, and it's not confined to Wisconsin either. Molson Coors employees have been telling WALB News 10 in Albany, Georgia, that they've been sent home because of the incident and asked not to try to log in to any company resources. The exact nature of the incident is unknown, and the company is being tight-lipped about it for now. But Bleeping Computer cites speculation that it was a ransomware attack.
Security Week quotes experts from Nozomi to the effect that
industrial processes are attractive targets for ransomware gangs.
The attack is believed to have hit the brewer yesterday,
and the incident is under investigation and remediation,
with Coors Molson having brought in an unnamed outside firm to assist.
Maybe you're thinking to yourself, well, I don't drink Molson or Coors, so I'm all right, Jack. Don't be too sure. Molson Coors has a number of well-known international brands, including not only its two eponymous beers, but also Coors Light, Miller Lite, Carling, Coors Banquet, Molson Canadian, Blue Moon, Peroni, Killian's, and Foster's. Is NORTHCOM on this? Has anyone gotten on the horn to Colorado Springs to let the guardians in Cheyenne Mountain know? We're pretty sure a lot of them are customers. Beer might not be formally entered into the list of critical infrastructure, strictly speaking, but come on, this is beyond a joke.
Okay, okay, so there is something inherently jolly about beer, as we all know from having watched commercials for it.
But to resume speaking seriously, an incident like this isn't a trivial matter, and it does show how industrial operations can be disrupted by cybercrime. And we wish Coors Molson a speedy recovery, hope their employees can get back to work soon, and finally, we wish good hunting to law enforcement.
Apple co-founder Steve Jobs famously said when asked about the design of their products,
the design is not just what it looks like and feels like.
The design is how it works.
End quote.
To that end, a security tool is no good if only some people can figure out how to use it.
It's no good if the indicators it presents are ambiguous or hard to understand.
Design matters.
For an expert's view on this, I checked in with Sally Carson, security design lead at Cisco.
We know right now that complexity is the enemy of security. That's one core pillar of the work that I do. And design is all about folding away complexity and just radically simplifying products and services. So that's one. But we also know that security today is mostly about human behavior. We know that most breaches still originate via phishing attacks. And so when human behavior is involved, that's a great opportunity to bring in design, because I like to explain that design is not just about user interface design. That's certainly part of it, but it's a more expansive view of design. It's very much about human behavior and anthropology.
And so where do you come into this? I mean, what are you doing day to day?
How is the work that you do influencing the products that your organization is putting out there in the world?
Yeah, that's great.
So I came into Cisco via the Duo acquisition.
Cisco acquired Duo about two, two and a half years ago. And prior to that, I had joined Duo about six years ago and built out the product design and user research functions there.
And a lot of what we spend our time doing at the very beginning, the very inception of a new project or a new initiative, is partnering with our product managers to go out and talk to customers or would-be customers about their needs, their motivations, their goals, all of the behavioral elements that can inform our product strategy.
And it's not about asking customers what features they like. Like, that certainly comes up in the course of our conversations, but it's more like, show me how you solve this problem today. And oftentimes what we're observing is, you know, the equivalent of like duct tape and bubble gum, you know, stringing different tools together in wonky ways. And usually that speaks to some kind of unmet need. And maybe there's a way that we can deliver a product to market that addresses that need.
Is there a bit of an uphill battle? I mean, are there challenges that you face? I'm thinking of, you know, in a sector where using the command line is a badge of honor, do some people come to even the notion of design with a bit of resistance?
Well, it's interesting. The designers that I led at Duo, we even did quite a lot of work in command line interfaces. How do we generate error messaging that's quite a bit more intuitive and instructive and helps guide the person to next steps? So even if you're just looking at using the command line for some actions, there's work that design can do there to radically simplify and clarify what processes are happening behind the scenes.
Where do you think things are headed? Where do you think we're going in terms of making use of design to help make us all safer?
Good question. I mean, part of what we look at is we try to zoom out a level and not just focus on the products that we're delivering to market, but even zoom out beyond that and understand the state of the technology landscape in general and how people's attitudes and behaviors are changing as a result. So one example is when I joined Duo six years ago, I want to say maybe five years ago, we performed some expansive research just on the state of biometrics and customers' attitudes and behaviors toward biometrics. And then we've tracked that over time to see how it's changed. And with the early days of things like Touch ID or Face ID, early on, we found that our customers were pretty uncomfortable with that. And there were some privacy concerns coming up for them. And they were sort of at times conflating some of the privacy concerns that you might see in social networking with hardware-based biometric authentication. So they're worried that this thing's scanning my face, it's scanning my thumbprint, what's it going to do with that? But since then, that technology has become much more ubiquitous, and general consumer sentiment about that has changed. They're much more comfortable with using biometrics, and they understand it a bit more now, and they understand that no one's selling their face to advertisers.
Yeah, that's interesting. Are there industry-wide standards that are finding themselves coming into play? Are there best practices? How do we settle on best practices that this works and we should all adopt this?
Yeah, it's a really great question.
I think there is a need for best practices that are tailored to cybersecurity.
More generally, there are best practices just in terms of developing technology products for humans.
And a great canonical resource for some of that thinking is Apple's Human Interface Guidelines, the HIG. People call it the HIG. So if people are ever curious to kind of nerd out on design stuff, you can Google Apple HIG and look and see how they have developed their own standards that really do set precedent across the industry. There's more beyond just Apple, but that is sort of a gold standard that's been out there for decades now, and they've continued to evolve it. But I'd be really interested in seeing some emergent standards that are specific to cybersecurity. I think that could be really useful, especially for orgs that have the intent to improve their product, but maybe don't yet have the resourcing to invest in a really mature design function.
That's Sally Carson. She's security design lead at Cisco.
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's always great to have you back.
You know, we had breaking news recently about an out-of-band patch from Microsoft dealing with some of their Exchange Server products.
And I wanted to use that as an opportunity
to kind of touch base with you
about some security concerns that folks should have
when it comes to their Exchange Servers.
What can you share with us today?
Yeah, so Microsoft Exchange, a really interesting product. It used to be sort of the staple in every sort of corporate enterprise network. Of course, recently, a lot of people have moved their Exchange servers into the cloud or they're using cloud-based email services. But well, with that, they sort of became a little bit of a forgotten asset. And there are still hundreds of thousands out there exposed to the internet. And it has become an issue where they're no longer really well maintained and probably a little bit sort of out of sight, out of mind for a lot of IT departments. Not just recently with these vulnerabilities that were exploited and quickly patched by Microsoft. But over the last couple of years, we had a number of critical vulnerabilities in Exchange that were exploited, even though a patch was available. But the patching was much slower than what we typically see for similar critical assets.
Now, is this a case where even when companies are transitioning to the cloud, they'll likely leave their Exchange server up and running because, why not, and who knows what will break if we shut it off?
I think the last part is really it, sort of. Who knows what will break? My attitude is always, well, let's see who complains, and then we know what will break. But not everybody is that willing to upset their users. But yeah, I've, for example, seen them if you have some legacy, like fax email gateways and stuff like that, that sometimes needs an on-premise Exchange server, at least for the outbound part. Now, in that case, you could firewall it off nicely and not allow any inbound connections. But then again, you know, you're just using, probably, the Exchange server you had sitting there for the last few years. Back in the day, it was used for inbound email, so you still have that firewall port open. You may even still have, like, Outlook Web Access or something like this running for access, even though it's no longer really used. You're only using that outbound part. I think that's part of what's going on here. There are some legacy applications that do need an on-premise Exchange server. For a Windows network, that's the easy way to set up a mail server, but it no longer really would need a lot of that exposure to the outside world.
So is the lesson here then to, I guess, first of all,
take a look and see what you've got running in your environment
and then decide if it still needs to be there?
Yeah, inventory is always step number one.
Figure out what's there, next why it's there,
and then do we still need it or do we get rid of it?
I sometimes call this a little bit the slumlord philosophy to networking.
Kind of like in a cheap apartment, if you don't need it, the landlord is going to take it out.
In a network, if you don't need it, no need to pay for it, repair it, fix it, just remove it.
Yeah, all right. It's always a colorful explanation from you, Johannes. I appreciate it. Johannes Ullrich, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
14 is more fun than one.
Listen for us on your Alexa smart speaker
too. Be sure to check out this weekend's Research Saturday and my conversation with Dr. Rosario Cammarota from Intel Labs. We'll be discussing their research on fully homomorphic encryption.
That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next week.