CyberWire Daily - RedEcho under investigation (amid reassurances). Stopping Operation Exchange Marauder. Containing Ursnif. Cyber proliferation. And another round in the Crypto Wars.
Episode Date: March 3, 2021
India continues to investigate the possibility of RedEcho cybersabotage of its power distribution system, but says any hack was stopped and contained. Microsoft issues an out-of-band patch against a Chinese-run “Operation Exchange Marauder.” The financial sector works to contain an Ursnif outbreak. CISA issues ICS security advisories. Myanmar and the difficulty of stopping cyber proliferation. Joe Carrigan looks at CNAME cloaking. Our guest is author Neil Daswani from Stanford University’s Advanced Security Certification Program, on his upcoming book Big Breaches - Cybersecurity Lessons for Everyone. And another round in the Crypto Wars seems ready to start. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/41 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
India continues to investigate the possibility of RedEcho cyber sabotage of its power distribution system,
but says any hack was stopped and contained.
Microsoft issues an out-of-band patch against a Chinese-run Operation Exchange Marauder.
The financial sector works to contain an Ursnif outbreak.
CISA issues ICS security advisories.
Myanmar and the difficulty of stopping cyber proliferation.
Joe Carrigan looks at CNAME cloaking.
Our guest is author Neil Daswani from Stanford University's Advanced Security Certification
Program on his upcoming book, Big Breaches, Cybersecurity Lessons for Everyone.
And another round in the crypto wars seems ready to start.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, March 3rd, 2021.
Indian authorities continue their investigation of the possibility
that the Chinese threat actor Recorded Future calls RedEcho
compromised portions of the country's power grid.
Inquiries are in progress, at least, in Maharashtra, according to India Today,
and Telangana reports Business Today.
Business Today adds that signs of malware were found in some 40 substations.
There may have been attempts at command-and-control communication from the Chinese-based threat actor
trying to access power distribution systems
operated by the Telangana State Load Dispatch Center and TS Transco.
CERT-In, the Computer Emergency Response Team of India,
advised both organizations to take appropriate precautions against those attempts.
Telangana Today says that utilities have taken various measures
to reduce the possibility of cyber attack,
including blocking risky IP addresses, changing operator credentials,
and isolating equipment suspected of having been compromised.
India's Union Power Ministry confirmed to The Hindu that it had received warnings of the RedEcho operation
and its possible use of ShadowPad malware,
but that prompt action had prevented a data incident.
According to the ministry, such attacks failed.
Quote,
There is no impact on any of the functionalities carried out by the Power System Operation Corporation
due to the referred threat.
No data breach/data loss has been detected due to these incidents.
As The Hindu notes, the statement made no explicit mention of the power outage in Mumbai
on October 12, 2020. The reference to data breaches and data loss and their prevention
also leaves aside discussion of the sort of sabotage the New York Times discussed in its coverage earlier this
week. Microsoft warned late yesterday that the Chinese state-directed threat actor Hafnium was
actively exploiting four zero-days in on-premises Microsoft Exchange Server 2013, 2016, and 2019.
Redmond has issued out-of-band patches for all four vulnerabilities,
and it urges users to apply them immediately. Hafnium is a cyber espionage group active
mostly against organizations in the U.S., especially infectious disease researchers,
law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
While based in and directed from China,
Hafnium operates for the most part from leased virtual private servers in the U.S.
Microsoft offers its attribution with high confidence
and says it's based on observed victimology, tactics, and procedures.
The company characterizes Hafnium as a highly skilled and sophisticated actor.
The description of Hafnium's operation suggests that it represents a cyber espionage actor.
Microsoft stresses that this campaign and the actor behind it
are completely unrelated to the recent SolarWinds supply chain compromise.
Redmond credited security firms Dubex and Volexity with helping identify the exploitation.
Volexity dates the onset of the campaign, which it calls Operation Exchange Marauder, to January 6th at least.
Prague-based security company Avast has obtained information on victims of the venerable Ursnif malware and has reached out to payment processors, banks, and financial services information sharing groups
to help facilitate remediation.
Ursnif came to defenders' attention in 2007 when it surfaced as a banking trojan.
It's evolved since then to encompass other capabilities and new uses. Avast has located
credentials, pay card, and banking information the Ursnif operators appear to have taken from
victims during recent criminal activity, and the firm is sharing that information with organizations
in a position to notify and assist the victims. Much recent Ursnif activity has targeted Italy.
Avast says it's seen evidence that more than 100 Italian banks were affected,
and so one of the company's key partners is CERTFin Italy.
The U.S. Cybersecurity and Infrastructure Security Agency
yesterday issued three more ICS security advisories,
The latest cover products by MB, Rockwell, and Hitachi.
The New York Times reviews cyber proliferation to Myanmar's junta. The report indicates the
perennial difficulty of restricting the spread of dual-use technologies, that is, not only tech
that has entirely legitimate civilian uses, but technology that has lawful military and law enforcement uses, but which should be kept away from governments likely to use it for illicit repression.
MSAB that can download the contents of mobile devices and recover deleted items,
and MacQuisition forensic software that extracts data from Apple devices. MacQuisition is made by BlackBag Technologies, a U.S. company that was acquired late last year by Israel's Cellebrite.
Both companies say the tech in question appears to represent legacy systems and that they had suspended sales to Myanmar before this year's coup.
Some of the tools may have been provided by various middlemen.
The report in The Times might be considered a useful case study of the sort of problem
the Atlantic Council addressed in its report on initial access brokers
and cyber proliferation earlier this week.
And finally, familiar lines appear to have been redrawn in Washington
for a coming engagement in the crypto wars.
The Washington Post reports that FBI Director Wray has mentioned
the difficulty of adequately tracking domestic extremists
when such extremists are able to
avail themselves of end-to-end encryption. The opposing side says this misses the point
and that weakening encryption will only serve, ultimately, to weaken security generally.
As one expert put it, in the old days, when you had a legal wiretap on the mob,
sometimes the mobsters whispered
and played a loud radio in the background.
You can't always get what you want.
Neil Daswani is co-director of Stanford University's Advanced Security Certification Program,
and he's author of the new book, Big Breaches, Cybersecurity Lessons for Everyone.
We caught up recently to discuss his new book.
One of the reasons that I wrote this book is because I've been studying some of the biggest breaches
that have been taking place for the past seven years.
I started studying these big breaches
even before I became a chief information security officer
for LifeLock quite a while back.
And I also spent time just trying to understand,
do some core research as to what are the root causes of all of these data breaches so that we can get a handle on them and hopefully do a better job at preventing them in the future.
Well, let's go through it together.
I mean, are there common things that your research has brought to bear here when it comes to the big ones?
Yes, absolutely.
So in the Big Breaches book,
I go back to 2013 and start with telling the histories
and stories behind the breaches at Target,
JPMorgan Chase, OPM, Yahoo, Equifax, Capital One,
and all of the mega breaches
pretty much have similar root causes.
Chief information security officers have hundreds of, I'd say, security compliance checkboxes
that they need to check.
But there's really six things that these breaches come down to.
And they are phishing, malware, software vulnerabilities, unencrypted data, third-party compromise and abuse,
and inadvertent employee mistakes. If you're an organization that wants to defend yourself
against a breach, I'd focus on those six things first, and you'll overwhelmingly reduce your
susceptibility to being breached much more effectively than trying to check a whole bunch of
checkboxes.
Well, so what are the take-homes for you? What do you hope people get out of reading the book?
Well, I hope that most of the security professionals and chief security officers
take away that if they focus on the six key technical root causes of breaches, they can make a significant advancement
in mitigating their risk due to a breach in an environment where if you look at an average
organization, they might have to satisfy PCI compliance standards to take credit cards. They
might have to satisfy HIPAA if they're a healthcare organization. They might have to satisfy FedRAMP
if they do organization with the government. And each of these security compliance standards has
hundreds of checkboxes. And so there's a saying that complexity is typically the enemy of security.
And if we simplify and focus on the six key technical root causes that have been at the heart of so many, so many breaches,
I think we can be a lot more focused in our cybersecurity defense and hopefully prevent
more breaches in the future. That's author Neil Daswani. The book is titled Big Breaches,
Cybersecurity Lessons for Everyone.
Do you know the status of your compliance controls right now?
Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
There's an interesting story from the Hacker News.
It's titled,
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique.
What's going on here, Joe?
Well, it's, it's a result of most of the browsers saying we're going to block third party cookies,
right?
So you can put third party cookies into, uh, into web pages by putting, uh, other URLs
and requesting resources from them in your code, but that's pretty easy to block,
right? I can just say, hey, the user is going to this domain and this domain wants to load
some resource from another domain. We're not going to do that. We're not going to load that
other resource. We're not even going to request it. We're just going to ignore it. And because
that is impacting advertising dollars, of course,
now you have a very strong financial incentive to find a way around it. And it looks like a few advertising
networks have found a way around it using something called CNAME cloaking.
So a CNAME, or canonical name, DNS entry is a DNS entry that points to another DNS entry.
It's a domain name that points to another one. And this
is very common. It's absolutely required for the operation of the internet and the web.
Say, for example, you have a domain, davebittner.com, but you don't want to set up your own
web server and everything. You want someone else to host that for you. So you go to some service
provider and they give you a domain that's davebittner.serviceprovider.com, right? And you could tell everybody, hey, go to
davebittner.serviceprovider.com, but that seems kind of lame, right? Would you rather just tell
them go to davebittner.com? Absolutely. You make a CNAME entry that is davebittner.com that points to davebittner.serviceprovider.com.
That's how it works. The problem is this also works for cookies, right? Because DNS happens
outside of the web browser. So when these advertisers get in bed with the website,
they say, okay, so website, you're going to have a domain called whatever.website.com.
And that domain is going to have a CNAME entry that points to our advertising network.com.
So the browser sees that as a URL that matches the domain that the user is visiting. And they go ahead and ask DNS for the IP address.
And DNS does all the hopping around
and returns just the IP address, right?
And it goes out and requests the resource.
And it's going to the advertiser's servers,
but the web browser doesn't know
that it's going to an advertiser's server.
Hmm.
So it's essentially making a third-party cookie look like a first-party cookie?
Exactly. Yep. From the browser perspective, it does exactly that.
Huh. So, okay. So we're playing this game of cat and mouse with these advertisers and these
trackers. I mean, where do we stand in terms of blocking this sort of thing?
Right now, it's kind of hard to block these because there are some mitigations that are available. Also, Firefox is rolling out something called total cookie protection that prevents
cross-site tracking by confining all cookies from each domain into its separate cookie jar,
they're calling it. I think that's very cute.
I say it sounds like something that Kermit the Frog used on Sesame Street to protect
against Cookie Monster.
Apple's iOS 14 and macOS have come out with additional safeguards to build upon their
existing features to shield against third-party CNAME cloaking.
That's, you know, it's, I don't know how they're doing it. I don't know what the technical backend is, but I imagine that
within the web browser, they might build some kind of DNS engine that says, what does this resolve
to? Does this resolve to a third-party domain? Okay, shut it down. But then they have to,
that means they have to update the code. And now the browser is actually doing more, you know, things that would, it should be offloading to DNS, but it's actually having to resolve it first because of this tactic.
You know, that's just going to make things more inefficient.
It's going to make your computers, you know, I don't know if it's going to make them run slower given how fast everything is now, but it is unnecessary operations.
Right, right.
This is why we can't have nice things.
Right, exactly.
This article at The Hacker News points out that Chrome and, by extension, Chromium-based browsers are the browsers that are not blocking CNAME cloaking natively.
Right.
Well, they're still not blocking third-party trackers natively.
They've reluctantly agreed that they're going to come along on this.
But the reason is because Chrome is built by Google.
Right.
And a huge part of their revenue comes from advertising, from their advertising network.
They're one of the biggest, if not the biggest, advertising networks out there. Yeah. Yeah. So they don't have an interest.
Self-interest. Right. Yeah. It's a conflict of interest here.
Right. Right. All right. Well, it's just an interesting article again over on Hacker News.
Some neat technical details there. Thank you for helping us understand it. Joe Carrigan.
It's my pleasure, Dave.
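The check Joe describes, following the CNAME chain before deciding whether a "first-party" host really is first-party, can be written down concretely. The following is an added example and not code from the show or from any browser or blocker; every hostname, the zone table, and the short public-suffix list are constructed for the example and stand in for a real resolver and the real Public Suffix List.

```python
"""Added example: spotting a CNAME-cloaked third-party request.

A resource URL that sits on the page's own domain (metrics.news-site.example)
may be a CNAME alias for a tracker on another registrable domain. The browser
only sees the URL host, so the check has to follow the CNAME chain first.
All hostnames, the zone below and the suffix list are constructed for the
example; none of them are real services.
"""
from typing import Dict, List, Optional

# Constructed zone: owner name -> CNAME target. None means the name has an
# A/AAAA record of its own, i.e. the chain terminates there. Names absent
# from the zone are also treated as terminal.
ZONE: Dict[str, Optional[str]] = {
    "www.news-site.example": None,
    # Cloaked tracker: a first-party-looking host aliased into another domain.
    "metrics.news-site.example": "cust-1234.tracker-cdn.example",
    "cust-1234.tracker-cdn.example": "edge.tracker-cdn.example",
    "edge.tracker-cdn.example": None,
    # Ordinary in-domain CNAME, which must not be flagged.
    "static.news-site.example": "assets.news-site.example",
    "assets.news-site.example": None,
    # A misconfigured loop, which a resolver must refuse to follow forever.
    "loop-a.news-site.example": "loop-b.news-site.example",
    "loop-b.news-site.example": "loop-a.news-site.example",
}

# Assumed, deliberately tiny public-suffix list. A real checker loads the
# Mozilla Public Suffix List so that "example.co.uk" is one site, not "co.uk".
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}

MAX_CHAIN = 8  # alias chains are capped in real resolvers too; loops are a real hazard


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'a.b.news-site.example' -> 'news-site.example'."""
    labels = host.lower().rstrip(".").split(".")
    # Longest candidate suffix first, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def resolve_chain(host: str, zone: Dict[str, Optional[str]] = ZONE) -> List[str]:
    """Follow CNAME records from host to the name that actually holds the address."""
    chain = [host.lower()]
    seen = {chain[0]}
    while True:
        target = zone.get(chain[-1])
        if target is None:
            return chain
        target = target.lower()
        if target in seen or len(chain) >= MAX_CHAIN:
            raise RuntimeError(f"CNAME loop or over-long chain starting at {host!r}: {chain}")
        chain.append(target)
        seen.add(target)


def classify_request(page_host: str, request_host: str,
                     zone: Dict[str, Optional[str]] = ZONE) -> dict:
    """Classify a sub-resource request relative to the page that issued it.

    'third-party'               the URL host is already on another registrable
                                domain; ordinary third-party cookie blocking sees it.
    'cname-cloaked-third-party' the URL host looks first-party but its CNAME chain
                                ends in another registrable domain.
    'first-party'               host and canonical name both belong to the page's domain.
    """
    page_domain = registrable_domain(page_host)
    declared_domain = registrable_domain(request_host)
    chain = resolve_chain(request_host, zone)
    canonical_domain = registrable_domain(chain[-1])

    if declared_domain != page_domain:
        kind = "third-party"
    elif canonical_domain != page_domain:
        kind = "cname-cloaked-third-party"
    else:
        kind = "first-party"
    return {"kind": kind, "chain": chain, "canonical_domain": canonical_domain}


if __name__ == "__main__":
    page = "www.news-site.example"
    for host in ("metrics.news-site.example", "static.news-site.example",
                 "edge.tracker-cdn.example"):
        verdict = classify_request(page, host)
        print(f"{host:32} {verdict['kind']:28} via {' -> '.join(verdict['chain'])}")
```

Two caveats a practitioner would want. First, the comparison is by registrable domain, not by hostname, which is why the ordinary `static` to `assets` alias inside `news-site.example` is not flagged; without a public-suffix list that distinction breaks on names like `example.co.uk`. Second, Joe's legitimate case (a site whose own apex is a CNAME to a hosting provider) means a page and its sub-resources can both alias into the same provider; this simple check would flag that, so real blockers combine CNAME uncloaking with filter lists and allowlists rather than blocking on the chain alone.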
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.