CyberWire Daily - Riding herd on Mustang Panda. Drupalgeddon2 is out in the wild. VPN warnings and mitigations. Patch notes. An offer to share intelligence about Huawei. Presidential sites get low privacy grades.

Episode Date: October 8, 2019

An update on Mustang Panda, and its pursuit of the goals outlined in the Thirteenth Five Year Plan. Unpatched Drupal instances are being hit as targets of opportunity. NSA adds its warnings to those of CISA and NCSC concerning widely used VPNs: if you use them, patch them. (And change your credentials.) Five Senators tell Microsoft, nicely, that Redmond is naive about Huawei. Patch Tuesday is here. And US Presidential campaign websites get privacy grades. Johannes Ullrich from the SANS Technology Institute on server side request forging. Guest is Jadee Hanson from Code42 with the results of their 2019 Global Data Exposure Report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_08.html

Transcript
[00:00:00] You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
[00:00:31] Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
[00:00:44] Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
[00:01:22] Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An update on Mustang Panda and its pursuit of the goals outlined in the 13th Five-Year Plan. Unpatched Drupal instances are being hit as targets of opportunity. NSA adds its warnings to those of CISA and NCSC concerning widely used VPNs. If you use them, patch them and change your credentials.
[00:02:15] Five senators tell Microsoft nicely that Redmond is naive about Huawei. And U.S. presidential campaign websites get privacy grades. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 8, 2019. Late yesterday, Anomali issued a report on Mustang Panda, a Chinese government threat group that's probably operating against a distinct but extensive set of targets: people interested in UN Security Council resolutions concerning ISIL, which of course was the Islamic State's incarnation in Syria and adjacent regions.
[00:02:59] MIAT Airlines, the Mongolian national carrier. The European, German-speaking, Catholic cultural and religious exchange not-for-profit China-Zentrum, the Communist Party of Vietnam, and Shantai Theravada Buddhist communities in Southeast Asia. They also seem to have taken an interest in police agencies in Pakistan's Sindh province and in insurgent paramilitary organizations in the Shan states of Myanmar, especially the Shan State Army and its political arm, the Restoration Council of Shan State. Anomali's conclusions about the targets are circumstantial, but they think they're moderately convincing.
[00:03:34] The nature of the phish bait suggests something about whom the threat actors are phishing for. The .lnk files used in the phishing usually contained an embedded HTA file with VBScript or PowerShell script that, when executed, opens the decoy document and runs the malicious payload in the background. The payloads have been the PlugX remote access Trojan and the penetration tool Cobalt Strike. Mustang Panda was first identified by CrowdStrike in June of 2018, so it's not a new threat group. The tip-offs that the recent activity is traceable to this particular threat group
[00:04:09] lie in its tactics, techniques, and procedures, and in its targets. The targets, Anomali observes, are the kind of groups and individuals likely to be of interest to Chinese intelligence services. How do they know this? They've read the 13th Five-Year Plan, the one that runs through
[00:04:25] next year, and they've noted the ways in which the targeting serves the plan's objectives of openness, that is, dominance of export markets and penetration of global infrastructure through Beijing's Belt and Road Initiative; innovation, that is, effective industrial espionage; and the enduring goals of keeping a close eye on neighboring states for strategic reasons, especially those states that have a large Chinese diaspora. Unpatched instances of the Drupal content management system continue to receive Drupalgeddon2 attacks, Akamai warns. The vulnerability being exploited was patched last year, but there are, unsurprisingly, many unpatched instances of
[00:05:05] the popular software kicking around out there. Drupalgeddon2 is an unauthenticated remote code execution vulnerability that the Drupal platform fixed in March of 2018. An attacker could use Drupalgeddon2 to force the server running the content management system to execute malicious code, which in principle could compromise the Drupal installation and possibly the host machine too. Akamai isn't seeing widespread exploitation of the vulnerability. It is rather seeing opportunistic attacks against high-profile sites where the vulnerability persists. As is so often the case, the best course of action is to keep your systems patched. Security firm Code42 recently released the latest version of their Global Data Exposure Report,
[00:05:54] and one of the highlights was the prevalence of insider threats. Jadee Hanson is CISO and VP of Information Technology at Code42. A lot of non-malicious data exfiltration happens when employees mislabel documents and overly share documents, and then they're leaked out of organizations. On the malicious side, you know, certainly a lot of aspects around departing employees. So when employees leave organizations, I don't think it's any surprise to anyone that they're taking documents with them. One of the things that I think the report called out was just the fact that companies need to wake up to this and start thinking about, like, how impactful it is to a company when insiders and when employees leave organizations and take data with them. And what is the disconnect here in terms of companies being able to combat this and it continuing to be an ongoing problem? Where are
[00:06:54] they missing? Because as you said in the report, it seems as though many of these companies feel as though they have protections in place. Yeah. So there's a couple of things at play. First and foremost, I think in the security industry, we have been very focused on prevention technology and we've been very focused on the external threat. I think now companies have to start waking up to the internal threat. The internal threat being employees misusing or mis-sharing information or exfiltrating information. It's interesting, like when you think about the ways employees can get information out of a company, we're in a time of complete collaboration where we have, you know, lots and lots of collaboration tools in the cloud that we're sharing data with.
[00:07:45] We have, in many cases, no network perimeter. And so I think the other thing at play is that it's just much easier than it ever was to move information outside of a company. I think the other thing that I've always thought, the fact that employees feel very entitled to personal ownership, a majority of our information security leaders that we surveyed, 72% agree, it's not just corporate data, it's my work and my ideas, which, you know, that's a scary statistic, because if people think that it's their work and their ideas, they're going to take it with them when they leave, and I don't think companies realize how impactful that can
[00:08:28] be until the data is gone. I talked to a lot of customers and potential customers, and just recently I was on the phone with a company that had an employee leave, start their own company, and that became a threat to the existing company, or the initial company, to the point where they had to buy out the company that was started with the employer's data. So I don't think companies really realize how impactful it is until it's probably too late. So based on the information that you gathered in this version of the report, what are your recommendations? What do you suggest folks should do here? Yeah, my suggestions would be just don't wait. Make sure that you really think about the information in the report and what it's telling you and the fact that this is a problem that we
[00:09:22] can't ignore. Start with coming up with some sort of framework on an insider threat program. If you don't have one already at your company, start to launch one. An insider threat program is much more than just buying technology. For our own insider threat program, we have a very strong partnership with legal and HR, which are probably the two most important organizational units as part of an insider threat program. HR from the standpoint of they own the employee life cycle from start to finish. And this is really about employees. Legal certainly has to get engaged if there is some sort of lawsuit against a particular employee. And so certainly those two teams have to be involved.
[00:10:07] But then it really is like process and technology second. And so, you know, coming up with the right steps that you're going to take when you do find data exfilled. And then what's the right technology? And I really stress not focusing on preventative technology or focusing on some sort of solution that gives you more visibility across everything, across your endpoints, as well as cloud sharing, across every aspect in which data could be exfilled out of the company. Something that gives you much more visibility and doesn't necessarily focus on prevention only. That's Jadee Hanson from Code42. We were discussing the latest version of their Global Data Exposure Report.
[00:10:54] The U.S. NSA yesterday added its own warnings to those of CISA and the U.K.'s NCSC issued last week concerning the exploitation of older but still widely used VPNs by various international threat actors. NSA's notes include advice about mitigation. After patching or updating your VPN, NSA recommends that you reset all associated credentials, implement two-factor authentication, require mutual certificate authentication, as well as other sound hygienic measures. Five U.S. Republican senators have written Microsoft President Brad Smith to tell him he's underestimating the security threat Huawei poses. Smith had earlier this year told Bloomberg Businessweek
[00:11:38] that he thought Huawei's treatment was unfair, indeed un-American. Senators Cotton, Rubio, Scott, Hawley, and Braun say they appreciate Microsoft's views and that they understand that many U.S. companies have done business in good faith with Huawei, but that the security concerns that surround the Chinese device manufacturer are both serious and urgent. They review familiar incidents involving compromise
[00:12:02] and intellectual property theft, and they offer well-attested accounts of the company's thorough alignment with China's ruling Communist Party. One of the points Microsoft's Smith brought up, however, the senators found themselves in agreement with. Smith had said that U.S. agencies typically said when questioned that, well, if you knew what we knew, your eyes would be open for sure. So, Smith said, why not show us some of what you know? The senators think that's a good idea, and they'd welcome further conversations with Microsoft
[00:12:31] and other businesses about coordinating such briefings. This sounds like a job for CISA. Director Krebs, call your office. By the way, the U.S. Commerce Department announced further sanctions against Chinese businesses, adding eight companies to the entity list that already includes Huawei. This round of sanctions is different in that Commerce says, credibly, that the new members of the entity list earned their way there not because they pose a security threat to the U.S. or other countries, but because they've played a prominent and important role in repressive measures Beijing has instituted against its predominantly Muslim Uyghur minority. It's Patch Tuesday, and the usual round of updates are expected later today.
[00:13:17] Microsoft's patching round is expected to be somewhat lighter than usual, especially since .NET, Exchange, and SharePoint all received fixes last month. Some commentators looking ahead have gotten cold feet with respect to automatically patching Windows, since some recent rounds have brought problems with them. One set of patches, however, won't appear. D-Link has decided not to patch its older home routers against a critical remote takeover vulnerability, ThreatPost reports. Users should upgrade to new equipment instead. The affected routers,
[00:13:45] although still available as new from third-party vendors, are beyond their end of life. So, D-Link's advice in this case is probably pretty sound. Why buy and install a vulnerable system that's no longer being maintained? And finally, the Internet Society has done a privacy audit of 23 U.S. presidential campaign sites and found seven of them worthy, those belonging to candidates Buttigieg, Harris, Klobuchar, O'Rourke, Sanders, Trump, and Williamson. The other 16? Well, sorry, no bueno. Report to Study Hall. Do you know the status of your compliance controls right now? Like, right now.
[00:14:38] We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
[00:15:23] cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research
[00:16:21] at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, it's great to have you back. We wanted to do a little follow-up on some things we've talked about before with some server-side request forging. What do you have to share with us today? Yeah, the problem here is that everything is becoming an HTTP API, and while this is good in some ways, it makes software more interoperable. It also does open up some new vulnerabilities because every software is now able to accept commands via HTTP requests.
[00:16:57] Much software is also able to send HTTP requests. And there's a specific vulnerability, server-side request forging, where I'm tricking a web server into sending an HTTP request. Typically, web servers, they accept HTTP requests. They don't send them. But in these modern web applications, what's happening is that the web server is reaching out to all of these
[00:17:21] different HTTP APIs, typically REST APIs, and is basically using them like a more traditional web application would have used a database or something like this. So with all of these HTTP APIs interacting with each other, it becomes really critical that access is properly controlled to them. And that's where lately there have been some high visibility vulnerabilities that led to major breaches, like for example, the Capital One case, that as a root cause sort of led to these server side request forging vulnerabilities.
[00:17:58] In terms of limiting access, what do you recommend? So first of all, you need to carefully define what the capabilities of these APIs are. So you don't expose any functionality that you don't need to expose. And then secondly, even if it's systems connecting to systems, servers connecting to servers, you still need to authenticate. There's always this idea, I only need to authenticate the user. But here, the server is acting on behalf of the user. And of course, those requests need to carry credentials, just like the request that came in from the user originally. And then of course, well, good old input validation, output
[00:18:39] encoding, where when you are creating these requests, you're careful that the attacker isn't able to inject any additional commands. So typically, how would someone go about exploiting this? So as an example, if you have, let's say, a payment application that does accept orders from users and then is connecting back to a payment service to, for example, charge a credit card, an attacker may not be able to modify that request that's going back to the credit card service to actually send a request. It's not even a payment request. But if your application is receiving the okay back from the payment service, well, you think the card was charged, the
[00:19:22] order was paid, and you're shipping the product without ever actually receiving payment. All right. Well, Johannes Ullrich, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
[00:19:58] stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
[00:20:41] Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
[00:21:52] helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
