CyberWire Daily - SolarWinds breach updates. Microsoft sinkholes Sunburst's C&C domain. Facebook takes down inauthentic networks.
Episode Date: December 16, 2020
SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domain used by Sunburst malware. The threat actor behind the breach used a novel technique to bypass multi-factor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on Amnesia 33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a derecho. And the execution of the FCC's rip-and-replace plan will likely fall to the next US administration. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/241
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The SolarWinds breach reportedly affected parts of the Pentagon.
Microsoft and partners seize and sinkhole command and control domains used by Sunburst malware.
The threat actor behind the breach used a novel technique to bypass multi-factor authentication at a think tank.
Facebook takes down competing inauthentic networks focused on Africa.
Joe Carrigan has insights on Amnesia 33.
Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a derecho.
And the execution of the FCC's rip and replace plan will likely fall to the next U.S. administration.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, December 16, 2020.
The scope of the SolarWinds supply chain breach continues to expand.
The New York Times reports that parts of the Pentagon were compromised,
although the extent is still unclear.
A Pentagon spokesman told the Times, quote,
the DOD is aware of the reports and is currently assessing the impact, end quote.
CyberScoop reports that the White House National Security Council
has activated the Cyber Unified Coordination Group
to coordinate the government's response to the incident.
And the Wall Street Journal says White House National Security Advisor Robert O'Brien
has cut short a trip to Europe and returned to the U.S. to deal with the incident.
ZDNet reports that Microsoft has seized and sinkholed the
domain that served as a command-and-control server for the malware used in the operation.
Microsoft Defender also began blocking known malicious SolarWinds versions this morning,
stating that it will quarantine the binary even if the process is running.
Reuters says SolarWinds' security posture is now being scrutinized closely
amidst reports of security missteps in the past. A security researcher told the publication that
he informed SolarWinds last year that anyone could access the company's update server using
the password SolarWinds123.
Volexity describes an incident involving the threat actor behind the SolarWinds operation,
presumed to be Russia's SVR.
The actor first compromised a U.S.-based think tank and remained undetected for several years.
After being discovered and removed,
the actor regained access by exploiting a vulnerability in Microsoft Exchange Control Panel.
The attackers were again expelled,
but returned a third time via the compromised SolarWinds update in June and July of 2020.
Notably, during its second appearance,
the actor used a new technique to bypass the victim's multi-factor authentication solution,
in this case Duo,
after gaining administrative privileges on the victim's Outlook web app server.
The security firm explains,
quote,
Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key from the OWA server.
This key then allowed the attacker to derive a pre-computed value to be set in the Duo SID cookie.
After successful password authentication, the server evaluated the Duo SID cookie and determined it to be valid.
This allowed the attacker, with knowledge of a user account and password, to then completely
bypass the MFA set on the account. It should be noted that this is not a vulnerability with the MFA provider and underscores
the need to ensure that all secrets associated with key integrations, such as those with an MFA
provider, should be changed following a breach. Ars Technica stresses that this could have been
pulled off with any multi-factor solution, noting that, quote, MFA threat modeling generally doesn't
include a complete system compromise of an OWA server. The level of access the hacker achieved
was enough to neuter just about any defense, end quote. Facebook has taken down three competing
inauthentic networks that primarily focused on African countries. One of the operations
originated in France, while two were based in Russia. Interestingly, Facebook says this is the
first time it's seen two opposing information operations, quote, actively engage with one
another, including by befriending, commenting, and criticizing the opposing side for being fake,
end quote. The French operation posted primarily in French and Arabic
about news and current events,
including France's policies in Francophone Africa,
the security situation in various African countries,
claims of potential Russian interference
in the election in the Central African Republic,
supportive commentary about French military
and criticism of Russia's involvement in CAR.
Facebook tied this campaign to individuals associated with the French military. The Russian campaigns posted
primarily in French, English, Portuguese, and Arabic about news and current events,
including COVID-19 and the Russian vaccine against the virus, the upcoming election in
the Central African Republic,
terrorism, Russia's presence in sub-Saharan Africa, supportive commentary about the CAR
government, criticism of the French foreign policy, and a fictitious coup d'état in Equatorial Guinea.
Facebook attributes this campaign to individuals previously associated with Russia's Internet
Research Agency.
Roll Call says the execution of the U.S. Federal Communication Commission's rip-and-replace order for Chinese hardware will be the responsibility of the incoming Biden administration and the U.S.
Congress. The FCC estimates that the reimbursement costs to replace the equipment will be at least $1.6 billion.
And outgoing FCC Chairman Ajit Pai noted that, quote, we can't actually implement the reimbursement program unless and until Congress appropriates the necessary funding, unquote. The current top
contenders to serve as Biden's FCC chair voted in favor of the rip and replace plan.
What happens when your community is hit by an unexpected natural disaster,
one that falls outside of the range of things you'd planned for?
Greg Edwards is CEO at ransomware prevention firm CryptoStopper.
And when his community got hit with a derecho,
which is a weather system
perhaps best described as a wall of wind,
they learned a lot of lessons
about getting up and running online.
I actually used to own an offsite backup
and disaster recovery company.
And during Hurricane Sandy, we did
nine simultaneous recoveries for companies on the East Coast. So we specialized in working
with insurance agencies and had clients all over the country. And so we were prepared for
events like that on the coast with hurricanes or earthquakes, but here in the Midwest, we were not prepared for
something like this at all. Even having a disaster recovery background, all of our clients had
cloud-based backup and local backup solutions, and it really was only one of those that we actually enacted because they had a secondary location that's about 70 miles away that wasn't as badly affected that we could take their recovery servers and bring it back online there. But everyone else, because there was no power anywhere, it took waiting because you couldn't just have people go home and work from home because they didn't have power at home either.
So really the recovery was about getting generators for companies that didn't pre-plan for that.
The ones that did have generators and their buildings weren't too badly destroyed, we were able to get them up and going pretty quickly.
But sent people to hotels and
sent servers to different locations. It was, from a disaster recovery standpoint,
I mean, we handled it and didn't lose any data, but definitely lost more time
than we would have liked because there just wasn't power.
But what are some of the lessons learned here in terms of, I mean, I'm thinking about,
derecho is not something that you all probably saw coming.
We had one here on the East Coast a few years ago.
No one had ever remembered one in memory.
And who knows if and when we'll have another one.
But I think one thing people sort of agree on
is that the weather isn't as predictable as it used to be.
And so I'm curious, just from sort of a risk management point of view,
what sort of take-homes do you have?
So I think the most critical thing that I learned from this is how absolutely
important access to generators is. So I personally at my home, I had a generator large enough to run
most of my house. So I was very fortunate to be able to have, for the most part, power. I didn't have air conditioning, but I can survive without that.
But the clients had a couple clients that had full generators to run their entire buildings.
And those clients were back up and running.
And internet service took a few days to get back up. But for the most part, they were back
up and going right away. People that didn't have generators were really the ones that were suffering
more. So biggest takeaway is where are you going to get power? And secondary is where are you going
to get internet? That's Greg Edwards from CryptoStopper.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
Interesting story from Gizmodo.
This is something we've covered here on the Cyber Wire,
but I want to get your take on it. This is researchers discover dangerous security flaws
in code used in millions of devices.
What's going on here, Joe?
So this is a company called Forescout,
and they found 33 vulnerabilities
in four open source libraries
that have been used in IoT devices.
So let me explain how this works
from a software development
or from a product development standpoint.
When you're developing software and you need some functionality that is commonly available,
you go out and you find these open source products that you can integrate into your
software and somebody else has already done all the work and that's great, right?
So now, the one thing I needed was at one point in time, I needed an SNMP protocol representation in code.
So I went out and I found one, and I was like, this is great, and it's open source, and I can use it, and it worked fantastic.
There was nothing wrong with it, or at least not that I knew of, right?
There very well may have been some vulnerabilities in that product. And that's what these guys have found is they have found these 33 vulnerabilities in four very commonly used libraries. So the free
software makes it easy to get these products out the door, but now these products are out there
and there are devices from 150 manufacturers that are vulnerable, which is a very large footprint for these vulnerabilities.
Lots of IoT devices. These are IoT devices, exactly. The article says that some people may say,
just issue a round of security patches. And I'm sure that Forescout was responsible in their
vulnerability handling, and they disclosed this information. And I'm sure that those
companies have now gone ahead and patched all these vulnerabilities, and that's great for future releases, but there are still thousands or if
not millions of these devices out there on the internet that have not been updated and are still
vulnerable to these kind of attacks. Right, right. And the Forescout is calling this Amnesia 33
because the 33 is for the 33 vulnerabilities. Right. Yeah, and I think it's an interesting dilemma here
because, as you say, it makes total sense to not reinvent the wheel
when there are functioning, well-working things you can plug into your process
that'll save you time, save you money,
and have been through the ringer
with other people testing them,
but then time passes.
Right.
Some of these products
have been out there for,
I think, 20 years,
the article said.
Wow.
There have been these kind of
open-source libraries out there
available for developers
to use for a very long time.
What's going to be challenging
about this is getting
these devices updated. If these devices were low-cost or if these devices have been discontinued, there is no way
they're going to be updated. So people need to be aware of this. Go out and look in your
infrastructure for these devices. See if you have any. And if you do, if you can't update them,
replace them. That needs to happen because this is going to provide a foothold on your network.
Right, right.
Yeah, I think about, we talk about how so many organizations don't have a good inventory of all of the devices
that are hooked up to their networks.
Yeah, and if you're working in a development environment,
developers are, and I've been guilty of this as well,
well-known for just hooking something into the network and going, yeah, I'm going to use that.
And never telling IT about it, never telling the organization, I put this Raspberry Pi on the network.
Yeah, yeah.
Which, I mean, speaks to the need for security tools that can detect when you do that.
Right.
Security tools that can go in and take that inventory
in some sort of automated fashion.
But also having a checklist of what's been updated, what hasn't.
And I don't know.
I mean, should some things be in a regular replacement cycle?
I think they should be.
If a device is more than X number of years old and it's end of life,
does that mean we should get a new one that is being updated?
Yes.
It's an interesting question.
I think it should be.
I think that's – you do all kinds of other hardware replacement.
You replace people's laptops every couple of years or three years, however long the warranties wear out on them, right?
Yeah.
So why not everything else?
These things should have a life cycle, a life cycle that includes disposal.
Right, right. I just think it's so easy to, because these devices become out of sight,
out of mind. Right. I always think about that security camera sitting up there in the ceiling
or in the corner of the warehouse or whatever, and it's doing a great job doing everything you
want it to do. And so you just don't think about it. Right. You know, but it might also be doing some things you don't want it to do.
Absolutely.
Absolutely.
All right.
Well, Amnesia 33 is the name that the folks at Forescout have put on this list of security flaws.
So do check that out.
See if it applies to you.
Joe Carrigan.
Thanks for joining us.
My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
All day strong, all day long.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly
produced in Maryland out of the startup studios of
DataTribe, where they're co-building the
next generation of cybersecurity teams
and technologies. Our amazing
CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.