CyberWire Daily - SonicWall, Pulse Secure products under exploitation (mitigations are available). Power grid security. Cyber conflict in the Near Abroad. ISIS worries about Bitcoin. Bad passwords.
Episode Date: April 21, 2021
SonicWall zero-days are under active exploitation; mitigations are available. Pulse Secure VPN is also undergoing exploitation, probably by China, and mitigations are available here, too. The US begins work on shoring up power grid cybersecurity. Cyber ops rise with Russo-Ukrainian tension. The help desk at ISIS tells jihadists to stay away from Bitcoin. Joe Carrigan looks at cryptocurrency anonymity. Our guest is Bert Kashyap from SecureW2 on what needs to be done before devices used for learning from home return to schools. And is your password inspired by cinema? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/76
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
SonicWall zero-days are under active exploitation.
Mitigations are available.
Pulse Secure VPN is also undergoing exploitation, probably by China, and mitigations are available here too.
The U.S. begins work on shoring up power grid cybersecurity.
Cyber Ops rise with Russo-Ukrainian tension.
The help desk at ISIS tells jihadists to stay away from Bitcoin.
Joe Carrigan looks at cryptocurrency anonymity.
Our guest is Bert Kashyap from SecureW2 on what needs to be done before devices used for learning from home return to schools.
And is your password inspired by cinema?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 21st, 2021.
SonicWall has issued mitigations for three zero days affecting its email security products.
FireEye discovered that the vulnerabilities were under active exploitation and disclosed the security issues to SonicWall.
Attribution is unclear, but FireEye's Mandiant unit is tracking the activity as UNC2682.
The threat actor's goals are unknown.
Pulse Secure is addressing vulnerabilities in the Pulse Connect Secure VPN publicly reported yesterday by FireEye's Mandiant unit.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has issued an alert on the vulnerabilities, providing technical details and urging organizations to apply the mitigations Pulse Secure has provided.
CISA says, quote, the cyber threat actor is using exploited devices located on residential IP space, including publicly facing network attached storage devices and small home business routers from multiple vendors, to proxy their connection to interact with the web shells they placed on these devices, end quote.
There's no clear evidence yet of lateral movement, but no one should get cocky about this.
Federal agencies are getting more than encouragement from CISA.
The agency yesterday issued Emergency Directive 21-03, requiring all organizations under its jurisdiction to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or by a third party on the agency's behalf, and then, by 5 p.m. Eastern Daylight Time this Friday, to run the Pulse Connect Secure integrity tool on every such instance.
According to Reuters, exploitation of the secure email product, which heavily affects U.S. and European defense firms, is being attributed to Chinese intelligence services.
Nikkei suggests Japanese firms are also affected.
The Chinese government dismisses FireEye's attribution as irresponsible and ill-intentioned
because Beijing, quote, firmly opposes and cracks down on all forms of cyberattacks, end quote.
But to most observers, it looks like espionage in progress.
CISA is encouraging anyone who has additional information on the threat to contact them.
In fairness to Beijing, not all the groups actively seeking to exploit Pulse Secure
vulnerabilities are believed to be working on behalf of the Chinese government. CSO and others
point out that several different threat actors have
been working against Pulse Secure. In this respect, the incident resembles the Microsoft
Exchange server exploitation, where criminal gangs jumped onto the vulnerabilities in the
wake of the apparently state-run campaign.
The U.S. has begun a 100-day program to increase the cybersecurity of its power grid.
The U.S. Department of Energy describes the plan as a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency.
The Energy Department is soliciting input from industry.
Security Week observes that this 100-day plan would be the effort Anne Neuberger, the Deputy National Security Advisor for Cyber, alluded to earlier this month as a project that was in the works.
Elsewhere in the world, as tensions rise between Russia and Ukraine, and as Russia increases troop presence and readiness along the border Moscow disputes with Kiev,
U.S. news reports that Ukraine has seen an increase
in the tempo of Russian offensive cyber activity.
The U.S. is said to be quietly offering Ukraine support
in fending off Russian cyber attacks.
The Electronic Horizons Foundation,
a group generally regarded as an ISIS cybersecurity support outfit,
warned adherents of the jihadist group to steer clear of Bitcoin, since it's too easily tracked, and recommends Monero instead, Homeland Security Today reports.
It's a bad idea, the EHF says, quote, for financial transactions and money transfer, as Bitcoin logs the financial records and transactions on the blockchain, which is a database of Bitcoin transactions, and allows tracking of transfers from the sender and receiver.
End quote.
Besides, the EHF thinks, the Bitcoiners are a bunch of government stooges.
Quote,
We also warn that the money transfer services and sites to Bitcoin
logs IP addresses and the purchase data of Bitcoin currency.
And these sites also cooperate with government agencies.
End quote.
They say that they advise their brothers to follow the maximum possible security measures
and to avoid using common methods in financial transactions.
And finally, to all of us who use Ninja or Camaro or diamonds are a girl's best friend as the password for everything,
did you know that there are other genres of lame credentials out there?
Specops, which previously ranked the Major League Baseball teams whose names are most likely to be used as passwords,
now has published a list of the most commonly used movie titles.
Rocky tops the list, followed closely by Hook, Matrix, Batman, Psycho, Superman, Avatar,
Mummy, Twilight, and Star Wars. The second 10 are Spider-Man, Frozen, X-Men, Iron Man, Jaws,
Shrek, Twister, Gladiator, Titanic, and rounding out the top 20, Terminator.
Why these?
Well, Star Wars, Titanic, Jaws, and Avatar all appear among the top 20 grossing films in the U.S.,
so simple popularity may account for four of the password choices.
But the others are odd.
Why Twister, for example, and not Sharknado?
Why Twilight and not Dracula?
Easier to spell.
And where's V for Vendetta?
Is there no love for the Guy Fawkes masks the flick made popular?
Anyway, the list probably calls for some attention from culture critics.
We're okay because we use Last Year at Marienbad for everything,
with the A's represented by the at symbol.
No one would guess that.
No.
Dang it.
Now we're going to have to change to the work of a director
other than Alain Resnais.
Maybe Sharknado is still available.
What do you think?
We are witnessing the successful mass distribution of COVID vaccines, and with it a growing sense of hope that come this fall, students may be headed back to school in a fairly normal way.
The IT and security folks responsible for handling that first-week flood of new users and devices
will no doubt face a unique situation this year,
transitioning from at-home online learning to on-site or hybrid learning.
Bert Kashyap is co-founder of Seattle-based cybersecurity company SecureW2,
and he joins us with insights on how the education sector
needs to shore up their security.
You know, school districts have been embracing
more and more of a digital learning model
that's not necessarily new,
and certainly universities have been sort of in the forefront
of, you know, bring your own device.
But I think the pandemic has generally accelerated a lot of these, you know, digital learning initiatives. And I think that, you know, many districts are
faced with kind of a dual challenge where they're going to have to support devices that they issue
themselves as well as devices that students are using on their own today.
And many had to use early in the pandemic before they were able to do some one-to-one initiatives
to try and get devices in the hands of students.
And so how are they preparing for that?
What sort of things are they putting in place?
So a couple of things that they're doing.
One is they're implementing some distribution mechanisms to get these devices.
Secondly, some management software to try and get devices managed centrally.
This is easier done in very clear-cut managed environments
where they have, say, a tranche of Chromebooks or iPads that they can issue.
There's good management software, but in more
bring-your-own-device scenarios, there's not a lot of good answers. So districts don't want to,
and the universities as well, don't want to be in the business of taking over the controls of
devices that they don't own. And this is a strategic challenge, especially if they're
going to have to allow these devices onto their own networks and infrastructures.
Do you have any recommendations for the people who are responsible for this, of how they go about, you know, making their case to the powers that be, to their boards of education, to their communities, that, you know, these are investments that are money well spent?
Yeah, absolutely.
Yeah, so there's a couple of areas in which can have on, you know, learning for their students.
Just, you know, we saw just a couple of days ago with the Microsoft Teams outage. I know my daughter had, you know, basically no instruction that day.
And so we do hear areas, things like malware and potential ransomware issues in districts
that really cause significant disruption in education.
So I think paying attention to cybersecurity
is not just good from a basic security best practice approach,
but it also is good to make sure that things are reliable
and districts can function properly in digital learning initiatives.
So I would say that's probably one of the biggest things that they could focus on.
That's Bert Kashyap from SecureW2.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
Interesting story from the Decrypt website, an article by Matthew DeSalvo, and it's titled
Bitcoin is a Boon for Surveillance, says former CIA director. What's going on here, Joe?
So the Crypto Council for Innovation has released a report. It's by Michael Morrell,
who is the former acting head or director of the CIA, along with a guy named John Kirshner and
Thomas Schoenberger. They both work for Beacon Global Strategies. And the Crypto Council for
Innovation is essentially a PR organization for cryptocurrencies founded by
Coinbase, which is a cryptocurrency exchange, Paradigm, which is a cryptocurrency venture
capital firm, and Fidelity and Payment Processor Square. So two companies that are big in finance
and then two companies that are in cryptocurrency that are pretty big in cryptocurrency. I mean,
Coinbase has been in the news a lot lately, so you may have heard of them.
But there's this belief system or belief rather that's been around for a while. And
US Treasury Secretary said, Janet Yellen expressed worry that Bitcoin was often,
quote, used for illicit finance. And the European Central Bank's president,
Christine Lagarde, or Lagarda, I don't know how you pronounce that. Sorry if I'm mangling your name,
said in January that Bitcoin was used for, quote, funny business and money laundering.
However, Morell says two things. He says, one, right now, less than 1% of Bitcoin is illicit, or 1% of Bitcoin activity is illicit. So when Bitcoin first started, at its peak, there was a graph in this report that shows illicit activity around 7% of Bitcoin.
And now it's less than 1%.
So it's really, really small.
I would like to know what percentage of cash is used in illicit transactions.
Okay.
By comparison. That would have been helpful to know, actually. And number two, and this is the
more interesting thing he says, is that blockchain provides an excellent forensic tool. It's much
easier to trace Bitcoin than it is to trace cash, which is true because you can put cash in a truck
and drive it anywhere in the world and it's still cash, but you can't really do that with Bitcoin.
Every Bitcoin transaction has to be made in public on a public ledger. And if I can associate
a particular individual with a particular private key, then I can associate that private key with
the public key, which is essentially their Bitcoin address, right?
Right.
And then I can track every single transaction that person has made with that public key, private key pair.
Right.
One source for the report was quoted as saying, if all criminals use blockchain, we could wipe out illicit financial activity.
I think that's overstated.
Yeah. I mean, I go on. It's really dependent upon getting the private keys and unmasking these people. Because there is a certain amount of anonymity in Bitcoin in that you don't really know who it is that holds the keys. And that's the point. But if you can demonstrate that this financial criminal, whoever it is, is the person that holds those keys, then you can associate all of the financial transactions they made with those keys.
Yeah. cryptocurrency, or many people only think about Bitcoin. But there are privacy-preserving coins like Monero and Zcash. And Monero is more favored for illicit activity and has a higher percentage of illicit transactions than Bitcoin. Yeah. And I think that's an important point. I mean,
I think part of what's going on here is that Bitcoin is kind of the Xerox of cryptocurrency.
You know, it's the default name. It's the Xerox. It's the
Vaseline. It's the Q-tip. It's the brand that does represent the thing. So I think when they
say Bitcoin is being used for illicit things, I think most people, when they hear that, they just
substitute cryptocurrency. And I don't think that's exactly out of line. While it might not be precise, you can understand people having that
line of thinking. Right. Yeah. That's a good point. It's a good analogy, Dave, that people do think that about these cryptocurrencies, but these cryptocurrencies all have different features. Yeah. Like the Ethereum blockchain lets you do
smart contracts on top of it.
A lot easier than, I think you can do that with Bitcoin. I'm not exactly sure, but it's not really
something that is used a lot, but in the Ethereum network, it is used frequently.
Yeah. Yeah. Yeah. I mean, I guess their point is well taken. I guess I'm a little skeptical
because this is by their own admission, an organization who's out there trying to promote the use of cryptocurrencies.
Right.
So I don't begrudge them that. They're upfront about it. But we know what direction they're coming at this report from.
this because, you know, there's no doubt that Bitcoin is used for these sorts of things. But I suppose if they're making the point that, well, only a small percentage of Bitcoin transactions
are used for illicit things, perhaps. But I don't know. It's hard for me to weight the importance
of those kinds of things, right? Yeah. Yeah. Absolutely.
Yeah. No, but some interesting statistics here for sure.
If this is your thing, it's an article worth checking out.
Again, it's titled,
Bitcoin is a boon for surveillance, says former CIA director.
It's over on the Decrypt website.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
Thank you. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.