CyberWire Daily - SUNSHUTTLE backdoor described. What the Exchange Server campaign was after. Misconfigured clouds. Airline IT service provider attacked. Criminal-on-criminal crime.
Episode Date: March 5, 2021
A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero-days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyber threat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyber attack. Dinah Davis helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/43
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A new second stage backdoor has been found in a SolarWinds compromise victim.
Those exploiting the now-patched Exchange Server zero-days seem to have done so to establish a foothold in the targeted systems.
India continues to investigate a Chinese cyber threat to its infrastructure.
Misconfigured clouds leak mobile app data.
A major airline IT provider sustains a cyber attack.
Dinah Davis helps us prevent account takeover attacks.
Our guest is Troy Hunt from NordVPN. And criminals hack other criminals. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 5th, 2021.
FireEye reports finding a second-stage backdoor in one of the victims of the SolarWinds compromise,
and the company's Mandiant unit thinks it possible that the backdoor,
which they're calling SunShuttle, is connected with the threat actor they track as UNC2452.
Mandiant wrote, quote, The new SunShuttle backdoor is a sophisticated second-stage backdoor
that demonstrates straightforward but elegant detection-evasion techniques. End quote.
UNC2452 has been associated with the SolarWinds supply chain exploitation,
but FireEye stresses that its researchers have not fully verified a connection with SunShuttle.
FireEye is also tracking the exploitation of the Microsoft Exchange Server zero-days patched this week.
Quote,
The activity we have observed, coupled with others in the information security industry,
indicate that these threat actors are likely using Exchange Server vulnerabilities
to gain a foothold into the environments.
This activity is followed quickly by additional access and persistent mechanisms.
End quote.
Their investigation continues.
And quote, cyber sabotage and the power outages Mumbai sustained in October.
Recorded Future is quoted by CNBC as saying that it is tracking the threat group Red Echo, which is targeting India's oil
and gas assets, electricity sector, maritime assets, and critical rail infrastructure.
The motive appears to be staging. As Recorded Future said, This is not for any economic espionage opportunity,
but it is targeted at future disruptive cyber operations.
So, it's not theft, but it could be battle space preparation.
Zimperium warns that unsecured cloud configurations
are exposing data from a large number of mobile apps.
Both Android and iOS apps are affected.
Cloud storage solutions are attractive to app developers
because of the efficiencies they provide
and because they enable storage of information necessary to API calls.
Zimperium said, quote,
In our analysis, 14% of mobile apps that use cloud storage
had unsecure configurations
and were vulnerable to the risks described in this post.
In apps around the world and in almost every category,
our analysis revealed a number of significant issues that exposed PII,
enabled fraud, and or exposed IP or internal systems and configurations.
End quote.
It's not that the cloud services don't provide detailed
guidance on how to configure storage and their large and well-regarded services that include
Amazon Web Services S3, Google Storage, Microsoft Azure, and Google Firebase. Rather, it's that
users too often fail to follow that guidance and consequently misconfigure their storage in ways that turn out
to be leaky. Both personally identifiable information and configuration have been found
to leak. The lesson Zimperium draws is that cloud users should ensure that their cloud storage and
their databases are not exposed, unprotected, to the internet and, of course, monitor for exposure or compromise.
SITA, a leading provider of IT services to the airline industry,
disclosed yesterday that it was the victim of a cyber attack,
leading to a data security incident involving certain passenger data that was stored on SITA passenger service system servers.
The company explained that its passenger service system
operates passenger processing systems for airlines.
Tice notes that SITA serves about 90% of airlines worldwide
with its reservation, ticketing,
and flight departure information management systems.
SITA has the breach under investigation.
And finally, the hackers get hacked too.
Krebs on Security reports that three of the largest and most influential Russophone cybercriminal forums were themselves hit by hackers who stole and exposed data taken from
the sites. The forums were Mazafaka, also known as Maza, Verified, and Exploit.
Researchers at Intel 471 put the number of sites hacked at four, adding CrdClub to the list.
Intel 471 has been unable to identify the hackers,
but they have been able to confirm that data the hackers posted on various sites indeed seem to be genuine.
The data include, according to Recorded Future,
usernames, emails, account passwords, and social media IDs.
The motive of the incident isn't certain,
but Krebs on Security says that it seems likely to be a familiar one.
Money.
Whoever was behind the intrusion was able, at least in the case of CrdClub, to induce the forum's customers to use a money transfer service misrepresented as having been vouched for by the forum's administrators.
But even if you're disposed to trust crooks, and in fairness, any market, even a criminal-to-criminal one, would seem to require some measure of trust if it's to operate at all, your trust in this place would have been misplaced.
Those who used that transfer service indeed found that their money had been transferred,
but into the virtual pockets of other crooks. Where it's gone, baby gone.
Troy Hunt is well-respected in the cybersecurity industry and perhaps best known for being the originator of the
Have I Been Pwned? online database of breached credentials,
a public service if there ever was one.
He's also a member of the NordVPN team of advisors,
and he joins us to share his insights.
Well, it's sort of an interesting time because on the one hand, we're getting more ubiquitous
encryption than what we ever had before on the transport layer, which is good. In fact,
I'd noticed just yesterday, I posted a link to the Facebook page for Have I Been Pwned,
and Facebook gave me a warning. It said, it's not HTTPS. Are you really sure you want to do this? That's pretty cool. I like seeing that here. On the other hand,
we've still got all of these edge cases where we just simply don't have transport layer security.
So a really good example. In fact, I did write about the value proposition of VPNs a few months
ago. And I found that particularly the likes of banks are still not doing enough to
enforce that the first request is sent over HTTPS. So they don't necessarily force all
connections to be secure using things like HTTP strict transport security, which is out there and
it's free and everyone has access to it. So there's still a really good value proposition even on the first entry point to
the bank for products like NordVPN to make sure that that traffic isn't intercepted. Because if
you can't get the first request through safely, then everything sort of falls apart after that.
In terms of how people are perceiving VPNs, I mean, I think the message is out there that
folks should be using them, but there's a
lot of confusion around the various products that are being offered. You know, there's no shortage
of free VPNs out there. And I think they tend to cloud the market a bit because you also hear
these stories about, you know, if something's for free, you're the product that your data is
getting sold and so on.
I mean, what are your recommendations for folks
to kind of sort that out?
I'm not sure how often I actually agree with that term,
given I provide a free service for people with Have I Been Pwned.
I don't look at them as products.
Yes, you are the edge case.
I'm not sure it always sticks.
The noble edge case, Troy.
I think the big thing to keep in mind
is that trustworthiness in a VPN provider
is absolutely critical because they control your traffic.
So if you're using a VPN provider and you go,
oh, these guys are good because they're free,
it's like, well, the big question you've got to be asking
is do I now want to delegate all of my traffic to this provider?
Now, that means that
any traffic that's sent in the clear that's not over, let's say, HTTPS for normal internet
connections, they get to inspect it, they get to modify it, they get to reroute it. But it also
means that a huge amount of the traffic that is encrypted is also still observable insofar as they
get to see where you are going. So, what is the host name that you're connecting to, for example?
Now, you might be connecting to a site about health. Now, that is a very generic concept and someone might say that it's myhealth.com, but what if it's a site about
depression? What if it's a site about suicide prevention or alcoholism or something like this?
So you are putting a lot of trust in the VPN provider.
So this is why choosing one that you can trust and that you do feel is reliable is absolutely
essential. And there has been some absolutely shocking cases of VPN providers doing the wrong
thing as well. Yeah. What is on your radar as we continue, you know, full speed here into 2021,
having been through this last year of pandemic
and the focuses that the fraudsters have had when it comes to that,
especially when it comes to things, you know, like the vaccine,
using these things to trigger on people's fears.
What sort of things are on your radar for the coming year?
I was just laughing because I was literally having a discussion with my mother yesterday,
and we're in a bit of a privileged position in Australia because we've got very, very low rates
of corona, and we're really taking our time with the vaccine. And she's sort of saying,
you know, look, I think I'll take my time and not rush it. And she's in her early 70s,
but very fit and healthy. And I sort of said, look, mum, you're in a high-risk demographic
with your age, take the vaccine.
Do not read the Facebook posts about it.
I'm less worried about the scammers and I'm more worried about her friends.
That's what worries me.
But in all seriousness, this is one of the greater concerns I have,
which is legitimate, for want of a better term,
legitimate disinformation from people that just simply don't understand the science. Now, to be
clear, I don't understand the science, but I know the scientists do. So listen to those guys.
The scammers, I guess part of the problem here is that a lot of their behavior by design is
indistinguishable from legitimate communication. Now, whether that's
disinformation, and of course, we've seen very well orchestrated disinformation campaigns over
recent years, or whether it literally leads to things like phishing attacks, we're in an era
where there is a lot of concern and there's a lot of people seeking out information and there's a
lot of vulnerability. And this is precisely the sort of things that scammers prey on. So inevitably, we're going to
see this situation with vaccines rolling out taken advantage of. I want to touch on have I been
pwned and your creation of that. Where do you see that heading? I mean, is it steady on towards the future
or are there additional sorts of functionalities
you like to have it
or is simplicity part of what makes it work?
Well, yeah, look, I've gone through a bit of an epiphany,
I think, the last couple of years.
So bang on two years ago,
I decided to go through an M&A process,
a merger and acquisition process
and find somewhere for Have I Been Pwned
to sort of go permanently and grow and do all of these things.
And it was, look, it was a fascinating process, I'll give you that much,
but it was very painful and it resulted in no sale.
And I've got to say, when I got to the end of it,
this is about bang on a year ago now, I was really relieved
and I sort of went, you know what, if I just keep doing the same thing
I'd been doing at that time for six and a bit years, I'm okay with that.
I've got a big backlog of stuff I want to do,
and I'm gradually adding more and more bits.
But this is meant to be a hobby project, you know, not a career.
And I think that Have I Been Pwned is at its best when I'm not stressed
and feeling pressured to continually do new things. I'm quite happy just ticking it along as it is. Yeah, well, no doubt.
I mean, it's been a great service to the community. So hats off to you for all the work you've done
and continue to do. Yeah, cheers. Thank you. That's Troy Hunt from NordVPN.
And I am pleased to welcome back to the show Dinah Davis.
She is the VP of R&D for Arctic Wolf.
Dinah, always a pleasure to have you back on the Cyber Wire.
I wanted to touch base with you today about account takeover attacks. I was hoping you could kind of walk us through how this sort of
thing works, you know, how it comes to pass that someone finds themselves a victim of an account
takeover. Yeah, absolutely. And they're a big problem, right? About 65% of the fraud
that has been reported to the FBI is business email compromise fraud. So it's a big deal,
right? So how does it happen? So let's say we have this guy, Trevor, and he's going to work
for a company called Acme. I mean, we always pick Acme when it's some random, right? Back to our
Looney Tunes days. And like many people, Trevor has probably about 200 online accounts.
I have at least that, I would assume.
And multiple personal email addresses.
And to keep track of his passwords, he likes to iterate on a few favorites, like Cupcake or Cupcake Bang 5 or Cupcake 1, that kind of thing.
Trevor has a family, and like Trevor, his wife Jada has 200
accounts of her own. His kids like to game, and Jada and the kids also like to use variations
of Trevor's favorite password, which happens to be their dog's name, Cupcake.
So Trevor works for Acme. He's a senior executive there. He has access to financial accounts, and he works on projects associated with their IP.
And like most users, he has access to cloud services like Dropbox, and sometimes the services are associated with his personal account.
Okay, so that's our current landscape.
Now, Myra runs security for Acme
and she thinks she's doing a fantastic job.
She's implemented a strict password policy,
eight characters, letters, numbers, symbols,
password change every 90 days, 2FA,
and she's got great security measures in place.
So like what could go wrong here?
Clearly something's going to go wrong.
I have a feeling you're going to tell us.
So let's think about what Acme's attack surface is.
If you're looking just at the corporation, you're thinking all of
the network tools, the email, Salesforce, HRIS
systems, maybe if they have a development team
like GitHub. The problem is it's not limited to that. It's also all of Trevor's attack surface.
And that includes all of his social media, private email, banking, phones. It also includes
everything that Trevor's family uses, their Netflix, their Wi-Fi, their shared devices, right?
Okay, so how can an attacker leverage Trevor's less secure personal and family accounts to infiltrate Acme?
So let's assume that the attacker wants to steal funds from Acme.
So the attacker knows that Trevor is an executive there and starts following his social media accounts.
They notice that Trevor plays fantasy football, and they recognize that the fantasy football site was recently breached.
And so they're like, hmm, possible account takeover possibilities here.
They go to the dark web.
They buy all of the usernames and passwords for that breach.
They find Trevor's account and notice the password is Cupcake5.
From social media,
they also know Trevor has a dog named Cupcake.
So they think this could be a common password for him.
The attacker then tries to access his corporate email so they can get more information about Acme finances.
Fortunately for the attacker,
Acme uses SMS two-factor authentication.
So they buy a tool online
that will allow them to steal the text message
as it's on its way to Trevor's phone.
And with that info and a good guess at his email password,
they're into Trevor's email.
They set up an email forwarding rule
that will forward all of Trevor's emails to them so they
can watch everything happening. And they notice that Trevor needs to pay a contractor one million
dollars. Because they intercepted the invoice email, they pretend to be the contractor and
send a message to Trevor telling him to send the funds to one of their accounts instead of the contractor's.
And now they have a million dollars.
And so this is sadly fairly common.
So, I mean, not this exact process here, but it is pretty common.
And so, I mean, the big question is like, how do you protect from that, right?
Yeah. I mean, because I have to be honest, you know, when you said that they had 2FA enabled, in my mind, you know, that takes care of, that gets you a long way along of being better off than you otherwise would, right?
Absolutely, it does.
It's better than not having it, for sure.
Yeah.
But at this point, it's important as to what kind of 2FA you have.
Because the SMS 2FA is not much better than no 2FA at all anymore.
So there's a few things you can do to protect from this.
So absolutely use multi-factor auth everywhere.
But don't use SMS auth. You want to make sure you are using either a software or hardware authenticator. So a software one is like Google Authenticator, that kind of thing.
For things like admin accounts and really secure accounts, you want to have a hardware authenticator like a YubiKey, right? Those are much, much harder to spoof. And then you want to make sure you
have an MDM system for any devices that have corporate apps installed on them. So it forces
users to lock their phone. You can wipe the corporate tools off of that phone if needed,
that kind of thing.
And then you also want to make sure you are using password managers because you never want to use the same password twice. You know, if we all have 200 accounts, there's no way you're remembering
200 emails, passwords, right? And so you're going to have to reuse them. But if you use
a password manager, you can use a different one for every single one, right? And then a big key one is monitoring email forwarding rules.
So we monitor all of those for our clients because it's an easy way for us to find nefarious
behaviors in your account, right? Not only does it tell us that a forwarding rule was created,
it tells us who created it in the system.
So if they do create one and they're forwarding it to an external usage,
we know which account might be compromised because of that.
So that's a very key piece as well.
Yeah, yeah.
So many of these make use of that email forwarding, like you said,
just kind of slip into somebody's email.
Absolutely.
Yeah.
All right.
Well, good advice, Dinah Davis.
Thanks for joining us.
No problem.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Don't forget to tune in this weekend to Research Saturday and my conversation with Hossein Jazi of Malwarebytes.
We're going to be taking a deep dive into North Korea's APT37 toolkit.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.