CyberWire Daily - The IAEA investigates the Natanz incident (amid conflicting reports on the nature of the sabotage). Mopping up the SolarWinds Exchange Server hacks.
Episode Date: April 14, 2021

Updates on Natanz, where the nature of the sabotage remains unclear--it happened, but there are conflicting explanations of how. Electrical utilities on alert for cyberattack, especially after the SolarWinds incident. The US Government takes extraordinary steps to fix the Microsoft Exchange Server compromise. Joe Carrigan analyses effective phishing campaigns. Our guest is the FBI's Herb Stapleton on their recent IC3 report. And the US Intelligence Community's Annual Threat Assessment points, in order of diminishing risk, to China, Russia, Iran, and North Korea. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/71
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Updates on Natanz, where the nature of the sabotage remains unclear.
Electrical utilities are on alert for cyber attack, especially after the SolarWinds incident.
The U.S. government takes extraordinary steps to fix the Microsoft Exchange server compromise.
Joe Carrigan analyzes effective phishing campaigns.
Our guest is the FBI's Herb Stapleton on their recent IC3 report.
And the U.S. intelligence community's annual threat
assessment points to China, Russia, Iran, and North Korea.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Wednesday, April 14th, 2021.
The Jerusalem Post reports that the International Atomic Energy Agency visited Natanz yesterday, quoting the agency as saying simply, quote, "IAEA inspectors are continuing their verification and monitoring activities in Iran and today have been at the Natanz enrichment site. The IAEA will continue to report on relevant developments regarding Iran's nuclear program to the IAEA Board of Governors."
The precise nature of the sabotage remains unclear, and there are conflicting official and unofficial reports in circulation of hacks, bombs, and bombs controlled by hackers.
The Intercept describes ways in which cutting power could have damaged the centrifuges.
Rotating machinery like centrifuges can be destroyed through sudden abrupt power cycling,
which may have been the point of disrupting power distribution at Natanz.
Investigation continues.
Iran has called for an international inquiry,
but Reuters said that President Rouhani has indicated what Tehran's first response will be,
an increase in uranium enrichment levels to 60%.
4% uranium-235 is generally regarded as sufficient to fuel a reactor.
Fission bombs need much more highly enriched material and typically use 90% enriched uranium.
President Rouhani disclaims any intention to make a bomb, but inducing fear of bomb construction would seem to be the retaliatory point of increasing enrichment levels.
60 is, after all, a lot closer to 90 than it is to 4.
How Iran might quickly ramp up enrichment if the damage to its centrifuges is as extensive as some of Tehran's statements have suggested, remains unclear.
The Hill reports that the North American Electric Reliability Corporation, NERC,
is seeing an unprecedented level of cyber threat to the power grid.
A senior vice president at NERC, who also leads the Electricity Information Sharing and Analysis Center, the E-ISAC, said, quote, "Whether they are nation-state actors or cybercriminals, they possess the capabilities to disrupt our infrastructure, so that again underscores the need to remain vigilant. The pandemic created a broader opportunity since it increased our attack vector since everyone was working from home, and we saw adversaries targeting and attempting to take advantage of this across our industry," end quote.
A great deal of the concern about power utility security centers on the Holiday Bear compromise of SolarWinds. That activity has been widely attributed to Russia's SVR, Foreign Intelligence Service, and there's been considerable speculation to the effect that the operation's goal could have equally been staging a sabotage capability and intelligence collection.
According to CyberScoop, about a quarter of the 1,500 utilities sharing information with NERC downloaded compromised versions of the SolarWinds Orion platform.
The other big and ongoing state-directed, or at least state-initiated, cyber incident afflicting U.S. systems, of course,
is China's operation against vulnerable instances of Microsoft Exchange Server.
It's continuing to give Washington fits, The Washington Post writes.
Much of the Microsoft activity in yesterday's Patch Tuesday, an unusually busy one, surrounded Exchange.
Redmond addressed a large number of vulnerabilities, 108 bugs in total across its several products,
including, as Bleeping Computer points out, five zero-days.
NSA, which CBS News and others credit with disclosing some of the zero-days to Microsoft, is urging all organizations to apply the patches as soon as possible.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has also updated its Emergency Directive 21-02 to require that federal agencies it oversees immediately apply the Microsoft Exchange Server patches.
CISA directs the .gov world to, first, deploy Microsoft updates to all their on-premises Exchange servers by midnight tomorrow.
If, for some reason, an agency can't update a server by the deadline, it must immediately remove that server from its networks.
Second, apply and maintain technical and management controls to ensure that any newly provisioned or previously disconnected endpoints are updated before connecting to agency networks.
Third, report completion by noon Friday.
CISA has provided a template for all agencies to use when rendering their reports.
Fourth, and finally, immediately report any incidents or indications of compromise that appear during the update.
All times, of course, are U.S. Eastern Daylight.
Federal IT staffs are in for a busy week.
And what about the private sector's vulnerable exchange servers?
Well, they're a problem because, once compromised, the web shells left behind by the attackers continue to work their mischief.
The U.S. Justice Department yesterday announced that the FBI, pursuant to a warrant, has gone into private sector systems to remove malicious web shells from Microsoft Exchange Server instances.
As the department puts it, quote, "authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable ..."
When the DOJ mentions "certain hacking groups," most will understand that to mean China's Hafnium threat group, which Microsoft holds responsible for the initial compromise, and also the large number of criminal groups who hopped on the bandwagon Hafnium got rolling.
The Justice Department's statement goes on, quote,
many infected system owners successfully removed the web shells from thousands of computers.
Others appeared unable to do so, and hundreds of such web shells persisted unmitigated.
This operation removed one early hacking group's remaining web shells,
which could have been used to maintain and escalate persistent unauthorized access to U.S. networks.
The FBI conducted the removal by issuing a command through the web shell to the server,
which was designed to cause the server to delete only the web shell,
identified by its unique file path, end quote.
Most observers seem to have applauded the operation,
and in this case the Bureau seems to have been on the side of the angels.
But a few others have expressed reservations.
The Electronic Frontier Foundation is quoted in the Washington Post with a caution about the troubling maternalistic implication of the feds acting on behalf of your best interests without so much as a by-your-leave.
The EFF said, quote, "It's good that the DOJ unsealed this promptly, and it's true that eliminating the Exchange Server security exploit is beneficial, though notably it did not patch the hole. But it remains deeply disturbing to see a court authorize government agents to access your computer based on the government's idea of what is best for you," end quote.
The action is indeed unusual and seems to indicate how serious the government believes this threat to be.
The Justice Department appears to have gone out of its way to be as transparent as possible in the matter.
The U.S. attorneys for the Southern District of Texas were the ones who petitioned the court for partial unsealing of the warrant under which the Bureau acted.
And it might have been missed in the flurry of patches from Microsoft and others, but CISA yesterday also issued an unusually large set of advisories for industrial control systems.
advisories for industrial control systems. The U.S. Director of National Intelligence has released
the Intelligence Community's annual threat assessment. China, Russia, Iran, and North
Korea are flagged as threats in that order of seriousness. Quote, Beijing, Moscow, Tehran,
and Pyongyang have demonstrated the capability and intent to advance their interests at the
expense of the United States and its allies despite the pandemic. End quote. Terrorist
groups get a look, but the familiar four nation-state adversaries
have center stage. Their offensive cyber capabilities are given due attention,
with threats to infrastructure receiving a prominent place.
Quote, "Cyber capabilities, to illustrate, are demonstrably intertwined with threats to our infrastructure and to the foreign malign influence threats against our democracy."
About China specifically, the report says, "We continue to assess that China can launch cyber attacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States."
Russia's cyber capabilities are similarly described, quote, "Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves and in some cases can demonstrate its ability to damage infrastructure during a crisis."
Iran's 2020 cyber attacks against Israeli water facilities are duly noted, as is North Korea's active participation in cybercrime.
So far, North Korea's threat to infrastructure has been more potential than actual.
The report does assess, however, that Pyongyang "probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States, judging from its operations during the past decade, and it may be able to conduct operations that compromise software supply chains," end quote.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The FBI runs the IC3, the Internet Crime Complaint Center, and they recently published their 2020 Internet Crime Report.
Joining me now is Herb Stapleton, Cyber Division Sector Chief for the FBI.
There are parts of this that are unsurprising given the pandemic and the overall kind of environment that we worked in, but unfortunately we saw a significant increase in the number of complaints received at the IC3 for the year.
Can you take us through some of the things that really drew your attention?
What were some of the areas that really stood out?
Yeah, I'd be glad to.
You know, I think a couple of things that really stood out to us, you know, once again,
we see business email compromise, frauds as one of our leading complaints in terms
of amounts of loss. And that number only increased
in 2020. Another thing that really stood out to us is on the ransomware front. Unfortunately,
we saw huge increases in the amounts of loss reported in ransomware incidents. Not so much
just the overall number of complaints, but the amount of losses.
And I would attribute that to a couple of things.
You and I have talked before, I think, even about how the pandemic created this opportunity
for cybercriminals with more of an attack surface, more volume of people working from
home and creating an opportunity for things like phishing emails and other things that
ultimately lead to these types of frauds like ransomware and BEC.
And the second thing is that I think that we saw an increase in the amount of reporting.
I think we saw a higher number of people actually reporting things to the FBI this past year than we have seen in previous years.
So I think it's really a combination of increased activity and increased reporting.
Can you touch on the importance of people reaching out to you and your colleagues at the IC3?
Why that can help make a difference in trying to combat these things?
Yeah, it's incredibly important.
And one example I would provide of that is while we saw a lot of trends that we don't want to see
as far as increase in
losses, increase in complaints, we also saw an increase in the amount of funds that the IC3 was
able to help recover through its recovery asset team. Basically, the way this functions is if a
complaint meets a certain set of criteria, we can work with financial institution partners to
potentially prevent that money from actually being delivered to the overseas cyber criminals that it's intended
for. We saw a corresponding increase in the amount of funds we were able to stop for victims before
they actually reached their ultimate destination with the cyber criminals. We can't do that type
of work unless we know about the crime in the first place.
The second thing that's really important is many of these investigations are very long-term criminal enterprise investigations that we have to undertake.
And so every piece of evidence is really potentially helpful as we try to work our way through these complex investigations, identify who's responsible,
and ultimately try to bring charges against them and bring them to justice.
So even if a complaint seems like a very small piece of the overall puzzle, it can be very,
very valuable to the investigators in the field who are trying to piece together these long-term
criminal enterprise investigations. Our thanks to Herb Stapleton from the FBI for joining us.
You can check out the 2020 Internet Crime Report on the IC3 website.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Got an interesting article here from ZDNet.
This is written by Danny Palmer, and it's titled,
Why Do Phishing Attacks Work?
Blame the Humans, Not the Technology.
This is something you and I talk about over on Hacking Humans quite regularly.
It is.
What are they getting at here, Joe?
Well, I'm going to start off by saying I don't like the idea,
the tone of the headline, blame the humans.
Yeah.
I was going to call that out myself,
but go ahead. Go ahead.
Yeah. It's really not, I mean, yes, the humans are ultimately being tricked here, but who you should be blaming are the scammers and these phishers.
These guys are committing criminal acts against people who are otherwise just trying to do their jobs.
And that's who you should blame for this.
Now, that doesn't mean that everybody is without responsibility, right, that you have to take some kind of personal responsibility for these phishing attacks.
But one of the things that's pointed out in here is a NordVPN security survey that Nord ran, in which people said they feel like they know how to stay safe online, but despite the fact that they know how to stay safe online, people are still getting phished.
And they have a quote in here from Troy Hunt, who runs Have I Been Pwned, and is actually an advisor to Nord.
He says, part of the problem is that phishing signals are often indistinguishable from positive user experience attributes, which is exactly how these guys craft their phishing emails.
Right.
And what you and I have talked about
over on Hacking Humans
is how much better these guys are getting at this.
Yeah.
And it's remarkable how well these things go on.
Now, let's leave business email compromise out of it
because that's a different situation, right?
That's not some random email coming in and asking you to enter your credentials.
That's somebody who has already compromised somebody's email account and inserting themselves into a situation.
But in order for a business email compromise to happen, somebody has to have their credentials phished.
One of the things that Troy actually says in this is he says,
it's easy when you get the link because you just click on it and it just takes you right to where they want you to go.
And a lot of times, one of the biggest problems is that we're working and we're trying to get as much done as possible.
So we're really not paying full attention to things.
So when somebody comes in and says, "Hey, I need you to log in and get this document," we go, "Great, let me just take care of this real quick," not realizing that this is actually a phishing email that's taking you to a credential harvesting site.
Yeah. Not to mention the fact that everyone, I would maintain, is still perhaps not their best self,
having been through a year of COVID, and we're tired, we're stressed, we're anxious.
I would agree.
Yes, the vaccines are rolling out, so it's nice that there's signs of hope from that,
and spring is in the air and all those sorts of things.
But I think it's still fair to say that's a contributing factor.
I would agree.
One of the things that Troy Hunt goes on to say,
he says, humans are ultimately fallible.
And that's true.
That's 100% true.
That's why these things continue to work.
And he recommends a balance of training and technology. And of course, training,
we need social engineering training,
security awareness training.
These kind of things need to be part of your security stance at your company.
They need to be regular.
They can't just be one and done.
You have to do them at least annually, I would say.
It'd be better if you could do them semi-annually or quarterly.
That would be even better.
And on the technology side, you should
get some kind of multi-factor authentication solution because that really stops a lot of
these phishing attacks right in their tracks. When the scammer comes in with a username and
password and they don't have that second factor authentication, they'll just move on to another
set of user names and passwords and skip yours entirely.
Yeah. Yeah. I want to swing back, though, to the whole thing about, like we said,
the tone of using the word blame. I think it's important. My opinion is that it's important to
have a culture within your company that if someone falls for something like this, you don't shame them.
You use it as a learning opportunity for them and for the whole organization and also a learning
opportunity for the folks whose responsibility is to protect everyone, to figure out how did
this happen? Why did this happen? What are the things we can put in place to make sure it doesn't happen again?
Because it shouldn't be a situation where someone is shamed because they fell for something that anybody could fall for at any level of the company, including the security people.
Yep. Yep. That's correct. That's 100% correct.
My soapbox.
Yep. And if there was enough room in that soapbox for me, I'd get up there with you.
You know, it's, I don't know, it's going to be kind of tough, particularly if you're a
public company to, you know, to not fire somebody.
If you have a data breach, that person's responsible.
It'd be tough for a public company to get behind this person and go, you know, they're
not really the person at fault here.
They fell for a scam from a criminal who came into the
company under false pretenses. Now, if somebody came into a bank and robbed the bank, do you fire
the teller they rob? No, you don't. You just say it was a sophisticated attacker.
But the thing is, it doesn't even need to be a sophisticated attacker. Actually,
not a technically sophisticated attacker. It has to be a sophisticated attacker in terms of social
engineering and language, right? And psychology. That's a completely different technique than a
lot of security people have the mindset to think about. And it needs to be, we need more psychologists
in this field, is one of the things I frequently say. Yeah, yeah.
Yeah, more business psychologists.
Yeah, absolutely.
All right.
Well, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
It's the ultimate bubble.
Listen for us on your Alexa smart speaker too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Thank you.