CyberWire Daily - The SVR’s exploitation of the SolarWinds software supply chain proves a very damaging cyberespionage campaign. HPE zero-day. Report on China’s influence ops delayed.
Episode Date: December 17, 2020
The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA, and ODNI are leading a whole-of-government response to the... incident. Three companies have collaborated on a killswitch for the Sunburst backdoor’s initial command and control. HPE discloses a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And, of course, some predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/242 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The SolarWinds supply chain compromise may not have been an act of war,
but it was certainly a very damaging espionage effort.
The FBI, CISA, and ODNI are leading a whole-of-government response to the incident.
Three companies have collaborated on a kill switch for the Sunburst backdoor's initial command and control.
HPE discloses a zero-day in its SIM software.
ODNI will delay its report on Chinese election influence ops.
Thomas Etheridge from CrowdStrike on their services frontlines report.
Our guest is Derek Manky from Fortinet with 2021 Threat Insights.
And of course, it wouldn't be the end of the year without some predictions.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 17, 2020.
The U.S. government and a large number of private organizations continue to assess the extent of the SolarWinds incident.
The scope and extent of the damage are known to be large,
but just how large and who specifically was affected remains under investigation.
An op-ed by former U.S. Homeland Security Advisor Thomas Bossert
probably has it right in saying that the breach is hard to overestimate.
Bossert's assessment is worth quoting at some length.
Quote,
The Russians have had access to a considerable number of important and sensitive networks for six to nine months.
The Russian SVR will surely have used its access to further
exploit and gain administrative control over the networks it considered priority targets.
For those targets, the hackers will have long ago moved past their entry point, covered
their tracks and gained what experts call persistent access, meaning the ability to
infiltrate and control networks in a way that is hard to detect or remove.
While the Russians did not have the time to gain complete control over every network they hacked,
they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy. The logical conclusion
is that we must act as if the Russian government has control of all the networks it has penetrated,
but it is unclear what the Russians intend to do next.
The access the Russians now enjoy could be used for far more than simply spying.
End quote.
Some of the congressional reaction to the Sunburst backdoor
and the presumed compromise of hundreds of U.S. networks has been overstated.
Senator Dick Durbin, Democrat of Illinois, to take one example, has fulminated that Russia's exploitation of the
vulnerability is an act of war. That's one point of view, but it's not widely shared, at least
outside Capitol Hill. It's a very bad incident, but it isn't war. It's espionage, cyber espionage.
And while espionage is damaging and hostile, it's not an act of war.
So this isn't the cyber Pearl Harbor you're looking for.
Should there be some appropriate and proportionate response?
Sure.
But a ranger battalion in the parking lot of Stardog's Hot Dog Joint in South Moscow
or a brace of tomahawks headed for the Moscow Ring Road?
With all due respect to constitutionally specified congressional war powers, ladies and gents,
have you taken leave of your senses?
Probably not. Actually, of course not.
And Senator Durbin was caught up in the tweet of the moment, but clarity is always a good thing.
And one hopes that the Senate is clear that the SolarWinds supply chain compromise represents very serious
espionage, but not an act of war against the United States. As Bossert points out, it's possible that
the access Cozy Bear gained to U.S. systems could be used for far more than simply spying,
but it doesn't appear so far that it has been so used.
It's espionage. A joint statement yesterday from the U.S. FBI, CISA, and ODNI says that the
government has invoked Presidential Policy Directive 41 to establish a cyber-unified
coordination group to coordinate a whole-of-government response to the Russian cyber operation that exploited SolarWinds Orion platform. The FBI has the lead for threat response.
It's investigating for purposes of attribution, pursuit, and disruption of the threat actors.
It's presently doing so by engaging with known and suspected victims. CISA, the Cybersecurity and Infrastructure Security Agency, has the lead for asset response activities.
Emergency Directive 21-01 was its first step in helping contain and remediate the damage.
And the Office of the Director of National Intelligence is coordinating the intelligence community's collection and analysis of the incident.
According to Krebs on Security, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a kill switch to disable sunburst backdoor instances
still beaconing to their original domain.
As FireEye said in a widely quoted statement,
This actor moved quickly to establish additional
persistent mechanisms to access victim networks beyond the Sunburst backdoor, end quote. So the
kill switch, while a welcome contribution, is very far from representing a thorough remediation,
and the three companies understand that. Bleeping Computer has a summary of what's
publicly available so far. The participants have been tight-lipped about the details.
Hewlett Packard Enterprise has disclosed a zero-day remote code execution vulnerability in its Systems Insight Manager.
The company is working on a patch, Bleeping Computer says,
but in the meantime has released mitigations for the Windows version of the software.
Trend Micro's Zero Day Initiative reported the issue to HPE.
It's tracked as CVE-2020-7200, and it affects HPE Systems Insight Manager 7.6.x.
The mitigations HPE has published all involve disabling the software's federated search feature.
Bloomberg reports that the U.S. Director of National Intelligence said yesterday that the
intelligence community will not meet tomorrow's deadline to report to Congress about Chinese
influence operations in the 2020 election season. That there were attempts seems clear enough,
but how extensive they were and how much prominence they should be given remains a matter of disagreement among the agencies in the intelligence community. And we continue to hear predictions.
Security companies foresee an enduring shift to remote work,
initially driven by the COVID-19 pandemic,
but subsequently taking on a momentum of its own.
That shift is one organizations remain imperfectly prepared to handle,
Digital Shadows thinks.
Check Point's assessment is blunter.
The pandemic amounts to a security pandemic as well as a biological one.
There's also considerable agreement about the effects of newly arrived technology.
The Bangkok Post quotes its local Fortinet authorities,
quote,
by leveraging intelligent edge, 5G-enabled devices
and advanced computing power,
this creates a wave of new and advanced threats
of an unprecedented speed and scale, end quote.
Digital Shadows projects existing technological trends
into the cybercriminal future
and sees more botnets and more adversarial
machine learning. And Restore Privacy offers some advice about securing online during the holiday
season, a sad review of the usual scams, non-delivery, formjacking, fake shipping notifications,
and so on. Do stay safe out there.
Derek Manky is Chief of Security Insights and Global Threat Alliances
with FortiGuard Labs,
which is part of Fortinet.
He joins us with thoughts
on how the intelligent edge
may increasingly be a target
as we head into 2021.
Really, I look at it as the next leap forward from this evolution that we've had over the last 10
years, specifically with threats, moving from mobile initially to the world of IoT and OT,
operational technology, and now the edge. So when I look at the edge, it's positioning,
but it's also capability.
So obviously, the world of IoT generally are a lot of these smaller devices,
smaller footprint, where if we look at the intelligent edge,
these are devices that have more compute power,
more connectivity, more access, authorization, privilege, and more reach.
So what are some of the security concerns there as this intelligent edge develops?
Yeah, absolutely.
So anytime we have a new tool,
the history has taught us this before several times.
I think that anytime that we have a new tool
and that we have new
capability and functionality, security threats follow. And, you know, attackers see this as a
ripe opportunity. And, you know, we just have to look at how these tools can be weaponized
to understand what we're up against in the future. Are there potential advantages here as well to have these capabilities distributed?
Is there an upside of not having all your eggs in one basket?
Yeah, yeah, absolutely.
We're already seeing that.
A relevant example right now is TrickBot.
So this is something where, by not being all the eggs in one basket, these threats become much more resilient.
We've seen this before, even in the world of IoT and botnet takedown attempts.
There's a lot of great activity, a lot of great partnerships that are happening out there in the industry, which is fantastic.
And we need to do more of that.
But because of this technology, threats are becoming much more resilient as well.
So now it's not just, hey, you have 100 domains that you have to take down because it's public access.
These IoT devices are private access. And it's much harder to go knocking on someone's door and say, hey, excuse me, you've got a printer hosting some pretty malicious stuff in your house.
You should take that offline.
It's much more tough to do that.
And it's the same challenge with Edge, but it's on a larger scale, as I said, because
these Edge devices have more authorization in general, more authentication authorization
to these different APIs and quite a bit more power too.
Well, Derek Manky, thanks for joining us.
Yeah, it was a pleasure. Thanks so much.
And joining me once again is Thomas Etheridge.
He's the Senior Vice President of Services at CrowdStrike.
Thomas, great to have you back.
I want to touch base with you today on the report that you all recently published.
This is your CrowdStrike
Services Frontlines Report. Let's go through some of the highlights together. What were some of the
key things that you all reported on this time? Thanks, Dave. I appreciate you having me on again.
Yes, this year we produced yet another annual Frontlines Report highlighting some of the
activities we found from our investigations and service engagements.
This year, the 2020 report highlights a staggering increase in financially motivated
threat actor activity. One of the key findings from the report this year was it's not just about
ransomware and deploying ransomware for financial gain. It was really about threat actors increasingly destroying,
exfilling, and threatening to leak some of that sensitive data as they effectively tried to target
larger ransomware payments. About 81% of the cases we worked on this year involved some form of
ransomware deployment or at least showed the precursor to a ransomware type of activity.
The remaining 19% included e-crime tactics such as point of sale intrusions, e-commerce website attacks, business email compromises, and cryptocurrency mining.
You know, I'm intrigued by this notion of the destruction of data and this extortion that you say, you know, you all have been tracking, which certainly we've done a lot of reporting on.
I'm wondering too, you know, there's this specter of not just destroying, but altering data. And
it doesn't seem to me like we've really seen that come to pass, the corruption of data.
Great point.
You're right.
I think for most of the threat actor activity that we reported on in the Frontlines report and that we saw from an intelligence gathering perspective,
a huge volume of success in terms of compromising organizations' infrastructure, being able to monitor over a period of time and look for sensitive information, business-impacting
information, and be able to either exfil that data or encrypt infrastructure for ransom,
made that operation kind of core to what they were doing. They were quick in,
quick to deploy their tools and tactics, ransom an organization, and if they were successful in
doing so, they would move on to the next organization. We saw a lot of really fast
movement by these threat actors this past year. Yeah, that's interesting. So what are the
takeaways here in terms of the recommendations that you're making for the folks that you work with? What sort of stuff have you
put together based on what you found in this report? There are several things, Dave. The first
thing is that in about 30% of the incident response engagements that we performed over the
course of the year, 30% of those cases, the organization's antivirus
solution was either incorrectly configured, did not have the appropriate prevention settings
set up, or was not fully deployed across their environment.
And that resulted in, in many cases, an easier path for threat actors to compromise those
solutions.
Additionally, those antivirus solutions
failed to provide protection in 40% of the incidents we responded to in 2020. So really taking a look
at the tooling that you're using for your solution for preventions, making sure it's
configured properly, making sure it's a next-gen solution that leverages machine learning and AI,
and then making sure that it's deployed fully across your environment.
The second recommendation, Dave, was that CrowdStrike identified that 68% of the organizations we responded to
experienced another intrusion attempt after suffering their initial breach.
It's really important to have a strategy around
continuous monitoring and response. What we mean by that is that thinking of incident response as
a one-and-done activity is no longer a viable and effective strategy for responding to incidents.
It's critical to understand that threat actors are persistent.
They will make multiple attempts, and if they're successful at making an attempt and extorting a
ransom, for example, it's not uncommon to see that same organization potentially victimized again,
either by the same threat actor or by a different threat actor. It's critical that organizations start to move to more of a continuous monitoring and response approach
in order to defend against these high-velocity attacks.
All right. Well, interesting insights for sure.
Thomas Etheridge, the report is the CrowdStrike Services Frontlines Report.
Thanks so much for joining us.
Thank you, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
Save you time and keep you informed.
It's the Uncola.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman, Peru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.