CyberWire Daily - Updates on the state of Microsoft Exchange Server vulnerability, patching, and exploitation. Third-party breaches affect Shell and AFCEA. TikTok’s privacy. A manga site goes down.

Episode Date: March 23, 2021

Exchange Server patching is going well, they say, but they also say that patching isn’t enough. Crooks are continuing to look for unpatched instances, and even in the patched systems, you’ve got to check to make sure the bad actors have been found and ejected. AFCEA and Shell both disclose being affected by third-party breaches. Citizen Lab sees no particular problem with TikTok. Ben Yelin ponders possible US response to the Microsoft Exchange Server attacks. Our guest is Alex Gizis from Connectify on using VPNs to thwart government internet restrictions in Myanmar. And a major manga fan site is down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/55

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Exchange Server patching is going well, they say, but they also say that patching isn't enough. Crooks are continuing to look for unpatched instances, and even in the
Starting point is 00:02:08 patched systems, you've got to check to make sure the bad actors have been found and ejected. AFCEA and Shell both disclose being affected by third-party breaches. Citizen Lab sees no particular problem with TikTok. Ben Yelin ponders possible U.S. response to the Microsoft Exchange Server
Starting point is 00:02:24 attacks. Our guest is Alex Gizis from Connectify on using VPNs to thwart government Internet restrictions in Myanmar. And a major manga fan site is down. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 23, 2021. Microsoft Exchange Server patching has gone extraordinarily well, The Record reports, with roughly 92% of all Exchange servers as of yesterday having had either patches or other emergency mitigations applied. The one-click tool Redmond has made available has been downloaded more than 25,000 times since its release last week, Fortune writes. The tool has received positive reviews, with FireEye, for one,
Starting point is 00:03:33 praising the easily downloaded turnkey script that organizations can use to both apply patches and determine whether their systems have been compromised. That's all good news, but patching alone isn't sufficient. Potentially affected organizations need to do some threat hunting and remediation before they can consider themselves in the clear. According to CyberScoop, CISA's acting director yesterday cautioned that, "Patching is not sufficient. There are literally thousands of compromised servers that are currently patched, and these system owners, they believe they are protected." They're not, of course. Thousands of Exchange servers were compromised before the patches were available,
Starting point is 00:04:08 and if the attackers were in them, unless they've been found and booted out, they're still there. And of course, even with 92% of on-premise Exchange servers fixed, that still leaves around 30,000 of them unpatched. Criminals are still seeking to get while the getting's good. Computing reports that Black Kingdom ransomware operators are among those seeking to exploit Exchange Server ProxyLogon vulnerabilities.
Starting point is 00:04:35 Their source is Marcus Hutchins, the security researcher who blogs at MalwareTech. And Mr. Hutchins says he caught Black Kingdom over the weekend in a honeypot. We add an obligatory note from recent history. Mr. Hutchins was the hero who found the WannaCry kill switch, but who was subsequently convicted by a U.S. court of earlier involvement with the Kronos banking Trojan and sentenced to time served, a year of supervised release, and a fine. The judge said at sentencing that Mr. Hutchins appeared to have outgrown and forsaken his earlier criminal ways, and that the court took notice of that.
Starting point is 00:05:12 Attackers also continue actively scanning for servers that remain unpatched, with F-Secure seeing a significant number of attempted hacks daily. ZDNet quotes F-Secure as saying, "They're being hacked faster than we can count." Acting CISA Director Wales also said that the list of SolarWinds victims had solidified, FCW reports, and that he doesn't expect many, if any, new victims to come forward. AFCEA yesterday emailed its members to notify them that Spargo, a third-party vendor who handles registration for AFCEA events, had sustained a ransomware attack, and that some member personal information may have been compromised. Financial data are believed to be unaffected.
Starting point is 00:06:07 Compromise may have included names, addresses, email addresses, phone numbers, fax numbers, job titles, and organizational affiliation. To the best of AFCEA's knowledge, credit cards and other financial information, passwords, social security numbers, dates of birth, and driver's licenses aren't at risk. Spargo is investigating, and AFCEA is staying close to them for updates. Shell disclosed yesterday that it has discovered personal data the company held was affected by the Accellion breach. Regulators, law enforcement authorities, and affected individuals have been contacted. This represents the latest fallout from the compromise of Accellion's FTA software. So, TikTok. Privacy nightmare and national security threat,
Starting point is 00:06:49 or just a goofball site where you can watch someone bop their head to Millie B. The University of Toronto's Citizen Lab took up the question and concluded that it's the latter. TikTok is owned by China's ByteDance, but Citizen Lab found no unusual evidence of overt malicious influence. They did admit that, of course, you don't know what you don't know, and that maybe there are security issues they didn't find. And also, of course, it's possible the Chinese government could use unconventional ways to force ByteDance to turn user data over to the authorities under China's national security laws. So the charge of security threat didn't get a guilty or not guilty finding, but more of a
Starting point is 00:07:32 not proven, as they say in Aberdeen. On the privacy issue, Citizen Lab shrugged and said, well, at least TikTok's no worse than Facebook, which almost amounts to a letter of recommendation now, doesn't it? So for now at least, you can watch the cat searching an aperture, the baby getting its smiling cheeks squeezed, and Fashion Week fantasy, and so on. So enjoy. And finally, sorry Otaku, but MangaDex, the manga fansite,
Starting point is 00:08:07 says it's been hacked in an apparent extortion attempt. The hacker gained access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management. MangaDex, after having closed off that particular problem, subsequently found that one of its developer accounts had been improperly accessed, and at that point took its site down for more complete remediation and a security upgrade. The intruder may have been more nuisance than serious extortionist. At any rate, in the early morning on March 20th, the attacker had, as MangaDex put it, abandoned any pretenses of ransomware. They emailed some users to say, "MangaDex has a DB leak. I suggest you tell their staff about it." So, MangaDex appears to be taking all the reasonable precautions one might expect. In the meantime, Otaku, what are you going to do?
Starting point is 00:09:00 Granted, social distancing is probably not the same issue for you that it is to many others, but still, you're out of manga. May we suggest broadening your reading interests? Try Jane Austen, maybe. Sure, Emma isn't Sailor Moon, but we all face sacrifices, don't we? Here's an idea. TikTok yourself reading Jane Austen. You'll stay busy and provide a public service besides.
Starting point is 00:09:25 Start here. This is about the right length. Mr. Knightley, a sensible man, about seven or eight and thirty, was not only a very old and intimate friend of the family, but particularly connected with it, as the elder brother of Isabella's husband. He lived about a mile from Highbury, was a frequent visitor and always welcome, and at this time more welcome than usual, as coming directly from their mutual connections in London. He had returned to a late dinner after some days' absence,
Starting point is 00:09:56 and now walked up to Hartfield to say that all were well in Brunswick Square. It was a happy circumstance, and animated Mr. Woodhouse for some time. Mr. Knightley had a cheerful manner, which always did him good. On second thought, yeah, probably best to just stick with Sailor Moon. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:10:38 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:11:06 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done
Starting point is 00:11:40 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak.io unique to Myanmar, of course. There's the Great Firewall of China, and other nations dial in what they do or do not allow their citizens to access. One way around those restrictions is the use of a VPN. Connectify is a company that offers a VPN product called Speedify, and in the course of a week's time, they've seen over half a million users from Myanmar start using their service.
Starting point is 00:13:23 A service, it should be said, that in the interest of global citizenry, Connectify is providing citizens of Myanmar for free. Alex Gizis is Connectify's CEO. So there was a coup on February 1st where the military of Myanmar overthrew the country's leadership. And they had two short internet shutdowns in the first week. And they started filtering all sorts of sites. Facebook and things like that are blocked by the firewalls in the country.
Starting point is 00:14:01 And for the last, I would say, 15 nights in a row, they've actually just been literally cutting off the internet right at 1 a.m. local time and turning it back on at 9 a.m. So the whole night they are simply disconnecting from the internet entirely. You know, I think it's hard for those of us here in the U.S., and certainly we cannot claim to have the best, fastest, or cheapest Internet in the world. But in general, we have good accessibility. You know, I can imagine in the days when we used to get together in the office here that, you know, if the Internet goes down for five minutes, people start walking around nervously, you know, wondering what are they going to do with the rest of their day. It's hard to imagine having big outages like that. But beyond that, I mean, that it's being used for political control in this way, not just in Myanmar, but around the world.
Starting point is 00:14:56 Yeah, it absolutely is. And running an operation, you know, so the Great Firewall of China, of course, is a super advanced thing that filters all sorts of URLs and even reads the contents of messages and things like that to make sure you're not doing things the government doesn't approve of. But these other countries can't afford that. China has, I believe, tens of thousands of people running that filter operation. China, Myanmar, they can't do that. They have to come up with blunter tools, like simply disconnecting the internet for 8 or 23 hours at a time. So how are the citizens getting around that?
Starting point is 00:15:40 What sort of tools do they have at their disposal? Well, so once the whole internet is disconnected, there isn't much you can do. I mean, we have no magic cure to that. During the 16 hours a day that there is internet, people are turning to VPNs to get around the blunt filtering, right? You can't go to Facebook. Well, you download Speedify, you fire it up, connects to one of our servers, and now you can get on Facebook, right? So as long as you have internet access to us, we can get you to everywhere else on the internet. And that seems to be what people are doing,
Starting point is 00:16:16 right? So we have 500,000 active users now in Myanmar. And I have no idea what the competitors have, but that's 1% of the population is on Speedify at any given time. Where do we suppose this sort of arms race is headed? Do we suppose that through the encryption that comes with using a VPN that's going to serve us for the long haul? It is absolutely a game of cat and mouse. Arms race is the right term, right?
Starting point is 00:16:55 So we now support ESNI. So we not only encrypt our data packets, now we encrypt the headers so that they can't recognize our certificate. We use DNS over HTTPS, DoH, so that they can't block us in the DNS server, right? So, I mean, every few months we are adding another tool to our quiver when we see some country managed to block us. We look at how and we add another, and it just keeps ramping up. So I expect the arms race to really continue as an arms race for a long time. That's Alex Gizis from Connectify.
Starting point is 00:18:05 Thank you. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. Also my co-host over on the Caveat podcast. Hello, Ben.
Starting point is 00:18:45 Hey, Dave. Interesting article from the Lawfare blog. It's written by Dmitri Alperovitch and Ian Ward. And it's titled, How Should the U.S. Respond to the SolarWinds and Microsoft Exchange Hacks? Can you give us a rundown of what they're proposing here, Ben? Yeah, so we've had two very high-profile cyber attacks at the behest of nation-states recently. So obviously, SolarWinds, which was perpetuated by
Starting point is 00:19:12 agents of the Russian government. And then more recently, the attack on Microsoft Exchange servers, which we think is from China. And what this article gets into, or this blog post, is the difference between these two attacks, why that difference is so critical, and how it should shape our responses to these attacks. So the SolarWinds attack was much more narrow. It was sort of a clinical strike, and it was much more of a responsible attack, if you can say such a thing. Even though Russia was able to gain access to some of our Fortune 500 companies through this attack, they didn't exploit the vast majority of the networks that they gained access to. And in fact, as this blog post notes, they voluntarily sent a kill switch to 99% of their potential victims, which limited their own access.
Starting point is 00:20:06 The hidden underbelly of all of this is this is the type of espionage attack that the U.S. government almost certainly has engaged in itself. So, you know, if we were to impose a disproportionate response on Russia, that could be inviting a disproportionate attack on us and retaliation. So for something like this, you know, there are diplomatic means you can use to respond, you know, kicking out diplomats, closing diplomatic facilities, limited sanctions, that type of thing. Right. But for the Chinese attack on Microsoft Exchange servers, this was more of an indiscriminate attack by Chinese hackers. It was the type of thing that was not limited in scope. It wasn't carefully executed.
Starting point is 00:20:52 It was broad. They basically ransacked our computer networks, took as much of the loot as they could find, and are going to figure out what's useful to them as they search through it. So I think our response to China has to be proportionate to the scale of this attack. And we have to make it very clear with whatever diplomatic means we use that this type of attack is an escalation. It's not going to be acceptable. As the blog post called it,
Starting point is 00:21:22 and I think he was quoting another cybersecurity expert, China used a pillage-everything model. And whatever disincentives we want to give, we need to do that because this is not something that we can accept. Where do you suppose this goes from here? I mean, is the Biden administration making any noises as to what their likely responses might be? So I think they've been teasing the Biden administration for a while, how they're going to respond to the SolarWinds attack. And we've heard rumors about various sanctions that are going to be instituted. The Chinese attack, the Microsoft Exchange attack is still relatively new. So we don't have much guidance as to what the response is going to be and how proportionate it's going to be to the attack itself.
Starting point is 00:22:10 But it seems like in the interest of not only ourselves, but the international community, I think there's a call among experts to draw a bright line against this type of indiscriminate attack that we saw with the Microsoft Exchange attack. So I think we will probably see a more robust and perhaps offensive cyber operation in retaliation for this attack. I have seen some folks say also in response to SolarWinds, because it's more of an espionage type of thing, it's more of a spy versus spy type of thing, that there may not be public signs of our response. It may be a
Starting point is 00:22:47 more behind the scenes thing where the, you know, the folks who need to know that we know that they know that we know, you know, that sort of thing. Yeah, I kind of analogize it. I'm a big hockey fan. I analogize it to what happens on the ice during a game where you kind of are feeling each other out with little stick checks that nobody else can see and kind of asserting your own authority and seeing what you can get away with, testing that out before you actually drop the gloves and get into a fight.
Starting point is 00:23:16 I kind of think that that's sort of what's happening here, that we might see a response that's not immediately evident to us, but would be appropriate for more of a targeted attack like the one that we saw from Russia. All right, well, Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire.
Starting point is 00:23:53 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Comes with everything you see here. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Thanks for listening. We'll see you back here tomorrow. Thank you. but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:25:06 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
