CyberWire Daily - VPN vulnerability exploited for cyberespionage closed. “IT security incident” at medical system. Android banking Trojans and cryptocurrency. Cyber threats to the Tokyo Olympics.
Episode Date: May 4, 2021
Pulse Secure patches its VPN, and CISA for one thinks you ought to apply those fixes. Apple has also patched two zero-days in its Webkit engine. Scripps Health recovers from what’s said to be a ransomware attack. Researchers describe Genesis, a criminal market for digital fingerprints. Ben Yelin described a grand jury subpoena for Signal user data. Our guest is Ryan Weeks from Datto on the need for cyber resilience in the MSP community. And Japan works on cybersecurity for this summer’s upcoming Olympic Games. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/85 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Pulse Secure patches its VPN, and CISA, for one, thinks you ought to apply those fixes.
Apple has also patched two zero-days in its WebKit engine.
Scripps Health recovers from what's said to be a ransomware attack.
Researchers describe Genesis, a criminal market for digital fingerprints.
Ben Yelin describes a grand jury subpoena for Signal user data.
Our guest is Ryan Weeks from Datto on the need for cyber resilience in the MSP community.
And Japan works on cybersecurity for this summer's upcoming Olympic Games.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 4th, 2021.
May the 4th be with you.
Pulse Secure yesterday issued patches to close vulnerabilities in its widely used VPN that have been undergoing active exploitation by an advanced persistent threat group.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has warned that the VPN has been under attack since at least June of last year, and it updated its alert yesterday to recommend that organizations using Ivanti Pulse Connect Secure appliances immediately run the Pulse Connect Secure Integrity Tool, update to the latest software version, and investigate for malicious activity.
The most serious of the vulnerabilities addressed yesterday was CVE-2021-22893, a use-after-free issue in Pulse Connect Secure
that could allow a remote unauthenticated attacker to execute arbitrary code via license server web
services. The other three vulnerabilities addressed, the first two rated critical,
the third rated high in severity, included a buffer overflow in Pulse Connect Secure
collaboration suite that could enable remote-authenticated users to execute arbitrary
code as the root user via a maliciously crafted meeting room, a command injection flaw in Pulse
Connect Secure by which remote-authenticated users could perform remote code execution via
Windows file resource profiles, and finally, a vulnerability
enabling multiple unrestricted uploads in Pulse Connect Secure, by which an authenticated
administrator could perform a file write via maliciously crafted archive uploads in the
administrator web interface. So, patch. While CISA especially has its eye on U.S. federal
civilian agencies,
its advice is surely of immediate value to any organization that runs the Pulse Secure VPN.
FireEye believes some of the exploitation may be connected with the Chinese government. The security firm's Mandiant unit reported on April 20 that two groups,
which it tracks as UNC2630 and UNC2717, were active against,
respectively, companies in the U.S. defense industrial base and government agencies in a
wide range of countries. The researchers said at the time that UNC2630 targeted U.S. DIB companies
with, and here they name specific malware packages, SLOWPULSE, RADIALPULSE,
THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March
2021. Mandiant added, we suspect UNC2630 operates on behalf of the Chinese government
and may have ties to APT5. Among its activities was an active program of harvesting credentials from compromised VPNs.
On the second group, the researchers said that UNC2717 targeted global government agencies
between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP.
They did not have enough evidence to offer any attribution
to a government sponsor or an affiliated APT.
Apple patched yesterday, fixing two iOS zero days
that are being actively exploited in the wild.
BleepingComputer explains that the issues arise
in the WebKit browser rendering engine used in iOS,
Apple Mail, and the App Store.
iPhones, iPads, iPods, macOS, and Apple Watches have all come under attack.
Scripps Health, which operates hospitals and outpatient clinics in Southern California,
is recovering from an information technology security incident that began affecting its systems Saturday.
Scripps says it suspended user access to IT systems and reverted to backups,
but that it continues to deliver care safely and effectively.
Solutions Review records a range of industry speculation that the incident was a ransomware attack. Scripps itself hasn't reported it as ransomware,
but the San Diego Union Tribune says it's obtained an internal memo indicating that ransomware was in fact the cause. The paper reports that the medical system's operations
are still suffering disruption. Digital Shadows today published an interesting report on Genesis
Market, an underground souk that caters to the
criminal-to-criminal trade. The company's researchers describe Genesis as a fully-gated,
invitation-only, English-language automated vending cart site focused on the sale of
digital fingerprints relating to a victim user's computer, browser, and accounts on websites and services. It's been in business since 2017.
Genesis is an aggregator. It trades such information about victims' accounts as
the commonplace and desirable username and password, but it adds other identifiers like
browser cookies, IP addresses, user agent strings, and various operating system details.
The hoods used to have to find these one by one, but Genesis offers a one-stop shop.
Genesis has been more enduring than most of its competing markets.
It seems to have achieved its position in the criminal market by attracting criminal influencers as early adopters
and to have largely lived up to the high-reputation word-of-mouth lent it.
A report from Threat Fabric assesses 2020 as a banner year for Android banking trojans.
Increased usage coincided with a rise in the sophistication of the criminal-to-criminal market
that did much to commoditize this form of cybercrime.
The report notes that cryptocurrency apps
received a particularly high share of criminal attention last year.
The Cyber Threat Alliance has updated its assessment
of the cyber threat to this summer's Olympic Games in Tokyo.
They expect the ransomware activity burgeoning worldwide
to present some degree of threat,
and they expect that Russian, Chinese, and North
Korean actors will take advantage of such opportunities as the Games may present for
espionage and influence operations. Japanese authorities have been preparing for the Olympics
cybersecurity for several years now. A note on scheduling, the Games are referred to as the 2020
Games because they were originally scheduled for last summer,
but were pushed back to this July and August by the pandemic.
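The Genesis item above describes what the market sells: a victim's session cookies bundled with the browser and system attributes a site would see alongside them, so that a replayed session looks like the original client. The following is an added example, not code from the podcast or from Digital Shadows' report, showing the server-side check that kind of bundle is built to defeat, and the one it is not. It flags a session cookie presented by a client whose fingerprint differs from the one the session was issued to, and, when the fingerprint matches exactly, falls back to a change of source network. The log records, the attribute set hashed into the fingerprint, and the /16 prefix comparison are all constructed assumptions for illustration.

```python
"""Flag reuse of a web session by a client whose fingerprint or source network
differs from the one the session was issued to.  Added example; the log records
below are constructed, not taken from any real incident."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Request:
    ts: int            # seconds since epoch (constructed values)
    session_id: str    # value of the session cookie
    ip: str            # client IPv4 address
    user_agent: str
    accept_language: str


def fingerprint(req: Request) -> str:
    """Hash the client-presented attributes that fingerprint kits capture
    alongside cookies (user agent, language).  Any attribute the attacker
    replays faithfully hashes identically, which is the blind spot the
    network check below exists for."""
    material = "|".join([req.user_agent, req.accept_language])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def network_prefix(ip: str) -> str:
    """Crude /16 bucket.  Assumption for the example: a jump to a different
    /16 within one session is worth a look; a real deployment would use ASN
    or geolocation data instead."""
    return ".".join(ip.split(".")[:2])


def find_session_anomalies(requests):
    """Return (session_id, reason, ts) for every request whose session was
    first issued to a different fingerprint or a different network."""
    first_seen = {}   # session_id -> (fingerprint, network prefix)
    findings = []
    for r in sorted(requests, key=lambda r: r.ts):
        fp, net = fingerprint(r), network_prefix(r.ip)
        if r.session_id not in first_seen:
            first_seen[r.session_id] = (fp, net)
            continue
        fp0, net0 = first_seen[r.session_id]
        if fp != fp0:
            findings.append((r.session_id, "fingerprint-mismatch", r.ts))
        elif net != net0:
            findings.append((r.session_id, "network-change", r.ts))
    return findings


# Constructed sample traffic: three sessions.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"
SAMPLE_LOG = [
    # sess-a: the legitimate user, same browser and network throughout
    Request(1620086400, "sess-a", "203.0.113.10", CHROME, "en-US"),
    Request(1620086460, "sess-a", "203.0.113.10", CHROME, "en-US"),
    # sess-b: stolen cookie replayed from a different browser (crude hijack)
    Request(1620086400, "sess-b", "203.0.113.20", CHROME, "en-US"),
    Request(1620086520, "sess-b", "198.51.100.7", FIREFOX, "ru-RU"),
    # sess-c: cookie plus full fingerprint replayed; only the network differs
    Request(1620086400, "sess-c", "203.0.113.30", CHROME, "en-US"),
    Request(1620086580, "sess-c", "198.51.100.9", CHROME, "en-US"),
]

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

Session sess-b is caught by the fingerprint check alone; sess-c, which models a Genesis-style replay of cookie, user agent and language together, passes that check and is only caught because the source network changed. The point for a defender is that cookie-plus-fingerprint theft makes client attributes an unreliable signal on their own, so session binding should lean on something the buyer cannot copy from a log of the victim's browser, such as the network path or a re-authentication step.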
Managed service providers know that one of their top business priorities is reliability and uptime.
A ransomware attack, for instance, can take down not only the MSP, but all of their clients as well, and that can be a quick path to financial ruin.
Cyber resilience is a widely used term, and today I'm joined by Ryan Weeks, CISO at MSP software and services provider Datto, for his insights on the
criticality of cyber resilience for SMBs and MSPs. Yeah, for cyber resilience, what we've been doing
is really trying to educate MSPs and through MSPs, SMBs, that really they're living in a world where
you can't just assume that you're going
to be able to prevent a bad outcome from occurring. You have to assume that a bad outcome is going to
occur. And, you know, those in security circles know we call that the assume breach mentality.
And in that mentality, we need to not just be focused on trying to implement technologies and processes to, to kind of reduce the likelihood of a bad outcome,
but also invest in the abilities to detect,
respond and recover when those bad outcomes do occur.
And to us,
that ability to like kind of build a cybersecurity program that protects and
detects threats,
and then having really robust capability in response
and recovery is, you know, being incident response and business continuity, that is really what cyber
resilience is. And so it's, you know, really that preparation for, you know, both being prepared for
the bad thing to happen to try to prevent it, but also knowing how you're going to respond in order to minimize damage when the bad thing does happen. So from a practical point of
view, what does that look like? I mean, what's the spectrum of options that organizations have to
prepare themselves in a resilient kind of way? Yeah, it's a great question, right? People are
like, okay, great. So now that I kind of understand what cyber resilience is, how do I achieve it? And so again, that's been a focus of our education
for MSPs is really helping them lay out a pathway. And so we have been seeing a lot of MSPs
focus on CIS security controls, so specifically implementation group one, as a means to kind of
improve their security programs and then also, you know, drive that into their small and medium-sized businesses that they support as well.
The challenge with that is CIS can be a little focused on technology-centric controls, and when
you actually kind of map them out, they're very heavy in Identify, Protect, and Detect capabilities. And for real
true cyber resilience, you need a balance of people, process, and technology, and you really
need capabilities kind of right of boom, which is your detect, respond, and recover as well.
So CIS is a great place to get started, but what we're really advocating for MSPs to do is follow a framework,
whether it's kind of the NIST cybersecurity framework, which follows those five functional areas
and has kind of an appreciation for people, process, and technology as well,
or even something that builds on top of it, like the cyber defense matrix.
We're seeing that that is really going to help MSPs and SMBs be in a position where they're more able to recover from bad outcomes, which for them primarily means ransomware.
That's Ryan Weeks from Datto.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the Caveat podcast. Ben, great to have you back.
Good to be with you, Dave.
It caught my eye, the folks over at the Signal app posted a blog post. It's titled Grand Jury Subpoena for Signal User Data, Central District of California. It's a bit of, I guess, a bit of
tongue-in-cheek in their approach here, but there's some interesting
privacy stuff that they're focusing on. Can you give us a rundown of what's going on here, Ben?
Yeah, I mean, the tongue-in-cheek stuff is very funny. The hook for this article is it's 2021 now.
It's been five years since 2016. Remember Brexit? Remember Trump? Remember Justin Bieber at number one on the charts. But that's a hook for
Signal receiving yet another grand jury subpoena asking for identifying information about their
users. Signal does not have any identifying information about their users. That's the
whole point. It is an end-to-end encrypted application. So things that a grand jury subpoena could obtain from other companies that don't have end-to-end encryption, you can't get from Signal.
So the subpoena that they're referencing here, which is posted as part of this blog post, asks for addresses, the transcript of correspondence over the application, and a name associated with an account. Signal does not have that information. It cannot provide it. All they
have is very limited, basically the date that you started your account, and that's not going
to tell them much.
And when you last connected to the Signal service, that's all.
Right. That actually might be relevant in a limited number of cases,
but it's really not much information.
This is going to be a really nice selling point for Signal
as they try to advertise the benefits of end-to-end encryption
by saying, here's an actual situation where a district court in California
sent us a request for information, but because
we don't have access to that information, we can't send it to them. Thus, your privacy is protected.
So I can completely understand why Signal would have a blog post about this and would put up the
grand jury subpoena. There is sort of one interesting element that's in the subpoena here.
The court is asking for information sufficient to show interstate wiring, which is supposed to be a mechanism to show a jurisdictional theory, as they call it, that signal messages cross state lines.
And perhaps that's going to be relevant in this case for the communications that they're seeking. This is something that's new.
Apparently it wasn't in the last grand jury subpoena that they received five years ago.
And they said it feels like something out of a Law & Order episode from the mid-90s when the internet, in quotations, was still young and people didn't really understand how it worked.
But that's not really something that – they didn't really talk about how they're going
to respond to that aspect of it. I think they're tongue-in-cheek about it because
it kind of points to an outdated understanding of how the internet works, and that it almost
certainly doesn't matter in adjudicating the case. So yeah, they were represented by good ACLU lawyers here. And of course,
they're going to want to publicize every chance they can of actual situations where they're
getting requests for personal information. And because of how stringent their end-to-end
encryption is, they are unable to hand over that information.
Right. A couple questions here. Is it possible that this is just simply that the DOJ sent out something
that's fairly boilerplate, and that's why it just sort of
doesn't really align with how things work at Signal?
Yes. I think that's exactly what happened.
This is the form we give to tech companies to give us information.
And they're not really aligning it
for end-to-end encrypted applications.
You know, it's like you might as well,
you know, shoot your shot, right?
There's no harm in requesting it.
Signal's just going to come back and say,
we don't have it.
Yeah.
The other thing that caught my eye here in the subpoena
is it says,
because this subpoena relates
to an ongoing criminal investigation,
you are asked not to disclose the existence or nature of the subpoena. Such disclosure could obstruct and
impede the ongoing investigations and interfere with the enforcement of the law. If you nonetheless
plan to disclose the existence or nature of the subpoena, please contact the special agent
identified above first. Can you unpack that for me from a legal point of view? Like, is that just sort of
please, please do us a favor? Or is there any, you know, legal backing behind that paragraph?
So it depends on the circumstances. In most grand jury subpoenas, there isn't much of a legal threat
for people who disclose information. There are a couple of exceptions. One of them is national
security letters. So this is information related to homeland security or national security
information, there's actually a legally enforceable gag order that comes with those
subpoenas. And that's what national security letters are, administrative subpoenas. And in
that circumstance, you could face criminal penalties for divulging the contents of that subpoena.
People have been fighting against these gag orders for years, with good reason.
I mean, it puts people, you know, the companies and individuals who receive these requests
in a very difficult situation.
And prior to some reforms that have been passed over the past several years,
you couldn't even discuss it with an attorney lest you'd be violating that gag order.
Fortunately, in most circumstances now, at least
the government has given people who've received these
gag orders a chance to challenge them in court, and they give them
instructions on exactly what kind of information they have to submit.
And they've allowed exceptions for who those individuals can talk to.
And one of those is you can run this by your attorney
as long as you keep it confidential.
So this does appear to be a Homeland Security investigation.
I'm wondering if this was issued under that National Security Letter authority or some other authority.
But generally, when we're talking about national security, homeland security cases,
they do have a legally enforceable gag order.
Yeah, I wonder if the folks from Signal
or their attorneys from the ACLU
contacted the special agent before they published this or not.
I'm going to guess not.
I'm going to guess not, yeah.
I mean, they also...
One selling point of these companies is, like,
we like to thumb it in the nose of overreaching government agents,
and that just proves how much we care about protecting your privacy.
Right, right.
This is one way of showing it, yeah.
Yeah, a bit of swagger here as well.
For sure.
Yeah.
All right, well, Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.