The CyberWire Daily Podcast 8.4.20
Ep 1144 | 8.4.20

US attributes Taidoor RAT to China’s government. Pegasus spyware in Togo. The TikTok affair. More fallout from the Blackbaud ransomware incident.

Transcript

Dave Bittner: The U.S. attributes the Taidoor remote access Trojan to the Chinese government. Pegasus spyware is found deployed against churchmen and political opposition figures in Togo. China denounces the American smash-and-grab of TikTok. Ben Yelin looks at international law and attribution. Our guest is Ameesh Divatia from Baffle on misconfigured databases being attacked within just hours after coming online. And the Blackbaud ransomware attack continues to affect new victims.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 4, 2020. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - has published a Malware Analysis Report on Taidoor, a remote access Trojan that Chinese intelligence services have deployed against collection targets since 2008. The FBI and the Department of Defense concurred in the analysis, and U.S. Cyber Command has uploaded samples of Taidoor's code to VirusTotal. It's been used against government agencies, corporations and think tanks, mostly organizations with an interest in Taiwan. The FBI says it has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. 

Dave Bittner: Both FireEye and CrowdStrike have tracked Taidoor for some time, with FireEye publishing a study in 2013 and CrowdStrike in 2014. So Taidoor hasn't suddenly emerged from nowhere. But the news in this latest report is its formal, explicit attribution of the RAT to the Chinese government and the urgency with which the U.S. government urges organizations to apply against Taidoor. 

Dave Bittner: NSO Group's Pegasus spyware is said, by the University of Toronto's Citizen Lab, to have been deployed against a Roman Catholic bishop and a priest who had advocated human rights reforms in the West African country of Togo, as well as against two members of the political opposition. Pegasus is believed to have been installed through a WhatsApp exploit. 

Dave Bittner: This is the most recent case in which NSO Group tools have been found in use by governments for domestic surveillance that appears to go beyond law enforcement or counterterrorism investigations. No government is flawless, of course, and an argument could be made that the sale of Pegasus to Togo is a legitimate case of lawful intercept technology being delivered to a legitimate customer. NSO Group has declined to comment. But Citizen Lab thinks that's a tough case to make. 

Dave Bittner: Togo is not the worst regime on the planet, but if your standard is, say, North Korea, you're probably missing the mark. Citizen Lab describes Togo as a flawed democracy ruled by a single family for 57 years with a long track record of human rights abuses, including reports that torture is routine in the country's prisons. And they go on to say that the four individuals targeted are clearly neither criminals nor terrorists by any international human rights-respecting standards. 

Dave Bittner: NSO Group emailed a statement to Vice. The vendor said, quote, "as NSO has now stated on several occasions, due to strict contractual and legal confidentiality requirements, we cannot confirm or deny who our customers are. As we have also made clear before, we are not privy to who our authorized and verified sovereign government clients target using our technology, though they are contractually obliged to only do so against terrorists and criminals," end quote. 

Dave Bittner: Citizen Lab says it doesn't have conclusive evidence that the spyware was deployed by Togo's security forces, but it does think that the timing and target selection amount to a strong circumstantial case that it was. 

Dave Bittner: China Daily, an outlet for the Chinese Communist Party, has announced the party line on Microsoft's interest in buying TikTok's operations in the U.S., Australia, New Zealand and Canada. The U.S. administration's smash-and-grab of TikTok will not be taken lying down, the paper's headline declared, although what the implied retaliation might be is left unspecified. It's a lot of shilly-shallying out of "The Art of the Deal," the same stuff Beijing endured during trade negotiations with the U.S. 

Dave Bittner: But Forbes thinks this is more smoke-blowing than fire-breathing. TikTok isn't Huawei, and reading between the tough lines are avowals of determination to be measured and responsible, which suggests that China is signaling that it doesn't intend to retaliate against U.S. software shops. There are, after all, companies and there are companies, and TikTok, while splashy, isn't Huawei. 

Dave Bittner: It has become all too routine for us to report on misconfigured databases being left open to the Internet. But how much time does it take for a misconfigured database to be discovered and exploited? Ameesh Divatia is co-founder and CEO at data-centric encryption firm Baffle, and he joins us with some findings. 

Ameesh Divatia: Cloud databases are certainly becoming a very important aspect of the value proposition that customers look for when they move to cloud. Databases tend to be a very big-cost item for customers to deploy on-prem. So we look for those services very often when they go to cloud. 

Ameesh Divatia: You know, RDS is Amazon's probably fastest-growing service. So when that happens, there's a couple different things that customers run into. The first one, actually, is just in the migration process itself. One of the things is - that is not very well-known is when the migration happens, when the data goes from on-prem environments into cloud, it actually shows up in the clear in the cloud first. The second one has to do with just cloud-native databases where you're just creating a database in cloud. There's some checks and balances - that Amazon makes sure that you have a certain password and, you know, make sure that you are setting up some basic security. But as you know, most of the vulnerabilities that happen with hacks is user error. 

Dave Bittner: Yeah. I mean, I think it's - I suppose it's probably not too surprising these days that it doesn't take very much time for the bad guys to find a misconfigured database. 

Ameesh Divatia: Exactly. So one of the big issues that we're running into is that the convenience of being able to actually set up these databases, you know, makes it really easy to make the mistake and keep it open, right? It's a little problematic to put in lots of security controls then - which are difficult to implement. So what happens is, you know, operators tend to take shortcuts. And that's predominantly one of the reasons why some of these things get hacked. 

Ameesh Divatia: This is the new norm, right? We are going to be using cloud environments for data storage and data analytics. And it's databases who started it, but eventually, it's going to evolve into data lakes. And what is very important is that the data pipeline that you create, as you put sensitive data in cloud, has to be protected. So it is really about securing the data analytics pipeline. The storage could be databases. It could be data lakes. Or it could be just straight object storage, like S3. But the utility of the data improves as it moves into these latest types of data stores. And that's the future. I think data is the new oil, right? Everybody says you've got to have data in order to function. You just have to make sure that it does not become the new asbestos, as well, right? 

Dave Bittner: (Laughter) I was just going to say - yeah, make sure it's not radioactive. Right. You get too much of it in one place, and you reach critical mass. And things go bad in a hurry. 

Ameesh Divatia: That is exactly what is happening, right? 

Dave Bittner: (Laughter). 

Ameesh Divatia: When you're fined $100 to $750 per record by regulations like CCPA, it is, by all means, asbestos. 

Dave Bittner: That's Ameesh Divatia from Baffle. 

Dave Bittner: And finally, the effects of the Blackbaud ransomware incident continue to ripple through the educational, political and not-for-profit sectors, affecting the sorts of businesses that have donors as opposed to customers. It's a significant example of third-party risk. 

Dave Bittner: In the U.S., a new set of universities are now known to have been affected. The universities of Texas and Oklahoma have both warned donors and alumni that their information may have been accessed by the attackers. And after a coy, slow reveal from California State University, Northridge, EdScoop reports that the California State University system is now investigating the possibility that the Blackbaud attackers successfully compromised all 23 institutions in the system. California State University system is a public higher education institution distinct from its sister system, the University of California. 

Dave Bittner: There have been other victims in the United Kingdom, too. Third Sector reports that more than 30 British charities have been affected. And it's not just charities, either. The Labour Party has disclosed that personal information about thousands of its donors was exposed in the incident. Labour had been using Raiser's Edge, a fundraising and donor management solution from Blackbaud. 

Dave Bittner: Blackbaud has said that it believes its payment of ransom to the attackers has foreclosed the possibility that the exposed data would be abused or exploited. One can always hope, but the customers affected by this third-party breach would do well to look to their mitigations. And the donors should keep a close eye on their accounts and identities. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back. We have an interesting article. This is from the Just Security website. And this is, I think, the perfect thing to dig in with you on. It's about - it's titled "Cyberattack Attribution and International Law." I have to say, I have a personal interest in this. The whole notion of attribution is fascinating to me as to - some people think it's really important; some people don't. Can you take us through what they're getting at here in this article? 

Ben Yelin: Sure. So it's a fascinating article. I highly recommend all of the listeners read it. It's really a good academic analysis of international law and the issue of attribution. 

Ben Yelin: So the impetus for this article is - very recently, the U.S. Department of Justice unsealed an indictment accusing a couple of individuals linked to China, to the Chinese government, of a decades-long campaign of hacking dissidents, human rights activists and a variety of private sector targets. I'm quoting the article here. More recently, they've accused these same actors of trying to hack information on tests and vaccines related to the COVID-19 pandemic. And this comes also in the wake of a notice issued by the United States government in coordination with our allies in the U.K. and Canada about Russian cybercriminals trying to steal intellectual property related to COVID-19 vaccine development. 

Ben Yelin: So at issue here is how to establish a just and uniform system of attribution that fits with international law. And her proposal is to require standards that states have to abide by to make attribution claims. You know, I think in the past, some of these attribution claims haven't been backed up by on-the-record data - you know, exactly what happened, why it happened, what the evidence is that a particular state actor was behind a particular hack. We are getting better at being more precise in our indictments and our allegations. But the only way that we're going to be able to foster international agreements and legitimacy to some of these attribution charges, in her view, is to require evidence-based, fact-based allegations that meet a certain elevated standard. It should, you know, be something that's codified to the extent that anything can be codified in international law. 

Ben Yelin: So I think it's a really interesting and valuable proposal. And you know, I think it gets at the idea that if we are going to try and maintain our legitimacy in making accusations against other state actors, we should make sure that we're doing so based on specifically identifiable evidence and information. 

Dave Bittner: And I should point out - when you say her, we're speaking of Kristen Eichensehr. She's the author of this article, and she's the one making these suggestions, putting out this proposal. 

Ben Yelin: Yeah, a very persuasive writer. I mean, I think one thing she pointed out that really stuck out to me is, you know, in the past, attributions have sort of been on a trust-us basis. You know, for example, with the Sony hack, we said we have evidence that it's North Korea. We don't want to give you too much information because that might divulge some of their methods. It might expose some of our own vulnerabilities. But I think the allegation doesn't carry the same weight in the international community if it's not backed up by robust evidence. 

Ben Yelin: And that's something that has been improving recently. We've seen it in some of the more recent, prominent indictments that we've discussed. But, you know, it's something that's not well-settled so far in international law, and it's something that we can strive for. A lot of this is governed by custom. You know, it's just what we've always done informally with our allies. And you know, custom... 

Dave Bittner: (Laughter) Custom is not enjoying a whole lot of backing at the moment - right? - internationally. 

Ben Yelin: No, it certainly is not. Yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: I feel like we're in a period where we love to violate all sorts of international customs. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: But, you know... 

Dave Bittner: Could we see something like, I mean, an international court to handle these things? You know, like, I'm thinking of the Hague. 

Ben Yelin: The Hague - a Hague for attribution. 

Dave Bittner: The cyber-Hague, yeah (laughter). 

Ben Yelin: I mean, the regulating bodies are going to be set up by work that's already happened. So, you know, we do have multilateral agreements in this area between us and some of our allies. You know, there are U.N. groups. There's a U.N. group of governmental experts who have tried to apply rules to cyberspace. 

Ben Yelin: You know, I'm probably not the most foremost expert in international law, but I can say, you know, when you don't have those same types of institutions already set up, it's hard to develop these types of actionable standards. And so, you know, in a sense, it might be most useful for us to get the institutions working first before we start to, you know, come up with more of these substantive reforms. 

Dave Bittner: Yeah. Well, as you say, it's a very thought-provoking, well-written article. It's over on Just Security. It's titled "Cyber Attack Attribution and International Law," written by Kristen Eichensehr. Highly recommend it, so do check it out. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.