The CyberWire Daily Podcast 9.28.20
Ep 1182 | 9.28.20

Will no one rid me of this turbulent newsletter? US court delays TikTok ban. Microsoft takes down cyberespionage operation. Huawei’s CFO gets another day in court. REvil recruits.


Dave Bittner: The TikTok ban has been delayed. Microsoft takes down infrastructure used by a Chinese cyber-espionage group. Huawei's CFO returns to court in Vancouver. The U.K. shows some of its cyber offensive hand. DDoS in Hungary, malware in Texas. The strange and sad case of eBay and a newsletter. Rick Howard shares lessons learned from his "CSO Perspectives" podcast. Our guest is Thomas Etheridge from CrowdStrike on mitigating the risk of public cloud key compromises. And REvil wants to recruit more criminal affiliates.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Monday, September 28, 2020.

Dave Bittner: In what The Wall Street Journal calls a short-term victory, the U.S. District Court for the District of Columbia yesterday granted a nationwide preliminary injunction that stopped the scheduled U.S. ban on TikTok transactions. The Verge, which has a useful brief history of this particular phase of the dispute, quotes TikTok as arguing that the government's ban, which would've taken effect last night at midnight, was arbitrary and capricious. Both sides will get together to review the dispute tomorrow. Fortune notes that the judge left the November deadline for TikTok's sale in place - for now at least. Official Beijing is unhappy with the prospect of a forced spin-off of TikTok Global, the proposed name for the new company, whatever its ownership turns out to be. The Wall Street Journal describes several reasons for this. Chinese government-controlled media have characterized the sale as dirty and unfair, which seems the sort of reaction any major power would have when it felt itself strong-armed by a competitor. But the government seems particularly troubled by the aspects of the deal that would permit Oracle to inspect TikTok's source code, ostensibly because of the troubling precedent that would set for protection of Chinese intellectual property against foreign exposure. Sources tell The Journal that at least some ByteDance executives have been upbraided by the government for failure to undertake proper consultation before negotiating the spin-off.

Dave Bittner: Microsoft has taken down 18 Azure Active Directory accounts that were being used by Gadolinium, also known as APT 40, Leviathan or Kryptonite Panda, a Chinese government threat actor that's most active against the maritime and health care sectors. Gadolinium's recent campaign has used a great deal of spear phishing. The attacks proceeded on three phases. First, the payload is distributed in a COVID-19-themed spear-phishing campaign. Opening the message infects the target's system with PowerShell-based malware. Second, the attackers use this malware to install one of the 18 Azure Active Directory applications. Third, an Azure Active Directory is used to configure the compromised endpoint so that it can exfiltrate data to a Microsoft OneDrive under Gadolinium's control. So it's an information-stealing campaign, a case of cyber-espionage. 

Dave Bittner: The BBC says that today's the day Huawei's CFO, Meng Wanzhou returns to a Vancouver court as she continues to fight extradition from Canada to the United States. The U.S. charges she faces involve violations of sanctions against Iran. 

Dave Bittner: The Guardian reports that in an unusual public avowal, the head of the U.K. Strategic Command, General Sir Patrick Sanders says Prime Minister Johnson has directed him to ensure that the U.K. remains a leading full-spectrum cyber power. And that includes deploying significant offensive capability. General Sanders' public statements may foreshadow the five-year integrated defense review expected to be complete in November. 

Dave Bittner: Magyar Telekom said that Hungary's banking and telecom sector suffered a brief but sharp disruption last Thursday, according to Reuters. Magyar Telekom said the distributed denial of service was mounted by Russian, Chinese and Vietnamese hackers but that the company was able to thwart the attack quickly. A qualification - the servers used were in Russia, China and Vietnam, but that in itself is insufficient for attribution. 

Dave Bittner: On Saturday, Tyler Technologies warned that two of its customers had reported suspicious log-ons to their systems using Tyler credentials. The Dallas Morning News says the company was hit by an unspecified ransomware strain. 

Dave Bittner: The very strange story of the then-eBay employees who took unusually active measures against a mom-and-pop newsletter the company's then-leaders found displeasing is winding its way through the courts. The New York Times has a long and thorough account of what happened. That account is striking in its portrayal of an aggressive corporate culture hermetically locked by threat from above and fear from below from anything that might have served to moderate it. The company's global security and resiliency team was the section alleged to be responsible for an extended campaign of focused and unremitting harassment of the proprietors of EcommerceBytes, an online publication that served an audience of sellers - people who sell things on Amazon, Etsy, and other sites, including, of course, eBay. 

Dave Bittner: An example of the immoderate guidance the company's communications chief used with the corporate enforcers of global security and resiliency is as follows. Quote, "I genuinely believe these people are acting out of malice, and anything we can do to solve it must be explored." He signed that particular message, The Times says, whatever, period, it, period, takes, period. The CEO was equally direct with communications like I couldn't care less what she says, take her down. Neither the former CEO nor the former communications director have been charged in the case, and both have denied ordering the harassment the Massachusetts couple who run EcommerceBytes suffered. But the communications quoted in The Times story hardly seem to have even the ambiguity of King Henry II's will no one rid me of this turbulent priest, the offhand remark that got St. Thomas a Becket martyred by overzealous barons.

Dave Bittner: And finally, Bleeping Computer reports that REvil, the Sodinokibi ransomware gang, has put its bitcoin where its virtual mouth is, posting a million dollars in altcoin to a Russophone hacking forum to recruit new affiliates. The hoods say, quote, "for your peace of mind and confidence, we have made a deposit of $1 million U.S." end quote. Apparently, the fund to which potential affiliates may contribute can be used to buy illicit goods and services. 

Dave Bittner: And it's always a pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer; also our chief analyst. But more importantly than any of that, he is the host of the "CSO Perspectives" podcast, which is part of CyberWire Pro. Rick, great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So you are just wrapping up Season 2 of "CSO Perspectives." Let's take stock here for a minute. First of all, two seasons - how have things evolved since you started this endeavor? 

Rick Howard: Yeah. So we started this thing back in April, Season 1, Episode 1. And we had this vague idea about creating a kind of a new podcast designed from the perspective of the cybersecurity C-suite. You know, not a technical show and not a news show but a discussion of topics pitched at the executive level. 

Dave Bittner: So have you kept with that? I mean, is the show primarily targeting executives? Is it only for them? 

Rick Howard: No, not at all. The idea is that if you can hear what executives are worried about, you know, and then across the entire cybersecurity landscape, then even the newbies, the technicians and the analysts, the gray beards, the junior management and even other C-suite executives, we can all learn together about how we think about different problems. 

Dave Bittner: Well, let's talk about Season 2 specifically. What are some of the big takeaways that you learned this round? 

Rick Howard: So we covered five tactics that many infosec programs are running today. We talked about security operations centers. We talked about incident management, data loss protection and prevention programs, identity management systems and finally red team, blue team operations. And I will tell you, my big takeaway from this season is that your mileage may vary on any one of those things, right? It is kind of up to you to decide which one to tackle first. You know, the entire premise of the podcast, if we go back to day one, was we're trying to find out the, you know, first principle thinking in cybersecurity. And what we've come up with is you're trying to reduce the probability of material impact to your organization. So the question you're trying to answer in Season 2 is any of those tactical functions, are they really, really necessary? And what we've learned is, you know, maybe not for everybody. It depends on your organization. It depends on politics. Pick and choose, but pick the one thing that will have the greatest impact in your organization. 

Dave Bittner: Is there any frustration there for you that the answer is kind of fuzzy? 

Rick Howard: Yeah, really - I really wanted it to be black and white, OK, so - and it just isn't. Every organization is different. You know, we've introduced this hash table idea where we bring in these executives in from all over the world. And they tell us how they're doing it. And it turns out that everybody is different, and the priorities are different depending on your situation, depending on your - the way you've deployed your stuff and depending on your culture. So, yeah, I'm a little frustrated by that, but I'm willing to learn a little bit. 

Dave Bittner: All right. So Season 3 - when does season 3 kick off? Any previews there? 

Rick Howard: Yeah. We're going take a couple of weeks off and prepare all that. The next episodes for Season 3 start on 19 October. So if anybody has any ideas about what they want us to cover, they can hit me up on LinkedIn or Twitter, and I'd be glad to entertain all of that. 

Dave Bittner: All right. Well, Rick Howard, host of "CSO Perspectives," a part of CyberWire Pro, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Thomas Etheridge. He is the senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. I wanted to touch today on some issues with the cloud, specifically with some things going on with public cloud keys and the security that needs to be monitored there. What do you have to share with us today? 

Thomas Etheridge: Thanks, Dave. It's great to be here again. So what we're seeing is, as organizations move workloads and some of their critical infrastructure to the cloud, understanding that cloud security has its own set of challenges and that organizations need to be focused on some of the basic blocking and tackling in terms of securing cloud infrastructure. We have observed over the last few years an increasing number of sophisticated operations where many financially motivated adversaries are using cloud application programming interfaces - API keys - to harvest information for ransom and for sale. The adversaries are also looking for other keys and passwords to facilitate further access, enabling them to kind of rinse and repeat the cycle. So gaining access and securing API keys for cloud infrastructure is absolutely essential. 

Dave Bittner: And so what are your recommendations here? I mean, what are the best practices? 

Thomas Etheridge: There are several things. The first really is avoiding the use of static API keys anywhere in your cloud infrastructure. We strongly encourage using ephemeral credentials for automated cloud activity. We want to make sure that organizations are enforcing the usage of those credentials only from authorized IP address spaces. And we really, really encourage multifactor authentication for all user-originated cloud activity. That's number one. Number two, it's managing cloud accounts and permissions. Inventorying accounts is really, really critical. So many organizations don't even understand how many accounts exist or who has responsibility for those accounts. So really understanding what accounts are active in your environment is very, very important. Leveraging cloud account factory models for standardization of accounts, reviewing permissions on legacy accounts and accounts that may be ready for decommissioning is also important. And then looking at which accounts are not being monitored by your existing security tool set - also important. So good account hygiene - very, very critical. 

Thomas Etheridge: The next thing is enabling logging and alerting. I know that's a cost for many organizations, but enabling detailed logging, including API and data object access logging, to the maximum extent possible that you can afford - really important, especially if you need to do investigations down the road - and then investigating and tuning automated alerting where possible to make sure you're getting quick and prescriptive alerting on things that may be changing in your environment. And then lastly, looking at firewall rules on the cloud as well - looking at automated and manual firewall rule sets to avoid global permitting is also important. 

Dave Bittner: Where do you suppose we find ourselves today in terms of organizations getting a handle on this? Are we getting better? 

Thomas Etheridge: I think most organizations are starting to understand that by moving to cloud infrastructure and moving workloads to cloud that those workloads require the same type of security as on-premise infrastructure. There is no shortage of blog posts and technical papers and presentations that exist in the market that talk about many of the things I just mentioned - making sure you're not using static keys, making sure you're inventorying accounts and you don't have accounts that should be decommissioned that still exist in active status in your environment and that the permissions are properly configured. A lot of the basic blocking and tackling needs to be done, and I think there's plenty of material out there that is filtering into organizations that are either considering moving to cloud infrastructure or have already started to move and need to uplift their overall security programs to consider these factors. 

Dave Bittner: All right. Good information as always. Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, David. Great to be here. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. We work hard so you don't have to. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.