The CyberWire Daily Podcast 12.16.20
Ep 1235 | 12.16.20

SolarWinds breach updates. Microsoft sinkholes Sunburst's C&C domain. Facebook takes down inauthentic networks.

Transcript

Dave Bittner: The SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domains used by Sunburst malware. The threat factor behind the breach used a novel technique to bypass multifactor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on AMNESIA:33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a derecho. And the execution of the FCC's rip-and-replace plan will likely fall to the next U.S. administration.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 16, 2020. 

Dave Bittner: The scope of the SolarWinds supply chain breech continues to expand. The New York Times reports that parts of the Pentagon were compromised, although the extent is still unclear. A Pentagon spokesman told the Times, quote, "the DOD is aware of the reports and is currently assessing the impact," end quote. 

Dave Bittner: CyberScoop reports that the White House National Security Council has activated the Cyber Unified Coordination Group to coordinate the government's response to the incident. And The Wall Street Journal says White House national security adviser Robert O'Brien has cut short a trip to Europe and returned to the U.S. to deal with the incident. 

Dave Bittner: ZDNet reports that Microsoft has seized and sinkholed the domain that served as a command-and-control server for the malware used in the operation. Microsoft Defender also began blocking known malicious SolarWinds versions this morning, stating that it "will quarantine the binary even if the process is running."

Dave Bittner: Reuters says SolarWinds' security posture is now being scrutinized closely amidst reports of security missteps in the past. A security researcher told the publication that he informed SolarWinds last year that anyone could access the company's update server using the password solarwinds123. 

Dave Bittner: Volexity describes an incident involving the threat actor behind the SolarWinds operation, presumed to be Russia's SVR. The actor first compromised a U.S.-based think tank and remained undetected for several years. After being discovered and removed, the actor regained access by exploiting a vulnerability in Microsoft Exchange Control Panel. The attackers were again expelled, but returned a third time via the compromised SolarWinds update in June and July of 2020. 

Dave Bittner: Notably, during its second appearance, the actor used a new technique to bypass the victim's multifactor authentication solution, in this case Duo, after gaining administrative privileges on the victim's Outlook Web App server. The security firm explains, quote, "Volexity's investigation into this incident determined the attacker had access to the Duo integration secret key from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker, with knowledge of a user account and password, to then completely bypass the MFA set on the account. It should be noted that this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach," end quote. 

Dave Bittner: Ars Technica stresses that this could have been pulled off with any multifactor solution, noting that, quote, "MFA threat modeling generally doesn't include a complete system compromise of an OWA server. The level of access the hacker achieved was enough to neuter just about any defense," end quote. 

Dave Bittner: Facebook has taken down three competing inauthentic networks that primarily focused on African countries. One of the operations originated in France, while two were based in Russia. Interestingly, Facebook says this is the first time it's seen two opposing information operations, quote, "actively engage with one another, including by befriending, commenting and criticizing the opposing side for being fake," end quote. 

Dave Bittner: The French operation posted primarily in French and Arabic about news and current events, including France's policies in Francophone Africa, the security situation in various African countries, claims of potential Russian interference in the election in the Central African Republic, supportive commentary about French military and criticism of Russia's involvement in CAR. Facebook tied this campaign to individuals associated with the French military. 

Dave Bittner: The Russian campaigns posted primarily in French, English, Portuguese and Arabic about news and current events, including COVID-19 and the Russian vaccine against the virus, the upcoming election in the Central African Republic, terrorism, Russia's presence in sub-Saharan Africa, supportive commentary about the CAR government, criticism of the French foreign policy and a fictitious coup d'etat in Equatorial Guinea. Facebook attributes this campaign to individuals previously associated with Russia's Internet Research Agency. 

Dave Bittner: Roll Call says the execution of the U.S. Federal Communication Commission's rip-and-replace order for Chinese hardware will be the responsibility of the incoming Biden administration and the U.S. Congress. The FCC estimates that the reimbursement costs to replace the equipment will be at least $1.6 billion. And outgoing FCC Chairman Ajit Pai noted that, quote, "we can't actually implement the reimbursement program unless and until Congress appropriates the necessary funding," end quote. The current top contenders to serve as Biden's FCC chair voted in favor of the rip-and-replace plan. 

Dave Bittner: What happens when your community is hit by an unexpected natural disaster, one that falls outside of the range of things you'd planned for? Greg Edwards is CEO at ransomware prevention firm CryptoStopper. And when his community got hit with a derecho, which is a weather system perhaps best described as a wall of wind, they learned a lot of lessons about getting up and running online. 

Greg Edwards: I actually used to own an offsite backup and disaster recovery company. And during Hurricane Sandy, we did nine simultaneous recoveries for companies on the East Coast. So we specialized in working with insurance agencies and had clients all over the country. And so we were prepared for events like that on the coasts with hurricanes or earthquakes. 

Greg Edwards: But here in the Midwest, we were not prepared for something like this at all. Even having a disaster recovery background, we had - all of our clients had cloud-based backup and local backup solutions. And it really was only one of those that we actually enacted because they had a secondary location that's about 70 miles away that wasn't as badly affected that we could take their recovery servers and bring it back online there. 

Greg Edwards: But everyone else, because there was no power anywhere, it took waiting - 'cause you couldn't just have people go home and work from home because they didn't have power at home either. So really, the recovery was about getting generators for companies that didn't preplan for that. The ones that did have generators and their buildings weren't too badly destroyed, we were able to get them up and going pretty quickly but sent people to hotels and sent servers to different locations. 

Greg Edwards: It was - from a disaster recovery standpoint, I mean, we handled it and didn't lose any data but definitely lost more time than we would have liked because there just wasn't power. 

Dave Bittner: But what are some of the lessons learned here in terms of - I'm thinking about - a derecho is not something that you all probably saw coming. You know, we had one here on the East Coast a few years ago. You know, no one had ever remembered one in memory. And who knows if and when we'll have another one? But I think one thing, you know, people sort of agree on is that the weather isn't as predictable as it used to be. And so I'm curious, just from sort of a risk management point of view, what sort of take-homes do you have? 

Greg Edwards: So I think the most critical thing that I learned from this is how absolutely important access to generators is. So I - personally at my home, I had a generator large enough to run most of my house, so I was very fortunate to be able to have, for the most part, power. I didn't have air conditioning, but, you know, I can survive without that. So... 

Dave Bittner: Right. 

Greg Edwards: But the clients - had a couple clients that had full generators to run their, you know - run their entire buildings. And those clients were back up and running. And internet service took a few days to get back up. But for the most part, they were back up and going right away. 

Greg Edwards: People that didn't have generators were really the ones that were suffering more. So biggest takeaway is, where are you going to get power? And secondary is, where are you going to get internet? 

Dave Bittner: That's Greg Edwards from CryptoStopper. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from Gizmodo - this is something we've covered here on the CyberWire, but I want to get your take on it. This is "Researchers Discover Dangerous Security Flaws in Code Used in Millions of Devices." What's going on here, Joe? 

Joe Carrigan: So this is a company called Forescout, and they found 33 vulnerabilities in four open-source libraries that have been used in IoT devices. 

Dave Bittner: Right. 

Joe Carrigan: So let me explain how this works from a software development or from a product development standpoint. When you're developing software and you need some functionality that is commonly available, you go out and you find these open-source products that you can integrate into your software. And somebody else has already done all the work. And that's great, right? 

Joe Carrigan: So now, like, the - one thing I needed was, at one point in time, I needed an SNMP - protocol representation in code. So I went out and I found one, and I was like, this is great. It's open-source, and I can use it. And it worked fantastic. It was - there was nothing wrong with it. 

Dave Bittner: Right. 

Joe Carrigan: Or at least not that I knew of, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: There very well may have been some vulnerabilities in that product. And that's what these guys have found, is they have found these 33 vulnerabilities in four very commonly used libraries. 

Joe Carrigan: So the free software makes it easy to get these products out the door. But now these products are out there, and there are devices from 150 manufacturers that are vulnerable, which is a very large footprint for these vulnerabilities. Now... 

Dave Bittner: Lots of IoT devices. 

Joe Carrigan: These are IoT devices, exactly. The article says that some people may say, just issue a round of security patches. And I'm sure that Forescout was responsible in their vulnerability handling and they disclosed this information, and I'm sure that those companies have now gone ahead and patched all these vulnerabilities. And that's great for future releases, but there are still thousands, if not millions, of these devices out there on the internet that have not been updated and are still vulnerable to these kind of attacks. 

Dave Bittner: Right, right. Forescout is calling this AMNESIA:33 because of the - the 33 is for the 33 vulnerabilities. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. And I think - it's an interesting dilemma here because, as you say, it makes total sense to not reinvent the wheel when there are... 

Joe Carrigan: Right, absolutely. 

Dave Bittner: There are, you know, functioning, well-working things you can plug into your process that'll save you time, save you money and have been through the wringer with other people testing them. But then time passes (laughter). 

Joe Carrigan: Right. And some of these products have been out there for, I think, 20 years, the article said. 

Dave Bittner: Wow. 

Joe Carrigan: There have been these kind of open-source libraries out there available for developers to use for a very long time. What's going to be challenging about this is getting these devices updated. If these devices were low-cost or if these devices have been discontinued, there is no way they're going to be updated. 

Joe Carrigan: So people need to be aware of this. Go out and look in your infrastructure for these devices. See if you have any. And if you do, if you can't update them, replace them. That needs to happen because this is going to provide a foothold on your network. 

Dave Bittner: Right, right. Yeah, I think about - we talk about how, you know, so many organizations don't have a good inventory of all of the devices that are hooked up to their networks. 

Joe Carrigan: Yeah, it's - and if you're working in a development environment, developers are - and I've been guilty of this as well - well-known for just hooking something into the network and going, yeah, I'm going to use that, and never telling IT about it, never telling the... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...The organization, I put this Raspberry Pi in the network. 

Dave Bittner: Yeah, yeah. Which, I mean, speaks to the need for, you know, security tools that can detect when you do that... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, security tools that can go in and take that inventory in some sort of automated fashion, but also having a checklist of... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, what's been updated, what hasn't. And I don't know. I mean, should some things be in a regular replacement cycle? 

Joe Carrigan: I think they should be. 

Dave Bittner: If the device is more than X number of years old and it's end-of-life? Does that mean we should get a new one that is being updated? Interesting question. 

Joe Carrigan: Yes, I think it should be. I think that's - you do all kinds of other hardware replacement. You replace people's laptops every couple of years or three years, however long the warranties wear out on them, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So why not everything else? These things should have a life cycle - a life cycle that includes disposal. 

Dave Bittner: Right, right. I just think it's so easy to - you know, 'cause these devices become out of sight, out of mind. 

Joe Carrigan: Right. 

Dave Bittner: And I always think about that security camera sitting up there in the ceiling or in the corner of the warehouse or whatever. And it's doing a great job doing everything you want it to do, and so you just don't think about it. 

Joe Carrigan: Right. 

Dave Bittner: You know... 

Joe Carrigan: But it might also be doing some things you don't want it to do. 

Dave Bittner: Absolutely, absolutely. All right, well, it is - AMNESIA:33 is the name that the folks at Forescout have put on this list of security flaws. So do check that out, see if it applies to you. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - all day strong, all day long. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.