The CyberWire Daily Podcast 12.17.20
Ep 1236 | 12.17.20

The SVR’s exploitation of the SolarWinds software supply chain proves a very damaging cyberespionage campaign. HPE zero-day. Report on China’s influence ops delayed.


Dave Bittner: The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA and ODNI are leading a whole-of-government response to the incident. Three companies have collaborated on a kill switch for the Sunburst backdoor's initial command and control. HPE closes a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines Report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And of course, it wouldn't be the end of the year without some predictions.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 17, 2020. 

Dave Bittner: The US government and a large number of private organizations continue to assess the extent of the SolarWinds incident. The scope and extent of the damage are known to be large, but just how large and who specifically was affected remains under investigation. An op-ed by former US Homeland Security adviser Thomas Bossert probably has it right in saying that the breach is "hard to overestimate." 

Dave Bittner: Bossert's assessment is worth quoting at some length. Quote, "The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian SVR will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call persistent access, meaning the ability to infiltrate and control networks in a way that is hard to detect or remove. While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy. The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated, but it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying," end quote. 

Dave Bittner: Some of the congressional reaction to the Sunburst backdoor and the presumed compromise of hundreds of US networks has been overstated. Senator Dick Durbin, Democrat of Illinois, to take one example, has fulminated that Russia's exploitation of the vulnerability is an act of war. That's one point of view, but it's not widely shared, at least outside Capitol Hill. It's a very bad incident, but it isn't war. It's espionage - cyber-espionage. And while espionage is damaging and hostile, it's not an act of war. So this isn't the cyber Pearl Harbor you're looking for.

Dave Bittner: Should there be some appropriate and proportionate response? Sure, but a ranger battalion in the parking lot of Stardog's hot dog joint in South Moscow or a brace of Tomahawks headed for the Moscow Ring Road? With all due respect to constitutionally specified congressional war powers, ladies and gents, have you taken leave of your senses?

Dave Bittner: Probably not - actually, of course not. And Senator Durbin was caught up in the tweet of the moment, but clarity is always a good thing. And one hopes that the Senate is clear that the SolarWinds supply chain compromise represents very serious espionage but not an act of war against the United States. As Bossert points out, it's possible that the access Cozy Bear gained to US systems could be used for far more than simply spying. But it doesn't appear so far that it has been so used. It's espionage. 

Dave Bittner: A joint statement yesterday from the US FBI, CISA, and ODNI says that the government has invoked Presidential Policy Directive 41 to establish a cyber-unified coordination group to coordinate a whole-of-government response to the Russian cyber operation that exploited SolarWinds' Orion platform. The FBI has the lead for threat response. It's investigating for purposes of attribution, pursuit and disruption of the threat actors. It's presently doing so by engaging with known and suspected victims. 

Dave Bittner: CISA, the Cybersecurity and Infrastructure Security Agency, has the lead for asset response activities. Emergency Directive 21-01 was its first step in helping contain and remediate the damage. And the Office of the Director of National Intelligence is coordinating the intelligence community's collection and analysis of the incident. 

Dave Bittner: According to KrebsOnSecurity, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a kill switch to disable Sunburst backdoor instances still beaconing to their original domain. As FireEye said in a widely quoted statement, quote, "This actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the Sunburst backdoor," end quote. So the kill switch, while a welcome contribution, is very far from representing a thorough remediation, and the three companies understand that. BleepingComputer has a summary of what's publicly available so far. The participants have been tight-lipped about the details. 

Dave Bittner: Hewlett Packard Enterprise has disclosed a zero-day remote code execution vulnerability in its Systems Insight Manager. The company is working on a patch, BleepingComputer says, but in the meantime, has released mitigations for the Windows version of the software. Trend Micro's Zero Day Initiative reported the issue to HPE. It's tracked as CVE-2020-7200, and it affects HPE Systems Insight Manager 7.6.x. The mitigations HPE has published all involve disabling the software's federated search feature. 

Dave Bittner: Bloomberg reports that the U.S. director of national intelligence said yesterday that the intelligence community will not meet tomorrow's deadline to report to Congress about Chinese influence operations in the 2020 election season. That there were attempts seems clear enough, but how extensive they were and how much prominence they should be given remains a matter of disagreement among the agencies in the intelligence community. 

Dave Bittner: And we continue to hear predictions. Security companies foresee an enduring shift to remote work, initially driven by the COVID-19 pandemic, but subsequently taking on a momentum of its own. That shift is one organizations remain imperfectly prepared to handle, Deep Instinct thinks. Check Point's assessment is blunter: the pandemic amounts to a security pandemic as well as a biological one. 

Dave Bittner: There's also considerable agreement about the effects of newly arrived technology. The Bangkok Post quotes its local Fortinet authorities. Quote, "By leveraging intelligent edge, 5G-enabled devices and advanced computing power, this creates a wave of new and advanced threats of an unprecedented speed and scale," end quote. Digital Shadows projects existing technological trends into the cybercriminal future and sees more botnets and more adversarial machine learning. And Restore Privacy offers some advice about staying secure online during the holiday season. A sad review of the usual scams - nondelivery, form jacking, fake shipping notifications and so on. Do stay safe out there.

Dave Bittner: Derek Manky is chief of security insights and Global Threat Alliances with FortiGuard Labs, which is part of Fortinet. He joins us with thoughts on how the intelligent edge may increasingly be a target as we head into 2021. 

Derek Manky: I - really, I look at it as a next leap forward from this evolution that we've had over the last 10 years, specifically with threats moving from mobile initially to the world of IoT and OT, operational technology, and now the edge. So when I look at the edge, it's positioning, but it's also a capability. So obviously, you know, the world of IoT generally are a lot of these smaller devices, smaller footprint, where if we look at the intelligent edge, these are devices that have more compute power, more connectivity and more access, authorization privilege and more reach. 

Dave Bittner: So what are some of the security concerns there as this intelligent edge develops? 

Derek Manky: Yeah, absolutely. So anytime we have a new tool, any time - history has taught us this before several times. I think that any time that we have a new tool, that we have a new capability and functionality, security threats follow. And you know, attackers see this as a ripe opportunity. And, you know, we just have to look at how these tools can be weaponized to understand what we're up against in the future. 

Dave Bittner: Are there potential advantages here as well to have these capabilities distributed? Is there an upside of, you know, not having all your eggs in one basket? 

Derek Manky: Yeah. Yeah, absolutely. We're already seeing that. You know, our relevant example right now is Trickbot. So, you know, this is something where - by not having all the eggs in one basket, these threats become much more resilient. We've seen this before, even in the world of IoT botnet takedown attempts. There's a lot of great activity, a lot of great, you know, partnerships that are happening out there in the industry, which is fantastic. And we need to do more of that. But because of this technology, threats are becoming much more resilient as well. 

Derek Manky: All right. So now it's not just, hey, you have, you know, a hundred domains that you have to take down 'cause it's public access. These IoT devices are private access. And you can't just - so it's much harder to go knocking on someone's door and say, hey, excuse me, you know, you've got a printer hosting some pretty malicious stuff in your house. You should take that offline. It's much more tough to do that. And it's the same challenge with edge, but it's on a larger scale, as I said, because these edge devices have more authorization - in general, more authentication and authorization to use different APIs and quite a bit more power, too. 

Dave Bittner: Well, Derek Manky, thanks for joining us. 

Derek Manky: Yeah, it was a pleasure. Thanks so much. 

Dave Bittner: And joining me once again is Thomas Etheridge. He's the senior vice president of services at CrowdStrike. Thomas, great to have you back. I wanted to touch base with you today on the report that you all recently published. This is your CrowdStrike Services Front Lines report. Let's go through some of the highlights together. What were some of the key things that you all reported on this time? 

Thomas Etheridge: Thanks, Dave. I appreciate you having me on again. Yes, this year, we produced yet another annual front lines report highlighting some of the activities we found from our investigations and service engagements. This year, the 2020 report highlights a staggering increase in financially motivated threat actor activity. One of the key findings from the report this year was, it's not just about ransomware and deploying ransomware for financial gain. It was really about threat actors increasingly destroying, exfilling and threatening to leak some of that sensitive data as they effectively tried to target larger ransomware payments. About 81% of the cases we worked on this year involved some form of ransomware deployment or at least showed the precursor to a ransomware type of activity. The remaining 19% included e-crime tactics such as point-of-sale intrusions, e-commerce website attacks, business email compromises and cryptocurrency mining. 

Dave Bittner: You know, I'm intrigued by this notion of the destruction of data and this extortion that you say, you know, you all have been tracking which, certainly, we've done a lot of reporting on. I'm wondering, too, you know, there's this specter of not just destroying but altering data. And it doesn't seem to me like we've really seen that come to pass, the corruption of data. 

Thomas Etheridge: Great point - you're right. I think for most of the threat actor activity that we reported on in the front lines report and that we saw from an intelligence-gathering perspective, the threat actors this past year had such a huge volume of success in terms of compromising organizations' infrastructure, being able to monitor over a period of time and look for sensitive information, business-impacting information and be able to either exfil that data or encrypt infrastructure for ransom - made that operation kind of core to what they were doing. They were quick in, quick to deploy their tools and tactics, ransom an organization. And if they were successful in doing so, they would move on to the next organization. We saw a lot of really fast movement by these threat actors this past year. 

Dave Bittner: Yeah, that's interesting. So what are the takeaways here? In terms of the recommendations that you're making for the folks that you work with, what sort of stuff have you put together based on what you found in this report? 

Thomas Etheridge: There are several things, Dave. The first thing is that in about 30% of the incident response engagements that we performed over the course of the year, 30% of those cases, the organization's antivirus solution was either incorrectly configured, did not have the appropriate prevention settings set up or was not fully deployed across their environment. And that resulted in, in many cases, an easier path for threat actors to compromise those solutions. Additionally, those antivirus solutions failed to provide protection in 40% of the incidents we responded to in 2020 - so really taking a look at the tooling that you're using for your, you know, solution for preventions, making sure it's configured properly, making sure it's a next-gen solution that leverages machine learning and AI and then making sure that it's deployed fully across your environment. 

Thomas Etheridge: The second recommendation, Dave, was that CrowdStrike identified that 68% of the organizations we responded to experienced another intrusion attempt after suffering their initial breach. It's really important to have a strategy around continuous monitoring and response. What we mean by that is that thinking of incident response as a one-and-done activity is no longer a viable and effective strategy for responding to incidents. It's critical to understand that threat actors are persistent. They will make multiple attempts. And if they're successful at making an attempt and extorting a ransom, for example, it's not uncommon to see that same organization potentially victimized again either by the same threat actor or by a different threat actor. It's critical that organizations start to move to more of a continuous monitoring and response approach in order to defend against these high-velocity attacks. 

Dave Bittner: All right. Well, interesting insights for sure, Thomas Etheridge. The report is the CrowdStrike Services Front Lines Report. Thanks so much for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's the Uncola. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.