The CyberWire Daily Podcast 12.18.20
Ep 1237 | 12.18.20

Cozy Bear has been very successful at being very bad. Advice on dealing with the supply chain compromise. Joker’s Stash has its problems. And a few thoughts on the near future.


Dave Bittner: Cozy Bear's software supply chain compromise and its massive cyber-espionage effort against the U.S. government and the associated private sector is still being untangled, but it's very extensive, very bad and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker's Stash criminal market appears to have taken a hit. And don't let your guard down during the holidays.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 18, 2020.

Dave Bittner: It turns out that what we've come to call the SolarWinds compromise isn't confined to SolarWinds. CISA advises that it has evidence, still under investigation, of other access vectors the threat actors used. It's a very serious problem whose extent is still being determined. CISA says the hostile campaign poses a, quote, "grave risk to the federal government and state, local, tribal and territorial governments as well as critical infrastructure entities and other private sector organizations," end quote.

Dave Bittner: CISA offers four major takeaways. First, this is a patient, well-resourced and focused adversary that has sustained long-duration activity on victim networks. Second, the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged. Third, not all organizations that have the back door delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions. And fourth, organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans. 

Dave Bittner: That remediation is going to be a long and difficult slog. It's going to take a lot of digging, a US Defense Department source told C4ISRNET, and TechCrunch is even glummer. To its headline question, "Just How Bad is That Hack That Hit US Government Agencies?" TechCrunch answers in the lede as follows: "Spoiler - it's a nightmare scenario." And that, indeed, seems to be the consensus. 

Dave Bittner: NSA has also weighed in. The US National Security Agency yesterday released a Cybersecurity Advisory, "Detecting Abuse of Authentication Mechanisms." NSA is concerned to explain two tactics the attackers used to compromise U.S. government networks. 

Dave Bittner: One was SAML forgery. On-premises components of a federated single-sign-on infrastructure were compromised to steal the credential or private key used to sign Security Assertion Markup Language tokens. Trusted authentication tokens were then forged to gain access to cloud resources. A variation of this approach involved obtaining admin privileges in the cloud sufficient to permit the attackers to add a malicious certificate trust relationship that would in turn enable SAML token forging. 

Dave Bittner: In the second tactic, the actors leveraged a compromised global administrator account to assign credentials to cloud application service principals. They're then able to invoke the application's credentials to gain automated access to such cloud resources as email. NSA advises locking down SSO configuration and service principal usage. 

Dave Bittner: The US Department of Energy confirmed this morning that it had been affected by the SolarWinds compromise, but that so far malware had been found only in business systems. 

Dave Bittner: Among the DOE organizations hit were the Federal Energy Regulatory Commission, Sandia and Los Alamos National Laboratory, the Office of Secure Transportation at the National Nuclear Security Administration and the Department of Energy's Richland Field Office. 

Dave Bittner: Again, the Department of Energy stressed that only business systems were affected, and it also emphasized that it was working closely with its private sector partners in the energy sector to avoid any possibility of energy distribution being disrupted. 

Dave Bittner: The National Nuclear Security Administration is worth some discussion since some coverage of NNSA in the general press may have given the impression that the administration is responsible for the employment of nuclear weapons, that its figurative finger is on the metaphorical button. That's not the case. NNSA's principal missions include nuclear weapons stockpile maintenance, nonproliferation, support for counterterrorism and counterproliferation and support for naval nuclear propulsion programs. It's not directly involved in command and control for U.S. nuclear forces. 

Dave Bittner: Most of the discussion surrounding the supply chain compromise has centered on the risk to business systems and the loss of sensitive information. It may, however, have other dimensions. Control Global suggests that building control systems are also susceptible to compromise and in principle manipulation by the same threat actor using the same entry points. 

Dave Bittner: Microsoft, which yesterday itself acknowledged that it, too, had been affected, outlined in a long blog post what it sees as having contributed to a riskier environment infested with more effective, more aggressive threats. Redmond sees a continuing rise in the determination and sophistication of nation-state attacks, augmented by the rise of a supporting private sector - 21st century mercenaries, as Microsoft calls them. And for the near term, of course, this trend is augmented by the organizational stress and vulnerability the COVID-19 pandemic has induced. 

Dave Bittner: As a remedy, Microsoft has three prescriptions - better sharing of information, stronger and more effective international norms to inhibit nation-states and, finally, more effective ways of holding states accountable for misbehavior in cyberspace. All three of these are clearly aspirational, especially the second two. 

Dave Bittner: It's worth noting that the official government discussions of the cyber-espionage campaign have tended not to attribute the campaign to any specific nation. Indeed, while alluding to the role of hostile intelligence services in the incident, NSA makes a point of saying that the tactics, techniques and procedures used shouldn't be thought of as capabilities exclusive to governments. The agency warns that there's no reason to think that criminals won't eventually, if they haven't already, use them for ordinary criminal financial gain. 

Dave Bittner: But the private sector has been quite clear on who's responsible. The consensus attribution is to Russia, and especially to Cozy Bear, the SVR Foreign Intelligence Service. Congress has asked the director of national intelligence, the FBI, and CISA to explain what happened, and they're citing media reports of Russian responsibility for the cyber-espionage campaign. 

Dave Bittner: It's not all Russia, of course. Research from security firm ClearSky outlines the recent activity of Iran's Fox Kitten. ClearSky says it's confident that Fox Kitten has used its Pay2Key ransomware campaign as a form of misdirection. Pay2Key functions like ransomware, but any extortion it actually accomplishes is, the researchers believe, so much gravy. The real goal, ClearSky thinks, is influence. The campaign is more interested in inducing fear and uncertainty in its mostly Israeli targets than it is in collecting ransom or even stealing information. 

Dave Bittner: There is some good news today as well. According to CyberScoop, the criminal-to-criminal data exchange known as the Joker's Stash, which is notorious for its hawking of stolen credit cards, yesterday said that some of its infrastructure had been, as the hoods say, busted. Interpol and the U.S. Department of Justice apparently led a coordinated law enforcement effort against Joker's Stash. 

Dave Bittner: Security firm Digital Shadows published an account of where matters stand with the criminal market. Its blockchain DNS domains, which briefly displayed both Interpol and Department of Justice logos in a seizure notice, now simply display an anodyne site not available message. Digital Shadows points out that takedown notices normally stay up for some time and that Joker's Stash still seems to have its Tor infrastructure operating. 

Dave Bittner: So people are awaiting some official word from either Interpol or the DOJ. In the meantime, however, whenever a criminal market is knocked off its normal hangout, that's bad for reputation and so bad for business. 

Dave Bittner: Many of the predictions we've seen have projected recent trends into the future. It's betting on form in a way, but that's often how the smart money bets. The Washington Post joins those who've done so with an additional prediction that 2020's trends will not only persist but will intensify. Their big prediction is that election security will assume even greater importance than it did this year. 

Dave Bittner: As private life follows work during the pandemic, many people will be conducting holiday meetups by Zoom or other videoconferencing platforms. The Telegraph reports warnings that opportunistic criminals - a formulation that's practically redundant - can be expected to use bogus invitations to sessions in their social engineering efforts. We hate to have to advise suspicion during a time when people are trying to stay in touch with loved ones, but, well, there you have it. Every meeting invitation isn't what it seems, so do be watchful. 

Dave Bittner: Before we started calling all this stuff we do cybersecurity, it was commonly referred to as information security. John Pescatore is director of Emerging Security Trends at the SANS Institute, and he joins us with thoughts on why it may be in our best interest to switch back to that phraseology. John, welcome to the program. 

John Pescatore: Good to be here. 

Dave Bittner: Well, give us a little bit of background here. How did information security become cybersecurity? 

John Pescatore: Let me give you a really fast, 40-year tour of the terminology we use. 

Dave Bittner: (Laughter). 

John Pescatore: In 1978, I got out of college with an electrical engineering degree and went to work at the National Security Agency, NSA, in Fort Meade. And things were called information security. And they were just starting to be called computer security 'cause of the use of mainframes. 

John Pescatore: But a couple other things happened right around then. In just the year before, the Diffie-Hellman public key encryption technology had come out and been patented. And in just the year before, the U.S. government had finalized the data encryption standard, a symmetric way of doing encryption. 

John Pescatore: So back then, we knew and we talked a lot about encryption was needed for information security. And oddly enough, we also talked about how bad passwords were, that, you know, passwords would be replaced with tokens and things you would carry around to make sure you could prove who you were. 

John Pescatore: So if you flash-forward 10 years after that, in the 1988, '89 time frame, a couple interesting things happened. In '88, we had the Morris worm hit the internet, which for those youngins out there, the Morris worm exploited vulnerabilities in the VMS and Unix operating systems. And still today, it still is the highest benchmark for an internet denial-of-service attack. It took down 30% of the internet within minutes. 

Dave Bittner: Wow. 

John Pescatore: Back then, the internet was a smaller place, obviously. 

Dave Bittner: Right (laughter). 

John Pescatore: In '88, '89, those attacks sort of caused us to start focusing on, gee, you know, encrypting data is hard. Passwords are hard to replace. Maybe we ought to focus on just preventing the attacks from getting in. And the focus changed. The firewall came about out of the Morris worm. And we started to focus on protecting the vulnerable systems versus addressing the vulnerabilities in the systems. 

John Pescatore: Oddly enough, in '89, that's the first use I could find of the term cybersecurity. And right then was when we started really more focusing on sort of protecting the connections to the internet and not dealing with these vulnerabilities. 

John Pescatore: And we flash-forward today with ransomware and breaches being sort of the dominant damage forming of - forms of attacks. We really need to get back to focusing on the information. 

John Pescatore: It's been very sort of common over the years for people to say, it's the information, stupid. Well, it's not that we were ignoring information all these years. It was that it was really hard to get close to the data and use encryption and strong authentication. But those factors are changing, and we're seeing a lot of ability to do more directly connected to protecting the information today. 

Dave Bittner: John Pescatore is director of Emerging Security Trends at the SANS Institute. John, thank you for your time, sir. 

John Pescatore: Good to talk to you. 

Dave Bittner: And I'm pleased to welcome back to the CyberWire Robert M. Lee. He is the CEO of Dragos. Rob, thanks for taking the time for us and touching base on the whole SolarWinds incident here. 

Dave Bittner: Let's start off with some basics here before we dig into some of the details. Can you just - for those who are still trying to get up to speed here, can you give us an outline of where things stand? 

Robert M. Lee: Yeah. So, I mean, to catch everyone up who, obviously, is watching all of this unfold, but, you know, let's pretend that somebody hasn't been paying attention to it. To catch you up, December 13, FireEye got compromised, and folks were actually not critical. I was really happy to see most of the infosec community recognize that FireEye was the victim, everybody gets hacked eventually and that FireEye nailed the response and the detection of it. So kudos to them. And that seemed to be the predominant theme. There's always the jackasses, but for the most part, most of the infosec community was like, hey, good job to you. 

Robert M. Lee: Well, little did we know that FireEye was likely - them finding it was likely the key to finding this adversary a lot of other places. And originally people came out and attributed it to APT29 in Russia. But it - FireEye has been very explicit. It's not APT29. It's a new group that they're tracking. And we have seen senators and similar come out and say it's Russia, but we don't know at this point. I think it's a little early in the game. 

Robert M. Lee: But the moral of the story is SolarWinds got compromised. There's a supply chain hack. You were not going to prevent this. It was, you know, correctly done - digital signatures. And similarly was the compromising of the SolarWinds Orion software package. And that compromise has been ongoing for the last - I don't know - nine months or so. 

Robert M. Lee: And so we were looking at around 18,000 organizations around the world that had downloaded the compromised software. That does not mean 18,000 organizations in the world were breached. So the adversary had access to some amount of that 18,000, but they were going after and targeting far less. And we're very fortunate for that because already, it's been a bad, bad week. 

Robert M. Lee: We've had the Department of Homeland Security notice that they were breached, the Department of Energy, national labs, labs that deal with our nuclear weapons and secrets, the Pentagon, the Treasury Department, the Department of Commerce. Pretty much anybody the adversary wanted they had access to. 

Robert M. Lee: So it was a fantastic compromise - you know, screw them and kudos all at the same time - where they did exactly what they wanted to do, and they did it for, you know, nine-plus months undetected into some of the most sensitive infrastructure sites in the world. 

Robert M. Lee: The thing that bothers me significantly that I think is going a little bit unacknowledged - and I don't need, you know, the adversary to figure this out too soon. I think now is a safe enough time to talk about it. But a number of those software packages, the SolarWinds Orion package, gets used by a number of the industrial vendors out there, the big original equipment manufacturers white labeled as something else, and plugged in to a lot of our sensitive infrastructure sites. 

Robert M. Lee: So when you hear me talking about the industrial control systems or OT, or operations technology, kind of our water manufacturing center type operation networks, the reality is, though - many of those networks were compromised. I don't know if the adversary knew that. I'm sure they've - they would have had to have. And I normally am the furthest person from hyping anything up, but we had a strategic, highly sophisticated foreign adversary that most certainly had access to - direct access to some of our most critical networks of some of our most critical sites in the world and the United States, I guess, for us. 

Robert M. Lee: And that's not to say all they had to do was push a button and we're dead, right? This isn't saying, oh, my gosh, they're going to bring down the power grid, (unintelligible) grid and all that kind of stuff. But let's realize they had access to and they've already shown their capability and sophistication. And again, without trying to get too hyped up, that's awful. 

Robert M. Lee: What's even worse is most of these organizations are not monitoring, do not have the visibility at those OT layer. And they focus a lot on prevention, segmentation strategies, which if that's what you're doing, if you focus on firewalls and antivirus, once you get compromised with a supply chain hack like this, you're not going to have the logs or the data to know if you were actually breached, and you're sure as hell not going to know if you actually kick the adversary out. So we could have this team with access to our infrastructure sites for a long time to come. And that sounds terrifying, and to some extent, it is. 

Robert M. Lee: My recommendation to people is go hunting. Assume you're compromised and start looking at your crown jewels in your organization and go hunting, especially on all the behaviors we know, not just the indicators, because this is not a good day in our country. 

Dave Bittner: Where do you suppose things go from here? How do you see this playing out? 

Robert M. Lee: The politics of this are going to be quite interesting because you've got a new administration coming in which is not exactly thrilled with Russia in the first spot. And if this was Russia, this is only going to freeze any of the relationships that even were already pretty bad. I think Putin came out a couple weeks ago, and he was asked, how is the relationship to the United States? Nonexistent. So that's not getting any better. 

Robert M. Lee: And, you know, this isn't some act of war or whatever. You know, people got to dime down the hyperbole here. But this was a very sophisticated hack that made the United States look really bad with access given to strategic adversaries over a long period of time in ways that we won't be confident we've actually fully kicked them out for a long time to come. 

Robert M. Lee: And so the place you go from here is start asking some real questions on what's got to change. And I don't like the idea that anyone hack-changes anything, but we really have got to take a different strategy with what we're doing. When you look at Congress, they're asking the DHS and NSA, like, why didn't you see this? We've invested billions. Well, it's not the job of the intelligence community to do private sector cybersecurity. 

Robert M. Lee: And when the NSA and others are doing intelligence operations, it should be for national requirements. It should be for intelligence analysis, not, I detected the hack. You detect hacks in the networks that are getting compromised, not pretending that you're going to magically sit on the one server that the adversary used that day. Sure, go do that. Maybe you get some goodness. But that's not a strategy. That's a, oh, by the way, we got some extra value out of our intelligence operations. 

Robert M. Lee: The DHS and CISA are not the supported agencies by the private sector. They do not own cybersecurity, and they've got to get off ever claiming to own cybersecurity for the private sector. Hey, we'll roll in response teams. Hey, we'll help you. There is enough mission set in the government to keep them busy for a long time, and they're underfunded to even do the government mission. And in hacks like this, when people are going, I think I need help, they're still cleaning up the wounds on the government side. 

Robert M. Lee: So we've got to be real explicit on private sector. You're on your own. You got to go invest in security. Maybe we look at mechanisms to provide extra funding or tax credits or something for companies to go take it seriously. Maybe we do layer in some, you know, light regulation of things we would expect. There's a whole strategy behind that. I'm not going to be prescriptive here. But we just got to be straight with people on the government is not coming to save the day on your private sector networks when you get compromised. We'll help you. We'll coordinate. We'll be the front door to the government. But, private sector, you're on your own. Quit pretending otherwise. And that's a hard pill to swallow. 

Robert M. Lee: And for any practitioner like, yeah, that's known, that's not the common discussion in Congress, especially when agencies are out fighting for funding and rice bowls and everything else. Let's cut the crap, start speaking plainly, be real candid because we're experiencing some real tough times, and we're beyond the point where we believe things like EINSTEIN or whatever else are there to save the day. If I see another billion dollars go to a bastardization of Snort, we're going to lose. 

Dave Bittner: I mean, this really strikes me as being a bit of a punch in the gut, that we got sort of - is it fair to say we got caught flat-footed with this? 

Robert M. Lee: Yes, that's very fair (laughter). I'm like - I'm trying not to be too coy with you, but we got screwed. 

Dave Bittner: But I'm trying to understand from, you know, the basic level, you know, in a way that everyone can understand - I mean, you know, you're in the business of protecting industrial control systems. You know, this got by you. This got by - I mean, this got by lots of people. What do we have to change? How did that happen? Why did so many - why did such a broad swath of organizations in private and public sector get caught flat-footed here? 

Robert M. Lee: Yeah, 'cause our supply chain was compromised, and... 

Dave Bittner: Yeah. 

Robert M. Lee: And nobody is going to prevent a well-orchestrated supply chain compromise. What we didn't get caught by, what we didn't have people get by - me and FireEye, everybody else - was on the detection and response piece. That's awesome. That's the win. Hey, some state adversary did exactly what we were concerned about and talked about for years of compromising the supply chain at a software level in a way that we really couldn't prevent, and they detected it and they responded correctly and they mitigated any issues at FireEye. That's the positive story, that no matter how important or great or wonderful or skilled you think your adversary is, prevention may fail, but detection response - you can do it. 

Robert M. Lee: And so when we're deployed in places, when we're responding to places, when we're going - it's working. But the places that aren't doing detection, that don't have response plans, that aren't taking it seriously, they can't say detection response failed 'cause they weren't doing it. So that's the takeaway. That's the message. 

Robert M. Lee: And, look; to every practitioner in the cybersecurity community, everything I'm saying and getting hyped up on is not news. But to Congress and the Senate and our elected officials that are looking at this, they do get told a lot of crap. Oh, I can prevent all attacks with this magic AI, or blockchain will save the day or the - this government agency is going to be on point, and we'll do all the response for our critical sites across the United States in the event of catastrophe. And we've got to stop that crap. It's always been annoying. It's starting to get dangerous. 

Dave Bittner: All right, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The taste is going to move ya. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" and my conversation with Alyssa Miller from Snyk. We're going to be discussing SourMint, iOS Remote Code Execution, Android findings and the community response. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.