Threat actors were able to see Microsoft source code repositories. Zyxel closes a backdoor. Kawasaki discloses data exposure. Slack’s troubles. Julian Assange escapes extradition to the US.
Dave Bittner: Updates on the spreading consequences of Solorigate, including Microsoft's disclosure that threat actors gained access to source code repositories. A hard-coded backdoor is found in Zyxel firewalls and VPNs. Kawasaki Heavy Industries says parties unknown accessed sensitive corporate information. Slack has been having troubles today. Andrea Little Limbago from Interos on democracies aligning against global technodictators. Our guest is Drew Daniels from Druva with a look at the true value of data. And a British court declines to extradite WikiLeaks' Julian Assange to the United States.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 4, 2021.
Dave Bittner: Microsoft last week updated its account of Solorigate, the large cyber-espionage campaign generally attributed to Russia's SVR. Redmond says the threat actors gained access to several of the company's source code repositories. The intrusion is believed to have been limited to inspection of the code. Microsoft reports that it found no evidence that any code had been altered, that it's contained and remediated the infestations it found and that the company's "assume breach" approach to security limited the damage.
Dave Bittner: CISA has directed all Federal organizations to upgrade their SolarWinds Orion instances to the latest version. The agency had earlier told them to hold off on updating their software until it had an opportunity to assess the effectiveness and the effects of the upgrade. It's now done so, and it's determined that SolarWinds has fixed the vulnerabilities in Orion and that agencies should move to the new software promptly.
Dave Bittner: The New York Times' review of the Solorigate affair puts the tally of affected networks, both government and corporate, at upwards of 250. The campaign is thought to have succeeded in part because it was staged through servers in the U.S. at the time when NSA and U.S. Cyber Command were focused on election security and their own penetration of hostile infrastructure. The cyber-espionage is unusually troubling because the persistence it established could amount to battlespace preparation for future destructive attacks.
Dave Bittner: Researchers at the Dutch firm Eye Control have found a hard-coded admin backdoor on Zyxel firewalls and VPN gateways. ZDNet reports that more than 100,000 users are affected. Zyxel's security advisory says that patches are available for affected products in its ATP, USG, USG Flex and VPN series. A fix for the NXC series is expected in April. Users are advised to apply the available patch.
Dave Bittner: Zyxel describes the backdoor as follows - quote, "a hard-coded credential vulnerability was identified in the zyfwp user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP," end quote. The downside of this is obvious, and the vulnerability is readily exploited by IoT botnets set up for password attack. So do patch. Vulnerable systems are readily accessible. Any prospective attackers apparently do not need any other prior access to them.
Dave Bittner: Kawasaki Heavy Industries disclosed last week that its networks had been subjected to unauthorized access by external parties unknown. The Tokyo-headquartered industrial conglomerate says that sensitive corporate information was exposed but that no personal data were at risk. Reports in The Japan Times suggest that the information compromised was related to defense programs. But beyond that, little is publicly known about the incident. The intrusions were first detected in June. The company says that it had completed remediation by early December.
Dave Bittner: The first work week of the new year got off to an unpleasant start with respect to the widely used business collaboration tool Slack. Slack users began to experience outages around 10 o'clock this morning, and at 11:30, the platform declared that it was a general outage. "Something's not quite right" was the understated notification posted to the company's status page.
Dave Bittner: Shortly before noon, Slack amplified, writing, "There are no changes to report as of yet. We're still all hands on deck and continuing to dig in on our side. We'll continue to share updates every 30 minutes until the incident has been downgraded."
Dave Bittner: Around 12:30 Eastern Time, Slack said that users had begun to see an improvement in service. A system refresh is apparently having good effect, but the company remains cautious about declaring victory.
Dave Bittner: In the UK, the Westminster Magistrates' Court has blocked extradition of WikiLeaks impresario Julian Assange to the US. TechCrunch reports that Judge Vanessa Baraitser denied the US request on the grounds that sending Mr. Assange to the US would be sufficiently oppressive to drive him to suicide and that his intelligence and resourcefulness would make it unacceptably likely that he would be able to evade suicide prevention measures. The decision represents this as more of a judgment of the accused's psychological and emotional state than a finding of inordinate harshness in the US justice system. Mr. Assange faces 17 counts of violating the US Espionage Act and one count involving unauthorized access to a computer system.
Dave Bittner: The US has 14 days to appeal and has announced its intention of filing additional charges against Mr. Assange. The New York Times notes that the judge did not find bad faith in the US extradition request, and The Washington Post says that Judge Baraitser's rejection of claims that the charges amounted to a violation of free speech guarantees amounted to a partial win for the US, which shows no disposition to abandon the case against Mr. Assange.
Dave Bittner: Drew Daniels is CIO and CISO at data protection and security company Druva. They recently published the 2020 edition of their Value of Data report, and Drew Daniels joins us to discuss their findings. Drew, welcome to the CyberWire.
Drew Daniels: Thank you. I'm happy to be here.
Dave Bittner: So, Drew, I mean, let's start with some basic stuff here. This is the inaugural year of your Value of Data report. What prompted the creation of it?
Drew Daniels: Well, I think there was a number of things that we looked at in this. You know, when we were thinking about this report, we knew that everybody was experiencing this pandemic and that it was clear to us that they may not know where their data is or how it's being used. And I think that the other thing that we learned from this survey is that many companies struggle to know what is the critical data that they have.
Dave Bittner: Well, let's go through the report together. What were some of the key insights that caught your attention?
Drew Daniels: You know, as a security professional who's been doing this for a long time, there weren't a lot of things that really caught me off guard. Being - what I have to do, you know, kind of being the paranoid person that is looking at kind of the risks out there, a lot of the things that I saw, it was more encouraging to see that other people are starting to see those things.
Drew Daniels: For example, what we saw in the report - numerous respondents mentioned that in a lot of ways, they don't know what their critical data is. They don't know where it resides. A lot of them - you know, and I certainly struggle with this as well on the CIO side of my responsibilities - is we went from having an office, where we can have shared infrastructure and we have, you know, meeting rooms where people get together and collaborate, to having all of these kind of remote endpoints with one person in them and kind of figuring out that collaboration and how we do data sharing and how we gain access to the data, how we protect that data. These were all things that, you know, I was thinking about, and the survey sort of shared that other people were thinking that as well.
Dave Bittner: One of the things that you mentioned in the report is this notion of data agility. Can you define for us, you know, what does that mean in this context? And why is it important?
Drew Daniels: So from my perspective - and I think that each of the respondents probably were - had a colored (ph) perspective that may be different. To me, you know, now that you have kind of data portability, you have data everywhere, you need to know how to get that data backed up so that you can protect it.
Drew Daniels: You know, one of the things that I always struggle with as a security professional is, you know, the - just the amounts of data and how it's stored. You know, I'm sure every respondent thought about this, and you probably do as well. I mean, what's all the data that you have on your laptop that you probably don't need anymore that you should probably delete? When I'm thinking about how I protect data, how do I sort through and sift through all of that data?
Drew Daniels: So data agility, to me, is, you know, making sure that the right people have the right data in the right context so that as that data shifts, as it grows, as it changes, as it becomes more critical or more sensitive, I can maintain a track on where that data is and how it's being used so that should that data become at risk to being exposed, I can make and change things to protect that data and protect that resource. And I think that's where the agility comes in.
Dave Bittner: Drew Daniels is CIO and CISO at Druva. Drew, thanks so much for joining us.
Drew Daniels: Absolutely. Thank you very much. It's been fun.
Dave Bittner: And joining me once again is Andrea Little Limbago. She's the vice president of research and analysis at Interos. It's great to have you back. I wanted to touch today on what I'm sensing is some - I guess some pushback from governments when it comes to some of these big social networks, some of the Big Tech companies. I wanted to get your take on this. What are you tracking?
Andrea Little Limbago: Yeah, I think there definitely is. And that - you know, on the one hand, we've seen the techlash starting to grow in the United States. And so that's pushing the government. And that actually is occurring, you know, in many democracies, given the widespread disinformation and various data-sharing scandals and so forth. And so governments are - democratic governments are starting to push back on that.
Andrea Little Limbago: And what they've really been doing, you know, for a while has been more piecemeal approaches not just to Big Tech, but just to the broader range of insecurities through the internet, everything from cyberattacks to concerns over government access to data in certain countries and so forth.
Andrea Little Limbago: And so what we're seeing is that as both the social media - the social network companies, on top of the technodictators together, have basically been a driving force in shaping the internet, that democratic governments are finally getting their head out of the sand and trying to push back and help and, you know, push forth some policies and regulations to rein that in a bit.
Andrea Little Limbago: And so it's going to be a balance. And that's - we're really in the very nascent stages of that. And one example of it is United Kingdom earlier this year announced an initiative to do a 10-democracy pact for 5G networks. And so with that, what they're arguing is to have the - basically a pact of 10 democracies focus on trusted software and hardware within the broader 5G networks. And by trusted, really what that means are - you know, are companies that are national champions within democracies that have not had this sort of the wide-range security concerns that we've seen elsewhere. And so that's, you know, just one example that we're seeing of the democracies.
Andrea Little Limbago: Australia, Japan and India are focusing on a supply chain alliance, which has, you know, a huge technology component to it as well. And so that's where we're really just starting to see some of these start to pick up.
Andrea Little Limbago: And, you know, the interesting thing is I really do think that COVID-19 has accelerated some of this. And so - which - some of these trends were - they were under the surface already and starting to emerge, but COVID-19 has accelerated them. Just like how it's disrupted and upended every aspect of our life, it has done so as well in the realm of tech alliances among democracies as well.
Dave Bittner: You know, you use the term technodictators. That's new to me. How do you define that?
Andrea Little Limbago: Yeah. No, it's a good question. And there are a couple of different terms - technodictators or digital authoritarians. And so it really is the use by generally authoritarian governments - but I will say that some democracies are starting to borrow from their playbook - of trying to get complete control of information both within their own national sovereign borders, but also using the internet through various means - cyberattacks, disinformation, censorship - to also push forth their own incentives and their own narrative globally.
Andrea Little Limbago: And it's a wide variety of tools, but it's really how the dictators have leveraged technology and largely the internet, but also, you know, moving into the areas of, you know, of AI and how they've been using bots over time. So it's really across the realm of all these emerging technologies, how authoritarians have really jumped on those technologies to use them for their own purposes.
Andrea Little Limbago: And, you know, like all technologies, they can be used for good or bad. And, you know, the technodictators, I would argue, are the ones that are using them to suppress civil liberties, inherent freedoms, controlling people with - or controlling information access within their borders and externally and then using it even as a, you know, as a tool of foreign policy. And that's where we're seeing those - you know, those kind of countries are starting to have more and more power.
Andrea Little Limbago: And, you know, towards the end of 2019, autocracies had a greater share of GDP than democracies for the first time since 1900. And so, you know, there's an economic clout behind it as well. And that's what I think makes it even more so disconcerting and worrisome. And it's why it's nice to see, finally, that democracies are starting to move away from some piecemeal approaches that aren't working and realizing, again, the benefits of collective security.
Dave Bittner: And how is that playing out? Are there some specific ways that you're seeing the democracies teaming up here?
Andrea Little Limbago: Yeah. And I'll say it again. It's very, very nascent. It's, you know, the U.K. initiative, some of the Asian supply chain initiative. You know, in the United States, the Department of State has introduced a clean tech initiative. That's received both some - has some proponents and opponents. You know, so it's really becoming a broad discussion.
Andrea Little Limbago: And, you know, we'll see. I wish I could say there was this really great initiative that just came out, but we're not there yet. And that's...
Andrea Little Limbago: But we're starting - at least the discussions that haven't been held are starting to be held. And especially at a time when, you know, democracy has been on the decline for over a decade, you know, it's nice to see. You know, it's one area - it's a little bit of hope that they're starting to have some of these discussions. And so we'll see what happens over the next few years.
Andrea Little Limbago: You know, and I think that if - you know, depending on U.S. and EU relations, but also seeing some partnerships with India and Australia, South Korea, Australia, there is a growing sense and awareness of the growing power of, you know, especially China, but also, you know, of the Chinese model that's spreading. But the democracies are starting to realize that there needs to be some form of government involvement to determine and help shape the future of the internet and of, you know, basically, you know, of societies at this point, the digital revolution.
Andrea Little Limbago: And whether you want to be in the mold of technodictators, where the governments having control, where the national champions basically, you know, act at the whims of the government and the data can be accessed there, or on this emerging, you know, technodemocracies and some of these tech alliances that are starting to be discussed that are focused much more so on trusted networks, on the security and privacy that's going to be foundational and is foundational to human rights, civil liberties and democracy - and so those are the different models being discussed.
Andrea Little Limbago: And it's - you know, it's well past time that the democracies are starting to step in. And we'll see what happens with that. But it's nice to see, finally, some pushback because it has been quite some time where this other model has basically gone without any kind of counterweight.
Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: Thank you so much.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It can bring home the bacon and fry it up in a pan. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Happy new year. We'll see you back here tomorrow.