The CyberWire Daily Podcast 1.11.21
Ep 1246 | 1.11.21

More (ambiguous) evidence for attribution of Solorigate. CISA expands incident response advice. Inspiration, investigation, and deplatforming: notes from the Capitol Hill riot.


Dave Bittner: Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert on paper and USB drives. More members of the US Congress report devices stolen during last week's riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 11, 2021. 

Dave Bittner: Kaspersky reports finding code similarities between the Sunburst backdoor in SolarWinds' Orion platform and a known backdoor, Kazuar, which Palo Alto Networks in 2017 associated with the Turla threat group. Kaspersky is cautious about attribution and notes that there are several possibilities. 

Dave Bittner: It could be that Sunburst and Kazuar are the work of the same threat group. Could be that Sunburst's developers borrowed from Kazuar or that both backdoors derived from a common source. It's possible that Kazuar's developers jumped ship to another threat group and there produced Kazuar, or whoever developed Sunburst deliberately introduced the clues into their code in the interest of flying a false flag. 

Dave Bittner: Reuters points out that Estonian intelligence services have long attributed Turla activity to Russia's FSB, which was unavailable to Reuters for comment. 

Dave Bittner: In an updated advisory concerning Solorigate that CISA issued late Friday, the agency released detection and mitigation advice for post-compromise activity in the Microsoft 365 and Azure environment. 

Dave Bittner: CISA recommends three openly available PowerShell tools for detecting malicious activity in this environment - CISA's Sparrow, the widely available open-source utility Hawk and CrowdStrike's Azure Reporting Tool. 

Dave Bittner: CISA also redistributes Microsoft's guidance for recognizing and stopping exploitation at the four distinct stages of an incursion into its environment. 

Dave Bittner: Stage one involves forging a trusted authentication token used to access resources that trust the on-premises identity provider. 

Dave Bittner: Stage two moves on to using the forged authentication token to create configuration changes in the service provider, such as Azure AD. That's establishing a foothold. 

Dave Bittner: In stage three, the threat actor works on acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application. 

Dave Bittner: And, finally, in stage four, once access has been established, the threat actor uses Microsoft Graph API to conduct action on objectives from an external RESTful API - queries impersonating existing applications. 

Dave Bittner: The full text of the alert can be found on CISA's website. 

Dave Bittner: At least some courts affected by the Solorigate incident have reverted to older, manual systems for handling their documents. The U.S. District Court for the Southern District of Ohio, for one, has responded to Solorigate by requiring that court documents be filed on paper, or at least in a removable USB drive, the Columbus Dispatch reports

Dave Bittner: The Dispatch writes, quote, "the federal court considers applications for a search warrant, electronic surveillance and pen register or trap and trace devices highly sensitive. Based on the circumstances, some filings, like Social Security records, administrative immigration records and sealed filings in civil matters, may be designated highly sensitive by the court," end quote. 

Dave Bittner: Any such documents will now be submitted in either two paper copies or on a USB drive along with certificate and service. We trust the USB drives will be properly screened before they're plugged into the court's system. Among other things, the decision shows how difficult it is to completely free oneself from digital records. 

Dave Bittner: Physical loss of devices remains the most serious concern for cybersecurity following last week's riot in the U.S. Capitol. Since the Wednesday unrest, other members of Congress, including Speaker of the House Pelosi, have also reported that laptops were taken from their offices, according to Reuters. 

Dave Bittner: The Wall Street Journal has an account of how the unrest was inspired and authorized via social media. Unlike many, perhaps most, other cases of online incitement, the Journal reports that experts who've taken an early, preliminary look at the incident think that the inspiration was a lot more distributed than it's usually been, with less top-down direction, fewer high-profile leaders and a lot more of what we've come to call virality. 

Dave Bittner: As the Journal puts it, quote, "the Capitol riot doesn't appear to have been orchestrated by a central figure or organization," end quote. The agitation has been in progress for weeks, and it proceeded through a large number of channels and across many platforms. One expert quoted by the Journal said, they didn't need central planning. 

Dave Bittner: That said, many large internet companies were quick to deplatform U.S. President Trump and various supporters in response to the president's encouragement of demonstrations earlier in the week. Axios lists Reddit, Twitch, Shopify, Twitter, Google, YouTube, Facebook, Instagram, Snapchat, TikTok, Apple, Discord, Pinterest and Stripe.  

Dave Bittner: Bellingcat predicted last Monday that significant disruption would occur on Capitol Hill as electoral votes were formally counted. 

Dave Bittner: The Wall Street Journal reports that both Apple and Amazon have taken action against Parler, a social platform whose declared mission is to provide a conservative alternative to what Parler characterizes as the general progressive bias of platforms like Twitter and so forth. 

Dave Bittner: Parler is suing Amazon in the U.S. District Court for the Western District of Washington, seeking injunctive relief, including a temporary restraining order and preliminary injunctive relief, and damages. Parler is claiming an anti-competitive bias by Amazon. The company notes that Amazon provides equivalent services to both Twitter and Parler, yet only Parler was singled out for silencing on the grounds that it wasn't filtering content that amounted to incitement to violence. The filing observes that, quote, "Friday night, one of the top trending tweets on Twitter was "Hang Mike Pence." But AWS has no plans, nor has it made any threats to suspend Twitter's account," end quote. 

Dave Bittner: Parler says it does have content moderation designed to stop incitement, but Amazon says that whatever Parler's review boards are doing, it's not enough. 

Dave Bittner: An op-ed in The New York Times thinks the lesson to be drawn from the deplatforming is that tech companies hold a great deal of power over online discourse, and that power tends to be exercised from the top on the basis of gut decisions by executives and not in conformity with established "quasi due process" criteria. 

Dave Bittner: The American Civil Liberties Union says it understands the desire to ban President Trump from Big Tech's platforms, quote, "but it should concern everyone when companies like Facebook and Twitter wield the unchecked power to remove people from platforms that have become indispensable for the speech of billions, especially when political realities make those decisions easier," end quote. 

Dave Bittner: The implications of the controversy and the ban won't be confined to the U.S. Computing reports, for example, that British Health Secretary Matt Hancock has said that it seems clear that social platforms are now acting much more like publishers than a public square. He took no position on the deplatforming, nor did he offer any prescriptions for the future, but he said the companies are, quote, "choosing who should and shouldn't have a voice on their platform," end quote, and that recognizing this should inform any regulations governments might enact. 

Dave Bittner: And it is my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also chief analyst. Rick, always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on this week's "CSO Perspectives," you are talking about the SolarStorm attack campaign. That's the attack that used the SolarWinds Orion platform as the backdoor, which we now think potentially breached some 18,000 SolarWinds customers or so. But who's counting? 

Rick Howard: Eighteen thousand - yeah, who's counting? Gee whiz. 


Dave Bittner: But what's interesting about your approach here is that you're running it through the lens of first principle thinking. So what's going on here? 

Rick Howard: Yeah. So for the past year on the "CSO Perspectives" podcast, I've been developing a set of cybersecurity strategy theories, you know, based on first principle thinking. And the key word here, Dave, is - I'm using air quotes - "theories" - right? - 'cause I haven't tried them anywhere (laughter). 

Dave Bittner: OK. 

Rick Howard: All right? And so the question I've been asking myself is, would they work? Would that set of theories prevent material impact in the real world? When the SolarStorm campaign came to light just before Christmas, I realized it was the perfect case study to examine if these theories work. 

Dave Bittner: Right, right. Well, I mean, during the past year on "CSO Perspectives," you've had this - these strategies - these four strategies that you say every cybersecurity executive should deploy. Let's use that as a starting point. First of all, what are the four strategies? 

Rick Howard: Right. So in no particular order, here they are - intrusion kill chain prevention, zero trust, resilience and risk assessment. 

Dave Bittner: OK. I'm no cybersecurity Einstein here, but the SolarStorm campaign was a zero-day campaign, which means that the entire attack sequence was stuff that had never been seen before. So wouldn't that kind of nullify the intrusion kill chain prevention strategy? 

Rick Howard: Exactly right, all right? So... 

Dave Bittner: Smarty pants. 

Rick Howard: Yeah. 


Rick Howard: Again, theory. 


Dave Bittner: Right. 

Rick Howard: So we have - from the backdoor, we get the SolarWinds Orion platform, and that's that supply chain attack we've been talking about for so long. And, you know, just by the way, some researchers are saying that there might be a second supply chain backdoor involved, a Czech Republic company called JetBrains. They sell development tools to at least 70 of the Fortune 100 companies. So they might be a second vector. 

Rick Howard: All right, so we have a supply chain attack in order to steal the secret key from an on-prem single-sign-on server performing Active Directory Federation Services, then using a Golden SAML technique, where the attackers forged trusted authentication tokens for cloud resources. 

Rick Howard: Now, these - this is a known - no known adversary campaign has used that attack sequence before. We've seen the tactics before, but they haven't been - ever been strung together in that particular way. So we were way ahead of the curve and had prevention controls in place for all the known adversary campaigns, like, you know, the Russian Cozy Bears and the Chinese Deep Pandas. That didn't help you here. 

Dave Bittner: Right. OK, so where does that leave you within - like, from a first principle strategy approach? 

Rick Howard: Right. So it leaves us with the other three strategies - zero trust, resilience and risk assessment. And I'm happy to say that I think these strategies would have most likely defeated this adversary campaign. And that's what we're talking about on the podcast this week. 

Dave Bittner: All right. Well, you know, before we let you go, in some of our internal discussions on the CyberWire's, you know, Slack channels, we've been talking. And by we, I mean you have been very vocal about the problem with attribution with these attacks to the Russians. And to the thing we talked about earlier, I mean, there's - these are new tools. And what I'm wondering is, like, we've had the FBI, we've had the NSA, we've had CISA and ODNI - they released a joint statement that blamed Russia. But yet, still, it's kind of like, hey, it was Russia. Believe us because we say so. 

Rick Howard: That's right. 

Dave Bittner: We haven't seen a lot of evidence, right? What's your thoughts on that? 

Rick Howard: Yeah. Look; it's probably the Russians, OK? So, you know, think of... 


Rick Howard: You know, if I was just going to say. Just think of the... 

Dave Bittner: Yeah. 

Rick Howard: ...Supply chain attack they used in the Sandworm campaign, you know, against Ukraine. That smells eerily similar to the SolarStorm supply chain campaign, right? And, you know, I'm willing to give the benefit of the doubt to the intelligence community, but - OK? - their joint statement presented no evidence to support the accusation. They just said, you know, it's the Russians because, you know, we think so, right? 

Rick Howard: So it's a zero-day campaign. None of us have any TTPs that match any other known campaigns. Like, the Russian Bear is, like, Fancy and Cozy and Berserk and Energetic and Voodoo and Venomous. None of that matches. So until we do, until they want to give us something to sink our teeth into, then I'm going to be more willing to settle with the adversary group name coined by FireEye way at the beginning of this, which they called UNC2452. 

Dave Bittner: That really rolls off the tongue there, doesn't it? 

Rick Howard: No, it just doesn't sound like Fancy Bear. I know. 

Dave Bittner: Yeah, yeah, yeah. All right, well, all this and more is part of "CSO Perspectives." That is a podcast that is part of CyberWire Pro. You can learn more about that on our website, Rick Howard, thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. I wanted to touch base with you on your insights on how an organization should handle inbound intelligence. 

Dave Bittner: So you're sitting there. You're minding your own business. You're keeping your organization secure. You get a call from outside the organization that says there's a security incident that requires your attention. What do you do? How do you handle something like that? 

Caleb Barlow: Well, Dave, let's probably start by talking about how not to handle it. 

Dave Bittner: (Laughter). 

Caleb Barlow: And, of course, everyone that's ever done one of these, whether you're kind of a red teamer doing offensive security research or you're an executive that's had to make one of these calls, everybody has had one of these calls where it always starts with, does anybody know anyone that works there, right? 

Caleb Barlow: And that's probably first insight to the problem. Like, how do you even get to a company that's going to get them to pay attention? It's not like you can pick up the phone, call the help desk or the help line... 

Dave Bittner: Right. 

Caleb Barlow: ...For, like, product support and go, hey, you're about to go down in an hour with a ransomware incident. We just wanted to let somebody know. 

Dave Bittner: See it on Twitter every day. 

Caleb Barlow: Yeah. 

Dave Bittner: Every day, somebody's asking that question, yup. 

Caleb Barlow: And then, of course, you know, when you do, like, get the CISO (ph) on the phone, if it starts with a, hey, I'm busy, and why am I even here, and who are you, followed by, well, that's impossible; you know, we've got great systems, we have antivirus, that's impossible to happen - right? And... 

Dave Bittner: Right, right. 

Caleb Barlow: I say this jokingly, but I swear everybody's had this conversation. And then, of course, the worst is, well, you really need to talk to our legal team, which is - and we've seen instances of this - is sometimes followed up with a, you know, a tersely written letter from a law firm about how what you did is illegal or, you know, you didn't follow some channel or whatever, right? 

Caleb Barlow: So here's the thing. The first thing to realize is - I mean, there's - don't get me wrong. There's reputable people, and there's not reputable people. But either way, you need to take this inbound intelligence, and you've got to look at it as intelligence. What can you learn from this? 

Caleb Barlow: So someone, whether real or perceived, has information that you need about either you're being breached or you have some sort of vulnerability, or maybe they found a bug in one of your products. And the first thing is to have those listening ears on, right? You're not under any obligation to talk to anyone about whether you're aware of that issue, whether you know about it, whether you've responded to it, whether you have the defense for it. But listen to what they're telling you. 

Caleb Barlow: The second thing, and I think this is the hardest thing for companies to realize, is that the person talking to you probably knows way more than they're telling you. And you need to kind of get underneath that. How do they know? Who else knows? 

Caleb Barlow: You know, especially if it's coming from government, right? You have to understand that when government is telling you something, they may have more information on the classified side that they can't tell you about. Or if it's law enforcement, they may have another investigation. And it's completely appropriate to ask, well, at least what's the sourcing on this? And oftentimes they'll tell you, well, you know, it came from another investigation, which I can't talk about, or it came from, you know, some sources I can't talk about. But the more you can understand, the better. And I think people are really, well, relatively awful at dealing with inbound intel. 

Dave Bittner: Well, so what do you recommend then? What are best practices in your mind? 

Caleb Barlow: Well, first of all, remember that this is an opportunity to build a relationship, right? So if someone's giving you information, they have access to sources that you probably don't. And that may mean in the future, they have access to sources that you probably don't. So start by getting that contact information, understanding how they came across this, what type of work they do. 

Caleb Barlow: And this sounds silly, Dave, but say thank you because that research is going to be more inclined to reach out to you in the future than if you're kind of terse or, worse yet, give them some sort of legal response versus thanking them for giving you the information. Even if it's stuff you already know and might not do anything with, you might want their information in the future. 

Dave Bittner: Yeah. It seems like so often, these conversations lead to frustration on both sides. And, I mean, I can understand people having their guard up. I mean, this could - you know, how do you know it's not a prank call, right? There's a dance that has to go on between the two parties here as you go down that path. What do you know? How do you know? Can I trust you? What - how much should I say? And it just - as you say, you got to get past that. 

Caleb Barlow: Well, and let's face it. The I-know-somebody network is alive and well in the world of intelligence. And, you know, odds are that the company giving you the information may not be the only one involved or the only one that's aware because usually by the time it's getting to you, two or three threat researchers from different places have looked at it. 

Caleb Barlow: But let's also talk about an example of this where it can really go bad. You know, take the Spectre Meltdown disclosure. And you probably remember that day from a few years ago, right? I mean, this was, you know, held very tightly in a couple of companies because people were very worried about giving manufacturers time to respond to it. 

Caleb Barlow: But a couple things happened. Not only did that information not get to all the parties that needed it, but you also saw that when it did get in some organizations, it didn't get to the right people - right? - because it started as a hardware discussion between hardware professionals, and it took some time before it got to all the security teams in those companies to properly address and deal with it. 

Caleb Barlow: And I think - you know, and, frankly, probably the biggest example in Spectre Meltdown is governments. You know, some of the people that needed to know this information more than anybody were often the last to know. 

Caleb Barlow: So, you know, we've got to think about not only how do we take in that information, but also what are our protocols and procedures to make sure it gets to all the right people within our organization and/or potentially within our supply chain. 

Dave Bittner: All right, interesting insights. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. He likes it. Hey, Mikey. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.