The CyberWire Daily Podcast 1.20.21
Ep 1252 | 1.20.21

More on that Solorigate threat actor, especially its non-SolarWinds activity. Chimera’s new target list. Executive Order on reducing IaaS exploitation. The case of the stolen laptop.


Dave Bittner: Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump's last executive order addresses foreign exploitation of infrastructure-as-a-service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 20, 2021. 

Dave Bittner: Malwarebytes has disclosed that it was hit by the same nation-state actor implicated in the SolarWinds breach. Note that this isn't another victim of the SolarWinds supply chain compromise - Malwarebytes doesn't use SolarWinds - but rather another victim of the same threat actor. 

Dave Bittner: Malwarebytes said, quote, "evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments," end quote. They added that the Microsoft Security Response Center alerted the company to the problem. The damage seems to have been confined to a limited subset of internal company emails. And there was no evidence found to suggest that on-premises or production environments were compromised. 

Dave Bittner: Those interested in hardening themselves against this sort of activity would do well to consult some advice FireEye's Mandiant unit published yesterday. They outlined protective measures available for use against the threat actor they track as UNC2452, and they concentrate on the attack vector that runs through Microsoft 365. Mandiant addresses four basic approaches UNC2452 has used. 

Dave Bittner: First, they steal Active Directory Federation Services' token-signing certificate and then forge tokens for arbitrary users that enable them to authenticate themselves into a federated resource provider as any user whatsoever, with no need to get that user's credentials. 

Dave Bittner: Second, they modify or add trusted domains in Azure AD to add a new federated identity provider that the attacker controls. The result also enables tokens to be forged for arbitrary users. 

Dave Bittner: Third, they've been able to compromise credentials of on-premise accounts synchronized with Microsoft 365, and specifically accounts with high privileges, with obvious consequences for their access to targeted organizations. 

Dave Bittner: And fourth, they've added new applications or service principal credentials to backdoor an existing, legitimate Microsoft 365 app in order to use such privileges as that app may have. 

Dave Bittner: Mandiant notes, in a by-the-way fashion, that these things have been done by UNC2452 and others. And FireEye has kept its attribution of the threat actor ambiguous, so who knows how many groups may be active? FireEye did say last week that identifying the principal threat actor as Russian is plausible from what we've seen, which agrees with public assessments by US officials. Attribution takes time, but signs point to Russian intelligence services, to one of the cozier members of Huggy Bear's sleuth. 

Dave Bittner: NCC Group and its Fox-IT subsidiary have found that a Chinese threat actor hitherto known for collecting against Taiwan's semiconductor industry has a much more extensive target list. The targets are now believed to include airlines. And where the attack on semiconductor company networks aimed at intellectual property theft, the airlines are of interest because of the personal data they hold. 

Dave Bittner: Apparently, the group is seeking to collect information about individuals of interest and also to harvest such credentials as may be available to them. CyCraft researchers called the group Chimera, and they say it uses its take in credential stuffing and password spraying attacks against the individuals' organizations. 

Dave Bittner: Former US President Trump yesterday issued an Executive Order outlining measures to control foreign malicious use of infrastructure-as-a-service products. The EO, whose title is "Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities," is designed, Reuters reports, to restrict transactions between cloud service providers and foreign customers likely to misuse such services for cyberattacks. 

Dave Bittner: The Secretary of Commerce was given the leading role, directing the Secretary to propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an account. Commerce is expected to coordinate its work under the executive order with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence. 

Dave Bittner: Then National Security Adviser Robert C. O'Brien explained the motivation for the order as follows - quote, "foreign malicious cyber actors threaten our economy and national security through the theft of intellectual property and sensitive data and by targeting United States' critical infrastructure. By gaining access to United States IaaS products, foreign actors can steal the fruits of American innovation and prepare destructive attacks on our nation's critical infrastructure with anonymity. Malign actor abuse of United States IaaS products has played a role in every cyber incident during the past four years, including the actions resulting in the penetrations of United States firms FireEye and SolarWinds," end quote. 

Dave Bittner: What the new administration will do with the order isn't known. President Biden was inaugurated a few hours ago. Presidents may cancel predecessors' executive orders, but they also may and often do keep them in force. President Trump's eleventh-hour EO, for example, cited in its first paragraph an executive order President Obama issued in 2015. Administrations change, but a lot of challenges endure. Prominent among those challenges - in cybersecurity, at least - is the sort of abuse committed in the Solorigate incident. 

Dave Bittner: The Philadelphia Inquirer reports that Riley Williams, an alleged participant in the Capitol riots of two weeks ago, has now been charged with felony theft in connection with the taking of a laptop from US House Speaker Nancy Pelosi's office. Ms. Williams had been charged Sunday with misdemeanors involving disorderly conduct and illegally entering the Capitol. The possibility that Ms. Williams took the laptop with the intention of offering it to a third party, who would subsequently sell it to Russia's SVR, remains under investigation. That particular sale is said to have fallen through when the middleman, woman or persons withdrew from the deal for unknown reasons. As they say, investigation continues. 

Dave Bittner: The team at Veracode recently released their 11th annual version of their State of Software Security report. Chris Eng is chief research officer at Veracode, and he joins us to share their findings. Chris, welcome to the CyberWire. 

Chris Eng: Thanks. Great to be here. 

Dave Bittner: Well, let's get started with some basics here. This is your 11th time around with the State of Software Security report. So what were some of the outstanding things that you found this time? 

Chris Eng: Well, just for a little bit of background, you know, this is the biggest security report of software anywhere that I know about. We take all of the applications that are scanned through our platform and basically do a lot of analysis to try and find trends and interesting things about software. There are 130,000 applications in this dataset, over a million scans and over 10 million flaws. So, yeah. So it's nice to be able to kind of see what's happening, what's the current state of things out there and, you know, how is software security getting better or, in some cases, worse. 

Chris Eng: You know, so this time we found, you know, probably unsurprisingly, most applications do have security flaws. Three-quarters of them had at least one. But most apps don't have severe vulnerabilities. Only about a quarter of them had a high- or critical-severity flaw. 

Chris Eng: But one thing that's still an issue is how people are getting after fixing those flaws. Half of security findings are still unfixed six months after discovery. And so we spent a bunch of time going into some of the factors that may correlate with better or worse fix times. And we spent a little bit of time on that as well. 

Dave Bittner: You know, this is your 11th version of this report. Are there any big-picture trends that you all have been tracking over time? 

Chris Eng: Well, we're always looking at kind of a breakdown of the categories of flaws that we see. And, you know, I can go back to volume one, and we are still seeing the same types and categories of flaws as we were back then. 

Chris Eng: What we are seeing, you know, is a change in, you know, language selection, as you might expect. Like, native applications, like C++ apps, are declining, whereas web applications are becoming a lot more prevalent. And so the types of vulnerabilities that are present in the web apps are obviously increasing. 

Chris Eng: But even though we haven't kind of as an industry, managed to eliminate entire categories, I think the reason for that is, you know, going back to our first volume of this, this was a time when companies were just, you know, applying security testing to their most high-profile applications - right? - maybe their five or 10 most important applications. 

Chris Eng: But these days, you know, every company is a software company, and every company has hundreds, if not thousands of applications. And so what they've been able to do over that time is to scale this type of testing across their entire software portfolio. And so you have applications now that are being scanned that have never been scanned before. And there's a lot of catching up to do. 

Chris Eng: So the industry is definitely maturing, and we can see that just in the growth of the activity, right? A hundred - as I mentioned, 130,000 applications in this volume. The previous volume, just a year ago, was around 80,000 applications. So you're seeing this immense growth in how seriously companies are taking security and how well they're baking it into their process. 

Dave Bittner: That's Chris Eng - he's chief research officer at Veracode - speaking of their State of Software Security report. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from The Hacker News. This is about an attack going after some Google security keys, some YubiKeys. What's going on here, Joe? 

Joe Carrigan: Right. So I frequently talk about everybody using multifactor authentication. 

Dave Bittner: Right. 

Joe Carrigan: And I frequently say the best form of that is some kind of physical security token, like the Google Titan or like a YubiKey, because those things are impossible to intercept. At least we don't know of a way to intercept them along the communication chain right now. That may change in the future. 

Joe Carrigan: But what these guys have done is they have - this is NinjaLabs (ph), and what they have done is they have found a way to read the keys from the Elliptical Curve Digital Signature Algorithm that are stored on the device. And this is the - I'll say this is the keys to the kingdom. 

Dave Bittner: OK. 

Joe Carrigan: And what that is - if I have these keys, these private keys, then I can sign things, which means I can commit the multifactor authentication process flawlessly, right? 

Joe Carrigan: Now, there's a caveat here. You shouldn't - maybe you shouldn't be too worried because this is a side-channel attack, meaning that they're using a physical read on the device while the device is powered up, right? So what do they have to do? They actually have to get this device from you, and then they have to take it apart so they can put a sensor near a chip on the device so they can watch the data moving around on this device. And using an algorithm, an AI algorithm or a machine-learning algorithm, they can deduce the keys after six hours. 

Joe Carrigan: So the threat model is somebody's going to have to come into your house or come into your office, take the key without you noticing it, be able to disassemble it, take the cover off of it and have - I think it was $17,000 worth of equipment. That's a lot of money for equipment. It is certainly not outside the range of possibility for a very advanced adversary. 

Dave Bittner: Sure. 

Joe Carrigan: Right? This is the James Bond kind of stuff that I'm sure spies do all the time. 

Dave Bittner: (Laughter) Right. Right. Right. 

Joe Carrigan: But, you know, nobody beyond that is going to be really able to pull this off. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: They're going to try other ways to get into your account. 

Joe Carrigan: What is also interesting to me in this is that only certain of these security keys are vulnerable to this attack because what they're doing is they're using a physical byproduct of the way the data is stored on these chips. And just because you have one model or another model of this device, that doesn't change the fact that those keys still have to exist in a very real form on these devices in the form of stored memory and that those keys have to be used in a very real way that is detectable in the universe - right? - that we can put a sensor near it. 

Joe Carrigan: So I think that we're going to see more of these kind of attacks on other - a broader range of devices over time. I checked the YubiKeys that I have, and they're not on the list of affected devices. But all the Google Titans are on the list of affected devices. 

Dave Bittner: Right. Right. 

Joe Carrigan: Does that mean that Google has to do something to better shield the devices? Maybe some tamper-resistant technology could go in here to stop this from happening. 

Dave Bittner: Yeah. As you say, I can imagine in the spycraft situation of someone not just removing the one that you have, but swapping it out for another one, you know? Because, you know, if you're not using this every time you log in, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...Then perhaps you wouldn't notice that a different one had been swapped in within the amount of time that they'd need to do what they needed to do. But again, such an edge case here. 

Joe Carrigan: It is. 

Dave Bittner: I don't think - the take-home here is, for me anyway, this is interesting research. Always good to find out when there's an unexpected vulnerability, but no reason to take your Google Titans or your YubiKeys and throw them in the trash yet. And unless you know - if it is, you know who you are, right (laughter)? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: (Laughter) Exactly. The people who this affects, they know who they are. 

Joe Carrigan: Right. They've already gotten the memo. 

Dave Bittner: Yeah. If you don't know, then you're probably fine (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: But, yeah, interesting research for sure. Again, you said it's from the folks at NinjaLab, and it's an interesting read. So if you're interested in this kind of stuff, do check it out. So this particular article comes from The Hacker News. So, yeah. Interesting stuff, huh? 

Joe Carrigan: Yeah, I think it's fascinating. I'm always fascinated by, you know, how real and physical the - you know, things like the internet are. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: You know, the internet isn't this nebulous cloud that's out there. There's actually computers that run it, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And they're all over the place. And... 

Dave Bittner: (Laughter) Yes, they are - clever humans - clever humans. 

Joe Carrigan: Yes. And this... 

Dave Bittner: All right. 

Joe Carrigan: ...To me is absolutely fascinating. 

Dave Bittner: Yeah. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Investment in knowledge pays the best interest. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.