The CyberWire Daily Podcast 2.2.21
Ep 1261 | 2.2.21

Coups d’état and Internet disruption. Cyberespionage in the supply chain, again. SonicWall zero day exploited in the wild. Tracking criminal infrastructure-as-a-service. Data breach in Washington State.


Dave Bittner: Myanmar's junta jams the internet. Operation NightScout looks like a highly targeted cyber-espionage campaign delivered through a compromised supply chain. SonicWall zero-day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the SolarWinds attack can be considered an act of war. Our guest, Jamie Brown from Tenable, on the national cyber director position and what it means for the Biden administration. Another data breach is associated with Accellion FTA. And it's Groundhog Day, campers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 2, 2021.

Dave Bittner: The internet has gone down throughout much of Myanmar, CyberScoop reports. The reasons for the outage are unclear, but the overwhelming likelihood is that the outage is a deliberate takedown by the junta military leaders installed in a coup d'etat over the weekend. 

Dave Bittner: Internet usage dropped by a good 75% Sunday, according to observations tweeted by NetBlocks, an NGO that operates an internet observatory. NetBlocks says, quote, "the pattern of disruption indicates a centrally issued telecoms blackout order," end quote. Internet jamming has become a familiar feature of the contemporary style of coup d'etat. It's what seizing the newspapers would've been in 1850, what taking over the radio station would've been in the 1930s. 

Dave Bittner: ESET researchers have outlined a recently discovered software supply chain attack that's inflicting surveillance malware on online gamers who use NoxPlayer, an Android emulator used mostly to play mobile games on PCs. The security firm says that several distinct malware strains are being delivered to users in the form of maliciously crafted software updates. Two of the strains in use are familiar - Gh0st RAT, which is a keylogger and collector of other sensitive information, and PoisonIvy RAT, which appeared as a secondary infection. 

Dave Bittner: The producer of NoxPlayer, Hong Kong-headquartered BigNox, told ESET that it hadn't been compromised itself and didn't avail themselves of the help the boys and girls from Bratislava offered. The campaign shows no signs of monetization, which leads ESET to conclude that some form of espionage is the point of the effort. They're calling the campaign Operation NightScout. 

Dave Bittner: It seems to be a highly targeted campaign. ESET's telemetry told them that about a hundred thousand of their users had NoxPlayer installed. But of that group, only five were pushed a malicious update. The victims were in Hong Kong, Taiwan, and Sri Lanka. What the operators behind NightScout are after is mysterious. ESET said it was unable to find any correlations among the victims. 

Dave Bittner: NCC Group reports finding evidence that the recently discovered SonicWall zero-day is now being actively exploited in the wild. They advise users to pay close attention to their logs. NCC Group is reluctant to share detailed indicators and warnings, but they suggest keeping an eye out for source IPs hitting management interfaces you would not expect. SonicWall says it expects to have a patch available today. 

Dave Bittner: Microsoft has been tracking the emails sent by the criminal infrastructure represented by StrangeU and RandomU, which Redmond says is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive. It's sending out about a million malware-carrying emails a month. 

Dave Bittner: The infrastructure seems to be filling the criminal-to-criminal market gap that the Necurs botnet takedown temporarily opened. Microsoft says this proves that attackers are highly motivated to quickly adapt to temporary interruptions to their operations. 

Dave Bittner: The infrastructure-as-a-service initially was seen delivering commodity malware. But since September, it's risen in the criminal status system, having been adopted in September by both the Dridex and Trickbot operators. 

Dave Bittner: The cyber-espionage campaign associated with the software supply chain for SolarWinds' Orion platform remains under investigation, with postmortems turning to fixes and might-have-beens. A Security Boulevard piece sketches an outline of third-party security programs. FCW reports that prospective Homeland Security Secretary Mayorkas promised to review upgrades of the department's EINSTEIN system. And ProPublica wonders why the US government shelved the "in-toto" system it paid for. 

Dave Bittner: Vulnerabilities in Accellion software, exploited earlier against data belonging to New Zealand's central bank and the Australian Securities and Investments Commission, has now hit the state auditor of the state of Washington, compromising the personal information of more than a million and a half people who'd contacted the state about unemployment assistance. The state auditor is notifying victims and offering the usual sorts of help, like credit monitoring. 

Dave Bittner: Accellion says the vulnerabilities lie in an old legacy version of its product, Accellion FTA, that's now approaching end-of-life. The vendor says all known issues have now been patched and mitigation is underway. The incident has attracted a lot of attention from the security industry. 

Dave Bittner: And finally, hey, hey, hey, happy Groundhog Day. The word from our Pennsylvania desk is that Punxsutawney Phil, in a socially distanced, virtual ceremony from Gobbler's Knob, indeed saw his shadow. It spooked him, and so we've got six more weeks of winter. So hold off on spring until St. Patrick's Day or thereabout, campers. It's cold out there. 

Dave Bittner: The recently passed National Defense Authorization Act includes the creation of the position of national cyber director. Joining me to discuss that role is Jamie Brown, senior director of global government affairs at Tenable and chair of the IT Sector Coordinating Council. 

Jamie Brown: Historically, in previous administrations, particularly in George Bush and Barack Obama's administration, there was a cyber director - or, you know, commonly referred to as a cyber czar - that was advising the president and had a central spot at the White House. It was not a - it was not at that time a Senate-confirmed position. But the role there was to coordinate cybersecurity activities across the federal government. That position was maintained in the early part of the Trump administration but then, you know, was - they ended up ending the position when he switched national security advisers about midway through the administration. 

Jamie Brown: Congress had set up, in the meantime, a commission to study what are the best approaches to addressing these long-term, really comprehensive challenges of cybersecurity. And one of the key recommendations they made was we really do need to not only reinstall that position of the national cybersecurity director, but make it a permanent, Senate-confirmed position, you know, one that has statutory authority, one that has to be approved by the Senate, and the thinking being that cybersecurity was such a crosscutting challenge, it hit so many different agencies, different industry sectors that you really needed someone in a centralized location, a single point of contact in order to coordinate the federal government's response to cybersecurity incidents, but also in terms of proactive strategy and planning for cybersecurity as well. 

Dave Bittner: I've seen some reporting that President Biden is likely to appoint Jen Easterly to this position. 

Jamie Brown: Right. 

Dave Bittner: Is that still where things are tracking? And what's your take on her? 

Jamie Brown: That is what we have heard as well. You know, I have not heard, or I have not seen sort of official confirmation or have not yet - I don't think President Biden has officially appointed Jen Easterly. But we think that she would be an outstanding choice. She has excellent experience both in the public and private sector, which, again, is extremely important given the interdependencies of both the private sector and government when it comes to addressing cybersecurity challenges. So her experience is something that will bring, you know, I think, tremendous gravitas to that role and a lot of credibility in working both with government and private sector stakeholders. 

Jamie Brown: I think this SolarWinds compromise has opened our eyes to a lot of important activities that have to take place. And one of the key areas that we hope that the national cyber director will focus on to be better prepared for future-type attacks is pushing through a risk-based vulnerability management approach throughout the government and then prioritizing the way that you go about remediating the gaps or the vulnerabilities that you have based on real-time contextual factors. 

Jamie Brown: You know, what is the severity of a given vulnerability that you have in your systems? How important is it with respect to where it is, you know, located within your systems? And then, you know, also, is that type of vulnerability currently being attacked by bad actors? All these things are going to be extremely important moving forward, both to mitigate against current attacks, but also to be prepared for future ones. That will be a key role of the cyber director as well. 

Dave Bittner: That's Jamie Brown. He's senior director of global government affairs at Tenable. 

Dave Bittner: And I'm pleased to be joined once again by Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hey, Ben. Good to have you back. 

Ben Yelin: Hello, Dave. How are you? 

Dave Bittner: I am doing well, thanks. Interesting article - this is from the Lawfare blog. The title is "Is the SolarWinds Cyberattack an Act of War? It Is, If the United States Says It Is." Now, this caught my eye because it seems to me like the overall consensus has been that the SolarWinds situation was not an act of war - espionage, but not an act of war. But this article takes, perhaps, or explores a contrarian view here. 

Ben Yelin: Yeah. This article is fascinating for a number of reasons. First of all, that is a contrarian view as to the attack itself. This article gets into questions of whether we should make these decisions based on domestic laws or based on international law. So the previous administration kind of ignored international law. They were an "America First" administration. 

Ben Yelin: What this article is suggesting is that we could have proper justification under international law to declare this an act of war. So Chapter (ph) 51 of the United Nations Charter recognizes the inherent right to self-defense in response to an act of war. The Latin term is casus belli. I'm sure I'm mispronouncing that. 

Dave Bittner: (Laughter). 

Ben Yelin: But basically, if you are attacked in a surprise attack, international law justifies a response. That is self-defense in its purest form. At least that's, you know, the thinking behind that section of the Charter. And that allows a country or a state, if we're speaking more broadly, to exercise self-defense to make sure that nobody else gets hurt, to make sure... 

Dave Bittner: Right. 

Ben Yelin: ...You know, to limit harm against our domestic tranquility. 

Dave Bittner: Yeah. 

Ben Yelin: And that's what this article is encouraging, that we should consider this an act of war under international law, akin perhaps to something like Pearl Harbor, where there was a surprise attack on our physical infrastructure. I don't think anybody would dispute that that was an act of war. If, you know, SolarWinds as a cyberattack was as extensive as is reported, certainly the impact on our critical infrastructure could be potentially just as severe. 

Ben Yelin: So it's just a really interesting article. I think using international law in some quarters is pretty disfavored in this country just because, you know, there's kind of a skepticism of why should we be listening to these - you know, these international bodies that - you know, why should they carry the force of law? Who elected them? But, you know, I think you'd put yourself on firmer ground on the world stage if you can justify your actions - and it seems like we're going to take actions in response to this attack - using a portion of the U.N. Charter. So I just thought it was a really interesting argument. 

Dave Bittner: Yeah. I'm curious, you know, what you think about the idea that if you come at this from the espionage point of view - and, you know, I always try to, and often unsuccessfully try to put these into real-world terms. But, you know, suppose the United States found that there were a whole bunch of spies who'd been placed in organizations around the world, you know, and these spies were going through filing cabinets to get secrets from organizations - from federal organizations, private organizations, you know, that sort of thing - people doing spying, right? 

Ben Yelin: Right, right. 

Dave Bittner: Espionage. Would we - would the discovery of that - would we consider that to be an act of war, or would we just say, ooh, espionage? 

Ben Yelin: I mean, I guess there's a different - espionage isn't to the same extent an act of war. 

Dave Bittner: Right. Nobody dies. 

Ben Yelin: Yeah. Right. It wouldn't meet that definition under the U.N. Charter. I think... 

Dave Bittner: Right. 

Ben Yelin: ...What I would say is that that's not necessarily the proper analogue here because of the concrete damage that could have been done through the SolarWinds attack. So it's not just spying. You know, if you're destroying networks or you're stealing information, you know, or you're threatening our critical infrastructure, then that goes beyond espionage. So I don't think it would - you know, if it were just pure spying, I don't think, under this definition, that would be, you know, an act of warfare that would justify... 

Dave Bittner: Right. 

Ben Yelin: ...A precision-based response. 

Dave Bittner: What if the spies were leaving pipe bombs in the filing cabinets behind - right? - something like that? 

Ben Yelin: Exactly, exactly. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: I mean, that's the scenario that I think we have to consider. And I think that's sort of the perspective of the Biden administration. We don't know exactly what they're going to do to respond to this attack, but early indications are that they see it as sort of, if not a quasi act of aggression, an act of aggression and that it will justify a precision-based response. 

Dave Bittner: Right, worthy of some response. 

Ben Yelin: So, yeah, absolutely. 

Dave Bittner: Yeah. All right. Well, an interesting article for sure. It's over on Lawfare. It's titled "Is the SolarWinds Cyberattack an Act of War? It Is, If the United States Says It Is." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Bring out your best. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.