The CyberWire Daily Podcast 2.3.21
Ep 1262 | 2.3.21

China gets in on the SolarWinds act. More SolarWinds vulnerabilities disclosed and patched. Abuse of lawful intercept tech in South Sudan. BEC phishes for gift cards. Parasitic card skimmer found.


Dave Bittner: It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds to steal data from a U.S. government payroll system. The presumed Russian intrusion into SolarWinds may have been going on for nine months or more. Three new SolarWinds vulnerabilities are disclosed and patched. Amnesty accuses South Sudan of abusing intercept tools. BEC compromise is involved in gift-card scams. Joe Carrigan has thoughts on opt-in privacy policies. Our guest is Dale Ludwig from CHERRY on USB attacks and hardware security. And carders steal from other carders.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 3, 2021. 

Dave Bittner: Reuters reports that the FBI's investigation of the SolarWinds supply chain attack is looking into evidence that Chinese threat actors successfully exploited a vulnerability in the company's software to compromise the National Finance Center, a payroll system operated by the U.S. Department of Agriculture. The Department of Agriculture's reaction to the story is ambiguous. The Agriculture Department emailed Reuters to say that USDA has notified all customers, including individuals and organizations, whose data has been affected by the SolarWinds Orion Code Compromise. But a second departmental spokesman said after the story broke that there was no data breach related to SolarWinds at USDA but offered no further clarification. 

Dave Bittner: The vulnerability the Chinese threat actors are believed to have exploited is said to be different from the one used by UNC2452, the threat actor widely believed to be a Russian intelligence service. Reuters' anonymous sources told them that the campaign used tools and infrastructure that had been previously deployed by state-backed Chinese cyberspies. As The Washington Post observes, many had suspected that another group was also actively exploiting SolarWinds, but Reuters' report is the first to suggest that this second threat actor was connected to the Chinese government. 

Dave Bittner: The Chinese foreign ministry denied any involvement, observing first - and, in fairness, correctly - that attribution is a complex technical issue. The ministry then moved on to unlikely insistence on the usual pieties - China resolutely opposes and combats any form of cyberattacks and cyber theft. It's doubtful that any government on the planet - even, say, the Holy See or San Marino - resolutely opposes any form of cyberattack, unless cyberattack is construed so narrowly as to rule out any form of interception, surveillance, or retaliation. If any pure cyber pacifists are running any government, it's doubtful that government is in Beijing. 

Dave Bittner: Some have said that major cyberattacks are often more like riots than bank jobs, with multiple actors going after the same targets for their own reasons. Reuters quotes former U.S. Chief Information Security Officer, retired Air Force General Gregory Touhill, who thinks it's not that unusual for more than one group to hit the same product. He prefers the racing metaphor to the criminal one - quote, "It wouldn't be the first time we've seen a nation-state actor surfing in behind someone else. It's like drafting in NASCAR," Touhill said. 

Dave Bittner: It's worth noting that while the National Finance Center is housed in the Department of Agriculture, its responsibilities aren't confined there. The NFC also handles payroll for other government agencies. Some of the more interesting ones from the point of view of national security are the FBI, the State Department, the Department of Homeland Security and the Treasury Department. The NFC claims on its website to payroll more than 600,000 employees. It also provides customizable and flexible financial management services and integrated shared service solutions. 

Dave Bittner: The data held by the NFC would include Social Security numbers, phone numbers, personal email addresses and banking information and also associations between individual employees and their agencies. Such information is useful for building HUMINT target dossiers of individuals of interest, and Chinese services have shown an appetite for such sweeping collection in the past - against the U.S., most notably, in the Office of Personnel Management breach of 2015. 

Dave Bittner: According to The Wall Street Journal, SolarWinds is still investigating to see how the attackers - the presumed Russians, in particular - gained access to the company's networks. One of the going theories is that they got in by compromising SolarWinds' Microsoft 365 accounts. They appear to have compromised one of the company's Office 365 accounts in December of 2019 and then were able to pivot into others. All told, they were probably lurking, as The Journal puts it, in SolarWinds' email systems for nine months or more. 

Dave Bittner: There have been other discoveries related to SolarWinds. Security firm Trustwave has identified three additional vulnerabilities in SolarWinds' products. The researchers say the vulnerabilities are severe and should be addressed as soon as possible, but that they've seen no evidence of exploitation in the wild. Two of the vulnerabilities were found in the Orion Platform. The third was discovered in SolarWinds' Serv-U FTP for Windows. SolarWinds has patched all three of these and done so in what Trustwave calls a very timely manner. The researchers have not released proof-of-concept code for exploits because they don't wish to give threat actors a head start on patching. But if you're a SolarWinds user, don't delay in applying the patches. Trustwave will release proof-of-concept next week on February 9. 

Dave Bittner: Amnesty International reports that the government of South Sudan obtained Verint Systems' communications intercept tools between 2015 and 2017. According to Amnesty's report, South Sudan's National Security Service has been abusing the technology to keep journalists, critics and dissidents under surveillance. 

Dave Bittner: Nox Limited contacted us today to say that they'd reached an agreement with security firm ESET to address the selective exploitation of Nox's BigNox Android emulator ESET found and disclosed. That exploitation was used in what appears to have been a cyberespionage campaign. Nox and ESET intend to work together on the security issue and will provide further information as it becomes available. 

Dave Bittner: Microsoft warns of a spike in business email compromise scams, soliciting gift cards said to be intended for K-12 teachers. If you get an email from some elephant in your organization asking you to go ahead and buy a gift card for a teacher online, just put your hands in your pockets and walk on by - virtually. If you'd like to express your appreciation to a teacher with a gift card, we suggest going to the store and buying one and then leaving it on the teacher's desk. An Apple gift card would be a nice gesture toward tradition. 

Dave Bittner: And finally, BleepingComputer reports that criminals are stealing pay card data from other criminals who skimmed them using Magento. It's a piggyback skimmer that quietly rides on top of Magento instances. There's no honor among thieves. 

Dave Bittner: Most of the discussion around cybersecurity these days is focused around software and services, which makes sense. But what about the actual physical devices we use every day to interact with our computers? And in particular, what about devices that find themselves in challenging environments - industrial, medical? Dale Ludwig is business development manager at CHERRY Americas, a global provider of these types of devices, and he joins us today. Dale, welcome to the CyberWire. 

Dale Ludwig: Thanks for having me. 

Dave Bittner: So let's start off with just some descriptive stuff here. I mean, when we're talking about the security issues of these devices that we use every day, these input devices - which is right in the center of your wheelhouse - what are some of the things that you all are concerned with on a daily basis? 

Dale Ludwig: Yeah, so some of the markets that we serve include the government, enterprise, health care, retail, even schools and now home office. And obviously, with COVID, we're seeing a massive change to, really, a digital transformation of these markets from the shift to work or remote school atmosphere that we're now in. So unfortunately, this transformation opens up new avenues for cyberthreats and expands the attack surface. 

Dave Bittner: So when it comes to something, you know, like a keyboard, which I think is something most of us interact with every day but probably don't put a whole lot of thought into the security aspects of it, what's the spectrum of things that are available to help secure that keyboard-computer interface? 

Dale Ludwig: Yeah, so one of the worst things that, you know, persists in this environment is access to the USB port on your computer. And, you know, with roughly 3 billion USB devices shipped every year - and, really, the beauty and efficiency of the USB device is that you can connect anything to it, and it'll - you expect it to function. But unfortunately, there's a cost to that, that ability to connect any device. But USB gives some vulnerabilities because of that - its inability to verify the devices are what they claim to be. So you have the possibility for USB devices to change their type or introduce additional subdevices while being plugged in, and they can create software attacks through malware, which then you've got keyloggers such as a Rubber Ducky or a BadUSB, these types of devices which reprogram your USB device and really cause it to act as a human interface device or a keyboard. And so we - our device goes after that channel and really shuts that access point down. 

Dave Bittner: Now, what about devices that find themselves in more challenging environments than, say, your typical office environment or your home office - you know, things that are in industrial situations, things that are in medical situations? These are devices that you all provide as well. Are there specific security issues when it comes to putting devices like that in those environments? 

Dale Ludwig: Yeah, absolutely. And both of the features on this keyboard address those. And, you know, with HIPAA requirements in medical manufacturing facilities, there are issues about who do you want to operate a piece of machinery. So, obviously, controlling access to applications or even a machine is important. So we incorporate contact and contactless readers into this keyboard and then back that up with the encryption using the TLS protocol. 

Dave Bittner: All right. Well, Dale Ludwig is business development manager at CHERRY Americas. Dale, thanks so much for joining us. 

Dale Ludwig: Thanks. Appreciate the time. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, over on "Hacking Humans," we often talk about privacy issues and how folks can best protect themselves. This article from The Wall Street Journal I found interesting. It's titled "Apple and Facebook Trade Barbs Over Privacy-Focused Business Models." What's going on here, Joe? 

Joe Carrigan: So Apple has said that, coming this spring, they are going to allow their users to decide whether or not they will share their - something called their advertising identifier. So they're actually going to make this what we have been asking for, as privacy advocates, for decades - they're going to make this an opt-in thing. 

Dave Bittner: Right, right. 

Joe Carrigan: So in other words, everybody always says, well, we make it so you can opt out. And nobody, of course, opts out. 

Dave Bittner: (Laughter). 

Joe Carrigan: But Apple is changing the paradigm here. They're saying, you're going to have to opt in in order to share your advertising identifier with companies like Facebook. 

Dave Bittner: Yeah. So the default position will be to not be tracked. 

Joe Carrigan: Correct. Correct. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's fantastic, right? 

Dave Bittner: Right. 

Joe Carrigan: Of course, this has stuck in the craw of Facebook and Mark Zuckerberg. Zuckerberg has sought to cast this move as a means for Apple to use its platform to put Facebook at a disadvantage. And he says that Apple's iMessage service is preinstalled on every phone and complained that Apple uses these tools to put itself at the center of its users' experience. 

Dave Bittner: Hmm. 

Joe Carrigan: I want to tell Mark Zuckerberg something... 

Dave Bittner: (Laughter) If he's listening. 

Joe Carrigan: ...Because I know he listens to every word I say... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...And he hangs at every word I say. 

Dave Bittner: I'm sure. Yes, of course he does, Joe. 

Joe Carrigan: That is why people buy Apple products, Mark. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's it. They like the Apple experience. And Apple puts the user experience at the center of everything they develop. They do a... 

Dave Bittner: Right. 

Joe Carrigan: ...Really good job of that. As much as I don't like Apple and I don't use Apple, their focus is the user. And it always has been, at least since they started developing Macintoshes. 

Dave Bittner: Right. 

Joe Carrigan: It is remarkable to me - it looks to me like he's trying to make a comparison here between iMessage and the old Internet Explorer monopoly complaints from years ago... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That Microsoft packages Internet Explorer with every operating system they sell, right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: I don't think that's going to fly either because not only does Apple offer iMessage, but you can still install other apps on your phone and use those as well. 

Dave Bittner: Right. 

Joe Carrigan: So it's not really a monopoly. There is no barrier to entry. 

Dave Bittner: Well, who do you think needs each other more? In other words, does - if it came down to, you know, nuclear options from either company - suppose, you know, if Apple were to say, hey, Facebook, your app can't be on our app store anymore, or Facebook were to say, hey, Apple, you know, if you don't ease up on this, we're going to pull our app from the app store, who do you think has the upper hand? 

Joe Carrigan: That's a good question. I don't know. I think that Apple has the upper hand here because the question is - that question is who's going to leave whom, right? 

Dave Bittner: Yeah. 

Joe Carrigan: From the user perspective, who's going to leave? Now, you're an Apple user, right? 

Dave Bittner: I am. I am indeed. 

Joe Carrigan: And - but you're not a Facebook user, are you? 

Dave Bittner: I am not. 

Joe Carrigan: No (laughter). 

Dave Bittner: No, I... 

Joe Carrigan: So this is not going to have any impact on you. 

Dave Bittner: No. 

Joe Carrigan: The way I see this going is it's going to go one of two ways. Either Facebook is going to say, OK, we're going to have to adapt to this, and we're going to have to target ads based on information that we collect from our apps only - because, rest assured, Facebook is going to continue to collect the information about everything you do on every app they own - on Facebook, on WhatsApp, on Instagram. 

Dave Bittner: Mmm hmm. 

Joe Carrigan: That's all going to be collected and correlated. And there's not much that Apple can do about that. All they're going to lose is the insights into everything else outside of their ecosystem that the user does that Apple would normally inform them about. 

Dave Bittner: Right. 

Joe Carrigan: So they can either adapt to that situation, or they can say to the Apple user community, in order for you to continue using our services, you must opt in to share your advertising ID with us or you can't use our services. Now, that is not outside the realm of possibility with Facebook. We just saw them do that with WhatsApp a couple of weeks ago, where they said... 

Dave Bittner: Right. And they backed off. Yeah, they backed off (laughter) because so many people fled to other apps like Signal. 

Joe Carrigan: Right. Well, good. And people should stay on apps like Signal and not use... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Not use WhatsApp simply because it is a Facebook property. But yeah, Facebook had to back down from that. But I can see them doing that. And even if they don't - even if they back down again, they're probably still going to get some people who just go ahead and do it. I think that what would happen there is - this is a time, an opportunity, a market opportunity, for someone to start up a new social networking site that is - to replace Facebook that doesn't target users as much. And since this privacy discussion has come to the forefront, I think it's a good time for someone to strike while the iron is hot. I'm not going to invest any money in it of course, but (laughter)... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Other listeners are welcome to do that. 

Dave Bittner: (Laughter) You got to stand by your convictions... 

Joe Carrigan: Right. 

Dave Bittner: ...As long as it doesn't cost you anything. 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: A couple of interesting points from this article. A TapResearch survey found that 85% of respondents said they wouldn't allow apps to track them if given a choice. So... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Chances are that Facebook is really looking at a hit here in how they target ads. I do want to also say that, you know, Apple's not the golden boy here. Tim Cook is using the events of January 6 as a touchstone for this privacy practice. And he's saying that we shouldn't prioritize algorithms that advance conspiracy theories over privacy. 

Joe Carrigan: And, you know, I don't agree with that tactic, Tim. I don't think you need to highlight this specific event in order to advance your agenda here. You should just have this agenda as part of your privacy policy. And in fact, Apple has been planning on doing this for a long time. In fact, they were originally planning on giving users the option to opt in - or making it an opt-in system back in fall of last year. But they pushed that back. 

Dave Bittner: Right. 

Joe Carrigan: So this is not something that is a result of the events of January 6. It's been in the works for a while. I don't think that you need to use that - I think that's a little bit of demagoguing on the part of Tim Cook. So, you know, I say take what he says as the reasoning for a grain of salt - with a grain of salt. But I think there are plenty of perfectly good and legitimate reasons to do this just because. 

Dave Bittner: Yeah. Yeah. All right. Well, the article is in The Wall Street Journal. It's titled "Apple, Facebook Trade Barbs Over Privacy-Focused Business Models," written by Tim Higgins. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. 

Dave Bittner: For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Nothing runs like a Deere. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.