The CyberWire Daily Podcast 2.4.21
Ep 1263 | 2.4.21

Kubernetes clusters attacked. Home insecurity devices. Update on the supply chain incidents. Incomplete patches. Marque and reprisal? Ransomware notes. Class clowns and zoom-bombing.

Transcript

Dave Bittner: As you may have heard, the CyberWire's new subscription program, CyberWire Pro, is designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the contact us link in the enterprise box. That's thecyberwire.com/pro, click contact us in the enterprise box, and we will help you become that office hero.

Dave Bittner: Hildegard malware is targeting Kubernetes clusters. Remote access flaws have been found in consumer security devices. A brief update on the spreading software supply chain incidents. Project Zero sees incomplete patches as the root of most successful zero-day attacks. Recruiting a privateer's crew. The current mood among ransomware victims. We'll search for the truth about 5G with Rob Lee and Rick Howard. And who's behind Zoom-bombing remote learning? A hint - the kids aren't all right.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 4, 2021. Palo Alto Networks' Unit 42 has found a malware campaign that targets Kubernetes clusters. The threat actors establish initial access through a misconfigured kubelet, then propagate their malware - which Unit 42 calls Hildegard - across as many containers as possible. The goal of the attack appears to be cryptojacking, and Unit 42 attributes the campaign to TeamTNT.

Dave Bittner: The campaign involving the use of Hildegard is, Unit 42 finds, both more evasive and more persistent than those using other kinds of malware. It's well adapted to gaining access to cloud resources, it encrypts its payload and it's able to hide its operation behind a legitimate Linux kernel process. It has at least two ways of connecting with its command-and-control infrastructure. It can either use an IRC channel or a reverse shell to do so. Computing sees the campaign as a precursor to a large-scale Kubernetes-based attack.

Dave Bittner: ReFirm Labs shares some research their colleagues at Florida Tech have completed. They looked at several widely sold home security devices - smart doorbells and home surveillance cameras - and found them rife with security vulnerabilities that could give an attacker remote privileged access sufficient to enable them to spy on the unwitting users. As the report puts it, the vulnerabilities could enable a remote attacker to gain privileged access to the devices, listen to all audio and video recorded on the devices and ultimately use the devices to covertly spy on their users.

Dave Bittner: ReFirm argues that the results should move industry and its regulators toward a system of IoT security labeling. They also argue that retailers have an important role to play in vetting products for security and privacy. They scold, quote, "retailers have policies to prevent selling products that burn down your house or make you sick. How about not selling horribly insecure IoT devices that turn your house into a hacker's playground?" end quote.

Dave Bittner: Gizmodo last night published a brief state-of-the-incident note on SolarWinds in which it notices the spread, the complex ramifications, of the known and suspected independent exploitation by both Russian and Chinese services. On the Chinese front, Nextgov says that the US Department of Agriculture's most recent word on a compromise of its National Finance Center Reuters reported earlier this week is that USDA hasn't seen any evidence that the compromise happened at all. Acting US CISA Director Wales told a meeting of the National Association of Secretaries of State that CISA's found no evidence that SolarWinds vulnerabilities were exploited against election systems, Reuters' Chris Bing tweeted. One effect some observers foresee is a chill on the cyber insurance sector, or so thinks Property Casualty 360. The exposure is considerable and imperfectly understood. Software supply chain attacks pose a novel actuarial challenge that the insurance sector has yet to master.

Dave Bittner: Google's Project Zero sees bad patching as a breeding ground of exploitation, CyberScoop reports. Project Zero writes, in a retrospective on 2020 the researchers call deja vu-lnerability, "when looking at the 24 zero-days detected in the wild in 2020, there's an undeniable conclusion. Increasing investment in correct and comprehensive patches is a huge opportunity for our industry to impact attackers using zero-days," end quote. Correct and comprehensive are the operative words. A correct patch is one that no longer permits exploitation of a vulnerability. A comprehensive patch can be applied everywhere, covering all variants. Project Zero doesn't consider patching complete until it's both correct and comprehensive. It's a failure, they think, on the part of industry to ensure that patches are complete, and this failure is responsible for the damage zero days have been doing.

Dave Bittner: So looking for some hackers with skills? Think your interviews aren't really working for you? Why not let them try out against a real target? Coin Telegraph reports that Red Balloon Security is sending job candidates an encrypted hard drive holding an alt-coin wallet containing about $4,800 in bitcoin. If they can crack it, they get to keep the money. And presumably, they get a nice callback that could lead to a good job. It's like using a letter of marque and reprisal as an HR tool.

Dave Bittner: Security firm Coveware reports that ransomware attacks are getting more destructive, as some of the criminals are apparently inadvertently wiping their victims' data. In what may be a related trend, fewer organizations are paying the ransom. It doesn't seem to pay. Not only does paying fuel a bandit economy, but there is no good way of enforcing the contract. The crooks may say they'll send you a key, and maybe they will, or maybe they won't. Or they may say they'll destroy their copies of the data they stole and which they threaten to release if they're not paid. But it requires a real leap of very misplaced trust to take the hoods at their word.

Dave Bittner: Still, ransomware remains a big problem, and relatively poorly protected organizations are especially vulnerable to damage. With that in mind, IBM has announced a $3 million program that would provide in-kind grants to schools, which have become favorite targets of the lowlifes in the ransomware criminal underground. Almost 60% of ransomware attacks in August and September of last year hit K-12 schools, and IBM's program represents one corporation's response.

Dave Bittner: And finally, during this pandemic thing you may have heard of, schools and universities are doing lots, most, sometimes all of their instruction online. And of course, a lot of that instruction is being delivered over Zoom. So what about Zoom-bombing, when trolls disrupt Zoom sessions to deride, insult or distract participants? It's still a problem. And why is it a problem? Well, Captain Obvious might ask, hey, do you know any people?

Dave Bittner: But now there's some science behind just knowing people. A team of researchers at Boston University and Birmingham University studied Zoom-bombing, and this must be understood in its most expansive sense, as extending beyond Zoom proper to the disruption of other platforms for remote collaboration. They found, basically, that the problem is typically the high school and college students themselves. 

Dave Bittner: One of the principal investigators told WIRED, quote, "our findings are basically that most of these calls seem to be targeting online classes, and they seem to be called by insiders. Students in the class are bored or want to piss off their lecturer or whatever, so they basically post details of their own classes online and ask people to join and disrupt them," end quote. 

Dave Bittner: At least in the French tradition of cahoutage, these students are doing their own hooting. At least in the American tradition of class-clowning, the class clown personally makes funny faces and nasopharyngeal eructations. But here, the kids are even outsourcing their own misbehavior - sad. And you - yes, you in the back row - stop doing that with your virtual face. What if it stuck that way? 

Dave Bittner: Here in the U.S., we are under a seemingly endless barrage of advertisements claiming that 5G is here and it's changing the world in all sorts of amazing and magical ways. And yet those who've gone out and done actual testing of 5G performance have been left occasionally wowed but often underwhelmed. Our own chief analyst, Rick Howard, looked into that apparent disconnect, and he files this report. 

Rick Howard: With the release of the iPhone 12 and Samsung Galaxy, 5G phone customers were expecting, you know, 10 times faster download speeds and a reduction in latency to almost zero. But for the most part, we are still seeing 4G performance. I reached out to Kurt Bantle to find out why. He's a senior solutions architect for Spirent Communications. 

Kurt Bantle: I think a lot of people realize - need to realize is that we're not really on a 5G core yet. There's a lot of improvement still yet to come. 

Rick Howard: As with any new tech, we're all going to have to get used to new acronyms. Kurt talks about four of them - EPCs, the Evolved 5G Packet Core; SGWs, or Serving Gateways; eNodeBs, the old 4G or LTE base stations; and gNodeBs, the 5G base stations. 

Kurt Bantle: So the backhaul to the network is still an LTE core. It's still an EPC. And it has all the interfaces that 4G had. You know, when we get to a 5G core, that's where we start to get to those incredibly low latency numbers that we're looking for. As we start to deploy a bunch of stuff to the edge, and I'm not a gamer, but, you know, online gaming via a wireless device becomes a very feasible application that people might be using. So from your device to the eNodeB and gNodeB are presenting us with speeds that are very similar to 4G numbers. 

Rick Howard: According to Kurt, the 5G networks are still deploying. Over the next few years, we will see steady improvement as network providers combine 4G and 5G infrastructure. But we are probably five to 10 years away before we get a ubiquitous international 5G network. When we get there, though, we will experience these exponential improvements in download speeds and latency. For people like me, I'm anticipating the higher download speeds. For Kurt, though, he is anticipating the new low latency numbers. 

Kurt Bantle: Just a little background, I'm an avocado farmer, too. And so I've been a huge IoT fan for decades because my farm is a giant IoT testbed. I have every technology imaginable pretty much deployed at my farm controlling things. So I get more excited about these low latency, small bandwidth applications for real-time control type things. I want to turn on a sprinkler valve and have it turn on, not I turn on a sprinkler valve, and, you know, maybe a couple seconds later or sometimes 30 seconds later, it turns on. Like, it's not - this is not a sustainable model for me. Lots of bad things can happen if, like, a valve doesn't open in time. 

Rick Howard: An interesting side benefit to 5G technology is that it will increase the competition for internet service providers. Homes and businesses will not have to rely on fiber to the building. On one telephone pole, you might have a choice of four or five providers. We will get this from something called beamforming. The technical term is Enhanced Mobile Broadband, or eMBB. 

Kurt Bantle: I do think that with beamforming and that eMBB aspect and getting the deployment down, to be able to get into your house in a fixed wireless application, I think that's another great aspect of 5G. Like, that to me is kind of game-changing, too. If I can displace the two, you know, people bringing broadband to my house and have maybe a choice of six different opportunities to get, you know, the same types of speeds and the same experiences that I get off of cable or fiber, I think that's a neat opportunity. 

Rick Howard: So for all you new Apple and Samsung 5G iPhone owners, have patience. 5G is coming. You may not be experiencing the download speeds and low latency times the salesperson promised you in the phone store, but it's coming. And you will start to see gradual improvements over time as the network providers continue to build the infrastructure. 

Dave Bittner: That's the CyberWire's chief analyst, Rick Howard. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I want to touch base and hopefully get a little bit of a reality check from you when it comes to 5G. And what I'm curious about specifically is, is there a difference in what we're seeing from the consumer launch of 5G and the types of things that you're seeing on the ICS side of things? I hear lots of people making all sorts of claims that, you know, 5G is going to make the world a better place for everybody in all sorts of ways. I have to say, I'm a little bit skeptical so far with what I've seen from the rollout. What's your take on this? 

Robert M. Lee: Yeah, I share your skepticism, but I acknowledge that the world is changing as well, right? And so every industry that I can think of in the industrial world has been talking about some level of digital transformation for more than a decade. And that's the concept of connecting up our infrastructures in ways they have been connected before to gain access to machine learning and cloud analytics and all sorts of different technology enablements. We even hear about IIoT, the industrial internet of things. 

Robert M. Lee: And the reality is our infrastructures are getting connected up. And it's not coming. In many ways, it's already here. And many of these companies are taking advantage of IIoT and cloud analytics and similar. The sort of hype around it is the belief that it's going to fundamentally change everything overnight or that even it could fundamentally change everything over time. And the reality is these are organizational changes, where, as the organization decides to take advantage of things like hyperconnectivity, that they take on new risks, and they've got to have compensating controls for that. But they also take on new value. And as they change the organization, it might be as simple and straightforward as more profit, but it might also be things like access to larger workforces and better work/life balance for the employees. 5G doesn't really change a lot of that. I can imagine there's going to be plenty of people that want to argue about this, and I appreciate that. But 5G doesn't fundamentally change things from the organizational level. Is it another technology to take advantage of? Yes. Is it potentially more dependable, therefore higher bandwidth reaching, you know, portions of the world that maybe, you know, previous connectivity couldn't reach? All aboard - happy to agree with all of that. But you still have to have the organizational change part to actually take advantage of those things. And in many ways, again, where we already have connectivity, it's not like bigger pipes are going to fundamentally then change either the risk portfolio or the opportunities in front of us. Many of the applications, especially in the industrial world that we're taking advantage of, don't even require that type of connectivity. But to your question, very candidly, will we see more 5G stuff in industrial? Absolutely. I saw Siemens the other day explicitly talk about an industrial 5G router and connectivity source that they're having. Will we see more companies buy new technologies that are 5G-enabled? Absolutely. But, yeah, to share the skepticism a little bit - just because it's 5G, I think it's getting bought into more. But I don't think the differences between 4G and 5G are really being explored when you're talking about connecting a pump or a sensor to a local system that is just now also connecting out to the internet. 

Dave Bittner: Are there things that you can imagine where - you know, specific examples where having this increased connectivity, which - having a bigger pipe - when that opens up possibilities, things that everyone has wanted to do but they've been unable to do for lack of these sorts of capabilities? 

Robert M Lee: Yeah. I mean, that's where I'm struggling, I guess. That's a simpler way to make my point that I haven't seen or been exposed to - so maybe this is my own visibility issues - but I haven't seen or been exposed to companies that have been limited by the bandwidth. They've been limited by the organizational side of their house going, what is the value in doing this? What is the risk? Do we want to take on the cost of doing this, et cetera? It's not been a discussion of, oh, well, we really want to do this. And as soon as 5G's here, we'll be ready. Like, that - I think the 5G thing is a little bit more marketing on that front. Now, again, is it going to change a lot of things for the better as it relates to, like, networking? Similar - maybe. I don't want to just put down all value of 5G. Obviously, there is value. I'm just speaking from the - are we going to get 5G appliances and then all of a sudden, things change? And the answer is no. In many ways, what 5G is doing for a lot of your service providers, like ISPs as an example, is now you're talking about digitally, you know, programmable networking instead of going through these large generational leaps. A lot of the 5G aspect is in the software kind of defined nature of it instead of just expecting large, bulky appliances. That's going to help ISPs and similar, absolutely. Is putting a 5G router in an oil refinery going to fundamentally change that oil company's business model? No, it's not. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Bring out your best. Listen for us on your Alexa smart speaker, too. CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.