The CyberWire Daily Podcast 2.23.21
Ep 1275 | 2.23.21

DDoS in hybrid war. Accellion compromise attributed. Initial access brokers. Agile C2 for botnets. US Senate’s SolarWinds hearing. US DHS cyber strategy. Shiny new phishbait.


Dave Bittner: Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadows tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns. IT executives to appear at U.S. Senate hearings on Solorigate. U.S. DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border. Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM. And don't be deceived by bogus FedEx and DHL phishbait.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 23, 2021. 

Dave Bittner: Ukrainian news agency Unian reports that Ukraine's SBU security services says it's been under distributed denial of service attack for several days. SBU representatives told Ukrayinska Pravda that the attack is obviously connected with Russia's ongoing hybrid war against Ukraine. 

Dave Bittner: The attack against secure file-sharing service provider Accellion has been attributed to the FIN11 and Clop ransomware gangs. FireEye's Mandiant unit, which has been working with Accellion to respond to the incident, says that exploitation began in mid-December and that the victims began receiving extortion notices in January. It appears to have been a pure extortion campaign. The Clop ransomware itself seems not to have been deployed. FireEye has remarked in the past that FIN11's successes have been predicated more on volume than on technical sophistication. So as the old Crazy Eddie commercials used to ask, what's your secret? And then gave the immediate answer - volume. 

Dave Bittner: Accellion has issued guidelines for its customers to help protect themselves against further damage from the compromise of its FTA service. In particular, the company recommends that FTA customers migrate to the company's Kiteworks service. 

Dave Bittner: Researchers at security firm Digital Shadows this morning released a report on initial access brokers, which they see as a relatively young, emerging sector of the criminal-to-criminal market. While they've been monitoring initial access brokers since 2014, during this past year, they've found some 500 criminals or criminal gangs selling initial access in underworld markets. 

Dave Bittner: The brokers serve, for the most part, ransomware operators. Initial access brokers find vulnerable organizations and then, acting as a middleman, sell access to potential victims to criminals who use that access to conduct ransomware attacks. The growth of this criminal market represents another stage in lowering the barriers to entry for less skilled cybercriminals. The middlemen have also learned from experience to obscure and redact the identities of the accessible networks they're hawking, the better to escape the attention of law enforcement organizations. 

Dave Bittner: The brokers rely on scanning tools to identify accessible networks. Should you have entertained any hope that they would regard certain targets, let us say, for example, health care organizations or essential services, well, put such hope aside. They don't appear to regard any targets as off limits. Digital Shadows suggests that companies use threat intelligence and in particular threat intelligence designed to detect when their own network's compromise might be up for sale, to disrupt the criminals' approach. 

Dave Bittner: Security firm Akamai reports that it's tracking a criminal botnet operator that's started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It's a simple yet effective way to defeat takedown attempts. The group is able to fetch real-time data from a decentralized source in a way that enables it to generate command and control IP addresses in simple and quick pivots. Akamai has made a comprehensive list of indicators of compromise available. 

Dave Bittner: SolarWinds' still relatively new CEO Sudhakar Ramakrishna will appear before a congressional committee investigating Solorigate this week, according to The Washington Post. His public statements foreshadow the testimony he's believed likely to give. FCW reports that he told the Center for Strategic and International Studies' virtual meeting yesterday that what happened to SolarWinds could have happened to anyone. He's also advocated, Nextgov says, incentivized risk information sharing with some protection against liability. Some such protections have already been enacted, but Ramakrishna thinks more are in order. He also points out that restrictive clauses in federal contracts have sometimes inhibited fuller information sharing. 

Dave Bittner: The hearings are taking place before the Senate Select Committee on Intelligence. Ramakrishna will not be the only tech executive to appear on Capitol Hill today. He'll be joined by FireEye chief executive Kevin Mandia, Microsoft President Brad Smith and CrowdStrike chief executive and President George Kurtz. MSSP Alert thinks that at least two questions are likely to be addressed during the hearings - first, how much cleaning up after the SolarWinds supply chain compromise is likely to cost, and second, what's the impact on company revenues? Specifically with respect to SolarWinds itself, did its disclosures prompt buyer concerns? Did the company lose revenue, and is it experiencing other forms of revenue pressure? 

Dave Bittner: The US Department of Homeland Security has announced a range of intentions aimed at furthering President Biden's call for improved security. The department's announcement suggests more continuity than change, as it describes with satisfaction such accomplishments as securing the 2020 election against cyberattack, especially by timely information-sharing with state and local election officials, lending urgency to remediation and providing incident response assistance, collaborating with government and private sector partners to defend against North Korean cyberattacks on financial institutions, improving vulnerability disclosure and facilitating the growth of shared cybersecurity services among federal civilian agencies. Among new initiatives announced will be a campaign to reduce the risk posed by ransomware and a new requirement that recipients of Federal Emergency Management Agency grants increase their minimum cybersecurity spend. 

Dave Bittner: And finally, be on the lookout for phishing emails baited with what appears to be notices from shippers FedEx or DHL Express. Armorblox this morning warned that a campaign was in progress and that it appeared to be targeting, for the most part, Microsoft email users. The phish bait is pretty convincing but, of course, entirely bogus. Still, it does look like the sort of shipping notice one might receive, and it would be easy to bite. The criminals' goal appears to be theft of work email credentials. The lures use convincing logos and layouts, and an unwary user more attuned to look than language might fall for them. But some of the examples Armorblox gives suggest that the crooks still suffer from weak idiomatic control. Still, look and think before you click. 

Dave Bittner: The CyberWire's own CSO, Rick Howard, has been talking to experts about DevOps and infrastructure as code and how that design philosophy applies to security. He files this report. 

Rick Howard: For the past few years, the SIEM market has been going through some changes as vendors transition to delivering their product from the cloud and competing with SOAR products to move the security community closer to the DevSecOps model. I sat down with Ariel Assaraf, founder and CEO of Coralogix, a SIEM product, on this changing and perhaps merging landscape. I started by asking Ariel to clear up a misunderstanding in the InfoSec community about the cost of storing SIEM data in the cloud. 

Ariel Assaraf: I think what a lot of companies try to do - and they provide very good product - but what they try to do is to take SIEM that was deployed on-prem and just put it on the cloud and then say, OK, in the cloud, my infrastructure limitations are smaller because I can easily scale and I can use a lot of disc (ph), so I think that the problem is solved. But then you run into another problem, which is there's just too much data. That means that is extremely expensive, and that means that there's a lot of clutter. 

Ariel Assaraf: So when we took SIEM to the cloud, we said, OK, it's not enough to just put it in the cloud. We need to figure out a new way to handle data because companies on-cloud are actually generating a lot more data than companies on-prem because of what we just said - it's easier to scale, it's easier to add machines, it's easier to add devices. The cost of storing is not lower, but the option of scaling the storage and machines is much easier. 

Rick Howard: Among the new features in these new cloud-delivered SIEMs are the way that they can process alerts. 

Ariel Assaraf: Now we ingest, analyze and then store. So we know a lot of stuff on the data way before it's stored into the storage. So we understand, for instance, whether a specific record has a suspected ID (ph), or specific records form an anomaly, or something triggered an alert that you care about, or something was enriched with your own data source making it important or, if you define a certain component to be critical and you define that, it has to be stored. 

Ariel Assaraf: So we know all that before we get to the point where we store the data, so we only put the relevant information under the index. And all the rest of the information goes to an archive that can be queried on a lower frequency just in case, you know, you need the forensics or for compliance reasons. 

Rick Howard: Another interesting change in the SIEM market as well as the SOAR market is a convergence of the two. SOAR tools are adopting SIEM capability, and SIEM tools are adopting SOAR capabilities. 

Ariel Assaraf: It started with a few interesting acquisitions - you know, you look at Splunk and Phantom and then Sumo Logic and JASK. So obviously, we see acquisitions and then merging those products into a single solution of SIEM and SOAR. I think that there is still much to do in both of them that it's going to take some time. At the end, just like the DevOps tools - again, I like to compare these two markets - DevOps tools started with metrics products and then log analytics products in separate and then APM separately. And then they're all combining to these mega observability platforms. I think the same will happen with security. It's going to take some time. 

Rick Howard: SIEMs have been around since the early 2000s, but SOAR has only popped up in the last three years. Still, it wouldn't surprise me that in just a few short years, we won't have separate categories for these products. They will merge into a bigger product of combined capability. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: Interesting article. This is from the Courthouse News Service, and it's written by Thomas F. Harrison. It's titled "1st Circuit Upholds Border Searches of Phones and Laptops." This is an ongoing thing here, more - I don't know - confirmation that the folks at the border have the right to rifle through our belongings. 

Ben Yelin: Yeah, it sure is. So we've seen a lot of conflicting case law on this. This is a pretty serious problem because the last year for which we have reliable data, 2017, there were 30,000 of these searches at the border. So it's more common than you would think. And this - we're talking about searches of the digital devices of U.S. persons. So it's not, you know, searching people who are tourists to this country or who are immigrating to this country. It's people who are U.S. citizens. 

Ben Yelin: So what the 1st Circuit is saying in this decision is that border searches qualify as what's known as a special need in Fourth Amendment jurisprudence, meaning it's a special governmental need beyond, you know, mere law enforcement, beyond mere - the mere apprehension of criminals, because, you know, we need strict border searches to protect our national integrity, to protect our safety. And so as a result of that, they are saying that warrantless searches of these devices at the border - so at airports or at border crossings - are allowed, even if the border agents don't actually have any suspicion. And this is in conflict with what another judicial circuit has said. The 9th Circuit said that in order to have these searches, you have to have at least reasonable suspicion that you're going to find something of value. 

Ben Yelin: I, you know - it's - obviously, I respect the need to protect our borders, to, you know, make sure that everybody we let into the United States or back into the United States is not going to do anything to jeopardize our security. But, you know, there are some issues in having these suspicionless searches at the border. One thing that this case brings up is there are some racial and ethnic biases that go into the decisions to search devices. So all of the plaintiffs in this case brought by the ACLU and the Electronic Frontier Foundation are Muslims or people of color. So, you know, I think it's something where suspicionless is maybe the term of art, but there perhaps is some suspicion merely on the basis of somebody's race or ethnicity. And I think that's something that - for which we need to be mindful. 

Dave Bittner: Yeah, this article points out some nuance here that I was not aware of. It says that current government policy is that agents can rummage through phones and laptops for no reason, although they can't access the Internet while they search, and they must have reasonable suspicion to hook the device up to an external machine to extract data or to view deleted or encrypted files. That's interesting to me. 

Ben Yelin: Put everything in the cloud, people. That seems to be the lesson here. 

Dave Bittner: (Laughter). 

Ben Yelin: Be careful what you write in your notes application because... 

Dave Bittner: Yeah. 

Ben Yelin: Yeah, that's right there for the taking - or as we've talked about, any alerts you're getting, notifications on your phone or the picture that you use as your backgrounds - don't show yourself selling drugs in that picture. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: Yeah. I mean, it seems like that's kind of a - and I'm sure there are reasons for it - but it seems to me to be, at least on its face, kind of an arbitrary dividing line. You know, if it's OK to rummage through somebody's device, how much of a difference does it make if you have internet connectivity? 

Dave Bittner: Yeah. 

Ben Yelin: I mean, I guess it makes some difference, but it just seems to me like a bizarre place to draw a distinction. 

Dave Bittner: Does this push us one step closer to having this head to the Supreme Court? 

Ben Yelin: Yeah. So anytime you see a circuit split like this, that usually means that we're on a collision course that will end up at the Supreme Court. It doesn't always mean that, but it certainly makes it more likely. This means that you've had some of our most prominent jurists looking at the same issue and coming to different conclusions. And that might, you know, require something that leads to a Supreme Court resolution. 

Dave Bittner: Yeah. I suppose in this case, that would be welcome - to have some, I don't know, some finality on this. 

Ben Yelin: Yes, just some clarity, you know, so people can have expectations when they're crossing the border. Is it acceptable for Customs and Border Patrol agents to search my laptop without any suspicion? Right now, it's largely unclear and perhaps based on where you are making your border entry because that determines which federal court of appeals has jurisdiction. 

Dave Bittner: Oh, yeah. 

Ben Yelin: So, you know, the 1st Circuit is in the Northeast. So make of that what you will. The 9th Circuit is on the West Coast. You know, perhaps there are some important nuances and differences in terms of the geography. 

Dave Bittner: (Laughter) Right, right - you can shop your border crossing based on privacy, right? 

Ben Yelin: Yeah. 

Dave Bittner: How you want to come in and out - yeah. 

Ben Yelin: Maybe I'll use the, you know, LA airport instead of the New York airport, even if it's a little bit out of the way, right? 

Dave Bittner: (Laughter) Just a little, just a little. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah, yeah. All right. Well, interesting development for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. So much pin-punishing power, it's almost unfair. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.