The CyberWire Daily Podcast 2.24.21
Ep 1276 | 2.24.21

Accellion FTA compromise spreads. Ocean Lotus is back. LazyScripter seems to represent a new threat group. Notes from the SolarWinds hearings. New ICS threat actors.
Dave Bittner: As more organizations are affected by the Accellion FTA compromise, authorities issue some recommendations for risk mitigation. OceanLotus is back and active against Vietnamese domestic targets. LazyScripter is phishing with COVID and air travel lures. SolarWinds hearings include threat information, exculpation and calls for more liability protection. Turkey Dog is after bank accounts. Joe Carrigan ponders the ease with which new security flaws are discovered. Rick Howard speaks with our guest, Michael Dick from C2A Security, on automotive security. And some new ICS threat groups are identified.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 24, 2021. 

Dave Bittner: Canadian aircraft manufacturer Bombardier yesterday disclosed that it had suffered a limited data breach accomplished through a third-party file-sharing application. Some personal and other confidential information relating to employees, customers and suppliers was compromised, the company said. 

Dave Bittner: Bombardier didn't identify the third-party application through which the breach was accomplished, but others have called it Accellion's FTA. ZDNet and The Register both report that the Clop ransomware gang posted what appeared to be Bombardier design documents on its leak site. 

Dave Bittner: A joint advisory from authorities in Australia, New Zealand, Singapore, the UK, and the US outlines the risks of the Accellion FTA compromise and recommends risk mitigation measures. The alert, which is hosted on CISA's site, recommends that FTA users temporarily block internet access to and from any systems that host the software, check for evidence of malicious activity and especially for the indicators of compromise included in the alert, consider auditing FTA user accounts for unauthorized changes, reset security tokens on the system and upgrade to the latest version of the Accellion product. 

Dave Bittner: FTA is going to reach its end-of-life at the end of April. CISA and its partners point out that migrating away from FTA before it gets to that point would be a good idea. 

Dave Bittner: Amnesty International reports that Vietnam's OceanLotus cyber intelligence group is surveilling dissidents in a renewed spyware campaign. The spyware comes in Windows, Android and macOS variants, and Amnesty's Security Lab says the tool allows full monitoring of a compromised system, including reading and writing files or launching other malicious programs. 

Dave Bittner: Researchers at security firm Malwarebytes are tracking a new threat actor they're calling LazyScripter that's targeting airlines and job seekers with malware-laden phishing documents. In a report released this morning, Malwarebytes says the threat actor is using the Octopus and Koadic RATs, as well as LuminosityLink, RMS, Quasar, njRAT and Remcos, against its targets. They're treating the group provisionally as a new player, despite some similarities between its tactics, techniques and procedures and those used by other groups. 

Dave Bittner: LazyScripter uses GitHub to host its malware. The group deleted two of its GitHub accounts in January and then created a new one on Groundhog Day, February 2. 

Dave Bittner: LazyScripter prefers to embed its malicious executables in icons purported to be PDF, Excel or Word files, as opposed to using malicious Office macros. 

Dave Bittner: The threat actor seems to have begun its operations in August of 2018. It began by phishing people seeking to immigrate to Canada by offering them access to job-seeking programs. That continued until January of 2020, when the phishbait changed to the shinier lure of COVID-19 themes. Most recently, this past November, the group began to target the International Air Transport Association and those airlines that use BSPLink software to access IATA's Billing & Settlement Plan. That particular interest may be an enduring one. Malwarebytes says this particular finding indicates that this actor is constantly updating its tool sets to target new systems developed by IATA. 

Dave Bittner: So who exactly is LazyScripter? Russia's APT28 and Iran's MuddyWater espionage groups are both known to have used the Koadic Trojan, but in itself such circumstantial evidence is less than dispositive. The researchers believe the differences between the two groups are significant enough to warrant LazyScripter being tracked as a new threat actor, and they don't attribute the activity to any particular nation-state. For one thing, LazyScripter relies on a number of open-source tools, while MuddyWater has shown a strong preference for bespoke malware. 

Dave Bittner: Yesterday's hearings before the US Senate Select Committee on Intelligence outlined the scope of the SolarWinds hack. Reuters characterizes the testimony of the four companies who appeared - SolarWinds, Microsoft, FireEye and CrowdStrike - as apologetic for their handling of the incursion. Seeking Alpha reports that CrowdStrike singled out Microsoft Windows' antiquated authentication architecture as enabling the cyber-espionage campaign. According to MarketWatch, Microsoft itself reiterated its belief that the Russian operation involved over a thousand software engineers. 

Dave Bittner: Nextgov says SolarWinds recommends more liability protection, suggesting that it found information sharing difficult because companies fear being exposed to litigation and that incident response would have proceeded more happily and effectively without fear that collaboration with other organizations might get them sued. It's worth noting, as others have pointed out, that information sharing has for some time been protected by the SAFETY Act and especially the Cybersecurity Information Sharing Act of 2015. There's certainly litigation over data breaches, and SolarWinds, no doubt, has considerable exposure, but it's not unclear how information sharing especially contributes to the famous rapacity of the plaintiff's bar. 

Dave Bittner: RiskIQ reports on the activities of Turkey Dog, a criminal operation that's targeting Turkish-speaking victims with the Cerberus and Anubis banking Trojans. Turkey Dog's interests are obvious. It's into fraud and banking account looting. 

Dave Bittner: ICS security shop Dragos this morning released its annual report on industrial control system security. Among its general conclusions is that there's still only limited visibility into industrial control systems and that detection, triage and incident response remain difficult to execute and especially difficult to scale. 

Dave Bittner: One of their specific findings has attracted attention. Dragos analysts have identified four distinct new ICS activity groups that are principally interested in the energy and manufacturing sectors. They call these groups KAMACITE, STIBNITE, TALONITE and VANADINITE. Of these, KAMACITE is particularly interesting. It's been working with the GRU's Sandworm unit against electrical power grids. KAMACITE seems to have served as an access team for its GRU colleagues. 

Dave Bittner: And finally, speaking of ICS security, CISA yesterday issued three advisories for industrial control systems, one addressing Rockwell Automation systems, two for systems from Advantech. Those advisories come with remediation. If you operate those systems, by all means, take a look. 

Dave Bittner: The CyberWire's own chief security officer Rick Howard has been talking to experts about automotive security in terms of the near future of 5G and autonomous cars. Here's Rick. 

Rick Howard: Michael Dick is the CEO of C2A Security, an Israeli company that provides the automotive industry with end-to-end in-vehicle cybersecurity protection. 

Michael Dick: Hi. This is Michael Dick speaking. 

Rick Howard: I asked him about the history of cybersecurity in the automotive industry. 

Michael Dick: Traditionally, what's happened is that the cars, you know, were designed on technology that was available 40 years ago. You know, CAN bus technology, for example, is one of the networks that runs in vehicles today. CAN bus was developed, was invented by Bosch 40 years ago. They never thought in those days about security and so much software and all this type of stuff. And as time has gone on, they've added on more computers. Any new feature that comes into the vehicle, they add another computer. 

Michael Dick: Today, in a car, they call them ECUs - electronic control units. Like, a high-end vehicle, you might have 200 ECUs, 200 computers in the vehicle because every new feature is a new computer that they put in to be able to control that new feature. 

Rick Howard: As with many business sectors, the automobile industry layered on new features and enhancements incrementally. 

Michael Dick: You know, it's becoming patch on patch on patch. It's like - you know, and software developers will call it spaghetti code. There's so many wires and computers, and it's becoming impossible for them, for the car manufacturers and generally for the industry, to manage this on this (inaudible). You know, you can't take an old architecture and just keep on patching it for more and more and more features. Eventually, it just becomes - you can't manage it anymore. 

Rick Howard: But Michael does say that there has been some movement in a new direction. 

Michael Dick: So there's a lot of discussions now and developments on new architectures for vehicles - zonal-type architecture, much fewer ECUs, much stronger computers running multiple things in the vehicle. 

Rick Howard: But what's clear is that our very notion of just what a car is will fundamentally change. Instead of it being a mechanical device dependent on a human to control it in some analog fashion, it is moving towards becoming a completely digital software platform on wheels with high-end entertainment systems and a sensor package that is equivalent to a current day F-35 jet fighter. 

Michael Dick: Yeah. I've heard some people say that it's a mobile phone on wheels, but (laughter) - but I think as time goes on, the vehicle is becoming less and less mechanical. From a software perspective, obviously, it's becoming more and more complicated, and it's becoming, like, a software-defined vehicle. 

Rick Howard: In terms of security, we are just starting to see the automobile industry begin to grapple with the same problems that their traditional and stationary enterprise counterparts have been wrestling with for 25 years. 

Michael Dick: You know, you'll have, for example, firewalls in big businesses. And it's just - it goes without saying that you will have some type of a configuration system where you'll be able to - you know, you've got a new user. You want to open a port. You need to do a reconfiguration because there's some security violation, whatever it is. These automatic configurations will allow you to do that and to do - you know, to deploy the software to the endpoints that are needed, et cetera, all automatically. 

Michael Dick: We're going to have to do the same thing for vehicles. They are going to become, you know, sophisticated software on wheels. We've seen companies that are offering the automotive ecosystem, as you describe it - they are offering services. They say, oh, we can run this for you. We can put a big team together that will be able to configure everything and make sure that everything's safe on an ongoing basis, et cetera, which is - the car manufacturers are not used to this. They don't have departments that are doing this. They don't have tens of people that are doing this. They are used to having one. 

Rick Howard: And you all thought managing and securing cloud environments was hard. Doing it with a fleet of moving vehicles adds a nice little wrinkle to this already complex job of securing things and still allowing them to be useful. As Sir Austen Chamberlain said in 1936, describing a Chinese curse that he totally just made up, may you live in interesting times. Indeed, sir. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. How are you? 

Dave Bittner: Doing well, thanks. There's an interesting article that came by from the MIT Technology Review, written by Patrick Howell O'Neill, and it's titled "Google Says It's Too Easy for Hackers to Find New Security Flaws." What's going on here, Joe? 

Joe Carrigan: Well, the article sounds like they're complaining about how easy it is for hackers because of tools or something, but it actually isn't that at all. It's actually because of development practices. 

Joe Carrigan: And they talk to Maddie Stone, who works at Google's Project Zero, and they're talking about - she's talking about some vulnerabilities that were discovered in Internet Explorer. And how these vulnerabilities were discovered - they were all zero-day vulnerabilities, but the first one was discovered in September of 2019. And once that one was patched, there were subsequent discoveries in November of that year, January and April the following year, and at least five zero-day vulnerabilities being exploited from the same bug class in short order. 

Joe Carrigan: And further down in the article, there's a quote from a man named John Simpson, who works at Trend Micro, who says, in the worst case, a couple of zero-days that I discovered were an issue of a vendor fixing something on one line of code and literally on the next line of code had the exact same type of vulnerability, and they didn't bother to fix it. 

Joe Carrigan: So what we're seeing here is that these - is people write code, right? And those people have coding practices. So if you're doing something in code and you are doing it wrong, chances are that's a skill error - right? - a defect in skill, not necessarily a defect in coding. So if that coder continues to write that way, that error is going to exist all over that application. It's not just going to be in one place. And that's kind of the crux of this article. 

Joe Carrigan: The article also focuses on patching these vulnerabilities. Simpson from Trend Micro says we can - you know, we can talk till we're blue in the face. But if they're not doing the patch management and the patch updates properly - if they're just going in and fixing the one bug and not looking or doing a code audit for all the other bugs that might be in there, they're never going to find them. 

Joe Carrigan: I think the problem is multilayered here. First off, the development problem is what is the root of this. You know, there are studies out there that show when you have a defect in code, the cheapest time to fix that is before you start doing integration testing. 

Dave Bittner: And software is so complex these days. I mean, there are so many... 

Joe Carrigan: Software is remarkably complex. And not only... 

Dave Bittner: ...So many dependencies. 

Joe Carrigan: Yeah, exactly. Not only is it complex, but we build software, and we rely on tons of other libraries that we don't control, as well. 

Dave Bittner: Yeah. I mean, these libraries are like Lego blocks... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, putting together your software. And it makes total sense to use them. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: I've seen people say it's impractical to do it any other way at this point. But with that convenience comes certain vulnerabilities. 

Joe Carrigan: Well, that's an excellent point, Dave. There really is no way to build a large software program now from the ground up. I mean, I guess you can, but it is very expensive. And it's a lot faster and cheaper to use the libraries that are already existing. 

Dave Bittner: Yeah. Yeah. What are they - what do they get at here in this article in terms of mitigation or solutions to this issue? Any suggestions that come out? 

Joe Carrigan: Dave, actually, at the end of the article, they talk about Apple, who had some zero-days in one of their iMessage phones. And instead of narrowly approaching the specific vulnerability, the company went into the message of - the guts of iMessage, they say. So essentially, it sounds like they did, like, a full code review of the project to address these fundamental structural problems that people were exploiting. 

Joe Carrigan: That's probably what has to happen for these projects that are vulnerable, particularly with Internet Explorer. You know, Microsoft - this was a problem that Microsoft had back in the '90s and the early 2000s is that they would - they were not really regarded as a company that was good at security. 

Dave Bittner: Right. 

Joe Carrigan: I think that's changed. I think Microsoft does a much better job now. But still, they still have that holdover from Internet Explorer, which was just never a really good browser, but it had a huge market share. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. But comparing Internet Explorer to Apple's iMessage is not really a fair comparison. You're comparing Apples to Microsofts here. It's... 

Dave Bittner: (Laughter). 

Joe Carrigan: That's a pretty good joke. Feel free to use that one. 

Joe Carrigan: It's - iMessage is probably a very small code base compared to Internet Explorer. Internet Explorer is originally based on Mozilla, which was, like - Microsoft didn't own that to start with. And it's a large, complicated program, as opposed to a simple program that just sends you messages and does end-to-end encryption. 

Joe Carrigan: And maybe that's the way we should go in the future, is we don't build these large, monolithic programs anymore. We build small programs that do little things for us, and the users just collect these small programs, and hopefully the small programs are more secure. 

Dave Bittner: And give them the ability to maybe interact with each other in a secure way. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: Like, much like Linux. The whole Nix architecture is what they call Taco Bell programming, you know, where you essentially use the operating system and all the operating system tools to build functionality that you would have to write code for in other operating systems. 

Dave Bittner: Right. Right. You have a limited set of ingredients, but with those, you can make many, many different delicious food items. 

Joe Carrigan: Exactly, yes. 

Dave Bittner: (Laughter) All right. All right. Well, again, the article is from the MIT Technology Review. It's titled "Google Says It's Too Easy for Hackers to Find New Security Flaws." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - chocolate, caramel and a surprising cookie crunch. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.