The CyberWire Daily Podcast 3.3.21
Ep 1281 | 3.3.21

RedEcho under investigation (amid reassurances). Stopping Operation Exchange Marauder. Containing Ursnif. Cyber proliferation. And another round in the Crypto Wars.


Dave Bittner: India continues to investigate the possibility of RedEcho cybersabotage of its power distribution system, but says any hack was stopped and contain. Microsoft issues an out-of-band patch against a Chinese-run Operation Exchange Marauder. The financial sector works to contain an Ursnif outbreak. CISA issues ICS security advisories. Myanmar and the difficulty of stopping cyber proliferation. Joe Carrigan looks at CNAME cloaking. Our guest is author Neil Daswani from Stanford University's Advanced Security Certification Program on his upcoming book, "Big Breaches: Cybersecurity Lessons for Everyone." And another round in the Crypto Wars seems ready to start.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 3, 2021. 

Dave Bittner: Indian authorities continue their investigation of the possibility that the Chinese threat actor Recorded Future calls RedEcho compromised portions of the country's power grid. Inquiries are in progress, at least in Maharashtra, according to India Today, and Telangana, reports Business Today. 

Dave Bittner: Business Today adds that signs of malware were found in some 40 substations. There may have been attempts at command-and-control communication from the Chinese-based threat actor trying to access power distribution systems operated by the Telangana State Load Dispatch Centre and Tstransco. CERT-in, the Computer Emergency Response Team of India, advised both organizations to take appropriate precautions against those attempts. Telangana Today says that utilities have taken various measures to reduce the possibility of cyberattack, including blocking risky IP addresses, changing operator credentials and isolating equipment suspected of having been compromised. 

Dave Bittner: India's Union Power Ministry confirmed to The Hindu that it had received warnings of the RedEcho operation and its possible use of ShadowPad malware, but that prompt action had prevented a data incident. According to the Ministry, such attacks failed. Quote, "there is no impact on any of the functionalities carried out by the Power Sector Operations Corporation due to the referred threat. No data breach/data loss has been detected due to these incidents." As The Hindu notes, the statement made no explicit mention of the power outage in Mumbai on October 12, 2020. The reference to data breaches and data loss and their prevention also leaves aside discussion of the sort of sabotage The New York Times discussed in its coverage earlier this week. 

Dave Bittner: Microsoft warned late yesterday that the Chinese state-directed threat actor HAFNIUM was actively exploiting four zero days in on-premises Microsoft Exchange Server 2013, 2016 and 2019. Redmond has issued out-of-band patches for all four vulnerabilities, and it urges users to apply them immediately. HAFNIUM is a cyberespionage group active mostly against organizations in the US, especially infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. While based in and directed from China, HAFNIUM operates for the most part from leased virtual private servers in the U.S. Microsoft offers its attribution with high confidence and says it's based on observed victimology, tactics and procedures. The company characterizes HAFNIUM as a highly skilled and sophisticated actor. The description of HAFNIUM's operation suggests that it represents a cyberespionage actor. 

Dave Bittner: Microsoft stresses that this campaign and the actor behind it are completely unrelated to the recent SolarWinds supply chain compromise. Redmond credited security firms Dubex and Volexity with helping identify the exploitation. Volexity dates the onset of the campaign (which it calls "Operation Exchange Marauder") to January 6 at least. 

Dave Bittner: Prague-based security company Avast has obtained information on victims of the venerable Ursnif malware and has reached out to payment processors, banks and financial services information sharing groups to help facilitate remediation. 

Dave Bittner: Ursnif came to defenders' attention in 2007 when it surfaced as a banking Trojan. It's evolved since then to encompass other capabilities and new uses. Avast has located credentials, pay card and banking information the Ursnif operators appear to have taken from victims during recent criminal activity, and the firm is sharing that information with organizations in a position to notify and assist the victims. Much recent Ursnif activity has targeted Italy. Avast says it's seen evidence that more than 100 Italian banks were affected, and so one of the company's key partners is CERTFin Italy

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday issued three more ICS security advisories. The latest cover products by MB, Rockwell and Hitachi. 

Dave Bittner: The New York Times reviews cyber proliferation to Myanmar's junta. The report indicates the perennial difficulty of restricting the spread of dual-use technologies - that is, not only tech that has entirely legitimate civilian uses, but technology that has lawful military and law enforcement uses, but which should be kept away from governments likely to use it for illicit repression. 

Dave Bittner: Singled out for particular mention are field units produced by the Swedish firm MSAB that can download the contents of mobile devices and recover deleted items and MacQuisition forensic software that extracts data from Apple devices. MacQuisition is made by BlackBag Technologies, a U.S. company that was acquired late last year by Israel's Cellebrite. 

Dave Bittner: Both companies say the tech in question appears to represent legacy systems, and that they had suspended sales to Myanmar before this year's coup. Some of the tools may have been provided by various middlemen. The report in the Times might be considered a useful case study of the sort of problem the Atlantic Council addressed in its report on initial access brokers and cyber proliferation earlier this week. 

Dave Bittner: And finally, familiar lines appear to have been redrawn in Washington for a coming engagement in the Crypto Wars. The Washington Post reports that FBI Director Wray has mentioned the difficulty of adequately tracking domestic extremists when such extremists are able to avail themselves of end-to-end encryption. The opposing side says this misses the point, and that weakening encryption will only serve ultimately to weaken security generally. As one expert put it, in the old days, when you had a legal wiretap on the mob, sometimes the mobsters whispered and played a loud radio in the background. You can't always get what you want. 

Dave Bittner: Neil Daswani is co-director of Stanford University's Advanced Security Certification Program, and he's author of the new book "Big Breaches: Cybersecurity Lessons for Everyone." We caught up recently to discuss his new book. 

Neil Daswani: One of the reasons that I wrote this book is because I'd been studying some of the biggest breaches that have been taking place for the past seven years. I started studying these big breaches even before I became a chief information security officer for LifeLock quite a while back. And I also spent time just trying to understand - do some core research - as to what are the root causes of all of these data breaches so that we can get a handle on them and hopefully do a better job at preventing them in the future. 

Dave Bittner: Well, let's go through it together. I mean, what are some of the - are there common things that your research has brought to bear here when it comes to the big ones? 

Neil Daswani: Yes, absolutely. So in the "Big Breaches" book, I go back to 2013 and start with telling the histories and stories behind the breaches at Target, JPMorgan Chase, OPM, Yahoo!, Equifax, Capital One. And all of the mega-breaches pretty much have similar root causes. Chief information security officers have hundreds of, I'd say, security compliance checkboxes that they need to check, but there's really six things that these breaches come down to, and they are phishing, malware, software vulnerabilities, unencrypted data, third-party compromise and abuse and inadvertent employee mistakes. If you're an organization that wants to defend yourself against a breach, I'd focus on those six things first, and you'll overwhelmingly reduce your susceptibility to being breached much more effectively than, you know, trying to check a whole bunch of checkboxes. 

Dave Bittner: Well, so what are the take-homes for you? What do you hope people get out of reading the book? 

Neil Daswani: Well, I hope that most of the security professionals and chief security officers take away that, if they focus on the six key technical root causes of breaches, they can make a significant advancement in mitigating their risk due to a breach in an environment where, if you look at an average organization, they might have to satisfy PCI compliance standards to take credit cards. They might have to satisfy HIPAA if they're a health care organization. They might have to satisfy FedRAMP if they do organization with the government. And each of these security compliance standards has hundreds of checkboxes. And so there is a saying that complexity is typically the enemy of security. And if we simplify and focus on the six key technical root causes that have been at the heart of so many breaches, I think we can be a lot more focused in our cybersecurity defense and hopefully prevent more breaches in the future. 

Dave Bittner: That's author Neil Daswani. The book is titled "Big Breaches: Cybersecurity Lessons for Everyone." 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: There's an interesting story from The Hacker News. It's titled "Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique." What's going on here, Joe? 

Joe Carrigan: Well, it's a result of most of the browsers saying, we're going to block third-party cookies, right? So you can put third-party cookies into webpages by putting other URLs and requesting resources from them in your code, but that's pretty easy to block, right? I can just say, hey, the user is going to this domain, and they want to - this domain wants to load some resource from another domain. We're not going to do that. We're not going to load that other resource. We're not even going to request it. 

Dave Bittner: Right. 

Joe Carrigan: We're just going to ignore it. And because that is impacting advertising dollars, of course, now you have a very strong financial incentive to find a way around it. And a few advertising networks, looks like - they have found a way around it using something called CNAME cloaking. So a CNAME, or canonical name, DNS entry is a DNS entry that points to another DNS entry. It's a domain name that points to another one. And this is very common. It's absolutely required for the operation of the internet and the web. Say, for example, you have a domain, 

Dave Bittner: Yeah. 

Joe Carrigan: But you don't want to set up your own web server and everything. You want someone else to host that for you. So you go to some service provider, and they give you a domain that's, right? And you could tell everybody, hey, go to, but that seems kind of lame, right? 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: Wouldn't you rather just tell them, go to 

Dave Bittner: Absolutely (laughter). 

Joe Carrigan: So you make a CNAME entry that is that points to That's how it works. 

Dave Bittner: OK. 

Joe Carrigan: The problem is this also works for cookies - right? - because DNS happens outside of the web browser. So when these advertisers get in bed with the website, they say, OK, so, website, you're going to have a domain called, and that domain is going to have a CNAME entry that points to So the browser sees that as a URL that matches the domain that the user is visiting, and they go ahead and ask DNS for the IP address. And DNS does all the hopping around and returns just the IP address - right? - and goes out and requests the resource. And it's going to the advertisers' servers, but the web browser doesn't know that it's going to an advertiser server. 

Dave Bittner: So it's essentially making a third-party cookie look like a first-party cookie. 

Joe Carrigan: Exactly. Yep. From the browser perspective, it does exactly that. 

Dave Bittner: So - OK, so we're playing this game of cat and mouse... 

Joe Carrigan: Right. 

Dave Bittner: ...With these advertisers and these trackers. I mean, where do we stand in terms of blocking this sort of thing? 

Joe Carrigan: Right now, it's kind of hard to block these because - there are some mitigations that are available. Also, Firefox is rolling out something called total cookie protection that prevents cross-site tracking by confining all cookies from each domain into its separate cookie jar, they're calling it. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think that's very cute. 

Dave Bittner: Actually, it sounds like something that Kermit the Frog used on "Sesame Street" to protect against Cookie Monster. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Apple's iOS 14 and the Mac OS have come out with additional safeguards to build upon their existing features to shield third-party CNAME cloaking. That's - you know, it's - I don't know how they're doing it. I don't know what the technical backend is. But I imagine that within the web browser, they might build some kind of DNS engine that says, what does this resolve to? Does this resolve to a third-party domain? OK, shut it down. But then they have to - you know, that means they have to update the code. And now the browser is actually doing more of, you know, things it would - it should be offloading to DNS, but it's actually having to resolve it first because of this tactic. You know, that's just going to make things more inefficient. It's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Going to make your computers, you know - I don't know if it's going to make them run slower, given how fast everything is now, but it is unnecessary operations. 

Dave Bittner: Right. Right. This is why we can't have nice things. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: This article at Hacker News points out that Chrome and, by extension, Chromium-based browsers are not - they are the browser that are not blocking CNAME cloaking natively. Like (laughter)... 

Joe Carrigan: Right. Well, they're still not blocking third-party trackers natively. They've reluctantly agreed that they're going to come along on this. But the reason is because Chrome is built by Google. 

Dave Bittner: Right. 

Joe Carrigan: And a huge part of their revenue comes from advertising, from their advertising network. 

Dave Bittner: Right. 

Joe Carrigan: They're one of the biggest, if not the biggest, advertising network out there. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: So they don't have an interest... 

Dave Bittner: So it's sort of against their self-interest (laughter). 

Joe Carrigan: Right. It's a conflict of interest here. 

Dave Bittner: Right. Right. All right. Well, this is an interesting article, again, over on Hacker News - some neat technical details there. Thank you for helping us understand it, Joe Carrigan. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the special snack that makes ordinary occasions special. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.