The CyberWire Daily Podcast 3.5.21
Ep 1283 | 3.5.21

SUNSHUTTLE backdoor described. What the Exchange Server campaign was after. Misconfigured clouds. Airline IT service provider attacked. Criminal-on-criminal crime.


Dave Bittner: A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyberthreat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyberattack. Dinah Davis helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, March 5, 2021. 

Dave Bittner: FireEye reports finding a second-stage backdoor in one of the victims of the SolarWinds compromise, and the company’s Mandiant unit thinks it possible that the backdoor, which they’re calling SUNSHUTTLE, is connected with the threat actor they track as UNC2452. Mandiant wrote, quote, "the new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its blend-in traffic capabilities for C2 communications. SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other SUNBURST-related tools," end quote. UNC2452 has been associated with the SolarWinds supply chain exploitation, but FireEye stresses that its researchers have not fully verified a connection with SUNSHUTTLE. 

Dave Bittner: FireEye is also tracking the exploitation of the Microsoft Exchange Server zero days patched this week. Quote, “The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms,” end quote. Their investigation continues. 

Dave Bittner: Indian media outlets continue to warn of alleged Chinese cyberattacks on India’s infrastructure. The reports center on conclusions reported by Recorded Future, which yesterday confirmed that it had found no evidence of Chinese cybersabotage in the power outages Mumbai sustained in October. Recorded Future is quoted by CNBC as saying that it is tracking the threat group RedEcho, which is targeting India’s oil and gas assets, electricity sector, maritime assets and critical rail infrastructure. The motive appears to be staging. As Recorded Future said, quote, “this is not for any economic espionage opportunity, but it is targeted at future disruptive cyber operations.” So it’s not theft, but it could be battlespace preparation. 

Dave Bittner: Zimperium warns that unsecured cloud configurations are exposing data from a large number of mobile apps. Both Android and iOS apps are affected. Cloud storage solutions are attractive to app developers because of the efficiencies they provide and because they enable storage of information necessary to API calls. Zimperium said, quote, "in our analysis, 14% of mobile apps that use cloud storage had unsecure configurations and were vulnerable to the risks described in this post. In apps around the world and in almost every category, our analysis revealed a number of significant issues that exposed PII, enabled fraud and/or exposed IP or internal systems and configurations," end quote. 

Dave Bittner: It’s not that the cloud services don’t provide detailed guidance on how to configure storage - and they’re large and well-regarded services that include Amazon Web Services S3, Google Storage, Microsoft Azure, and Google Firebase. Rather, it’s that users too often fail to follow that guidance and consequently misconfigure their storage in ways that turn out to be leaky. Both personally identifiable information and configuration have been found to leak. The lesson Zimperium draws is that cloud users should ensure that their cloud storage and their databases are not exposed, unprotected, to the Internet. And, of course, monitor for exposure or compromise. 

Dave Bittner: SITA, a leading provider of IT services to the airline industry, disclosed yesterday that it was the victim of a cyberattack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System servers. The company explained that its Passenger Service System operates passenger processing systems for airlines. 

Dave Bittner: Teiss notes that SITA serves about 90% of airlines worldwide with its reservation, ticketing, and flight departure information management systems. SITA has the breach under investigation. 

Dave Bittner: And finally, the hackers get hacked, too. KrebsOnSecurity reports that three of the largest and most influential Russophone cybercriminal forums were themselves hit by hackers who stole and exposed data taken from the sites. The forums were Mazafaka, also known as Maza, Verified and Exploit. Researchers at Intel 471 put the number of sites hacked at four, adding CrdClub to the list. Intel 471 has been unable to identify either of the hackers, but they have been able to confirm that data the hackers posted on various sites indeed seem to be genuine. The data include, according to Recorded Future, usernames, emails, account passwords and social media IDs. 

Dave Bittner: The motive of the incident isn't certain, but KrebsOnSecurity says that it seems likely to be a familiar one - money. Whoever was behind the intrusion was able, at least in the case of CrdClub, to induce the forum's customers to use a money transfer service misrepresented as having been vouched for by the forum's administrators. 

Dave Bittner: But even if you're disposed to trust crooks - and in fairness, any market, even a criminal-to-criminal one, would seem to require some measure of trust if it's to operate at all - your trust in this place would have been misplaced. Those who used that transfer service indeed found that their money had been transferred, but into the virtual pockets of other crooks, where it's gone, baby, gone. 

Dave Bittner: Troy Hunt is well-respected in the cybersecurity industry and perhaps best known for being the originator of the Have I Been Pwned online database of breached credentials, a public service if there ever was one. He's also a member of the NordVPN team of advisers, and he joins us to share his insights. 

Troy Hunt: Well, it's sort of an interesting time because on the one hand, we're getting more ubiquitous encryption than what we ever had before on the transport layer, which is good. And, in fact, I noticed just yesterday, I posted a link to a - the Facebook page for Have I Been Pwned, and Facebook gave me a warning. It said, it's not HTTPS. Are you really sure you want to do this? 


Troy Hunt: That's pretty cool. I like seeing that here. On the other hand, we've still got all of these edge cases where we just simply don't have Transport Layer Security. So a really good example - in fact, I did write about the very proposition of VPNs a few months ago, and I found that particularly the likes of banks are still not doing enough to enforce that the first request is sent over HTTPS. So they don't necessarily force all connections to be secure using things like HTTPS Strict Transport Security, which is out there, and it's free, and everyone has access to it. So there's still a really good value proposition, even on the first entry point to the bank, for products like NordVPN to make sure that that traffic isn't intercepted because if you can't get the first request through safely, then everything sort of falls apart after that. 

Dave Bittner: In terms of how people are perceiving VPNs, I mean, I think the message is out there that folks should be using them, but there's a lot of confusion around the various products that are being offered. You know, there's no shortage of free VPNs out there, and I think they tend to cloud the market a bit because you also hear these stories about, you know, if something's for free, you're the product - that... 

Troy Hunt: (Laughter). 

Dave Bittner: Your data's getting sold and so on. I mean, what are your recommendations for folks to kind of sort that out? 

Troy Hunt: I'm not sure how often I actually agree with that term, given I provide a free service for people with Have I Been Pwned. I don't look at them as products. 

Dave Bittner: Yes, you are the edge case... 

Troy Hunt: I'm not sure it's always... 


Dave Bittner: ...The noble edge case, Troy (laughter). 

Troy Hunt: I think the big thing to keep in mind is that trustworthiness in a VPN provider is absolutely critical because they control your traffic. So if you're using a VPN provider, and you go, oh, these guys are good because they're free, so, well, the big question you've got to be asking is, do I now want to delegate all of my traffic to this provider? Now, that means that any traffic that's sent in the clear that's not over, let's say, HTTPS for normal internet connections, they get to inspect it, they get to modify it, they get to reroute it. 

Troy Hunt: But it also means that a huge amount of the traffic that is encrypted is also still observable insofar as they get to see where you are going. So what is the hostname that you're connecting to, for example? Now, you might be connecting to a site about health. Now, that is a very generic concept. And someone might say that it's But what if it's a site about depression? What if it's a site about suicide prevention or alcoholism or something like this? So you are putting a lot of trust in the VPN provider. So this is why choosing one that you can trust and that you do feel is reliable is absolutely essential. And there has been some absolutely shocking cases of VPN providers doing the wrong thing as well. 

Dave Bittner: Yeah. What is on your radars as we continue, you know, full speed here into 2021, having been through this last year of pandemic and the focuses that the fraudsters have had when it comes to that? Especially when it comes to things, you know, like the vaccine, using these things to trigger on people's fears... 

Troy Hunt: (Laughter). 

Dave Bittner: What sort of things are on your radar for the coming year? 

Troy Hunt: I was just laughing because I was literally having a discussion with my mother yesterday. And we're in a bit of a privileged position in Australia because we've got very, very low rates of corona and we're really taking our time with the vaccine. And she's sort of saying, you know, look. I think I'll take my time and not rush it. And she's, you know, in her early 70s, but very fit and healthy. And I sort of said, look, mate - you know, mum, look. You're in a high-risk demographic with your age. Take the vaccine. I mean, come on. Do not read the Facebook posts about it, you know? 

Dave Bittner: (Laughter). 

Troy Hunt: Like, I'm less worried about the scammers and I'm more worried about her friends, you know? That worries me. But in all seriousness, this is one of the greater concerns I have, which is legitimate - for want of a better term, legitimate disinformation from people that just simply don't understand the science out there. To be clear, I don't understand the science, but I know the scientists do, so listen to those guys. The scammers - yeah, I guess part of the problem here is that a lot of their behavior, by design, is indistinguishable from legitimate communication. 

Troy Hunt: Now, whether that's disinformation - and, of course, we've seen very well-orchestrated disinformation campaigns over recent years - or whether it is - it literally leads to things the likes of phishing attacks, we're in an era where there is a lot of concern, and there's a lot of people seeking out information and there's a lot of vulnerability. And this is precisely the sort of things that scammers prey on. So, inevitably, we're going to see this situation with vaccines rolling out taken advantage of. 

Dave Bittner: I want to touch on Have I Been Pwned and your creation of that. Where do you see that heading? I mean, is it steady on towards the future? Are there additional sorts of functionalities you'd like to have? Or is simplicity part of what makes it work? 

Troy Hunt: Well, yeah, look. I've gone through a bit of an epiphany, I think, the last couple of years. So bang on two years ago, I decided to go through an M&A process, a merger and acquisition process, and find some way for Have I Been Pwned to sort of go permanently and grow and all of these things. And it was – look. It was a fascinating process. I'll give you that much... 

Dave Bittner: Yeah. 

Troy Hunt: ...But it was very painful, and it resulted in no sale. And I got to say, when I got to the end of it - this is about bang on a year ago now - I was really relieved and I sort of went, like - you know what? - if I just keep doing the same thing I've been doing at that time for six and a bit years, I'm OK with that. I got a big backlog of stuff I want to do, and I'm gradually adding more and more bits. But this is meant to be a hobby project, you know, not a career. And I think that Have I Been Pwned is at its best when I'm not stressed and feeling pressured to continually do new things. I'm quite happy just ticking it along as it is. 

Dave Bittner: Yeah, well, no doubt. I mean, it's been a great service to the community, so hats off to you for all the work you've done and continue to do. 

Troy Hunt: Yeah, cheers. Thank you. 

Dave Bittner: That's Troy Hunt from NordVPN. 

Dave Bittner: And I am pleased to welcome back to the show Dinah Davis. She is the VP of R&D for Arctic Wolf. Dinah, always a pleasure to have you back on the CyberWire. I wanted to touch base with you today about account takeover attacks. And I was hoping you could kind of walk us through how this sort of thing works, you know, how it comes to pass that someone finds themself a victim of an account takeover. 

Dinah Davis: Yeah, absolutely. And they're a big problem, right? About 65% of the fraud that has been reported to the FBI is business email compromise fraud. So it's a big deal, right? 

Dave Bittner: Right. 

Dinah Davis: So how does it happen? So let's say we have this guy, Trevor, and he's going to work for a company called Acme. I mean, we always pick Acme when it's some random. 

Dave Bittner: (Laughter) Right. 

Dinah Davis: Back to our "Looney Tunes" days. And, like many people, Trevor has probably about 200 online accounts - I have at least that I would assume - and multiple personal email addresses. And to keep track of his passwords, he likes to iterate on a few favorites like cupcake or cupcakebang5 or cupcake1, that kind of thing. Trevor has a family. And, like Trevor, his wife Jada (ph) has 200 accounts of her own. His kids like to game. And Jada and the kids also like to use variations of Trevor's favorite password, which happens to be their dog's name, Cupcake. 

Dinah Davis: So Trevor works for Acme. He's a senior executive there. He has access to financial accounts. And he works on projects associated with their IP. And, like most users, he has access to cloud services like Dropbox. And sometimes those services are associated with his personal account. OK. So that's our current landscape. 

Dave Bittner: OK. 

Dinah Davis: Now, Meira (ph) runs security for Acme. And she thinks she's doing a fantastic job. She's implemented a strict password policy - eight characters, letters, numbers, symbols, password change every 90 days, 2FA. And she's got great, you know, security measures in place. So, like, what could go wrong here? 

Dave Bittner: (Laughter). 

Dinah Davis: Clearly, something's going to go wrong. 

Dave Bittner: I have a feeling you're going to tell us. 


Dinah Davis: So let's think about what Acme's attack surface is - right? If you're looking just at the corporation, you're thinking all of the network tools, the emails, Salesforce, HRIS systems, maybe if they have a development team, GitHub. The problem is, it's not limited to that. It's also all of Trevor's attack surface, and that includes all of his social media, private email, banking, phones. It also includes everything that Trevor's family uses - their Netflix, their Wi-Fi, their shared devices - right? OK, so how can an attacker leverage Trevor's less secure personal and family accounts to infiltrate Acme? So let's assume that the attacker wants to steal funds from Acme. So the attacker knows that Trevor is an executive there and starts following his social media accounts. They notice that Trevor plays fantasy football, and they recognize that the fantasy football site was recently breached. 

Dinah Davis: And so they're like, hmm, possible account takeover possibilities here. They go to the dark web. They buy all of the usernames and passwords for that breach. They find Trevor's account and notice the password is cupcake5. From social media, they also know Trevor has a dog named Cupcake, so they think this could be a common password for him. The attacker then tries to access his corporate email so they can get more information about ACME finances. Fortunately for the attacker, ACME uses SMS two-factor authentication. 

Dinah Davis: So they buy a tool online that will allow them to steal the text message as it's on its way to Trevor's phone. And with that info and a good guess at his email password, they're into Trevor's email. They set up an email forwarding rule that will forward all of Trevor's emails to them so they can watch everything happening. And they notice that Trevor needs to pay a contractor $1 million but - because they intercepted the invoice email. So they pretend to be the contractor and send the message to Trevor, telling him to send the funds to one of their accounts instead of the contractor's, and now they have a million dollars. And so this is sadly, fairly common. So... 

Dave Bittner: Yeah. 

Dinah Davis: ...I mean, not this exact process here, but it is pretty common. And so, I mean, the big question is, like, how do you protect from that - right? 

Dave Bittner: Yeah. I mean, because I have to be honest, you know, when you said that they had 2FA enabled, in my mind, you know, that takes care of a - that gets you a long way along of being better off than you otherwise would - right? 

Dinah Davis: Absolutely, it does. It's better than not having it, for sure. 

Dave Bittner: Yeah. 

Dinah Davis: But at this point, it's important as to what kind of 2FA you have because the SMS 2FA is not much better than no 2FA at all anymore. Yeah. So there's a few things you can do to protect from this. So absolutely use multifactor auth everywhere, but don't use SMS auth. You want to make sure you are using either a software or hardware authenticator. So a software one is like Google Authenticator, that kind of thing. And if it's for really, like, admin accounts and really secure accounts, you want to have a hardware authenticator like a YubiKey - right? Those are much, much harder to spoof. And then you want to make sure you have an MDM system for any devices that have corporate apps installed on them. 

Dinah Davis: So it forces users to lock their phone. You can wipe the corporate tools off of that phone if needed, that kind of thing. And then you also want to make sure you are using password managers because you never want to use the same password twice. You know, if we all have 200 accounts, there's no way you're remembering 200 emails, passwords, right? And so you're going to have to reuse them. But if you use a password manager, you can use a different one for every single one - right? 

Dinah Davis: And then a big, key one is monitoring email forwarding rules. So we monitor all of those for our clients because it's an easy way for us to find nefarious behaviors in your account - right? Not only does it tell us that a forwarding rule was created, it tells us who created it in the system. So if they do create one, and they're forwarding it to an external usage, we know which account might be compromised because of that. So that's a very key piece as well. 

Dave Bittner: Yeah, yeah. It's - so many of these make use of that email forwarding like you said - just kind of slip into somebody's email. 

Dinah Davis: Absolutely. 

Dave Bittner: Yeah. Yeah. All right. Well, good advice. Dinah Davis, thanks for joining us. 

Dinah Davis: No problem. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. 

Dave Bittner: Don't forget to tune in this weekend to "Research Saturday" and my conversation with Hossein Jazi of Malwarebytes. We're going to be taking a deep dive into North Korea's APT37 tool kit. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.