Patching, with special attention to Hafnium and the rest. Responding to the SolarWinds incident. Hactivists don’t like cameras. Dragnet in the Low Countries.
Dave Bittner: Patch Tuesday was a big one this month. Microsoft Exchange Server remains under active attack in the wild, with new threat actors hopping on the opportunity. Russia denies it had anything to do with the SolarWinds incident and says the kinds of U.S. response that the word on the streets tells them are under consideration would be nothing more than international crime. Activists strike a blow against cameras. Joe Carrigan has thoughts on Google's plans for third-party cookies. Our guest is Kelvin Coleman from the National Cyber Security Alliance on how educators can better protect students' privacy during distance learning sessions. And police in the low countries sweep up more than a hundred cybercrooks.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 10, 2021.
Dave Bittner: Yesterday's Patch Tuesday was a big one. Microsoft, who's been urging users to patch Exchange Server, pushed fixes for 89 vulnerabilities, 14 of which Redmond rated critical. These are in addition to last week's out-of-band patches for the actively exploited Exchange Server flaws. Adobe patched its Connect, Creative Cloud and Framemaker products. CISA's summary yesterday indicated 21 security upgrades or mitigation for industrial control systems.
Dave Bittner: Patch Tuesday aside, a great many Exchange Server instances remain unpatched and open. Recorded Future's Record puts the tally at more than 46,000. It's not just Hafnium either. The scramble to exploit Exchange Server while the exploitation is good continues. ESET says they found at least 10 distinct threat groups actively working against the vulnerabilities, some state-sponsored, others apparently criminal, some still unidentified. They include Tick, LuckyMouse, Calypso, Tonto Team, Mikroceen, Winnti Group - the last three are espionage groups - and DLTMiner, a cryptojacking gang. Axios summarizes the ways in which a state-initiated cyber operation rapidly spreads to other actors in other precincts in cyberspace.
Dave Bittner: There's been much advice given on how to respond to the current campaigns against Exchange Server. Patching and updating are important. Unfortunately, however, they're a necessary but not sufficient response. There's a good deal more to be done to locate and expel the threat actors from a compromised enterprise. We'll say it again that it's worth taking a good look at the guidelines CISA has provided to help walk organizations through the challenges of responding to this threat. You can find them on the us-cert.gov website.
Dave Bittner: The US government continues its deliberations over how to respond to both the Exchange Server exploitation wave and, especially, the SolarWinds supply chain compromise. China's Hafnium group is widely held responsible for the campaign against Exchange Server. The supply chain compromise involving SolarWinds' Orion platform is generally attributed to Russia, under the general threat actor named Holiday Bear. The legal complexities of any such response were covered during last week's annual CYBERCOM legal conference.
Dave Bittner: Russia has denied involvement in the SolarWinds operation and yesterday said, according to US News and World Report, that US retaliation would amount to international cybercrime. An essay in WIRED argues that it's difficult to say what line Russia had crossed that other nations, the US included, hasn't crossed as well. This seems a way of saying that all governments collect intelligence, which is true.
Dave Bittner: But while this is worth considering before, say, regarding the incident as an act of war, which so far it doesn't seem to have amounted to, it doesn't mean the governments subjected to hostile intelligence collection have to like it, nor is it obvious why they should refrain from any sort of retaliation.
Dave Bittner: The range of options would seem to include, from most to least assertive, disruption of hostile intelligence services networks - what the kids at Fort Meade call defending forward - economic sanctions, indictment and prosecution of spies, declaring diplomats persona non grata, closing consulates, canceling exchanges and so on. Everyone may spy, but that doesn't mean the spied upon have to like it or forebear any sort of response. Response isn't necessarily hypocrisy. It's how espionage works.
Dave Bittner: A group of hacktivists, which Bloomberg associates with the APT 69420 Arson Cats collective, accessed some 150,000 live video feeds coming into security firm Verkada. BleepingComputer says a representative of the group, one Tillie Kottmann, a reverse engineer for the group of hackers, told its reporter that the Arson Cats gained access to the cameras using a super admin account for Verkada. They found the credentials in exposed DevOps infrastructure.
Dave Bittner: Some high-profile companies, Tesla and Cloudflare among them, are said to be among those whose feeds were compromised, but most of the organizations affected were smaller operations, including not only small businesses but jails, schools, churches, pubs, museums and so on. The Arson Cats say they're interested in exposing pervasive surveillance to help create a better world and to have fun while fighting for it.
Dave Bittner: Their efforts to save people from the totalitarian implications of churches, schools, museums and small businesses trying to protect themselves from property crime will no doubt be welcomed by all who go to school, attend church, visit museums, like to patronize these small businesses in their neighborhoods or have a drink in the local bar. Besides, property is theft anyway, right? Right? Didn't we hear that somewhere in a lecture one time or another?
Dave Bittner: At any rate, Newsweek reported this morning that the Arson Cats' representative had been suspended by Twitter, which is true. Their account is indeed down. Twitter offered no explanation, but Newsweek thinks it likely that the particular rule Kottmann broke involved a prohibition against posting hacked material. One of the final tweets read, in the spirit of John Lennon's "Imagine," "What if we just absolutely ended the surveillance capitalism in two days?"
Dave Bittner: Tesla and others say no real damage was done. What effect the Arson Cats' propaganda of the deed had on various mom and pops it afflicted remains unclear, but it's probably not good. At any rate, imagine, right?
Dave Bittner: And finally, police in Belgium and the Netherlands have taken down an encrypted chat platform they say was much favored by cybercriminals. They shut down SKY ECC, a company they infiltrated last month. In coordination with the takedown, they also made more than a hundred arrests in sweeps they called, respectively, Operation A-Limit and Operation Argus.
Dave Bittner: The Record says that a lot of EncroChat customers are believed to have migrated to SKY ECC after EncroChat's proprietors, feeling the heat, absconded and closed down. Other companies that once provided criminals with encrypted comms are said to have included Ennetcom, PGP Safe and Phantom Secure.
Dave Bittner: In fairness to SKY ECC, the company has issued a press release in which they dispute what's being said about them. For one thing, they say the police didn't compromise them, but rather a cloned site that was spoofing their brand. And they take strong issue with media reports that characterize them as the platform of choice for criminals. As they put it, SKY ECC has a strict zero-tolerance policy that prohibits any criminal activity on its platforms. Quote, "SKY ECC users and authorized distributors are expressly prohibited under the terms of service from using or distributing a SKY ECC device for any illicit, illegal or criminal use. Any accounts used for criminal activity are immediately deactivated." And they say that they haven't been taken down, only disrupted, and that they're back up and in operation. So take that, coppers.
Dave Bittner: As we head into our second year of dealing with the effects of the COVID pandemic, CISA and the FBI recently put out a joint statement warning K-12 educators to be alert for cyberattacks and online dangers for themselves and their students. Kelvin Coleman is executive director of the National Cyber Security Alliance, and he offers these thoughts on how we might better prepare our teachers and students for the year ahead.
Kelvin Coleman: We know that the education space has become a major target for cybercriminals, cyber organizations. I think, in fact, the FBI, as well as the Cybersecurity and Infrastructure Security Agency, CISA - they recently issued a report that - and they briefed us out on it, saying that, you know, K-12 schools are a worsening danger in 2021. They saw a 57% spike in ransomware attacks in this sector just last year, right? And not so ironically, the bad actors are taking advantage of the global pandemic, as is their M.O. They tend to take advantage of, you know, disasters, manmade or natural. And so, you know, we are in a precarious position, but I do think we're going to improve over the next year.
Dave Bittner: What do you suppose we should be doing here? I mean, I think for a lot of us, our hearts go out to both the teachers and the students who are trying to make the most of a difficult situation. You know, what sort of things can we do to support them?
Kelvin Coleman: Yeah, we have to create a culture of cybersecurity in today's academic environment, private sector, even public sector. We're all familiar with fire drills. You know, if a fire starts in a building, we know what to do. We know the exits to go to, and we know how to safely exit a building. Bad weather in certain parts of the country - kids are drilled on it on a monthly basis to make sure they know what to do if a tornado pops up in the Midwest or, you know, unexpected rains - you know, whatever the case is on the West Coast. In that same way, we need to create a culture for cybersecurity.
Dave Bittner: You know, I have to say I really find your comparison to a fire drill to be quite compelling. You know, I think about how for most of us, you're - really, from kindergarten through 12th grade, every year, at least once a year and probably several times, you did a fire drill. And these days, even as adults, if you find yourself - you know, back before COVID, when we would go places, you'd find yourself in a movie theater or a restaurant or any public place. If there was a threat of a fire, everybody knows how to behave. Everybody knows how to act. Everybody knows, you know, to look for those exits. And it's because we were all - from the very beginning, we were trained on the ways to handle those situations safely. That's a really interesting idea to bring to cyber.
Kelvin Coleman: Well, and unfortunately, you know, the fire drills came about because, you know, kids were dying in fires, right?
Dave Bittner: Right.
Kelvin Coleman: You know, it wasn't just this idea that, oh, this seems like a great idea. No, it was in response to something. So why in the world wouldn't we do that for technology? Why wouldn't we teach these basic things to students so that they can protect themselves? I'm talking about passwords and multifactor authentication and educational awareness.
Kelvin Coleman: And some people sometimes, you know, will say those are pretty boring things. Do you have anything more exciting? No, I don't, actually, because those things work. We know that when you are able to thoroughly implement that type of training within your organization, your chances of becoming a target decreases by 40% - four, zero. And so we know it works. It's just having (ph) the national will to be able to make it a top priority.
Dave Bittner: That's Kelvin Coleman, executive director of the National Cyber Security Alliance.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting story. This comes from The Wall Street Journal.
Joe Carrigan: Right.
Dave Bittner: And it's titled "Google to Stop Selling Ads Based on Your Specific Web Browsing." There is more to this than meets the eye, right, Joe?
Joe Carrigan: There's a lot more. There's a lot of moving parts in this story.
Dave Bittner: OK.
Joe Carrigan: So if we start from this first story with The Wall Street Journal - from The Wall Street Journal, it says that Google is moving away from third-party cookies. And this has been a long time coming. We've seen other things like this happen with Apple getting rid of their advertiser ID - or maybe not getting rid of it, but making it so that users have to opt in to share it with other people...
Dave Bittner: Right.
Joe Carrigan: ...Other services like Facebook. Google is then the last browser to get rid of third-party cookie tracking in their browser. And they're not going to start doing that till 2022. But because their browser is not going to do it, they're actually going to stop doing it themselves - stop using these third-party cookies in their - as a method of tracking people.
Dave Bittner: Right.
Joe Carrigan: And some advertisers are saying this is good for the user 'cause it's going to have - give them more privacy. And then other advertisers are saying this is Google being too heavy-handed. And some are saying, we've been preparing for this for about 10 years. There's another article here in The Wall Street Journal called "Google's User-Tracking Crackdown Has Advertisers Bracing for Change," and that's where you're seeing the comments from the advertisers.
Joe Carrigan: But Google walking away from third-party cookies and stopping the use of third-party cookies is not the privacy move that it seems.
Dave Bittner: (Laughter).
Joe Carrigan: Bennett Cyphers over at the Electronic Frontier Foundation is talking about what's next because Google doesn't want to stop tracking you. And if you think about - remember, we talked about the Facebook issue with Apple not letting them have their Facebook ID...
Dave Bittner: Right.
Joe Carrigan: ...Or their Apple advertising ID unless they asked for it. And I said at that point in time that Facebook is still going to track you across all their apps and everything they own, which includes, you know, WhatsApp. They had that privacy - or the update to the WhatsApp terms and conditions they kind of backed off of.
Dave Bittner: Yup.
Joe Carrigan: They're on - they own Instagram. They own Facebook. They're still tracking you and building a model of you inside of your - their services. And it looks like Google is trying to do the same thing. But the problem here is that Google is the leader in the web browser market. They have the largest share of web browsing.
Joe Carrigan: This article from Bennett Cyphers talks about a Google proposal called the Federated Learning of Cohorts, or FLoC, right? And this is a browser add-on or capability or, you know, feature, if you will, that has - I love that Bennett put privacy - quotes around this. This is the "privacy sandbox," and they say it will be better than the world we have today.
Joe Carrigan: But Google has gone to the WC3 (ph), which is the standard bodies for the web, and in the Web Advertising Business Group, which is a group within the WC3 (ph) primarily made of ad tech vendors. They have been proposing a bunch of technical standards to go into FLoC, which include things like PIGIN, TURTLEDOVE, SPARROW. They're all bird names, very cute.
Dave Bittner: (Laughter) Yeah, Alfred Hitchcock fans are not put at ease...
Joe Carrigan: Right.
Dave Bittner: ...By this naming decision, but that's all right.
Joe Carrigan: Neither am I. Let me quote this article - "each of the bird proposals is designed to perform one of the functions in the targeted advertising ecosystem that is currently done by cookies." Right? So what that means is Google is putting out to the world, hey, we're getting rid of third-party cookies. We're finally coming in line with this.
Dave Bittner: Right.
Joe Carrigan: But keep using our web browser 'cause that's where we're tracking you now.
Dave Bittner: (Laughter) Now we have cupcakes.
Joe Carrigan: Right.
Joe Carrigan: You're going to love it.
Dave Bittner: Yeah, yeah. Right.
Joe Carrigan: Of course, users can get around this by going to something like Firefox or Brave or some other privacy-centered browser.
Dave Bittner: Yeah, yeah. It's interesting to me in the Wall Street Journal article, they quote Jonathan Mayer, who's a professor of computer science at Princeton University. He says, these are proposals that read like a company that's under enormous regulatory pressure and is trying to find a last-minute plausible compromise to stave off regulation. They've done the easy stuff, and they haven't done the hard questions.
Joe Carrigan: Right.
Dave Bittner: That's an interesting insight.
Joe Carrigan: I think it is. Here's my concern with this. And one of my primary concerns with regulation is if the regulations are written in such a way that they ban something like third-party cookies, they still don't ban Google from doing this kind of tracking in something that's their own software product.
Dave Bittner: Right.
Joe Carrigan: And I don't know that they should do that. You know, Google produces the web browser - the Chrome web browser, so, you know, what they do with that web browser is really up to them. And the users make that decision.
Joe Carrigan: The web is everybody's, I would say. The web is almost like the airwaves. I'd like to think of the web as the airwaves. That should be - or the internet as a whole as the public airwaves. It's something that everybody should have access to. And you're talking about not being tracked on the internet just because you're using the internet.
Dave Bittner: Yeah.
Joe Carrigan: That, everybody can get on board with. But if you're going to agree to use my piece of software that I provide you either for free or for a fee, I'm not so ready to agree to not being tracked - to not allowing Google to track people using that because there are other options out there for people, and they have to make that decision.
Dave Bittner: Yeah. I suppose you could say it's more sporting to have people opt in than opt out.
Joe Carrigan: I would agree with that 100%. I think that's a better ethical stance is to have people opt in. And there is no better way to have people opt in or opt out than by using different software.
Dave Bittner: Yeah, absolutely. All right, well, interesting stuff, for sure. Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It lasts a good, long time. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.