The CyberWire Daily Podcast 3.12.21
Ep 1288 | 3.12.21

Ransomware enters vulnerable Exchange Servers through the backdoor. REvil is out and active. SolarWinds and control systems. Molson Coors responds to a cyber incident.

Transcript

Dave Bittner: We're always looking for ways to improve our podcasts and publications, so we can save you time and keep you up to speed on developments in the cybersecurity industry. We've created a survey, and we would love a chance to hear your thoughts and ideas. The best part - once you complete the survey, you'll have a chance to win a $100 Amazon gift card. The survey expires on March 24. So be sure to help us out and give us your input and don't hold back. We want to hear it all. Tell us what you love, what you'd like to see more of and how we can make your lives easier. Just go to thecyberwire.com/survey. That's thecyberwire.com/survey.

Dave Bittner: Microsoft warns that ransomware operators are exploiting vulnerable Exchange Servers. Threat actors continue to look for unpatched instances of Exchange Server. Johannes Ullrich joins us with his thoughts on the incident. REvil ransomware hits a range of fresh targets. Concerns are raised about the effects of the SolarWinds compromise on embedded devices. Our guest is Sally Carson from Cisco, making the case that good design may just save cybersecurity. And an unspecified cyber incident shuts down Coors Molson. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 12, 2021. 

Dave Bittner: Microsoft tweeted late last night that it had detected and begun blocking a new strain of ransomware, quote, "being used after an initial compromise of unpatched on-premises Exchange Servers," end quote. Redmond is calling the ransomware DearCry. Microsoft Defender customers who receive automatic updates should be protected, but anyone operating an unpatched on-premises Exchange Server instance really does need to get on the stick and fix things. Clippy is not a concierge for bad actors. The ransomware outbreak would seem to be the sound of the other shoe dropping that CrowdStrike co-founder and current executive chairman of Silverado Policy Accelerator Dmitri Alperovitch told CrowdStrike to expect. Exploitation of Exchange Server vulnerabilities has clearly moved beyond the break-in the Chinese government-run threat group Hafnium initiated. It's developed into a cyber riot with widespread virtual looting. ESET two days ago said it had detected at least 10 groups attacking unpatched Exchange Server instances. And there are almost surely more than 10 of them out there and active. 

Dave Bittner: As happens in a riot, the looting has been indiscriminate, not confined to one country or any selected group of victims. The BBC reports that at least 500 British firms have been affected. The Record reports that the ransomware operators are exploiting the ProxyLogon vulnerability to install DearCry. So far, this particular threat seems to have hit only a relatively small number of vulnerable targets. But the criminal campaign is still in its early stages. And, of course, what DearCry can do, other ransomware gangs can also accomplish. Barracuda Networks says that it's observed a high and increasing rate of probing for unpatched Exchange Servers. They started seeing scans around March 1. And the rate of scanning has jumped remarkably since then. So do look to your defenses. 

Dave Bittner: DearCry isn't the only ransomware strain making news. Security firm eSentire has been warning about a wave of activity by the gang behind REvil, the ransomware strain, also known as Sodin, which is eSentire's preferred name for the hoods, or Sodinokibi. The target list is marked for its diversity, both geographically and in terms of sector. eSentire's tally includes two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the U.S., as well as two large international banks, one in Mexico and one in Africa, and a European manufacturer. Rob McLeod, director of eSentire's Threat Response Unit, wrote in an email that, quote, "These attacks come directly on the heels of an extensive and well-planned drive-by download campaign which was launched in late December. This malicious campaign's sole purpose is to infect business professionals' computer systems with the Sodin ransomware, the Gootkit banking Trojan or the Cobalt Strike intrusion tool," end quote. As is now routine for this kind of crime, the extortionists are also stealing files and threatening their release. 

Dave Bittner: Lest we forget, the SolarWinds compromise remains a matter of active concern. An op-ed in The Hill by Red Balloon Security points out a growing uneasiness over how the campaign may have affected embedded devices. The concern is that the successful effort to compromise the SolarWinds software supply chain represented not merely cyberespionage - which it clearly did - but also an effort to stage more damaging attacks. SolarWinds' Orion platform is used in more than simple business networks and applications. As the op-ed puts it, "SolarWinds' Orion software has privileged access to the switches, routers, firewalls and other network infrastructure used by power plant control systems, defense systems, traffic lights and critical infrastructure operations generally," end quote. 

Dave Bittner: And finally, hey, everybody, first they came for your friends' electromechanical marital aids, and now they're coming for your beer. Now, neither of those sectors are on the critical infrastructure list - although we admit we haven't checked either Nevada or New Brunswick - but this seems out of control. 

Dave Bittner: A Form 8-K the Molson Coors beer barons filed with the US Securities and Exchange Commission disclosed that the brewery had sustained an unspecified cybersecurity incident that has caused and may continue to cause a delay or disruption to parts of the company's business, including its brewery operations, production and shipments. Fox 6 Milwaukee reports that production is at a standstill. And it's not confined to Wisconsin, either. Molson Coors employees have been telling WALB News 10 in Albany, Ga., that they've been sent home because of the incident and asked not to try to log in to any company resources. 

Dave Bittner: The exact nature of the incident is unknown, and the company is being tight-lipped about it for now, but BleepingComputer cites speculation that it was a ransomware attack. SecurityWeek quotes experts from Nozomi to the effect that industrial processes are attractive targets for ransomware gangs. The attack is believed to have hit the brewer yesterday, and the incident is under investigation and remediation, with Coors Molson having brought in an unnamed outside firm to assist. 

Dave Bittner: Maybe you're thinking to yourself, well, you don't drink Molson or Coors, so I'm all right, Jack. Don't be too sure. Molson Coors has a number of well-known international brands, including not only its two eponymous beers, but also Coors Light, Miller Lite, Carling, Coors Banquet, Molson Canadian, Blue Moon, Peroni, Killian's and Foster's. 

Dave Bittner: Is Northcom on this? Has anyone gotten on the horn to Colorado Springs to let the Guardians in Cheyenne Mountain know? We're pretty sure a lot of them are customers. Beer might not be formally entered into the list of critical infrastructure, strictly speaking, but come on - this is beyond a joke. 

Dave Bittner: OK, OK, so there is something inherently jolly about beer, as we all know from having watched commercials for it, but to resume speaking seriously, an incident like this isn't a trivial matter, and it does show how industrial operations can be disrupted by cybercrime. And we wish Coors Molson a speedy recovery, hope their employees can get back to work soon and finally, we wish good hunting to law enforcement. 

Dave Bittner: Apple co-founder Steve Jobs famously said when asked about the design of their products, the design is "not just what it looks like and feels like. The (ph) design is how it works," end quote. To that end, a security tool is no good if only some people can figure out how to use it. It's no good if the indicators it presents are ambiguous or hard to understand. Design matters. For an expert's view on this, I checked in with Sally Carson, security design lead at Cisco. 

Sally Carson: We know right now that complexity is the enemy of security. That's one core pillar of the work that I do. And design is all about folding away complexity and just radically simplifying products and services. So that's one. But we also know that security today is mostly about human behavior. We know that most breaches still originate via phishing attacks. And so when human behavior is involved, that's a great opportunity to bring in design because I like to explain that design is not just about user interface design. That's certainly part of it. But it's a more expansive view of design. It's very much about human behavior and anthropology. 

Dave Bittner: And so where do you come into this? I mean, what are you doing day to day? How is the work that you do influencing the products that your organization is putting out there in the world? 

Sally Carson: Yeah, that's great. So I came into Cisco via the Duo acquisition. Cisco acquired Duo about two, 2 1/2 years ago. And prior to that, I had joined Duo about six years ago and built out the product design and user research functions there. And a lot of what we spent our time doing at the very beginning, the very inception of a new project or a new initiative - a lot of what we'd spend our time doing is partnering with our product managers to go out and talk to customers or would-be customers about their needs, their motivations, their goals, all of the behavioral elements that can inform our product strategy. 

Sally Carson: And it's not about asking customers what features they like. Like, that certainly comes up in the course of our conversations, but it's more like, show me how you solve this problem today. And oftentimes what we're observing is, you know, the equivalent of, like, duct tape and bubblegum, you know, stringing different tools together in wonky ways. And usually that speaks to some kind of unmet need. And maybe there's a way that we can deliver a product to market that addresses that need. 

Dave Bittner: Is there a bit of an uphill battle? I mean, are there challenges that you face? I'm thinking of, you know, in a sector where using the command line is a badge of honor, do people - do some people come to even the notion of design with a bit of resistance? 

Sally Carson: Well, it's interesting. Like, we even - the designers that I led at Duo, we even did quite a lot of work in command line interfaces. Like, how do we generate error messaging that's quite a bit more intuitive and instructive and helps guide the person to next steps. So even if you're just looking at using the command line for some actions, there's work that design can do there to radically simplify and clarify what processes are happening behind the scenes. 

Dave Bittner: Where do you think things are headed? Where do you think we're going in terms of making use of design to help make us all safer? 

Sally Carson: Good question. I mean, part of what we look at is we try to zoom out a level and not just focus on the products that we're delivering to market but even zoom out beyond that and understand the state of the technology landscape in general and how people's attitudes and behaviors are changing as a result. 

Sally Carson: So one example is when I joined Duo six years ago, I want to say maybe five years ago, we performed some expansive research just on the state of biometrics and customers' attitudes and behaviors toward biometrics. And then we've tracked that over time to see how it's changed. 

Sally Carson: And with the early days of things like Touch ID or Face ID, early on we found that our customers were pretty uncomfortable with that, and there was a - some privacy concerns were coming up for them. And they were sort of at times conflating some of the privacy concerns that you might see in social networking with hardware-based biometric authentication. So they're, you know, worried that this thing's scanning my face. It's scanning my thumbprint. What's it going to do with that? 

Sally Carson: But since then, that technology has become much more ubiquitous, and general consumer sentiment about that - they're much more comfortable with using biometrics. And they understand it a bit more now, and they understand that no one's selling their face, you know, to advertisers. 

Dave Bittner: Yeah, that's interesting. Are there industry-wide standards that are finding themselves coming into play? You know, are there best practices? How do we settle on best practices that, you know, this works and we should all adopt this? 

Sally Carson: Yeah, it's a really great question. I think there is a need for best practices that are tailored to cybersecurity. More generally, there are best practices just in terms of developing technology products for humans. And a great, you know, canonical resource for some of that thinking is Apple's Human Interface Guidelines, the HIG. People call it the HIG. So if people are ever curious to kind of nerd out on design stuff, you can Google Apple HIG and look and see how they have developed their own standards that really do set precedent across the industry. There's more beyond just Apple, but that is sort of a gold standard that's been out there for decades now, and they've continued to evolve it. 

Sally Carson: But I'd be really interested in seeing some emergent standards that are specific to cybersecurity. I think that could be really useful, especially for orgs that have the intent to improve their product but maybe don't yet have the resourcing to invest in a really mature design function. 

Dave Bittner: That's Sally Carson. She's security design lead at Cisco. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. You know, we had breaking news recently about an out-of-band patch from Microsoft dealing with some of their Exchange Server products. And I wanted to use that as an opportunity to kind of touch base with you about some security concerns that folks should have when it comes to their Exchange Servers. What can you share with us today? 

Johannes Ullrich: Yeah. So Microsoft Exchange - a really interesting product. It used to be sort of the staple in every sort of corporate enterprise network. Of course, recently, a lot of people have moved the Exchange Servers into the cloud or they're using cloud-based email services. But, well, with that, they sort of became a little bit of a forgotten asset. And there are still hundreds of thousands out there exposed to the internet. 

Johannes Ullrich: And it has become an issue where they're no longer really well-maintained and probably a little bit sort of out of sight, out of mind for a lot of IT departments. Not just recently with these vulnerabilities that were exploited and quickly patched by Microsoft, but over the last couple of years, we had a number of critical vulnerabilities in Exchange that were exploited even though a patch was available. But really, the patching was much slower than what we typically see for similar critical assets. 

Dave Bittner: Now, is this a case where even when companies are transitioning to the cloud, that they'll likely leave their Exchange Server up and running because why not and, you know, who knows what we'll break if we shut it off? 

Johannes Ullrich: I think the last part is really - it's sort of, you know, who knows what'll break? Now, my attitude is always, well, let's see who complains, then we know what'll break. 

Dave Bittner: (Laughter). 

Johannes Ullrich: But not everybody is that willing to upset their users. 

(LAUGHTER) 

Johannes Ullrich: But, yeah, I've, for example, seen them - if you've got some legacy, like, fax, email gateways and stuff like that, that sometimes needs an on-premise Exchange Server, at least for the outbound part. Now, in that case, you could firewall it off nicely and not allow any inbound connections. But then again, you know, you're just using probably the Exchange Server you had sitting there for the last few years. Back in the day, it was used for inbound email. So you still have that firewall port open. You may even still have, like, Outlook web access or something like this running for access, even though it's no longer really used. You're only using that outbound part. 

Johannes Ullrich: And I think that's part of what's going on here, that there are some legacy applications that do need an on-premise Exchange Server, you know, for a Windows network 'cause of the easy way to set up a mail server. But it no longer really would need a lot of that exposure to the outside world. 

Dave Bittner: So is the lesson here then to, I guess, first of all, take a look and see what you've got running in your environment and then decide if it still needs to be there? 

Johannes Ullrich: Yeah, inventory is always step No. 1 - you know, figure out what's there. Next, why it's there. And then, you know, do we still need it, or do we get rid of it? Kind of - I sometimes call it a little bit the slumlord philosophy to networking. You know, kind of like in a cheap apartment, if you don't need it, the landlord is going to take it out. In a network, if you don't need it, you know, no need to pay for it, repair it, fix it. You know, just remove it. 

Dave Bittner: Yeah. All right (laughter). That's a - that's one - that's - always a colorful explanation from you, Johannes. I appreciate it. 

(LAUGHTER) 

Dave Bittner: Johannes Ullrich, thanks for joining us. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Fourteen is more fun than one. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out this weekend's "Research Saturday" and my conversation with Dr. Rosario Cammarota from Intel Labs. We'll be discussing their research on fully homomorphic encryption. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.