The CyberWire Daily Podcast 3.15.21
Ep 1289 | 3.15.21

Looking for leaks in the Microsoft Exchange Server exploitation. International cyber conflict. Sky Global executives indicted in the US. Scammer demands £1,000 to go on do-not-call list.

Dave Bittner: Microsoft is looking for a possible leak behind the spread of Exchange Server exploits, and hackers piggyback on web shells placed by other threat actors. The US government continues to mull how to respond to Holiday Bear and Hafnium. Britain's PM calls for greater offensive cyber capabilities. India looks for ways of countering China in cyberspace. Sky Global executives are indicted for alleged racketeering. Accenture's Josh Ray takes on defending against nation-states. Rick Howard aims the Hash Table at third-party cloud security. And what does it cost to be on a do not call list? Nothing. It costs nothing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 15, 2021. 

Dave Bittner: Bloomberg reports that Microsoft is looking into whether threat actors used the research of DEVCORE to exploit vulnerabilities in Exchange Server. DEVCORE, based in Taiwan, alerted Redmond to the Exchange Server vulnerabilities in December. 

Dave Bittner: At issue, The Wall Street Journal explains, is how Hafnium's cyber-espionage campaign began quietly in January, picked up momentum and expanded into widespread cyber looting by many actors shortly before Microsoft patched the vulnerabilities. Microsoft is investigating whether the vulnerability leaked from DEVCORE, whether inadvertently or deliberately. 

Dave Bittner: Microsoft quietly and privately released information about the vulnerability to security partners - those in the Microsoft Active Protections Program, or MAPP - on February 23, and it planned to issue its fix on Patch Tuesday last week. 

Dave Bittner: On February 27, Chinese-linked threat groups began actively scanning for the Exchange Server vulnerabilities, and by the 28th, several distinct groups had begun active exploitation. This pushed Microsoft to issue its fixes earlier than anticipated. 

Dave Bittner: More recently, publicly released ProxyLogon proof-of-concept exploits have placed Exchange Server attacks within the reach of script kiddies, BleepingComputer says. According to The Record, some actors are also piggybacking on other threat groups, hijacking web shells placed by other attackers. This has in some cases escalated the damage done, as the hijackers move from cryptojacking to ransomware. 

Dave Bittner: The US government is said by SecurityWeek to be nearing some decision on how to respond to the cyber-espionage campaigns that exploited SolarWinds and Exchange Server, with some public announcement promised in weeks, not months. Response to the threat actors is half the issue. The other half, The New York Times reports, is a plan to reorganize the national approach to security. 

Dave Bittner: Other governments are also contemplating developing and deploying offensive cyber capabilities. According to Reuters, British Prime Minister Johnson has called for cyberattack capability ahead of the release of a national security review. And the Economic Times reports that India's government faces calls for preparation to face an increasingly assertive China in cyberspace. 

Dave Bittner: Google, at odds with Microsoft over relations with publishers and news sources, has said that Microsoft's position on paying for content is no coincidence. Mountain View accused Redmond of engaging in misdirection. It's naked corporate opportunism, Google's senior vice president of global affairs said shortly before Microsoft's president's testimony Friday in Congressional hearings on the effect tech platforms are having on the news business. Google suggested that Microsoft's stance on the issue is an attempt to distract attention from the company's large, damaging and growing problems with Microsoft Exchange Server exploitation. The Wall Street Journal places the dispute in the context of a worldwide drift in the direction of having search engines pay content providers for links. 

Dave Bittner: On Friday, an indictment was filed against two executives of Sky Global, Jean-Francois Eap and Thomas Herdman, in the US District Court for the Southern District of California. The two are charged with racketeering offenses involving the sale of encryption devices to transnational criminal organizations. The devices are sold with the promise that they'll be wiped should those devices be seized by police. 

Dave Bittner: The indictment describes Sky Global devices as dedicated data devices housed inside an iPhone, Google Pixel, BlackBerry or Nokia handset. The devices replace the phones' internal hardware and software responsible for geolocation, photography, internet activity and voice communications. The indictment alleges that Sky Global and the two executives charged were engaged in both drug trafficking and obstruction of justice. 

Dave Bittner: Vice points out that this is the second major case against an encrypted comms provider accused of racketeering, the first being Phantom Mobile (ph). Sky Global apparently drew some lessons from Phantom's experience, notably, the indictment says, the importance of maintaining an arm's length of deniability to distance them from the criminal organizations whose operations they facilitate. 

Dave Bittner: The US indictment follows an earlier disruption of Sky's operations by Europol, which authorities in Belgium, the Netherlands and France undertook earlier in the week. 

Dave Bittner: Both of the executives charged are Canadian citizens, and the company itself is based in Vancouver. Over the weekend, Sky Global posted a response to the indictment on its website. The CEO framed his indictment, which he says he learned about from press reports and not from the authorities, as a shot in the crypto wars. Monsieur Eap said that the indictment can only be described as erosion of the right to privacy. The company's technology, he added, "exists to prevent anyone from monitoring and spying on the global community. The indictment against me personally in the United States is an example of the police and the government trying to vilify anyone who takes a stance against unwarranted surveillance. It seems that it is simply not enough that you have not done anything illegal. There is no question that I have been targeted, as Sky Global has been targeted, only because we build tools to protect the fundamental right to privacy. The unfounded allegations of involvement in criminal activity by me and our company are entirely false," end quote. 

Dave Bittner: And, finally, the BBC reports a new wrinkle in the familiar Microsoft help desk phone scam. Note, first of all, the obvious - the nuisance calls claiming to be from Microsoft's tech department or a Windows help desk have nothing to do with Microsoft. One of the BBC's tech reporters, tired of being pestered, asked the caller how they got her number and told them to strike it from their list. Give us a thousand pounds and we will, said the faux tech supporter. 

Dave Bittner: Naturally, the reporter didn't pay them, but apparently some of them have. The whole family of scam calls has been rising during the pandemic, and there have been calls in the U.K. and elsewhere that threaten the recipient with arrest if they don't pay a fine or some other legal consideration. In the U.K., these calls have sometimes said that there's an ongoing court case over an unpaid tax bill - sometimes the judge and jury are even said to be online and waiting for an answer. In the U.S., the scammer usually says they're agents of the Social Security Administration telling you that your number has been suspended for illegal activity and that you need to take action to avoid being taken into custody. 

Dave Bittner: Remember; no responsible government is going to call you up and demand immediate payment by credit or debit card for some alleged unspecified misdeed, so hang up on them. Asking to be placed on their do not call list is probably a futile gesture. They're crooks, after all, and if they're not worried about grand larceny and wire fraud, they're not going to be too concerned about a minor matter like pestering someone on a do not call list. But if you feel you must talk to them, you may as well waste their time in something interesting or - who knows? - appeal to their conscience. Urge them to leave that boiler room and find honest work. Sure, it's not likely to work, but who knows? The heart has its reasons, after all. 

Dave Bittner: And joining me once again is the CyberWire's own chief security officer and chief analyst, Rick Howard. Rick, always good to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So for the past six weeks or so, you have been inviting your Hash Table guests from all of the various cloud providers to discuss how these environments help us deploy your cybersecurity first principle strategies. So you think it's time to reach out to some of the third-party pure play security vendors and maybe see what they have to say about the subject? 

Rick Howard: Well, Dave, you know, great minds think alike, and... 

Dave Bittner: (Laughter). 

Rick Howard: ...That's exactly what we did this week. And, you know, just for clarification, when we say third party, we mean a security vendor that's not part of the internal cloud vendor's product offering. The cloud provider might partner with a third-party vendor and even do some integration, but the product itself isn't built by the cloud provider. So, for example, Amazon offers products from Sumo Logic in their marketplace. But these are Sumo Logic's products, not Amazon's, right? 

Rick Howard: And also, when we make a reference to a pure play security vendor, we mean that that vendor only builds security products - you know, companies like KnowBe4, where their product line is not spread out across a galaxy of different kinds of products, compared to, say, Google, for example, who offers a security product like cloud data loss prevention, but also, you can get YouTube and Gmail and a bunch of other things that have nothing to do with security. 

Dave Bittner: Well, it strikes me that some of these pure play vendors might have a thing or two to say about the ability of how I should characterize them. 

Dave Bittner: Right? 

Rick Howard: Exactly. 

Dave Bittner: I mean, you know, these newbies in the security industry trying to roll out - these young whippersnappers... 

Rick Howard: Yeah. 

Dave Bittner: ...Trying to roll out security products for... 

Rick Howard: These youngsters. 

Dave Bittner: ...Their cloud environments. 

Rick Howard: You could just visualize me on my porch with my hand raised in the air. You whippersnappers, what are you doing in security? 

Dave Bittner: Right, right. Get off my cloud. Hey, you, get off of my cloud. Wait. Oh... 

Rick Howard: Wait. 

Dave Bittner: ...That is kind of catchy, isn't it (laughter)? 

Rick Howard: We might have to go into business here. 

Rick Howard: Well, that - it is indeed the case. That's true. And, you know, shocker - OK? - they all think they do it better than the cloud providers do. You know, who knew? All right, so... 

Dave Bittner: Yeah. 

Rick Howard: So in this show, we brought on guests from Palo Alto Networks and Cisco to hear what they had to say. But, you know, to give it some balance, we also brought on the host of another security podcast called the "Cloud Security Podcast," run by Ashish Rajan out of Australia. Now, he doesn't have a dog in the security vendor fight, but he agreed with the pure play vendors on this one point that the pure play vendors have been doing intrusion kill chain prevention for years now, where the cloud providers don't really think that intrusion kill chain prevention is a thing, all right? So in this show, we have a rousing discussion about whether or not that's important. 

Dave Bittner: All right. Well, it's all part of "CSO Perspectives." That is part of CyberWire Pro. You can check that out on our website. Rick Howard, thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He's the managing director and global lead of Accenture's cyberdefense business. Josh, it's always great to have you back. I want to touch today on state-sponsored threat actors and what organizations need to know when it comes to protecting themselves against them. 

Josh Ray: Yeah, thanks, Dave. This is a topic that's near and dear to my heart, an area that I've spent a lot of time in my career looking at. And I think one of the things that the folks have to understand is that, you know, security threats from state-sponsored actors have been around, really, for quite some time. And these are requirement-driven threats. 

Josh Ray: So really, what do I mean by that? I mean that it's their job, their full-time job, to achieve their mission objectives. And remember; you know, folks, that, like, there's a reason that you're being targeted. It's because either information that you have or could have, what you produce as a business. Or in many cases, in the case of, say, third-party attacks, your organization really represents a means to an end to just broader access to other targets. I mean, this was obviously highlighted here in the recent SolarWinds attack. 

Dave Bittner: Yeah. You know, I think about how many organizations probably think, well, you know, what would a nation-state - why would they be interested in me? But then you think about something like the Target breach, you know, with an HVAC contractor. I could see very easily an HVAC contractor saying, well, there's nothing of interest here. We're an HVAC contractor. But you could be the back door into a much more interesting organization. 

Josh Ray: Yeah, that's right. I mean, you know, a catering facility, an HVAC contractor, maybe, you know, maybe an IT services firm or, you know, other types of businesses - if you are seen as a means to an end as part of an intelligence operation, you're going to be targeted, unfortunately. That's not to spread, you know, fear, uncertainty and doubt, but this is an active intelligence operation that folks need to understand is not going to stop just because you don't see yourself as a target. You have to kind of look at yourself through the lens of a threat. 

Dave Bittner: So what are some of the specific things that organizations can do to protect themselves against this particular threat? 

Josh Ray: Yeah. So, I mean, we've actually - I could share some observations based on our recent threatscape report and things that we've seen. Obviously, you know, the third-party vendors to target very specific assets and broader access operations is going to continue. 

Josh Ray: But what we've also seen now is, routinely, these adversaries are chaining together these off-the-shelf penetration tools with these living-off-the-land types of techniques - right? - just using the native types of tooling that's, you know, used by systems administrators to move around the network. And this is both complicating detection, but also attribution to certain types of threat groups. 

Josh Ray: And it's also really helping them be more effective, right? So they're - you know, they can use this tool - tooling that is commercially developed to, you know, really drive the plausible deniability of a lot of these attacks as well, too. 

Dave Bittner: So what specifically can organizations do to try to stay ahead of this threat? 

Josh Ray: Yeah. One of the things we always talk about is making sure that you understand the adversary collection requirements against your specific organization, right? So that means applying strategic intelligence to see, you know, what types of things that an organization - why they would be a target or why you would be a particular target and how that maps back to strategic requirements of a particular nation-state. 

Josh Ray: Now, what this allows you to do is really better focus your security controls on not only what the business sees as their high-value programs or high-value targets, but really what the threat is after as well - right? - so being able to kind of get to that Venn diagram of what the business cares about and what the threat's after. 

Josh Ray: I think and then you need to think about prioritizing, you know, what adversaries are likely to target you the most based on those collection requirements. And look at their tactics, techniques and procedures, and create specific type of hunting programs and activities that mimic that behavior so you can be a little bit more proactive in your approach and actively look for those threats on your network. 

Josh Ray: And it's really important to, you know, understand those commonly used tools that I was talking about before and the techniques that are employed so that you can actually detect that activity in your network as well, so that when you see those types of tools being used or certain types of patterns that are being exploited by those types of activities, that you can detect it in your own environment. 

Dave Bittner: You know, I wonder if, particularly for a lot of small or mid-sized businesses, do they - is there an attitude that, you know, what could I possibly do against someone as sophisticated as a state-sponsored threat actor? But you can defend yourself against this. There are tools you can use, and you can, you know, improve your defenses. 

Josh Ray: Yeah. I mean, the thing - the worst thing you can do is throw your hands up and say there's nothing I can do, right? You know, I think it's - as a whole industry, we need to kind of almost move beyond this notion of cyberdefense and really start thinking about things and achieve that level of cyber confidence, right? There are some things that you can very specifically do programmatically, employing the right types of technologies and driving that, you know, broader business acumen to really defend yourself against these types of threats. 

Josh Ray: But also, when the bad things happen, that you have that, again, that confidence to be able to chart that course, you know, in the face of that chaos. So, you know, you're investing in things that matter. You're able to see and manage the unseen and really more effectively prepare for the unknown. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. They taste as good as they crunch. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.