The CyberWire Daily Podcast 3.23.21
Ep 1295 | 3.23.21

Updates on the state of Microsoft Exchange Server vulnerability, patching, and exploitation. Third-party breaches affect Shell and AFCEA. TikTok’s privacy. A manga site goes down.


Dave Bittner: Exchange Server patching is going well, they say, but they also say that patching isn't enough. Crooks are continuing to look for unpatched instances, and even in the patched systems, you've got to check to make sure the bad actors have been found and ejected. AFCEA and Shell both disclose being affected by third-party breaches. Citizen Lab sees no particular problem with TikTok. Ben Yelin ponders possible U.S. response to the Microsoft Exchange Server attacks. Our guest is Alex Gizis from Connectify on using VPNs to thwart government internet restrictions in Myanmar. And a major manga fan site is down.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 23, 2021. 

Dave Bittner: Microsoft Exchange Server patching has gone extraordinarily well, The Record reports, with roughly 92% of all Exchange Servers as of yesterday having had either patches or other emergency mitigations applied. 

Dave Bittner: The one-click tool Redmond has made available has been downloaded more than 25,000 times since its release last week, Fortune writes. The tool has received positive reviews, with FireEye, for one, praising the easily downloaded turnkey script that organizations can use to both apply patches and determine whether their systems have been compromised. 

Dave Bittner: That's all good news, but patching alone isn't sufficient. Potentially affected organizations need to do some threat hunting and remediation before they can consider themselves in the clear. According to CyberScoop, CISA's acting director yesterday cautioned that "patching is not sufficient. There are literally thousands of compromised servers that are currently patched. And these system owners, they believe they are protected," end quote. They're not, of course. Thousands of Exchange Servers were compromised before the patches were available, and if the attackers were in them, unless they've been found and booted out, they're still there. 

Dave Bittner: And, of course, even with 92% of on-premise Exchange Servers fixed, that still leaves around 30,000 of them unpatched. Criminals are still seeking to get while the getting's good. Computing reports that Black Kingdom ransomware operators are among those seeking to exploit Exchange Server ProxyLogon vulnerabilities. Their source is Marcus Hutchins, the security researcher who blogs at MalwareTech, and Mr. Hutchins says he caught Black Kingdom over the weekend in a honeypot. 

Dave Bittner: We add an obligatory note from recent history - Mr. Hutchins was the hero who found the WannaCry kill switch but who was subsequently convicted by a U.S. court of earlier involvement with the Kronos banking Trojan and sentenced to time served, a year of supervised release and a fine. The judge said at sentencing that Mr. Hutchins appeared to have outgrown and forsaken his earlier criminal ways and that the court took notice of that. 

Dave Bittner: Attackers also continue actively scanning for servers that remain unpatched, with F-Secure seeing a significant number of attempted hacks daily. ZDNet quotes F-Secure as saying "they're being hacked faster than we can count." 

Dave Bittner: Acting CISA Director Wales also said that the list of SolarWinds victims had solidified, FCW reports, and that he doesn't expect many, if any, new victims to come forward. 

Dave Bittner: AFCEA yesterday emailed its members to notify them that Spargo, a third-party vendor who handles registration for AFCEA events, had sustained a ransomware attack and that some member personal information may have been compromised. Financial data are believed to be unaffected. Specifically, the compromise may have included names, addresses, email addresses, phone numbers, fax numbers, job titles and organizational affiliation. To the best of AFCEA's knowledge, credit cards, other financial information, passwords, Social Security numbers, dates of birth and driver's licenses aren't at risk. Spargo is investigating, and AFCEA is staying close to them for updates. 

Dave Bittner: Shell disclosed yesterday that it has discovered personal data the company held was affected by the Accellion breach. Regulators, law enforcement authorities and affected individuals have been contacted. This represents the latest fallout from the compromise of Accellion's FTA software. 

Dave Bittner: So TikTok - privacy nightmare and national security threat or just a goofball site where you can watch someone bop their head to Millie B? 

Dave Bittner: The University of Toronto's Citizen Lab took up the question and concluded that it's the latter. TikTok is owned by China's ByteDance, but Citizen Lab found no unusual evidence of overt malicious influence. They did admit that, of course, you don't know what you don't know and that maybe there are security issues they didn't find. And also, of course, it's possible the Chinese government could use unconventional ways to force ByteDance to turn user data over to the authorities under China's national security laws. So the charge of security threat didn't get a guilty or not guilty finding, but more of a not proven, as they say in Aberdeen. 

Dave Bittner: On the privacy issue, Citizen Lab shrugged and said, well, at least TikTok's no worse than Facebook, which almost amounts to a letter of recommendation now, doesn't it? 

Dave Bittner: So for now, at least, you can watch the cat searching an aperture, the baby getting its smiling cheeks squeezed and Fashion Week fantasy and so on. So enjoy. 

Dave Bittner: And finally, sorry, otaku, but MangaDex, the manga fan site, says it's been hacked in an apparent extortion attempt. The hacker gained access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management. MangaDex, after having closed off that particular problem, subsequently found that one of its developer accounts had been improperly accessed and at that point took its site down for more complete remediation and a security upgrade. 

Dave Bittner: The intruder may have been more nuisance than serious extortionist. At any rate, in the early morning on March 20, the attacker had, as MangaDex put it, abandoned any pretenses of ransomware. They emailed some users to say MangaDex has a DB leak; I suggest you tell their staff about it. 

Dave Bittner: So MangaDex appears to be taking all the reasonable precautions one might expect. In the meantime, otaku, what are you going to do? Granted, social distancing is probably not the same issue for you that it is to many others. But still, you're out of manga. May we suggest broadening your reading interests? Try Jane Austen, maybe. Sure, "Emma" isn't "Sailor Moon," but we all face sacrifices, don't we? 

Dave Bittner: Here's an idea - TikTok yourself reading Jane Austen. You'll stay busy and provide a public service beside. Start here. This is about the right length. 

Dave Bittner: (Reading) Mr. Knightley, a sensible man about seven or eight-and-thirty, was not only a very old and intimate friend of the family but particularly connected with it, as the elder brother of Isabella's husband. He lived about a mile from Highbury, was a frequent visitor and always welcome, and at this time more welcome than usual, as coming directly from their mutual connections in London. He had returned to a late dinner after some days' absence and now walked up to Hartfield to say that all were well in Brunswick Square. It was a happy circumstance and animated Mr. Woodhouse for some time. Mr. Knightley had a cheerful manner, which always did him good. 

Dave Bittner: On second thought, yeah, probably best to just stick with "Sailor Moon." 

Dave Bittner: The recent military coup in Myanmar has brought renewed attention on the reality of repressive regimes taking control of internet access. This is not unique to Myanmar, of course. There's the Great Firewall of China, and other nations dial in what they do or do not allow their citizens to access. 

Dave Bittner: One way around those restrictions is the use of a VPN. Connectify is a company that offers a VPN product called Speedify. And in the course of a week's time, they've seen over half a million users from Myanmar start using their service - a service, it should be said, that in the interest of global citizenry Connectify is providing citizens of Myanmar for free. Alex Gizis is Connectify's CEO. 

Alex Gizis: So there was a coup on February 1, where the military of Myanmar overthrew the country's leadership. And they had two short internet shutdowns in the first week. And they started filtering all sorts of sites. Facebook and things like that are blocked by the firewalls in the country. And for the last, I would say, 15 nights in a row, they've actually just been literally cutting off the internet right at 1 a.m. local time and turning it back on at 9 a.m. So the whole night, they are simply disconnecting from the internet entirely. 

Dave Bittner: You know, I think it's hard for those of us here in the U.S. - and certainly, we cannot claim to have the best, fastest or cheapest internet in the world, but in general, we have good accessibility. You know, I can imagine in the days when we used to get together in the office here that, you know, the internet goes down for five minute (ph), people start walking around nervously, you know, wondering what are they going to do with the rest of their day. It's hard to imagine having big outages like that. But beyond that, I mean, that it's being used for political control in this way not just in Myanmar, but around the world. 

Alex Gizis: Yes, it absolutely is. And running an operation - you know, so the Great Firewall of China, of course, is this super advanced thing that filters all sorts of URLs and, you know, even reads the contents of messages and things like that to make sure you're not doing, you know, things the government doesn't approve of. But these other countries can't afford that. I mean, China has, I believe, tens of thousands of people running that filter operation. A China - a Myanmar, they can't do that, so they have to come up with blunter tools, like simply disconnecting the internet for eight or 23 hours at a time. 

Dave Bittner: So how are the citizens getting around that? What sort of tools do they have at their disposal? 

Alex Gizis: Well, so once the whole internet is disconnected, there isn't much you can do. I mean, we have no magic cure to that. 

Dave Bittner: Right. 

Alex Gizis: During the 16 hours a day that there is internet, people are turning to VPNs to get around the blunt filtering - right? - the you can't go to Facebook. Well, you download Speedify, you fire it up, it connects to one of our servers and now you can get on Facebook, right? So as long as you have internet access to us, we can get you to everywhere else on the internet. 

Alex Gizis: And that seems to be what people are doing, right? So we have, you know, 500,000 active users now in Myanmar. And I have no idea what the competitors have, but, you know, that's, you know, 1% of the population is on Speedify at any given time (laughter). 

Dave Bittner: Where do we suppose this sort of arms race is headed? I mean, is the - do we suppose that through the encryption that comes with using a VPN that that's going to serve us for the long haul? 

Alex Gizis: It is absolutely a game of cat and mouse. You know, arms race is the right term, right? So we now support ESNI. So, you know, we not only encrypt our data packets now, we encrypt the headers so that they can't recognize our certificate. We use DNS over HTTPS - you know, DoH - so that they can't block us in the DNS server, right? So, I mean, every few months, we are adding another tool to our quiver. 

Alex Gizis: When we see some country managed to block us, we look at how, and we add another technology. And it just keeps ramping up. So I expect the arms race to really continue as an arms race for a long time. 

Dave Bittner: That's Alex Gizis from Connectify. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hey, Dave. 

Dave Bittner: Interesting article from the Lawfare blog. It's written by Dmitri Alperovitch and Ian Ward. And it's titled "How Should the U.S. Respond to the SolarWinds and Microsoft Exchange Hacks?" Can you give us a rundown of what they're proposing here, Ben? 

Ben Yelin: Yeah. So we've had two very high-profile cyberattacks at the behest of nation-states recently, so obviously SolarWinds, which was perpetuated by agents of the Russian government, and then more recently, the attack on Microsoft Exchange servers, which we think is from China. And what this article gets into - or this blog post - is the difference between these two attacks, why that difference is so critical and how it should shape our responses to these attacks. 

Ben Yelin: So the SolarWinds attack was much more narrow. It was sort of a clinical strike. And it was much more of a responsible attack, if you can say such a thing. Even though Russia was able to gain access to, you know, some of our Fortune 500 companies through this attack, they didn't exploit the vast majority of the networks that they gained access to. And in fact, as this blog post notes, they voluntarily sent a kill switch to 99% of their potential victims, which limited their own access. 

Ben Yelin: The hidden underbelly of all of this is this is the type of espionage attack that the U.S. government almost certainly has engaged in itself. So, you know, if we were to impose a disproportionate response on Russia, that could be inviting a disproportionate attack on us in retaliation. So for something like this, you know, there are diplomatic means you can use to respond - you know, kicking out diplomats, closing diplomatic facilities, limited sanctions, that type of thing. 

Dave Bittner: Right. 

Ben Yelin: But for the Chinese attack on Microsoft Exchange servers, this was more of an indiscriminate attack on - by Chinese hackers. It was the type of thing that was not limited in scope. It wasn't carefully executed. It was broad. They basically ransacked our computer networks, took as much of the loot as they could find and are going to figure out what's useful to them as they search through it. 

Ben Yelin: So, you know, I think our response to China has to be proportionate to the scale of this attack, and we have to make it very clear, you know, with whatever diplomatic means we use that this type of attack is an escalation. It's not going to be acceptable. As the blog post called it - and I think he was quoting another cybersecurity expert - China used a pillage everything model. And whatever disincentives we want to give, we need to do that because this is not something that we can accept. 

Dave Bittner: Where do you suppose this goes from here? I mean, is the Biden administration making any noises as to what their likely responses might be? 

Ben Yelin: So I think they've been teasing - the Biden administration - for a while how they're going to respond to the SolarWinds attack, and we've heard rumors about various sanctions that are going to be instituted. The Chinese attack, the Microsoft Exchange attack, is still relatively new, so we don't have much guidance as to what the response is going to be and how proportionate it's going to be to the attack itself. 

Ben Yelin: But it seems like in the interest of not only ourselves, but the international community, I think there is a call among experts to draw a bright line against this type of indiscriminate attack that we saw with the Microsoft Exchange attack. So I think we will probably see a more robust and perhaps offensive cyber operation in retaliation for this attack. 

Dave Bittner: I have seen some folks say also in response to SolarWinds - because it's more of an espionage type of thing, it's more of a spy-versus-spy type of thing - that there may not be public signs of our response. It may be a more behind-the-scenes thing where, you know, the folks who need to know that we know that they know that we know - you know, (laughter) that sort of thing. 

Ben Yelin: Yeah, I kind of analogize it - I'm a big hockey fan. I analogize it to what happens on the ice during a game where, like, you kind of are feeling each other out with little stick checks that nobody else can see and kind of asserting your own authority and seeing what you can get away with, you know, testing that out before you actually drop the gloves and get into a fight. I kind of think that that's sort of what's happening here - that we might see a response that's not immediately evident to us but would be, you know, appropriate for more of a targeted attack like the one that we saw from Russia. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Comes with everything you see here. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.