The CyberWire Daily Podcast 4.5.21
Ep 1304 | 4.5.21

An old Facebook database handed over to skids (and it’s a big database). APTs look for vulnerable FortiOS instances. Cryptojacking in GitHub infrastructure. Risk and water utilities.


Dave Bittner: An old leaked database has been delivered into the hands of skids. CISA and the FBI warn that APTs are scanning for vulnerable Fortinet instances. Cryptojackers pan for altcoin in GitHub's infrastructure. Holiday Bear may have looked for network defenders. Threats to water utilities. Johannes Ullrich explains why dynamic data exchange is back. Our guest is Mark Lance from GuidePoint Security, tracking parallels between the SolarWinds attack and the RSA hack a decade ago. And a cyberattack snarls vehicle emission testing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 5, 2021. 

Dave Bittner: Citing a Business Insider report, the Washington Post writes that 533 million Facebook users' personal information was dumped over the weekend to a hacking forum. The data is old and the leak isn't new - Facebook detected and fixed it in October 2019 - but the concern is that the information is now in the hands of criminal skids who will be able to make a greater nuisance of themselves than usual. 

Dave Bittner: So it's not a new breach, but the dissemination is now far wider and can be expected to appear in low-grade scams. What kind of scams and mischief? The Record lists the usual dreary mob - email or SMS spam, robocalls, extortion attempts, threats, harassment and more. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency - that's CISA - and the FBI warned Friday that advanced persistent threat actors are scanning devices on multiple ports looking to take advantage of multiple CVEs and that it's likely the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks. 

Dave Bittner: All three vulnerabilities affect Fortinet's FortiOS. Patches are available for all three vulnerabilities listed. The unnamed APT actors are scanning for unpatched systems that remain susceptible to exploitation. 

Dave Bittner: The advisory says it's possible that this activity represents staging for future data exfiltration or data encryption attempts. The FBI and CISA list the sorts of activity this kind of staging has historically been used to prepare - distributed denial-of-service attacks, ransomware attacks, structured query language injection attacks, spear-phishing campaigns, website defacements and disinformation campaigns. The advisory adds APT actors may use other CVEs or common exploitation techniques, such as spear-phishing, to gain access to critical infrastructure networks to pre-position for follow-on attacks. 

Dave Bittner: In addition to the obvious protective measures like patching and adding key artifact files used by FortiOS to your organization's execution deny list, the advisory is particularly concerned to recommend email security measures, such as consider adding an email banner to emails received from outside your organization, disable hyperlinks in received emails and, of course, focus on awareness and training. 

Dave Bittner: The phrase APT actor as used in these advisories commonly refers to a state-directed threat group. Betting on form, The Record points out that Iranian and Chinese threat actors - MuddyWater and APT5 specifically - have a record of pursuing Fortinet bugs. 

Dave Bittner: GitHub is dealing with the discovery of a cryptojacking campaign that was mining coin in the repository's own servers. According to The Record, the crooks have been abusing GitHub Actions since this past fall. Actions is a feature in GitHub that allows automatic execution of tasks when a particular event takes place inside a GitHub repository. 

Dave Bittner: The attack works by, quote, "forking a legitimate repository, adding malicious GitHub Actions to the original code and then filing a pull request with the original repository in order to merge the code back into the original," end quote. The original project owner doesn't need to approve the ill-intentioned pull request, so all the cryptojacker needs to do is file the request. 

Dave Bittner: The good news for users is that the attacks don't appear to be affecting their projects at all. It's an attack on GitHub's infrastructure. 

Dave Bittner: CNN reported Friday that the Holiday Bear attackers who exploited SolarWinds last year paid particular attention, once their operation had begun, to the U.S. government security personnel charged with hunting down threats in federal networks. This suggests to some that the compromise may have been more than just overlooked and that the Russian operators may have been able to actively evade or impede U.S. efforts at detection and mediation. And that, observers speculate, is the significant news behind the compromise of U.S. Department of Homeland Security emails. 

Dave Bittner: The US Federal indictment of Wyatt Travnichek on charges of illicitly accessing the Ellsworth County, Kansas, Rural Water District's computer system on March 27, 2019, has again raised concerns about the security of water utilities. Mr. Travnichek is alleged, Decipher explains, to have shut down the processes behind the facility's cleaning and disinfecting procedures. The accused hacker worked for the utility in 2018 and 2019, where part of his job was remotely logging into the facility's computer system to monitor the plant after hours. 

Dave Bittner: Water utilities have tight budgets and relatively small staffs. Note that it was a staffer, an actual human being, who noticed and stopped the attempt earlier this year to manipulate sodium hydroxide levels in the Oldsmar, Fla., water system. That combination tends to drive economies that save on expensive labor, and these often involve indifferently secured remote access to control systems. 

Dave Bittner: WIRED says water systems are vulnerable and not getting any more secure, and their article deplores the tendency to look at electrical power as the only distribution system that presents serious cyber risks. That may be an overstatement, and the power grid certainly has problems of its own, so whatever additional security the attention may have brought haven't been anything like a panacea. 

Dave Bittner: And finally, if you've been having trouble getting your car checked for compliance with emission standards, the fault may not be in the DMV, but in its software. A cyberattack against vehicle emissions testing provider Applus Technologies, BleepingComputer reports, has disrupted emissions testing in eight US states. The problem is expected to continue through tomorrow at least and probably longer. Applus says it's working with law enforcement but that it's too early to say more about the nature of the attack or whether personal data was exposed to compromise. 

Dave Bittner: BleepingComputer speculates that the incident was a ransomware attack but that it's a circumstantial judgment at this point. And if you're worried about being ticketed by the police for having an expired emissions test, Applus says it's reached out to police in the affected states to let them know it's not your fault your vehicle missed its inspection. Hey, Officer, the software ate my carbon monoxide, honest. 

Dave Bittner: The SolarWinds attack has put a spotlight on third-party security risks, and one element people are pointing out is that third-party risks are nothing new. Mark Lance is former head of incident response at RSA and now senior director of cyber defense at GuidePoint Security. He sees a strong similarity between the SolarWinds attack and the RSA hack from 10 years ago. 

Mark Lance: Yeah. I mean, I would say that, you know, we see targeted attacks and have seen targeted attacks historically at a large scale and with advanced threat actors going on for, you know, obviously an extended period of time, going all the way back to the RSA breach and prior. And so, you know, very specifically, with what occurred with SolarWinds, which was a, you know, a supply chain attack, you know, this isn't necessarily the first time we've seen something like this. 

Mark Lance: And so when you start taking into account trying to access somebody who is, you know, part of the supply chain or a vendor or somebody else as opposed to targeting an environment directly, again, it's, you know, it's something we've seen historically and was reminiscent of, you know, the RSA attack, where, you know, RSA being breached and getting access to the data there was not necessarily specifically for the end result of trying to access RSA, but subsequently to, you know, attack other environments. 

Mark Lance: And so, again, it's, you know, reminiscent from the sense that, you know, there is initial motivation to get into that specific environment, but predominantly for subsequent access into, you know, a larger target or more targets. 

Dave Bittner: Is it fair for folks to express some frustration that, you know, 10 years out or so from the RSA hack, that here we are again? 

Mark Lance: I think that, you know, this is something that is going to continue to happen. I mean, I think when you've got motivated attackers who are - really have an objective they're trying to accomplish, they're going to find one way to do it or another. So if it wasn't, you know, RSA or if it wasn't SolarWinds, they're going to find some other, you know, potential access point within the supply chain. Or, you know, whether it's through a subsidiary or whether through a partner or vendor relationship, they're going to find a way in. 

Mark Lance: So I would say that, you know, there, you know, can certainly be frustration in some of the qualities associated with the way that things are being secured. But I think overall, these attackers are very creative, especially when you're talking about, you know, your nation-state-sponsored actors that, again, when they've got an objective, they're going to find one way or another to get in. And it just, you know, happened to be that they were the ones that were impacted. And you would like to think that, you know, there are additional, you know, controls being put in place and things to prevent similar things from happening in the future. 

Dave Bittner: That's Mark Lance from GuidePoint Security. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC "StormCast" podcast. Johannes, great to have you back. I wanted to touch base with you about some stuff that I know has caught your eye. This has to do with dynamic data exchange, sort of a legacy thing that's back. Explain to us what's going on here. 

Johannes Ullrich: Yeah, it's really one of those things where as a security professional, you're often distracted by the shiny new thing. But, you know, big reminder here, old stuff often still works. And, of course, these days, whenever I sort of talk to people about what they recently got hit by, how they got infected with ransomware or whatever, one of the big themes that comes often through is, hey, a user clicked on an email attachment. 

Johannes Ullrich: Now, OK, we have a lot of anti-malware and filters set up that will specifically look for macros in Office documents. However, there's an older technology, dynamic data exchange. It sort of predates macros. Back in the day when I was still young and full of energy in this business... 

Dave Bittner: (Laughter). 

Johannes Ullrich: ...I sort of saw a bunch of these coming in. And it was great back then because it ran itself without user interaction. And attackers loved it. But then, of course, Microsoft clamped down on it. It sort of now works like macros. You have to give it permission. So attackers figured, hey, I have to go through the trouble of asking the user for information; I may as well use these more modern macros, which allow for a lot more fancy exploits and such than the old DDE allowed. 

Johannes Ullrich: But then again, anti-malware apparently no longer really looks for all these old signatures. And that's sort of not standard housekeeping that these products do. They haven't seen a particular signature trick in a while, so to reduce some of the load to these products, they remove some of these old ones. But the attackers often go back five years, 10 years and try some of these old tricks again. 

Dave Bittner: Yeah. I mean, it's really the mixed blessing of Microsoft supporting, you know, these old legacy things. And, I mean, I suppose on the one hand, it's good that if you need it, it's there. But like we often say, out of sight, out of mind. It can slip in past the detection, right? 

Johannes Ullrich: Correct. And we see this with other things, too, like that famous VelvetSweatshop password that Microsoft introduced way back in the day when they sort of had some very simple locked Office document. Well, attackers still use it because it still works to slip past some of these anti-malware tools. And in the end, they just play the numbers game and hope that one of the users will click. 

Dave Bittner: Yeah. All right, well, good advice, as always. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The more you look, the more you like. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.