The CyberWire Daily Podcast 4.8.21
Ep 1307 | 4.8.21

Cring ransomware hits manufacturing plants. Distance learning difficulties. Hafnium’s patient approach to vulnerable Exchange Servers. The Entity List grows. 5G security standards.

Transcript

Dave Bittner: Cring ransomware afflicts vulnerable Fortigate VPN servers. Distance learning in France stumbles due to sudden high demand - and possibly also because of cyberattacks. Hafnium's attack on Microsoft Exchange Servers may have been long in preparation and may have used data obtained in earlier breaches. The Commerce Department adds seven Chinese organizations to its entity list. 5G security standards in the U.S. are said likely to emphasize zero trust. Atlantic Media discloses a breach of employee data. Caleb Barlow from CynergisTek with a clever way of thinking about ransomware preparedness. Our guest is Amit Kanfer from build.security on authorization - a problem he says remains mostly unsolved. And emissions testing stations in some U.S. states remain down.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 8, 2021. 

Dave Bittner: Researchers at the security firm Kaspersky say they've found a strain of ransomware - they call it Cring - being actively deployed against vulnerable Fortigate VPN servers. The vulnerability, for which patches are now available, renders the servers susceptible to directory transversal attacks, during which attackers can obtain session files from the VPN gateway. Such files contain useful information, including usernames and plaintext passwords. 

Dave Bittner: The attackers first worked to gain control over the targeted system, beginning with reconnaissance, then performing test connections to ensure that a vulnerable instance of the software was running. Once gaining initial access, the attackers installed Mimikatz to steal account credentials used to log into the compromised system. After the domain administrator account was obtained, the next steps involved distributing the Cobalt Strike Beacon backdoor to other systems on the victim's network. At that point, they were ready to install Cring ransomware and encrypt the victim's files. The usual sort of ransom note was delivered. 

Dave Bittner: Cring is noteworthy for its deployment against manufacturing facilities. At least two factories in Italy, CyberScoop reports, have been affected. The companies are unnamed, but their production has been disrupted. The protective advice is clear - if you're using Fortinet VPN, update the server. 

Dave Bittner: Online education networks in France are suffering from the strains of an abrupt switch to distance learning this week. In addition to the stresses on a network one might expect from a sudden surge in use, the systems are also believed to have been targeted by hackers. Prosecutors are investigating, The Washington Post reports

Dave Bittner: The attacks by Chinese operators on vulnerable Microsoft Exchange Server instances appear, according to The Wall Street Journal, to have been long under preparation. In particular, investigators are leaning toward a theory that holds Hafnium's operation was prepared by mining troves of personal information acquired beforehand. That would explain the surprising speed with which the compromise progressed. It also revives concerns about the effects of past Chinese collection of personal data in such breaches as those at the US Office of Personnel Management, Marriott, and Equifax

Dave Bittner: The Journal quotes US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger as saying, quote, "We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that information at scale is a significant concern," end quote. Another point worth considering in relation to Hafnium's operation is the value that even older personal data can have, especially when it's in the hands of a patient and well-resourced intelligence service. 

Dave Bittner: The Times of India reports that General Bipin Rawat, Chief of India's Defence Staff, said yesterday that the country was working to counter the cyber threat from China and that India was itself developing offensive capabilities in response to that threat. The general said, quote, "What we are trying to do is to ensure cyberdefense. We have, therefore, created a tri-service Cyber Defense Agency, to ensure that even if we come under a cyberattack, the downtime and effect doesn’t last long," end quote. He was disinclined to discuss projected offensive capabilities, but he did say that India was somewhere there. He hopes to be able to turn India's strong private-sector IT capabilities to use in developing a full-spectrum defense against multidomain attacks. 

Dave Bittner: The U.S. Department of Commerce has added seven Chinese organizations to the entity list the department's Bureau of Industry and Security maintains. The Commerce Department said, quote, "These entities are involved with building supercomputers used by China's military actors, its destabilizing military modernization efforts and-or weapons of mass destruction programs." 

Dave Bittner: Organizations on the entity list are subjected to various restrictions on their trade. As the Department puts it, the point of placement on the entity list is "to restrict the export, re-export and in-country transfer of items subjected to the export administration regulations to persons, individuals, organizations and companies reasonably believed to be involved, have been involved or pose a significant risk of being or becoming involved in activities contrary to the national security or foreign policy interests of the United States. Additional license requirements apply to exports, re-exports and in-country transfers of items subject to the export administration regulations to listed entities, and the availability of most license exceptions is limited," end quote. 

Dave Bittner: According to Breaking Defense, U.S. NSA Executive Director Noble says the public-private consortium developing standards for 5G security intends to emphasize the importance of zero trust. The standards, collectively called the Enduring Security Framework, are the work of a public-private partnership among the National Security Agency, other organizations within the Defense Department, the Department of Homeland Security and, in particular, the Cybersecurity and Infrastructure Security Agency, the intelligence community and companies within the U.S. IT sector and the defense industrial base. The Enduring Security Framework is intended to address threats and risks to the security and stability of U.S. national security systems and critical infrastructure. 

Dave Bittner: NSA's contribution lies in its cybersecurity and cryptographic expertise. Zero trust will be particularly important for 5G, Noble said, because of the technology's high speed and the large distributed attack surface presented by its many IoT nodes. 

Dave Bittner: Atlantic Media, currently a minority shareholder in The Atlantic and formerly the corporate owner, has detected unauthorized access to servers that hold employee records. 

Dave Bittner: And finally, emissions testing in several U.S. states continues to be out due to a cyberattack, Boston 25 News reports. Testing stations now hope to be back up on Monday. 

Dave Bittner: Authorization and authentication are often thought of hand in hand as integrated parts of a permission structure within a security framework. Amit Kanfer is CEO at build.security, and he makes the case that authorization is an area with plenty of room for improvement. 

Amit Kanfer: Yeah, I think it's a - if it's not clear enough, authentication, you know, is the mechanism where you authenticate a user you want to know or a service - it doesn't have to be a user - where you want to know who is interacting with your API, with your application. Authorization is the other side of the coin, where you want to know what is this - once authenticated, what does this user or service can do within my application or API? 

Dave Bittner: And I suppose, I mean, the two often go hand in hand, right? 

Amit Kanfer: Yeah, often they go hand in hand because usually you do - you authenticate to a service, and then there are many authorization requests that go out between you and the service you're interacting with in order to understand what kind of user interface to show you, for example, what are the APIs you can interact with, whether you're allowed to make a certain action on a certain asset or a resource. So, for example, when you log into a bank, you log in once. But then there are many, many tabs and actions that you can perform, and each one of those actions could be allowed or denied, according to your - a long list of attributes - whether you are an employee of the bank, whether you are just an end user of the bank, whether you are from the IT service of the bank - goes on and on, right? 

Dave Bittner: Right. I suppose - I mean, is it accurate to say that one of the challenges that you face in this sort of situation is that, you know, there are so many special cases where - there are many exceptions that, I suppose, you naturally have to deal with. 

Amit Kanfer: Yes, there are many exceptions. And all policy logic tends to be very complex and cumbersome to maintain. And then, you know, people change roles in the companies, and then that logic stays, and it's very hard. Basically, it's very hard - it boils down to being very hard to maintain and very - and coupled in the application itself, which is also a challenge - how to decouple that logic outside because it's not the business logic of the company; it's a policy. So why not - to decouple it from the application. So that's a trend we're seeing lately. 

Dave Bittner: So what do you suppose the future looks like for this? In an ideal world, how would people be dealing with their authorization? 

Amit Kanfer: I think in an ideal world, authorization will be distributed, centrally managed, but enforced in a distributed manner. Each application has its own authorization server that runs right beside it, very close to it and with a low latency and high-throughput mechanisms. And that, centrally, central management should be a single pane of glass to all the policies in the organization. Imagine where you can have hierarchy between different policies so you can think about corporate level of policies and then business units and then departments where they can extend the corporate-level policies and add more restrictions to it but do not override it - testing and playground. Treating policies really as code, integrated with your Git, with your version control system. So that would be an ideal situation. 

Dave Bittner: That's Amit Kanfer from build.security. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, I wanted to check in with you when it comes to ransomware and your thoughts on organizations best preparing themselves for the possibility - and I suppose some would say inevitability - of having to deal with something like this. What do you have for us today? 

Caleb Barlow: OK, Dave, so a warning in place - this is a bit cheesy. 

Dave Bittner: (Laughter). 

Caleb Barlow: But - and I'm not going to admit if a beer or two is involved in this. But my team came up with, actually, a really interesting way to think about how you're prepared for ransomware that I thought I'd share. 

Dave Bittner: All right. 

Caleb Barlow: And this is very pandemic-esque. But what we've found, actually, as cheesy as this is, it has really become a great tool for explaining to executives what you need to do to really prevent ransomware. So the first thing, just like the pandemic, is we need testing, Dave. So, you know - and why do we test for coronavirus? Well, to know if someone's infected. And that's where compromise assessments come in, right? So your analogue for testing is a compromise assessment. It's something that, I think, especially as we're coming on the other side of the pandemic and companies have opened up their networks and people are working from home, getting compromised assessments is a really good idea. 

Dave Bittner: OK. What next? 

Caleb Barlow: All right, how about some social distancing, Dave? 

Dave Bittner: (Laughter) I'm all for it. 

Caleb Barlow: You're a little bit a little too close. Can you back up? OK? 

Dave Bittner: (Laughter) Yeah, I'll just back off my mic here. 

Caleb Barlow: So, you know, the same thing with kind of limiting the spread of COVID - we need to social distance our networks. And what does that mean? Well, network segmentation. And it kills me. I mean, when I go in and do a security assessment, I start asking, going, well, how segmented is your network? Well, what do you mean? You know, if there's an infection in one portion of your network, can it get into others? And we spent a lot of time at hospitals. It is not uncommon at all for the surgical wing in the hospital to be on the same network segment in an academic medical center as the dorm room. And that's a - you know, any security professionalist just cringes at that. So we've got to socially distance our networks. 

Dave Bittner: OK. 

Caleb Barlow: So how about some contact tracing, Dave? 

Dave Bittner: (Laughter). 

Caleb Barlow: You know, we need early warning signs, right? And that's where endpoint detection and response comes in, you know, your classic EDR tools. Get in there, find that issue early, but contact-trace it to figure out who else talked with that endpoint and is likely also infected. 

Dave Bittner: Uh huh. All right. What's next? 

Caleb Barlow: How about some masks, Dave? So... 

Dave Bittner: Ah, OK. 

Caleb Barlow: Now, this one isn't quite as good of analogy, but, you know, masks, I think, are a lot like multifactor authentication - right? - in that, you know, you've got to have that extra barrier in MFA. But here's the thing I think most people aren't prepared for when it kind of comes to ransomware. They might have multifactor on, let's say, their VPN. You need multifactor on everything. And what I tell people now is if you can log into anything at work without having to do an MFA challenge, you have a problem. Now, that doesn't mean every time you log in to Outlook, you've got to, you know, get a text on your mobile phone. But certainly every time you log in from a new computer or a new browser, you need to be doing that. 

Dave Bittner: Right. Right. 

Caleb Barlow: Can you guess what's next, Dave? 

Dave Bittner: Have we reached vaccination yet? 

Caleb Barlow: No. Vaccination's... 

Dave Bittner: OK. 

Caleb Barlow: ...Not on the list. 

Dave Bittner: Oh, OK. All right. All right. Sorry, I jumped the gun. 

Caleb Barlow: You jumped the gun. That's OK. It was a good try. But how about... 

Dave Bittner: (Laughter). 

Caleb Barlow: How about scrubs and gowns, right? And... 

Dave Bittner: Oh, OK. 

Caleb Barlow: ...This is where kind of, you know, you need separation of duties with privileged access management, right? Everybody's got to be a little bit isolated than from everybody else. And the thing with PAM tools is what we really want to see to prevent ransomware is admin IDs are not used for anything other than administering the single system of which they're assigned. The admin can't also be using their admin ID for checking their email and everything else. That's just not cool anymore. 

Dave Bittner: I see. All right. Any more? 

Caleb Barlow: Yeah. How about a checkup? So we need a - just like you go to the doctor, you need a checkup. 

Dave Bittner: Yeah. 

Caleb Barlow: And that's where security control validation comes in. You know, let's not just look at your credentials, let's actually make sure they're working by launching inoculated attacks in the environment, seeing how the people, the processes and the tools respond. And the last thing, Dave, we need a treatment plan, right? So like anything else, if you get infected, we've got to have a plan to treat you. And that's where runbooks come in. And we've got to practice and rehearse those runbooks over and over and over again until they're muscle memory. So that's our cheesy prep... 

Dave Bittner: (Laughter). 

Caleb Barlow: ...On how to prevent ransomware, Dave. 

Dave Bittner: Yeah. I've got to go get us a bottle of wine, Caleb, to go with that cheese. But it's good. It's good (laughter). It's good. I am a fan of analogies, so you got... 

Caleb Barlow: OK. 

Dave Bittner: Yeah. I'm sold. I'm sold. If it helps people remember these things, more power to you (laughter). 

Caleb Barlow: Hey, I just want to know - anybody that uses that to explain it to the CEO, I promise you it'll work even though they'll laugh. 

Dave Bittner: Yeah. Yeah. All right. Whatever it takes. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It could change your whole way of life. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.