The CyberWire Daily Podcast 4.14.21
Ep 1311 | 4.14.21

The IAEA investigates the Natanz incident (amid conflicting reports on the nature of the sabotage). Mopping up the SolarWinds Exchange Server hacks.

Transcript

Dave Bittner: Updates on Natanz, where the nature of the sabotage remains unclear. Electrical utilities are on alert for cyberattack, especially after the SolarWinds incident. The U.S. government takes extraordinary steps to fix the Microsoft Exchange Server compromise. Joe Carrigan analyzes effective phishing campaigns. Our guest is the FBI's Herb Stapleton on their recent IC3 report. And the U.S. intelligence community's Annual Threat Assessment points to China, Russia, Iran and North Korea.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 14, 2021. 

Dave Bittner: The Jerusalem Post reports that the International Atomic Energy Agency visited Natanz yesterday, quoting the agency as saying simply, quote, "IAEA inspectors are continuing their verification and monitoring activities in Iran and today have been at the Natanz enrichment site. The IAEA will continue to report on relevant developments regarding Iran's nuclear program to the IAEA Board of Governors," end quote.

Dave Bittner: The precise nature of the sabotage remains unclear, and there are conflicting official and unofficial reports in circulation of hacks, bombs and bombs controlled by hackers. The Intercept describes ways in which cutting power could've damaged the centrifuges. Rotating machinery like centrifuges can be destroyed through sudden, abrupt power cycling, which may have been the point of disrupting power distribution at Natanz. Investigation continues. 

Dave Bittner: Iran has called for an international inquiry, but Reuters said that President Rouhani has indicated what Tehran's first response will be - an increase in uranium enrichment levels to 60%. Four percent uranium-235 is generally regarded as sufficient to fuel a reactor. Fission bombs need much more highly enriched material and typically use 90% enriched uranium. President Rouhani disclaims any intention to make a bomb, but inducing fear of bomb construction would seem to be the retaliatory point of increasing enrichment levels. Sixty is, after all, a lot closer to 90 than it is to four. How Iran might quickly ramp up enrichment if the damage to its centrifuges is as extensive as some of Tehran's statements have suggested remains unclear. 

Dave Bittner: The Hill reports that the North American Electric Reliability Corporation - NERC - is seeing an unprecedented level of cyberthreat to the power grid. A senior vice president at NERC who also leads the Electricity Information Sharing and Analysis Center - the EI-ISAC (ph) - said, "whether they are nation-state actors or cybercriminals, they possess the capabilities to disrupt our infrastructure. So that, again, underscores the need to remain vigilant. The pandemic created a broader opportunity since it increased our attack vector since everyone was working from home, and we saw adversaries targeting and attempting to take advantage of this across our industry," end quote. 

Dave Bittner: A great deal of the concern about power utility security centers on the Holiday Bear compromise of SolarWinds. That activity has been widely attributed to Russia's SVR Foreign Intelligence Service, and there's been considerable speculation to the effect that the operation's goal could have equally been staging a sabotage capability and intelligence collection. According to CyberScoop, about a quarter of the 1,500 utilities sharing information with NERC downloaded compromised versions of the SolarWinds Orion platform. 

Dave Bittner: The other big and ongoing state-directed, or at least state-initiated, cyber incident afflicting U.S. systems, of course, is China's operation against vulnerable instances of Microsoft Exchange Server. It's continuing to give Washington fits, The Washington Post writes

Dave Bittner: Much of the Microsoft activity in yesterday's Patch Tuesday, an unusually busy one, surrounded Exchange. Redmond addressed a large number of vulnerabilities - 108 bugs in total across its several products, including, as BleepingComputer points out, five zero days. 

Dave Bittner: NSA, which CBS News and others credit with disclosing some of the zero days to Microsoft, is urging all organizations to apply the patches as soon as possible. 

Dave Bittner: CISA, the US Cybersecurity and Infrastructure Security Agency, has also updated its Emergency Directive 21-02 to require that federal agencies it oversees immediately apply the Microsoft Exchange Server patches. 

Dave Bittner: CISA directs the dot-gov world to, first, deploy Microsoft updates to all their on-premises Exchange Servers by midnight tomorrow. If, for some reason, an agency can't update a server by the deadline, it must immediately remove that server from its networks. 

Dave Bittner: Second, apply and maintain technical and management controls to ensure that any newly provisioned or previously disconnected endpoints are updated before connecting to agency networks. 

Dave Bittner: Third, report completion by noon Friday. CISA has provided a template for all agencies to use when rendering their reports. 

Dave Bittner: And fourth and finally, immediately report any incidents or indications of compromise that appear during the update. 

Dave Bittner: All times, of course, are U.S. Eastern Daylight. Federal IT staffs are in for a busy week. 

Dave Bittner: And what about the private sector's vulnerable Exchange Servers? Well, they're a problem because once compromised, the web shells left behind by the attackers continue to work their mischief. The U.S. Justice Department yesterday announced that the FBI, pursuant to a warrant, has gone into private sector systems to remove malicious web shells from Microsoft Exchange Server instances. 

Dave Bittner: As the department puts it, quote, "authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States. They were running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service. Through January and February 2021, certain hacking groups exploited zero-day vulnerabilities in Microsoft Exchange Server software to access email accounts and place web shells for continued access. Web shells are pieces of code or scripts that enable remote administration. Other hacking groups followed suit, starting in early March after the vulnerability and patch were publicized," end quote. 

Dave Bittner: When the DOJ mentions certain hacking groups, most will understand China's Hafnium threat group, which Microsoft holds responsible for the initial compromise, and also by the large number of criminal groups who hopped on the bandwagon Hafnium got rolling. 

Dave Bittner: The Justice Department statement goes on, quote, "many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated. This operation removed one early hacking group's remaining web shells, which could've been used to maintain and escalate persistent, unauthorized access to U.S. networks. The FBI conducted the removal by issuing a command through the web shell to the server which was designed to cause the server to delete only the web shell identified by its unique file path," end quote. 

Dave Bittner: Most observers seem to have applauded the operation, and in this case the bureau seems to have been on the side of the angels. But a few others have expressed reservations. The Electronic Frontier Foundation is quoted in The Washington Post with a caution about the troubling maternalistic implication of the feds acting on behalf of your best interests without so much as a by-your-leave. 

Dave Bittner: The EFF said, quote, "it's good that the DOJ unsealed this promptly, and it's true that eliminating the Exchange Server security exploit is beneficial - though notably, it did not patch the hole - but it remains deeply disturbing to see a court authorize government agents to access your computer based on the government's idea of what is best for you," end quote. 

Dave Bittner: The action is indeed unusual and seems to indicate how serious the government believes this threat to be. The Justice Department appears to have gone out of its way to be as transparent as possible in the matter. The U.S. Attorneys for the Southern District of Texas were the ones who petitioned the court for partial unsealing of the warrant under which the bureau acted. 

Dave Bittner: And it might have been missed in the flurry of patches from Microsoft and others, but CISA yesterday also issued an unusually large set of advisories for industrial control systems. 

Dave Bittner: The US Director of National Intelligence has released the intelligence community's Annual Threat Assessment. China, Russia, Iran, and North Korea are flagged as threats, in that order of seriousness. Quote, "Beijing, Moscow, Tehran and Pyongyang have demonstrated the capability and intent to advance their interests at the expense of the United States and its allies, despite the pandemic," end quote. Terrorist groups get a look, but the familiar four nation-state adversaries have center stage. 

Dave Bittner: Their offensive cyber capabilities are given due attention, with threats to infrastructure receiving a prominent place. Quote, "cyber capabilities, to illustrate, are demonstrably intertwined with threats to our infrastructure and to the foreign malign influence threats against our democracy," end quote. 

Dave Bittner: About China specifically, the report says, quote, "we continue to assess that China can launch cyberattacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States," end quote. 

Dave Bittner: Russia's cyber capabilities are similarly described - quote, "Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves and, in some cases, can demonstrate its ability to damage infrastructure during a crisis," end quote. 

Dave Bittner: Iran's 2020 cyberattacks against Israeli water facilities are duly noted, as are North Korea's active participation in cybercrime. So far, North Korea's threat to infrastructure has been more potential than actual. The report does assess, however, that Pyongyang, quote, "probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States, judging from its operations during the past decade, and it may be able to conduct operations that compromise software supply chains," end quote. 

Dave Bittner: The FBI runs the IC3, the Internet Crime Complaint Center, and they recently published their "2020 Internet Crime Report." Joining me now is Herb Stapleton, Cyber Division sector chief for the FBI. 

Herb Stapleton: There are parts of this that are unsurprising given the pandemic and the overall kind of environment that we worked in. But unfortunately, we saw a significant increase in the number of complaints received at the IC3 for the year. 

Dave Bittner: Can you take us through some of the things that really drew your attention? What were some of the areas that really stood out? 

Herb Stapleton: Yeah, I'd be glad to. You know, I think a couple of things that really stood out to us - you know, once again, we see business email compromise frauds as one of our leading complaints in terms of amounts of loss, and that number only increased in 2020. 

Herb Stapleton: You know, another thing that really stood out to us is on the ransomware front, unfortunately, we saw huge increases in the amounts of loss reported in ransomware incidents - not so much just the overall number of complaints, but the amount of losses. And I would attribute that to a couple of things. 

Herb Stapleton: You and I have talked before, I think, even about how the pandemic created this opportunity for cybercriminals with more of a attack surface, more volume of people working from home and creating opportunity for things like phishing emails and other things that ultimately lead to these types of frauds like ransomware and BEC. 

Herb Stapleton: And the second thing is that I think that we saw an increase in the amount of reporting. I think we saw a higher number of people actually reporting things to the FBI this past year than we have seen in previous years. So I think it's really a combination of increased activity and increased reporting. 

Dave Bittner: Can you touch on the importance of people reaching out to you and your colleagues at the IC3, why that can help make a difference in trying to combat these things? 

Herb Stapleton: Yeah, it's incredibly important. And one example I would provide of that is while we saw a lot of trends that we don't want to see as far as increase in losses, increase in complaints, we also saw an increase in the amount of funds that the IC3 was able to help recover through its Recovery Asset Team. 

Herb Stapleton: Basically, the way this functions is if a complaint meets a certain set of criteria, we can work with financial institution partners to potentially prevent that money from actually being delivered to the overseas cybercriminals that it's intended for. We saw a corresponding increase in the amount of funds we were able to stop for victims before they actually reached their ultimate destination with the cybercriminals. We can't do that type of work unless we know about the crime in the first place. 

Herb Stapleton: The second thing that's really important is many of these investigations are very long-term criminal enterprise investigations that we have to undertake. And so every piece of evidence is really potentially helpful as we try to work our way through these complex investigations, identify who's responsible and ultimately try to bring charges against them and bring them to justice. So even if a complaint seems like a very small piece of the overall puzzle, it can be very, very valuable to the investigators in the field who are trying to piece together these long-term criminal enterprise investigations. 

Dave Bittner: Our thanks to Herb Stapleton from the FBI for joining us. You can check out the "2020 Internet Crime Report" on the IC3 website. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: I got an interesting article here from ZDNet. This is written by Danny Palmer. And it's titled "'Why Do Phishing Attacks Work? Blame The Humans, Not The Technology." This is something you and I talk about over on "Hacking Humans" quite regularly. 

Joe Carrigan: It is, yeah. 

Dave Bittner: What are they getting at here, Joe? 

Joe Carrigan: Well, I'm going to start off by saying I don't like the idea, the tone of the headline "Blame The Humans." 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: I was going to call that out myself, but go ahead. 

Joe Carrigan: Right. Yeah, it's really not - I mean, yes, the humans are ultimately being tricked here, but who you should be blaming are the scammers and the - these phishers. These guys are committing criminal acts against people who are otherwise just trying to do their jobs. And that's who you should blame for this. Now, that doesn't mean that everybody is without responsibility - right? - that you have to take some kind of personal responsibility for these phishing attacks. 

Joe Carrigan: But one of the things that's pointed out in here is a NordVPN security survey that Nord ran. The people said they feel like they know how to stay safe online. But despite the fact that they know how to stay safe online, people are still getting phished. 

Joe Carrigan: And they have a quote in here from Troy Hunt, who runs Have I Been Pwned and is actually an adviser to Nord. He says, "part of the problem is that phishing signals are often indistinguishable from positive user experience attributes," which is exactly how these guys craft their phishing emails. 

Dave Bittner: Right. 

Joe Carrigan: And what's - you and I have talked about over on "Hacking Humans" is how much better these guys are getting at this. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's remarkable how well these things go. Now, let's leave business email compromise out of it because that's a different situation, right? That's not some random email coming in and asking you to enter your credentials. That's somebody who has already compromised somebody's email account, inserting themselves into a situation. So - but in order for a business email compromise to happen, somebody has to have their credentials phished. 

Joe Carrigan: One of the things that Troy actually says in this is he says it's easy when you get the link because you just click on it, and it just takes you right to where they want you to go. And a lot of times, one of the biggest problems is that we're working, and we're trying to get as much done as possible, so we're really not paying full attention to things. So when somebody comes in and says, hey, I need you to log in and get this document, we go, great, let me just take care of this real quick, not realizing that this is actually a phishing email that's taking you to a credential-harvesting site. 

Dave Bittner: Yeah, not to mention the fact that everyone, I would maintain, is still perhaps not their best self, having been through a year of COVID. And, you know, we're tired. We're stressed. We're anxious. 

Joe Carrigan: I would agree, yeah. 

Dave Bittner: Yes, we're - the vaccines are rolling out, so it's nice that there's signs of hope from that, and spring is in the air and all those sorts of things. But... 

Joe Carrigan: Yup. 

Dave Bittner: ...I think it's still fair to say that's a contributing factor. 

Joe Carrigan: I would agree. I would agree. One of the things that Troy Hunt goes on to say - he says humans are ultimately fallible. And that's true. That's 100% true. That's why these things continue to work. 

Joe Carrigan: And he recommends a balance of training and technology. And, of course, training - we need social engineering training, security awareness training. These kind of things need to be part of your security stance at your company. They need to be regular. They can't just be one and done. You have to do them at least annually, I would say. It'd be better if you could do them semiannually or quarterly. That would be even better. 

Dave Bittner: Yeah. 

Joe Carrigan: And on the technology side, you should get some kind of multifactor authentication solution because that really stops a lot of these phishing attacks right in their tracks. When the user - when the scammer comes in with a username and password and they don't have that second-factor authentication, they'll just move on to another set of password - usernames and passwords and skip yours entirely. 

Dave Bittner: Yeah. Yeah. I want to swing back, though, to the whole thing about, you know, like we said, the tone of using the word blame. 

Joe Carrigan: Right, yeah. 

Dave Bittner: I think it's important. My opinion is that it's important to have a culture within your company that if someone falls for something like this, you don't shame them. You use it as a learning opportunity for them and for the whole organization and also a learning opportunity for the folks whose responsibility is to protect everyone to figure out... 

Joe Carrigan: Right. 

Dave Bittner: ...How did this happen? Why did this happen? What are the things we can put in place to make sure it doesn't happen again? Because, you know, it shouldn't be a situation where someone is shamed because they fell for something that anybody could fall for at any level... 

Joe Carrigan: Right. 

Dave Bittner: ...Of the company... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Including the security people. So... 

Joe Carrigan: Yup, yup. That's correct. That's 100% correct. 

Dave Bittner: That's my soapbox. 

Joe Carrigan: Yup. And if there is enough room on that soapbox for me, I'd get up there with you. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, it's - I don't know. It's going to be kind of tough, particularly if you're a public company, to, you know, to not fire somebody if you have a data breach and that person's responsible. It'd be tough for a public company to get behind this person and go, you know, they're not really the person at fault here. They fell for a scam from a criminal who came into the company under false pretenses. Now, if somebody came into a bank and robbed the bank, do you fire the teller they rob? No, you don't. But... 

Dave Bittner: You just say it was a sophisticated attacker - sophisticated. 

Joe Carrigan: But the thing is it doesn't even need to be a sophisticated attacker - actually, technically - not a technically sophisticated attacker. It has to be a sophisticated attacker in terms of social engineering and language - right? - and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Psychology. That's a completely different technique than a lot of security people have the mindset to think about. And it needs to be - we need more psychologists in this field. (Unintelligible). 

Dave Bittner: (Laughter) Yeah, yeah. All right. 

Joe Carrigan: Yeah, more business psychologists. 

Dave Bittner: Yeah, absolutely. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. It's the ultimate bubble. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash.