The CyberWire Daily Podcast 4.20.21
Ep 1315 | 4.20.21

Codecov supply chain attack update. Babuk’s victim service. Catphishing in LinkedIn. Sanctioned company responds. SolarWinds, Exchange compromise TFs stand down. 5 Eyes notes. IoT risk.


Dave Bittner: Update on the Codecov supply chain attack. The Babuk gang say they've debugged their decryptor. MI5 warns of industrial-scale catphishing in LinkedIn. Positive Technologies' response to U.S. sanctions. The U.S. stands down the two unified coordination groups it established to deal with the SolarWinds and Exchange Server compromises. Are all Five Eyes seeing eye-to-eye on China? Ben Yelin explains the legal side of the FBI removing web shells following the Microsoft Exchange Server hack. Our guest is May Habib from Writer on how AI is helping the security industry with outdated and problematic terminology. And by the way, your kitchen appliances are a bunch of sellouts - or something.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 20, 2021. 

Dave Bittner: Reuters said late yesterday evening that the Codecov supply chain attack may have affected several hundred of the software company's customers' networks, with other software development vendors attracting particular attention, along with companies that themselves have a large customer base. It's unclear whether the attackers are ordinary criminals or threat actors working on behalf of a nation-state. 

Dave Bittner: Sometimes the hoods need good PR, too. In this case, the goons behind Babuk have reached out to journalists, GovInfoSecurity among them, to say that they've fixed the buggy decryptor Emsisoft researchers embarrassed the Babuk gang about shortly after the attack on the Houston Rockets' professional basketball team. Emsisoft, which first noticed earlier this month that the Babuk decryptor didn't work, is looking into the gang's claims to fix the problem - skeptically, of course, since stumblebums have difficulty changing their skids. It's an odd sort of customer service problem. Your victims may not bother to even consider paying the ransom if the decryptor you send them is garbage. 

Dave Bittner: Britain's MI5 warns of widespread industrial-scale catphishing campaigns in progress over LinkedIn as espionage services approach government workers through fictitious profiles. At least 10,000 British personnel are thought to have been prospected, the BBC reports. There are a few lessons here - first, intelligence officers continue to try to recruit agents. And they often do so with a personal approach intended to gradually establish a relationship that will eventually induce the agents to do things they know better than to do. Today, that approach is more likely to be made online than it is IRL, as the kids say. And a catphish, a fictitious persona, is likely bait. So don't get hooked, and don't connect with people you've never encountered. And please hold off on asking people you've never met to connect. You're just tossing more chum out there for the catphishers to hide their bait. 

Dave Bittner: Positive Technologies, the well-known Russian security firm sanctioned last week by the U.S. Treasury Department for what the U.S. government regards as excessive closeness to Russia's SVR and other intelligence organs, on Friday issued a statement characterizing Treasury's accusations as groundless. 

Dave Bittner: Despite the fact that we are not a public company, the market evaluates our capitalization as high - several billion dollars, the company says, which, as far as we can tell, is true enough. Their statement adds, this demonstrates the level of interest in our technologies and a serious level of trust in the company, which is also fair enough. To maintain this trust, Positive Technologies says, we adhere to the principles of maximum openness at all levels of our activities, from research to business, including the company's financial statements. And they point to their Positive Hack Days as an example of their open engagement with the global security community. The U.S. Treasury Department, for its part, sees Positive Hack Days as effectively recruiting events for the FSB and the GRU, occasions the Russian intelligence organs used to spot talent. 

Dave Bittner: Positive Technologies had been a partner in the Microsoft Active Protections program, known as MAPP, which is more evidence that the company had indeed enjoyed a good reputation in the industry. Redmond describes MAPP as a program for security software providers that gives them early access to vulnerability information so that they can provide updated protections to customers faster. Positive Technologies is no longer a partner. Microsoft has, SecurityWeek reports, removed them. 

Dave Bittner: The U.S. government has decided to stand down the task forces established to deal with the SolarWinds incident attributed to Russia and the Microsoft Exchange Server compromise attributed to China. Deputy National Security Adviser for Cyber Neuberger says, quote, "due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," end quote. 

Dave Bittner: The U.S. will maintain what Neuberger describes as a whole-of-government approach to these incidents and others that may emerge. She cites four lessons learned from the response to the SolarWinds and Exchange Server Compromises. 

Dave Bittner: First, integrating private sector partners at the executive and tactical levels. The active private sector involvement resulted in an expedited Microsoft one-click tool to simplify and accelerate victims' patching and cleanup efforts and direct sharing of relevant information. This type of partnership sets precedent for future engagements on significant cyber incidents. 

Dave Bittner: Second, CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident. 

Dave Bittner: Third, through industry relationships and leveraging legal authorities, the FBI and DOJ quickly identified the scale of the incidents. In the SolarWinds UCG, for example, scoping from a worst case of 16,800 to fewer than 100 targeted, exploited nongovernment entities. This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities. 

Dave Bittner: And finally, NSA and CISA released cybersecurity advisories that detailed adversary techniques and provided mitigation for system owners. NSA also provided guidance to other U.S. military and intelligence organizations, as well as contractors in the defense industrial base. 

Dave Bittner: Fleet Street has been barking at New Zealand, arguing that Wellington has decided to stiff the other four eyes in order to pursue closer relations with China. That's according to a representative article from the Telegraph. New Zealand's foreign affairs minister Nanaia Mahuta, Newshub says, is simply concerned about the possibility of the Five Eyes' remit being extended beyond security and that it declines to fully align itself with the other Eyes' interest in cooperating on the strategic containment of Beijing. 

Dave Bittner: And finally, hey, everybody. Your air fryer is trying to kill you - maybe. So you're trying to cook healthy, since there are no trans fats in, like, air. And after all, who among us shouldn't be trying to up their game healthwise? And all of a sudden, blammo. The appliances are all conspiring against you. 

Dave Bittner: All right. Maybe we're exaggerating - a bit. Anyhoo, researchers at Cisco Talos have found remote code execution vulnerabilities in the Cosori Smart Air Fryer. Talos describes the smart air fryer as a Wi-Fi-enabled kitchen appliance that cooks food with a variety of methods and settings. Users can also use the device's Wi-Fi features to start and stop cooking, look up recipe guides and monitor cooking status. 

Dave Bittner: The model Talos tested is the Cosori Smart 5.8-Quart Air Fryer, version 1.1. And the researchers say it could be exploited by sending a specially-crafted packet to the device that contains a unique JSON object, which would allow them to execute arbitrary code. 

Dave Bittner: Tim Erlin, VP product management and strategy at Tripwire, emailed us to say that, sure, there seems something risible about finding risk in a smart air fryer. But like other Wi-Fi-enabled smart IoT devices, things like this come with problems. Erlin wrote, quote, "it can seem like it's worth a laugh when vulnerabilities are found in these network-connected smart devices. But the increasing ubiquity of connected devices combined with vulnerabilities like these increasingly creates an attack surface with real risk," end quote. As Willie Sutton followed the money, so too will threat actors follow the new technology. Erlin goes on and says, quote, "we've seen that with mobile devices, with cloud and we'll see it with IoT as well. Your air fryer or light bulbs might not be that interesting in and of themselves, but they could provide a point of entry to other devices on the network," end quote. So you try to shrink your waistline, and you wind up expanding your attack surface. Go figure. 

Dave Bittner: We often discuss how cybersecurity is tied to reputational security, how being the victim of a data breach or ransomware event could affect how people trust your organization. But what about the reputational damage that comes from communications, either internally or public facing? There are long-used terms in tech that have, for good reason, fallen out of favor, like blacklist or master versus slave hard drives. May Habib is CEO of Writer, a company that's developed an AI writing assistant. It's kind of like spell check or grammar check, but it also knows your company's rules and style guide and can remind you when you might just be getting yourself into a little hot water. 

May Habib: So we started as a very engineering-focused technology company with a tool for strings management. So basically, what that means is, in software, there is user-facing content and copy. It's pretty hard to access. And we made it very easy for engineers to basically give content people, you know, a file of all of that content that they could then edit, and it synced back to engineering. And we started automating some of those types of suggestions that would be made because if you want to change username to handle or backwards the other way, you kind of want to do that in a lot of different places. And the AI really grew out of that. And we added a lot more functionality around automatically making content a certain way and doing that as a team. 

May Habib: So, you know, if I am writing for a sixth-grade reading level, having everybody who's working on content write to that same reading level. And over time, we really built the ability to do that for longer-form content. And today, most of our customers are using Writer for product content, customer knowledge base content and marketing blog posts and product marketing. 

Dave Bittner: What can you tell us about the security side of things? I mean, I'm sure there are folks who are - get nervous about, you know, having things run through the browser, of having their - the writing that their folks are doing being sent through someone else's system. How do you contend with that? 

May Habib: That's a great question. So we are in a lot of sensitive places. So if you are a professional services firm and you want all your proposals to your end clients to be perfect, you want a Writer in there, perfecting folks' writing. But, you know, you may also be delivering an audit report that's got very sensitive information. And so we actually - we're ground-up built for that use case as a B2B product. So there are a couple of things that are really differentiating here. 

May Habib: No. 1, we're not saving anyone's data. So that proposal never actually hits a Writer server. And because of that, you've got No. 2, which is we're not using customer data to train our machine learning models. And that's, you know, absolutely pretty differentiating because for most customers - for most products out there, you are the product. And, you know, anything you write in a browser per their terms of service is fair game for training materials. And, you know, it will be stripped of personally identifying information, if you're lucky. 

May Habib: But, you know, your data is still in somebody else's machine. And, you know, that's just not something that we do. It does mean a huge effort on our part to build our own proprietary data sets that look and feel, you know, similar to our target audience. But we're not looking at what people are doing. We're not even saying that in order to build those models. 

Dave Bittner: That's May Habib from Writer. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: So we recently had news of the FBI - this is through some announcements from the Justice Department and elsewhere - getting a warrant to reach out and touch some Microsoft Exchange servers, remove some web shells here. This is certainly - when news broke of this, this caused some raised eyebrows around the cybersecurity community. I wanted to touch base with you from a law and policy point of view. What's your reaction here, Ben? 

Ben Yelin: So I can certainly understand why it raised eyebrows. You have law enforcement gaining access to people's devices without those people knowing that law enforcement has gained access to their devices. And I think that law enforcement, in this case, does have a proper justification. And the process they used to enable this access is a legal process prescribed by Justice Department rules. 

Ben Yelin: So just to give a little bit of background, as everybody knows, we had this big hack, suspected to be from Chinese hackers of Microsoft Exchange servers across the country. Microsoft has recommended in response to this hack that people install the latest security patches. For whatever reason, there are people across the country, maybe who don't have the type of institutional knowledge we do and our listeners have, that they would just decide or, you know, not know to download that security patch. 

Dave Bittner: Yeah. 

Ben Yelin: So the FBI was given approval by a magistrate - federal magistrate - to remove web shells left by hackers on hundreds of devices all across the country. And this is obviously a very proactive step that law enforcement is taking. It's a way of responding to this hack beyond just prosecuting the people that we think are responsible. And this - they're able to do this because a few years ago, the Justice Department was able to pass an administrative rule internally, where you could have a federal magistrate authorize a warrant for devices all across the country. And one of the justifications for doing so would be if there were devices in five or more states that were compromised by some sort of computer crime, as has happened here. So they did get that approval from the judge. And the FBI followed through and accessed people's Microsoft Exchange servers. 

Ben Yelin: So obviously, I can understand why this rubs people the wrong way. It's the government getting access to our devices without our consent. But this is a legal process. And, you know, the purpose for conducting this operation, certainly, is to protect the rest of the country from the effects of this Microsoft Exchange hack. 

Dave Bittner: And I suppose we should take comfort here that they did have to go get a warrant? 

Ben Yelin: Right, I mean, this runs contrast to some other circumstances we talk about, particularly in the name of national security, where the FBI uses warrantless authorities. Maybe instead, they obtain an administrative subpoena, which is a - you have to have a lesser standard to obtain such a subpoena. Maybe they're using some of our post-9/11 surveillance authorities, where they really don't need any judicial approval to gain access to somebody's personal devices. So I think we can take some comfort here that this is a process. There is judicial review. It's not just the FBI arbitrarily deciding to enter - to go into to people's devices arbitrarily. This is part of a Justice Department process. So I think that has to be - even though I can understand why the story rubs people the wrong way, I think it has to be understood in that context. 

Dave Bittner: Yeah, interesting, too, in the press release from the DOJ, they're making the point that the FBI is making a good faith effort to reach out to everyone whose servers they have accessed here. So, you know, basically send them a heads-up email. 

Ben Yelin: Hey, guess what - yeah. 

Dave Bittner: (Laughter) Which - it reminds me, we talked about this on "Caveat" - reminds me of the little note you get in your luggage from TSA, you know, when they've searched something. You know, we were here. 

Ben Yelin: Yeah, I mean, I kind of have the same reaction that I have when I get those TSA notices, where it's like, OK. 

Dave Bittner: (Laughter). 

Ben Yelin: You already looked at my bag, and then there's not much I can do about it now. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: I guess that's a consequence of flying. You know, it might be a little different here because, you know, I think you assume a certain level of risk that your stuff is going to be searched when you decide to fly on an airplane. You know, I guess by owning a device in this country and by using Microsoft Exchange servers, you are also assuming a type of risk. I don't think that risk - I don't think this authority is very well-known to people. So, you know, I think this is not a risk that most people knew they were taking on. Perhaps now that the story is out, more people are going to recognize this risk. 

Dave Bittner: Yeah, yeah. And of course, the FBI is still investigating this. They also make the point that if you feel as though you've been compromised in this Exchange Server incident, the FBI would like to hear from you so they can add that to their investigation. Every little bit of evidence helps. So... 

Ben Yelin: Yeah, just give them your Social Security, your mother's maiden name. 

Dave Bittner: (Laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Now, now, Ben. (Laughter) Oh, so cynical, Ben, so cynical (laughter). 

Ben Yelin: I know. I know. I'm sorry. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.