The CyberWire Daily Podcast 4.21.21
Ep 1316 | 4.21.21

SonicWall, Pulse Secure products under exploitation (mitigations are available). Power grid security. Cyber conflict in the Near Abroad. ISIS worries about Bitcoin. Bad passwords.


Dave Bittner: SonicWall zero-days are under active exploitation; mitigations are available. Pulse Secure VPN is also undergoing exploitation, probably by China, and mitigations are available here, too. The U.S. begins work on shoring up power grid cybersecurity. CyberOps rise with Russo-Ukrainian tension. The help desk at ISIS tells jihadists to stay away from Bitcoin. Joe Carrigan looks at cryptocurrency anonymity. Our guest is Bert Kashyap from SecureW2 on what needs to be done before devices used for learning from home return to schools. And is your password inspired by cinema?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 21, 2021. 

Dave Bittner: SonicWall has issued mitigations for three zero-days affecting its email security products. FireEye discovered that the vulnerabilities were under active exploitation and disclosed the security issues to SonicWall. Attribution is unclear, but FireEye's Mandiant unit is tracking the activity as UNC2682. The threat actor's goals are unknown. 

Dave Bittner: Pulse Secure is addressing vulnerabilities in the Pulse Connect Secure VPN publicly reported yesterday by FireEye's Mandiant unit. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has issued an alert on the vulnerabilities, providing technical details and urging organizations to apply the mitigations Pulse Secure has provided.

Dave Bittner: CISA says, quote, "the cyberthreat actor is using exploited devices located on residential IP space, including publicly facing network-attached storage devices and small home business routers from multiple vendors, to proxy their connection to interact with the web shells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity," end quote. 

Dave Bittner: There's no clear evidence yet of lateral movement, but no one should get cocky about this. 

Dave Bittner: Federal agencies are getting more than encouragement from CISA. The agency yesterday issued Emergency Directive 21-03, requiring all organizations under its jurisdiction to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency's behalf and then, by 5 p.m. Eastern Daylight Time this Friday, to run the Pulse Connect Secure Integrity Tool on every such instance. 

Dave Bittner: According to Reuters, exploitation of the secure email product, which heavily affects U.S. and European defense firms, is being attributed to Chinese intelligence services. Nikkei suggests Japanese firms are also affected. The Chinese government dismisses FireEye's attribution as irresponsible and ill-intentioned because Beijing, quote, "firmly opposes and cracks down on all forms of cyberattacks," end quote. 

Dave Bittner: But to most observers, it looks like espionage in progress. CISA is encouraging anyone who has additional information on the threat to contact them.  

Dave Bittner: In fairness to Beijing, not all the groups actively seeking to exploit Pulse Secure vulnerabilities are believed to be working on behalf of the Chinese government. CSO and others point out that several different threat actors have been working against Pulse Secure. In this respect, the incident resembles the Microsoft Exchange Server exploitation, where criminal gangs jumped onto the vulnerabilities in the wake of the apparently state-run campaign. 

Dave Bittner: The US has begun a hundred-day program to increase the cybersecurity of its power grid. The US Department of Energy describes the plan as a coordinated effort between DOE, the electricity industry and the Cybersecurity and Infrastructure Security Agency. 

Dave Bittner: The Energy Department is soliciting input from industry. SecurityWeek observes that this hundred-day plan would be the effort of Anne Neuberger, the deputy national security adviser for cyber, alluded to earlier this month as a project that was in the works. 

Dave Bittner: Elsewhere in the world, as tensions rise between Russia and Ukraine, and as Russia increases troop presence and readiness along the border Moscow disputes with Kyiv, US News reports that Ukraine has seen an increase in the tempo of Russian offensive cyberactivity. The U.S. is said to be quietly offering Ukraine support in fending off Russian cyberattacks. 

Dave Bittner: The Electronic Horizons Foundation, a group generally regarded as an ISIS cybersecurity support outfit, warned adherents of the jihadist group to steer clear of Bitcoin - it's too easily tracked - and recommends Monero instead, Homeland Security Today reports. It's a bad idea, the EHF says, quote, "for financial transactions and money transfer, as Bitcoin logs the financial records and transactions on the blockchain, which is a database of Bitcoin transactions, and allows tracking of transfers from the sender and receiver," end quote. 

Dave Bittner: Besides, the EHF thinks the Bitcoiners are a bunch of government stooges. Quote, "we also warn that the money transfer services and sites to Bitcoin logs IP addresses and the purchase data of Bitcoin currency, and these sites also cooperate with government agencies," end quote. They say that they advise their brothers to follow the maximum possible security measures and to avoid using common methods in financial transactions. 

Dave Bittner: And finally, to all of us who use Ninja or Camaro or DiamondsAreAGirlsBestFriend as the password for everything, did you know that there are other genres of lame credentials out there? Specops, which previously ranked the Major League Baseball teams whose names are most likely to be used as passwords, now has published a list of the most commonly used movie titles. 

Dave Bittner: "Rocky" tops the list, followed closely by "Hook," "Matrix," "Batman," "Psycho," "Superman," "Avatar," "Mummy," "Twilight" and "Star Wars." The second 10 are "Spider-Man," "Frozen," "X-Men," "Iron Man," "Jaws," "Shrek," "Twister," "Gladiator," "Titanic" and, rounding out the top 20, "Terminator." 

Dave Bittner: Why these? Well, "Star Wars," "Titanic," "Jaws" and "Avatar" all appear among the top 20 grossing films in the U.S., so simple popularity may account for four of the password choices. But the others are odd. Why "Twister," for example, and not "Sharknado"? Why "Twilight" and not "Dracula"? Easier to spell? And where's "V for Vendetta"? Is there no love for the Guy Fawkes masks the flick made popular? Anyway, the list probably calls for some attention from culture critics. 

Dave Bittner: We're OK because we use "Last Year at Marienbad" for everything, with the A's represented by the @ symbol. No one would guess that. Dang it. Now we're going to have to change to the work of a director other than Alain Resnais. Maybe "Sharknado" is still available. What do you think? 

Dave Bittner: We are witnessing the successful mass distribution of COVID vaccines and, with it, a growing sense of hope that come this fall, students may be headed back to school in a fairly normal way. The IT and security folks responsible for handling that first-week flood of new users and devices will no doubt face a unique situation this year, transitioning from at-home, online learning to on-site or hybrid learning. 

Dave Bittner: Bert Kashyap is co-founder of Seattle-based cybersecurity company SecureW2, and he joins us with insights on how the education sector needs to shore up their security. 

Bert Kashyap: You know, school districts have been embracing more and more of a digital learning model. That's not necessarily new. But - and certainly, universities have been sort of in the forefront of, you know, bring-your-own-device. But I think the pandemic has generally accelerated a lot of these, you know, digital learning initiatives. 

Bert Kashyap: And I think that, you know, many districts are faced with kind of a dual challenge where they are going to have to support devices that they issue themselves, as well as devices that students are using on their own today and many had to use early in the pandemic before they were able to do some one-to-one initiatives to try and get devices in the hands of students. 

Dave Bittner: And so how are they preparing for that? What sort of things are they putting in place? 

Bert Kashyap: So a couple of things that they're doing. One is they're implementing some, you know, distribution mechanisms to get these devices. Secondly, some management software to try and get devices managed centrally. This is easier done in, you know, in very clear-cut, managed environments where they have, say, a tranche of Chromebooks or iPads that they can issue. There's good management software. But in more bring-your-own-device scenarios, there's not a lot of good answers. So districts don't want to, and the universities as well don't want to be in the business of, you know, taking over the controls of devices that they don't own. And this is a strategic challenge, especially if they're going to have to allow these devices onto their own networks and infrastructures. 

Dave Bittner: Do you have any recommendations for the people who are responsible for this of how they go about, you know, making their case to their - to the powers that be, to their boards of education, to their communities that, you know, these are investments that are - that's money well spent? 

Bert Kashyap: Yeah, absolutely. Yeah, so there's a couple of areas in which districts and district superintendents can really reach out to their boards and get the allocated budget dollars for cybersecurity. I think that some of the key things they could focus on is, you know, obviously the disruption that, you know, these types of digital learning initiatives can have on, you know, learning for their students. 

Bert Kashyap: Just - you know, we saw just a couple of days ago with the Microsoft Teams outage. I know my daughter had, you know, basically no instruction that day. And so we do hear, you know, the areas, things like malware and potential ransomware issues in districts that, you know, really cause significant disruption in education. 

Bert Kashyap: So I think paying attention to cybersecurity is not just good from, you know, from just - from a basic security best-practice approach. But it also is good, you know, to make sure that things are reliable and districts can function properly in digital learning initiatives. So I would say that's probably one of the biggest things that they can focus on. 

Dave Bittner: That's Bert Kashyap from SecureW2. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from the Decrypt website, an article by Mathew Di Salvo. And it's titled "Bitcoin Is a 'Boon for Surveillance,' Says Former CIA Director." What's going on here, Joe? 

Joe Carrigan: So the Crypto Council for Innovation has released a report. It's by Michael Morell, who is the former acting head or director of the CIA, along with a guy named John (ph) Kirshner and Thomas Schoenberger. They both work for Beacon Global Strategies. And the Crypto Council for Innovation is a - essentially a PR organization for cryptocurrency. It was founded by Coinbase, which is a cryptocurrency exchange; Paradigm, which is a cryptocurrency venture capital firm; and Fidelity and payment processor Square, so two companies that are big in finance and then two companies that are in cryptocurrency - that are pretty big in cryptocurrency. I mean, Coinbase has been in the news a lot lately, so you may have heard of them. 

Joe Carrigan: But there's this belief system or belief, rather, that's been around for a while. And U.S. Treasury secretary said - Janet Yellen expressed worry that Bitcoin was often, quote, "used for illicit finance." And the European Central Bank's president, Christine Lagarde, or Lagarde - I don't know how you pronounce that; sorry if I'm mangling your name - said in January that Bitcoin was used for, quote, "funny business" and money laundering. 

Joe Carrigan: However, Morell says two things. He says, one, right now, less than 1% of Bitcoin is illicit - or 1% of Bitcoin activity is illicit. So when Bitcoin first started, at its peak - there's a graph in this report - it shows illicit activity around 7% of Bitcoin, and now it's less than 1%. So it's really, really small. I would like to know what percentage of cash is used in illicit transactions... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: ...By comparison. That would've been helpful to know, actually. 

Joe Carrigan: And No. 2, and this is the more interesting thing he says, is that blockchain provides an excellent forensic tool. It's much easier to trace Bitcoin than it is to trace cash, which is true because you can put cash in a truck and drive it anywhere in the world, and it's still cash, but you can't really do that with Bitcoin. You have - every Bitcoin transaction has to be made in public on a public ledger. 

Joe Carrigan: And if I can associate a particular individual with a particular private key, then I can associate that private key with the public key, which is essentially their Bitcoin address, right? And then I can track every single transaction that person has made with that public key-private key pair. 

Dave Bittner: Right. 

Joe Carrigan: One source for the report was quoted as saying, "if all criminals used blockchain, we could wipe out illicit financial activity." I think that's overstated. 

Dave Bittner: Yeah. I mean, I - go on. 

Joe Carrigan: It's really dependent upon getting the private keys and unmasking these people 'cause there is a certain amount of anonymity in Bitcoin in that you don't really know who it is that holds the keys, and that's the point. 

Dave Bittner: Right. 

Joe Carrigan: But if you can demonstrate that this financial criminal, whoever it is, is the person that holds those keys and you can - then you can associate all of their financial transactions they made with those keys. 

Dave Bittner: Yeah. 

Joe Carrigan: There is another wrinkle to this. Everybody thinks only about Bitcoin when they think about cryptocurrency, or many people only think about Bitcoin. But there are privacy-preserving coins like Monero and Zcash. And Monero is more favored for illicit activity and has a higher percentage of illicit transactions than Bitcoin.

Dave Bittner: Yeah. And I think that's an important point. I mean, I think part of what's going on here is that Bitcoin is kind of the Xerox of cryptocurrency. You know... 

Joe Carrigan: Right. 

Dave Bittner: ...It's the default name. It's the Xerox. It's the Vaseline. It's the Q-tip. You know, it's the... 

Joe Carrigan: Yup. 

Dave Bittner: It's the brand that does represent the thing. So I think when they say Bitcoin is being used for illicit things, I think most people, when they hear that, they just - they substitute cryptocurrency. And I don't think that's exactly out of line. While it might not be precise, you can understand people having that line of thinking. 

Joe Carrigan: Right. Yeah. It's a good point. It's a good analogy, Dave, that people do think that about these cryptocurrencies. But these cryptocurrencies all have different features. 

Dave Bittner: Yeah. 

Joe Carrigan: Like the Ethereum blockchain lets you do smart contracts on top of it. A lot easier than - I think you can do that with Bitcoin - I'm not exactly sure - but it's not really something that's - that is used a lot. But in Ethereum network, it is used frequently. 

Dave Bittner: Yeah, yeah. Yeah, I mean, I guess their point is well taken. I guess I'm a little skeptical 'cause this is, by their own admission, an organization who's out there trying to promote the use of cryptocurrencies. 

Joe Carrigan: Right. 

Dave Bittner: So I don't begrudge them that. They're upfront about it. 

Joe Carrigan: Yup. 

Dave Bittner: But, you know, we know what direction they're coming at this report from. And I wonder how things like tumblers play into this 'cause, you know, there's no doubt that Bitcoin is used for these sorts of things. But I suppose if they're making the point that, well, only a small percentage of Bitcoin transactions are used for illicit things - perhaps, but I don't know. It's hard for me to weight the importance of those kinds of things, right? 

Joe Carrigan: Yeah, yeah. Absolutely. 

Dave Bittner: Yeah. Yeah. No, but some interesting statistics here for sure. If this is your thing, it's an article worth checking out. Again, it's titled "Bitcoin Is a 'Boon for Surveillance,' Says Former CIA Director." It's over on the Decrypt website. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.