The CyberWire Daily Podcast 4.29.21
Ep 1322 | 4.29.21

Buggy APIs may expose credit scores. Dealing with ransomware. Iran-Israeli tensions are up. Russia says it will always see the Americans coming. Surge cyber capacity. NSA’s advice on OT security.

Transcript

Dave Bittner: An API bug may have exposed credit ratings. A study offers advice for the new anti-ransomware task force emerging in the U.S. and elsewhere. Israelis warned to keep their cyber-guard up on Quds Day next week. Russia says it would spot any U.S. cyberattack before it hit. The U.S. Congress considers establishing surge cyber response capability. Dinah Davis from Arctic Wolf has tips on preventing RDP attacks. Rick Howard speaks with Rehan Jalil from Securiti on GDPR. And NSA offers advice for security OT networks.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, April 29, 2021. 

Dave Bittner: KrebsOnSecurity says that Experian has patched an API flaw in a partner website that exposed individuals' credit ratings. The researcher believes the flaw may persist, unaddressed, in other partners' APIs. The story is still developing it. We'll be following it as it does. 

Dave Bittner: IBM reviews the history and activity of the REvil ransomware gang - also known as Sodinokibi - a new-breed mob as interested in stealing information as it is in encrypting it. The report is timely given the attention ransomware is currently receiving from law enforcement organizations. 

Dave Bittner: As the US Department of Justice organizes its anti-ransomware task force, a report by the Institute for Security and Technology offers 48 recommendations. Prominent among them are calls for close international regulation of cryptocurrencies and assistance for victims who refuse to pay ransom. 

Dave Bittner: The beginning of wisdom concerning ransomware, the report argues, is to recognize that it’s overwhelmingly a financially motivated crime, and as long as the profits outweigh the risks, attacks will continue. So governments and the private sector should work to disrupt the criminal business model and make sure crime doesn’t pay. A variety of actions should be taken, it says, to disrupt payment systems and to make ransomware attacks less profitable, to disrupt the infrastructure used to facilitate attacks and disrupt ransomware actors themselves through criminal prosecution and other tactics. 

Dave Bittner: The alt-coin trading and remittance system is seen as a key enabler of ransomware. While no one should think that cryptocurrencies are inherently nefarious - they’re not and have many benign uses - they should, the report argues, be regulated. The regulation should start with their being held to existing standards. Governments should require cryptocurrency exchanges, crypto kiosks and over-the-counter trading desks comply with existing laws. 

Dave Bittner: The victim assistance the report proposes would occur in several ways. The financial aspects would be handled, the recommendations propose, by establishing a Ransomware Response Fund that would help those victims who refuse to pay the hoods. The report says, "if such funding were available for ransomware victims, then cost would play a smaller role in an organization’s decision about whether to pay the ransom. As an incentive to invest in cybersecurity, governments could consider requiring the organization to cover some portion of the ransom as a deductible," end quote. 

Dave Bittner: May 7 is Quds Day - Jerusalem Day, observed by the Islamic Republic of Iran. By coincidence, this year it falls near Israel's own Jerusalem Day, May 10, which commemorates Israel's unification of the city during the Six-Day War. The Times of Israel reports that Israel's National Cyber Directorate has issued an alert to expect Iran-associated cyberattacks in connection with the observances. The directorate expects any cyberattacks this year to be more ambitious than the customary website defacements. 

Dave Bittner: The difficulty of mopping up after the compromise of Microsoft Exchange Server - presumably by Chinese intelligence services - and especially after the compromise and exploitation of the SolarWinds supply chain - presumably by Russia’s SVR - has prompted discussions in the U.S. Congress and elsewhere about preparing a surge capacity to deal with future incidents. 

Dave Bittner: Bipartisan sentiment has therefore grown in the U.S. Congress for establishing a cyber reserve that could surge for incident response. Some proposals call for more cyber capability going into the National Guard. The Guard, it should be noted, already has cyber units. Another proposal, Defense News reports, would pilot a Civilian Cybersecurity Reserve that could be called up to augment both Department of Defense and Department of Homeland Security organizations during an emergency. It would be composed of former Federal civilians and military veterans with relevant training. Versions of the bill establishing a pilot Civilian Cybersecurity Reserve have been introduced in both the Senate and the House of Representatives. 

Dave Bittner: It’s not just response and remediation, of course, that could have been under discussion in the U.S. since the SolarWinds incident, but also more active measures, with various rumblings out of Washington concerning the possibility of deterrence and, more directly, retaliation. 

Dave Bittner: Are the Russians ready for it? Moscow says they are. The Russian news service Interfax quotes senior Russian official Andrey Krutskikh to the effect that it would be technologically impossible for the U.S. to mount an undetectable cyberattack in retaliation for Russia's SolarWinds campaign, which Russia doesn't admit it conducted. It's all stupidity, Krutskikh said, anything the Americans might try, Russia will surely see coming. Maybe, but on the other hand, the Americans didn’t really see Holiday Bear come snuffling up until it was too late. 

Dave Bittner: The SolarWinds incident also raised concerns about the degree to which operational technology might have been compromised, either actually or potentially. NSA has taken note. This morning, the U.S. National Security Agency released a Cybersecurity Advisory covering ways of stopping malicious activity against connected operational technology - that is, OT - networks. The Agency gives as its motivation for the Advisory a recent shift in adversary attacks. Quote, "recent adversarial exploitation of IT management software and its supply chain has resulted in publicly documented impacts across the U.S. government and the Defense Industrial Base. Malicious cyberactivities directed at OT also continue to threaten these networks." So, Cozy Bear, Fort Meade is looking at you. 

Dave Bittner: Essentially, NSA advocates a rigorous, cost-risk-benefit analysis of any connectivity. At its highest level, the Advisory recommends a two-step process. First, determine whether the cost of connecting OT networks to IT network, and especially the cost of increased risk, is worth the benefits it might bring, such as greater efficiency, reduced labor costs and so on. This cost-versus-risk-versus-benefit analysis should take it as a guiding assumption, NSA says, that a standalone, unconnected, islanded OT system is safer from outside threats than one connected to an enterprise IT system with external connectivity, no matter how secure the outside connections are thought to be. 

Dave Bittner: Second, should you decide in favor of connecting IT and OT networks, systematically improve the cybersecurity of those networks, with particular attention to managing, monitoring and baselining the systems. The advice isn’t surprising, but it’s brief and to the point, worth attending to by organizations grappling with securing their operational technology. The days are long gone when they could count on a nice, safe, default air-gap. 

Dave Bittner: The CyberWire's own CSO, Rick Howard, continues his series of conversations with experts about cyberthreat intelligence. Here's Rick. 

Rick Howard: GDPR, or the EU's General Data Protection Regulation, has been on the legal books since January 2012, but there is still a lot of industry confusion about what it is and how you might go about complying with it. Rehan Jalil is the CEO of Securiti, spelled with an I, a data privacy, security and governance company. I asked him to explain what GDPR is. 

Rehan Jalil: GDPR is all tied to how you handle people's personal data and how you collect it with or without the consent, how you store it, how you provide protections around it. People do get the rights to either request a copy of the data or understand how much of their personal information is being collected from various different sources. It also gives the right to request the company to release this information. GDPR treats personal data as the property of the owner, and it treats data privacy as a human right. That really is the fundamental premise. 

Rick Howard: When they passed the law, there weren't a lot of tools available to help us get a handle on this new requirement. So what did we do? Well, like most self-respecting security professionals, whenever confronted with some new problem to characterize and understand, we broke out the universal tool in everybody's toolbox - the ubiquitous spreadsheet. 

Rehan Jalil: Initially, companies do the approach of doing manual inventories and asking people across the organization what kind of data you have. I don't believe in issues of spreadsheets, and you don't believe it was just a spreadsheet-like tools, which will simply ask people, hey, what data do you have? And they would kind of log in somewhere and post it in a graphic. And it was certainly early days and, in some ways, frankly, completely useless because data changes every second, and it flows, and it goes across different systems, across different parts of the organization. And if companies were trying to do this mapping on spreadsheet or equal tools, it was certainly a recipe of failure in some ways. 

Rick Howard: Of course, things have gotten better. In this world of automation and dev ops and site reliability engineering, technology can help solve this problem, too. 

Rehan Jalil: Now, technologies can actually help to map the requirements to the individual and the residences and then do a lot of automation on the back end to discover the data, figure out the way the data should be hosted or not hosted, and then the request comes in to make sure what kind of rights can be given to that individual that's based on residency and based on, you know, what regulations in that particular residence. What you see is, very rapidly, a lot of technologies are evolving to understand it exactly as the data, you could catalog it, and then you can now then provide rights to people on that data. And a much better position, if ever there is an audit that happens, you can open up your books and show, here, this methodology is a tool, and you can equate it, and here's out data, and this is what we're doing. So the chances of fines could be a lot less. 

Rick Howard: But this still feels like a very big problem. With our data scattered across various data islands like on end points back at headquarters, in our data centers, in hundreds of SaaS applications, in multiple cloud-provider networks and in giant data lakes, most of us don't know where to start. The good news is that the kind of data we are worried about for GDPR compliance is a small fraction of the data we typically collect day to day. 

Rehan Jalil: I think it really hit it on the head. The important thing is to narrow down to that personal data, discover it, point out where that data is, catalog it, and use that knowledge as your mechanism to give people rights on the data. 

Rick Howard: So be of stout heart. GDPR and all privacy compliance laws can be managed with a little planning and probably a lot of automation. You've been meaning to get moving on that dev ops project, anyway. Automating GDPR compliance might be a good place to start. 

Dave Bittner: That's the CyberWire's own chief security officer, Rick Howard. 

Dave Bittner: And joining me once again is Dinah Davis. She's the VP of R&D at Arctic Wolf. Dinah, great to have you back. I want to touch today about ransomware and some of the things that you've been tracking there. What can you share with us today? 

Dinah Davis: Yeah. So, I mean, I think a lot of the time we hear, you know, ransomware comes in from phishing and other social engineering vulnerabilities, right? And it does. It absolutely does come in that way. But one that doesn't often get discussed is the remote desktop protocol or RDP. 

Dinah Davis: So remote desktop is exactly what the name implies. It's an option to remotely control a computer system. And so because of COVID and because everybody is working from home, you know, a lot more ports are open to the internet than previously there would have been - right? - because they would have been behind company firewalls in their physical networks, right? So how do attackers use RDP to do a ransomware attack? Basically, they try to reverse brute force the account. So if they see a port is open and they know, you know, who you are, they probably can just try, you know, lots of common passwords, like using a dictionary attack on it - right? - or using credential stuffing, given that maybe there was a database of valid usernames and passwords out there, and then they try those. There's also the hybrid brute force, which starts with, like, combinations that would be more specific to you, the person that they're trying to attack, and then go over to a dictionary attack. 

Dinah Davis: So we're seeing still, like, 50% of ransomware attacks are from RDP. And what they do is they get in through that port, and then they'll install the ransomware in your system because they have remote access to your machine, right? So a big thing here is how to prevent this. And it's actually... 

Dave Bittner: Yeah. 

Dinah Davis: ...Not hard. 

Dave Bittner: Go on. 

Dinah Davis: OK. So to prevent an RDP attack, the best thing to do is if you don't need to use RDP, then just close all the ports and don't use it. And then it's not an attack vector... 

Dave Bittner: (Laughter). 

Dinah Davis: ...Especially closing port 3389. 

Dave Bittner: Now, slow down here, Dinah. You're getting a little bit ahead of me. This is - don't get too technical. 

(LAUGHTER) 

Dinah Davis: Just shut her down. 

Dave Bittner: Just turning it off - yeah. All right. 

Dinah Davis: (Laughter). 

Dave Bittner: All right. Go on. Go on. 

Dinah Davis: Let's say you do need to use it as part of your job. There's not a way around it. So at the very least, use strong passwords. Make RDP only available through a corporate VPN - right? - so it makes it harder for an attacker to get at. Use network-level authentication. And if possible, enable two-factor auth. And still close any external access to port 3389 and use a different port because there's so many bots on the internet that are just going through, looking for open port 3389s, that that's, like, one of the simplest things you can do to avoid getting ransomware via RDP. 

Dave Bittner: Oh, change it from the default port to something else. 

Dinah Davis: Yep. 

Dave Bittner: Yeah. Yeah. All right, well, good information as always. Dinah Davis, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.