The CyberWire Daily Podcast 5.4.21
Ep 1325 | 5.4.21

VPN vulnerability exploited for cyberespionage closed. “IT security incident” at medical system. Android banking Trojans and cryptocurrency. Cyber threats to the Tokyo Olympics.


Dave Bittner: Pulse Secure patches its VPN, and CISA, for one, thinks you ought to apply those fixes. Apple has also patched two zero-days in its WebKit engine. Scripps Health recovers from what's said to be a ransomware attack. Researchers describe Genesis, a criminal market for digital fingerprints. Ben Yelin describes a grand jury subpoena for Signal user data. Our guest is Ryan Weeks from Datto on the need for cyber resilience in the MSP community. And Japan works on cybersecurity for this summer's upcoming Olympic Games.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 4, 2021. May the fourth be with you. 

Dave Bittner: Pulse Secure yesterday issued patches to close vulnerabilities in its widely used VPN that have been undergoing active exploitation by an advanced persistent threat group. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has warned that the VPN has been under attack since at least June of last year, and it updated its alert yesterday to recommend that organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version and investigate for malicious activity. 

Dave Bittner: The most serious of the vulnerabilities addressed yesterday was CVE-2021-22893, a use after free issue in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code via licensed server web services. 

Dave Bittner: The other three vulnerabilities addressed - the first two rated critical, the third rated high in severity - included a buffer overflow in Pulse Connect Secure Collaboration Suite that could enable remote authenticated users to execute arbitrary code as the root user via a maliciously crafted meeting room, a command injection floor in Pulse Connect Secure by which remote authenticated users could perform remote code execution via Windows File Resource Profiles, and, finally, a vulnerability enabling multiple unrestricted uploads in Pulse Connect Secure by which an authenticated administrator could perform a file-write via maliciously crafted archive uploads in the administrator web interface. 

Dave Bittner: So, patch. While CISA especially has its eye on U.S. federal civilian agencies, its advice is surely of immediate value to any organization that runs the Pulse Secure VPN. 

Dave Bittner: FireEye believes some of the exploitation may be connected with the Chinese government. The security firm's Mandiant unit reported on April 20 that two groups, which it tracks as UNC2630 and UNC2717, were active against, respectively, companies in the U.S. defense industrial base and government agencies in a wide range of countries. 

Dave Bittner: The researchers said at the time that UNC2630 targeted U.S. DIB companies with - and here they name specific malware packages - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE and PULSECHECK as early as August 2020 until March 2021. Mandiant added, we suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5. Among its activities was an active program of harvesting credentials from compromised VPNs. 

Dave Bittner: On the second group, the researchers said that UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE and PULSEJUMP. They did not have enough evidence to offer any attribution to a government sponsor or an affiliated APT. 

Dave Bittner: Apple patched yesterday, fixing two iOS zero-days that are being actively exploited in the wild. BleepingComputer explains that the issues arise in the WebKit browser rendering engine used in iOS, Apple Mail and the App Store. iPhones, iPads, iPods, macOS and Apple Watches have all come under attack. 

Dave Bittner: Scripps Health, which operates hospitals and outpatient clinics in Southern California, is recovering from an information technology security incident that began affecting its system Saturday. Scripps says it's suspended user access to IT systems and reverted to backups but that it continues to deliver care safely and effectively. 

Dave Bittner: Solutions Review records a range of industry speculation that the incident was a ransomware attack. Scripps itself hasn't reported it as ransomware, but the San Diego Union-Tribune says it's obtained an internal memo indicating that ransomware was, in fact, the cause. The paper reports that the medical system's operations are still suffering disruption. 

Dave Bittner: Digital Shadows today published an interesting report on Genesis Market, an underground souk that caters to the criminal-to-criminal trade. The company's researchers describe Genesis as a fully gated, invitation-only, English-language automated vending cart site focused on the sale of digital fingerprints relating to a victim user's computer, browser and accounts on websites and services. It's been in business since 2017. 

Dave Bittner: Genesis is an aggregator. It trades such information about victims' accounts as the commonplace and desirable username and password, but it adds other identifiers like browser cookies, IP addresses, user-agent strings and various operating system details. The hoods used to have to find these one by one, but Genesis offers a one-stop shop. 

Dave Bittner: Genesis has been more enduring than most of its competing markets. It seems to have achieved its position in the criminal market by attracting criminal influencers as early adopters and to have largely lived up to the high reputation word-of-mouth lent it. 

Dave Bittner: A report from Threat Fabric assesses 2020 as a banner year for Android banking Trojans. Increased usage coincided with a rise in the sophistication of the criminal-to-criminal market that did much to commoditize this form of cybercrime. The Record notes that cryptocurrency apps received a particularly high share of criminal attention last year. 

Dave Bittner: The Cyber Threat Alliance has updated its assessment of the cyberthreat to this summer's Olympic Games in Tokyo. They expect the ransomware activity burgeoning worldwide to present some degree of threat, and they expect that Russian, Chinese and North Korean actors will take advantage of such opportunities as the Games may present for espionage and influence operations. Japanese authorities have been preparing for the Olympics' cybersecurity for several years now. 

Dave Bittner: A note on scheduling. The Games are referred to as the 2020 Games because they were originally scheduled for last summer but were pushed back to this July and August by the pandemic. 

Dave Bittner: Managed service providers know that one of their top business priorities is reliability uptime. A ransomware attack, for instance, can take down not only the MSP, but all of their clients as well, and that can be a quick path to financial ruin. Cyber resilience is a widely used term. And today, I'm joined by Ryan Weeks, CISO at MSP software and services provider Datto, for his insights on the criticality of cyber resilience for SMBs and MSPs. 

Ryan Weeks: Yeah, for cyber resilience, what we've been doing is really trying to educate MSPs and, through MSPs, SMBs that, really, they're living in a world where, you know, you can't just assume that you're going to be able to prevent a bad outcome from occurring. You have to assume that a bad outcome is going to occur. And, you know, those in security circles know we call that the assumed breach mentality. And in that mentality, we need to not just be focused on trying to implement technologies and processes to kind of reduce the likelihood of a bad outcome, but also invest in the abilities to detect, respond and recover when those bad outcomes do occur. 

Ryan Weeks: And to us, that ability to, like, kind of build a cybersecurity program that protects and detects threats and then having really robust capability in response and recovery is, you know - being incident response and business continuity, that is really what cyber resilience is. And so it's, you know, really that preparation for, you know, both being prepared for the bad thing to happen, to try to prevent it, but also knowing how you're going to respond in order to minimize damage when the bad thing does happen. 

Dave Bittner: So from a practical point of view, what does that look like? I mean, what's the spectrum of options that organizations have to prepare themself in a resilient kind of way? 

Ryan Weeks: Yeah, it's a great question, right? People are like, OK, great. So now that I kind of understand what cyber resilience is, how do I achieve it? And so, again, that's been a focus of our education for MSPs is really helping them lay out a pathway. 

Ryan Weeks: And so we have been seeing a lot of MSPs focus on CIS security controls - specifically Implementation Group 1 - as a means to kind of improve their security programs and then also, you know, drive that into their small and medium-sized businesses that they support as well. 

Ryan Weeks: The challenge with that is CIS can be a little focused on technology-centric controls. And when you actually kind of map them out, they're very heavy in identify, protect and detect capabilities. And for real, true cyber resilience, you need a balance of people, process and technology, and you really need capabilities kind of, you know, right of boom, which is your detect, respond and recover as well. 

Ryan Weeks: So CIS is a great place to get started, but what we're really advocating for MSPs to do is follow a framework, you know, whether it's kind of the NIST Cybersecurity Framework, which follows those five functional areas and has kind of an appreciation for people, process and technology as well, or even something that builds on top of it, like the Cyber Defense Matrix. We're seeing that that is really going to help, you know, MSPs and SMBs be in a position where they're - you know, they're more able to recover from bad outcomes, which for them primarily means ransomware. 

Dave Bittner: That's Ryan Weeks from Datto. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: It caught my eye. The folks over at the Signal app posted a blog post. It's titled "Grand Jury Subpoena for Signal User Data, Central District of California." It's a bit of - I guess a bit of tongue-in-cheek in their approach here. But there's some interesting privacy stuff that they're focusing on. Can you give us a rundown of what's going on here, Ben? 

Ben Yelin: Yeah. I mean, the tongue-in-cheek stuff is very funny. The hook for this article is it's 2021 now. It's been five years since 2016. You know, remember Brexit? Remember Trump? Remember Justin Bieber at No. 1 on the charts? 

Dave Bittner: (Laughter). 

Ben Yelin: But that's a hook for Signal receiving yet another grand jury subpoena asking for identifying information about their users. Signal does not have any identifying information about their users. That's the whole point. It is an end-to-end encrypted application. 

Dave Bittner: Right. 

Ben Yelin: So things that you can retrieve that a - you know, a grand jury subpoena could obtain from other companies that don't have end-to-end encryption you can't get from Signal. So this subpoena that they're referencing here, and which is posted as part of this blog post, asks for addresses, you know, the transcript of correspondence over the application and a name associated with an account. Signal does not have that information. It cannot provide it. All they have is, you know, very limited - basically, the date that you started your account. 

Dave Bittner: Right, right. 

Ben Yelin: And that's not going to tell them much. 

Dave Bittner: And when you last connected to the Signal service. That's all. 

Ben Yelin: Right. You know, that actually might be relevant in a limited number of cases, but it's really not much information. 

Ben Yelin: This is going to be a really nice selling point for Signal as, you know, they try to advertise the benefits of end-to-end encryption by saying, here's an actual situation where a district court in California sent us a request for information, but because we don't have access to that information, we can't send it to them, thus your privacy is protected. So I can completely understand why Signal would have a blog post about this and would put up the grand jury subpoena. 

Ben Yelin: There is sort of... 

Dave Bittner: Yeah. 

Ben Yelin: ...One interesting element that's in the subpoena here. They - the court is asking for information sufficient to show interstate wiring, which is supposed to be a mechanism to show a jurisdictional theory, as they call it, that Signal messages cross state lines. And perhaps that's going to be relevant in this case for the communications that they're seeking. 

Ben Yelin: This is something that's new. Apparently, it wasn't in the last grand jury subpoena that they received five years ago. And they said it feels like something out of a "Law & Order" episode from the mid-'90s... 

Dave Bittner: (Laughter). 

Ben Yelin: ...When the "internet," in quotations, was still young and people didn't really understand how it worked. But that's not really something that - they didn't really talk about how they're going to respond to that aspect of it. I think they're tongue-in-cheek about it because it kind of points to an outdated understanding of how the internet works and that it almost certainly doesn't matter in adjudicating the case. 

Ben Yelin: So, yeah, they were represented by good ACLU lawyers here. And, of course, they're going to want to publicize every chance they can of actual situations where they're getting requests for personal information and, because of how stringent their end-to-end encryption is, they are unable to hand over that information. 

Dave Bittner: Right. A couple questions here - is it possible that this is just simply that the DOJ sent out something that's fairly boilerplate and that's why it just sort of doesn't really align with how things work at Signal? 

Ben Yelin: Yes. 

Dave Bittner: Yeah. 

Ben Yelin: I think that's exactly what happened... 

Dave Bittner: (Laughter) OK. 

Ben Yelin: ...Is that, like, this is the form we give to tech companies to give us information. 

Dave Bittner: Right. OK. 

Ben Yelin: And they're not really aligning it for end-to-end encrypted applications. 

Dave Bittner: I see. 

Ben Yelin: You know, it's like you might as well, you know, shoot your shot, right? There's no harm in requesting it. 

Dave Bittner: Yeah. 

Ben Yelin: Signal is just going to come back and say, we don't have it. 

Dave Bittner: Yeah. The other thing that caught my eye here in the subpoena is it says, because this subpoena relates to an ongoing criminal investigation, you are asked not to disclose the existence or nature of the subpoena. Such disclosure could obstruct and impede the ongoing investigations and interfere with the enforcement of the law. If you, nonetheless, plan to disclose the existence or nature of the subpoena, please contact the special agent identified above first. 

Dave Bittner: Can you unpack that for me (laughter) from a legal point of view? Like, is that just sort of, please, please, do us a favor, or is there any, you know, legal backing behind that paragraph? 

Ben Yelin: So it depends on the circumstances. In most grand jury subpoenas, there isn't much of a legal threat for people who disclose information. There are a couple of exceptions. One of them is national security letters. So this is information related to homeland security or national security information. There's actually a legally enforceable gag order that comes with those subpoenas, and that's what national security letters are, administrative subpoenas. And in that circumstance, you could face criminal penalties for divulging the contents of that subpoena. 

Ben Yelin: These - people have been fighting against these gag orders for years, with good reason. I mean, it's - it puts people, you know, the companies and individuals who receive these requests, in a very difficult situation. And prior to some reforms that have been passed over the past several years, you couldn't even discuss it with an attorney, lest you be violating that gag order. 

Dave Bittner: Wow. 

Ben Yelin: Fortunately, in most circumstances now, at least the government has given people who've received these gag orders a chance to challenge them in court, and they give them instructions on exactly, you know, what kind of information they have to submit. And they've allowed exceptions for who those individuals can talk to. And one of those is you can run this by your attorney as long as you keep it confidential. 

Ben Yelin: So this does appear to be a homeland security investigation. I'm wondering if this was issued as under that national security letter authority or some other authority. 

Dave Bittner: Right, right. 

Ben Yelin: But generally, when we're talking about national security, homeland security cases, they do have a legally enforceable gag order. 

Dave Bittner: Yeah. I wonder if the folks from Signal or their attorneys from the ACLU contacted the special agent before they published this or not. I'm going to guess not. 

Ben Yelin: I'm going to guess not, yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: I mean, they also - one selling point of these companies is, like, we like to thumb it in the nose of overreaching government, you know, government agents, and that just proves how much we care about protecting your privacy. 

Dave Bittner: Right, right. Sure. 

Ben Yelin: This is one way of showing it, yeah. 

Dave Bittner: Yeah. A bit of swagger here as well. 

Ben Yelin: For sure. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.