The CyberWire Daily Podcast 5.5.21
Ep 1326 | 5.5.21

DDoS interrupts Belgium’s parliament. New malware in the wild. Spies and crooks work around MFA, OAuth. COVID-19 scam site takedown. Online election fraud (in a homecoming queen election).


Dave Bittner: Belgium sustains a DDoS attack that knocks parliamentary sessions offline. New malware strains are identified in phishing campaigns. Threat actors look for ways of working around multifactor authentication and open authentication. COVID-19 scams continue online and attract law enforcement attention. Joe Carrigan describes a compromised password manager. Our guests are Linda Gray Martin and Britta Glade from RSA with a preview of this year's RSAC conference. And how secure was your high school's election for homecoming court?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 5, 2021. 

Dave Bittner: A large distributed denial-of-service attack yesterday hit Belnet, the ISP that serves much of Belgium's public sector. Belnet has since restored service. Computing notes that the attack caused the cancellation of several parliamentary meetings. The denial-of-service prevented streaming the meetings to external participants. 

Dave Bittner: Among the sessions disrupted was a hearing before the Foreign Affairs Committee that would have heard testimony on human rights in China's Xinjiang Uyghur autonomous region. Attribution would be premature, but this context has prompted speculation about the possibility of Chinese cyber operations. 

Dave Bittner: FireEye's Mandiant unit has identified three new malware varieties in a phishing campaign operated by a group it tracks as UNC2529, probably a criminal gang working for a direct financial take. The researchers call the group capable, professional and well resourced and say that it researched its targets closely and tailored its phishbait to the intended catch. FireEye named the new malware families DOUBLEDRAG, a downloader; DOUBLEDROP, a dropper; and DOUBLEBACK, a backdoor. 

Dave Bittner: If you can't beat it, go around it, like the blitzkrieg flanking the Maginot Line through the Ardennes. And it's worth noting that the Maginot Line was a pretty good fixed fortification, as fortifications go, and it forced the opposition to rethink the way it would attack. 

Dave Bittner: The point isn't that defenses are futile, because they aren't. It's that conflict is dynamic. The big point is that all conflict is between antagonists who perceive and think and react to each other's moves. No single solution is sufficient, still less permanent. That's as true in crime as it is in warfare. 

Dave Bittner: Two reports today show ways in which threat actors have reacted to the widespread adoption of sensible security measures. 

Dave Bittner: First, researchers at security firm Symantec describe the ways in which threat actors respond to improved security, in this case the widespread adoption of two-factor authentication. The researchers point out that one thing the recent SolarWinds compromise, the Microsoft Exchange Server ProxyLogon attacks and the exploitation of vulnerabilities have in common is that they obviate the need to defeat multifactor authentication. Bypassing such protection has become a principal tactical goal of advanced persistent threats and sophisticated cybercriminals. 

Dave Bittner: The silver lining, as Symantec sees it, is that this tactical shift shows that multifactor authentication is working. If it weren't, the threat actors wouldn't take such pains to find a way around it. So don't give up on multifactor authentication. Symantec recommends that organizations supplement it with some additional protections, specifically auditing login and Active Directory events, reviewing and reducing services and accounts that do not require MFA, keeping up to date on patches for any discovered vulnerabilities, considering a threat model where MFA may be bypassed or on-site secrets may be compromised, and expanding their zero trust architecture beyond simple two-factor authentication. 

Dave Bittner: In the second case of threat actor adaptation, security firm Proofpoint takes a look at how malicious apps abuse open authentication. OAuth app abuse had a successful run in 2020. 

Dave Bittner: As Proofpoint says, quote, "we have observed many forms of OAuth token phishing and OAuth app abuse, which is ideal for attackers to conduct reconnaissance, launch employee-to-employee attacks and steal files and emails from cloud platforms. Malicious app attacks often target the accounts of vice presidents, account managers, human resources representatives and chief financial officers - the kinds of users with access to highly sensitive data. If successful, attackers gain persistent and independent access to emails, including read, write, send and setting mailbox rules, files, contacts, notes, Microsoft Teams chats and more. In some cases, they redirect users to a phishing site after the user consents to the application," end quote. 

Dave Bittner: In response to this problem, companies like Microsoft have begun to require that app publishers be verified. Microsoft's procedures, instituted in late 2020, have been sufficiently onerous to induce threat actors to look for new approaches. Microsoft's verification process requires that the app publisher be a member of its Partner Network, that the publisher's account be part of a verified tenant and that the publisher agree to the terms of use developers must abide by to participate in the Microsoft Identity platform. Redmond also checks tenant bills and activity. 

Dave Bittner: Proofpoint notes with evident approval that the whole process of verification is a complicated and unrewarding procedure from the attacker's standpoint, but, of course, it hasn't put the crooks and spies out of business. As was seen with the threat actors' response to widespread adoption of multifactor authentication, they're simply finding an alternative approach. They now compromise accounts in credible tenants, and then create, host and distribute cloud malware from within those tenants. Proofpoint says that cloud account compromise is now widespread, with perhaps more than 50% of all tenants compromised. 

Dave Bittner: COVID-19 scams, whether counterfeited vaccination records or bogus nostrums, continue to be hawked online, but they're also attracting more attention from law enforcement. The Wall Street Journal reports that demand for such things is particularly high in Europe, which has seen more delays and stoppages in vaccination than have the U.K., Israel and the U.S. 

Dave Bittner: But, of course, the problem isn't exclusively an Old World one. The U.S. Food and Drug Administration this week announced that the U.S. Attorney for the District of Maryland had taken down a fraudulent website misrepresenting itself as a biotechnology company working on COVID vaccines. It's the ninth such bogus site the Feds have taken down during the pandemic. 

Dave Bittner: And, finally, there's a case of election fraud being prosecuted in Florida. No, it's not a U.S. federal or state election being finagled through inauthentic online ballots. Instead, this one is a case in which a mother and her teenage daughter tried to rig a homecoming queen election at Tate High School in Pensacola. 

Dave Bittner: The accused, the AP reports, allegedly used the mother's access to school district networks to cast fraudulent votes for the daughter. The mother had district-level access by virtue of her job as assistant principal at a local elementary school. One hundred seventeen votes were cast from the same IP address within a short period of time. That tipped investigators, who found a total of 246 votes cast for the homecoming court from devices found in the accused's home. 

Dave Bittner: The mother-daughter duo are charged with offenses against users of computers, computer systems, computer networks and electronic devices, unlawful use of two-way communications device, criminal use of personally identifiable information and conspiracy to commit those offenses. Both are currently free on bond, but both face the possibility of 16 years in prison if convicted. They are, of course, entitled to the presumption of innocence. 

Dave Bittner: The RSA Conference has unsurprisingly gone virtual this year, and the CyberWire is once again a proud media partner for the conference. Going virtual is a mixed bag of challenges and opportunities. And for a better understanding of that, I spoke with Linda Gray Martin, vice president of RSA Conference, and Britta Glade, senior director of content and curation at RSA Conference. We hear from Linda Gray Martin first. 

Linda Gray Martin: I have to say it's been a really interesting learning curve over the last year. You know, virtual events are a new industry really in themselves. And there's been so much innovation in this space. It's been really interesting to watch it evolve. 

Linda Gray Martin: So, you know, I think our community will see lots of the same elements of the conference, albeit reformatted for a virtual world. But, you know, there are, of course, new things, particularly the format, the structure, the way the agenda is planned. 

Linda Gray Martin: But, you know, looking at the familiar elements - and Britta will do a deeper dive into the kind of content side of things, but we have a very comprehensive track session agenda. We have a very robust keynote program. We have interactive sessions. And we've got quite a lot of new going on in this space, which I know Britta's keen to share with the listeners. 

Linda Gray Martin: But we also have our innovation programming, like Innovation Sandbox and our sandbox (ph) and capture the flag events and networking opportunities and, of course, the Digital Expo, which is the digital version of the expo hall that people are familiar with in San Francisco. 

Linda Gray Martin: But just looking at the new, like I said at the beginning, kind of the format, the structure, the way the agenda is planned in particular - those are definitely new. You know, we all know a year into virtual events that virtual experiences are very different from physical ones. We're hoping, actually, that people will be able to attend our virtual event who would never normally get the opportunity to come to San Francisco. So I think there's a real opportunity there for us to really reach all corners of the world. 

Linda Gray Martin: Because of that, we've been working hard to time zone optimize the agenda as much as we can. Britta and team have worked really hard to kind of clump groups of like sessions together. So if someone's joining us from Singapore and they're coming on later in our day, you know, all their sessions they attend, or if they've got an interest in a particular topic, they can attend the like sessions at the same time just to make it easier on them. 

Linda Gray Martin: The agenda is going to kick off at 8 o'clock PT every morning, which is 4 p.m. in the U.K. So that's always my reference point for the U.K. You know, we've tried to make it as global as we can. It's early for APJ, but we planned it so that there are sessions running later in the day for the APJ audience. 

Linda Gray Martin: So, you know, we've done a fair amount of research, talked to a lot of peers in the industry at other large event organizations to try and get to this point. I'm sure it's not perfect, but it does give our attendees worldwide an opportunity to participate. 

Linda Gray Martin: So just to kind of summarize, lots of familiar, but also lots of new as well. 

Dave Bittner: Yeah. I think, you know, here at the CyberWire, we're excited to continue our media partnership with the RSA Conference. And, indeed, we'll be taking part in the virtual version of Broadcast Alley, which we had a great time being a part of last year. What are some of the programs that you're particularly excited about as we approach this year's conference? 

Britta Glade: You bet. And as Linda mentioned, we are trying to take and make the best of a digital environment, which actually does lend itself to some different things. 

Britta Glade: One of the programs that I'm super excited about is what we're calling our networking lounges. And the lounges - as Linda indicated, we've organized our content. We've kind of thought about everything in clumps of three hours, thinking if we have a really nice packaged, tight body of content for someone with a particular domain interest - anti-fraud, for example - you've got a tight set of programming against that topically. 

Britta Glade: And then corresponding, you have a networking lounge. And in the networking lounge, which is hosted by a member of our program committee, so someone with tremendous domain knowledge in that area - which then is visited by various speakers for live, engaged Q&A, host-to-speaker presented, but also the opportunity for anyone in that networking lounge to take and engage in the conversation, to meet one another. So that's one element that we're doing. 

Britta Glade: We have traditional sessions. We have ability to have Q&A associated with all of those sessions. We have some fabulous keynote programming put together, again, taking and embracing what couldn't you do in a physical environment - well, bringing together, you know, these experts from across the globe in a real-time basis. 

Britta Glade: So there's some really interesting, fun programming. And we have tried to embrace and continue to be pure to our reputation of connecting people, of having moments of fun, moments of surprise, but certainly that depth of focus on education and applicability of the education being shared. 

Linda Gray Martin: I'm sure you're aware that each year we have a particular theme. Last year's theme was the human element, and that resonated so well with our community at the time. But this year, the theme is resilience. And, of course, it's taken on a whole new meaning for everybody kind of professionally and personally. You know, it's a word we've all become very familiar with, but it also means something very specific to our industry in that, you know, resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. 

Linda Gray Martin: So, you know, it's - as we've gone through this process, we're so happy to have the theme resilience kind of as our umbrella this year. And I think it will hopefully really resonate with everybody as we go through life. 

Dave Bittner: Our thanks to Linda Gray Martin and Britta Glade from RSA Conference for joining us. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, something you and I talk about a lot over on "Hacking Humans" is the importance of password managers. 

Joe Carrigan: Indeed. 

Dave Bittner: And here we've got a story from BleepingComputer, and it's titled "Passwordstate Password Manager Hacked In Supply Chain Attack." What's going on here, Joe? 

Joe Carrigan: All right, so what has happened here is there's a company called Click Software (ph) that makes a password manager called Passwordstate. And Passwordstate includes a copy of an open-source library called moserware.secretsplitter.dll. 

Dave Bittner: OK. 

Joe Carrigan: All right. Somebody managed to compromise the copy of the DLL that Passwordstate was - included in itself. And that compromise included a loader that would load a malicious version of the software that would then upload all of the information to a malicious-actor-controlled website. So the malicious software was active for about 28 hours. So it wasn't a very long-lived thing. 

Joe Carrigan: This is a case of somebody using an open-source library and not verifying when things have changed. You know, that - open-source libraries are extremely helpful in the development of software. There is a lot of stuff out there so you don't have to reinvent the wheel every time you want to use some functionality that probably already exists and is available for you to use under a free and open-source license. 

Joe Carrigan: This is actually available - it's developed by a guy named Jeff Moser, who put it out under the MIT License, which is a very open license. It's very similar to the BSD license. It's not like the GNU licenses that require that if you - you know, there's one GNU license that if you include any of the software under that license, your software also has to be free. 

Joe Carrigan: But this software says you can do whatever you want with this - or this license says you can do whatever you want with this. You can even charge people for it if you want. You know, you shouldn't. But, you know, if you make any changes, you're free to do whatever you want. It's actually a very open license... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...And people can do whatever they want with it. 

Dave Bittner: And it's a near certainty these days that if you're developing something with any degree of sophistication, it's going to have some open-source libraries in it, yeah. 

Joe Carrigan: It's going to have some open-source libraries in it, exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't know where Click was getting their version of Moserware from because the original version that's on GitHub hasn't been updated in 10 years. 

Joe Carrigan: And Jeff Moser was on Twitter. I actually found him on Twitter. He said, about 10 years ago, I researched the math behind securely splitting secrets and wrote an open-source prototype for the idea. Unfortunately, someone took my code and created a malicious version of the moserware.secretsplitter.dll in a malware that has been dubbed Moserpass by @csis_cyber. That's a Twitter handle. It's unfortunate that my last name and DLL are associated with this malware. I have no connection to it other than my prototype code that was open-source and apparently has been used by a commercial product. And he didn't even know about that until earlier today. 

Joe Carrigan: So here's a product that a developer put on GitHub 10 years ago. You look at his GitHub repository, it hasn't been updated in 10 years. 

Dave Bittner: Right. 

Joe Carrigan: And this company has been using another version of that. I don't think they've been using his copy of it because somehow they got somebody's updated version. I don't know exactly how that supply chain attack happened, but these malicious actors were able to put something in there that essentially exposed the secrets of users of this software if they downloaded an update between, I think, April 20 and April 21. 

Joe Carrigan: There's a couple of advisories from Click Software (ph) and one from CrowdStrike as well. To Click Software's (ph) credit - Click Studios' credit, they have been remarkably forthcoming about this, and they're very good at stopping this. I think 28 hours is a remarkably short time horizon for them to fix this. That was good work mitigating this issue. 

Joe Carrigan: I would've liked to have seen a little bit better configuration management and quality control in the front end of this to stop that from happening. But, you know, once - you know, these mistakes are going to happen. These things are going to - these kind of things are just going to happen. It's not anything that you can truly avoid. Somebody's going to fall victim to this. 

Dave Bittner: Yeah. 

Joe Carrigan: It just so happens that it was Click Studios this time. 

Dave Bittner: I wonder, too - I mean, is it plausible that it could be as simple as, you know, some bad actor out there posting up, hey, here's the latest version of Moser? You know, the original hasn't been updated in a decade, but we've got one with all these improvements. And so - you know, and that's the one that has the malicious stuff in it. 

Joe Carrigan: Right. 

Dave Bittner: You know, someone who's using it looks - sees that, you know, doing a Google search and says, oh, OK, here's an updated version, doesn't do their due diligence, and Bob's your uncle. 

Joe Carrigan: Oh, I think that they were using a version that was good for a period of time because - these attackers may have actually created a version that was good and may have had better functionality, right? But then when it was time, once they knew that Click Studios was putting it in Passwordstate, they went ahead and attacked Click Studios specifically. It was a very specific attack. 

Dave Bittner: OK, gotcha. Interesting. 

Joe Carrigan: It is. One thing I want to say before we go - this does not mean you should not use a password manager. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Continue using password managers. It is better to use a password manager than to not use a password manager and use the same password everywhere. That's just asking to be hacked by very low-skilled attackers. 

Dave Bittner: Yeah. 

Joe Carrigan: The information - you can go and update your passwords now and be just as safe as you were before. 

Dave Bittner: All right, well, the article is over on BleepingComputer. It's titled "Passwordstate Password Manager Hacked In Supply Chain Attack." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.