The CyberWire Daily Podcast 9.24.21
Ep 1425 | 9.24.21

Cyberattacks against a Russian rocket shop and the Port of Houston. As ransomware gangs increase activity, the US considers defenses. Pegasus found in French Ministers’ phones. Meng heads home?


Dave Bittner: Someone is phishing for Russian rocketeers. The Port of Houston discloses a cyberattack, which the Port says it deflected before it had operational consequences. Ransomware gangs are up and active, and the U.S. is considering mandatory reporting by victims as a defensive policy. Pegasus spyware is said to have been found in the phones of five French government ministers. Johannes Ullrich from the SANS Technology Institute on attackers hunting for environment variables. Our guest is Graeme Bunton of DNS Abuse Institute. And Huawei's Meng Wanzhou may soon be headed home from Vancouver.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 24, 2021. 

Dave Bittner: Security firm Malwarebytes reported this week that it had, quote, "reason to believe that the MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities," end quote. The company says its researchers had intercepted email attachments that appear to be used as phishbait to catch Russian organizations. 

Dave Bittner: Among the organizations targeted was JSC GREC Makeyev, a company that develops both liquid and solid propellant ballistic missile systems, and that serves as one of Russia's principal rocket and space technology research and development centers. 

Dave Bittner: One of the phishing emails directed at Makeyev recipients represented itself as coming from human resources. Other organizations are receiving emails purporting to come from the Ministry of the Interior and providing notification that illegal activity has been detected. Whatever the phishbait, the goal of the social engineering appears to be, in the first instance, harvesting of personal information. 

Dave Bittner: Malwarebytes has no attribution. As the company observes, however, quote, "It is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard," end quote. Microsoft has patched the vulnerability the attackers seek to exploit. 

Dave Bittner: The Port of Houston Authority said yesterday in a brief announcement that it had "successfully defended itself against a cybersecurity attack in August. Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act, and no operational data or systems were impacted as a result," end quote. 

Dave Bittner: CNN reports that on August 19, attackers believed to be associated with a foreign intelligence service gained access to a server in the Port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack. 

Dave Bittner: Whichever nation-state was responsible for the Houston attack - and there's no attribution, yet - the Record reports that the attack was accomplished by exploiting a zero-day in a Zoho authentication appliance. A week ago the U.S. Cybersecurity and Infrastructure Security Agency issued a Joint Advisory with  the FBI and the Coast Guard, warning that CVE-2021-40539, a vulnerability in Zoho's password manager and single-sign-on solution ManageEngine ADSelfService Plus, was being actively exploited in the wild. Zoho had addressed the bug on September 6, and CISA urged users to apply the patch as soon as possible. The Port of Houston incident would seem to explain both the urgency, and of the Coast Guard's involvement in, the Advisory. 

Dave Bittner: WIRED notes that the brief dip in the frequency and consequence of ransomware attacks earlier this summer was a false dawn and not an enduring trend. The gangs and the intelligence services that abet them seem simply to have taken time to adjust to Western, mostly U.S., policy and law enforcement tactics, and have returned with if anything even greater intensity. Their occultation was no exit and no retirement, and they're back without any sign that they've moderated their appetites. 

Dave Bittner: As part of its response to ransomware and other threats to critical infrastructure, the U.S. Administration has been pushing for mandatory cyber incident reporting, and the U.S. Congress is considering legislation to that effect. The Senate Homeland Security and Governmental Affairs Committee yesterday held a hearing on Cybersecurity and Protecting Critical Infrastructure. Senator Gary Peters, Democrat of Michigan, and chair of the Committee, asked CISA Director Easterly for her views on an incident reporting bill the Senator and his colleagues are working on. 


Gary Peters: My first question is for Director Easterly. If our incident reporting bill were enacted, what would CISA do with this information and how would you be able to help victims? 

Jen Easterly: Thanks very much for your question, Chairman. First of all, CISA plays a critical role as the national coordinator for critical infrastructure, resilience and security. As I think about CISA's superpower that we use on behalf of the nation and the American people - is our ability to share information rapidly to enable us to protect other potential victims. So what we could do with this information is not only render assistance to the victim and help them remediate and recover from the attack, but we can use that information, we could analyze it, and then we could share it broadly to see whether, in fact, evidence of such intrusions were found across the sector or frankly, across other sectors or across the federal civilian executive branch. So we think that timely and relevant importing - reporting of cyber incidents is absolutely critical to help us raise the baseline and protect the cyber ecosystem. 

Dave Bittner: How would such legislation be enforced? Director Easterly wants something other than subpoenas, something more agile, and thinks that some system of fines might be appropriate. National Cyber Director Inglis agreed. 


John Inglis: Mr. Chairman, I support that view strongly. I would observe that most of the 50 states have reporting requirements of a similar sort, and the vast majority of those have an enforcement mechanism. Many of those use fines. There may be some best practices in there if we do a thoughtful survey of how they've actually addressed this and how that has worked and whether that has imposed an unfair burden on the victims. We, of course, don't want to impose an unfair burden on the victims, but this information is essential for the welfare of the whole. There should be rewards for good behavior. If you've performed well and thoughtfully in this, the benefit should be obvious, which is that we can provide better services both in response and in preventing this in the future. 

Dave Bittner: The full hearing is available on C-SPAN. 

Dave Bittner: Mediapart reports that investigation confirms at least five French ministers' phones were infected with Pegasus spyware. Just who instigated the installation of the spyware remains unclear. The Washington Post notes that Mediapart has suggested the government of Morocco was behind the installation. But Morocco, for what it's worth, has both denied involvement and brought a lawsuit against Mediapart, alleging defamation. 

Dave Bittner: And finally, Huawei CFO Meng Wanzhou will soon be able to leave Vancouver, where she's been fighting extradition to the United States where she faces charges related to alleged violations of sanctions against Iran. The U.S. Justice Department is said, according to the Wall Street Journal, to have reached a deferred prosecution agreement with her that's expected to be entered today, when she appears remotely, from Canada, before a court in Brooklyn. Quote, "The agreement will require Ms. Meng to admit to some wrongdoing in exchange for prosecutors deferring and later dropping wire and bank fraud charges," end quote. 

Dave Bittner: Ms. Meng was arrested in the Vancouver airport in December 2018, Reuters reminds us, on a U.S. warrant alleging bank fraud and wire fraud charges in connection with what the U.S. indictment characterized as misleading a banking partner and financial services partner, HSBC, about Huawei's involvement with Iran. The South China Morning Post characterizes the U.S.'s part in the agreement as dropping the charges. That's not entirely accurate. Under a deferred prosecution agreement, the Government brings charges but agrees not to proceed to prosecution provided the defendant acknowledges responsibility, and agrees to certain conditions. If the defendant keeps their side of the bargain, then after a certain specified period of time, the Government drops the charges. 

Dave Bittner: In any case, Ms. Meng is likely to be able to return to China shortly after the conclusion of today's virtual hearing. 

Dave Bittner: When it comes to attempts to mitigate the actions of bad actors abusing the internet's domain name system, the DNS, one of the hurdles facing interested parties is how precisely to define DNS abuse. Graeme Bunton is director of the DNS Abuse Institute, where he's leading the charge to try to bring more clarity to this issue. 

Graeme Bunton: So the DNS Abuse Institute was created by PIR, who run the dot-org TLD. You know, they've been operating in the space for a very long time, and they, like I do, see DNS abuse, or these - this set of online harms - as something like a collective action problem, where registrars and registries would be better served by being more proactive and active on mitigating DNS abuse. But there's a number of disincentives and historical reasons why they haven't been doing so. So the DNS Abuse Institute was created to try and fill that gap, and we're going to do that with technology and education and work on collaboration within the industry to try and ultimately reduce DNS abuse. 

Dave Bittner: Well, this article that you all recently published, "DNS Abuse Definition," is there an issue with there not being a standard definition of what constitutes DNS abuse? 

Graeme Bunton: Unfortunately, yes, at least within the community. We operate the ICANN community and a bit larger than that. There has been sort of endless cycles of debate about what constitutes DNS abuse. It has gone on for years. I can elaborate a little bit here that, you know, registrars and registries want a relatively constrained set of harms that they feel capable of understanding and mitigating. And the DNS is, like, the only centralized bit of the internet's ecosystem, you know, of the broader infrastructure. And so lots of people have harms that are impacting them, and they want to resolve them. And reasonably, they find themselves at the DNS because that's the only place where they're going to have a real crack at getting them resolved. And so you have these two competing interests trying to define what harms registries and registrars should be responsible for. 

Dave Bittner: Is this partially a matter of fostering collaboration among the interested parties rather than - I could imagine there being quite a bit of finger-pointing. 

Graeme Bunton: There is a lot of finger-pointing, and I think what I am trying to do here is really get people to come to the table and say, look, here is the harm, here's how it intersects with the layer of internet infrastructure that you operate, and you solving it here checks a lot of these boxes. And then you can disagree about specifically which boxes you think are checked. So often within the DNS, we fail on on two mitigation attributes. It is often not precise. So the harm might be on some sort of - it might be on a subdomain or a long URL, not the domain name itself. Or it may not be proportional because most registries and registrars only have the ability to turn off a domain name. And so then we can get into a discussion of specifically what it is that they might disagree on. They can say, no, I think there's harm is proportional to act at the DNS, and that's great because now it's no longer just do it. We now can say, yes, it's quick and it's efficient, but we're concerned about this proportionality. And so now we can have a more nuanced conversation about the harm and how to mitigate it. 

Dave Bittner: And where are these conversations taking place? 

Graeme Bunton: Most of this happens within an ICANN context, so either at ICANN meetings or events surrounding that ecosystem because that's, for the most part, where domain names are regulated. Some of this is happening within the broader domain name ecosystem involving ccTLDs as well. 

Dave Bittner: And what do you hope to come out of this? I mean, if people are on board and you get widespread adoption, what will things look like on the other side? 

Graeme Bunton: You know, boy, I would love to, first of all, get more people on board for mitigating abuse so that the internet actually gets safer, you know? And then the next piece of this is that if we have a little bit more sophistication in our dialogue, we can understand where we disagree and we agree a bit more, we then can can begin to tackle things like, oh, boy, this harm is - should be addressed at the hosting level. But it hasn't been. We have, you know, gone through a rigorous process of trying to do that. Now we can escalate up to the next layer of internet infrastructure or down to the next layer of internet infrastructure, you know, to the layer of the DNS. And you have some, you know, evidence of that process that you've gone through. And now you might have a better case for acting at the layer of the DNS if you've escalated appropriately. But none of those best practices exist yet. And so that's a thing that we'll try and work on next. 

Dave Bittner: That's Graeme Bunton from the DNS Abuse Institute. 

Dave Bittner: And I'm pleased to be joined once again ***** 

Dave Bittner: *** by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. We wanted to touch today on attackers who are hunting for environmental variables. What can you share with us today? 

Johannes Ullrich: The root cause of this problem is, how, as a developer, are you going to store secrets? And in particular in modern web applications, you need an awful lot of secrets. You connect to various APIs. You need to provide some kind of access key. You need to connect to a database that may ask you for a username and password. The one place where you don't want to store those variables is your code. So you have to find another solution. Now, there are very expensive, very elaborate secret managers. Not everybody has those. A very cheap and reasonable good way of doing this is just store them in environment variables. Environment variables are not typically sort of directly readable like source code. They don't leak as easily, but where are you storing these environment variables? So we just moved the target a little bit. And what a lot of developers apparently are doing is they're storing these environment variables in a file and then they place the file in the document route off your web server. The document route is the directory where, by default, your files are being retrieved from. So now it's really just a matter of an attacker guessing the right file name, pointing it to your or looking for that file on your web server. And they have all your secrets. Add to that, that the developers aren't really all that inventive when it comes to these file names. We do see a lot of requests for very common names like .ENV and, or just ENV - so short for environment. And lately, also a lot for Twilio.ENV. Twilio is a service that allows you to send SMS messages, make phone calls and such. A lot of websites use that sort of to integrate with voice and text messaging. 

Dave Bittner: And so what's the solution here? I mean, is it as simple as putting this stuff in a protected directory? 

Johannes Ullrich: Yeah, that's the first step. Put it outside the document route. That way an attacker, using that very simple attack, is not able to access it. Of course, the real solution is use a proper secret manager. As I said, this can be a little bit complex. It's very specific on particular language environment that you are using. So, for example, if you're looking at the Twilio documentation, they have an example of how to store the secrets as environment variable. That's sort of what they recommend. The reason why they recommend it is because it pretty much works for everybody while any more sophisticated solution is very specific to the language and the overall environment that you're using. 

Dave Bittner: All right, well, interesting stuff. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Looking for something to do this weekend? Well, be sure to check out this week's Research Saturday and my conversation with Ariel Zelivansky from Palo Alto Networks. We're discussing their work titled "What You Need to Know About Azurescape." That's Research Saturday. Do check it out. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.