Riding herd on Mustang Panda. Drupalgeddon2 is out in the wild. VPN warnings and mitigations. Patch notes. An offer to share intelligence about Huawei. Presidential sites get low privacy grades.
Dave Bittner: [00:00:03] An update on Mustang Panda and its pursuit of the goals outlined in the 13th Five-Year Plan; unpatched Drupal instances are being hit as targets of opportunity. NSA adds its warnings to those of CISA and NCSC concerning widely used VPNs. If you use 'em, patch 'em. And change your credentials. Five senators tell Microsoft, nicely, that Redmond is naive about Huawei. And U.S. presidential campaign websites get privacy grades.
Dave Bittner: [00:00:37] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment, and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Tuesday, October 8, 2019. Late yesterday, Anomali issued a report on Mustang Panda, a Chinese government threat group that's probably operating against a distinct but extensive set of targets, people interested in U.N. Security Council resolutions concerning ISIL, which of course was the Islamic State's incarnation in Syria and adjacent regions, MIAT Airlines, the Mongolian national carrier, the European, German-speaking, Catholic cultural and religious exchange not-for-profit China Zentrum, the Communist Party of Vietnam and Shan Tai Theravada Buddhist communities in Southeast Asia.
Dave Bittner: [00:02:48] They also seem to have taken an interest in police agencies in Pakistan's Sindh province, and in insurgent paramilitary organizations in the Shan states of Myanmar, especially the Shan State Army and its political arm, the Restoration Council of Shan State. Anomali's conclusions about the targets are circumstantial, but they think they are moderately convincing. The nature of the phishbait suggests something about whom the threat actors are phishing for. Dot-Ink files used in the phishing usually contained an embedded HTA file with VBScript of PowerShell script that, when executed, opens the decoy document and runs the malicious payload in the background. The payloads have been the PlugX remote access Trojan and the penetration tool Cobalt Strike.
Dave Bittner: [00:03:35] Mustang Panda was first identified by CrowdStrike in June of 2018. So it's not a new threat group. The tip-offs that the recent activity is traceable to this particular threat group lie in its tactics, techniques and procedures, and in its targets. The targets, Anomali observes, are the kind of groups and individuals likely to be of interest to Chinese intelligence services. How do they know this? They've read the 13th Five-Year Plan, the one that runs through next year. And they've noted the ways in which the targeting serves the plan's objectives of openness - that is, dominance of export markets and penetration of global infrastructure through Beijing's Belt and Road Initiative - innovation - that is, effective industrial espionage - and the enduring goals of keeping a close eye on neighboring states for strategic reasons, especially those states that have a large Chinese diaspora.
Dave Bittner: [00:04:28] Unpatched instances of the Drupal content management system continue to receive Drupalgeddon2 attacks, Akamai warns. The vulnerability being exploited was patched last year, but there are, unsurprisingly, many unpatched instances of the popular software kicking around out there. Drupalgeddon2 is an unauthenticated remote code execution vulnerability that the Drupal platform fixed in March of 2018. An attacker could use Drupalgeddon2 to force the server running the content management system to execute malicious code, which, in principle, could compromise the Drupal installation and possibly the host machine, too. Akamai isn't seeing widespread exploitation of the vulnerability. It is, rather, seeing opportunistic attacks against high-profile sites where the vulnerability persists. As is so often the case, the best course of action is to keep your systems patched.
Dave Bittner: [00:05:23] Security firm Code42 recently released the latest version of their "Global Data Exposure Report," and one of the highlights was the prevalence of insider threats. Jadee Hanson is CISO and VP of information technology at Code42.
Jadee Hanson: [00:05:37] A lot of non-malicious data exfiltration happens when employees mislabel documents and overly share documents, and then they're leaked out of organizations. On the malicious side, you know, certainly, a lot of aspects around departing employees. So when employees leave organizations, I don't think it's any surprise to anyone that they're taking documents with them. One of the things that I think the report called out was just the fact that companies need to wake up to this and start thinking about, like, how impactful it is to a company when insiders and when employees leave organizations and take data with them.
Dave Bittner: [00:06:20] And what is the disconnect here in terms of companies being able to combat this and it continuing to be an ongoing problem? Where are they - what are they missing? Because as you said in the report, it seems as though many of these companies feel as though they have protections in place.
Jadee Hanson: [00:06:38] Yeah. So there's a couple things at play. First and foremost, I think in the security industry, we have been very focused on prevention technology. And we've been very focused on the external threat. I think now companies have to start waking up to the internal threat. The internal threat being employees misusing or mis-sharing information or exfiltrating information. It's interesting, like, when you think about the ways employees can get information out of a company, we're in a time of complete collaboration where we have, you know, lots and lots of collaboration tools in the cloud that we're sharing data with. We have, in many cases, no network perimeter. And so I think the other thing at play is that it's just much easier than it ever was to move information outside of a company.
Jadee Hanson: [00:07:34] I think the other thing that I've always thought - the fact that employees feel very entitled to personal ownership. A large majority of our information security leaders that we surveyed, 72%, agree it's not just corporate data. It's my work and my ideas. Which, you know, that's a scary statistic because if people think that it's their work and their ideas, they're going to take it with them when they leave. And I don't think companies realize how impactful that can be until the data's gone. I talk to a lot of customers and potential customers, and just recently I was on the phone with a company that had an employee leave, start their own company, and that became a threat to the existing company or the initial company to the point where they had to buy out the company that was started with the employee's data - or with the employer's data. So I don't think companies really realize how impactful it is until it's probably too late.
Dave Bittner: [00:08:38] So based on the information that you gathered in this version of the report, what are your recommendations? What do you suggest folks should do here?
Jadee Hanson: [00:08:46] Yeah. My suggestions would be just don't wait. Make sure that you really think about the information in the report and what it's telling you and the fact that this is a problem that we can't ignore. Start with coming up with some sort of framework on an insider threat program. If you don't have one already at your company, start to launch one. An insider threat program is much more than just buying technology. For our own insider threat program, we have a very strong partnership with legal and HR, which are probably the two most important organizational units as part of an insider threat program. HR from the standpoint of they own the employee life cycle from start to finish. And this is really about employees. Legal - legal certainly has to get engaged if there is some sort of lawsuit against a particular employee.
Jadee Hanson: [00:09:40] And so certainly, those two teams have to be involved. But then it really is, like, process and technology second. And so, you know, coming up with the right steps that you're going to take when you do find data exfil-ed, and then what's the right technology? And I would really stress not focusing on preventative technology or focusing on some sort of solution that gives you more visibility across everything. Across, you know, your end points as well as cloud sharing, across every aspect in which a data could be exfil-ed out of the company, something that gives you much more visibility and doesn't necessarily focus on prevention only.
Dave Bittner: [00:10:23] That's Jadee Hanson from Code42. We were discussing the latest version of their "Global Data Exposure Report."
Dave Bittner: [00:10:31] The U.S. NSA yesterday added its own warnings to those of CISA and the U.K.'s NCSC, issued last week, concerning the exploitation of older but still widely used VPNs by various international threat actors. NSA's notes include advice about mitigation. After patching or updating your VPN, NSA recommends that you reset all associated credentials, implement two-factor authentication, require a mutual certificate authentication as well as other sound, hygienic measures. Five U.S. Republican senators have written Microsoft President Brad Smith to tell him he's underestimating the security threat Huawei poses. Smith had earlier this year told Bloomberg Businessweek that he thought Huawei's treatment was unfair, indeed, un-American.
Dave Bittner: [00:11:19] Senators Cotton, Rubio, Scott, Holly and Braun say they appreciate Microsoft views and that they understand that many U.S. companies have done business in good faith with Huawei but that the security concerns that surround the Chinese device manufacturer are both serious and urgent. They review familiar incidents involving compromise and intellectual property theft, and they offer well-attested accounts of the company's thorough alignment with China's ruling Communist Party. One of the points Microsoft's Smith brought up, however, the senators found themselves in agreement with. Smith had said that U.S. agencies typically said, when questioned, that, well, if you knew what we knew, your eyes would be open, for sure. So Smith said, why not show us some of what you know? The senators think that's a good idea, and they'd welcome further conversations with Microsoft and other businesses about coordinating such briefings. This sounds like a job for CISA. Director Krebs, call your office.
Dave Bittner: [00:12:17] By the way, the U.S. Commerce Department announced further sanctions against Chinese businesses, adding eight companies to the entity list that already includes Huawei. This round of sanctions is different in that Commerce says, credibly, that the new members of the entity list earned their way there not because they pose a security threat to the U.S. or other countries, but because they've played a prominent and important role in repressive measures Beijing has instituted against its predominantly Muslim Uighur minority.
Dave Bittner: [00:12:46] It's Patch Tuesday, and the usual round of updates are expected later today. Microsoft's patching round is expected to be somewhat lighter than usual, especially since .NET, Exchange and SharePoint all received fixes last month. Some commentators looking ahead have gotten cold feet with respect to automatically patching Windows, since some recent rounds have brought problems with them. One set of patches, however, won't appear. D-Link has decided not to patch its older home routers against a critical remote takeover vulnerability, Threatpost reports. Users should upgrade to new equipment instead. The affected routers, although still available as new from third-party vendors, are beyond their end of life. So D-Link's advice in this case is probably pretty sound. Why buy and install a vulnerable system that's no longer being maintained?
Dave Bittner: [00:13:37] And finally, the Internet Society has done a privacy audit of 23 U.S. presidential campaign sites and found seven of them worthy - those belonging to candidates Buttigieg, Harris, Klobuchar, O'Rourke, Sanders, Trump and Williamson. The other 16? Well, sorry, no bueno. Report to study hall.
Dave Bittner: [00:14:02] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:58] And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute, and he's also the host of the "ISC StormCast" podcast. Johannes, it's great to have you back. We wanted to do a little follow-up on some things we've talked about before with some server-side request forging. What do you have to share with us today?
Johannes Ullrich: [00:15:18] Yeah. The problem here is that everything is becoming an HTTP (ph) API. And while this is good in some ways, it makes software more interoperable, it also does open up some new vulnerabilities because every software is now able to accept commands via HTTP requests. Much software is also able to send HTTP requests. And there is a specific vulnerability server-side request forging where I'm tricking a web server into sending an HTTP request. Typically, web servers, they accept HTTP requests. They don't send them.
Johannes Ullrich: [00:15:55] But in these modern web applications, what's happening is that the web server is reaching out to all of these different HTTP APIs, to the REST APIs, and is basically using them like a more traditional web application, but if you used a database or something like this. So with all of these HTTP APIs interacting with each other, it becomes really critical that access is property controlled to them, and that's very - lately, there have been some high-visibility vulnerabilities that led to major breaches, like for example, the Capital One case that, as a root cause, sort of led to these server-side request forging vulnerabilities.
Dave Bittner: [00:16:39] In terms of limiting access, what do you recommend?
Johannes Ullrich: [00:16:42] So first of all, you need to carefully define what the capabilities of these APIs are so you don't expose any functionality they don't need to expose. And secondly, even if it's systems connecting to systems, servers connecting to servers, you still need to authenticate. There's always this idea I only need to authenticate the user. But here, the server's acting on behalf of the user. And of course, those requests need to carry credentials just like the request that came in from the user originally. And then of course, well, a good old input validation, output encoding, where, when you are creating these requests, that you are careful that the attacker isn't able to inject any additional commands.
Dave Bittner: [00:17:30] So typically, how would someone go about exploiting this?
Johannes Ullrich: [00:17:33] So as an example, if you have, let's say, a payment application that does accept orders from users and then is connecting back to a payment service to, for example, charge a credit card. An attacker may now be able to modify that request that's going back to the credit card service to actually send a request that's not even a payment request. But if your application is receiving the OK back from the payment service, well, you think the card was charged, the order was paid and you're shipping the product without ever actually receiving payment.
Dave Bittner: [00:18:10] All right. Well, Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:12] Thank you.
Dave Bittner: [00:18:18] And that's the CyberWire.
Dave Bittner: [00:18:19] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.