The CyberWire Daily Podcast 3.11.21
Ep 1287 | 3.11.21

More Exchange Server exploitation, and security advice. Updates on the SolarWinds compromise, criminal TTPs, and the Verkada hack. And news not you, but your friends might be able to use.


Dave Bittner: Are you a student in the cybersecurity industry? CyberWire Pro is available to students at a huge discount so that you can get context for what you're learning and accelerate your awareness and education on key issues in the industry. With a subscription, you'll receive access to exclusive podcasts and briefings, our quarterly analyst calls where you can connect directly with our analysts, commentary from executives and practitioners from across the industry and much more. Discounts are also available to educators, those in active duty or reserves and government agencies. To learn more, visit and click on the Contact Us link in the Academic box. That's, and then click Contact Us in the Academic box.

Dave Bittner: Norway's Parliament is hit with Exchange Server exploitation. CISA and the FBI issued more advice on how to clean up an Exchange Server compromise. CISA hints at more detailed attribution of the SolarWinds compromise soon, and U.S. Cyber Command says military networks were successfully defended. Microsoft's Kevin Magee on exporting cyber talent. Our guest is Hanan Hibshi from Carnegie Mellon University on their picoCTF online hacking competition. Notes on some evolving criminal techniques, an update on the security camera hacktivist incident. And some news that surely you won't need, but your friends might. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 11, 2021. 

Dave Bittner: Norway's Parliament can now be counted among the victims of the campaign against Microsoft Exchange Server vulnerabilities. BleepingComputer reports that the Storting yesterday disclosed that it had lost some data, but that investigation was incomplete, and the full extent of the damage was still unknown. The Storting was the subject of a cyberattack late last year, which sources in the Norwegian government at the time attributed to Russia's GRU. But the Storting believes that this incident is unconnected to the earlier incursion by Fancy Bear. Given all the groups in on the scramble to take advantage of Exchange Server vulnerabilities while they're still available, it's not surprising that some of this is a bit unclear. 

Dave Bittner: And not only are a lot of the Exchange Servers still unpatched and ready for the plucking, but simply patching vulnerable systems isn't enough to clear them of the malware the various attackers have deployed. Many threat actors, including both intelligence services and criminal gangs, have rushed to exploit these Exchange Server vulnerabilities, and they've left their access means behind them. The FBI and CISA yesterday issued a joint advisory on the Microsoft Exchange Server compromise. The advisory includes a summary of the methods the threat actors are using against their targets, as well as a set of actions victims can take to mitigate the damage. The advisory remains coy about attribution, stating nation-state actors and cybercriminals are likely among those exploiting these vulnerabilities, but it's pretty unambiguous about the consequences of exploitation. 

Dave Bittner: As the advisory puts it, quote, "Successful exploitation of these vulnerabilities allows an attacker to access victims' Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web," end quote. 

Dave Bittner: Reuters' Chris Bing tweets that CISA expects to release soon more evidence attributing the SolarWinds compromise to Russia. While some sources within the U.S. government have blamed Russia for the campaign, most of the detailed attribution has come from the private sector. In the meantime, U.S. Cyber Command has offered some reassurance about the dot mil domain. The Record reports that Cyber Command's executive director told the Intelligence and National Security Alliance that, quote, "To date, there's no evidence of a compromise in DoD networks because of the SolarWinds attack. That doesn't mean we weren't exposed. The layers of defense we had in place prevented the adversary from advancing from the toehold they had," end quote. 

Dave Bittner: Security firm Bitdefender warns that the FIN8 criminal group has resumed operation. The gang is operating improved versions of their Badhatch backdoor. FIN8 is a criminal-to-business bad actor, and it's shown an interest in the insurance, retail, technology and chemical sectors. Geographically, its targets have been largely in the United States, Canada, South Africa, Puerto Rico, Panama and Italy. 

Dave Bittner: Bitdefender, noting that FIN8 and other criminal groups do evolve their tactics, techniques and procedures, suggests some countermeasures businesses can take to protect themselves, including segmenting your networks - in particular, separate the point-of-sale network from the ones used by employees or guests, training your people to recognize social engineering approaches, supplementing security awareness training with some technical adjuncts, tune your email security solution to automatically discard malicious or suspicious attachments, building in some situational awareness about the threat, integrating threat intelligence into existing SIEM or security controls for relevant indicators of compromise. And if you are too small to operate your own dedicated security team, consider outsourcing security operations to manage detection and response providers. 

Dave Bittner: FIN8 isn't the only threat actor showing some signs of changing its approach. Researchers at Proofpoint report that the TA800 gang is using a new initial access tool, NimzaLoader. Proofpoint says there's been some evidence suggesting NimzaLoader is being used to download and execute Cobalt Strike as its secondary payload. But it is unclear whether this is its primary purpose. It's also not clear if the shift to NimzaLoader is just a short-lived thing for TA800 and others or whether this initial access tool will gain wider adoption. 

Dave Bittner: To update yesterday's coverage of the compromise of networked security cameras by the hacktivists styling themselves the Arson Cats, the affected company, Verkada, says it's found the source of the problem and corrected it, having secured all of its systems by midday Tuesday. The company says the attackers were able to access a Jenkins server Verkada's support team used to perform bulk maintenance on its customers' cameras. They think the attackers had access for about two days. Verkada has retained the security services of FireEye's Mandiant unit and the law firm Perkins Coie to help with their internal investigation. And they've notified the FBI, which is on the case. 

Dave Bittner: And finally, hey, everybody, you're probably asking about the security situation with respect to Wi-Fi-enabled, networked, self-regarding electromechanical marital aids, right? We mean, of course, that you're probably asking for a friend, just like we are. Anyhoo, wonder no longer because the helpful researchers at ESET have just published the skinny on this topic, and it's enough to warn any prudent human being away. A report they published this morning begins with a public-spirited lede. Quote, "As internet of things devices continue to seep into our homes and offer an increasingly wide range of features, new concerns are beginning to arise about the security of the data processed by these devices. Although they've been subject to countless security breaches that led to the exposure of people's login details, financial information and geographical location, among others, there are a few kinds of data with more potential harm to users than those relating to" their more intimate practices. 

Dave Bittner: Apparently, there's a market for such aids and devices, and apparently, they've evolved in much the same way things like webcams, thermostats, and coffee makers have. In common with other modern conveniences, intimate devices, ESET points out, now exhibit many features - remote-control access to the internet, group chats, multimedia messages, videoconferences, synchronization with songs or audiobooks and the capacity to connect with smart assistants, to name a few. Some models can synchronize to replicate their movements, and some others are wearables. 

Dave Bittner: The researchers looked into the security of products produced by the WOW Tech Group and by Lovense. They found issues of unwanted remote access in both families of products, which they say the vendors have now addressed. ESET thanked both WOW and Lovense for their cooperation, although that's probably to be expected. After all, who's more open to suggestions than that sector? And now everything is patched. And again, like you, we don't know anything about this stuff either. 

Dave Bittner: Since 2013, Carnegie Mellon University has been hosting picoCTF, a cybersecurity hacking contest for middle and high schoolers. Last year, they attracted over 40,000 participants vying for cash prizes of up to $5,000. Hanan Hibshi is a research and teaching faculty at the Information Networking Institute at Carnegie Mellon University. 

Hanan Hibshi: PicoCTF is a research project that started with a CMU faculty, Dr. David Brumley. He is one of the CyLab faculty. And this project was intended into attracting the younger youth into cybersecurity through playing a game that we call capture the flag. So capture of the flag is a term known in the security field because in many major security conferences like DEF CON, for example, we do have capture-the-flag events or what we call CTF events. Basically, lots of those security enthusiasts and professionals would sit in teams and compete. 

Hanan Hibshi: So picoCTF started transferring from that yearly competition to become an educational platform. And then the nice thing about it is that it's no longer this yearly competition that you have to just go sign up to a new site every year and just compete. Now, it's an educational platform. You can go practice your skills. You can solve prior challenges. 

Hanan Hibshi: We have faculty collaborating with us from all over the United States by using this in their classes. We have another faculty who used to be at CMU and now he's in Texas A&M, Martin Carlisle, who is really interested in investing - invested in this project, that he actually produces videos every year for the new challenges after the competition is over. So those who are really interested in finding the answer and they couldn't solve the challenge, they would benefit from using those videos. 

Hanan Hibshi: So now picoCTF is two things. It's an educational platform for cybersecurity, and it also hosts competitions year-round where students can compete and win prizes if they were in middle and high school. 

Dave Bittner: Why is it important for Carnegie Mellon to support this sort of thing? What do you all get out of it on the university level? 

Hanan Hibshi: It's part of our giving back to the community. And community outreach for us is bigger than just going and giving talks to the youth and tell them, hey, look at us, this is our journey, come and be someone like us. This is, of course, great, and we do it, but then there is much more that we can contribute. We understand the technology. We understand we are pioneers in cybersecurity. 

Hanan Hibshi: So how can we help address this national and international shortage? The shortage in cybersecurity is really getting bigger and bigger. It's predicted to have 1 million job openings by 2026 and 3 million worldwide. But we're not going to rely on someone introducing those in schools. We want to provide tools that would help the younger youth figure out that path for themselves before somebody points it out for them. 

Hanan Hibshi: Maybe this game would help change somebody's life. Maybe somebody would figure out, wait a minute, this is what I want to do for life. I want to be solving those kind of challenges if this is what a job in cybersecurity looks like. 

Dave Bittner: That's Carnegie Mellon University's Hanan Hibshi. This year's picoCTF kicks off on March 16. You can find out more at 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security and compliance officer at Microsoft Canada. Kevin, it's always great to have you back. I wanted to touch today on - I know some things you've been following and kind of pondering, which is this ongoing shortage of talent in the cybersecurity business. And we always talk about looking out for talent from, you know, other places, reaching out to bring talent in, but you've been thinking about this notion of exporting some of our talent. What's going on here? 

Kevin Magee: Yeah, I think we spend a lot of time talking about the skills gap and what we need to get more people interested in the industry. And that's kind of a pull. My thinking is how do we flip that on its head and how do we start to export talent to other areas of the industry and really start to leverage the expertise and whatnot that we have with other industries for other areas? 

Kevin Magee: And that can look like a different - number of different ways. That could be having people with security backgrounds sitting on boards of directors. Maybe it's moving someone from cybersecurity into the finance department to work with antifraud or whatnot. It could be marketing as well. Social engineers would probably make great marketers. And non-technical C levels as well. 

Kevin Magee: So I think there's an opportunity to really start seeding other aspects of the businesses out there, organizations out there, with cybersecurity technology because that will start to implant from the top that security is important, security matters, which I think will start to pull in more people into the security industry. That's my hypothesis, anyways. 

Dave Bittner: I think it's fascinating. I mean, a couple things come to mind. First of all, I can imagine the folks who are out there trying to hire cybersecurity people might push back and say, are you crazy? Like, we have enough trouble getting people to fill these jobs now, and you want to send them off to other departments? 

Kevin Magee: Well, one thing - a lot of us have been in the industry for quite a long time, so I think we're taking up a lot of the top jobs at the - you know, really, at the top of some of the management pyramids. So if we can move into other roles and start to add value and create impact in other areas of the business, that gives a chance for up-and-coming leadership to really to move up the ranks as well, too, again, creating more demand 'cause that's one of the challenges I've heard from a lot of folks in the industry, is that once you get in, it's hard to really move up and accelerate because there's sort of old-timers like me that are kicking around still because we still like our work as well. 

Kevin Magee: But what really sparked it to me was - I was talking to an automotive executive, and we were talking about building out cybersecurity expertise in the plants and different ways to do that, and I thought, wouldn't it be great if you could just have, you know, someone from the cybersecurity team come out and job-shadow or see what it's like to work on the line or really get immersed in that and even then move someone from a cybersecurity team into plant management or whatnot? And we started to explore that topic, and that's what really got me thinking about this. How can we really approach the problem differently? 

Dave Bittner: What about issues of pay disparity? I mean, there's a - you know, there's - cybersecurity professionals, there's generally a premium assigned with those. Would we have to deal with something like that? You know, you're moving into a position that may not be as lucrative as the one you have now. 

Kevin Magee: Sure. You know, pay is always what motivates people in cybersecurity. I know it's certainly, you know, one aspect of it. But a lot of people get into cybersecurity because they like challenges; they like puzzles. So having new opportunities to explore new aspects of the business or whatnot can really make a difference. And some of the insights we can provide - we can still be cybersecurity professionals but within a different part of the business. I actually joined recently a board of - an automotive industry board and, you know, was really interested - why would you want me to sit on the board? Well, we talked about sort of my perspective and my unbiased views of thinking and how I can really enhance the decision-making process across the board. 

Kevin Magee: So to give an example, they asked me if - you know, if I told you I thought cars are going to look like iPhones more in the future, you know, what changes do you think that will bring to our industry? I started asking questions like, will I actually even own the car, or do I just get a subsidized car hardware and then subscribe to a multiyear service? What happens when I open the hood? Will it void the warranty? If I install unauthorized party - third-party software or parts, will that affect my insurance, or will I have some sort of legal liability if the car is jail-broken, if I'm in an accident? Again, we bring a different thought process or a different set of thinking to other areas of the business that can be of immense value. 

Dave Bittner: Yeah, that's a really interesting insight. I mean, I think about - you know, people talk about this notion of spreading the cybersecurity mindset throughout the organization, and it seems to me like this is a way to do that, to get people in doing those jobs who come to it with that mindset already built in. 

Kevin Magee: Yeah, and even just - what are the sort of attacks that could be used, you know, with, say, the automotive industry? You know, some of the things that come to mind - what if you could create traffic jams as a physical DDoS threat vector by bricking cars or using botnets on autonomous cars? These are things that the auto industry is probably not thinking about because they're so immersed. They have, you know, 20, 30 years of history of thinking about what a car is. I don't have that. I can barely lift the hood of my car to get the wiper fluid in. 

Dave Bittner: (Laughter). 

Kevin Magee: So I'm not encumbered with all of those sort of paradigms of what a car is and whatnot. I can look at it from a completely different perspective. So I think we have so much to offer other areas of the business, would love to find ways to explore this in the future. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the closest thing to a perfect shave. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team Is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.