The CyberWire Daily Podcast 5.12.20
Ep 1086 | 5.12.20

Cyberwar looms in the Middle East? Hidden Cobra’s fangs described. Evasive Astaroth. Ransomware in Texas courts. COVID-19 espionage. Content moderation.

Dave Bittner: [00:00:04] Unattributed cyberattacks in an Iranian port prompt speculation that a broader cyberwar in the Middle East may be in the offing. CISA releases malware analysis reports on North Korea's HIDDEN COBRA. Astaroth malware grows more evasive, and it was already pretty good at hiding. Texas courts sustain a ransomware attack, COVID-19 espionage warnings are on the way. Twitter's misinformation warning system. Ben Yelin describes a Fourth Amendment case on automated license plate reader databases. Our guest is Brian Dye from Corelight on dealing with encrypted traffic without compromising privacy. And taking down "Plandemic's" trailer. 

Dave Bittner: [00:00:48]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at That's And we thank ThreatConnect for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:20]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 12, 2020. 

Dave Bittner: [00:02:29]  Iranian officials acknowledge that Shahid Rajaei, the port of Bandar Abbas, sustained a minor cyberattack last week. They characterize it as a failure, ZDNet reports, with only a few computers affected and operations of the port undisrupted. The authorities offered no specific attribution beyond saying that the attack had a foreign origin. Whether that foreign actor was a state, a hacktivist group or a criminal gang wasn't specified. The Jerusalem Post wonders if the Shahid Rajaei attack and the cyberattack on Israeli water systems, which the newspaper says caught the Israeli Cabinet by surprise, are harbingers of a wider cyberwar in the Middle East. 

Dave Bittner: [00:03:11]  CyberScoop reports that the US FBI and Department of Homeland Security this morning released malware analysis reports on tools used by North Korea's HIDDEN COBRA threat group. The Cybersecurity and Infrastructure Security Agency summarizes the three reports in an announcement posted to its site. 

Dave Bittner: [00:03:30]  Cisco Talos says that the Astaroth malware, which ZDNet notes has also been tracked by IBM, Cybereason and Microsoft, has improved its obfuscation and evasion capabilities, particularly with respect to its use of YouTube channel descriptions, to carry encoded and encrypted command and control communications. So far, Astaroth, spread principally through phishing campaigns, has been largely confined to Brazil, but that could change quickly. 

Dave Bittner: [00:04:00]  The Office of Court Administration, which provides IT services for Texas courts, has been hit by ransomware, according to The Hill. Their websites were taken offline after the attack, but courts are continuing business by other means. They're distributing documents by Dropbox, for example. Which strain of ransomware is involved hasn't been disclosed yet, but the courts say they're not paying the gangs no matter what. 

Dave Bittner: [00:04:26]  The Washington Post followed up yesterday's report in The New York Times and elsewhere that the US FBI and Department of Homeland Security were preparing a warning about Chinese espionage directed against COVID-19 vaccine and treatment research with news that such warnings will probably be out within a week or so and not within the few days originally expected. The Post notes that the warning is expected to focus on nontraditional actors - that is, students and researchers already in place at US research institutions who are or will be activated to collect information on vaccines and treatments. China's Foreign Ministry has preemptively denounced the warning. Zhao Lijian, the spokesman for the Chinese Foreign Ministry, said, quote, "We firmly oppose and fight all kinds of cyberattacks conducted by hackers. We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence," end quote. 

Dave Bittner: [00:05:26]  Given the threat the virus poses, it's unsurprising that intelligence services have actively collected information about its origins, effects, epidemiology and treatment. Russia, Iran and China are believed to have been particularly active in this regard, as has Vietnam, which FireEye says began collecting as early as January. Vietnam's interest has been focused largely on its Chinese neighbor. 

Dave Bittner: [00:05:52]  There's a bit of natural tension at play between the desire to encrypt data for privacy and security and the need to see into that data to ensure that bad guys or gals aren't taking advantage of that very use of encryption to help hide what they are up to. Brian Dye is chief product officer at Corelight, and he offers these insights. 

Brian Dye: [00:06:14]  We're definitely seeing a lot of encryption, which is good. Right? It gives a lot of security benefits, get a lot of privacy benefits. Most organizations that we see are in the 60 to 70% kind of encrypted traffic. And we find it's pretty interesting to think not just about the broad brush of how much is encrypted but about which flows are actually encrypted 'cause you've got a bunch of outbound content - right? - that in particular is going to have a lot of personal traffic that has an expectation of privacy, a bunch of inbound flows that you can choose to decrypt or not and then kind of internal or east-west flows where you have the choice to engineer invisibility. So you know, there's the broad stat, and then there's the - those three different kind of types of traffic that folks are really thinking about in many ways differently. 

Dave Bittner: [00:06:57]  How do you recommend folks approach those individual flows? Are there best practices here? 

Brian Dye: [00:07:03]  Best practices is a function of which geography you're in and kind of what compliance scheme you operate on. But I would definitely say... 

Dave Bittner: [00:07:09]  I see. 

Brian Dye: [00:07:09]  ...There's some design patterns, right? Outbound flows where folks have the expectation of privacy, those are generally not being decrypted for all sorts of reasons, especially if you're kind of in the EU in general. In areas where folks have the desire or the mandate to actually encrypt inbound, especially stuff aimed at their business systems, we're still seeing some of that. And then internal, I think, is becoming more and more encrypted, especially as folks think about zero trust. 

Dave Bittner: [00:07:36]  Do you find that there are any common misperceptions that people have when it comes to using encryption? 

Brian Dye: [00:07:43]  I think the most common one is the belief that encryption kind of puts this veil of blindness into the network. And as we've kind of talked about, that's really not the case. Right? You know, if you take a simple example like JA3 hashes, right. When folks first had encryption, we said, oh, wait - that's removing all this signal. So then, you know, folks like the Salesforce team came up with approaches like JA3, where you generate new signal into these encrypted environments. And then the cat-and-mouse game is continuing, right? 

Brian Dye: [00:08:12]  So we've seen some actions of attackers, for example, trying to hide from JA3 signatures by using pre-shared keys. Well, the trick is if you can actually find when pre-shared keys are being used - so essentially, an SSL instant encryption, right? Encryption communications are happening without an SSL handshake - now you've found the pre-shared keys. So now you've gone through the whole cycle of you have an insight mechanism, you have an evasion technique and you have a countermeasure. So that's kind of the oldest cat-and-mouse game in security, if you will. And it's absolutely continuing in the encryption world. 

Dave Bittner: [00:08:48]  And I suppose no sign of it slowing down. 

Brian Dye: [00:08:51]  No, we don't see that slowing down. It's kind of the fun yet terrifying kind of evergreen part of our world. And a lot of what we're trying to think about is, how do we help enable and connect different folks in the open source community that are doing some pretty thought-leading stuff here, right? 'Cause we definitely find that, you know, just like in the JA3 example, when you've got a couple of high-end defenders that are all seeing the same problem, just connecting the dots across them so they can work on it together, that has a lot of value before you talk about anything technical, right? Just helping us all build bridges so we can work together, that's the right starting point. 

Dave Bittner: [00:09:27]  That's Brian Dye from Corelight. 

Dave Bittner: [00:09:30]  Twitter has offered more information on its plan to label COVID-19 misinformation as such, Reuters reports. The labels will say, quote, "Some or all of the content shared in this tweet conflicts with guidance from public health experts regarding COVID-19," end quote. A learn more link will take users to some of that relevant expert guidance. In cases where Twitter judges the misinformation to be particularly risky, the social medium will display the warning before the user views the content. Confirmed misinformation will be labeled, as will certain disputed claims. 

Dave Bittner: [00:10:06]  It appears the false or disputed material will remain available, albeit flagged and linked to contrary views. And this is in keeping with the marketplace-of-ideas approach Twitter appears to have adopted. Twitter's public policy director Nick Pickles said, quote, "One of the differences in our approach here is that we're not waiting for a third party to have made a cast-iron decision one way or another. We're reflecting the debate rather than stating the outcome of a deliberation," end quote. This may be both a quicker and more permissive approach than other content moderation being mulled elsewhere. 

Dave Bittner: [00:10:41]  That more directive content moderation may be seen in the decisions by YouTube, Vimeo and Facebook to remove a trailer for a full-length film, "Plandemic," that pushes an anti-vaccine conspiracy theory about the origins of and response to the COVID-19 pandemic. The Washington Post reports that these platforms have decided the trailer, which at 26 minutes running time itself amounts to a short film, pushes misinformation likely to prove dangerous to those who follow its advice. 

Dave Bittner: [00:11:12]  YouTube says that its policy is to take down content that includes medically unsubstantiated diagnostic advice for COVID-19, like the "Plandemic" trailer. Facebook's rationale was more specific: "Suggesting that wearing a mask can make you sick could lead to imminent harm, so we're removing the video." Vimeo said it was "keeping our platform safe from content that spreads harmful and misleading health information. The video in question has been removed by our trust and safety team for violating these very policies." 

Dave Bittner: [00:11:45]  "Plandemic" features fringe scientist Dr. Judy Mikovits, who The Washington Post says has been associated with discredited research before. Among the film's claims is the assertion that the wealthy have deliberately worked to drive up infection rates in order to increase vaccination rates. Before it was taken down from Facebook at the end of last week, the "Plandemic" trailer had, Digital Trends reports, attracted 1.8 million views, including 17,000 comments and nearly 150,000 shares. And as usual, the hooey gets a head start on the straight dope. Or so the government hoods would have us believe...just kidding. 

Dave Bittner: [00:12:32]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit to learn more. That's And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:14:14]  And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security. Ben, always great to have you back. Interesting case you wanted to bring to our attention - this has to do with the automatic license plate readers, a topic we have touched on here before. What's the latest? 

Ben Yelin: [00:14:33]  Very interesting case that came out of the 9th Circuit over on the West Coast dealing with an automatic license plate reading system. So there was an individual who was seen committing a crime in a GMC Yukon. Investigators - law enforcement could not see the individual committing the crime. They just were able to get the make and model of the vehicle and traced it back through the license plate to a rental car company. Rental car company told the officers that this Yukon had been rented to an individual named Yang, but that individual had not returned the car on time. So the question in this case is whether this individual had a reasonable expectation of privacy in this vehicle given that he had violated the rental agreement and not returned the vehicle on time. Therefore, he did not have a valid property interest in that vehicle. 

Ben Yelin: [00:15:30]  The rental company tried to locate the vehicle using its company-owned GPS system. Mr. Yang had disabled that system. So after that had happened, the investigators put the license plate into this automated license plate reading system. It was picked up. They ended up arresting Yang and charging him with this crime. 

Ben Yelin: [00:15:52]  So Mr. Yang tried to suppress the search by saying that even though the rental agreement had expired and even though he was supposed to have turned in the rental car prior to when this crime had been committed, he still retained - he still had a reasonable expectation of privacy in that vehicle. And there has been some case law saying that just because a lease has expired, that does not automatically eliminate the lessee's privacy interests in that property. And that certainly... 

Dave Bittner: [00:16:22]  Help me understand here - before we move on... 

Ben Yelin: [00:16:24]  Sure. 

Dave Bittner: [00:16:24]  ...I mean, if I rent a car and in the course of me driving the car, I do something that catches the eye of law enforcement, well, are they typically allowed to go to the rental agency and say, who rented this car? 

Ben Yelin: [00:16:38]  So they would need a warrant to do that... 

Dave Bittner: [00:16:40]  OK. 

Ben Yelin: [00:16:41]  ...Because you as a lessee have an expectation of privacy in that vehicle. 

Dave Bittner: [00:16:46]  I see. 

Ben Yelin: [00:16:46]  And I mean, you've been granted a temporary - it's a license, but it's a temporary property interest in that vehicle. So you know, for that period during the rental agreement, law enforcement would have to seek a warrant. Here, they did not. They just went to the rental car company and were like, hey, can you guys help us out? And they, without obtaining a warrant, put this license plate into this automated license plate reading system and got ahead. 

Dave Bittner: [00:17:10]  I see. 

Ben Yelin: [00:17:11]  But they did so without getting judicial approval to conduct the search. So the past case law basically says eventually you lose your Fourth Amendment right to the rented property after the rental period has ended. Eventually is obviously, you know, a very vague term. We don't know if that's a few days, one week, several weeks. But just because that rental agreement has expired doesn't mean that your property interests have automatically been diminished. 

Ben Yelin: [00:17:40]  What the court is saying here is Mr. Yang did not have a reasonable expectation of privacy in the vehicle for a number of reasons. The first reason is there's no evidence that this rental car company had any policy or practice of allowing lessees to keep cars beyond the rental period, and the rental car company had made a bunch of attempts to repossess the vehicle. They tried to activate the GPS, so they were trying to assert their own property interest. So that's one element to the decision. Mr. Yang also argued that because of the Supreme Court decision United States v. Carpenter, a person has a privacy interest in the whole of his or her movements across locations. I know we've talked about that case a lot on... 

Dave Bittner: [00:18:25]  Yeah. 

Ben Yelin: [00:18:26]  ...This podcast and our "Caveat" podcast. The gist of the case is in order to obtain historical location information, the government has to have a warrant. And that's sort of what Mr. Yang was arguing here. 

Ben Yelin: [00:18:40]  So what the court here is saying as it relates to that Carpenter question is this search had not revealed the whole of Mr. Yang's physical movements. It was not tracking him from location to location. It just picked up his license plate on one particular instance. So Carpenter is not implied in this case. And because the rental agreement had expired, he no longer had a reasonable expectation in that piece of property. So the conviction for now is upheld, although you never know. It is possible that this case could make it up to the Supreme Court and we get more clarity on when a person loses their reasonable expectation of privacy as it relates to automatic license plate readers on rented vehicles. 

Dave Bittner: [00:19:25]  All right. That's an interesting one, for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:29]  Thank you. 

Dave Bittner: [00:19:35]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:53]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:05]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.