The CyberWire Daily Podcast 6.26.20
Ep 1118 | 6.26.20

Patch Exchange already, will ya? GoldenSpy lurks in tax software Chinese banks prefer their foreign clients to use. Magecart gets cleverer. Another unsecured AWS S3 bucket, and this one’s not funny.


Dave Bittner: Microsoft urges Exchange server patching. Sure, it does your taxes, but it's got another agenda, too - the GoldenSpy backdoor may be in your tax software if you do business in China. Magecart ups its game. DDoSecrets says they're not going to roll over for Twitter's Nixonian stick. Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center on the Share the Mic cyber event and why systemic racism is a threat to cybersecurity. Rick Howard wraps up Cybersecurity Canon Week with guests Richard Clarke and Robert Knake, authors of "The Fifth Domain." And there's another unsecured Amazon S3 bucket, and this exposure could present a serious risk to some people who've already had trouble enough.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 26, 2020.

Dave Bittner: Microsoft continues to urge users of its Exchange email servers to patch and bring them up to date. A known - and it's worth emphasizing - patched vulnerability, CVE-2020-0688, has been under active exploitation by nation-state intelligence services since April. As ZDNet asks, why would any intelligence service worthy of its trenchcoats - we paraphrase and mix many metaphors - burn a zero-day when they could just waltz in through a known hole?

Dave Bittner: Here's a rundown of what you might be in for if you use Exchange and figure, hey, patch, smatch, I've got other things to do.

Dave Bittner: First, the older versions of Exchange didn't create a unique crypto key for the control panel, which means that those versions used identical validation and decryption keys in their control panel's backend. Malformed requests to the Exchange control panel containing malicious serialized data can be unserialized, enabling the malicious code to run on a server's backend. And that code runs with system privileges, which lets attackers do pretty much whatever they want. So take a minute, spend a buck and patch Exchange. 

Dave Bittner: Security firm Trustwave says it's found a new malware family, GoldenSpy, embedded in tax software that companies doing business in China have been required by their Chinese bank to install. It does the taxes; it also opens a system-level backdoor. 

Dave Bittner: Trustwave found the malware in the course of doing some threat hunting for a client that had recently opened some offices in China. Their local bank had required them to install a software package, Intelligent Tax, produced by the Golden Tax Department of Aisino Corporation. Here's some of the suspicious behavior that led Trustwave to classify GoldenSpy as malware. 

Dave Bittner: First, it installs two identical versions of itself, both as persistent autostart systems. If one stops running, its twin starts. And if one is deleted, the twin promptly downloads another copy. 

Dave Bittner: Second, while there's an uninstall option for Intelligent Tax that actually does uninstall Intelligent Tax, that option leaves GoldenSpy untouched, even after Intelligent Tax is nothing more than a memory. 

Dave Bittner: Third, GoldenSpy isn't downloaded and installed at the same time as Intelligent Tax. It waits two hours and then quietly downloads and installs itself without presenting any notification on the affected system. There's no obvious purpose for such a delayed no-notice installation other than a desire to escape the target's attention, to fly under the radar. 

Dave Bittner: Fourth, when GoldenSpy talks, it doesn't talk to the Intelligent Tax network infrastructure; instead, it chatters to a domain that hosts other variants of GoldenSpy. It makes three attempts to contact its command-and-control server and then randomizes its beaconing times. As Trustwave points out, that's a known way of steering clear of detection by security technologies installed to detect beaconing malware. 

Dave Bittner: Finally and most damningly, GoldenSpy operates with system-level privileges, which means it could be used to do, well, practically anything - install new malware, prepare reconnaissance, escalate privileges, create new users and so on. 

Dave Bittner: So sure, Intelligent Tax will do your taxes, but GoldenSpy is the kind of gravy you probably don't want slathered over your enterprise. Ask your bank exactly why they insist on this particular software. 

Dave Bittner: We note in passing that tax preparation software has carried some bad mojo in the past. It's an unrelated incident, but do recall that M.E.Doc, a tax prep solution widely used in Ukraine, was compromised to serve as the vector of NotPetya. Accountants, look to your tools.

Dave Bittner: A Malwarebytes report describes how Magecart operators have improved their game. The paycard skimming malware is now being hidden in EXIF metadata of image files. There are several criminal gangs known to use Magecart. This particular upgrade appears to be the work of Magecart Group 9.

Dave Bittner: The extortionists who compromised Indiabulls have made good on their threat to begin releasing data if the company didn't pay the ransom. The Hindustan Times reports that the first tranche of company information has been leaked.

Dave Bittner: Where do vulnerabilities come from? Mostly, according to Snyk's study of open-source software security, from indirect dependencies.

Dave Bittner: Twitter may have banned DDoSecrets after the BlueLeaks information dump. But DDoSecrets rejects what they call the social platform's unexpectedly Nixonian move. And the group tells WIRED they'll be looking for other venues in which to post whatever they come up with in the future. 

Dave Bittner: And finally, researchers at vpnMentor have discovered another unsecured database. And this one is particularly nasty in its potential implications. A domestic-violence-prevention app, Aspire News App, was built with what seemed to be intelligent good intentions by a US Georgia-based not-for-profit called When Georgia Smiled. The idea was to provide emergency services for victims of domestic abuse. Those included not only a help section with links to various resources, but also a function that enabled users to send emergency distress messages to a trusted contact person. The app looks like an ordinary news app, presumably the better to escape the notice of an abuser should the abuser paw through the victim's phone. Among the ways that distress signal could be sent is a voice recording that gives the victim's details, home address, the nature of their emergency, and their current location. There were some 4,000 voice recordings left accessible to the Internet on a misconfigured AWS S3 bucket. TechCrunch independently verified the data exposure and noted that When Georgia Smiled - the not-for-profit behind the Aspire News App - was founded, backed and promoted by Robin McGraw and her husband, Dr. Phil McGraw. When Georgia Smiled secured the S3 bucket on June 24 - the same day both vpnMentor and Amazon Web Services told them about it. 

Dave Bittner: Neither CBS nor the Dr. Phil Foundation responded to TechCrunch's requests for comment. How one would disclose this data exposure to users without further endangering them is a touchy question, because the usual forms of notification could easily place these users at risk. TechCrunch wrote, given the sensitivity of the data, we did not reach out to app users for fear that it would compromise their safety. Instead, they downloaded the app themselves, recorded a short snippet, and found that indeed it was out there in the cloud for those who might be looking to find it. As Dr. Phil has said, there are some sick people in this world, and let's all be careful that we don't inadvertently abet them. 

Dave Bittner: All week our own Rick Howard has been interviewing the winners of this year's Cybersecurity Canon awards, which recognize the must-read books in the cybersecurity space. This last interview is special. Not only are the authors getting inducted, but they've also been selected as Lifetime Achievement authors. The book is "The Fifth Domain" and the authors are Richard Clarke and Robert Knake. Richard Clarke gets us started. 

Richard Clarke: Thank you. We wrote the two books about nine or 10 years apart. And the first book was a great success. Widely read and widely criticized. At the time - when they came out - criticized as being too alarmist. And the reason we wrote the second one 10 years on - and I think Rob would agree with this - is that 10 years on it doesn't seem alarmist at all. Ten years on, most of what we said would happen has happened. Cyberwar is a regular way of life. It is a regular phenomenon. Nation-states have cyber commands. They attack critical infrastructure. All of that came true. So we wrote the book to say none other than none now. We were right. 

Rick Howard: (Laughter) It's always good to be able to do that. 

Richard Clarke: But also to confess that we were wrong because we said, then, no company can defend itself successfully. And I think what we document in "The Fifth Domain" is that some companies are successfully defending themselves. And we wanted to describe what those companies were doing that other companies were not. 

Rick Howard: So, Robert, let's get you in here. You guys published the book last summer. How has the feedback been? What are you getting from all your peers? 

Robert Knake: I think it's been really good. I think it's the book that many of my colleagues in government wanted to write. That it sort of captured a lot of the thinking - and I try and credit as many of them as we can both directly and in the acknowledgments - sort of the thinking on what we were trying to do during the Obama years in terms of moving cybersecurity forward. And having a vision for spreading the message that cybersecurity is actually possible. That the defeatist attitude that many take in the field wasn't helping. And that the ideas of active defense, of threat hunting, of using the kill chain - that these are models that can actually defeat even the best adversaries, even the most tenacious adversaries. And so I think it captured a lot of what many people were saying, yes, you know, this is the moment. And what we need now isn't necessarily to reinvent all the technologies in the stack. We need to acknowledge that what we need is motivation, investment, incentives. And if we can get those things right, we can get on a cycle of perpetually improving cybersecurity and stay one step ahead of our adversaries. And so I think it's generally been very positively received in the peer community. 

Rick Howard: It was definitely well received by the Canon committee. We all loved it. About half of us read it, and couldn't wait to get it on the Hall of Fame list. And I could literally spend the next seven hours talking to you guys about all the things you mentioned in the book. But we are here because of the pandemic. And this interview is a proxy for your acceptance speech of the Canon Hall Of Fame award, the Lifetime Achievement Award. So, Dick, any last words you want to say along those lines, and then we'll go to Robert. 

Richard Clarke: Well, Lifetime Achievement Awards are usually given to somebody my age, so I don't know why Rob's getting one. 


Richard Clarke: But I'll say this. Thank you. It's meaningful for both of us. It's meaningful to get the recognition. I think what we stand for is our history, Rob's history and mine. We both worked in the White House on policy. We both worked in the private sector both with cybersecurity companies and with companies that buy those products. And what we took away from all that experience is it takes a partnership of all of those, the cybersecurity companies, the companies that need to be defended, and most importantly, the government. And let's hope that next year, we have a government that will get back into the business at the policy level. 

Rick Howard: Robert, how about you? 

Robert Knake: Well, I think for me it's just a tremendous honor to be recognized along with Dick and with all the other inductees into the Hall of Fame. It's an incredible group of experts and practitioners. And so I'm just honored to have my name included with them. 

Rick Howard: So the two books are "The Fifth Domain" and "Cyber War: The Next Threat to National Security and What to Do About It." And now these two authors are officially inducted into the Cybersecurity Hall of Fame as lifetime achievers. So congratulations, you guys. And thanks for being on the show. 

Dave Bittner: That was the CyberWire's Rick Howard speaking with authors Richard Clarke and Robert Knake. The book is "The Fifth Domain." Be sure to check out all of the winners of this year's Cybersecurity Canon Awards. You can find them online. Just do a search for cybersecurity Canon. 

Dave Bittner: It's my pleasure to welcome to the show Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center. We're going to be talking about ways in which voices not always heard in the security community and the business sector that support it might be better heard. They're both involved with the Share the Mic in Cyber event, which they hope will address some of the systematic oversights that can persist undetected. 

Camille Stewart: I saw the Share the Mic Now campaign on Instagram, and Lauren saw it as well. And I sent out a tweet. I just was excited about this movement to create space and elevate voices in different spaces. And so I put out a tweet asking folks if they would be interested in seeing this happen in cybersecurity and national security. And Lauren quickly responded and said she'd been thinking of the same thing, had actually reached out to another colleague to explore the idea. And we connected offline and decided to bring Share the Mic in Cyber to the cybersecurity community. 

Dave Bittner: And so Lauren, what are you hoping to get out of this? At the end of the day, what do you want people to walk away with? 

Lauren Zabierek: I would love for two things to come out of this. So first, I really want the community to come together. I'll be honest, I was not really aware of all the different practitioners within the cyber community. And just reviewing everybody's profile, I've been so blown away by everyone. So to be able to bring people together and perhaps get those people to a different platform and, you know, perhaps even give them, you know, more opportunities, I think, would be incredible. So bring the community together and then providing that platform for people. And who knows? Maybe something amazing can come out of it. 

Dave Bittner: Camille, what are your thoughts on that? 

Camille Stewart: So both of those things. I hope this is a catalyst. I hope that what we see from this is not just a connection between two people for a day on Twitter or LinkedIn. I hope we see this be the start of a relationship between the pairs. The start of our audience - everyone who's been engaged in the campaign, following new voices. I hope it yields career changes and opportunities. And I just hope it catalyzes consciousness in our community, in our sector about race issues about the fact that, yes, there is a pipeline issue. But there are already a number of really talented folks - Black folks of all races, and walks of life, and sexual orientations, et cetera who are already working in this space and could benefit from platform. Could benefit from, you know, connections, new job opportunities - all the things that help us all move forward in our careers. And so I hope this yields folks being a little bit more intentional about how they engage and how they build out their networks. 

Dave Bittner: So I want to switch gears here and talk about your recent article that was published by the Council on Foreign Relations and it's titled "Systemic Racism is a Cybersecurity Threat." Camille, what prompted you to write the article? 

Camille Stewart: So in the wake of George Floyd, Ahmaud Arbery, Breonna Taylor and all the other Black Americans being killed, I - like many of us - had a strong emotional reaction but also a strong intellectual reaction. I have long talked about the intersection of race and misinformation, disinformation and long understood how systemic racism, overt racism and race weave into foreign policy and national security and carry that with me in the work I do and talk to a lot of folks about that work. But I had never quite articulated it in the cybersecurity space, although I was doing that work. I felt like it was important to make that connection for people. 

Camille Stewart: So for the people who felt like this was a social issue or a domestic issue separated from national security issues or even if they understood, intellectually, that maybe it was a national security issue that maybe didn't think it was a technical issue or a cybersecurity issue, I wanted to make that direct connection for folks and start to pull out areas beyond just misinformation, disinformation because I think that is probably one of the few places folks recognize it - that and workforce - that cybersecurity is truly a threat to any mitigation we could put in place and how we mobilize technology in our society. 

Dave Bittner: What's your hope coming out of this? If we're able to take advantage of this moment to use it as a catalyst for positive change, how do you hope things will be different or better in the future? 

Camille Stewart: The most ambitious me hopes we dismantle systemic racism. The more pragmatic me is hoping that we have an industry, just a workforce in general that is more conscious of how systemic racism interacts with their work and is more action-oriented in being anti-racist, not just not being racist but being anti-racist. So being an active advocate for your peers, being thoughtful and intentional about how you include diverse voices and build teams, about thinking about how you recruit talent and how different experiences might yield a similar or complementary result but may not translate in the same way as you're used to on paper, how people, you know, ingest information and then reflect that back to you, just being more open to the differences in the lived experiences of folks who are in your space and how you can be an advocate for them, how you can help amplify them, how you can give them a platform to do the thing that they already wanted to do. 

Camille Stewart: And, you know, one big thing is just because it's not something that's affecting you, but if you hear your colleagues say this system, this program, this event, et cetera has these disparate outcomes or is offensive, stand with your colleague, right? It might not be happening to you. But, obviously, it's important for them to bring it up. Your colleagues who are othered in some way, whether they're a minority or have a different sexual orientation, et cetera, don't bring things up that intersect with that lightly. So for them to say I'm underleveled because I'm X or this program is offensive because of Y, that took a lot for them to say it. And you should listen to that. 

Dave Bittner: Our thanks to Camille Stewart from Google and Lauren Zabierek from Harvard's Belfer Center for joining us. There is much more to my conversation with Camille Stewart and Lauren Zabierek. We'll have a complete version of our interview here in our CyberWire podcast feed. If you're on Twitter, check out #sharethemicincyber. I'm pleased to have been a part of this event today. You can find my Twitter account @Bittner. I shared my account with Brandon Robinson. He's a senior sales engineer at Proofpoint. Camille Stewart's article at the Council on Foreign Relations is titled "Systemic Racism is a Cybersecurity Threat." Do check it out. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to tune in this weekend for Research Saturday. I'm speaking with Eric Cornelius from BlackBerry on the "Decade of RATs" report. We'll be looking into some Chinese APT groups that are targeting enterprises with remote workers. That's Research Saturday. Don't miss it. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.