The CyberWire Daily Podcast 9.14.20
Ep 1172 | 9.14.20

Turning good words into bad. Crooks push those exploits through aging software while they still can. A big OSINT DB out of Shenzehn. TikTok’s fate grows narrower but murkier. Wildfire misinformation.


Dave Bittner: Social engineers use text from legitimate recent warnings. Cybercrooks go for whatever they can get from software about to reach the end of its life. A big database filled with individual information is leaked from a Chinese government contractor. In the race to do whatever it is U.S. companies hope to do with TikTok, Microsoft is apparently out, but Oracle is apparently in. Rick Howard looks at red versus blue. Our guest is Colby Prior, infrastructure engineer for AusCERT on running honeypots. And the FBI wants you to know, contrary to what you may have seen online, that Oregon wildfires are not extremist arson.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 14, 2020. 

Dave Bittner: A couple of stories illustrate the ways in which cybercrime continues to be a lagging indicator of vulnerabilities. The first deals with phishing over Twitter using old communications to lend plausibility to the phish bait. You'll recall the mid-July case in which some high-profile Twitter accounts were briefly hijacked by allegedly some misguided youths interested in, among other things, noodling original gangsta accounts. That incident has spawned predictable copycats that have nothing to do with the original hackers. The text of the warning Twitter distributed after the July 15 hijacking of high-profile accounts is being repurposed, HackRead reports, into bogus Tweets containing malicious links. The text in question reads, quote, "we detected what we believed to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," end quote. That sounds legit because, after all, it was legit coming directly from Twitter just two months ago. But, of course, the verify your account link that follows might put you on your guard, as it should. The link will direct the unwary to a site designed to harvest credentials and other personal information. 

Dave Bittner: The other story has to do with malvertising and the criminal disposition to get the most out of near end-of-life software before such software finally crosses its virtual River Styx. Users of adult sites who navigate there with Internet Explorer 11 and view content with Adobe Flash Player are being served malvertising. Malwarebytes has described a group called Malsmoke, which ZDNet says has operated on a scale far above similar other cybercrime operations and has abused practically all adult ad networks. The malvertising redirects users to a site that hosts an exploit kit designed to use vulnerabilities in Adobe Flash Player or Internet Explorer to install malware on the device belonging to whoever was looking for this particular kind of action. The payloads most commonly served up have been Smoke Loader, Raccoon Stealer and ZLoader. Ars Technica, in noting that the aging systems are being used to infect site visitors with various forms of spyware and information stealers, manages to suggest that the real shameful secret here is that visitors to the sort of online naughtiness recently liked by the Twitter account formerly belonging to the Chinese ambassador to the Court of St. James are - well, it's hard to say this, but they're using an aging version of Internet Explorer. Don't tell their families, friends or colleagues. 

Dave Bittner: The Australian Broadcasting Corporation has obtained what appears to be a leaked database showing individuals against whom Chinese intelligence services is developing detailed target profiles. Some 24 million people are on a list maintained by Shenzhen-based Zhenhua Data, believed to be a Ministry of State Security contractor. The Washington Post's account of the database focuses on collection of social media posts and other open source intelligence on U.S. military, diplomatic and government personnel. The Post puts the take at some 2 million individuals, an order of magnitude less than ABC's tally, but then The Post may be counting only the Americans who were targets. ABC explicitly calls out all Five Eyes - Australia, Canada, New Zealand, the United Kingdom and the United States - as well as Malaysia as figuring among the countries targeted. The database is called The OKIDB for Overseas Key Information Database, and it claims to offer insight into the individuals who figure in it, as well as information about their families. That's chilling, but that's espionage. It's not the first time China has collected against friends and family. One of the less commonly remarked features of the 2013 and 2014 compromises of the U.S. Office of Personnel Management Data was the extent to which Chinese theft of Standard Forms 86 - completed questionnaires people with U.S. security clearances have to fill out - also revealed information about family members, friends, colleagues and neighbors. So it's not too surprising that the OKIDB would exhibit a similar pattern of collection. 

Dave Bittner: The Post observes that the material may be relatively old and that it's not entirely clear that it's being used by the Ministry of State Security but that, in any case, Zhenhua Data calls itself a patriotic company and numbers Chinese military and government agencies among its customers. Zhenhua Data's product may be an aspirational one they hope to sell or it may be in use. In any case, several lessons might be reasonably drawn from the reports. First, intelligence collection very often outruns immediate needs. When it comes to information, well, after all, you never know or such at least is a common mindset among the spooks. Second, a lot of good information can be had from open sources. Just because it's inexpensive doesn't mean it's not valuable. Value isn't the same thing as cost. Third, there is a kind of convergence of OSINT with market research. A lot of the data gathered by Zhenhua might well be collected by a marketing firm interested in targeting ads. 

Dave Bittner: Microsoft announced yesterday that ByteDance had turned down Redmond's offer to buy TikTok's U.S. operations. Oracle is the apparent winner in the competition for some form of control over TikTok in the U.S. But such control would appear to be more along the lines of a partnership structured to allay U.S. security concerns than it would be an outright purchase, according to The Wall Street Journal. Computing says that ByteDance has no interest in selling the social media platform. The Committee on Foreign Investment in the United States will now review the proposed trusted tech partnership to see if it meets the requirements of the relevant executive order. In any case, algorithms sold separately, as they might say in a TV commercial for the deal. 

Dave Bittner: And finally, the FBI said last Friday that it had investigated reports that Oregon wildfires had been set by extremists and determined them to be completely unfounded. Wildfires are endemic on the Pacific coast, and while this year's round has been unusually unpleasant, there's no evidence that the fires have been deliberately set. While scare stories in circulation have imputed the arson that wasn't to all varieties of extremists left, right and center, a preponderance of misinformed suspicion has been directed toward antifa, possibly because of the leftist group's alleged involvement in incendiarism during some urban rioting. But, again, that's urban and on a smaller Molotov cocktail scale than a coastal wildfire would be. Gizmodo reports that Facebook, where much of the misinformation has landed, began taking measures Friday to stop the spread of this particular rumor. 

Dave Bittner: And it is my pleasure to welcome back to the show the CyberWire's chief analyst and also chief security officer, Rick Howard. Rick, always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: On this week's edition of "CSO Perspectives," you are tackling red teams and blue team operations. There is a lot to get into with that topic. How are you coming at it? 

Rick Howard: Well, I have to admit that, you know, pundits like me and, you know, practitioners like CISOs and things and network defenders, we throw a lot of terms around about red teaming and penetration testing, and they all kind of merge and mingle, and they're not the same. So I thought it might be useful just to kind of go through the four of them. What do you think? 

Dave Bittner: Yeah. Sounds good. Let's do it. 

Rick Howard: All right. So penetration testing is really a team of folks in your organization whose sole goal is to find holes in your defensive posture. They're not trying to emulate any kind of adversary. They're just trying to see if you've patched everything or you're vulnerable to a specific kind of technique. So that is penetration testing. 

Dave Bittner: OK. 

Rick Howard: The difference between those teams and, say, a red team is that the red team is trying to emulate a known adversary campaign sequence. Like, I looked up on MITRE ATT&CK Framework today a cool one called Cobalt Spider, right? Those guys have 34 tactics, techniques and procedures that they use and four software packages. So our red team trying to emulate Cobalt Spider can only use those TTPs and software programs. And so - and the purpose is to make sure that you are protected against that attack campaign. 

Dave Bittner: Right. So if you're in a particular vertical and you know that there are some bad guys who are aiming at you, you can say, hey, we need to be protected against this type of adversary. 

Rick Howard: Right. And you know me. I'm a first principle thinker. I'm always trying to find ways to reduce the probability of material impact. And if you know that adversary like Cobalt Spider is coming after you, this is one way you can have more confidence that your defensive posture is working, right? 

Dave Bittner: OK. 

Rick Howard: All right. So blue team on the other side of that is your defensive folks. These are your day-to-day operational folks in the SOC, on your infosec team. They're the ones trying to defend your enterprise, right? And so that's kind of basic. Then the one that always gets kind of confused is the purple team. It's when you combine the red team operations trying to emulate Cobalt Spider with the blue team trying to detect that activity and prevent it from working. So it's kind of a OPFOR (ph) exercise, right? And it serves a couple of purposes. One is it helps you figure out if you're protected but also that kind of purple exercise trains your people on their incident response procedures and gives you in a way to train your newbies and maybe second-tier analysts about how cybersecurity really works. So it took me a while to figure all that out, but that's what I think it is. 

Dave Bittner: All right. So we got pentesters. We got red teamers, blue teamers, purple teamers. That's a lot of people. And... 


Dave Bittner: I mean, can I have a plaid team? Can I just combine them all? Can I save some - can I buy, like, one really talented guy or gal who can handle all this? I mean, how do organizations come at this when it comes to dialing it in in terms of funds and resources? 

Rick Howard: Yeah, it's a great question. I was talking to Tom Quinn about this very thing this week. He is the CISO for T. Rowe Price. And I sat him down at the hash table and asked him, if the red team and blue team operations were essential, do we need to spend all this money and resources to get that done? 

Tom Quinn: There is no doubt. I - you know, I look at the recent ransomware attacks, you know, that have made the news and what industry those companies are in and alike. And I wonder out loud how many of them had red team and blue team capabilities and investments in place. You know, there's a phrase called Cyber Poverty Line. If a company is unwilling or unable - right? - it could either - to make an investment in that space to have a red team in place or a blue team, I think part of this dialogue - right? - is like it may not matter. I mean, sometimes this feels like rarefied air when we're talking about things like red team and blue team because your local bank or your local credit union, they're not having that conversation. They're struggling with just getting their computers to work. 

Rick Howard: So the way I understand it is red team operations are the only way to know for sure if your network can withstand an attack against a specific adversary campaign. 

Dave Bittner: So what we're saying here is that red team and blue team operations are indeed essential. But if you're a smaller or medium-sized organization, then what do you do? I mean, is there - are there haves and have-nots? 

Rick Howard: Yeah. There absolutely is, and I'm not quite sure - I'm not convinced that red teaming is essential. Now, Tom thinks it is, and he's probably right. He's way smarter than I am, all right? 


Rick Howard: But they are absolutely another lever to pull to reduce the probability of a material attack. I do know that for most network defenders, red team and blue team operations are not the first lever they reach for, right? If I was doing it, I would prioritize resilience first, then zero trust, intrusion kill chain prevention, stuff like that. And then if I got all that working smoothly, I might go to red team, blue team operations. 

Dave Bittner: All right. Interesting stuff for sure. If you want to hear all about this, hear more about this, check out "CSO Perspectives." That is part of CyberWire Pro. Go to our website and check it out. Rick Howard, great talking to you. 

Rick Howard: Thank you, sir. 

Dave Bittner: The AusCERT to 2020 Cyber Security Conference kicks off this week with a variety of speakers, tutorials, workshops and networking events. The CyberWire is a media partner for the event. And joining us today is Colby Prior infrastructure engineer for AusCERT, with a preview of a presentation he'll be making at the conference on running honeypots. 

Colby Prior: So I'm covering three different honeypots in, like, the workshop of kind of getting people some hands-on experience of pretty different types of honeypots. One of the common ones that you always come across is Cowrie. It makes a lot of sense when you think about it. You know, you're opening up SSH, like a management interface, into your server. When people get in, you kind of give them this fake Bash shell (ph) to go and play around and do stuff and pull down malware and try to execute it. And you get a copy of all of that. So that's kind of like the honeypot as I think most people know it. I'm also teaching people about a web-based honeypot, which is SNARE and TANNER, which it's not really what you think about when you think about a honeypot, which is like a website which is, you know, pretending to be vulnerable to different kinds of attacks like SQL injection. And it will even go through and emulate that into, like, a local SQL, like, database and things like that. And the third one is a client-based honeypot, which is really starting to stretch the terms of what honeypot means, in my opinion, but it's all kind of based around things like Javascript. So in a client-based honeypot, the malicious code is executing on the client's machine. You're reaching out to a malicious website and you're pulling down that JavaScript. And, you know, most people's Web browsers will happily go and execute that, and you don't really know what it's going to do. And it's, like, a useful way of running it in a sandbox environment to kind of crack it open and find out what actually makes that malware tick. 

Dave Bittner: And the folks who attend this, what do you hope that they walk away with? What sort of things are you hoping to impart them with? 

Colby Prior: I guess if I think about from my first experience when I started to get a little bit hands on with honeypots and stuff like that is they were always a little bit intimidating to me. The idea of running this fully sandbox environment where you're letting malicious attackers into your network to do these things is very intimidating. But people have gone a long way to make running all this stuff really, really easy. And, you know, I don't want to say it's trivial, but it's a lot more approachable than what I thought it was originally. And that's the kind of thing that I want to show to people, that this is a thing that they can utilize. But, you know, it does take, like, a little bit of experience. 

Dave Bittner: When you get it up and running and you're able to observe what's going on and you see, you know, folks from out there in the world hitting that honeypot, I mean, it sounds to me like it must be gratifying. It must be kind of fun. 

Colby Prior: Oh, it's really fun (laughter). That's kind of like the easy bit, which I wasn't fully expecting myself of getting it up and running, seeing people coming in and doing - it'll be mostly just automated attacks and seeing the different, like, real-life attacks that they're performing is just really fun. Actually taking that into useful intelligence is kind of the hard part. 

Dave Bittner: That's Colby Prior from AusCERT. The AusCERT 2020 Cyber Security Conference runs throughout this week. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it wicks away moisture. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.