The CyberWire Daily Podcast 11.8.17
Ep 472 | 11.8.17

Fancy Bear's new moves. OceanLotus and Sowbug cyber espionage groups active. Notes from CyCon, and a look at industry news.


Dave Bittner: [00:00:00:07] Thanks again to all of our supporters on Patreon. You can find out how to become a supporter by visiting

Dave Bittner: [00:00:11:01] Fancy Bear has some new dance steps. OceanLotus and Sowbug snoop on ASEAN and Latin America, respectively. Notes on international law and the future of cyberwar from CyCon. And Appleby insists the Paradise Papers were not an inside job.

Dave Bittner: [00:00:31:23] Here's a quick note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction, and not even very plausible science fiction. The artificial intelligence and machine learning that E8 is talking about, though, isn't science fiction at all. They're here today, and E8's white paper, available at, can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding, and information into meaning. AI and machine learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:27:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 8th, 2017.

Dave Bittner: [00:01:37:20] Some industry news today, briefly, before we get to the cloak-and-keyboard stuff. Fallout from NotPetya continues to descend on earnings. The latest victim to report that the June pseudoransomware campaign continues to inflict financial pain is the shipping giant Maersk, which is estimating NotPetya losses at somewhere north of $300 million. We're likely to hear more such reports from other companies as they continue their return to normal operations.

Dave Bittner: [00:02:06:24] There's less unpleasant industry news as well. The New York Times reported, in an exclusive, that Prague-based anti-virus firm Avast is preparing for an IPO that could be priced in the billions. In other business news, security firm Proofpoint is a buyer. It's announced its purchase of Cloudmark for a reported $110 million.

Dave Bittner: [00:02:27:22] Cloudmark isn't the only acquisition target. US private equity firm Warburg Pincus is said to have increased its 21% stake in Israeli cybersecurity shop Cyren to a controlling 75%. Warburg Pincus invested $19.6 million in Cyren to acquire its current fraction of ownership.

Dave Bittner: [00:02:48:07] And container security company NeuVector announces that it's raised $7 million, which it intends to use to build up engineering and sales operations.

Dave Bittner: [00:02:58:10] Misconfigured AWS S3 buckets continue to make trouble. Accenture recently narrowly escaped what observers believe might have been a significant breach. Amazon is trying to give its AWS customers easier ways of avoiding missteps in the cloud. The cloud provider has moved to add encryption by default to customers' S3 buckets.

Dave Bittner: [00:03:20:06] The SINET showcase event is taking place in Washington DC today and tomorrow, highlighting the SINET16 innovation awards, presented to the companies SINET's panel of judges deems the most innovative and compelling. Robert Rodriguez is the Chairman and Founder of SINET, and I asked him to describe some of the trends he's seeing in cyber security.

Robert Rodriguez: [00:03:40:23] We've moved from a prevention and detection environment. We still do that of course, but we're more into response, incident response. The big word today: resilience. That's what boards of directors and CEOs want to know. When we get hits, what does that mean to our resiliency? When can we be back up, how do we know my shareholder value loss, brand reputations, tangible and intangible? The other area that I think is interesting is the orchestration and automation. That's an area that we need to go to, and more companies are in that space. There's also an increase of companies in the deception space that is trending. However, when I talk to CISOs, I ask them, is it a nice to have or a need to have? And what I get from them is it's important, but it's a nice to have. And that doesn't mean that that's correct and accurate, but that's the feedback I've received from some of the CISOs that I know.

Robert Rodriguez: [00:04:41:10] I think also in terms of trends, let's talk about cultural trends in the marketplace. I think this is really important, because we're in cyber security and there's a lot of risk out there, and there have been a lot of attacks on Equifax and Target and Home Depot and OPM over the years. The problem doesn't seem to be going away any time soon. I would say that the buyers, the CISOs, have been harder to get to by the companies, and I'm getting feedback from the companies that they want to start building more purpose-driven types of events, that they focus on building really trust-based relationships with the CISOs. They do it off site, focused on a thought leadership discussion, not a pitch of the technology or solution that the company has. Whether it's in orchestration, or whether it's incident response, they want to start doing these kinds of things, and maybe some private off-site networking and dinners, because it's only about the relationships.

Robert Rodriguez: [00:05:46:06] And it's building, not just relationships, but trust-based relationships. That's one of the things I'm hearing from the companies, and part of the challenge is for the CISO, whether they're industry or government, they're in high demand. And when anything's in high demand, sometimes you can be reclusive, because the noise is so great, what's out there that really makes sense. And also, everybody wants it. I mean, the vendors want them, the venture capitalists want them to introduce to their portfolio companies, the event people want them to speak, when they go to Gartner, RSA, a lot of people want them to go to their dinners, and so they get pulled in different directions, and it just makes it harder to get to them.

Robert Rodriguez: [00:06:28:20] I think the word that corporate users today, building purpose-driven companies that needs to go down to the entrepreneur in defining a very strong mission, a strong sense of purpose, a strong sense of culture that we're all in here together. We're here to help the CISOs that are protecting the brand and reputation and critical infrastructure of the respective entities, and really listen to what their challenges are, what their problems are, and go into it as a team. Of course I want them to succeed with the sales, but I think sales need to come second, behind the relationship. And if they do that, I think they'll have greater success.

Dave Bittner: [00:07:09:21] That's Robert Rodriguez from SINET. The SINET showcase event is in Washington DC today and tomorrow at the National Press Club. We'll have more coverage of the event tomorrow.

Dave Bittner: [00:07:19:23] There's more news today about cyber espionage, and we turn to three spy stories.

Dave Bittner: [00:07:26:01] There wasn't much barking heard from Moscow dogs in yesterday's US off-year elections, at least not so far. But the Russian organs haven't been idle, either. McAfee notes that Fancy Bear (and if you're keeping score at home, unofficially that's Russia's GRU, the military intelligence agency), after having phished CyCon with little evident success, continues to tune its activities. It's seeking to take advantage of a recently demonstrated Microsoft Office vulnerability (the Dynamic Data Exchange can be exploited to install malware), and it's baiting its phish hooks with fears surrounding the recent terror attack in New York City.

Dave Bittner: [00:08:05:03] At least two other active espionage campaigns are in progress. Volexity is tracking a Vietnamese threat group the company says is running an ongoing cyberespionage campaign against ASEAN neighbors. The researchers are coy about attributing the activity to any nation-state, but the group's interests appear to coincide with those of Vietnam's government. The threat actors are being identified with APT32, also known as OceanLotus, which FireEye described in May. APT32 is currently engaged in surveillance of ASEAN meetings convened in Manila.

Dave Bittner: [00:08:41:20] Symantec researchers find that the espionage group "Sowbug," known since 2015, is still quietly active with its Felismus malware. Sowbug's targets have principally been in Latin America, but it's recently expanded its interests to include Asia. It looks like nation-state sponsored activity with an interest in diplomatic intelligence, but which nation might be running Sowbug is unknown. The targets are unusual in that Latin America is heavily overrepresented. Most such campaigns have shown more interest in Western European and North American targets.

Dave Bittner: [00:09:17:21] And while we're thinking of espionage and nation-state conflict, it's worth turning to the CyCon conference that's meeting in Washington, DC. Yesterday's sessions included an interesting panel on the Tallinn Manual and international law as it affects cyber operations. The panelists, many of whom had been involved in preparing Tallinn 2.0, stressed a commonly overlooked fact about this NATO publication on cyber conflict. It was developed to expound lex lata, the law as it stands, and not lex ferenda, the law as it ought to be. They saw this as essential to the manual's credibility. There was one significant area of dispute, and that was over sovereignty, how it's to be interpreted, how it informs permissible activity under international law, and how it interacts with a requirement for due diligence.

Dave Bittner: [00:10:07:08] This morning an international law expert, Dentons' Peter Stockburger, picked up some of the themes addressed by the Tallinn panel. In particular he was interested in the ways in which international law surrounding attribution of cyberattacks has been evolving. Since customary practice is one of the sources of international law, Stockburger said it was worth keeping an eye on how formal attribution of attacks has developed over the last few years. The test for attribution has been, since the 1990s at least, the "Effective Control Test." That is, you could attribute a third-party attack to a nation-state only if that state could be shown to be in effective control of the third party. Support, even funding, would be insufficient. But now, especially since the US attributed the 2014 Sony hack to North Korea, there's been a movement, in practice, away from Effective Control to a new, less stringent test, "Control and Capabilities." Thus we now cite similar malware, IP addresses, common tactics, and other more circumstantial matters when we attribute a cyberattack to a state. This is a relatively new and not fully appreciated development, Stockburger argued.

Dave Bittner: [00:11:19:10] New America's Peter Singer, who delivered the morning keynote, was in fine, full, futurist fig, giving the symposiasts much to think about concerning the ways in which emerging technologies like robotics, artificial intelligence, big data, and even human enhancements, are going to change the way militaries organize, recruit, train, and fight. They're going to be bigger than the steam engine, bigger than the airplane, bigger than the computer itself. We'll have more on his talk, and other presentations at CyCon, later this week.

Dave Bittner: [00:11:49:08] And leaving CyCon to return to the world of crime, in case you were wondering, Appleby, the Bermuda off-shore specialist law firm, says it was hacked, and that it wasn't an inside job. Some outsider got in to steal and leak the Paradise Papers. There's still no word on who the hackers were or how they got in. It's also unclear that the leaks reveal any illegal activity, but consensus remains that the optics are bad for those mentioned in dispatches. It's striking to see the way Appleby continues to insist that the leaks are the fruit of criminal hacking, and that the law firm is the victim here. And legally, it's hard to disagree with them.

Dave Bittner: [00:12:31:06] Now I'd like to tell you about a new white paper from our sponsor Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the white paper, "Understanding the Challenges of Cloud Monitoring and Security," Delta Risk cloud security experts outline the key methods organizations can adopt to gain clearer visibility into their network and critical assets. You can get your copy of the white paper by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:13:25:19] And, I'm pleased to be joined once again by Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You wanted to take us through a story today about being able to report vulnerabilities when you find them?

Joe Carrigan: [00:13:39:06] One of my roles at the Information Security Institute at Johns Hopkins University is I am the coordinator for all of our vulnerability disclosures. So what that means is, when we find a vulnerability, we have a policy that says the first thing we're going to do is notify the person who is responsible for maintaining this product, library, thing, whatever it is, that we found this vulnerability, and provide them with an opportunity to fix it before we release it to the general public. And I've had to report a number of vulnerabilities that we've found over the past couple of years. And one of the things I found was that it's very difficult to tell a company that you've found a vulnerability in their product.

Dave Bittner: [00:14:20:07] Did they not have an email address or are they just not set up to do it?

Joe Carrigan: [00:14:25:23] I'll talk about a specific company which shall remain nameless. There are companies out there that have stepped up, and they're starting to do this, particularly big software manufacturers like Microsoft, Google, Apple, they all...

Dave Bittner: [00:14:37:00] Sure, we hear about bug bounties and things like that.

Joe Carrigan: [00:14:39:10] ...Exactly, and every company should have this, but there was one company where I would get in touch with them, I called over to their offices, and their engineering department was, "I don't know who you'd send that to." I eventually wound up using the support portal, and said, can I give this to you? We consider this vulnerability disclosed. And at one point in time from one company, I got back an email that said, "We received your vulnerability disclosure and we've notified our legal team."

Dave Bittner: [00:15:08:22] (Laughs) Of course they have. So, you're waiting for your summons? And somehow you've violated the Digital Millennium Copyright Act?

Joe Carrigan: [00:15:20:10] Right, by finding a vulnerability, like a good academic research organization. So, I wrote them back and I said, I would recommend that you also send this to your engineering team. You're free to send it to whomever you please, but the legal people are not going to fix this problem for you, and we consider it disclosed, and we're going to disclose it to the public after our non-disclosure period. So, there was this company that I'd made a number of disclosures to, and a news organization contacted the professor who was the advisor to the students who found these vulnerabilities, and said, "What do you do when you find these vulnerabilities?" He said, "Well, you know, we try to tell the companies, but we generally have a hard time doing that."

Joe Carrigan: [00:16:07:19] So then the news organization contacted the company and asked the Vice President of Communications of that company, why can't Hopkins disclose these vulnerabilities to you? And that got some attention. When a large news organization contacts you and says, you've got products that have security vulnerabilities in them, and the people that find them can't report them to you, we got some immediate attention. And this company, I don't want to say anything about the company. The company actually took care of the problem, they solved it. And they're actually looking at starting a bug bounty now, which is great. It's unfortunate that it takes that kind of pressure to do that. Every single company that manufactures a product that can have a security vulnerability, so anything that is a computer, and there's so much stuff that's actually a computer that you don't think of as being a computer...

Dave Bittner: [00:16:59:06] What isn't a computer these days?

Joe Carrigan: [00:17:02:18] A router. Your router at your house that you have, that's probably a Linux computer inside.

Dave Bittner: [00:17:08:14] Your thermostat, your security camera, your refrigerator, your oven, your washing machine, they all have computers now, and they're connected to the Internet.

Joe Carrigan: [00:17:16:13] This all goes back to the surface area problem, the attack surface problem. But, these manufacturers all need to have a public way for people to put data into their realm of knowledge that somebody has found a vulnerability.

Dave Bittner: [00:17:31:19] So it needs to be beyond the general contact us form on the website, so that it properly gets routed, and gets the proper attention that it deserves.

Joe Carrigan: [00:17:40:07] It does, and you need to have a way for security researchers to reach out and get in touch with you.

Dave Bittner: [00:17:47:12] Okay. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:17:50:00] It's my pleasure.

Dave Bittner: [00:17:53:00] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:18:05:08] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben, technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.