Competing for terrorist mindshare. ICS threat group update. AnonPlus vandalizes US state sites. GDPR's disclosure timeline. Congressional hearings. DarkOverlord collared.
Dave Bittner: [00:00:00:00] Hi, everybody. A quick announcement before today's show. The CyberWire is presenting our fifth annual Women in Cyber Security reception this fall at the New International Spy Museum in Washington, DC. We've got some great sponsors lined up including Northrop Grumman, Cylance, VMware, Delta Risk, and SecureStrux. We'd love to add your organization's name to that list. Go to thecyberwire.com/wcs to learn all about our Women in Cyber Security reception and to see how you can show your support by becoming a sponsor. That's thecyberwire.com/wcs. We hope to see you there.
Dave Bittner: [00:00:42:02] Al Qaeda is back, howling online toward whatever lone wolves might be within earshot. The CHRYSENE ICS threat group may be looking beyond the Arabian Gulf. AnonPlus is after US state governments. What the EU will expect of you within 72 hours of discovering a breach. The US Congress wants answers about ZTE and Cambridge Analytica. And an alleged DarkOverlord is nabbed in Serbia.
Dave Bittner: [00:01:14:05] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyses the entire web to give info sec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:02:21:04] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 17th, 2018.
Dave Bittner: [00:02:33:19] Now that ISIS has been considerably disrupted, Al Qaeda is working online to regain terrorist mindshare lost to ISIS. They're calling from the familiar playbook, but with their own emphasis on inspiring attacks on infidel lands. Al Qaeda's organization has been more fluid than ISIS's had been. Al Qaeda, according to reports in Deutsche Welle, is engaged in "branding and rebranding" with a view to displacing its struggling rival, ISIS. The anniversary of the establishment of the modern state of Israel and the move of the US embassy to that country to Jerusalem figure prominently in the group's short-term messaging.
Dave Bittner: [00:03:15:00] Industrial cyber security firm Dragos this morning offered new details on the CHRYSENE threat group, specialists in hitting industrial control systems. Associated with the 2012 and 2016 Shamoon attacks on Saudi Aramco, CHRYSENE has, Dragos says, developed a sophistication beyond groups like Greenbug, who are also known as OilRig.
Dave Bittner: [00:03:39:18] In its update on CHRYSENE, Dragos doesn't discuss attribution, but the Shamoon 1 and Shamoon 2 attacks associated with the threat group have been widely thought to be the work of Iran. CHRYSENE's target list concentrates on the petrochemical, oil, gas and electric generation sectors. The Dragos study notes CHRYSENE's concentration on initial penetration. It compromises a target and then passes the machine it's pwned on for further exploitation. CHRYSENE may be extending its target list beyond its original Arabian Gulf range. The threat group's operations have now been observed in Iraq, Pakistan, Israel, and the United Kingdom.
Dave Bittner: [00:04:21:20] AnonPlus, a hacktivist group believed to be based in Italy, has been attacking US state governments. New Mexico is the latest victim, but Idaho and Connecticut were also recently hit. AnonPlus, in its communiqués, follows the now familiar anarcho-syndicalist line. They have no leaders and so forth, and their principal declared interest is opposition to censorship. It's unclear how defacing a state's workman's compensation site, among others, fits AnonPlus's strategy, but the nuisance value is undeniable. This may be an instance of the familiar hacktivist disposition to hit targets of opportunity, going where defenses permit them to operate easily.
Dave Bittner: [00:05:04:24] GDPR takes effect a week from tomorrow, and researchers continue to find sensitive data exposed online. GDPR, the European Union's General Data Protection Regulation, is expected to shape both corporate and criminal online behavior. Legitimate organizations will struggle toward compliance, since the regulatory penalties for falling afoul of GDPR are potential business killers. Criminals are already using GDPR themed spam to induce worried staffers to cough up credentials in phishing expeditions. There are also concerns that breaches could be induced in enterprises with the aim of putting companies out of compliance. That could be done for hacktivist, competitive or extortion motives.
Dave Bittner: [00:05:49:06] 72 hours is a crucial window under the new data protection regime. Security firm Imperva has a useful timeline explaining what GDPR will require organizations to do within 72 hours of detecting a breach. At a high level of generality, a breached organization must investigate, notify regulators and affected individuals of the breach, specifically state what data was exposed, and express a plan for containing the damage going forward. Any failure to get this done within 72 hours must be explained to the regulators. Absent reasonable justification for the delay, the affected organizations can expect penalties.
Dave Bittner: [00:06:30:24] Drupal is a popular online content management system with millions of users worldwide. The platform recently found itself in the news thanks to a vulnerability that became known as Drupalgeddon 2.0. Ryan Barnett is a principal security researcher at Akamai, and he joins us with his insights.
Ryan Barnett: [00:06:50:19] The main issue in looking at this, it was a different API, or Application Programming Interface with Drupal, they called a form API. The main issue was the applications they can create arrays, right? Different ways to hold data. And the problem was there's actually a vulnerability in what's called renderable arrays and the bottom line is that an attacker, somebody who's non-authenticated, could send from their web browser even in a query string, data that would look like an array, and if they could have that be renderable they can do remote code execution which is probably the worst case scenario from a security perspective because then essentially it's as if the attacker is sitting at the keyboards, and they can execute any command they want, and essentially they're running with the privileges of whatever the application is running as of the operating system.
Dave Bittner: [00:07:47:18] And so once the update is made and they've made the vulnerability public, the concern is for the folks who don't upgrade right away?
Ryan Barnett: [00:07:54:03] Yeah, exactly. That issue is what bad guys, criminals, black-hats, whatever you want to call them, that's what they live on. Right? Is they realize there's going to be a lag from the time something is posted until you can actually get it patched on their system. In this particular case, they did a good job, meaning Drupal, of making these releases well-known in advance so people could plan. I was actually monitoring it on Twitter. I'm looking for different hashtags related to this issue, and it was rather surprising to see how many people were just standing by. Like, is it released yet? You know, I've got my team ready. Is it released yet? So, the time to fix, quote, unquote, is, is a key issue for everybody, right, not just the Drupal issue. But most people from what we've seen were able to upgrade pretty quickly and get patches installed.
Dave Bittner: [00:08:45:21] What have you seen since that date? How bad is it? Like you said, most people have been able to update, but I suppose there are those laggers out there.
Ryan Barnett: [00:08:54:02] Absolutely, it's, it's a law of percentages, right? And even if you take a step back and say, "Hey, 80% of people updated, great," but when you have millions of installs, that 20% is significant, right? What was interesting in this scenario was the Drupal security team, the patches they made were purposefully vague. They made changes, but it wasn't quite clear from an attacker's perspective, wait a minute, as a remote user, how can I actually exploit this? So, that was done on purpose so Drupal actually did a good job there, right, not saying, "Hey, you know, attack here," and point big arrows at it, right? And there were long discussions and threads on multiple forums where people were trying to figure out how can we exploit this. "Hey, can we do this, can we do that?" and it went on for two weeks, and actually it was two weeks later around April 12th, another security vendor, they actually went ahead and released the blog post describing how to exploit it. [LAUGHS]. Their perspective on this, or you can take different sides of this argument, was they thought some people, perhaps, like you said, if they didn't patch, they might think, "Oh, well, we don't need to," right, because it's not known that it's publicly being exploited. So, you know, from a security company's perspective, they say, "Look, this is a problem and here we're going to demonstrate how you do need to fix this." So once I reviewed that blog data, I knew immediately, uh-oh, here it comes, because then there was enough detail.
Dave Bittner: [00:10:23:00] So kind of a second wave.
Ryan Barnett: [00:10:24:19] Exactly, and it was within hours. I'd say about three hours and then, you know, we're able to see. We saw some attacks for the first two weeks, but the payloads they were trying to send, the malicious stuff, it wasn't formatted correctly. It really wasn't doing anything. It was kind of benign. It wouldn't even work. But this second wave, as you said, when that came through, massive scanning attacks, because it was very easy for attackers to weaponize it at that point, and because these attack payloads are not specific to a specific site or implementation of Drupal, the kind of category of attacker I'd label this as is random opportunistic where they don't really care to break into website X, right? They're looking for any website that this can work on because they have end goals of installing their, you know, favorite toolkits to do different things. So the more IPs they can hit and, and web servers, and send this, the better. So they just want to do massive kind of spray scanning all over the place. So that's why it spiked up on our radar.
Dave Bittner: [00:11:32:24] That's Ryan Barnett from Akamai.
Dave Bittner: [00:11:37:05] The US House wants a full report from the Department of Homeland Security on security issues surrounding ZTE. The Senate Appropriations Committee also wanted some answers, and in their case they heard from FBI Director, Christopher Wray, who, while declining to name corporate names, expressed the Bureau's security reservations this way. Quote, "We at the FBI remain deeply concerned that any company beholden to foreign governments that don't share our values are not companies that we want to be gaining positions of power inside our telecommunications network. That gives them the capacity to maliciously modify or steal information, that gives them the capacity to conduct undetected espionage, that gives them the capacity to exert pressure or control," end quote.
Dave Bittner: [00:12:25:05] The US Senate Judiciary Committee was also busy. In their case they heard from Christopher Wylie, the whistleblower in the Cambridge Analytica case. Wylie said he had no knowledge of whether the now defunct company, in its use of Facebook data, had supported the activities of the Internet Research Agency, the now famous St. Petersburg troll farm. He did, however, say that Cambridge Analytica, quote, "made a lot of noise to companies and individuals connected to the Russian government," end quote. He dismissed the notion that Cambridge Analytica was an ordinary marketing research operation, saying that Cambridge Analytica specialized in disinformation, spreading rumors, kompromat, and propaganda.
Dave Bittner: [00:13:08:00] Finally, remember DarkOverlord? That's the hacking group that tried most famously to extort Netflix, threatening to release hacked copies of Orange Is The New Black. Serbian police have popped one alleged DarkOverlord ringmaster, an unnamed 38 year old man who lives in Belgrade, so far only identified by the initials, "S.S." The DarkOverlord's modus operandi was a bit different. Instead of trying to sell stolen data on the dark web, the group would steal data, demonstrate to the owners that they'd done so, and demand a ransom for returning it unreleased. Motherboard this morning heard from S.S.'s colleagues, who want everyone to know that they're still in business. So you've still got quarry out there, law enforcement. Good hunting.
Dave Bittner: [00:14:01:11] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security, thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:15:02:14] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. Last year, you testified before the House Energy and Commerce Committees, specifically the sub-committee on communications and technology. They were having a hearing on promoting security and wireless technologies, and you covered a lot of ground, but one of the things that caught my eye was something we talk about a lot which is this workforce issue, the shortage of qualified cyber security folks, but there was an even more specific area that was interesting, and that's when it comes to telecom infrastructure. We may be having a skills gap when it comes to universities training people to be prepared for this subset of the industry. What can you share there?
Dr. Charles Clancy: [00:15:52:11] Well, the cyber security industry is-- has, has a massive shortage of jobs nationwide, worldwide really. The statistics show that here in the Washington, DC metropolitan area, for example, there's 42,000 empty jobs in cyber security. So there's a huge shortfall that we need to address, and universities across the board are struggling to expand their curriculum offerings to keep up with the demand. Now I think that if you look at where a lot of those investments have been made, as many universities try to address that gap, they're focusing on many of the more traditional IT security challenges. So things like defending traditional IT networks from, from attacks or software engineering and writing secure code. All of these things are really important. We're starting to see a fundamental shift in the DNA of the Internet. As the Internet-of-Things comes along, it's not so much just the security of an app that's on my phone, or a cloud service that I might be using that's important, now I need to worry about the security of connective infrastructure. I need to worry about the security of telecommunications infrastructure. And so far we haven't really seen universities scaling up to be able to address that unique gap which is going to be an area that we will continue to see need for as the DNA of the Internet shifts from the social, mobile Internet to the Internet-of-Things.
Dave Bittner: [00:17:12:21] And as you have students come through your program, you advise a lot of these students in the research that you do, how do you handle the radio spectrum side of things? That's different than bits and bytes.
Dr. Charles Clancy: [00:17:25:21] Exactly. So, just as an example here at Virginia Tech, we've launched a new course in wireless and telecommunication security. We've launched a new course in embedded and industrial control systems security that will approach these somewhat unique fields from a security perspective, and we're seeing a lot of interest from students in those courses and particularly in employers. We have a number of large companies that are unable to hire people who have both cyber physical systems expertise and security expertise. Typically, they'll have one or the other, and they'll need to cross-train them after they hire them.
Dave Bittner: [00:18:02:16] Yeah, so perhaps an opportunity for some of those students coming up, an area that hasn't received a lot of attention.
Dr. Charles Clancy: [00:18:10:10] Indeed, and one that is going to need a lot of attention particularly as the nature of the Internet continues to shift more towards the Internet-of-Things.
Dave Bittner: [00:18:17:03] Dr. Charles Clancy, thanks for joining us.
Dr. Charles Clancy: [00:18:20:08] My pleasure.
Dave Bittner: [00:18:25:14] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:18:45:03] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:54:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.