The CyberWire Daily Podcast 7.19.18
Ep 644 | 7.19.18

Fancy Bear's Roman Holiday. RAT phishing in Ukraine. AWS S3 bucket leaks robocaller data. Bug or abuse? NIST to withdraw outdated cybersecurity publications. Content moderation.
Dave Bittner: [00:00:03] Fancy Bear takes a Roman holiday, and the Italian navy takes note. A criminal espionage campaign is underway with Ukraine's government as its target. An exposed AWS S3 bucket leaks voter information. A security firm and a vendor dispute whether an issue is a vulnerability or a case of user abuse. NIST announces its intention of withdrawing some obsolete cybersecurity publications, and Congress presses tech companies about content moderation.

Dave Bittner: [00:00:38] And now a word from our sponsor ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from "Ghostbusters," you're a pretty righteous dude. Visit and take that quiz today. That's And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 19, 2018. CSE CybSec Z-Lab reports finding Fancy Bear - also known as APT28, Sednit, Pawn Storm, Sofacy, STRONTIUM and Russia's GRU - engaged in an espionage campaign directed against the Italian navy. The Russian intelligence service is said to have installed an updated version of its familiar XAgent malware in naval systems. The campaign is being called Roman Holiday. Its goal appears to be the usual sort of collection against military systems.

Dave Bittner: [00:02:43] ESET researchers are analyzing three remote access tools used in ongoing campaigns against targets, mostly government agencies in Ukraine. The tools are called Quasar, Sobaken and Vermin. ESET characterizes the campaign as one of criminal espionage. The tools are used to access and exfiltrate sensitive files from government systems. ESET describes the three tools as follows. Quasar is an open-source remote access tool that you'll find on GitHub. ESET has found Quasar binaries in use as far back as October 2015. Sobaken is closely related to Quasar. It's heavily modified, largely by removing some functionality to make its executables smaller while leaving room for some additional evasion techniques. Vermin is a custom backdoor. ESET says it first appeared in 2016. Like Quasar and Sobaken, it's written in dot-net with its code protected to an extent against analysis using commercial or open-source protectors.

Dave Bittner: [00:03:48] None of these RATs are particularly sophisticated, but they're effectively constructed. Like so many other forms of malware, they're spread principally by social engineering with the payload typically carried by a maliciously crafted document transmitted as an attachment to an email. ESET says the attackers' skills aren't especially advanced, and they don't appear to have access to zero-days. But then you don't need mad skills or zero-days to be effective. The file names in the attachments are designed to be attractive to the recipients. Some examples the researchers provide are, as translated, "Directive on Providing Security for Military Personnel of Ukrainian Army and Their Family Members," "A New Draft of Directive Regarding Verification of Seizure," and "Purchasing Department Don OVK, Increase of Credit Limit." If that don't fetch them, then we don't know Kiev.

Dave Bittner: [00:04:43] When is a misconfiguration a bug, and when is it abuse? It's a question worth thinking about. One would hope products came with defaults that favored security and privacy. But at some point, there's a question of user responsibility. It's now generally held that if you're using Amazon Web Services and you leave your data in an S3 bucket that you've made generally accessible to the internet at large - well, that's on you.

Dave Bittner: [00:05:08] One such case was disclosed this week by perennial hunters of sloshing buckets, security firm Kromtech. A database containing U.S. voter information was found exposed in an unsecured AWS S3 bucket by RoboCent, a robocalling firm specializing in selling its services to political campaigns. The material, which has now presumably been secured, included audio files of the sort one might use in a robocall. But more disturbingly, it also contained names, addresses, dates of birth, gender, and the inferred political orientation of some thousands of registered voters.

Dave Bittner: [00:05:46] Another case is more ambiguous or at least more contentious. Trustwave's SpiderLabs say they found a vulnerability in Reprise Software's RLM license management tool. Reprise says they won't patch anything because there's no vulnerability there at all. RLM, says Reprise, is designed to run in a segregated, non-privileged account. It's not supposed to be given administrator-level privileges, which is what SpiderLabs saw. They're entirely clear on that point with all of their users, they told SecurityWeek. And in their view, the exposure and remote access vulnerabilities Trustwave reported are a matter of user headspace and timing, not a problem with RLM. That, says Reprise, isn't a bug but rather an abuse of their product. So tools don't compromise data; admins do.

Dave Bittner: [00:06:39] The U.S. National Institute of Standards and Technology, NIST, will withdraw 11 SP 800 cybersecurity publications on Aug. 1. Some of the publications address technologies that are outdated, deprecated or otherwise no longer in widespread use. Others are based on superseded laws, regulations or executive orders. Others fail to address newer technologies or security products. And some have been superseded by the NIST cybersecurity framework. The publications date back to 1995 with the most recent publications having been issued in 2008. You can find a list of the soon-to-be-withdrawn SP 800 publications on the NIST website.

Dave Bittner: [00:07:23] There's been recent news of a worm making its way through Android devices. Matt Cauthorn is VP of the security engineering team at ExtraHop, where they've been tracking this worm, and he joins us to share what they found.

Matt Cauthorn: [00:07:36] It's the Android remote debug exploit. I think it's the ADB. There are two variants. One, it's - you know, in good faith for the developer community, Android devices allow you to enter this debug mode and get a root shell, an accessed shell with privilege on the system typically via USB. But there's another mode that allows you to do so over Wi-Fi, which is where at least part of the problem comes in. So obviously if you're exposing this remote access via Wi-Fi, then anyone that's sort of not paying attention or is a little bit negligent maybe on the manufacturer's side could leave it open and ready for exploit. So that's the main problem, is you get very - you get access to way, way, way too much data, kind of everything via this mechanism.

Dave Bittner: [00:08:23] And we've got some vendors who are shipping the products with this feature enabled.

Matt Cauthorn: [00:08:28] Unfortunately, yes, which - vendor defaults and this disposition - the default disposition of a lot of these devices is just not secure. You know, you're a manufacturer, and you want to produce a product for the market. And you want to get that to market quickly. You want to focus on developing features. The downside of that is, you know, security in the disposition of one of these devices. A lot of these are set-top boxes as of this morning, at least, for example. You make a shortcut or you're doing some debug and you forget to disable this functionality, and now you've given root access to the internet effectively, so yeah.

Matt Cauthorn: [00:09:05] And there's a miner that's out there of course because that's quite the rage these days. So - and it'll convert these devices into cryptocurrency miners. You know, I think many of the listeners, and myself included - you know, I have a Roku at home. And I install it. And you kind of set it and forget it. And you might not update it as much as you could or should. In a way, it's ironic because everyone is kind of a mini-sysadmin now even in the consumer space.

Matt Cauthorn: [00:09:36] If you consider all of the connected devices in a given household or organization, whether it's a full-tilt IT shop or not, everybody's kind of a - they need to be diligent with the systems that they run. And I don't know that we think about things that way. The problem is going to rage on. And it's going to take different forms. And it's going to do different things - but the core problem of really, really robust, high-velocity development cycles that are out there.

Matt Cauthorn: [00:10:02] And so the barriers to entry for an adversary or for bad intent are quite low, or even negligence that enables that intent. All I can say is if you have - you know, check in maybe - I don't know, maybe, like, at a monthly cadence, if possible, to check in and make sure you've got updates installed because I can tell for sure as of this morning, there's a lot of devices out there that have not been updated, or maybe even the manufacturers haven't even addressed the issue to begin with.

Dave Bittner: [00:10:31] That's Matt Cauthorn from ExtraHop.

Dave Bittner: [00:10:35] Members of the U.S. Congress press the tech industry on content moderation. Their concerns seem to center on the prospects of influence operations. That hostile foreign influence operations are ongoing is surely correct. They're always ongoing and have been for a very long time indeed. Whether they're best dealt with by legislation, policy, technical filtering or by the sort of efficient marketplace of ideas that classical liberals like John Stuart Mill would have prescribed is much up for grabs. Discuss among yourselves.

Dave Bittner: [00:11:07] Are there any lessons to be drawn from the history of the last 100 years? Much of that baleful history remains within living memory, from journalistic airbrushing of Stalin's Holodomor in Ukraine to the widespread apologies for and denials of Pol Pot's democide in Cambodia to various forms of Holocaust denial that persist to this day. Or are there lessons to be drawn from the history of various belief manias that flare up and then die back, like those repressed memories of alien abduction once widely thought to become accessible through hypnotic regression? Those are perhaps less tragic in their implications than the others, but they can have sad effects on their own smaller scale.

Dave Bittner: [00:11:51] Seriously, what can the history of public opinion teach us about the current controversies? And to our American audience, given that influence operations are essentially marketing in battle dress, how is it that the country that invented modern mass marketing should seem so helpless when it comes to putting the epaulets on Madison Avenue?

Dave Bittner: [00:12:15] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:16] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about digital histories and specifically the rewriting of those digital histories. What can you share with us today?

Daniel Prince: [00:13:32] Well, thanks for having me back on. So what started me thinking about this track is my uncle runs an archivist company producing basically the hardware that takes photographs of our documents, our historical documents. And in a conversation with him, he was saying how really the world's changed. And some of our public libraries are really concerned that there aren't going to be these documents that record specific decisions - so, like, official memos that were sent during the Second World War, for example.

Daniel Prince: [00:14:08] We won't have that. We have only email now. Everything's done via email, these electronic documents. So much of our digital lives, the histories that we have - our blogs and things that we've done are held online. And so we have things like the Wayback Machine and - that avails us to see what websites used to look like. But the concern here is the ability to go back and change these records of what our past used to be like. And that's really important for us to understand just as a social context going forward what happened.

Daniel Prince: [00:14:48] And so our ability to be able to communicate exceptionally fast using email, using instant messenger is actually corrupting our ability to be able to go back and look at our history. Now, that's the standard case of just what could happen in sort of day-to-day life. But then the concern becomes, what if individuals or organizations or nation states did that proactively? What if we started to move into the realm of misinformation? What if we started to see the manipulation of digital historical records or the suppression of certain digital or historical records to identify a specific type of propaganda? Could we actually detect that? Would we know?

Daniel Prince: [00:15:35] So when certain messages started to come out, could we go back and actually look at some of the material that there is online to say, is that accurate? And we're starting to see some of that with the - sort of the post-truth environment. We're starting to see some of that with things like Snopes, the fact-checkers that are online. But the veracity of that information is vitally important for us as a society to really be able to understand our past so that we can start to think about where we want to go in the future.

Dave Bittner: [00:16:06] And it strikes me that even being able to, you know, verify, what is the - I guess in a digital environment, is there a master copy of something? Is there an original? Are they all copies?

Daniel Prince: [00:16:18] Yeah. And that's one of the things that people kind of play on. You know, there's this redundancy aspect. You know, once it's into the internet, it's copied and replicated multiple times, which is one aspect of it. But when we start to think about cybersecurity - the confidentiality, integrity and availability - it's that integrity and that availability which is so key for our sort of social understanding of our policies and our culture that it is quite troubling because a lot of the information that's online, there is no real integrity system that sits around it or for the recording of public documents.

Daniel Prince: [00:16:57] And then the other aspect is it's so easy to take information offline, a key piece of information. So the availability comes in. And so what I'm concerned about is taking the integrity and the availability aspect of publicly available information - so we don't need to worry about the confidentiality - and making sure the veracity of the information that we as a society have and the trust we have in that information is there so that we can make appropriate decisions going forward. And so we're not just buying into people's political or certain organizations' or nation states' political agendas.

Daniel Prince: [00:17:33] The other challenge is - around the multiple copies is, are we sure that the copy that you have in your particular geographical area is the same as the geographical - or the copy I have in my geographical area? And we have seen, you know, examples of how information is being controlled because of things like national laws. Certain search results aren't able to be displayed in certain locations. This has an impact, as we know, so the way that search results are displayed has an impact on the way that people think about the problems and the environment they have. And so that subtle control, for all good reasons in some cases, can really impact the society's impression or thoughts around a particular subject. And so I'm really concerned about the integrity and the availability of publicly available information.

Dave Bittner: [00:18:30] Yeah, it's a fascinating topic for sure. Daniel Prince, thanks for joining us. And that's the CyberWire. A quick note to friend of the show Martine Groton (ph), who recently suffered a loss in his family. We're all thinking about you here, wishing you the best. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:18:55] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.