The CyberWire Daily Podcast 7.31.18
Ep 652 | 7.31.18

Infrastructure security, especially power, finance, and elections. Preparation pays off. Proofpoint warns of new AZORult malware. Check Point tracks Master134 malvertising. Crime news.


Dave Bittner: [00:00:03] More warnings about Russians in the North American power grid. The U.S. Department of Homeland Security announces formation of a national risk management center. COSCO's preparation may have rendered the shipper more resilient to the cyberattack it sustained. Congress worries over election hacking and deep fakes. Electronic warfare is back, and an altcoin platform is hacked. A carder goes to jail, an alleged SIM swapper is arrested, and coaches behave badly.

Dave Bittner: [00:00:38] A few words from our sponsor Cylance. They're the people who protect our own endpoints here at The CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems, behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:45] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 31, 2018.

Dave Bittner: [00:01:54] Warnings about Russian compromise of the U.S. power grid continue. Again, nothing has happened yet to disrupt electrical power generation or distribution, but it's worth noting that the cyber battlespace seems to have been prepped. Attacks that destroy equipment are more worrisome than are attacks that amount to short-term power outages. As Control Global's Unfettered blog points out, one hopes the power industry takes preparation to heart.

Dave Bittner: [00:02:22] The U.S. Department of Homeland Security is announcing today the formation of a national risk management center. Secretary Nielsen introduced the center during a government-sponsored conference in New York City. It's seen as a response to growing recognition that cyberattacks by sophisticated nation-state adversaries can cause systemic failure across society at large. One of the critical infrastructure sectors of most concern is of course the power industry. DHS personnel will work both in a new headquarters and embedded with industry partners.

Dave Bittner: [00:02:56] Here's one encouraging story about the benefits of preparation. The cyberattack that hit shipping firm COSCO at its Port of Long Beach terminal seems to have been contained and overcome without significant operational disruption. The Journal of Commerce credits this to COSCO's advance preparation for dealing with just such an attack. Go and do likewise, power industry.

Mark Orlando: [00:03:19] When a lot of people hear critical infrastructure, they think about the electrical grid.

Dave Bittner: [00:03:22] That's Mark Orlando. He's chief technology officer with Raytheon Cyber Protection Solutions group.

Mark Orlando: [00:03:29] Critical infrastructure encompasses far more than that - everything from life safety systems and telecommunications to oil and gas systems, many, many other industries. So it's a very large space to protect. And unlike the IT world, the information technology world, there's not a lot of standardization in that domain, in the critical infrastructure domain. So understanding the threats, how we can gain visibility into those threats and then how we can defend that infrastructure is much more of a challenge than it is in the IT world.

Dave Bittner: [00:04:04] Well, let's walk through, you know, some of the steps that would be taken if someone were looking to do us harm from a critical infrastructure point of view. Where do they begin?

Mark Orlando: [00:04:12] Right. So the first step in any attack is reconnaissance. And in most cases, reconnaissance does not involve touching or connecting to the target system. It involves gathering information, doing research about the target system, doing research about the organization in which that system resides, organizations connected to that organizations - so suppliers, research into who the business partners or suppliers, or in some cases, the customers and users of that system - where they reside, how data traverses those different environments, how control systems interact with that target system really attempting to understand not only how that target system works, key pieces of information like the manufacturer, if it's running any kind of software, what kind of control systems are in place, but also how it's situated within the environment.

Mark Orlando: [00:05:04] So for example, if we're talking about a control system in the electrical grid - power distribution, for example - is that system connected in any way to an IT network where you might have user systems? Are there supplier networks where you might have a third party coming in to do maintenance on that system? These are all things that an attacker will attempt to uncover during that research phase.

Dave Bittner: [00:05:31] And so once they gather the information that they think they need and they move on to actually starting their attack, what happens then?

Mark Orlando: [00:05:38] In most of the successful attacks that we've seen, it's actually a chain of attacks where an attacker is hopping through various systems, various networks to get to that end state, that end target. In many cases, that involves compromising, again, either a third-party network like a supplier network. It involves in many cases targeting users with social engineering attacks like spear-phishing, for example, to gain unauthorized access to those third-party systems, and then from that point jumping off and pivoting and looking for a way into that operational network where you can connect more directly to that target system.

Dave Bittner: [00:06:19] These systems are quite often one-offs. And I could see there being two sides to that. I could see that being - you know, for both the attacker and the defender, it could be a roadblock.

Mark Orlando: [00:06:31] Absolutely. Not only for the attacker in trying to gather information about a system that may not be as well documented, but also - as you said, for a defender, it's also a significant challenge because now we have to come up with a good way to instrument these systems so that we can understand when someone is gaining access, when someone is causing a control system, for example, to send a signal to another system that might not be expected but might otherwise look normal. You know, instrumentation and making it so that we can detect these kinds of activities is also quite a challenge. I think we definitely have a long way to go in terms of understanding at a very technical and a very tactical level how we can harden these systems to attack, how we can identify and quickly respond to attacks when they occur.

Dave Bittner: [00:07:16] That's Mark Orlando from Raytheon.

Dave Bittner: [00:07:20] Worries about influence operations or direct manipulation of midterm voting also continue. Senator Shaheen, a Democrat of New Hampshire, says that officeholders and political parties are often targets of phishing attacks and that the experience reported by Senator McCaskill, a Democrat of Missouri, isn't an outlier. Other senators are interested in seeing what can be done about deep fakes - convincing but concocted video, audio or imagery that are thought to be the future of influence operations and black propaganda.

Dave Bittner: [00:07:54] The U.S. Army is undergoing one of its periodic rediscoveries of the importance of electronic warfare. This time, the precipitating cause is Russian jamming of U.S. forces operating in and around Syria. What's that, officer? No, we're not up to anything. It's just us out here on the police beat. And we see there's been another cryptocurrency theft. KICKICO lost $7.7 million to creative destruction hacking of its tokens. The story has a happy ending so far. The platform says it has recovered the stolen tokens and is in the process of returning them to their owners.

Dave Bittner: [00:08:33] The method the thieves used, however, is interesting. Security measures used to detect theft of altcoins often rely on detecting quick, unexplained changes in the number of tokens available on the market. And this in fact is what KICKICO's security did. To avoid detection, the thieves obtained the cryptographic key that controls the platform's smart contracts and used it to destroy existing coins and recreate them in the same amount. KICKICO became aware of what was up when users complained that all of a sudden their wallets were empty. The complaining users reported the loss of an aggregate of about $800,000. But upon investigation, it turned out that the criminals were more ambitious by an order of magnitude.

Dave Bittner: [00:09:19] Check Point reports that a criminal going by the name Master134 is running a successful malvertising campaign across the high bids advertising platform. Master134 has redirected stolen traffic from more than 10,000 compromised WordPress sites and resold it to AdsTerra, which in turn sold the traffic to advertising resellers. The malicious advertising carries ransomware, Trojans and so on. The hijacked traffic gives an initial appearance of connecting to legitimate sites and well-known brands, so beware.

Dave Bittner: [00:09:54] Proofpoint describes a new version of AZORult it's observed in the wild. AZORult is an information stealer and downloader first noticed in 2016, when Proofpoint found it as a secondary infection of the Chthonic banking Trojan. This version retains the original functionality but seems improved in every respect. Shortly after it appeared on the black market, it was seen distributing Hermes ransomware. As an effective downloader, it can of course be used to install any variety of different payloads.

Dave Bittner: [00:10:27] Russian debit card fraudster Mikhail Malykhin, who took a guilty plea back in 2016, has been sentenced. The judge presiding over his case in the U.S. federal court for the Central District of California called his crime reprehensible and sentenced him to 70 months in prison. Malykhin's theft, amounting to some $4.1 million, affected third-party administrators of flexible spending accounts and COBRA services. One of the companies he and his five criminal associates hit was driven out of business. Malykhin will also forfeit ill-gotten gains - to wit, $1.3 million in cash, $22,000 in gift cards, several gold bars and a classic pony car, a 1966 Ford Mustang.

Dave Bittner: [00:11:15] California police have arrested one Joel Ortiz, a college student from Boston, on charges alleging that he used SIM swapping to hack phone numbers and thereby steal more than $5 million in cryptocurrency. He faces 13 counts of identity theft, 13 counts of hacking and two counts of grand theft. The Santa Clara County DA invites any other victims to come forward. This is grand theft, but there's petty larceny stuff out there, too.

Dave Bittner: [00:11:46] If you're a parent hoping to expose your child to good values, hard work, fair play and so on by getting the little nipper involved in high school athletics, think twice before sending your child to Braden River High School in Manatee County, Fla. The county school district has announced the results of an investigation into Braden River's football program. They concluded that coaches at Braden River accessed an online service that stores video of high school football so colleges can see prospective players. Other high schools aren't supposed to have access to the system, but this particular coaching staff is said to have watched practice video from four rival schools. The penalty, if any, has yet to be determined. But who do these guys think they are, the New England Patriots?

Dave Bittner: [00:12:35] With all this, it's pleasant finally to close on a positive note. The Security Industry Association has opened nominations for its 2018 George R. Lippert Memorial Award, which recognizes distinguished, long-term, selfless service to the security industry. Nominations are due by Aug. 24. You can learn more at

Dave Bittner: [00:13:03] And now a word from our sponsor, ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #throwbackthursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from "Ghostbusters," you're a pretty righteous dude. Visit and take that quiz today. That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:24] And joining me once again is Johannes Ullrich. He's from the SANS Institute and also the host of the ISC StormCast podcast. Johannes, welcome back. You wanted to talk today about TLS 1.3. What do we need to know about this?

Johannes Ullrich: [00:14:38] Yeah, thanks for having me again. And, well, TLS 1.3 is sort of in the final stages of actually becoming a real thing. The standard has been finalized, and it starts to show up in different implementations now. Now, the problem here is that according to some people, TLS 1.3 really pushes things a little bit too far when it comes to privacy and encryption, making it very difficult for a lot of devices that have to intercept TLS to actually do their job. Now, that's always controversial, of course. Now, why would you have to intercept TLS? Well, for example, load balancers have to. Or many companies have systems that check for data exfiltration and such. And of course they have to intercept TLS.

Johannes Ullrich: [00:15:28] Now, with TLS 1.2, it wasn't really too difficult to set up a proxy that will take care of this. TLS 1.3 makes this really difficult because, well, it makes TLS faster. In TLS the way we use it right now, it takes about sort of four, five round trips to actually negotiate everything, set up a TCP connection and set up TLS. With TLS 1.3, we set up the TCP connection and in some cases, ideally, the TLS connection at the same time, which really cuts down this entire round-trip problem. So - well, on the other hand, now we don't have TCP and TLS separated, and that really breaks these proxies – so lots of problems coming down the pipe here for a security adviser to really try to figure out if you're going to a malicious site or if you're exfiltrating data.

Dave Bittner: [00:16:25] Now, just to back up a little bit, TLS stands for...

Johannes Ullrich: [00:16:29] Transport Layer Security. And it's a release of the newer version of SSL, Secure Socket Layer. So that's what we usually use with HTTPS when we are going to a secure website.

Dave Bittner: [00:16:41] So what do you suspect the consequences are going to be of this rollout?

Johannes Ullrich: [00:16:46] Well, I think what will happen at first is that a lot of sites just won't support TLS 1.3 because they have to wait for these man-in-the-middle devices really to become ready and to really support this new protocol. So I think it will delay the rollout, first of all. In the end, we'll have to see if the added privacy is something that people are willing to pay for in terms of not having all of their favorite websites work as they expected.

Dave Bittner: [00:17:17] And will it be seamless to the user? How much is it going to interfere with day-to-day operations?

Johannes Ullrich: [00:17:23] For the user it will be seamless if it works. Now, what may of course happen is if you run into these cases where these middleboxes intercept TLS, then of course it may just break the site. And that obviously has a sort of - little bit of a problem where - what happens if TLS breaks a connection? That's sort of the intent here. It wants to alert the user, hey, you know, someone is trying to mess with your connection. But one problem has been in the past that then users try to find a way to get to the site without TLS. And that's of course actually, you know, less secure than doing it via TLS 1.2.

Dave Bittner: [00:18:05] All right, well, we'll see how it rolls out. As always, thanks for sharing the information. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:18:11] Thank you.

Dave Bittner: [00:18:16] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:18:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.