The CyberWire Daily Podcast 8.21.18
Ep 667 | 8.21.18

Fancy Bear bogus sites taken down. Some in the US Congress think they want hack-back laws. Cyber and sanctions. Operation Red Signature. Doxing Chinese Intelligence. Buggy medical devices.


Dave Bittner: [00:00:03] Microsoft springs its bear trap again and catches Fancy Bear. This time, the targets are more to the right than to the left. The U.S. Senate holds hearings on cybersecurity. Hacking back is expected to be on the table. The U.K. wants more sanctions on Russia. U.S. senators are looking into reducing sanctions' collateral economic damage. Operation Red Signature pokes at South Korean supply chains. Intrusion Truth doxes Chinese intelligence officers, and more news on medical device bugs.

Dave Bittner: [00:00:40] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operation center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more, and we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 21, 2018. Microsoft announced late last night the takedown of six sites associated with Russian influence operations in the U.S. Redmond's Digital Crimes Unit ran the operation, which concentrated on bogus sites established over the last few months to impersonate public policy organizations. This time, conservative organizations received attention - the Hudson Institute, a conservative think tank that's investigated corruption in Russia, the International Republican Institute, a democracy promotion not-for-profit, and three sites built to look as if they were affiliated with the U.S. Senate. The sixth site was non-political. It spoofed Microsoft. Microsoft initially went no farther than attributing the operation to APT28. But others, and subsequently Microsoft itself, have pointed out that APT28 is the same Russian government threat actor also tracked as STRONTIUM or, our favorite, Fancy Bear. These are all, of course, associated convincingly with the GRU, Russia's military intelligence organization.

Dave Bittner: [00:03:01] So how did these takedowns work? Is this a case of hacking back, like a cyber letter-of-marque-and-reprisal? No. It's more lawfare than warfare, not that this should take anything away from the people at Microsoft who executed the takedown. And let us say bravo, Microsoft. What they did in this case, and they've done much the same in others, is to obtain and execute a court order transferring control of the offending domains to themselves, thereby neutralizing the activity. By Microsoft's tally, they've done this 12 times over the past two years, shuttering 84 websites set up by the GRU.

Dave Bittner: [00:03:39] Redmond quotes the special master a federal judge appointed in the case to the effect that there is good cause to conclude that these activities by the STRONTIUM, APT28, Fancy Bear threat actor are likely to continue. Microsoft notes that both major political parties are being targeted. And the company expects the Russian threat actors to broaden the scope of their attacks as U.S. midterm elections approach, so lawfare and not marque and reprisal.

Dave Bittner: [00:04:07] But there's some sentiment being expressed today on Capitol Hill in favor of legislation that would allow companies that suffered cyberattacks to hack back at their tormentors. Senator Sheldon Whitehouse, a Democrat of Rhode Island, issued prepared remarks he intends to deliver this afternoon at hearings of the Senate Judiciary Subcommittee on Crime and Terrorism, which is deliberating cybermatters today. The senator says, quote, "we ought to think hard about how and when to license hack-back authorities, so capable, responsible private-sector actors can deter foreign aggression," end quote. He calls this active cyberdefense. Thus, he sees hacking back as a national security move. That is, after all, what deterring foreign aggression amounts to.

Dave Bittner: [00:04:54] Leave aside, for the moment, that this might be seen as what SES-types - especially the lawyers among them - call an inherently governmental responsibility. There have certainly been private sector activities with national security implications before. Private military contractors would represent an extreme example - as would privateers, who've been out of fashion and legal authority since the latter part of the 19th century. But there are other examples.

Dave Bittner: [00:05:22] Before there was a well-established U.S. intelligence community, if you wanted to get something out of the ordinary done, the government was likely to retain a white-shoe Wall Street law firm - the way Teddy Roosevelt did when he wanted a canal in Panama. And, of course, contractors play a significant role in U.S. cybersecurity. Booz Allen Hamilton just got a $1,000,000,000 task order under the government-wide Continuous Diagnostics and Mitigation Dynamic and Evolving Federal Enterprise Network Defense Contract Vehicle. That's a defense award - not one for hacking back, but you get the drift here. And by the way, congratulations, Booz.

Dave Bittner: [00:06:00] And, of course, Microsoft has been dining out on Fancy Bear takedowns for two years. So what would one want done that a law authorizing hacking back might enable - and that isn't already being done? Hack-back skeptics point out the problems with turning computer network operators loose on one another. It might be difficult to contain retaliatory malware, and the temptation to hack back in anti-competitive ways might prove difficult to resist. In any case, we'll watch Senator Whitehouse's proposals with interest. Our hometown of Baltimore was a famous nest of privateers at one time. That was during the War of 1812. Nowadays, people around here work under government-wide acquisition contracts, not letters of mark and reprisal.

Dave Bittner: [00:06:47] We continue to track reports of cyber adversaries making use of fileless malware to evade detection. Travis Rosiek is chief technology officer at BluVector. And he offers his perspective on fileless malware.

Travis Rosiek: [00:07:01] Cyber adversaries have been extremely successful using this attack vector. And it's gaining a lot more attention from the mainstream media - from a Ponemon Institute as well as a McAfee report. McAfee report stated that they're seeing 425 percent-plus increase year over year in the volume of fileless-based attacks. And the Ponemon Institute, they've stated that fileless attacks are 10 times more likely to be successful than more of the traditional file-based attacks.

Dave Bittner: [00:07:31] Now, let's just back up a little bit. From your point of view, how do you define a fileless attack?

Travis Rosiek: [00:07:36] From my perspective and what comes to mind when I think of a fileless attack - so if you think of the attack life cycle, with the different stages of an attack, one piece of it they would consider fileless in nature. So from a adversary's perspective, you know, the cyber defenders are typically in a reactive mode. And fundamentally over the years, it's very much focused on using like signature-based mechanisms to identify attacks that have happened other places and preventing them from happening again. So adversaries are very opportunistic, and they leverage mechanisms that allow them to adapt and evolve rather quickly. So in the case of the fileless attack, there's no files written to the host or the disk. You know, part of the attack executes in memory only. And it also leverages trust in applications within a system.

Travis Rosiek: [00:08:26] So a very common one is leveraging PowerShell. So every IT admin uses PowerShell within a Windows environment. It's a trusted utility, and it's used for lots of different things. So their sweet spot they like to target is that gray area - what makes it the most difficult to ascertain benign from malicious. They know that's a trusted tool that's always going to be in the environment. You know, they don't have the download capabilities that could cause more attention to themselves, which makes it very difficult for an instant responder or an analyst to identify that the adversary is in the environment or acting.

Travis Rosiek: [00:09:03] The other challenge is a lot of these things don't necessarily create logs or things that go in and look at the see what happened on the system - nor do they really leave a footprint to search for hashes or other mechanisms. So it's very difficult. So the legacy security industry, you know, from a signature-based, file-based model, has really been trying to catch up. And clearly, it's not catching up as fast as the adversaries are being able to be successful.

Dave Bittner: [00:09:29] So what are the successful ways to go at this? How can you detect a fileless attack within your system or your organization?

Travis Rosiek: [00:09:37] Like anything, there's no silver bullet to cybersecurity - despite a lot of marketing you see from different vendors out there today. And one of the most painful things is really good cyber hygiene, proper network engineering and design. You know, the key is always to protect your critical information and segmenting or isolating core parts of your business from the things that are high risk. So, for example, part of your core IP or personal customer data that should be protected is air gapped or, you know, very tightly controlled and restricted from the systems that, you know, surf the internet or receive tremendous amounts of email on a daily basis. So having proper network design is one good way to help do that.

Travis Rosiek: [00:10:17] The speed of detection is always critical. So getting a heads up that there is some type of malicious code coming into the environment or to - targeting endpoints within your enterprise - getting that head start to kind of do the analysis or do more focused monitoring of those endpoints potentially can give you a jumpstart to doing that forensics analysis or doing triage because if you try to respond to it after the fact, like as I mentioned before, there is really limited amount of data that's left behind. So without having those breadcrumbs and log files, et cetera, it's really difficult to really identify what happened.

Dave Bittner: [00:10:58] That's Travis Rosiek from BluVector.

Dave Bittner: [00:11:03] A British mission to the U.S. will push for more sanctions against Russia. Her majesty's government remains rightly exercised about the Russian hybrid war that found its lethal way to English soil. The U.S. Senate is working to ensure that existing and planned sanctions don't rain collateral economic damage on U.S. and allied countries. And it's not all Russians today.

Dave Bittner: [00:11:27] Trend Micro has published a comprehensive look at Operation Red Signature, which they call, quote, "an information theft-driven supply chain attack targeting organizations in South Korea" - end quote. The campaign surfaced late last month. And Motherboard describes Intrusion Truth - apparently, a hacktivist group engaged in doxing members of Chinese intelligence services. Motherboard seems convinced, based on their exchanges with Intrusion Truth, that they are indeed the hacktivists they say they are. It would be interesting to rule out the possibility that that group is a hostile intelligence service - an intelligence service hostile to China, that is. A thought experiment - one could hire a company to dox a hostile intelligence service. Would that be hacking back or would that just be government contracting? Motherboard notes that some of the Chinese officers' dox subsequently showed up in U.S. federal charging documents. Coincidence or not - they're not sure.

Dave Bittner: [00:12:28] Finally, if you don't have enough to worry about, US-CERT is warning of vulnerabilities in Philips IntelliSpace Cardiovascular and Xcelera IntelliSpace Cardiovascular products. Philips says it's working to squash the bugs, which appear mostly to be of the privilege escalation and admin credential varieties. If you want to make people's flesh creep, use medical device and hacking in the same sentence.

Dave Bittner: [00:12:59] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:59] And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks, and he also leads Unit 42, which is their threat intel team. Rick, welcome back. You wanted to sort of take us through an approach to buying cybersecurity products. You know, I think all of us who have mobile devices, we're familiar with app stores. And you've got this notion of an app store for buying cybersecurity products. What's going on here?

Rick Howard: [00:14:26] Yeah. I think the industry is about ready to change, all right. We are pretty much reached the maximum point of not being able to buy any more cybersecurity product. You and I have talked about this in the past that, you know, smaller organizations, you know, with two guys and a dog in the back room, you know, they have 15 to 20 security tools deployed. Medium-sized companies have about 50, and big companies like, you know, big banks or big government, they have over 150, OK, security tools. And none of us can manage one more point product. It just - it's too hard to do.

Rick Howard: [00:14:59] In order to deploy their solution, OK, for - as a network defender, I have to do - to deploy it to my network, I have to give it complete visibility and I have to have my internal infosec team integrate it with all the other security tools that I have already deployed. When buying a tool that doesn't integrate, that puts the load, the burden, on managing all that on your local infosec team. And like I said before, those guys just can't take any more work.

Rick Howard: [00:15:26] So what I think's going to happen in the industry is this idea of a cybersecurity app store. And the perfect place to deploy these things is at the firewalls, OK, because firewalls are the - everybody has firewalls. And they're at the exact right spot they need to be to be able to do any kind of interesting security algorithm that might show up, all right. And the reason that is is because firewall vendors - Palo Alto Networks - but all the firewall vendors have been experimenting with moving their intelligence collection piece and their processing piece looking for bad guys up to the cloud over the last five years.

Dave Bittner: [00:16:06] Right.

Rick Howard: [00:16:06] Right. We're all essentially becoming SAS operators, all right, because we essentially have unlimited collection capability up there and unlimited processing capability up there because if we tried to put all that down on a firewall, it would fall over because of too much stuff to do, right?

Dave Bittner: [00:16:22] Right.

Rick Howard: [00:16:22] So we - all of us have been doing that for the last five years, right? So - and then all of us have been experimenting with adding new functionality in the cloud, OK, meaning adding a new algorithm, a new application in the cloud so that we don't have to put that down on the firewall itself, all right. And so the next logical thing that we're going to start seeing here in the future is that's going - all the firewall vendors are going to be opening that up to third parties, meaning they're going to open it up to their customers. They're going to open it up to their partners.

Rick Howard: [00:16:55] And if this goes the way I think it's going to go, they're going to open it up to their competitors because it's going to be - if you - and it's going to work just like the Apple app store. Your firewall becomes like the iPhone. And if you want to deploy, let's say, the next behavioral analytics engine, you can go pick the Palo Alto Networks app or you can pick the Symantec app or you can pick the - you know, Fred's app, you know, the guy down in the garage with two guys and a dog back there, right?

Dave Bittner: [00:17:22] Right.

Rick Howard: [00:17:22] You can run them all at the same time and decide which one you like and say, hey, I like Fred's, OK, and just leave that one on and turn the other two off. And there is no fuss or no muss. You don't have to deploy a box. You don't have to train your staff. It's all running on the existing infrastructure anyway. So I truly believe that we're going to see a complete change - a complete flipping of the cybersecurity vendor consumption model. We're going to be at a spot where we're not going to - where we are today where we can't add one more. We're going to be adding hundreds more because it's going to be so easy to do and to evaluate. So that's where I think it's going in the future.

Dave Bittner: [00:17:59] So you think we're - is this - does this require a certain level of standardization where, you know, for these I guess in effect they're sort of plug-ins, right? I mean, they plug in to your firewall and so the suppliers - the vendors would have to meet a certain standard to be able to work with company X's firewall to be able to - I guess what's in it for them is opening themselves up to this market.

Rick Howard: [00:18:22] Exactly right. And network defenders are going to have to pick a vendor they like that does the basic infrastructure. And I'm thinking it's going to be one of the firewall vendors, right? And then once they choose that, they're going to trust that vendor to vet everything, just like most of us trust Apple and Google to vet their own apps in the app store.

Dave Bittner: [00:18:40] All right. Well, it's certainly interesting to think about. As always, thanks for sharing the information. Rick Howard, thanks for joining us.

Rick Howard: [00:18:46] Thank you, sir.

Dave Bittner: [00:18:51] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:18:59] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.