The CyberWire Daily Podcast 9.19.18
Ep 687 | 9.19.18

State Department cybersecurity issues. Iron Group's pseudoransomware. Bristol Airport's deliberate recovery. State of cryptojacking. Facebook offers campaigns help. US cyber strategy. Mirai masters.


Dave Bittner: [00:00:03] The U.S. State Department acknowledges an email breach. The criminal gang Iron Group is hitting targets with data stealing and data destroying pseudo-ransomware. Bristol Airport continues its slow recovery from whatever hit at the end of last week. A crypto-mining study is out. Facebook offers help to political campaigns. The new U.S. cyber strategy is out. ICOs get regulation. And Mirai masters get suspended sentences in recognition for the help they've rendered the government.

Dave Bittner: [00:00:39] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:42] Major funding for the CyberWire podcast is provided by Cylance. From the Cyberwire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 19, 2018.

Dave Bittner: [00:01:54] The U.S. State Department confirms that it sustained a breach of its unclassified email system, with hundreds of staffers' information affected. Hundreds is said to amount to about 1 percent of the department's workforce. The breach occurred earlier this year, and the principal concern is exposure of personal information. The department acknowledged the breach after Politico obtained and asked about a sensitive but unclassified memo dated September 7. At that point, State said, yes, they had sustained a breach, that it was, of course, a sensitive matter that remained under investigation and that it had notified the employees whose data were exposed. The department told Politico, quote, "this is an ongoing investigation, and we are working with partner agencies as well, as the private-sector service provider to conduct a full assessment," end quote. The private sector service provider would be Microsoft. The State Department uses Office 365 to handle its unclassified email.

Dave Bittner: [00:02:54] The State Department has received a good deal of stick over the incident. And while State is by no means the only offender, it's recently come under senatorial scrutiny over some reports by internal and external investigators that suggests that all is not as secure as it should be over in Foggy Bottom. A letter on September 11 from Senators Wyden, Democrat of Oregon; Paul, Republican of Kentucky; Markey, Democrat of Massachusetts; Gardner, Republican of Colorado; and Shaheen, Democrat of New Hampshire, tasked the department with failure to meet federal cybersecurity standards, particularly with respect to authentication. Within security, there is the common notion of hard versus soft targets. To a certain degree, that's self-explanatory, with hard targets having the most sophisticated and in-depth defense. There's a good bit of nuance when it comes to soft targets, and Ray Watson from Masergy joins us to explain.

Ray Watson: [00:03:52] Soft targets is one of those words, kind of like cybersecurity or cloud, that really depends on the context in which it's being used. But in general, for something to be a soft target, it typically is a smaller budgeted company. It usually has less likelihood to do full incident response after an issue. And when we talk about what is a soft target, you usually talk in terms of the three S's, which would be the amount that they spend on cyberdefenses, the sophistication of both the defenses and the response and then also the ongoing support that they would be expected to receive.

Dave Bittner: [00:04:33] Now, does a soft target typically know that they're a soft target?

Ray Watson: [00:04:37] Yes and no. I think that there's definitely some groups out there that recognize that trying to defend themselves from adversaries on the public internet is probably outside of what they can do in their day-to-day operations. Specifically, churches and nonprofit groups and NGOs might be, you know, particularly aware of the fact that they are somewhat soft targets. But then there are some other folks out there where there's a lot of debate about whether we would classify this as a soft target. And the best example of this is our SCADA and industrial control systems, whereas a lot of people consider those to be - because of the large - the size of the attack surface, they consider those to be soft targets. Whereas a lot of the other folks on the other side are saying, you know, we're doing absolutely everything we can to harden those, to patch those and to get them so that they are actually hardened.

Dave Bittner: [00:05:32] So - but to - contrast that to me - I mean, I think you make a good point that there's certainly no lack of attention being paid on SCADA systems. So you're saying it's really the size of the attack surface. Despite trying to batten down the hatches, they may still have some, I guess, a soft underbelly, if you will.

Ray Watson: [00:05:51] Sure. And that sort of comes from the national security implicitions when they talk about things like terroristic targets, right? It has to do with the surface area divided by the amount of defenses that you have, you know, available to it. So - and in the cyber world, it's a little bit different because there's also entire categories of places that hold your data, that hold your data as a consumer or your data as a business that, their entire business should be considered somewhat of a soft target. And the reason I'm even bringing this up is because what was in the news a couple of days ago was the Russian Orthodox Church had been breached by a one of the nation states’ hacking groups that were out there.

Ray Watson: [00:06:33] And it really made me think of the fact that so many churches out there have data that we wouldn't necessarily want shared about us to the world and, certainly, data that we wouldn't want added to an online big data profile in some government database out there. But it's not really something that we talk about when we talk about defenses. And then just the very, very next day, Air Canada leaked around 20,000 records for their passengers. And even though everyone thought at first, well, how sensitive could that data be? It actually turns out that several thousand of them had their full passport information saved into their profile. So in that scenario, it's not just the fact that the attack surface is wide. It also has to do with the fact that it's not necessarily protected with the high levels of things such as multifactor authentication or rotating passwords or even firewalls, et cetera, that are out there to protect that data.

Ray Watson: [00:07:28] You know, one of the best examples to think about when we talk about protecting soft targets is the fact that adversaries almost always are looking for points to either pivot or to make lateral movement. CyberWire had a guest on the other day by the name of Fred Kneip, and he actually brought up one of the best examples of this that I've ever heard, which was - when we think about the massive data breach at Target, that, of course, came in from what I would consider a soft target, which was their HVAC vendor that had perpetual access to their systems. And so even though Target may have hardened all of their points of ingress for their corporate network, their extranet access to their partners actually had this big of an effect.

Ray Watson: [00:08:18] And I will tell you that another example of this that kind of really brings this to mind is when we think about bedbugs because business travelers are very, very likely to bring bedbugs into their homes - not because they're staying at dodgy hotels and hostels, et cetera, but just because they're staying at so many hotels, right? And when you think in terms of protecting your own home from pests or any kind of infestations like that, it's very, very easy to pick something up basically in a remote hotel that maybe didn't necessarily take good care of that.

Dave Bittner: [00:08:51] That's Ray Watson from Masergy. His Twitter handle is @RayRedacted.

Dave Bittner: [00:08:58] Palo Alto Networks is tracking Iron Group, a Chinese-speaking criminal gang that's distributing pseudo-ransomware. The malware steals and then destroys data. The ransom demand is just misdirection. The malicious code self-propagates across affected networks using backdoors exposed in a hacking team breach. This does appear to be a criminal data theft operation, unlike earlier episodes as NotPeta, which is generally regarded as having been a state-directed campaign.

Dave Bittner: [00:09:28] Bristol Airport still hasn't recovered from the ransomware-like attack it sustained at the end of last week. Authorities have been unclear on just what the attack was. While they've said they didn't pay any ransom, they've stopped short of calling it ransomware period or even ransomware full-stop, as they might put it in western England. Nor is there any insight being offered into how the airport systems became infected. The most publicly visible effect of the attack was the terminal’s departure boards going offline.

Dave Bittner: The caution the airport is showing is generally met with approval, and many observers have noted that Bristol continued flight operations without delay or undue disruption. Ransomware, or even malware similar to so-called ransomware, if we must so describe it, has proved difficult to eradicate from an infested enterprise. Just ask the city mothers and fathers of Atlanta, Ga., another place where passenger-facing systems at an airport were affected. In that case, the ransomware was much more widespread, with Atlanta's airport Wi-Fi seeming almost an afterthought among the disturbed networks.

Dave Bittner: [00:10:39] ESET points out that two other airports sustained notorious ransomware attacks last year. Both were in Ukraine. Kiev was hit by a Peta version in June. And Odessa was attacked with a Bad Rabbit variant in October.

Dave Bittner: [00:10:54] The Cyber Threat Alliance has a new study out on crypto-mining. Among their more interesting points is an observation that a crypto-jacking incident in an enterprise should be regarded as what they call a canary in the coal mine, a warning sign that something's wrong with security and that the enterprise is open to more immediately damaging attacks. They also point out that even as crypto-jacking grows in sophistication, its lower reaches have been commoditized. The script kiddies can readily get attack tools on the black market. And, of course, the widespread persistence of EternalBlue vulnerabilities, so often exploited by crypto-jackers, affords evidence that patch management remains an unsolved problem of cyber public health.

Dave Bittner: [00:11:37] Facebook has joined the companies offering to help political campaigns stay more secure during the U.S. midterm elections. The social media platform is offering to help the campaigns set up two-factor authentication.

Dave Bittner: [00:11:51] The U.S. Defense Department has issued a new cyber strategy. That strategy assumes a contested cyberspace in both war and peace and has the following major goals - mission assurance, enhanced U.S. military advantage, defense of critical infrastructure, securing defense information and systems and expanded cooperation with all partners - U.S. government, industry and allied.

Dave Bittner: [00:12:14] A U.S. federal district court has decided to allow juries to apply security law to cases involving initial-coin-offering fraud. This is expected to set a precedent for more regulatory action in ICO markets. Regulatory agencies are now thought likely to have fewer inhibitions about treating ICOs like securities.

Dave Bittner: [00:12:39] The three young hackers responsible for the Mirai botnet are getting their sentences suspended. Instead of jail time, they're cooperating with the FBI. The three, all still in their 20s, are Paras Jha, 22, of Fanwood, N.J., Josiah White, 21, of Washington, Penn., and Dalton Norman, 22, of Metairie, La. They assisted in the Kelihos botnet takedown and also helped mitigate distributed denial of service attacks that exploited a memcache vulnerability. Prosecutors put a good word in for them yesterday. And the federal judge responsible for their case in Alaska sentenced them each to five years probation. So stay on the straight and narrow, kids.

Dave Bittner: [00:13:28] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on “A Comprehensive Approach to Security Across the Digital Workspace” will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security – And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:30] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about asset-based risk assessment and some potential problems there. What can you share with us?

Daniel Prince: [00:14:45] Well, thanks for having me back on. So a lot of the work that we're doing here at Lancaster is really looking at the effectiveness of cybersecurity risk assessment and risk management, particularly in industrial control systems sites. So one of the problems that we're coming across now as that a lot of the risk assessment processes are based on health and safety processes, particularly in process automation and industrial control – and/or quality control, sort of risk management processes. And within those kinds of environments, most techniques - you often assume that - or you regularly have a non-malicious threat agent. And, in fact, often, you don't have a threat agent whatsoever.

Daniel Prince: [00:15:31] So if you think about quality control, the process that you're putting your systems through, it's part of a - standard physical (ph) degradation, for example. If you’re thinking about health and safety, you're not really thinking about there being - somebody maliciously trying to tamper with any of your systems. But when you talk about cybersecurity, there's always a threat agent that is trying to maliciously undermine the systems that you've put in place. And when we look at the set of risk assessment processes, although we often see the threat agent captured, in that, you know, the standard form - you need somebody to take advantage of vulnerability and so on, they're not factored in as effectively as the assets.

Daniel Prince: [00:16:16] All, really, risk assessment processes stemming from quality control and health and safety stem from understanding all of your assets and then building up your (unintelligible). What we're trying to advocate and develop work on is actually thinking about the threat agent and how they - processing how they work through the systems. And one of the things that we're finding that’s quite interesting is the asymmetry in information between the threat agent and the defender. And so, as a defender, you often know the whole of your network. What a attack from a threat agent might look like is completely sort of nonsensical from your point of you because you know everything.

Daniel Prince: [00:16:57] But from the attack agent point of view - the threat agent's point of view, the path that they're taking to achieve their goals is completely sensible. So we're looking and trying to look at new processes where we can factor in more threat agent kind of knowledge. And we balance that against the - sort of the asset-based approach and see if we can get better risk management concepts that come through from that.

Dave Bittner: [00:17:23] Can you give us an example? What does that exactly look like?

Daniel Prince: [00:17:26] So I think one of the key things for us is that asymmetry of information. When you're planning and thinking about just your assets, you're thinking about what's important to you. But one of the key things when we look at attacks, we really need to frame that as, what is important to the attacker to achieve their goals? And that also allows you to bring in this idea that you're potentially just collateral damage - to be able to achieve a higher order effect because you are part of a supply chain. So you're a link to another company or another organization that the attacker is trying to get to. It's not your information and your assets aren't important. It's just they have to use those. Or that's the easiest way that they've decided - the attackers have decided to get to their ultimate goal. And so one of the things we're finding is it's taking out that kind of almost egocentric, we're the most important part of the attack. And so you can start to develop better defensive remediation techniques by balancing out what's important to you but also what's important to the attacker.

Dave Bittner: [00:18:35] You know, it's an interesting insight. As always, Daniel Prince, thanks for joining us.

Dave Bittner: [00:18:43] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:02] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.