The CyberWire Daily Podcast 10.16.18
Ep 705 | 10.16.18

Facebook in Myanmar. Supply chain seeding attack update. Election hacking. NCSC reports. EU prepares sanctions (Russia feels ill-used).


Dave Bittner: [00:00:04:01] Social networking for genocide in Myanmar. Facebook takes down the Army's inauthentic and inflammatory pages. The supply chain seeding attack from China remains dubious. Probes of US election infrastructure and black market offers of voter databases have been reported. GCHQ sees cybercrime as a chronic threat but state-sponsored cyber operations as an acute problem. The EU prepares sanctions against a big country to the east. And farewell to Paul Allen, departed this life yesterday at the age of 65.

Dave Bittner: [00:00:43:11] Time to take a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled Building A Threat Intelligence Platform. ThreatConnect surveyed more than 350 cyber security decision makers nationwide. Research findings include best practices and the impact to businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:04:19] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 16th, 2018.

Dave Bittner: [00:02:17:19] The New York Times is reporting in horrific detail on how Myanmar's military used social media, mostly Facebook, to incite genocidal violence against minority Rohingya Muslims. The operators, believed to number around 700, resorted to the usual tools of information warfare in social networks, inauthentic identities and inflammatory posts of bogus news stories. The goal has been to inflame the Buddhist majority against the Rohingya Muslim minority and to excite mutual suspicion between the groups, all designed to lead toward the destruction of the Rohingya.

Dave Bittner: [00:02:54:08] Yesterday Facebook took down 13 pages and ten accounts for engaging in coordinated inauthentic behavior on Facebook in Myanmar. The pages and accounts seemed, the social network said, to be independent voices interested in entertainment, beauty and general information but they were in fact run by Myanmar's military. According to Facebook, about 1,350,000 unique people followed at least one of these 13 pages.

Dave Bittner: [00:03:22:24] Facebook came under criticism early this year for the use Myanmar's army made of its platform. It banned senior army officers back in August but it didn't match the inauthentic accounts until this month.

Dave Bittner: [00:03:35:19] Part of the problem is Facebook's pervasive presence in Myanmar where, the New York Times says, its dominance is such that it's commonly confused with and identified with the Internet as a whole. This has led tragic credibility to the bogus stories of massacre and outrage the army has concocted to foment Buddhist outrage against their Muslim countrymen. The misuse of Facebook is raising more calls for content moderation. It may also lead to more complex considerations of what any platform's near total hold on a significant section of the Internet means for information control and manipulation.

Dave Bittner: [00:04:13:00] You may be familiar with the Center for Infrastructure Assurance and Security, that's CIAS, for their leadership in cyber security competitions. Since 2005 the CIAS has been developing and conducting competition programs to help educate, train and prepare individuals for the information assurance workforce. They've also developed the Cyber Threat Defender card game which teaches middle and high school children the fundamentals on how to secure a network. They're distributed over 12,000 decks across the world in four countries and they're currently operating in over 300 US classrooms. Larry Sjelin is Director of Game Development at CIAS.

Larry Sjelin: [00:04:51:14] We needed a way to engage students at the youngest levels possible and to help try to build this, this national culture in cyber security. Everybody has a laptop, everybody's got a phone, so everybody needs to start understanding their role in security when dealing with these types of tools. And so our director here, Dr. Greg White, who is a big fan of the collectible card game, Magic: The Gathering, thought that we could somehow teach cyber security through a card game. And so that's how we embarked on this program.

Dave Bittner: [00:05:30:07] I'm curious, I think when we think about cyber security, certainly when we think about electronic connected devices, so it's an interesting choice to make this a completely analog pursuit.

Larry Sjelin: [00:05:41:07] Yeah, it's really a low tech way to teach a high tech subject and one of the things that we are learning through the feedback that we're getting from the teachers that are using it plus the students is that they're able to really kind of see a network now in front of them as they lay their cards out, their assets and their defenses and their attacks deck and threaten them, they see this now where a lot of students have said, "I can hear the teacher lecture all day long but it didn't really make any sense until I could see the cards laid out in front of me."

Dave Bittner: [00:06:14:14] So if I'm a school who wants to take part in this, how can I reach out to get on board?

Larry Sjelin: [00:06:21:10] They can contact us through our website which is Schools and teachers can contact us and we'll put them on our mailing list and we will send them a class set which is 25 starter decks and 25 booster packs fully free and the way we are able to do this is through sponsorships from individuals and organizations. There's also a digital version of the game. That can be downloaded for free. That's a nice way to compliment the card game in the classroom plus also students can download this at home and continue to play the game, continue to learn from it. We have some new boosters that are coming out, one of them is focused on personnel so it's going to teach to the students various types of job positions out there, career fields, which will really help get kids interested at an earlier age and help build up the workforce.

Dave Bittner: [00:07:24:00] That's Larry Sjelin. He's Director of Game Development at the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio.

Dave Bittner: [00:07:34:24] There's no further evidence for or against the Bloomberg report on Chinese supply-chain seeding attacks. Absence of evidence is, of course, not evidence of absence, but the story still seems thin. The lack of corroboration has begun to prompt theories that the whole account was a plant by elements within the US Intelligence Community hoping to make Sino-American relations even worse than they otherwise be. But as China-watching media outlet SupChina points out, whether Bloomberg has found a smoking gun or is just chasing ghosts, the damage to already frayed relations has been done.

Dave Bittner: [00:08:12:04] In the US, the Department of Homeland Security notices an increase in election-related incidents. "Numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data and undermine confidence in the election." That's from a Department document obtained by NBC News.

Dave Bittner: [00:08:34:16] Nonetheless DHS thinks midterm voting will go off relatively unproblematically. They are working to identify the threat actors and say that the behavior they're seeing, malicious emails and denial-of-service attacks mostly, are equally available to state and non-state actors.

Dave Bittner: [00:08:51:20] Here's some of the activity the security industry is saying it sees. Security firm Anomali reports a surge in black market trafficking of voter records. Working with cybercrime intelligence shop Intel 471, their researchers found offers on the dark web of some 35,000,000 voter records for sale. They're being priced by state, at costs ranging from $150 to $12,000. The data is said to include some personally identifiable information of the sort collected in voter databases, name, address, party affiliation and registration history. The states believed to be affected with a high degree of confidence are Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming. The other states may be affected as well.

Dave Bittner: [00:09:47:09] A few things are worth noting. First, this is a report of a hacking forum offering, not a report of a set of exposed databases although Anomali does say that some researchers have sampled the offerings and that they look genuine. Second, while the data may well be illegally offered for sale, it may not have been illegally obtained. Most states' voter records of this kind are matters of public record, sometimes with the voters being able to opt out of the records being made public and with sales, by the states, restricted to certain categories of buyers. And third, interestingly, a buyer vaguely described only as high-profile has been running crowd-funding campaigns to purchase the data on a state-by-state basis.

Dave Bittner: [00:10:30:01] Anomali doesn't attribute the buying or selling to any particular actor but they do present it as an example of criminal activity and the characteristics of the data are more suggestive of gangland than of state espionage services. But the case is ambiguous and the story is still developing.

Dave Bittner: [00:10:48:15] In the UK, GCHQ's National Cyber Security Centre has warned, as it releases its annual report, that state-sponsored hacking is a bigger problem than ordinary cybercrime and that life-threatening cyber attacks can be expected at some point in the future. The acute threat, as the report issued earlier today puts it, comes from state actors. The chronic threat comes from criminals. NCSC Director Martin said, "I remain in little doubt we will be tested to the full, as a center and as a nation, by a major incident at some point in the years ahead." Since the NCSC achieved full operational capability two years ago, it's defended the realm against, on the average, somewhat more than ten attacks a week. The report also includes a shout-out to the Five Eyes, "The alliance, now nearly eight decades old, remains at the heart of our international partnerships."

Dave Bittner: [00:11:45:08] Lithuania, joining the Anglo-Dutch push to the EU to adopt clear cyber sanctions, reassures Italy that this isn't necessarily an anti-Russian gesture. Sputnik is under no such illusions. The West is after Russia and that's where the EU will deploy any sanctions. It does indeed seem likely that the EU will sanction Russia for the GRU's Novichok nerve agent attack in Salisbury, England, and for the attempted hack of the Netherlands-based international Organisation for the Prevention of Chemical Warfare. Russian officials of course deny that anything of this kind took place. Furthermore TASS is authorized to disclose that anti-Russian slander is a Western plot to undermine Russia's good faith efforts toward international norms of conduct in cyberspace. It's unlikely that this story will find many takers.

Dave Bittner: [00:12:37:00] And finally the tech world, indeed the world as a whole, bids farewell to Paul Allen, the co-founder of Microsoft. He succumbed yesterday at the age of 65 to the cancer he'd battled for some time. Our condolences to his family, friends and colleagues. May he rest in peace.

Dave Bittner: [00:13:01:00] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption and they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security, And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:01:05] And I'm pleased to be joined once again by Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, welcome back. You wanted to touch today with some updates on Satori. Bring us up to date. What's the latest?

Mike Benjamin: [00:14:15:05] Well, as many people have read, the Satori malware is a Mirai based malware family that targets largely IoT devices although one of the updates we should talk about today is that it's moving a bit beyond IoT devices. And so the history of Satori is that the actor behind it took the Mirai malware which was, we can call it open-sourced unfortunately by the individual who authored it and this actor made quite a few modifications to it to attempt to obfuscate it, to attempt to make it spread more quickly. And the note that the author should, I hate to say receive credit, but be known for in terms of this variant is that he's been very quick to add exploits to the malware and then make use of them in a rather quick manner.

Dave Bittner: [00:15:03:17] And so what are you seeing in terms of updates and, and current exploits?

Mike Benjamin: [00:15:09:13] So the one that we've been watching most recently is attacking the Android Debug Bridge, a service that's enabled in certain Android devices that can allow access to the device remotely. Unfortunately the actor has found that a number of devices are on the open Internet running this service and has been using it to spread the malware. And so the actor deploys typically two different variants of the malware, one focused on DDoS attack and one focused on cryptomining and so we've seen both variants attacking the Android devices in addition to the more traditional appliances like DVRs, webcams and other items that Mirai more traditionally targeted.

Dave Bittner: [00:15:49:05] So what's the best way to protect yourself against this?

Mike Benjamin: [00:15:52:20] Well, it's patch, realistically, right? Have an understanding of what technology is out there, patch it and set it up by best common practices. With one exception the Satori malware has always used well-known exploits and while the actor's gotten faster at being able to utilize the exploits to spread their botnet, as an example we actually saw one of the installations of this late last year grow to as large as 500,000 devices and so the actor's been successful with adding new exploits but those were not new items. The one exception is he did manage to get his hands on an unknown exploit, a zero-day within some customer premises gear produced by Huawei and he used that to build one of his botnets late last year.

Dave Bittner: [00:16:36:01] Mike Benjamin, thanks for joining us.

Dave Bittner: [00:16:42:19] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:17:17:07] We hope you'll check out the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute.

Dave Bittner: [00:17:36:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.