The CyberWire Daily Podcast 12.6.18
Ep 739 | 12.6.18

Huawei CFO arrested in Canada, faces extradition to US. Anonymous claims that Chinese intelligence hacked Marriott. Russian hospital phished. SamSam indictments, warnings. Facebook agonistes.


Dave Bittner: [00:00:03] Huawei's CFO is arrested in Vancouver on a U.S. sanctions beef. Anonymous sources tell Reuters Chinese intelligence was behind the Marriot hack. A Flash zero-day is used in an attack against a Russian hospital - SamSam warnings and new U.S. indictments. In the U.K., parliament releases internal Facebook emails that suggest discreditable data use practices. Facebook says the emails are being taken out of context. And DDoS downs Illinois homework.

Dave Bittner: [00:00:40] A few words from our sponsor Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:42] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 6, 2018. Canadian authorities detained Huawei's CFO Meng Wanzhou in Vancouver yesterday at the request of the U.S. Justice Department. U.S. prosecutors want Ms. Meng extradited to face charges related to alleged violations of sanctions against Iran. Huawei has been under suspicion of trading with Iran in violation of international sanctions imposed on the Islamic Republic to inhibit that country's ambition to acquire nuclear weapons.

Dave Bittner: [00:02:23] In the U.S., those suspicions go back to at least 2016 when the U.S. Commerce Department was investigating Huawei's smaller rival ZTE for sanctions violations. The penalties the U.S. subsequently imposed on ZTE brought that company to the brink of failure. During that inquiry, Commerce investigators found internal ZTE documents that showed ZTE was studying another company's ways of evading sanctions. That other company, named only as F7, is now believed, The Wall Street Journal reports, to have been Huawei.

Dave Bittner: [00:02:58] The daughter of Huawei's founder Ren Zhengfei, Meng Wanzhou has come to be regarded as the face of the company. The arrest apparently triggered a stock sell-off in European markets, which dropped to a two-year low after the arrest was announced. Huawei has, for some time, been under suspicion of collecting on behalf of China's intelligence services, which is why Australia, the U.S. and New Zealand have moved to exclude the company's products from forthcoming mobile networks.

Dave Bittner: [00:03:27] In the U.K., the head of MI6 used the occasion of a rare speech to strongly caution against allowing Huawei to expand its presence in British networks. And the country's largest telecom provider, BT, this week announced that it would jettison its Huawei-produced equipment. With the arrest in Vancouver, all of the Five Eyes have now taken certain measures against Huawei.

Dave Bittner: [00:03:51] How the collar will affect the Sino-American 90-day trade war truce is unclear. But there are few indications of relaxation in either Chinese industrial espionage or American law fare. In a development announced in a Reuters exclusive, there are now suspicions that the Chinese government may have been behind the Marriot breach. The long-term, quiet presence of hackers in the hotel chain's networks, as well as the apparent absence of criminal exploitation of the data that were stolen, prompted early speculation that a state intelligence service was behind the data breach.

Dave Bittner: [00:04:26] Reuters says now that private investigators attribute the Marriot data breach to Chinese intelligence services. Anonymous sources - anonymous because they weren't authorized to talk - told the news service that investigators found hacking tools, techniques and procedures previously linked to China's government. This evidence is, of course, both anonymously sourced and also circumstantial and should be treated with appropriate caution. Hacking tools are both shared and stolen. And techniques and procedures can be mimicked.

Dave Bittner: [00:04:58] For a cautionary tale of murky attribution, consider the reservations Microsoft researchers expressed early this week about last month's claims that Russia's Cozy Bear was behind a phishing campaign that afflicted the U.S. State Department and various think tanks. So the Marriott story is still developing.

Dave Bittner: [00:05:17] Researchers at security firm Cylance recently published a report titled "The SpyRATs of OceanLotus" describing a series of backdoors and the command and control servers used to service them. Tom Bonner is director of threat research at Cylance.

Tom Bonner: [00:05:33] So this was uncovered during an incident response investigation. We started to receive a few remote-access trojans related to this case. And pulling them apart, it quickly became apparent that, you know, the - it aligned nicely with OceanLotus, APT32 tactics. And from there, we started to investigate further, see what other malware and remote-access trojans we could uncover. And in the end, I believe we ended up with a list of about 120 different samples. So we've mapped those out in the key sort of malware families underpinning the OceanLotus attacks.

Tom Bonner: [00:06:13] The process initially started with AR. They were conducting an investigation for a particular company, found an interesting sample that they couldn't get to really load or run properly. So that sort of landed within threat research to take a closer look at. It turned out, actually, to be a new backdoor from ABT 32 group - very interesting. We've named this one Roland. Basically it comes sort of highly obfuscated - encrypted if you will - although the keys obviously sent with it, so it's quite trivial to decrypt that. But then the loader process is a little bit complex.

Tom Bonner: [00:06:54] And after that, it sort of loads a payload into memory that then starts communicating back to the attacker. That allows the attacker to run remote commands on an affected system. And for this particular backdoor, it's got a very comprehensive set of commands. So you can do anything from, you know, viewing system information, viewing files or uploading and executing files - even sort of unpacking raw archives. They've got their own custom archive formats.

Dave Bittner: [00:07:24] And in terms of communicating with the command-and-control server, what's going on there?

Tom Bonner: [00:07:28] This one's using a custom TCP-based communications channel. So if we go over the sort of family of RATs that we found - or families I should say - Roland was performing command-and-control communications using custom TCP sockets. There was another backdoor called Remy. And that was using HTTP.

Tom Bonner: [00:07:57] Another remote-access trojan called Splinter, that was again using a sort of custom C2 with TCP sockets. Another remote-access trojan called Risso (ph) - and this was using ICMP, so sort of ping packets basically. Another one, which has been well-documented by other vendors, called Denis, which is using DNS tunneling to perform its communications.

Dave Bittner: [00:08:20] Now, in terms of people protecting themselves against this, what are your recommendations?

Tom Bonner: [00:08:24] I mean, really sort of light approach - so I mean, on the endpoint, your antivirus EDR software is going to be a big help. You know, for larger organizations, I would certainly recommend having - monitoring egress points on the network, certainly to look for things like DNS tunneling and a lot of the C2 communications. But really, you know, as usual, the multilayered approach often works best.

Dave Bittner: [00:08:50] That's Tom Bonner from Cylance. The report is titled "The SpyRATs of OceanLotus." You can find it on the Cylance website.

Dave Bittner: [00:09:00] A Flash zero-day was used to attack a Russian hospital. The malware was carried in a Microsoft Office document attached to an email. Office is one of the remaining channels through which the widely deprecated Flash software can be distributed in malicious form. The Russian language document represented itself as an application for a job at the targeted hospital. Who was responsible for the attack is unclear, but informed speculation holds it was probably either a Ukrainian or a Russian operation.

Dave Bittner: [00:09:30] The zero-day was submitted to VirusTotal from a Ukrainian IP address, which could mean either a Ukrainian author or a Ukrainian discoverer. If the attacker was Russian, the incident would in all likelihood be either ordinary crime or a state-directed provocation. Some observers think it's likely the attack was mounted from Ukraine either by criminals, hacktivists or state security services and that it represented retaliation for the Kerch Strait incident, in which Russian units seized three Ukrainian naval vessels. If it's a state attack, the choice of target is questionable. There may not be many formal international agreements governing cyberwar. But if the existing laws of armed conflict are any guide, hospitals ought to be off-limits.

Dave Bittner: [00:10:18] A U.S. federal grand jury in Atlanta has brought additional charges against the two Iranian men previously indicted for the deployment of SamSam ransomware. The new charges specifically address the attack on the city of Atlanta. The two accused remain at large. They're of course not SamSam's only possible controllers. The FBI and U.S. Department of Homeland Security warn that SamSam is being actively deployed against critical infrastructure targets including utilities.

Dave Bittner: [00:10:49] The British Parliament's inquiry into Facebook's data handling and commercial practices continues to bring bad news for the social network. Internal emails look particularly bad. Parliament took these from a third party, Six Four Three (ph), that received them in discovery during a Pechiney-related litigation with Facebook. The emails appear to show that Facebook established a whitelisting program in which they would offer selected customers access to information about users' friends - that's friends in the Facebook term of art sense - through an API. It's unclear that users were informed that their data might be used in this way.

Dave Bittner: [00:11:28] There's also an anticompetitive aspect to this - or at least that's the way Parliament's Committee on Culture, Media and Sport, the group that's investigating, sees it. It appears to them that Facebook excluded potential competitors from the white list. Facebook founder and CEO Mark Zuckerberg has replied with denials that Facebook ever sold user data.

Dave Bittner: [00:11:50] He also points to work he says the company has done to exclude shady apps from interacting with its platform. And he suggests that the emails for the most part represent pre-decisional internal discussions. The social network has said Parliament cherry-picked the emails it released and that if they were considered in proper context, they wouldn't look bad at all.

Dave Bittner: [00:12:14] Finally, we sometimes have occasion to think about how deep and enduring aspects of American culture manifest themselves in cyberspace. One such cultural strain, a deeply ingrained laziness that moves Americans to expend a great deal of time, effort and sweat if doing so promises to get them out of doing something they'd rather not do, is on display in the state of Illinois this week.

Dave Bittner: [00:12:39] A high school student in the central Illinois town of Mount Zion was arrested and told to appear in court to face charges of computer tampering. Mount Zion police say the unnamed student conducted three distributed-denial-of-service attacks against the school district's network on November 20, 26 and 27.

Dave Bittner: [00:13:00] The goal of the DDoS campaign was to disrupt the school's online homework system. Whether the 18 year old was doing it for the lulz or really just didn't want to turn in a worksheet on the judicial system or some other assignment. We don't know. But we do know this - kids, stay in school. And turning your homework in shouldn't become a matter for the police.

Dave Bittner: [00:13:28] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at That's And we think ObserveIT for sponsoring our show.

Dave Bittner: [00:14:37] And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We saw a story come by on ZDNet. This was written by Chris Duckett. And the title was "5G Stakes Couldn't Be Higher So We Advised Huawei Ban." And this is the - Australia's Signal Directorate. What's going on here? What are they concerned about?

Charles Cancy: [00:15:01] So there's been global concern, certainly from within the United States but also in much of the rest of the world, that as 4G networks have been built out and now as 5G is coming online, that the supply chain for this is limited in that there's only a handful of major vendors who are providing equipment. You essentially have a couple vendors in Europe, and then you have Huawei out of China. And with increasing cybersecurity concerns around Huawei, the world is trying to figure out how it wants to work with Huawei or doesn't want to work with Huawei when it comes to 5G.

Dave Bittner: [00:15:39] And the concern here is that Huawei has a - too close of a relationship with the Chinese government?

Charles Cancy: [00:15:46] Exactly, in that - sort of two facets there. One is that Huawei may have hidden backdoors in the equipment that would allow Chinese intelligence and military services to remotely access it, or even more directly, the fact that many countries lack the technical knowledge needed to operate their own telecommunications infrastructure and frequently will end up in a services relationship with Huawei where Huawei not only provides the equipment, but also operates the equipment on behalf of the country.

Dave Bittner: [00:16:18] Now, one thing the article points out here is this notion that these networks have a core and an edge and that that difference is being diminished with 5G. Can you explain to us, what are we talking about with an edge and a core, and how is that evolving?

Charles Cancy: [00:16:33] So within the early cellular networks and, in fact, all the way up through 4G, you had a very well-defined logical network. And you had a core network that was responsible for subscriber data and call records and call routing. You had a - kind of the intermediate network, which was the cell towers themselves. The cell towers represented the edge of the carrier network. And then the edge network continued from there, which connected all the way to your handset. So you have your handset on one end, the cell phones themselves, which are the property of the consumers. You have the cell tower in the middle. And then you have the core network, which needs to be protected.

Charles Cancy: [00:17:18] And as we saw with the legislation and regulatory activity hearing in the United States when a Huawei and ZTE ban was proposed by Congress last year, ultimately that language was modified to essentially say that it's OK to still use Huawei phones, but you shouldn't use Huawei routers in the core of your network. So the argument over the last year has really been that many countries are taking the position that in the core of the network, we definitely don't want any Huawei equipment. But on the edge of the network - for example, low-cost handsets - it may be OK to have Huawei devices because the impact to national security is lower.

Charles Cancy: [00:17:58] However, the Australians are making the case that the edge of the network is starting to disappear in 5G. And in fact, the 5G core network really is just a collection of services that live in the cloud. And so certainly there are cell sites that are responsible to connect phones to the network, but the strong physical linkages, the individual boxes in a network map, are vanishing and turning into essentially apps running in the cloud.

Charles Cancy: [00:18:27] So I think it's an interesting point that it's harder to make that differentiation. But I think, at the end of the day, what many of the carriers are going to care about - essentially whether or not they can use Huawei cellphones because Huawei cellphones are an inexpensive option that allow a much broader population to be able to afford smartphones.

Dave Bittner: [00:18:48] All right. Dr. Charles Clancy, thanks for joining us.

Charles Cancy: [00:18:50] Thanks a lot.

Dave Bittner: [00:18:56] And that's the CyberWire.

Dave Bittner: [00:18:58] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.