The CyberWire Daily Podcast 12.12.18
Ep 743 | 12.12.18

Operation Sharpshooter. Meng makes bail. Sino-American cyber tensions. Leadership crises in the UK and France. Congress doesn’t lay a glove on Google. 2018’s bad password practices.


Dave Bittner: [0:00:03] McAfee describes Operation Sharpshooter, an ambitious cyber reconnaissance campaign. Huawei CFO Meng makes bail in Vancouver, and China reacts sharply to the arrest. The U.S. is said to be preparing sanctions and indictments in response to various Chinese hacking activities. A no-confidence vote is called in the U.K. In France, President Macron makes concessions to the yellow vests. Google skates through its interrogation by Congress, and bad passwords get raided.

Dave Bittner: [0:00:40] A few words from our sponsor, Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operation center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with a threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more, and we thank Cylance for sponsoring our show.

Dave Bittner: [0:01:43] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 12, 2018. McAfee Labs Malware Operations Group reports its discovery of Operation Sharpshooter, a critical infrastructure cyber reconnaissance campaign. They conclude it's a nation-state operation, but they commendably are reticent about offering any specific attribution. They do note the campaign shows some code overlap with earlier operations by the Lazarus Group, which of course has long been associated with North Korea. Operation Sharpshooter's targets are global in scope, but they're concentrated in several sectors - nuclear, defense, energy and financial services companies.

Dave Bittner: [0:02:32] McAfee says Sharpshooter uses an in-memory implant to download and retrieve a second-stage implant. They call that implant Rising Sun. And Rising Sun, which sets the target up for further exploitation, uses source code from the backdoor Trojan Duuzer which the Lazarus Group deployed back in 2015. For now, at least, Operation Sharpshooter must be regarded as a reconnaissance effort - it would be prudent to regard reconnaissance of this kind as the first stage of a larger program - and also as possible battle space preparation for subsequent attacks. How does Operation Sharpshooter draw an initial bead on the target? Through social engineering. We're almost tempted to say through social engineering - how else? A Sharpshooter infestation starts with a malicious macro in a document, usually delivered via Dropbox, and representing itself as legitimate corporate recruiting activity.

Dave Bittner: [0:03:32] Huawei's CFO, Meng Wanzhou, has been granted bail. It's a hefty sum - $10 million Canadian or about $7.5 million U.S. The Vancouver judge who overcame his initial skepticism about bail also directed Ms. Meng to wear a tracker on her ankle, observe a curfew and pay the cost of her own surveillance. The complaint on which she was arrested had its origins in U.S. charges - that she was involved in Huawei's use of a cut-out company, Skycom, in the service of evading sanctions against Iran. So this is a sanctions-related fraud beef and not an espionage case, although there's been considerable suspicion in many countries over Huawei's connections to Chinese intelligence operations and their interest in industrial espionage.

Dave Bittner: [0:04:20] China's reaction has been sharp. The U.S. ambassador was called in for an explanation. That is a dressing-down. More seriously, Chinese authorities have, according to The Times of London, taken a former Canadian diplomat into custody. Michael Kovrig, now a senior adviser for the International Crisis Group, an organization that studies conflict prevention, is being detained for reasons that aren't entirely clear but that are generally regarded as retaliation for Ms. Meng's arrest. Chinese public opinion on the matter is running in a strongly patriotic direction.

Dave Bittner: [0:04:56] Sino-American tensions over cybersecurity are running high right now for other reasons. U.S. investigators are moving toward the conclusion that Chinese intelligence services were behind the epic Marriott data breach when the Starwood reservation system coughed up half a billion people's personal information during a quiet four-year campaign. The Washington Post said yesterday that the U.S. was preparing to take a tough line with China over cyber espionage and IP theft in particular, with a mix of sanctions, public denunciation and indictments. The indictments aren't out yet, but The Wall Street Journal says they're going to deal with alleged Chinese attempts to compromise large managed service providers.

Dave Bittner: [0:05:38] Many organizations are embracing DevOps or DevSecOps to better integrate security throughout a product's lifecycle. Ali Golshan is co-founder and CTO for StackRox, a container security company. And he joins us with his perspective on DevOps.

Ali Golshan: [0:05:55] The major changes that we've been seeing in infrastructure, you know, from virtualization to public cloud - the major trends that we've been seeing is more and more businesses are obviously trying to focus on as much of their workforce and their resources on delivering value and kind of delight for their customers. Naturally, a lot of movement towards kind of online services created this model where developers and ops folks had to move faster, create faster and build at a more granular level so you don't build these traditional monolithic applications.

Ali Golshan: [0:06:29] These trends, combined with the notion of, you know, wanting to move towards a continuous integration and deployment so you can build faster, test faster, build more resilient solutions, created this movement that then brought on, I think, what we now really classify as DevOps, which is this full lifecycle of product management from build, deploy, through runtime under various toolings and can - workflow consistencies that you bring along that process.

Dave Bittner: [0:06:55] Now, when it comes to integrating security into DevOps, how does that happen?

Ali Golshan: [0:07:01] This is where - for one of the first times in infrastructure or platform or just general design history, we've had this well-aligned model where security can be integrated at a much earlier stage. Traditionally, we had security as more of a linear function where you went through your building, you went through to deployment and security took over and bolted on security and helped lock everything down. Now because everything is more continuous, higher velocity, more granular pieces, security is becoming - it hasn't quite gotten there yet.

Ali Golshan: [0:07:32] This is obviously one of the things we're trying to focus on and help drive, but it's an integration not just on product. It's actually trying to leverage as much as the infrastructure as possible. It's part of the workflow, so it's not just that you can hand off things. It's you have to be integrated with DevOps teams and their workflows. This is where you see more of the security shifting left, working at the build, deployment to remove a lot of the risks and harden a lot of the system before it even gets to a point of deployment and production. And the last part of it where we're seeing security really try to focus on integrating and working with this particular workflow is around common languages or frameworks. This is where we're seeing, for example, Kubernetes becoming a really good platform or language for security folks and DevOps folks to work together on.

Dave Bittner: [0:08:15] Now, how do you keep security from being, I guess, a speed bump in the process?

Ali Golshan: [0:08:22] I think a speed bump is typically when - security in the past has taken this notion of what we call either point solutions or form factor specific, meaning I'm going to secure the network; I'm going to secure the perimeter; I'm going to create a WAF; I'm going to do segmentation here. Or it's been focused on a very particular form factor. I'm going to secure, you know, the VM, the hypervisor. You know, more and more of this stack is looking a little hyperconverged. And more and more, it's a full lifecycle from build, deploy and runtime.

Ali Golshan: [0:08:50] So the way security becomes more integrated is - it's a very philosophical - and very much a philosophical change for security, which is more taking the approach of being guardrails at a more granular, earlier, kind of continuous process stage versus trying to have these batch process checkpoints where I analyze all this, and I either have to say yes or no or fix things. So it's the continuous aspects of it. It's security going from being, you know, pointed and point solutioned and batched to a continuous model that is allowing security to become more integrated versus a speed bump.

Dave Bittner: [0:09:25] Yeah. It seems to me like, along with this, goes some sort of culture change within the organization itself.

Ali Golshan: [0:09:32] Absolutely. And I think this is where - in a larger market and our larger customers, we see it under digital transformation. But more practically, we're seeing it as - the mindset is, the companies trying to move fast offer value. There is an enormous amount of competition in every sector being built. Companies moving away from, you know, kind of models of trying to manage as little of their infrastructure and platforms as possible focus more of their time and management on the application side. And I think these naturally have led into this DevOps, DevSecOps. But the higher aspect of what we see is obviously you have to do more with less people, and you have to automate because you are dealing with massive scale. So I think these are the core principles that we've seen create this philosophy around this current market.

Dave Bittner: [0:10:18] That's Ali Golshan from StackRox.

Dave Bittner: [0:10:20] Two European political crises are nearing a kind of conclusion. British Prime Minister Theresa May survived a no-confidence vote today largely over the handling of Brexit. The prime minister needed a simple majority of the governing party to continue in office. The final tally was 200 against 117. The other crisis involves the yellow vest unrest in France. President Emmanuel Macron has publicly offered concessions on taxes to the gilets jaunes, but he's emerging from the essentially populist furor in a somewhat weakened political position. Investigation of influence operations affecting the crisis is in progress. But in this case, any foreign - and by foreign, we mean Russian - influence operations, while likely enough on a priori grounds, would be an act of supererogation. The unrest seems to be overdetermined by various existing grievances.

Dave Bittner: [0:11:19] The U.S. House Judiciary Committee's quizzing of Google CEO Sundar Pichai yesterday is being lamented as a lost opportunity by op-eds in Bloomberg and WIRED, to cite just two of several. Democrat and Republican members of the committee are seen as having swapped partisan shots at the expense of examining big tech's manifold issues - privacy, monopolistic practices, data collection and monetization, charges of bias, particularly viewpoint bias, and so on. The committee chair, Representative Robert Goodlatte, Republican of Virginia, did draw sharp attention to Google's data collection practices. They have, he said, an appetite for user data whose voracity would make the NSA blush - not, we hasten to note, that we necessarily agree that NSA has anything to blush about.

Dave Bittner: [0:12:11] Mr. Pichai did tell reporters that Mountain View was still trying to work through a lot of difficult issues involving content moderation. One of those issues involves Project Dragonfly, which has been the internally and externally controversial search engine Google has under development. It's widely regarded as a censorship tool Google's building at the behest of the Chinese government. Dragonfly is thought to represent the company's attempt to re-enter the Chinese market in a big way. The Washington Post says Mr. Pichai and his company emerged unscathed from the hearing room. They certainly escaped the kind of wire-brushing Mr. Zuckerberg's Facebook lieutenants received on Capitol Hill and especially in Westminster.

Dave Bittner: [0:12:56] Finally, Dashlane has offered up its 2018 list of the world's worst password offenders. It's an eclectic crew, from worst to less worse. It includes Kanye West, the Pentagon, people who buy and trade cryptocurrencies, the manufacturers of Nutella, the sweetened palm oil spread with a distinctive blended flavor of cocoa and hazelnut, British barristers and solicitors, the Lone Star State of Texas, the White House staff, the United Nations and, sad to say, the University of Cambridge. You can read their commentary on Dashlane's site. But we'll close by mentioning that Kanye West earned pride of place when he unlocked his phone with a string of uninterrupted zeros in front of cameras. OK. But it seems unfair to hold an entertainer to higher standards than Queen's Counsel or the Department of Defense or Oxbridge. Be kind and be secure. Treat yourself to a serving of Nutella comfort food and think up some strong passwords.

Dave Bittner: [0:14:03] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest white paper titled "Threat Intelligence Platforms: Open Source vs. Commercial." As a member of a maturing security team evaluating threat intelligence platforms, or TIPs, you may be asking yourself whether you should use an open-source solution, like the Malware Information Sharing Platform, or MISP, or buy a TIP from one of the many vendors offering solutions. In this white paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [0:15:39] And I'm pleased to be joined once again by Johannes Ullrich. He's the dean of research for the SANS Institute. He's also the host of the ISC StormCast podcast. Johannes, it's great to have you back. You know, here we are. The holidays are coming up quickly. And you had some tips and advice for folks when it comes to those devices you might find under the Christmas tree.

Johannes Ullrich: [0:16:00] Yes. One issue that always seems to be coming up is that devices that people buy come with malware already preinstalled. And sometimes, that has happened in a factory in the past where, for example, test systems were infected and then copied their malware over to these devices. We have seen this a lot with USB picture frames and the like. The other reason we have seen this is if you saved some money and you sort of got the open box special in the store, well, that device may have been used by someone else. And they often don't properly delete all of the software and malware, of course, that they may have either intentionally or accidentally copied to the device.

Dave Bittner: [0:16:46] So how do you know if a device has been properly, you know, restored to factory condition?

Johannes Ullrich: [0:16:53] You don't really know. And that's sort of a little bit of the problem. So you should assume it has not been restored to factory conditions. So before you connect the device to anything like your computer to sort of initialize it or copy over pictures or whatever, see if you can sort of do a factory reset yourself. Quite often, they have some reset button or so that you can use to do a factory reset. That would be a first step. And then, of course, before you connect the device to your computer, make sure that computer is running some up-to-date anti-malware and such so if something is still sitting on that device, well, hopefully, it will get caught by your anti-malware.

Dave Bittner: [0:17:37] Yeah. And also, I suspect it would be good to segment your home network if you can.

Johannes Ullrich: [0:17:43] Yeah. Segment your home network. It's always great if there's, like, a Wi-Fi device or such. If you are a geek like, you know, many of us...

Dave Bittner: [0:17:51] (Laughter).

Johannes Ullrich: [0:17:51] Set up a packet sniffer. See what's happening on the Wi-Fi. And I actually have seen a couple of things. There - I remember, like, a couple of years back, a weather station - and, of course, I set up a packet sniffer whenever I bring up a new device on my network. And...

Dave Bittner: [0:18:05] Of course you do (laughter).

Johannes Ullrich: [0:18:07] Promptly, I saw that it actually sent my Wi-Fi password back to the manufacturer in the clear. And so...

Dave Bittner: [0:18:13] Wow.

Johannes Ullrich: [0:18:13] So that's definitely a nice exercise to do, always fun with the kids to look at packet captures under the tree.

Dave Bittner: [0:18:22] (Laughter) Sit in front of a nice, warm fire.

Johannes Ullrich: [0:18:26] Nice, warm fire, yes.

Dave Bittner: [0:18:27] (Laughter).

Johannes Ullrich: [0:18:28] So that's - and of course, also, if you then don't like the device and you return it to the store, make sure you first erase all information, at least as good as you can. Sometimes, that's not always that easy.

Dave Bittner: [0:18:41] Yeah. No, it's a tough thing to navigate, trying to make sure - I guess, you know, sometimes, those open box deals aren't such a good deal.

Johannes Ullrich: [0:18:50] Yeah. And like I said, it's not always the open box deals. Sometimes, it's actually from the factory. They come, as you call it, certified pre-owned. You know, the...

Dave Bittner: [0:18:59] (Laughter) There's a special sticker that comes on the box, yeah.

Johannes Ullrich: [0:19:02] Yes (laughter).

Dave Bittner: [0:19:04] All right. Well, as always, Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [0:19:07] Thank you.

Dave Bittner: [0:19:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [0:19:40] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.