The CyberWire Daily Podcast 5.30.19
Ep 854 | 5.30.19

Malicious misdirection. Found on the subway. A summary of file exposure. Turla’s back, and as clever as ever. ICRC proposes rules of cyberwar. Baltimore ransomware update.


Dave Bittner: [00:00:03] Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online. It's in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it's not a single problem. Turla's back and still after diplomats. The International Red Cross proposes rules for cyber conflict. And Baltimore City calculates the cost of not patching. It's a lot higher than the cost of patching.

Dave Bittner: [00:00:36] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours, or even weeks, and that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at, or be the blue team in the interactive demo. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:33] From the CyberWire studios at DataTribe, I'm Dave Bitner with your CyberWire summary for Thursday, May 30, 2019.

Dave Bittner: [00:01:40] Zscaler reports finding a campaign of malicious redirection from WordPress sites in the wild. Those responsible are exploiting a cross-site-scripting vulnerability in the platform's widely used WP Live Chat Support plug-in. It's not a widespread attack, Zscaler says, not yet anyway. But the attackers have demonstrated the ability to redirect victims to malicious sites that serve up pop-ups, phony error messages and bogus subscription pages. The domain used to inflict all of this stuff is Blackawardago, a domain registered just two weeks ago on May 16.

Dave Bittner: [00:02:15] Coincidentally, that's the day after WP Live Chat Support developers released version 8.0.27 of their software, which closed the vulnerability exploited in the Blackawardago campaign. Users running current versions of WP Live Chat Support should be OK. It's another object lesson in the importance of patching. The city mothers and fathers of Baltimore should take notice, but more on Baltimore later.

Dave Bittner: [00:02:41] Another database has been found exposed online - this one a Chinese set of 45.2 million records culled from online data sites. Jeremy Fowler of Security Discovery found the exposed data. The lovelorn and hopeful in this case are mostly English-speaking, as Fowler's sampling of the data suggests. Moreover, most of them appear to be Americans.

Dave Bittner: [00:03:04] In any case, a number of quite disparate-appearing dating apps were using the same exposed depository. Fowler attempted to look up the domain owner, and he had some success. Unfortunately, the address listed was for Line 1, Lanzhou, which is a metro station in the subway line serving the community of Lanzhou. He stopped short of saying that this is some sort of malicious effort, but he does offer a cautionary note - quote, "Call me old-fashioned, but I remain skeptical of apps that are registered from a metro station in China," end quote.

Dave Bittner: [00:03:37] Well, in fairness to the app-makers, sometimes you have to work from wherever you can get Wi-Fi. One of our stringers once had to file from a Starbucks in a Safeway in a Washington Metro station because he couldn't get connectivity from the National Defense University. Sometimes you got to do what you got to do, and it's an app-eat-app world out there, friends. Still, the No. 1 to Lanzhou probably isn't the love train, either.

Dave Bittner: [00:04:01] But the dating apps themselves might well arouse a degree of skepticism, if only because they seem to cater to very different clienteles that probably have negligible overlap. For instance, to take Fowler's partial list, there might be a degree of commonality of interest between users of Mingler, an interracial dating app, and Christiansfinder, which, as its name suggests, would seem to cater to Christian singles looking for potential soulmates.

Dave Bittner: [00:04:26] But Christianfinder is unlikely to share many users with Cougardating, for cougars and spirited young men, as the site itself proclaims, and still less with FWBs - that is, friends with benefits. Some of the preferences realized in the sites Fowler himself hesitates to speculate about, although he does, but we'll pass over this in silence, as we're a family show.

Dave Bittner: [00:04:50] Whoever is working from that subway station, they've been busily collecting a lot of information that might be useful to various shady advertising enterprises or to criminals or even to state intelligence services.

Dave Bittner: [00:05:02] Digital Shadows shares some glum perspective unrelated to Cougardating or TalkBirdieToMe, which we think must be an app for frisky Baltimore Orioles fans. But that perspective is relevant, nonetheless. The company thinks some 2.3 billion files are similarly exposed. Some of that information is just the small-change chicken feed of the digital exhaust we distribute around cyberspace, but the other data may be practically gold. They found those files among the usual suspects - SMB-enabled file shares, misconfigured network-attached storage devices, File Transfer Protocol and rsync servers and Amazon S3 buckets. Admins everywhere, look to your configurations.

Dave Bittner: [00:05:45] The city of San Francisco recently passed legislation banning the use of facial recognition software and other related technologies. Civil libertarians see this as a step in the right direction, while some in law enforcement feel they may be losing an effective crime-fighting tool. Matt Aldridge is a solutions architect at Webroot, and he offers these thoughts.

Matt Aldridge: [00:06:06] This announcement from San Francisco, it covers the facial recognition technology, but it seems to also cover things like license plate recognition as well, so it's kind of quite a broad decree they've made, and it's relating to the municipal service providers - so the police, transportation, things like that. And the technology there - so with the license plates, obviously, it's pretty straightforward, reading those and processing that for things like parking violations, traffic violations, things like that.

Matt Aldridge: [00:06:34] On the police side, they're using it for facial recognition. And obviously, to do that, they need to keep a database of people of interest and the facial characteristics of those people in order to find a match when their officers are out and about using body cameras, or they're using cameras on infrastructure around the city.

Dave Bittner: [00:06:55] There are concerns from both the civil liberties side of things but also the technical side as well?

Matt Aldridge: [00:06:59] Absolutely. There's different streams of concern, like you say. So technically, the technology isn't perfect, and it does have false positives. But also, and probably more concerning is the fact that, you know, there's a lot of sensitive data being collected and stored, and that needs to be adequately protected, and in many cases, it isn't, and the kind of appreciation isn't there for the sensitive nature of the biometric information that's being collected and profiled around people.

Matt Aldridge: [00:07:27] That's the technical side is, really, how do you protect and secure that information? What kind of controls should there be about the retention of that information? How long should you keep these records? And then on the social side, it's more about people's privacy, about avoiding situations in the future where government policies may change, and this information could be used in kind of aggressive ways to pursue political goals, rather than purely for the kind of security goals that it was originally envisaged. So there's a lot of concerns out there both from a technical and social perspective.

Dave Bittner: [00:08:02] Yeah, I've seen some reporting also that there seems to be - the facial recognition software is less accurate when it comes to certain groups of people. Like people of color, even sometimes with women, the hit rate is not as high as it is with other groups.

Matt Aldridge: [00:08:16] Yeah, that's absolutely right. Some of that comes down to just the sort of physics of capturing the light and things like that. Other things to do with the way the machine learning is trained and the kind of volume of data that it's being exposed to when it's doing this sort of recognition - environmental conditions, weather, day, night, all these things can affect the systems. So you know, they're far from perfect.

Matt Aldridge: [00:08:39] I don't think that's necessarily a huge issue, as long as the systems are used in the proper way and as long as the limitations are understood by the likes of law enforcement, so that they don't rely on it in the same ways you don't necessarily rely on a kind of polygraph test or something like that. These things are, therefore, kind of guidance, but they can't be used - well, they shouldn't be used as a kind of convicting a person before they've even gone on trial. It's very imperfect technology.

Dave Bittner: [00:09:07] Do you suppose this will be first of many? Do we suspect that other cities will follow suit?

Matt Aldridge: [00:09:11] Possibly, yes. Possibly, certain cities may do. I would hope that some will start to at least have the conversations and start to legislate for how these things should be. If they are allowed, there are controls that need to be put in place around them to minimize the risk of breaches of the sensitive personal information that's being gathered and also to control how that data is retained, ensuring it's being purged properly, ensuring that any third parties involved are properly vetted and monitored and things like that.

Dave Bittner: [00:09:40] That's Matt Aldridge from Webroot

Dave Bittner: [00:09:44] Security firm ESET is taking a close look at the Turla threat actor's latest capers, many involving Powershell exploits. Turla - often called Snake or, more classically, Urobouros - is a long-running Trojan-wielding espionage campaign that, for the most part, goes after diplomatic targets. It's thought to be the work of one of the Bears, our friends over in the Russian intelligence services.

Dave Bittner: [00:10:09] The International Committee of the Red Cross has released a study of the potential humanitarian costs of cyber operations. The report cites, as part of its motivation, the need to address the effect of incidents such as WannaCry, NotPetya and attacks on the Ukrainian grid have on delivery of essential goods and services to civilian populations. It also cites the increased willingness to conduct offensive cyber operations by countries other than Russia and North Korea.

Dave Bittner: [00:10:36] The ICRC study is intended to inform the laws of armed conflict of how new cyber technologies might be constrained to ameliorate suffering from operations in this newly contested domain. The topic is an important one. As infrastructure that delivers goods and services human beings need, just insofar as they're human beings - water, food, medical care, power - it's important to consider how to prevent attacks on that infrastructure from hitting uninvolved civilians. The Red Cross study, to which a number of cybersecurity firms contributed, is intended to be a step in that direction.

Dave Bittner: [00:11:12] Did we mention Baltimore up at the top of the show? We did. Any who, coming back to news about Charm City, Baltimore thinks the ransomware attack on the city's systems will cost it around $18 million when all is said and done; that's according to The Baltimore Sun. The city's budget office presented this estimate to the city council yesterday.

Dave Bittner: [00:11:32] The city's IT department has already spent $4.6 million on recovery since the attack hit on May 7. It thinks it will spend an additional $5.4 million by the end of 2019. These are direct remediation costs, and they're confined to this year. Whether additional charges will pop up and whether the city will be paying for fixes into 2020 remains to be seen, but some city council members think these preliminary figures are likely to go up.

Dave Bittner: [00:11:59] So if you're keeping score, that comes to $10 million. Where will the other $8.2 million go? That represents an estimate of lost and at least delayed revenue from such sources as property taxes, real estate fees, fines, water bills and so on. These, too, may also be lowball estimates. We're just spit balling here, but we guess it would have cost less to patch those systems two years ago. You know what else? You could probably even pay for regular secure backup and still come in ahead.

Dave Bittner: [00:12:35] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:47] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You all recently published a report here; it was titled, "Talos Releases Coverage For Wormable Microsoft Vulnerability." What's going on here?

Craig Williams: [00:14:02] Well this is one of those, you know, once-every-few-years vulnerability that comes out, where just by the sheer nature of the vulnerability, anyone with a security background is going to immediately have the hair stand up in the back of their neck. If you're not familiar with RDP, it's basically the remote desktop protocol, which is what allows you to connect to computers remotely in Windows. Because of that, many, many people and even smart people and even security-conscious organizations have exposed it to the Internet for one reason or another. I want to be clear here, that's a bad idea.


Craig Williams: [00:14:37] Don't do it.

Dave Bittner: [00:14:37] OK, there's no ambiguity.

Craig Williams: [00:14:37] Yeah, don't do that.

Dave Bittner: [00:14:40] OK.

Craig Williams: [00:14:41] But they have, perhaps for troubleshooting or to allow someone to work remotely - they forgot to close the firewall hole when they were done doing something. And so if you look at, you know, a Shodan scan of the Internet before this advisory came out, I think there was over a million of these exposed to the Internet. And so it gets worse, right?

Craig Williams: [00:14:59] Now, normally, when this type of vulnerability would happen, only a very, very tiny subset of operating systems would be affected, right? If you look back with, like, WannaCry, the WannaCry vulnerability, there was a large number of systems affected, but a relatively small subset of Windows. In this particular one, if I remember correctly, it's everything older than Windows 7 and including Windows 7. Yeah, it's not a good scenario.

Dave Bittner: [00:15:25] Well, let's dig into some of the specifics here. What is this capable of doing?

Craig Williams: [00:15:30] Well, it's going to get remote code execution, and it runs as system. So it's pretty much complete compromise of everything.

Dave Bittner: [00:15:38] So walk me through here. Just - I want to rewind and just cover some of the basics here. So I've opened up my system to the Internet with RDP. Someone can then do what?

Craig Williams: [00:15:49] Well, it's unauthenticated. So they don't need a user, they don't need a password. They can simply be scanning the Internet, which we know they are now. We're seeing a huge number of systems scanning the Internet. And once they see it, they can send a certain special sequence of instructions and achieve remote code execution and then potentially have their malware run on your box with system-level privileges, which will give it access to everything.

Craig Williams: [00:16:13] It's just about as bad as it gets, and it's affecting a tremendous amount of Windows machines on the Internet just because it covers so many versions. And unfortunately, much like SMB, while it should really never be exposed to the Internet, it very, very often is, even in organizations that you would hope know better.

Dave Bittner: [00:16:34] And so what are the recommendations here? What are you all at Talos suggesting people do?

Craig Williams: [00:16:40] Well, you know, obviously, the first one is patch. Now, obviously, patching is not always available for everything, you know, and then there's also the caveat of, well, are you really sure you patched all the machines? So while I would say try and patch, it's also important that you make sure that you don't have that port open on your firewall. And you know, also make sure that somebody is not running it just on a different port. We see that a lot. People think they're clever because they run it on, like, x-plus-one port, and it's not a great solution because people who scan for it can see that identified as well.

Dave Bittner: [00:17:10] Now, you all have published some snort rules with this?

Craig Williams: [00:17:14] Yes. So the exploit scenario - and I think, as we're recording this, there's no public exploits. We're not going to give away all the details, but several security companies have designed private exploits. We've identified code paths that have to be taken in order to get code execution. And so what we're detecting is basically something that would be required for an attacker to actually get code execution. And so if everything is working correctly, we're going to block those attempts using firepower in the snort rules before the actual malware code gets to the system.

Craig Williams: [00:17:47] So this is an important distinction. I'd love to discuss it with you, right? A lot of people don't understand how people write signatures for an intrusion prevention system.

Dave Bittner: [00:17:55] Yeah.

Craig Williams: [00:17:55] You know, if you're just trying to be fast and if you don't really understand what you're seeing - you know, I've seen some vendors who will literally cut and paste a string out of the malware, and they'll be like, done - covered. That's bad (laughter).

Dave Bittner: [00:18:10] How come?

Craig Williams: [00:18:10] Well, I mean, think about the way that malware can be designed, right? You know, at a really high level, malware can be as creative as a book, right? Anything you could write in the book is perfectly valid. And so trying to just string off a piece of that book, it's pointless, right? The next sample could be completely different.

Craig Williams: [00:18:28] So instead, if you look a little deeper - well, how is the malware getting loaded? - that's where you find what we would call the vulnerability. And so if you can find the condition that actually causes the rogue code execution or condition before that that's sufficiently rare that it would never be used legitimately, and we can actually block that, then it never matters what the malware payload is. We're always going to block the condition necessary for that malware payload to get executed. And so by doing that, we can actually write one signature and cover all the variance, as opposed to having to write, you know, potentially an infinite number of malware signatures.

Dave Bittner: [00:19:00] Yeah. All right. So I mean, this is a serious one. This is a biggie.

Craig Williams: [00:19:05] It's about as bad as it gets.

Dave Bittner: [00:19:06] Yeah.

Craig Williams: [00:19:07] You know, when Microsoft puts out their advisory and then immediately puts out a blog post about the next wormable Microsoft vulnerability, you should panic.

Dave Bittner: [00:19:16] (Laughter) If not panic, at least pay attention, right?

Craig Williams: [00:19:19] Yeah. Yes, your hair should stand up. You should turn on the coffee machine. And you should sit down and read. Go to the Talos blog, read. Check out your podcast. Make sure that we're all on the same page, and then deploy some protections.

Dave Bittner: [00:19:29] All right. Fair enough. Craig Williams, thanks for joining us.

Dave Bittner: [00:19:37] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIt, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:49] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.