The CyberWire Daily Podcast 6.6.19
Ep 859 | 6.6.19

BlueKeep proofs-of-concept. BeiTaAd plug-in is a serious Android pest. Cyber espionage against the EU’s Moscow embassy. Influence operations. A motive for GPS spoofing?


Dave Bittner: [00:00:03] BlueKeep proof of concept exploits have been developed, and people are urged to patch. An annoying disruptive advertising plug-in comes bundled with a couple of hundred Android apps in the Play Store. The EU's Moscow Embassy seems to have been the focus of Russian cyberespionage since 2017. Influence operations feature a small core of sites surrounded by many amplifying accounts. And a possible motive for GPS spoofing.

Dave Bittner: [00:00:36] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today, and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at

Dave Bittner: [00:02:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 6, 2019. Microsoft and NSA, among others, have been urging users to apply Microsoft's patch for the BlueKeep vulnerability. BlueKeep, to review, is a remote desktop protocol vulnerability - CVE-2019-0708 - that afflicts older but still widely used versions of Windows systems. Several researchers independently say they've seen BlueKeep proof of concept exploits. For the most part, they're not sharing these with the wide world. But instead, they're hoping the demonstrations will motivate people to patch. The worries around BlueKeep are that it's well-adapted to use by worms that could propagate themselves across the internet the way WannaCry did a bit more than a year ago.

Dave Bittner: [00:02:53] File this one under I for irritating.


Dave Bittner: [00:02:57] Lookout Security has taken a look at the Android apps hawked in the Google Play Store. And it's noticed, to everyone's dismay, that far too many of those apps...


Dave Bittner: [00:03:06] ...Like, around 230 of them - have a bundled advertising plug-in.


Dave Bittner: [00:03:13] And installing this one is a little like inviting some wide boy, some fairground snake-oil barker into your life.


Dave Bittner: [00:03:21] Quit it. The plug-in at issue is BeiTaAd, and it sounds positively maddening. It's not as if this is just mildly irritating but not really a problem. No, it's a problem. BeiTaAd uses obfuscation normally seen in malware to help obtrude itself into users' attention, bypassing some of the protections you might have in place. Once it's in, it yammers wildly across lock screens, hoots video ads while the phone's supposed to be asleep and when you yourself might be asleep or otherwise occupied and so forth.


Dave Bittner: [00:03:58] More than 440 million devices are believed to be infested. BeiTaAd can be hyperactive enough to render a phone effectively unusable.


Dave Bittner: [00:04:11] Seriously, quit it. Any who, Lookout sees a depressing trend here. It's the old familiar offense-defense seesaw. Lookout says, "This BeiTaAd plug-in family provides insight into future development of mobile adware. As official app stores continue to increase restrictions on out-of-app advertisements, we are likely to see other developers employ similar techniques to avoid detection," end quote. And that's just great.


Dave Bittner: [00:04:41] Seriously, stop it.

Dave Bittner: [00:04:44] And now, for real, here's something you'll really like. Say, friend, would you like to take a chance on a swell prize? Well, step right up and take our listener and reader survey at Help us improve the quality, relevance and value of our content. The survey is short, and it should take you less than five minutes or so to complete. And of course, your participation is completely voluntary, anonymous and confidential. What can you win? Well, could we interest you in a pen, a pad, a sticker or even a swell CyberWire pint glass made out of real glass? Act now,

Dave Bittner: [00:05:21] As organizations move their assets to the cloud, keeping up with security and compliance issues can be challenging, to say the least. Josh Stella is co-founder and CTO of Fugue, a cloud infrastructure automation and security company. He advocates a testing technique called chaos engineering.

Josh Stella: [00:05:40] Cloud is a very different place than the data center. In the data center, security was usually imposed in the form of a perimeter - you know, having the corporate network, making sure there were intrusion detection systems and firewalls properly configured - and changes to those configurations were done via change control boards. You know, there was a process. Well, the cloud has really kind of turned this on its head because in the cloud, a developer can build a new network in literally seconds and can change it in seconds. You're no longer putting in a purchase request, filling out forms. You're just hitting an API call that says, give me a network, or give me compute instances.

Dave Bittner: [00:06:22] And so what are the real-world implications of that in terms of standing up defenses?

Josh Stella: [00:06:28] The Gartner published - I don't know - a couple of years ago now that somewhere between 80 and 90% of data breaches on the cloud are due to misconfiguration of cloud resources by the customer using that cloud. It's pretty easy to go find lots of headlines about, you know, millions of people's personal records being publicly exposed on the internet, for example, because somebody configured an S3 bucket and flipped one little switch out of the thousands and thousands of possible configurations that said, make this open to the world. And this happens over and over again, and that's a pretty serious real-world, you know, implication.

Dave Bittner: [00:07:11] Now, one of the things that you speak of and, I suppose, champion, is this notion of chaos engineering. Can you describe to us - what does that mean?

Josh Stella: [00:07:20] Chaos engineering was made famous by Netflix several years ago. And the idea was randomly break stuff, and if your system is architected correctly, it will continue to function. They famously put out a tool called Chaos Monkey that would go and take down servers. And so in the Netflix infrastructure view of the world - it's often called immutable infrastructure - the system as a whole should recover from that. A new server should appear to fill in the role of the old one.

Josh Stella: [00:07:52] You cannot predict what's going to happen in the production environment. You can try, but you're going to fail. You cannot predict what's going to go wrong, when it's going to happen. But the way chaos engineering applies to security is, let's go open dangerous ports in the firewalls. Let's go turn on public access to things that should be hidden. Let's go do all kinds of things randomly to the environment - remove tagging from things so that they disappear from security monitors and cost monitors. Let's just go do destructive things to the infrastructure, and if we have a really resilient system, those things will be corrected very quickly. And that's a big part of what Fugue does. We have the ability to give our customers self-healing infrastructure.

Dave Bittner: [00:08:41] So it's really a sophisticated kind of stress test, I suppose.

Josh Stella: [00:08:45] That's a pretty good description. And just like a stress test, you don't know what's going to happen until you try it. I think that's a pretty good description. A lot of what folks are doing now around security is they're guessing what's going to go wrong and build scripts to look for that or have monitors watching for things that are predictable that could go wrong. But what they're missing is bad guys are really creative. And so are developers. So are good guys who don't mean to do harm but might by accident. And so you simply can't predict everything that's going to go wrong. So that stress test idea is right. You know, you push the system and see what actually fails that you're not handling.

Josh Stella: [00:09:24] It's a really different way of thinking about infrastructure and security and configuration and not something you could do in the data center because humans had to go out and do the work. Now, because of these APIs, the same things that give the developers the ability to get things wrong, it gives security the ability to automate getting it right.

Dave Bittner: [00:09:43] That's Josh Stella from Fugue.

Dave Bittner: [00:09:47] The EU's mission to Moscow suffered a long-running sophisticated cyberespionage event that began in February 2017 and continued through its discovery in April, BuzzFeed reports. Russian organizations, probably intelligence services, are believed to be behind the attack, which netted the hackers an undisclosed haul of information. The EU did not disclose the incident, evidently not wishing to roil political waters on the eve of European elections, in which Russian influence operations became a sensitive matter.

Dave Bittner: [00:10:19] It's worth reviewing, in this context, Symantec's reports on Russian influence operations in the 2016 U.S. elections. The report indicates Moscow's efforts to have been more extensive, more patient and more balanced ideologically than previously assumed. A core group of main accounts, often bogus news services, was supported by a very large number of auxiliary accounts responsible for amplification. Messaging was designed to appeal to left and right roughly equally, with the most disaffected partisans most heavily targeted.

Dave Bittner: [00:10:53] So the playbook appears to be, roughly speaking, this. Establish some core accounts. Place divisive messages designed to inflame the disaffected, and then amplify the messages with herds of ancillary social media accounts. Symantec thinks the accounts were heavily automated - lots of bots - but that the automation was designed to be tweaked and steered by human operators to adjust the events, responses and newly perceived opportunities.

Dave Bittner: [00:11:19] Insofar that there is a common denominator among the accounts, it's inauthenticity, presenting yourself as something or someone you are not - a concerned progressive, let's say, or a principled conservative or whatever suits your disruptive purpose - because again, the message isn't important. What's important to the information operator is disruption, not conviction. This would seem to suggest that bot-hunting - looking for and suppressing coordinated inauthenticity - may offer more promise than the sort of largely algorithm-driven content moderation that YouTube has announced this week, which hasn't succeeded in pleasing people on any side of any particular divide.

Dave Bittner: [00:11:59] There's been a wave of Russian GPS spoofing since last autumn. Some of it was in the Baltic region. Some of it was in the Black Sea. C4ISR Networks suggests a possible motive for the Black Sea incidents, at least; it may have been executive protection against drones. The incidents seem to have been highly correlated with Vladimir Putin's movements, and there's some speculation that it was intended to keep any hostile drones away from the Russian president.

Dave Bittner: [00:12:30] To close this segment on a serious note, today, of course, is the 75th anniversary of D-Day. It's being marked by national leaders and veterans. The veterans won't be with us much longer. The generation that fought the Second World War is passing swiftly. The nation recently marked another somber milestone with the passing of the last of the U.S. Army's code talkers. The Navajo who served in the Marine Corps are better-known, but the Army also had its secure communications specialists, 17 of whom were from the Mohawk Nation.

Dave Bittner: [00:13:02] The last Akwesasne Mohawk Army code talker, Louis Levi Oakes, died last week at the age of 94 and was buried on June 1 with full military honors. Technician Oakes served in the South Pacific, New Guinea and the Philippines, and he earned a Silver Star for his valor. Soldier, rest, and our condolences to your family and friends.

Dave Bittner: [00:13:40] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:49] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Institute and host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. We wanted to talk today about MTA-STS, which is a protocol that Google seems to be throwing their weight behind. What do we need to know about this?

Johannes Ullrich: [00:15:09] Well, it really tries to solve the problem that we have with the privacy and with integrity of email. When it comes to HTTP, to browsing the web, pretty much all websites that matter these days are using HTTPS. And we do have some mechanisms, like strict transport security, in order to ensure that any man in the middle can't downgrade us to HTTP.

Johannes Ullrich: [00:15:36] With email, that's a little bit more complicated. The problem with email is that that the connection that really matters here is the connection between mail servers. And of course, as an end user, we don't really have an influence over this. Now, they came up with a real great way to secure that connection, and that's STARTTLS. So if your mail server connects to my mail server, my mail server will tell it, OK, I'm supporting STARTTLS. Let's switch to TLS. Small problem with that - this initial negotiation is still in the clear. It's not protected, and there have been ISPs - there have been countries that essentially just remove that STARTTLS advertisement.

Johannes Ullrich: [00:16:21] So what we really have to do is we have to figure out, does a mail service support STARTTLS? Should I expect this particular feature to be enabled? And that's what MTA-STS is trying to solve.

Dave Bittner: [00:16:35] And so what's going on here under the hood? How is it actually working?

Johannes Ullrich: [00:16:39] So what actually happens here is that your mail server will first do a DNS lookup for specific record that I have to set up to check, does this domain support STARTTLS? If that record exists, then your mail server will check my website to then retrieve my STARTTLS policy. It's not really that hard to set up. But yes, there are a couple of moving parts. You have to add that DNS record. You have to add a specific file to your web server in order to enable this.

Dave Bittner: [00:17:15] And with Google throwing their weight behind it, does that mean it's likely to gain some traction?

Johannes Ullrich: [00:17:22] That's my hope here because we all exchange email with Gmail users at one point or another. So Google being one of the big email providers implementing this really, I hope, helps. The other part of this that Google implemented is, if you are supporting this feature, Google will actually send you a report once a day - a quick summary. It's just a one-line JSON snippet telling you how many email connections Google Mail Service established with your mail service, how many of them use STARTTLS, how many didn't use STARTTLS.

Johannes Ullrich: [00:17:59] So that also helps you a little bit find out - do you have your system misconfigured, or is, actually, someone trying to play tricks with some of your systems? At this point, I think Google is the only large, at least, email provider supporting this particular part of this feature.

Dave Bittner: [00:18:17] Now, are there any potential issues with backward compatibility or anything along those lines?

Johannes Ullrich: [00:18:23] Well, for the most part, if a mail server that you exchange email with doesn't support this feature - it's just being ignored - the one problem, of course, if you are enforcing STARTTLS, then you better make sure it works. So if now STARTTLS is broken because you forgot to renew certificates, you didn't configure it on all of your mail servers, then, of course, mail connections will fail if the other side isn't forcing this feature.

Dave Bittner: [00:18:51] I see. All right. Well, we'll keep track of it. Interesting development. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:18:59] Thank you.

Dave Bittner: [00:19:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.