Dave Bittner: [00:00:04] The Australian National University hack and data loss look to many observers like the work of Chinese intelligence services. The GoldBrute botnet is scanning vulnerable RDP servers. MuddyWater is back, undeterred by leaks and learning from the best. The RIG exploit kit is delivering Buran ransomware. Achilles says he's got the goods. The Nuclear Regulatory Commission IG looks at cyber inspections. And big tech prepares for big antitrust.
Dave Bittner: [00:00:38] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:49] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:04] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 7th, 2019.
Dave Bittner: [00:02:11] As investigators continue to look into the cyber incident at the Australian National University, signs point to Chinese intelligence services as the operators behind the recent hack. It's consistent with other Chinese operations, which have aimed either at the cultivation of sources or the acquisition of intellectual property. In this case, the ANU hackers appear to have been engaged in recruitment. The attackers exfiltrated some two decades worth of personal data that the Sydney Morning Herald says includes bank account numbers, tax information and academic records of both students and staff.
Dave Bittner: [00:02:48] Investigators believe one of the campaign's principal objectives was to groom Australian students headed into civil service careers for recruitment as agents. ANU graduates are heavily represented in public service. The evidence pointing to China is circumstantial. First, only a small number of countries have the technical wherewithal to execute an attack of this kind. Second, an even smaller subset of those would be interested in doing so. And third, the attack seems to fit the pattern displayed in other Chinese cyberespionage campaigns.
Dave Bittner: [00:03:21] Why would an intelligence service be interested in financial and academic records? For any number of reasons. The more one knows about prospective agents, the easier it is to get your hooks into them. You might wish to develop the sort of rapport that might be useful in recruitment. You studied Li Bai's poetry? What a coincidence. Me too. I always found "Quiet Night Thought" particularly moving. Or maybe - you wouldn't believe the trouble I had with the credit department at regional - what? You too? Let's talk.
Dave Bittner: [00:03:51] Or you could accustom them to doing small innocent favors that lead to less innocent favors that lead to quite guilty favors. I've completely lost touch with Chloe. You remember her from ANU? You wouldn't happen to have a copy of a staff directory you could give me? I'd so love to get back in touch. And who wouldn't want to help out Chloe? And the next staff directory might be from an Australian Signals Directorate contractor, and then maybe an internal memo would be much appreciated because that nice person is interested in investments. Eventually, you would get the point where you feel you have to refuse, but by then, you may have given away things that, the nice person points out, well, people just wouldn't understand. Better for you if you keep playing ball.
Dave Bittner: [00:04:35] And rougher still, it's also possible to turn up material that might be useful in compromising a target. I notice you wrote an honors essay on Li Bai's "Waking From Drunkenness On A Spring Day." Did your drinking problems at Canberra lead you to that particular poem? Or perhaps worst of all, something like this. It would be a shame if your second cousin in Sanxiang lost his job. Actually, losing his job might be the least bad thing that could happen. Chinese operators have been behind this kind of hack before, and it fits well into traditional espionage craft.
Dave Bittner: [00:05:11] The risks of remote desktop protocol vulnerabilities are coming into sharper focus. Morphus Labs warns that a botnet, GoldBrute, is scanning and brute-forcing about a million and a half RDP servers. There are several known RDP vulnerabilities out there, and there are patches available, including patches for BlueKeep, which Microsoft and NSA and their sisters and cousins and their aunts are really urging everyone to patch.
Dave Bittner: [00:05:38] Iran's hacking group MuddyWater, also known as Seedworm, might have seen more of its tools leaked online, but that hasn't made it pull in its horns. ClearSky warns that the threat group is actively impersonating government accounts and using at least two new techniques. Microsoft documents carrying malicious macros, an exploitation of CVE-2017-0199 - that is, Microsoft Office WordPad Remote Execution Vulnerability w/Windows API. These, of course, aren't new attack tactics, but they're new for MuddyWater and represent Iranian intelligence and security services' long-standing determination to learn lessons and improve their game. It doesn't have to be novel, and it doesn't have to be innovative. It just has to be well-executed, and it just has to work. These work, especially against unprepared victims.
Dave Bittner: [00:06:30] The RIG exploit kit is now being used to deliver Buran ransomware. Buran looks like gangland for-profit work, although of course, there is often a degree of penetration and control of the Russian mob by organs of the Russian state. The best defense against this Russian strain of ransomware are updated security software - since Buran arrives via exploit kits - sound offline backup and properly suspicious users. That, of course, is good advice at any time. Our linguistic desk helpfully points out that Buran means blizzard.
Dave Bittner: [00:07:06] Researchers at security firm Advanced Intelligence are calling out another criminal active in dark web markets. He goes by the name Achilles, speaks English and is suspected of being Iranian. He's selling, he claims, credentials that would give the buyer access to security companies, charities and at least one international organization, UNICEF. There is no confirmation yet that Achilles can deliver the goods he's offering, but he enjoys a good reputation in this very bad neighborhood. His criminal clients consistently give him strong reviews, so maybe there's something there. In any case, Achilles bears watching.
Dave Bittner: [00:07:44] Cryptocurrency firms are under attack, as usual. Github users lost some $9.7 million, and blockchain startup Komodo - not to be confused with security firm Comodo - hastily patched a vulnerability in its wallet.
Dave Bittner: [00:08:00] The U.S. Nuclear Regulatory Commission is short on cyber workers. A report by the commission's inspector general found that the NRC's cybersecurity inspections, quote, "generally provide reasonable assurance that nuclear power plant licensees adequately protect digital computers, communications systems and networks associated with safety, important to safety, security and emergency preparedness," end quote. But the NRC, as much as it trains current staff to conduct cyber inspections, still finds itself facing a familiar problem. Good cyber talent is in high demand and not that easy to hire, especially into the government. The IG also found that the current cyber inspection program is risk-informed but not fully performance-based. The report urges the commission to work on appropriate performance measures.
Dave Bittner: [00:08:51] And finally, as the antitrust sharks circle big tech, big tech is putting K Street shark repellent into the Beltway waters, hiring lobbyists to fend off the regulatory predators. And Facebook is reported to have begun bringing in more defense talent to its legal team. The administration seems to be serious about the feedings, which for now are divided between justice and the Federal Trade Commission. Congress is also taking an interest.
Dave Bittner: [00:09:22] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hood's hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:10:32] And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You know, I thought we could run through some of the ICS environments that you all deal with. And why don't we start with natural gas? Give us an idea. Here in the United States, what is the lay of the land with our natural gas system? How is it controlled, and what are the threats?
Robert M.: [00:10:54] Absolutely. So when it comes to natural gas, it's at an interesting changing point for the industry. For years, although it was still critical and important, there wasn't as much national attention on it because it wasn't as critical to the bulk electric system. As we have moved away from coal and move more towards renewable sources, we still need a quick way to be able to generate power, which is natural gas. And so natural gas is starting to feed the electric grid, much more so - even a lot of larger energy companies buying up natural gas companies, which means that that national focus has definitely increased.
Robert M.: [00:11:28] There are threats that have targeted natural gas already, and we've heard about these over the years. We've never seen destruction or disruption as a result of an intentional attack, but of course, it's still something that weighs very heavily on folks' minds, especially when we start seeing the criticality the industry increase. What they're sort of up against today is a variety of risk that they're trying to mitigate. One of the factors for them is they do have sort of that traditional SCATA approach, meaning they have very long distances - right? - a lot of pipelines, very large landscape that they have to cover as well as very boutique kind of systems. You know, a gas compressor station along the side of a pipeline is not really normal knowledge for a lot of those, even in the industrial control and security community.
Robert M.: [00:12:14] So for them, they're trying to reduce that risk - not only the physical threats and the things you have to deal with, like crazies along the pipelines, but also in the fact that their threats can get out to those locations. And it's not some easily tapped infrastructure. It's not like they could drive to every single gas compressor station and every single aspect of the pipeline and storage wells and all that and throw a managed switch on there and start tapping that traffic. It's not really achievable in that way. So they're much more around ingress and egress filtering and understanding if they can identify threats from the control center down or back up again from those sites. And at the same time, they're just dealing with the nature of the politics.
Robert M.: [00:12:50] So you got some good organizations like the Downstream Natural Gas ISAC, who's trying to do a lot of advocacy and outreach in that sector. But I expect this will be a very turbulent next couple years for them as they try to figure out how to articulate what the real risk is while minimizing it without letting, as you noted, the hysteria get taken away as congressional members and others start asking questions on - oh, no. What is the threat to this new industry? Well, it's not really new, but this industry that's new in its criticality to the electric grid. So fantastic opportunity for them. Definite challenges, but as always, we got some fantastic people taking on that challenge.
Dave Bittner: [00:13:25] And what would be the impact of an interruption of natural gas service?
Robert M.: [00:13:30] It could be significant. It depends on a lot of factors, but one of the factors to consider is other generations' sources of power in that region as well as time of the year. So as an example of a particularly bad scenario, if we're talking about the dark sort of months of the year, we're not getting as much in terms of, like, solar. And we move towards solar more in the grid, and we also combine that with it being winter in places like the Northeast or Northwest. You know, a significant outage could actually have loss of life impact when it comes to people in that region. Now, we're not talking about everybody in the region dying, but nobody should take any loss of life lightly. So we're talking a number that is uncomfortable mostly just because we're talking about people's lives there.
Robert M.: [00:14:15] So I think there's a realistic scenario where an attacker can make planned and coordinated strikes against pipelines that have real repercussions, but it still is much more difficult and nuanced than people make it out to be. But the complexity of a natural gas pipeline is not the same as the complexity of the overall grid, which means to take down a giant portion of the grid for any significant portion of time is a very complex problem. It's not as complex in gas pipelines, but it is still not trivial by any stretch of the imagination.
Dave Bittner: [00:14:45] Robert M. Lee, thanks for joining us.
Dave Bittner: [00:14:52] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95% faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough - a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:15:51] My guest today is Frank Downs. He's director of cybersecurity practices at ISACA, an international professional association for IT auditors and cybersecurity professionals. Our conversation today focuses on his experience as an adjunct professor in cybersecurity and the challenges he sees the community facing when it comes to educating the next generation of cybersecurity pros.
Frank Downs: [00:16:15] There's kind of a two-prong problem here with getting everybody - actually, there's more like a three-pronged problem here when we're talking about getting everybody up to snuff for cybersecurity. First and foremost, we have this continually growing gap of - a great quote that was told to me by one of our members was, every time someone buys a new iPad or iPhone or computer or laptop, the internet gets a little bit bigger, right? And we - with the pace of new devices coming online every day, we're not making cybersecurity professionals or training cybersecurity individuals fast enough. So the gap keeps growing. If you take a look at our State of Cyber report every year we put out, the gap is still there, and it's still concerning.
Frank Downs: [00:16:59] The second thing is, when it comes to training these professionals, is that you're using more traditional - primarily more traditional methodologies, such as passive learning for the individuals, for the students. That means - think of when you were in college, right? You would sit in these big halls. And you would have people sit, and they would all learn math from one person who would put it up on the chalkboard. And then it was your job to take it all in and then regurgitate it when it came exam time. That doesn't really work for cybersecurity. That doesn't really work for cybersecurity at all. You can't just, you know, sit down, have a passive death-by-PowerPoint experience, go in, sit down, take a multiple-choice exam and then all of a sudden be good at cyber. You're right. It just doesn't work that way. And so we have to change more thoroughly the method of learning across the board, not just in academia.
Frank Downs: [00:17:50] And thirdly, there needs to be greater awareness, in my opinion. There was a study that was put out last year where nine out of 10 students - nine out of 10 millennials graduating - said that they didn't even consider cybersecurity as a career path. Not like they thought about it and then said no - as in it just never even crossed their mind as an option, which means there's lack of awareness. And they took a look at that one out of 10, and one of the things that they really had in common was that they had somebody who worked in the field directly or had told them about it in school. So that lack of awareness that's even an option is also concerning. So it's a three-pronged approach - three-pronged problem, if you will - that we are working with and trying to remedy.
Dave Bittner: [00:18:39] Yeah. I mean, it's a really interesting insight, and I wonder - I mean, what you describe there of - you know, that's literally old-school technique of a professor at the front of a big lecture hall, which I certainly experienced, you know, way back in the day. Do we need to be shifting something more along the lines of a trade school?
Frank Downs: [00:18:57] That's a good point because that's exactly how I learned, too, back in the day. And I imagine neither you nor I want to talk about how back in the day that was, right?
Dave Bittner: [00:19:04] That's right.
Frank Downs: [00:19:05] I think you might be onto something there, but I don't want to overgeneralize, right? Because right now there seems to be the strong push of college is bad, trade school is good, right? It's - everything seems to be flipped on its ear. And that's not necessarily the case, right? Trade school is good, and college is good. But I think we needed to look at something on a more basic base level - right? - a more basic level of how do we train these individuals, whether it is in some type of trade school or whether it is in college, right? Because what we've seen is individuals who do best in the field have some type of experience.
Frank Downs: [00:19:40] I'll give you a great example. I've had several students over the last several years who have come to me and have said, I want to get a job in this field, but I don't even know how to do this. And I'm really concerned about it, right? Now these are my graduate students in - that I would - that I teach at night, and I teach them cybersecurity. And they were really concerned - right? - because most of these students come in, and their big thing is we would like to get a job. Meanwhile, I talk to every - all these different professionals in the field, many of these executives, and they go, we need more people for these jobs. There's clearly a miscommunication there, right?
Frank Downs: [00:20:13] And I told the student, I said, you really shouldn't be concerned. You've done so much practical hands-on stuff here that when you go to this interview, compared to X, Y or Z individual or applicant, you're going to blow them out of the water. That, and you actually know what the NIST policies are. I can't make you comfortable, but I can encourage you that things will go well. And I'll tell you what. She was one of our best students. She came back and said, you were 100% correct. They said the majority of the people who are applying to this have no actual hands-on experience, haven't actually worked with malware, haven't actually worked with PAC analysis and so forth. So when they knew that I could do these things, and I even showed them, that combined with the misunderstanding of the NIST policies, well, they gave me a job.
Frank Downs: [00:20:56] So I think - and that was in a college environment, right? That was in a grad school environment. Now can this be replicated in a trade-like experience? Yes. And as a matter of fact, it is on a regular basis. There are several different things that ISACA is working with partners on having more of a trade school environment wherein individuals can come, can sit down and don't have to go - don't necessarily experience this more formal education path and are able to reskill into the field of cybersecurity. So I think it's an issue that is both impactful for trade schools and for traditional academia as well.
Dave Bittner: [00:21:33] So the institutions that are doing it right, those colleges and universities even down to the community college level, the ones who are - who, in your estimation, are setting up the proper mix of things here. What do they have in common? What are they doing that that sets them apart?
Frank Downs: [00:21:55] There's two things that I've seen in a lot of successful academic institutions and schools and programs. One is they're ensuring that the students are getting real experience. Whether that takes the form of a range - right? - or whether that takes the form of a lab that they do in class, they're actually working with real malware. They're working with real denial-of-service attacks. They're stopping these things. They're responding to incidents. And people are living them - right? - because there's no substitute for experience. There's no substitute for sitting down saying, oh, yes, I've dealt with Spectre, right? I've dealt with Meltdown. We can work with these things.
Frank Downs: [00:22:32] The other thing that they're doing is they have partnerships and or programs that help these individuals get lined up with a job and can point them, or at least prepare them, to be competitive in the job market. I think that some institutions who aren't doing as well have this consistent mentality of, well, you got your degree, didn't you? Go ahead and get that job. That's not me. When you're starting to see some schools actually take a step back - and what's really, really interesting is you're seeing some schools do this with certain, like, liberal arts majors for example, right? You - it's no longer - and speaking as a liberal arts major - getting an English degree doesn't necessarily equate to getting a job.
Frank Downs: [00:23:13] And you're seeing a lot of these more successful schools say, OK, well done. You got the English degree. Good job. You may notice that it's a little hard to get a job. We have this program that is a - either cybersecurity or IT or technical or engineering program that we can put you through and give you these additional skills that can make you more attractive, which I'll be perfectly honest with you, speaking from experience, it wasn't always my English degree that got me my job. In fact, it pretty much never was my English degree that got me the job.
Frank Downs: [00:23:41] Now, I could write. And that did help at the job. And I could communicate. And as you probably know, in the field of IT or cyber or any other field, someone who can do the job and communicate it effectively, that - I mean, that's really valuable. So in the long term, they're setting these students up. But not all of these programs in these institutions are doing that, which makes it a lot more difficult for these students to then succeed.
Frank Downs: [00:24:03] People need to know that this is an option. So I think we're finally getting a good beachhead established in trade schools and academia and reskilling programs for adults. However, I think there needs to be - I think we don't really have a good long-term solution until, as a field, we've successfully infiltrated, say, that high school and middle school level of learning and understanding. We're going to need to actually come together and build a more consistent and capable workforce through having a consistent training mechanism and methodology. When I start seeing these classes offered in high schools, and it's a curriculum they can take, then I'll be a little more encouraged. And I think we are going in that direction. That's just going to take some more time. It's really - because like I said, we're fighting this fight on multiple fronts.
Dave Bittner: [00:24:51] That's Frank Downs. He's the director of cybersecurity practices at ISACA.
Dave Bittner: [00:25:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:25:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.