The CyberWire Daily Podcast 7.12.19
Ep 883 | 7.12.19

Buhtrap gets into the spying game. US cyber operations against Iran considered: there are both strategic and Constitutional issues. Election security. Water bills. And again with the WannaCry.


Dave Bittner: [00:00:03] Buhtrap moves from financial crime to cyber espionage. There may have been as many as three distinct U.S. cyber operations against Iran late last month. The U.S. legislative and executive branches continue to try to sort out constitutional issues surrounding cyber conflict. The U.S. intelligence community tells Congress that there are active threats to upcoming elections. One city's cyber woes will be expressed in water bills. President of the University of West Florida joins us to tell us how her institution is adapting to meet the workforce needs for cyber security professionals. And WannaCry may ride again if you don't patch. 

Dave Bittner: [00:00:47]  Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation, And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at That's, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:58]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at 

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 12, 2019. 

Dave Bittner: [00:02:21]  Buhtrap, the threat group previously known for criminal raids on Russia's financial sector, has moved on to cyber espionage, targeting organizations in Eastern Europe and Central Asia. ESET says Buhtrap has recently been exploiting a local Windows privilege escalation vulnerability, CVE-2019-1132, against its victims. 

Dave Bittner: [00:02:44]  Bleeping Computer reads the move from theft to espionage, which may have been in progress for some time, as an instance of the growing interpenetration of criminal gangs and intelligence services in many parts of the world. That interpenetration may involve leaks and false flag operations. As ESET's timeline indicates, Buhtrap's backdoor was first noticed operating against Russian businesses in April of 2014. In the fall of 2015, it was used against Russian financial institutions, and shortly thereafter, the first intrusions into unspecified government networks were observed. The group's source code leaked in February of 2016, and now it's appearing in espionage operations. 

Dave Bittner: [00:03:29]  Lawfare takes a look at U.S. cyber operations mounted as a response to Iranian attacks on shipping in the Gulf region and, of course, Iran's shoot-down of a U.S. Global Hawk drone. They conclude that perhaps three distinct actions took place. Here are the operations that have been reported. First, there was apparently an attack against the command and control system of missile units. Second, there were allegedly attacks against the networks of an intelligence organization closely linked to Iran's Revolutionary Guard. And third, there are said to have been attacks directed against the networks of Kata'ib Hezbollah, a paramilitary organization linked to Iran's government. Lawfare notes that U.S. Cyber Command has issued no statements on the matter and seems, as the journal put it, quote, "content to wait out the news cycle without correcting the record," end quote. 

Dave Bittner: [00:04:21]  We note the vagueness of the target descriptions that have appeared in the media. Computer systems used to control rocket and missile launches could mean any number of things, for example. A digital command network, a fire direction computer, a voice over IP phone a battery commander might use to get instructions from higher-ups, the device a launcher section chief uses to receive email - all of these or some combination of them. We tend to imagine these operations as being similar to hacks conducted against other enterprises, and perhaps such vagueness, from Cyber Command's point of view, is a feature, not a bug. 

Dave Bittner: [00:05:00]  The operation displays the sort of strategic ambiguity that can be valuable in deterring an adversary. You might want to let the adversary know that you have the capability of disrupting their operation, but you'd probably want to leave them guessing about the exact cards you held. But strategic ambiguity is one thing. Constitutional ambiguity is quite another. 

Dave Bittner: [00:05:21]  The U.S. executive and legislative branches are still sorting out, with the kind of check and balance acrimony customary in such matters, exactly what authorities the president has to conduct cyber operations without explicit congressional authorization. The question isn't clear. Representative Langevin, Democrat of Rhode Island, is the most recent member to call for an accounting, but he's not asking for a declaration of war, either - just proper constitutional oversight, and what counts as such oversight is always a matter for inter-branch wrangling. Representative Langevin has offered an amendment to the National Defense Authorization Bill. If it sticks, the bill would give the administration 30 days to fork over copies of all of the National Security Presidential Memoranda concerning Defense Department operations in cyberspace. Presumably, that means offensive operations, which is where the dispute lies. 

Dave Bittner: [00:06:15]  U.S. intelligence community officials briefed Congress this week on potential threats to the 2020 elections. Their consensus was that, of course, there's a risk of interference in the upcoming elections, with unspecified active threats in the offing. The briefings themselves were classified, but their upshot seems fairly clear from press reports. The threat foremost in the collective congressional mind is Russia. The intelligence officials are said to have addressed both threats and the measures being taken at the federal level to counter those threats. 

Dave Bittner: [00:06:47]  The Federal Election Commission has decided, in this regard, that political campaigns may legitimately accept cybersecurity services from vendors at a discount or even for free. The concern had been that such offers might constitute an illegal in-kind contribution, but the FEC says, no, it doesn't, at least provided the vendors offer comparable services under similar conditions to other non-political not-for-profits. 

Dave Bittner: [00:07:14]  Among the effects of Baltimore's ransomware incident, the Baltimore Sun reports, will be very large water bills as the city slowly brings its billing systems back online. Residents are told they'll receive a bill covering three or more months. Smart money is on more. Your water tab will be a whopping big one, Charm City, which is what happens when a municipal government throws the dice on security and craps out. 

Dave Bittner: [00:07:40]  Finally, there are renewed warnings this week about the possible return of WannaCry. But WannaCry's no problem anymore, right? I mean, it hit two years ago. After all, the EternalBlue vulnerability it exploited to spread was patched a long time ago, right? Well, yes, and the malware, as it was, would affect only unpatched systems. Unfortunately, there remain an awful lot of unpatched systems out there. Recent Shodan searches estimate that the number of unpatched endpoints in the U.S. alone is running as high as 400,000, so let's say you're among the great unpatched. Please patch. If not for your own sake, do it for the rest of us. Herd immunity wants you. 

Dave Bittner: [00:08:27]  And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:09:30]  And joining me once again is Mike Benjamin. He's senior director of threat research at CenturyLink's Black Lotus Labs. Mike, it's great to have you back. I wanted to touch base with you today about DNS tunneling and hoping that you could describe to us, first of all, what it is and why folks are choosing to use it. 

Mike Benjamin: [00:09:46]  Yeah. Thanks, Dave. So we all know DNS. We - you know, every computer uses it to resolve hostnames to IPs and find mail servers and all this other stuff in our environments, whether we're a house or business. And so many of us don't think much about it being there. Many folks don't even restrict to what can query what through their environments. However, you'll find environments that allow DNS through but don't allow any other services out or in. In many cases, they're content filtering and man-in-the-middle proxying HTTP traffic but letting DNS through. And so that's a dangerous scenario because that allows someone to send arbitrary traffic. And you might think, it's DNS. How can it be arbitrary? But the question asked of the DNS server is provided by the user or the host. 

Mike Benjamin: [00:10:37]  And so DNS tunneling is a situation where the hostname that they look up can contain encoded characters. You think about basic binary encoding with Base64. Base64 messages can be split up into hostnames, run thousands of queries, and if you control the server that's authoritative for that question, you've now successfully sent data through an environment where you should not be able to send data. And so it's a very common attack that we see for a pen test or group coming into environment to show why DNS should be locked down, but we also see it used for exfiltration of data by more sophisticated actors, and it can be pretty allowed inside an environment. 

Dave Bittner: [00:11:18]  Now, what is the rationale for why folks would leave DNS accessible when they'd be filtering other things? 

Mike Benjamin: [00:11:25]  They're not thinking of it as an attack vector. That's the most simple example. The other is that when they host authoritative zones inside a business - you'll find many businesses have a sort of private zone for their internal data centers, their internal hostname resolution - they often don't think about the fact that those are recursive resolvers to the open Internet, and so they may be locking down the name lookup to just that handful of hosts. Those things, because the very nature of DNS tunneling - they don't ask the same question, they're not cached questions. And so therefore, if I break my Base64 message into 10,000 queries, all 10,000 can make it through to the authoritative server, and I can still succeed. So fully locking it down can be a difficult thing to do. 

Dave Bittner: [00:12:15]  Now, when folks are trying to hide data within these DNS queries, how are they going about doing that? 

Mike Benjamin: [00:12:21]  Yeah. That's a great question. I've said now twice that Base64 is a simple way to do it. However, most folks will know that you can decode a Base64 message, so they will then XOR it. They will then even encrypt it. And so anything that can get it through to a hostname resolvable set of characters is viable, and any obfuscation, encryption - any other methodology can allow that to happen. And so while it might be very easy to go grab a group of data and try to brute force it with some simple Base64 and XOR decoding, the encrypted messages can be far more difficult. And so there is - you think about encryption methodologies as not a very difficult thing to do, so pretty low threshold for fully obfuscating what's going on inside that payload. 

Dave Bittner: [00:13:10]  And in terms of mitigation, what are your recommendations there? 

Mike Benjamin: [00:13:13]  Well the first is logging, you know? You'll find that, as a security community, we all talk about protection and then monitoring. So we need to monitor what's going on inside of the DNS servers. The nice thing about DNS tunneling is it tends to be very allowed. So I mentioned that the actor needs to control the authoritative name server. And so in a typical attack here, what you'll find is that there'll be tens of thousands of queries all to one domain. That should stand out as an anomaly in those log sets. You'll also find often that the domain that's utilized tends to be a newly registered domain or something that at least has a very low volume and a baseline. And so simple statistic anomalies on domain lookups can immediately make these sort of attacks jump to the top of the list. 

Dave Bittner: [00:14:01]  All right. Well, interesting information. Mike Benjamin, thanks for joining us. 

Dave Bittner: [00:14:09]  Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hood's hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more, and we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:15:16]  My guest today is Martha Saunders. She's the president of University of West Florida, a public institution with nearly 13,000 students. They've made significant investments in their cybersecurity programs and have been named a National Center of Academic Excellence in Cyber Defense Education by the NSA and the Department of Homeland Security. 

Martha Saunders: [00:15:38]  We're in Pensacola, right on the Gulf, about 20 miles from the Alabama line - so in the panhandle. We have about 13,000 students. By national standards, that would make us midsize. By Florida standards, we're kind of on the small side. Our part of Florida - there's very strong military influence here, and one of the reasons cybersecurity has hit so fast and so hard for our university is partly because of that connection. 

Dave Bittner: [00:16:10]  And so what part does cybersecurity play with UWF? 

Martha Saunders: [00:16:14]  We started our Center for Cybersecurity really not even five years ago. We are always tuned in to workforce needs, what we need to be doing next. We realized that that was certainly a growing area with lots of demand and lots of opportunities. So we started the center, not quite sure which direction we were going to go, and quickly took hold here. We got our CAE designation in, you know, record time, and we are now one of the eight CAE regional resource centers in the nation, and we serve the southeast in that capacity. 

Martha Saunders: [00:16:59]  We partner a lot with the state. We partner with industry. We partner with other universities as well to do a number of things. We train students. We have the only CAE-designated Bachelor of Science in cybersecurity in the state, and we also offer - will soon offer a Master of Science in cybersecurity. But the niche that has really been very compelling and high-demand for us is to find ways to upscale and rescale individuals and organizations for cybersecurity jobs. We all know there is a high demand. There are a lot of jobs waiting to be filled, and we can't just go raid each other's stables for workforce. There's just too much demand. And so it became very clear that there were great opportunities to upscale existing workforce and rescale in order - and we're doing that with the state and doing an awful lot of training in that way. 

Dave Bittner: [00:18:12]  So what are the unique needs and demands of folks who are coming to you who may be in a mid-career change or are looking to go after cybersecurity careers and may not be, you know, right out of high school? 

Martha Saunders: [00:18:29]  I think - I guess the challenge is making the right connection for them. People come into this area from a lot of different directions, a lot of different paths. It is highly multidisciplinary, so we could have someone coming from a political science background that would find a perfect niche, but we have to match their existing skills to the job demand. And that's labor-intensive. It requires good counseling and good coaching. 

Dave Bittner: [00:19:02]  How does a university like yours keep pace with the velocity of change in cybersecurity? 

Martha Saunders: [00:19:08]  It is moving fast, and we stay connected, and we listen. One of the advantages of a university like ours is that we are quite agile. We can move responsibly. We have advisory committees that come in from industry and say, all right, I know we told you last week your students need to be learning A, B and C. All right, now it's D, E and F. How quickly can you adapt? And we can move very quickly. So I think that has been a good opportunity for us in that we listen and we can respond readily. 

Dave Bittner: [00:19:45]  And what do you see as the future of education in cybersecurity? What's on your horizon? 

Martha Saunders: [00:19:52]  I think that cyber, like anything else as we know it today, will evolve and change. Our job at a university is to be ahead of the change, to be ready to adapt for that change. And there certainly are plenty of challenges out there. Hiring qualified faculty is a challenge that I'm sure many universities face. Also, getting the proper security clearances for our students so that they are ready to go straight into a job has been an interesting challenge as well. 

Dave Bittner: [00:20:29]  And what is your advice for that person who thinks that cybersecurity is something they want to explore and they want to start shopping around for a university like yours? Any tips for things they should be looking for? 

Martha Saunders: [00:20:42]  I think it is such a diverse field now. I would certainly advise them start looking around. Do your searches. See what each university offers, what credentialing a certain industry may offer. One of the areas that I think is greatly in need are small businesses. The same stresses are there, but how do you prepare small businesses for the challenges and the threats of security challenges? So I think a student would also want to think about the industry that may interest them. Maybe they're interested in health care and that - what kind of challenges, cybersecurity challenges, might exist there. And think about where they want to live, what industry they might want to serve, and back up from there. Plenty of opportunities for them. 

Dave Bittner: [00:21:32]  Yeah, I mean, that's an interesting insight. I think - it makes me wonder, at a facility like yours, an institution like yours, is there - are there opportunities on campus where, if someone has an interest in health care and cybersecurity, that those are things they can explore simultaneously? 

Martha Saunders: [00:21:51]  Yes, and we do that, again, through our Center for Cybersecurity. We have people on hand to counsel the students and say, why don't you - you know, here are the skill set you're bringing to us. Here are some directions that you might want to go. That, again, requires - it is labor-intensive. It requires making sure that we are listening equally to the industry and what they're telling us and then to our students and what their needs are. 

Dave Bittner: [00:22:23]  That's Martha Saunders. She's president at University of West Florida. 

Dave Bittner: [00:22:33]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: [00:23:15]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.