The CyberWire Daily Podcast 7.25.19
Ep 892 | 7.25.19

News about Russian and Chinese government threat actors. Powerful crimeware active in Brazil. BlueKeep really needs to be patched. Messenger Kids issues. Dispatches from the cryptowars.


Dave Bittner: [00:00:03] Word on the street is Fancy Bear has taken to wearing a monocle. A new Chinese cyber espionage campaign is identified. Intrusion Truth tracks APT17 to Jinan and China’s Ministry of State Security. Guildma malware is active in Brazil and may be spreading. BlueKeep is out in the wild and now available to pentesters. Facebook’s Messenger Kids app has been behaving badly. And an update on the cryptowars, with some dispatches from the American front. 

Dave Bittner: [00:00:38]  And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first; it's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:37]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday July 25, 2019. Security researchers at Lookout have announced the discovery of Monokle, which the company describes as a new and sophisticated set of custom Android surveillanceware tools. There are some indications that there may be an iOS version lurking somewhere, but for now the Android toolkit is in use in the wild. Lookout attributes Monokle to the Special Technology Centre, Ltd., also known as STC, Ltd. or simply STC. The company is based in St. Petersburg, Russia, and along with two other companies, was sanctioned in 2016 by a U.S. executive order for its work on behalf of GRU. That work involved information operations against U.S. elections. 

Dave Bittner: [00:02:27]  Monokle is advanced mobile malware designed to collect and exfiltrate personal data from infected devices. Lookout says Monokle uses familiar methods but in novel ways, and that it's been extremely effective against its targets. Its functionality includes profiling of the users it targets to gain a sense of what interests them. So if the Bears are sporting some new eyewear, what of the Pandas? Well, they haven’t been idle, either. 

Dave Bittner: [00:02:55]  Proofpoint yesterday published a report describing the activities of a Chinese Advanced Persistent Threat group it calls Operation LagTime IT. The security firm tracks the group internally as TA428. We parenthetically express some regret that they haven’t named the threat group after a cute animal. At any rate, LagTime is a cyber espionage operation that collects against East Asian targets, for the most part government agencies that oversee government information technology, domestic affairs, foreign affairs, economic development and political processes. The campaign uses a Remote Access Trojan, Cotx RAT, as well as Poison Ivy payloads. These it distributes by phishing, which remains probably the most common vehicle of cyber espionage. 

Dave Bittner: [00:03:43]  Hacktivist group Intrusion Truth has linked the threat actor APT17 to the Jinan bureau of the Chinese Ministry of State Security. APT17 has sometimes been known as Axiom or Deputy Dog, and it’s been implicated in a number of operations over the last few years. Intrusion Truth make a case that a Ministry of State Security officer by the name of Guo Lin is running front companies that engage in cyber espionage on behalf of the Chinese government. 

Dave Bittner: [00:04:13]  Intrusion Truth also says APT17 engages in some domestic crime on the side - selling data stolen from Chinese targets. This may be read at least as the familiar interpenetration of the more ambitious security services and the more rapacious criminal gangs - that’s been seen for some time in Russia, where elements of the mob act on behalf of government organs. But the nature of the theft here suggests something more than that. As Intrusion Truth puts it in their blog, quote, “Either, APT17 has some sort of domestic remit, acquiring data on Chinese citizens and selling it to the MSS - but that is unlikely because China’s new intelligence law compels companies to provide information required by the government, and the price list certainly wouldn’t be circulated online - or the MSS has lost all control of APT17, which is hacking Chinese victims and selling the data to the highest bidder," quote. The white hat doxers of Intrusion Truth have achieved a certain cachet over the last three years. Their identification of individuals involved in the Chinese hacking groups APT3 and APT10 in 2017 and 2018 eventually found official confirmation in the form of U.S. Justice Department indictments of some of the people Intrusion Truth named in their reports. 

Dave Bittner: [00:05:34]  There’s unambiguously criminal activity out and about as well. Security company Avast has published an account of Guildma malware. They're calling it a powerful combination of RAT - that is, a remote access tool - with spyware and a password-stealer and banker malware. It's being distributed for the most part in Brazil and usually arrives as a baited attachment in phishing campaigns. The usual cautions about phishing-awareness, of course, apply. Guildma has been in use since 2015, and while Brazil remains its principal zone of action, the criminals behind it have also hit targets in Argentina, Chile, China, Ecuador, the European Union, Peru and Uruguay. 

Dave Bittner: [00:06:17]  Integrating a threat intelligence program into your organization presents a specific set of challenges. There's making sense of streams of incoming data, separating the signal from the noise and filtering in such a way to make the intelligence actionable. And while you're at it, you'll want to make sure the systems you put in place are scalable. Eric Murphy is VP of security research at SpyCloud. 

Eric Murphy: [00:06:39]  In general, it's kind of defining what your paradigm or what your methodology is. So the two general concepts are - are you a reactive organization or are you a proactive organization? In general, most - I guess the standard operating procedures for CISO's these days - and this goes back, you know, the last 20, 30 years - is to build what is perceived to be as a reactive org (ph). So you build out a SOC, a security operations center. You staff it with analysts. And you kind of look for threats as it relates to your perimeter. The proactive approach is almost the opposite of that, where you kind of follow these data science practices. You have an ingest (ph) pipeline of some sort. And you're actively involved in, say, the criminal communities or trying to understand the trends as it relates to your vertical or your business. So those are kind of the fundamental differences. 

Dave Bittner: [00:07:34]  And is it right to say that it's not all one or the other? That many organizations have a - they sort of dial in a mix between the two? 

Eric Murphy: [00:07:42]  Yes, I think that's an accurate statement. I think most kind of err on the side of reaction or reactionary, and that's mainly due to kind of the tooling available or how big your organization is. Keep in mind that this practice has been around for a very long time, so most of the, you know, enterprise or security software out there kind of focuses on that. 

Dave Bittner: [00:08:06]  And so what's your advice for folks who are out there trying to consider how they can integrate threat intelligence into their organization? How do they begin? 

Eric Murphy: [00:08:14]  I think it's - it first starts with understanding what the threat landscape is. And a lot of times, that's very easy to say, right? Like, let's do some basic threat modeling and understand what the threats are. But what I actually mean is there's a difference between a perceived threat and an actual threat. If you have a better understanding of, say, the criminal communities or the types of people that target your business, that's always a really good starting point. So it starts out with building kind of an intelligence function into your security organization. From a tech standpoint, it's first establishing how you're going to gain visibility not only into your organization but outside of your organization and then instrumenting the proper security layers, right? So the application, network, host, human - that sort of thing. And then it's a matter of really finding the right kinds of talent that understand the criminal world, more or less. So it starts with building out the proper tech, staffing appropriately and then building out your data pipelines. 

Eric Murphy: [00:09:17]  For example, you would build out a human intelligence team, HUMINT. That team is responsible for managing human assets or developing assets in the field. These could be actors. These could be higher-level criminals. It's the relationship part that informs kind of what trends or what's hot at any given time. That's one facet. The other facets include - you know, or traditionally might be, like, signals intelligence, which today has kind of been adopted for the web. But it's - I guess we think about it in terms of active and passive intelligence. The human side is - falls into the active category, again, developing those assets, obtaining data - that sort of thing. The passive side, then, would be developing the technologies to either scrape or pull data from sources that are deemed sensitive or interesting in some way. 

Dave Bittner: [00:10:10]  That's Eric Murphy from SpyCloud. 

Dave Bittner: [00:10:14]  Assessment and penetration-testing company Immunity is selling a BlueKeep version as part of its CANVAS penetration testing suite, ZDNet reports. Let’s be clear about this - immunity isn’t trading on the black market or selling crimeware to the mob. But the reason you incorporate an exploit into a pentesting kit is because there’s a greater-than-zero possibility that the hoods will be using it. Still, people in the security community are uneasy with this. Various security firms say they’ve developed proof-of-concept exploits for BlueKeep, but they’ve kept the details to themselves lest criminals take advantage of them. Once a vulnerability is weaponized, even for good, there’s of course a greater likelihood that it will get into the wrong hands. BlueKeep, by the way, is already being exploited in the wild. Researchers at security firm Intezer have found it incorporated into the latest version of the WatchBog cryptojacking botnet. If you haven’t already done so, please patch for BlueKeep. 

Dave Bittner: [00:11:14]  Not to pile on that social network based out of Menlo Park, but they’re having an uneasy week, public imagewise. Naked Security reports that Facebook has had to tell parents that a group chat option in its Messenger Kids Android app circumvented the core feature of that app - parents' ability to restrict the child-user to communication with only parentally approved contacts. The issue seems to have been a simple glitch without any nefarious monetization agenda at its root. But the optics, as they say, aren't good. 

Dave Bittner: [00:11:47]  And finally, we’ve noted that U.S. Attorney General Barr fired another shot in the cryptowars this week, making a constitutional argument that, quote, “the Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation," quote. The other side pushed back with arguments to the effect that no one has any idea of how to ensure access to noncooperating encrypted systems without dangerously weakening security for everyone. 

Dave Bittner: [00:12:19]  Critics also maintain that, as a matter of fact, the extent to which going dark is an actual problem has been exaggerated, and the government's ability to access the traffic it needs to access for legitimate law-enforcement and intelligence purposes has in general been underestimated. There are also political objections from those who believe they discern, in the attorney general's remarks, a disposition to see data security in terms of first-class citizens - that is, the government and especially the Defense Department and the intelligence community, but also big business - and second-class citizens, which is, basically, private citizens. In any case, the Department of Justice is convinced that going dark is a real problem, and it seems prepared to double down on an anti-encryption position it’s held at least since the early days of the Obama administration. But one suggestive bit of reporting on CNN hints at either a motive or a retrospective justification for the renewed offensive in the cryptowars. Special counsel Mueller's investigation of Russian election influence collected a lot of messages that would have been really good. But, darn it, too many of them were encrypted. It will be interesting to see if this particular story has legs. 

Dave Bittner: [00:13:35]  And now a message from our sponsor ObserveIT. 

Unidentified Person: [00:13:40]  Great party, huh? 

Dave Bittner: [00:13:41]  Yeah, yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? What - Oh no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person: [00:14:01]  Did someone say trouble? I bet I can help. 

Dave Bittner: [00:14:04]  Who are you? 

Unidentified Person: [00:14:04]  To catch insider threats, you need complete visibility into risky user activity. Here; I'll show you how ObserveIT works. 

Dave Bittner: [00:14:12]  Wow. Now I can see what happened before, during and after the incident. And I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person: [00:14:22]  Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:14:27]  But wait. What's your name? Oh, well. Thanks, ObserveIT, and whoever she is. 

Dave Bittner: [00:14:35]  ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at 

Dave Bittner: [00:14:54]  And I'm pleased to be joined once again by Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he leads their managed threat services intelligence team. Michael, it's always great to have you back. I wanted to touch base about some of the things we've been tracking in terms of ransomware. We've seen some cities who have been choosing to pay the ransom. And I can't help wondering - even though they think they're getting their data back, could there be issues here with data integrity? 

Michael Sechrist: [00:15:22]  Yeah. Thanks for having me back again. Definitely - this is an issue that we're concerned with as well for what we're seeing in this space. Again, this is potential for some sort of integrity attack on the data itself and having sort of these companies or cities, in this case, that are potentially under a ransomware attack. When they receive sort of the files back, how do they know that they're not being altered or that there's not some sort of backdoor being implemented into the data they're receiving? This, again, gets to, you know, known good and known bad for a company and for an organization or a city. It's something that we are working closely to try to mitigate and build internally within our clients. 

Dave Bittner: [00:16:11]  So let's dig into that a little bit. When you say known good and known bad, what are you talking about? 

Michael Sechrist: [00:16:16]  Building a process in place within a company structure that - or within an organization, like even a city government, that can associate what - and determine what - something that they've produced is what they've produced, or is this something that's potentially been altered by a third party and in an unauthorized way? So getting to an authorized and unauthorized sort of content or media or file is a difficult challenge in and of itself based on sort of the ecosystems that are in place digitally across these organizations. But having sort of a way - and one of the ways we believe is the best way is to build a intelligence lifecycle that's well-functioning within these organizations - but building a way that you can associate known good and known bad for your company or enterprise. 

Dave Bittner: [00:17:09]  Yeah. I'm thinking about these cities who've been going through this. And I suppose any organization that's gone through a ransomware incident and has decided that paying the ransom is their best option - perhaps, their only option - I suppose that if they're faced with that, that probably means they don't have a functional backup system, which would also lead me to believe that they probably don't have some way of tracking data integrity. 

Michael Sechrist: [00:17:35]  That's a potential for sure. Obviously, you know, a lot of the ransomware problems that we're seeing are due to not having appropriate offline backups of critical data and forcing enterprises to kind of engage in a potential payment of a ransom. You know, this is guidance that's been issued by the US-CERT for years and from others that that's definitely a critical component that's needed. But that's a very difficult thing for an enterprise or an organization to tackle in and of itself. What is your most critical data? And how are you going to, you know, build an offline capability to restore it in times of crisis? That's one, but then the other question we're asking here is - you know, the data that is restored, how do we know that that is the data that we consider our data or data that is good and data that is authorized on behalf of the enterprise? And that's a much more difficult question. You know, it is reliant on the organization to know that information and to know what's potentially been altered. And that requires kind of almost a central repository of truth at these companies or these enterprises. And that's kind of what we're getting at. That's why the intelligence lifecycle is so important because it really should be your own internal mechanism for deriving the truth of data in your enterprise. 

Dave Bittner: [00:18:57]  All right. Well, Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:18:59]  Thank you. 

Dave Bittner: [00:19:05]  And that's the CyberWire. 

Dave Bittner: [00:19:06]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at 

Dave Bittner: [00:19:21]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:32]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.