The CyberWire Daily Podcast 8.22.19
Ep 912 | 8.22.19

North Korean and Chinese cyber espionage. Updates on Texas ransomware. Steam zero-day released.

Transcript

Dave Bittner: [00:00:03] LYCEUM is active against the oil and gas sector in the Middle East. Leaving government service? That nice offer from the headhunters you got on LinkedIn may be the beginning of an approach by Chinese intelligence. An autonomous car expert's been indicted for alleged theft of trade secrets. Imperva discloses a possible breach. Exploitation attempts against VPNs have been reported. And why did the chicken cross the road? The AI's not sure, but it thinks the chicken used LIDAR. 

Dave Bittner: [00:00:37]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:47]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:14]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 28, 2019. 

Dave Bittner: [00:02:23]  Secureworks has identified a new threat group active in the Middle East. They're calling it LYCEUM. It may have been active as early as April of 2018, with some signs of activity in South Africa. But since late spring of this year, it's increased its operations significantly. It's currently engaging Middle Eastern infrastructure targets, specifically in the oil and gas sector. 

Dave Bittner: [00:02:46]  While Secureworks says it sees some stylistic similarities to known threat groups COBALT GYPSY - itself connected to OilRig, Crambus and APT34 - and COBALT TRINITY, also known as Elfin or APT33, it says that it can't connect either the malware itself or the attack infrastructure to any of those actors - quote, "as of this publication, there is insufficient technical evidence to support an attribution assessment," end quote. Other outlets are less circumspect. Bleeping Computer runs with LYCEUM's association with Hexane, tracked earlier by Dragos. Technology Review calls a culprit, Iran. The campaign's goal is, apparently, espionage. 

Dave Bittner: [00:03:31]  Chinese intelligence services continue to use LinkedIn as a way of approaching people they'd like to recruit as assets. The New York Times reports that former government officials are attractive potential targets. Counterintelligence officials in France, Germany, the U.K. and the U.S. have all warned against the recruitment efforts. This appears to be an update of traditional espionage tradecraft - approach a potential recruit, establish some common ground and proceed until they're too compromised to spit your hook. The hook is often a job offer, sometimes done through the cutout of a headhunting firm. The lure is often a trip to China, perhaps on a paid speaking, research or consulting gig. From that point on, from the intelligence services' point of view, it's all customer relationship management. Prospects who've recently left or are soon to leave the government service are particularly vulnerable. Not only are they likely to have information and, better yet, contacts the Chinese services would like to use, but they're at an unsettling point in their life, moving from a familiar government career into the unfamiliar private sector. Government agency HR and security people handling transitioning employees might take note. Some help is probably in order here, more than just getting them to turn in their badge and signing separation paperwork. 

Dave Bittner: [00:04:53]  One of the stars of the self-driving car world, Anthony Levandowski, has been indicted by the U.S. attorney for the Northern District of California. Mr. Levandowski, who had been a founding member of Google's self-driving car team, is charged with 33 counts of theft of trade secrets. It's alleged that a few months before he resigned from Google, Mr. Levandowski downloaded company files relating to the company's LIDAR sensor and self-driving technology. He was arraigned in San Jose yesterday. 

Dave Bittner: [00:05:24]  It's a common practice in network defense to segment your network, to split it into sections to limit exposure, or perhaps to be able to dial in different access controls for different areas of risk. Microsegmentation takes this notion to an even more sophisticated level. Peter Smith is CEO at zero trust segmentation firm Edgewise. 

Peter Smith: [00:05:46]  So microsegmentation at its most basic level is just saying that you're going to create groups of systems and shrink the boundary just around those small groups of systems. And those groups of systems are typically aligned with either a type of data or a specific business application. So for instance, you could plausibly create a microsegment containing a variety of databases that all have the same class of data. And, really, the point is - let's say it's a replicated Postgres database. There's no reason to segment them out individually. Once you have access to one, you effectively have access to all of the data across all of the databases. So you're grouping them together based on their risk, based on the risk of a breach, and putting a perimeter around those. 

Peter Smith: [00:06:37]  A different example would be to say you're going to put a perimeter around a business application. A good example of that would be I'm going to put a perimeter around just the components that make up my SharePoint infrastructure. And that could be a web front end, an application tier, one or more databases on the back end, and you're putting a boundary just around that one business application. So you can think of it as cordoning off data types or cordoning off business applications. 

Dave Bittner: [00:07:11]  And what are your recommendations for folks who want to get started with this? How do you educate yourself and figure out what the best approach is? 

Peter Smith: [00:07:19]  You know, microsegmentation is, frankly, quite difficult. And what you need to do first is determine what your objective is. Is your objective to protect specific critical applications and their assets, or is your objective to fully segment the entire environment? Either way, you need to choose a starting point. And that typically centers around a specific application that you wish to protect. 

Peter Smith: [00:07:46]  My advice, personally, is to start with your backup infrastructure. And I know that sounds counterintuitive. Why would you care about your backup infrastructure? But the reason you care about it is because it has every piece of protected information you could ever wish to protect. It is the most compelling target I can think of in the cloud or in the data center. If you get into the backup infrastructure, you've got all the keys to the castle. 

Peter Smith: [00:08:17]  It's also worth noting that most backup systems are effectively command and control systems. So to give you an example, backup infrastructure has to deal with a variety of scenarios. I need to quiesce a database before I back it up so that I've got a crash-consistent copy of the database files. Well, to do that for Postgres, MySQL, MongoDB, Oracle Database, MS Equal (ph), they all have different commands that need to be issued. Do you think the backup software vendor builds special routines that only allow those individual commands to be run? Of course not. They've got a mechanism that allows you to run, really, arbitrary commands to do the quiesce functions, to prep file systems for backup, so on and so forth. And what that means is that if I can get into your backup system, I basically have entered the superhighway of connectivity that allows me to command and control every system in the environment and access all data that is sensitive and precious to you. 

Peter Smith: [00:09:23]  The last point I would make is that as you're exploring the world of microsegmentation, the backup infrastructure is a perfect candidate because it generally is not the primary supporting function of the business. If you happen to make a fat finger, per say, on the backup infrastructure, you're not going to take down the revenue-generating application for the business. So it's both safe. It's both a very big target for both the command and control capabilities as well as the data that it holds. 

Dave Bittner: [00:09:56]  That's Peter Smith from Edgewise. 

Dave Bittner: [00:10:00]  Imperva has disclosed an issue affecting its Cloud Web Application Firewall, the product formerly known as Incapsula. The source and scope of the incident remain under investigation, but it appears to involve exposure of customer data through September 15, 2017. The company will release more information as its investigation turns up details. Imperva recommends that customers change their passwords, implement single sign-on, enable two-factor authentication, generate and upload a new SSL certificate and reset their API keys. 

Dave Bittner: [00:10:34]  Pulse Secure is also reaching out to customers who may have been affected by the widely reported attempts to exploit a vulnerability in its popular virtual private network software, urging them to apply the patch that's been available since April. It's an interesting case. The patch has been available for some time, but the vulnerability drew considerable attention from hackers in the wild only after it was publicly discussed at Black Hat. Researchers at the threat intelligence firm Bad Packets reported that on August 22, they began seeing what they call opportunistic mass scanning for vulnerable servers. The scanning originated from hosts in Spain. 

Dave Bittner: [00:11:14]  Finally, the BBC takes up some breathless warnings that artificial intelligence is getting really good at writing fake news stories and that the GPT-2 text generator developed by researchers at OpenAI is too dangerous to be let out in its fully trained form to the general public. Not only will it write almost-convincing fake news stories, but it will even finish jokes in an almost-convincing way - emphasis on almost. The BBC's tests fell short of full conviction, although they do suggest that some human writers might well fail a reverse Turing test, leading readers to think, dude, you write like a machine, and don't mean that in a good way. 

Dave Bittner: [00:11:56]  It's also unclear how new this really is. The Postmodern Generator, for example, has been dazing and confusing comp lit and lit crit TAs with bogus scholarly argle-bargle for a generation now, long enough, no doubt, for some users to have received tenure. But take the business of finishing jokes, please. The Borscht Belt has little to fear because the AI seems humorless. Here's what happened when the AI consultancy The Envisioners tested it on the old family of jokes that begin, a man walks into a bar. The AI thought this was how it should go. A man walks into a bar and ordered two pints of beer and two scotches. When he tried to pay the bill, he was confronted by two men, one of whom shouted, this is for Syria. That's all we'll reproduce because the rest isn't really suitable for a family show. Also, it's not funny. 

Dave Bittner: [00:12:50]  Now, a funny version would have had the guy talking into his hand or producing a small piano from his pocket. But anyway, share your versions among yourselves, and maybe share them with the AI. The issues, some are saying, is that the AI is just trained by being turned loose on the internet. Everybody remember Tay, Microsoft's attempt at artificially intelligent voice assistant a few years ago? Redmond was going for a sassy teen girl persona, and, boy, did they succeed in a certain way. After a week on the internet, Tay had become a foul-mouthed racist sociopath. Redmond had to put Tay in a timeout that, as far as we know, is still going on. Ay-ay-ay (ph), machines, you're breaking your human parents' hearts. 

Dave Bittner: [00:13:40]  Now it's time for a few words from our sponsor, BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:14:44]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, it's great to have you back. 

Joe Carrigan: [00:14:54]  Hey, it's good to be back, Dave. 

Dave Bittner: [00:14:55]  I saw an article come by. This was from FCW, which is Federal Computer Week. And the article is titled "Cyber Reskilling Grads Grow Skills But May Not Be Headed For Cyber Jobs." This is written by Adam Mazmanian over at FCW. Give us the background here. What's going on? 

Joe Carrigan: [00:15:15]  So the federal government, the office of the CIO, has this program called the Cyber Reskilling Academy. And it's designed to retrain feds for cybersecurity positions. 

Dave Bittner: [00:15:25]  OK. 

Joe Carrigan: [00:15:27]  They just graduated their first cohort in July. 

Dave Bittner: [00:15:30]  OK. 

Joe Carrigan: [00:15:31]  Suzette Kent, who is the federal CIO, said at a roundtable discussion that she's very happy with the outcome. They had 30 people who were selected from a pool of 1,500 people, so it's a pretty tough selection process. 

Dave Bittner: [00:15:44]  Right. 

Joe Carrigan: [00:15:45]  Right. And these graduates were able to get some credentials. They got the GIAC, which is a global information assurance certification for security essentials and certified incident handler. Now, here's the interesting thing. These people who were selected for this cohort were all from the GS-12 to GS-15 pay grades, right? These are people who are more senior in their careers. 

Dave Bittner: [00:16:09]  So the GS system is how government pay grades are ranked. 

Joe Carrigan: [00:16:13]  Correct. 

Dave Bittner: [00:16:13]  The higher the number, the more you make. 

Joe Carrigan: [00:16:14]  These folks have essentially trained and are now skilled enough to become entry-level cybersecurity workers, right? 

Dave Bittner: [00:16:21]  Thanks to this academy. 

Joe Carrigan: [00:16:22]  Thanks to this academy. 

Dave Bittner: [00:16:23]  OK. 

Joe Carrigan: [00:16:23]  However, the problem with that is that the entry-level cybersecurity positions usually rank around the GS-7 to GS-9 range, depending on how much experience and education you have. 

Dave Bittner: [00:16:32]  And that's substantially... 

Joe Carrigan: [00:16:34]  Substantially less. 

Dave Bittner: [00:16:34]  ...Lower salaries. 

Joe Carrigan: [00:16:35]  Yeah, it's not surprising to me that these folks are not moving on to - into the cybersecurity field. The benefit - I'm not saying this is a total write-off. That's not at all what I'm saying. I like the idea that you're taking senior people and introducing them to the skills and problems of cybersecurity. That is going to pay off down the road. We have a real shortage in this country of cybersecurity workers, particularly within the federal government. 

Joe Carrigan: [00:17:00]  So I think that they should be targeting this training towards people who are GS-9 and below so that they can actually say to people - government employees, we are going to give you an opportunity to move into this field where you'll have room for rapid advancement through the government, and not telling people, in order for you to move into this high, advanced field, you have to take a really huge pay cut. 

Dave Bittner: [00:17:22]  Right, right. Now, I know - I mean, one of the things from your line of work at Hopkins... 

Joe Carrigan: [00:17:27]  Right. 

Dave Bittner: [00:17:28]  ...Sending people out into the world, the government is a place where there are opportunities that there may not be in private business. 

Joe Carrigan: [00:17:37]  Correct. Well, one of the things that I will say the U.S. federal government does very well when compared to industry is that if you go into an entry-level position, they are not expecting you to have any experience. You might have to have a certification, like an A-plus certification - or Security+, rather, certification - but that's relatively easy to acquire. That's a very low barrier to entry. 

Dave Bittner: [00:17:57]  Right. 

Joe Carrigan: [00:17:57]  You can take a training class, pass the test, and you will qualify for these - as an entry-level for a lot of these positions. 

Dave Bittner: [00:18:04]  So you don't see these requests where you apply for a job where it's - it says an entry-level position, must have 10 years' experience (laughter). 

Joe Carrigan: [00:18:13]  Right, and a CISSP. 

Dave Bittner: [00:18:14]  Right, right, right (laughter). 

Joe Carrigan: [00:18:14]  I've actually seen entry-level postings that require a CISSP. Nobody with a CISSP is going to take your entry-level, $40,000-a-year job. Sorry, that's not going to happen. But the federal government actually knows that, and they actually do that very well. 

Dave Bittner: [00:18:27]  So perhaps what's out of alignment here is the notion that this program, this Cyber Reskilling Academy, is going to fill empty jobs in cybersecurity within the federal government. 

Joe Carrigan: [00:18:40]  Yeah, I don't think that that's going to happen, at least not with what they did with the first cohort. Now maybe the first cohort was a test. It was only open to people who were not in IT, which I find interesting. The second cohort, which has already been selected, is open to anybody. Anybody could apply for a position in the second cohort. I'd like to see what happens with this. Again, I don't diminish the value of the training for these GS-12 through GS-15 people. These are senior people who are - who now have a glimpse into the horrors that we look at every day. And I think that's important. It has real value. 

Dave Bittner: [00:19:12]  Yeah. All right, well, it's interesting. Again, the article is over at FCW. It's "Cyber Reskilling Grads Grow Skills But May Not Be Headed For Cyber Jobs." Do check it out. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:24]  My pleasure, Dave. 

Dave Bittner: [00:19:30]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:42]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.