The CyberWire Daily Podcast 8.26.19
Ep 914 | 8.26.19

BioWatch info potentially exposed. Scammers indicted. Ukrainian cryptojacking exposed sensitive data. Social engineering notes. Boo birds and lawsuits. Data use and privacy. Low-earth orbit hack.


Dave Bittner: [00:00:03] BioWatch info exposed. Patched vulnerabilities are weaponized in the wild. Romance and other scam indictments name 80 defendants. Cryptomining and data exposure. Social engineering with a sheen of multifactor authentication. Suing the boo birds and the people who let them in. The road to happiness is paved with mutually exclusive good intentions. And alleged identity theft from low-Earth orbit. 

Dave Bittner: [00:00:33]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:29]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at 

Dave Bittner: [00:01:57]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 28, 2019 (ph). It's good to be back. 

Dave Bittner: [00:02:06]  The Los Angeles Times reports that data concerning the U.S. Department of Homeland Security's BioWatch program were exposed for over a decade on a contractor's unsecured server. The data included some sensor locations, lists of bio agents that could be detected and some contingency plans. The vulnerable site has been shuttered and the data moved behind a DHS firewall. None of the data reported to have been vulnerable to hackers seems to have been highly sensitive, although, of course, no responsible agency wants such information gurgling around out there on the internet. DHS doesn't know and is unlikely to ever know whether any unauthorized parties accessed the information. 

Dave Bittner: [00:02:48]  According to ZDNet and others, attackers are weaponizing vulnerabilities in Webmin servers, Pulse Secure and Fortinet VPNs. Users are urged to patch. 

Dave Bittner: [00:02:59]  SecurityWeek reports that the U.S. Department of Justice unsealed an indictment naming some 80 defendants in a range of online frauds ranging from business email compromise to romance scams. The two lead defendants and several co-conspirators are Nigerian nationals. 

Dave Bittner: [00:03:17]  InternetUA says the cryptomining rig Ukraine's SBU dismantled at the South Ukraine Nuclear Power Station apparently exposed data about the plant's physical security. Such data are sensitive, and in Ukraine they are considered state secrets. 

Dave Bittner: [00:03:33]  Phishing attempts are mimicking multifactor authentication login screens, Naked Security says. They aren't really multifactor authentication screens, of course. They're simply malicious links. But the appearance is more convincing than what's usually been seen in earlier attempts. Sophos advises avoiding email links, being aware of domain names and forgoing any shortcuts to determining whether accounts are being misused by some third party. 

Dave Bittner: [00:04:00]  Mike Weber is vice president at Coalfire Labs, and we caught up to discuss the most recent release of their annual Penetration Risk Report. But first, he shared some of the trends he was tracking at this year's Black Hat Conference. 

Mike Weber: [00:04:14]  I would say that most organizations - they know what they need to - they want to expect, but they don't want to get stuck doing what others have done. So one of the things that we've seen in faults of organizations with solutions in the cloud are different. What we're finding in vulnerabilities through our penetration testing - they're changing a bit. So when we look at what we saw over, you know, in past years - 2016, 2017 - we're finding, you know, the traditional vulnerabilities across enterprises and software. There are soft, you know, weak security mechanisms on the inside of a company. Perimeters are reasonably robust. And the application issues are your traditional OWASP Top 10. 

Mike Weber: [00:04:53]  Now that we see these companies going to the cloud, we're finding more of the misconfiguration vulnerability as the top of the heap - organizations that are trying to deploy a cloud solution, that are trying to be, you know, cloud provider agnostic. So if they want to move from Amazon S3 over to Azure Blob or whatever they want to do, you know, they want to make it so that it's very flexible in that solution so they can change - they - you know, so they're not completely tied to a provider. I get it. It's a great business reason. However, in building those and deploying them, sometimes you're not leveraging the security controls that are inherent in some of these services or in the suite of services you can get from a single provider, based on whether or not understanding that it isn't available or there isn't an equivalent or the equivalent is something different that has a different nomenclature. And it can get very confusing when developing these solutions for the cloud, particularly when using hybrid clouds or mixed providers. We saw that reflected in our Penetration Risk Report. 

Dave Bittner: [00:05:47]  Well, let's dig in a bit and talk about your Coalfire Labs Penetration Risk Report. What are some of the key findings? What did you discover by putting the data together? 

Mike Weber: [00:05:57]  Well, last year, we found - we found the sweet spot. We thought that what we were going to see is we were going to see, you know, from a company size perspective - you know, large companies, lots of money; small companies, no money; medium-sized companies, you know, growing or whatever. We found that the medium-sized companies were in this sweet spot. They were more secure. By the way, we defined secure through the collection of the data that mid-sized companies were more secure than their large or small brethren. 

Mike Weber: [00:06:25]  This year, when we looked at it, it's kind of - it sort of flipped on its head. So this year, we found that these large companies have improved significantly within our dataset. So large companies end up being in the sweet spot for this year. But what's interesting is when you look at our dataset, our dataset has so many more cloud providers - software as a service solution, infrastructure as a service, platform as a service - you name it. Large companies - you know, our dataset does collect information from the largest cloud providers in the world and also very, you know, niche small companies that are putting their solutions in the cloud as well. 

Mike Weber: [00:07:03]  But when you look at the type of business and how that demographic information has changed, it also changes the type of work we're doing. So we're doing more work for these cloud providers, which are generally the larger companies, which has changed, basically, the security posture that we've identified. When you remove them, we're similar to that sweet spot, leaning toward the middle. But because everything's going to the cloud, I think this is going to be a change that not only our business is going to see, every security assessment company is going to see as well. And we need to adapt. You know, as a company, we need to adapt to these changes. And our clientele have to adapt to ensure that they're positioning themselves for this future world that is very cloud-centric. 

Dave Bittner: [00:07:49]  Based on the information that you've gathered here, that you're assembling for this report, what are your recommendations going forward? 

Mike Weber: [00:07:56]  For organizations that are moving to the cloud, not to disregard the complexities of these cloud organizations. As an example, within our top vulnerabilities last year, I think security misconfigurations didn't even make the top five. This year, it's No. 2. So understanding how that defense in depth has to be deployed across a cloud model. 

Mike Weber: [00:08:17]  Also, looking at solutions from a threat model perspective. Classical threat modeling on applications applied to solution architecture early in the development life cycle is key to getting a good understanding of, you know, the significance of some of the controls that are built into these cloud platforms as well as what needs to be built into the application or solution to be able to augment it. 

Dave Bittner: [00:08:40]  That's Mike Weber from Coalfire Labs. You can find their Penetration Risk Report on their website. 

Dave Bittner: [00:08:47]  Crown Sterling is suing Informa subsidiary UBM, the well-known trade show impresario whose offerings include Black Hat. Crown Sterling, an emerging security company that's emerging into the marketplace from Newport Beach, Calif., alleges breach of contract. It's over the poor reception its presentation received at Black Hat. The boo birds were out in force. The presentation that was poorly received, "Discovery of Quasi-Prime Numbers: What Does this Mean for Encryption," was based on a paper, "Accurate and Infinite Prime Prediction from Novel Quasi-Prime Analytical Methodology," by Crown Sterling's CEO Robert E. Grant and Crown Sterling physicist and data science consultant Talal Ghannam. Crown Sterling says it stands by its presentation. Ars Technica quotes Grant as saying, quote, "Crown Sterling has announced a legitimate multidimensional encryption technology that challenges the paradigm of today's encryption framework. We understand that the discovery completely transforms the way we secure data and that some members of the security industry are resistant to change or accepting of new technologies that do not conform to traditional approaches. We completely stand behind all content presented at Black Hat 2019, and we look forward to presenting further developments about the company and our quantum AI encryption technology," end quote. In a press release announcing their lawsuit, Crown Sterling's chief operating officer, Joseph Hopkins, said that, quote, "we were assured by Black Hat and its public code of conduct that our presence would be treated openly and fairly. That did not happen," end quote. The critics call the method Crown Sterling presented snake oil. Their vigorous assertation of that view prompted the lawsuit. In addition to naming UBM in their suit, Crown Sterling is also going after 10 Does - as in John Doe, a person unknown or at least not named - from among the boo birds. In fairness to Crown Sterling, we note that some of the boo birds were feisty enough to warrant ejection from the conference room. In fairness to the boo birds, a mathematician published a proposed refutation of Crown Sterling's results last month.

Dave Bittner: [00:10:58]  BuzzFeed reports that Facebook has yet to deliver data it promised academic researchers to support studies into the effect of social media on democratic institutions and processes. The problem, according to BuzzFeed, is that Facebook has reneged on its offer and that it's citing privacy concerns that, by implication, are convenient and arguably bogus. It's for research, after all, and research in the service of democracy. Alex Stamos, now of Stanford University and formerly Facebook's lead security executive, has come out swinging on behalf of his former company. He's engaged various news outlets, including Gizmodo, BuzzFeed and The New York Times, with tweets about their reporting of the Cambridge Analytica scandal and other privacy matters. If you want to understand why academic research is being inhibited, he suggests, look in the mirror, reporters. It would be easy to dismiss this as a vaguely Nixonian attack on dishonest journalism, by which the complainer means journalism I dislike because it makes me look bad, but, actually, Stamos has a point. Of course, Facebook is skittish about sharing data with academics when such data might involve the company in privacy violations. The company is in enough hot water over its data handling. But it's one thing to raise outrage over data handling and quite another to complain that data aren't being shared freely enough. Inconsistent preferences are never a good thing. The road to unhappiness is paved with mutually exclusive good intentions. 

Dave Bittner: [00:12:30]  NASA's inspector general is conducting an inquiry into what may turn out to be the first known case of crime committed from space. The New York Times reported Friday that astronaut Anne McClain told investigators that she accessed her estranged wife's bank account during a six-month tour aboard the International Space Station. She denied moving any money from the account and is quoted in heavy as saying she simply checked the account to monitor the couple's finances, as she has done throughout their time together. The astronaut's spouse, Summer Worden, filed a complaint with the U.S. Federal Trade Commission, alleging that McClain had committed identity theft. Miss Worden said that she didn't detect any theft from the account. Worden's parents independently complained to NASA's inspector general, alleging that Miss McClain had improperly gained access to private financial records in the course of the divorce and attendant child custody fight. So perhaps we see something new under the sun, an allegation of identity theft committed from low-Earth orbit. 

Dave Bittner: [00:13:38]  Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your end points, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every end point into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:14:41]  And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, it's always great to have you back. You and your team have been tracking some RATs and some stealers using something that you're referring to as Heaven's Gate. There's a lot going on here, so can you sort of give us an overview? What are we tracking here? 

Craig Williams: [00:15:01]  Let's look at why this exists first. And, you know, what's the problem with malware? And what are the challenges that malware out there face? Well, detection. Antivirus systems, systems like AMP, have gotten really good at detecting malware. And so it's basically a cat-and-mouse game between the good guys and the bad guys. 

Craig Williams: [00:15:16]  And this is basically a new loader that's doing some cool stuff that we wanted to make sure people were aware of. And the reason it's called Heaven's Gate is an old technique that basically allows 32-bit malware running on a 64-bit system to hide the API calls by switching to a 64-bit environment. So it's a really weird technique. It works. It's well-known. And so when you combine that with some of the very sophisticated packing techniques in this malware, you can load known malware samples and have them pretty much go undetected through a lot of security systems. 

Craig Williams: [00:15:51]  The things we're seeing it used with right now are really cryptomining and, you know, malware families like Remcos. So it's pretty common. It's pretty effective. And so that's why we wanted to make sure that we documented it, so that, you know, everyone can be aware of how it works, how competitors can notice the blog and can fix their detection because at the end of the day, you know, that's what Talos is really out to do, right? We want to wreck malware's ability to operate. We want to stop their ability to do business. And if we have to help our competitors do that, we absolutely will. 

Dave Bittner: [00:16:19]  And so where are we when it comes to being able to detect this? 

Craig Williams: [00:16:23]  Oh, naturally, we're great. 

Dave Bittner: [00:16:25]  I mean the royal we, not the Cisco we (laughter). 

Craig Williams: [00:16:28]  It depends on where you are when you see it, right? So if you're flying by a wire like a, say, a Firepower appliance or a network intrusion prevention system, this is going to be a tricky one - right? - because it's packed. But there are certain things you can look for, right? If you're looking at the way, you know, a -p executable is built, you can look for certain things that maybe shouldn't be there, right? And if you have it on the end host, well, there's definitely a lot of stuff you can do to look at because normal software is not written like this, right? Normal software doesn't have all this crazy looping and jumping around. It's really only found in malware that wants to be evasive, and particularly the Heaven's Gate technique. 

Dave Bittner: [00:17:08]  Is this the sort of thing that we're seeing more and more of, this - I mean, you described it as sort of an odd way to do something - this, you know, using - running 32-bit code and switching to 64-bit mode. You know, these - are the folks out there by necessity getting more and more clever? 

Craig Williams: [00:17:28]  Yes. I mean, that's really what it is. You know, if you have to think about it linearly, I think the best way to think about it is a malware author wants to do X, right? So the malware author designs malware to do X. Well, then the AV company has to stop that because they notice it and it's a risk to their clients. And so the AV company then designs protection around whatever technique that is. Well, then the malware author's technique is no longer effective. And so then he has to evolve his technique in a way that bypasses whatever the AV companies are looking at. And so it's really just a game of cat and mouse until someone builds the best mousetrap. And you'll even notice in the blog, there's a list of types of antivirus file names that it's looking for, and it's not even looking for it in a linear way. It's doing it all over the code base, so it's much harder to see. 

Dave Bittner: [00:18:15]  That's interesting. So even sort of the basics - I guess what you would consider bread-and-butter parts of the functionality of this malware - they're being clever with to make it harder to find. 

Craig Williams: [00:18:25]  Right. And what happens is when it does hit that particular check, if it does find that antivirus file, it will terminate, and it won't execute any further. 

Dave Bittner: [00:18:34]  Oh, I see. And so... 

Craig Williams: [00:18:36]  You can imagine if you're running this in the sandbox, it's problematic. Or if you're trying to automate analysis, it's problematic because they're checking for those types of tools. 

Dave Bittner: [00:18:44]  Yeah. Interesting. All right, well, the blog post is titled "RATs and Stealers Rush Through Heaven's Gate with New Loader." That is on the Talos Intelligence blog. Craig Williams, thanks for joining us. 

Craig Williams: [00:18:55]  Thank you. 

Dave Bittner: [00:19:01]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:13]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.