The CyberWire Daily Podcast 9.10.19
Ep 924 | 9.10.19

US National Security Advisor to be replaced. Stealth Falcon’s new backdoor. DDoS, social engineering investigations proceed. Exfiltrating an agent. Patch Tuesday notes.


Dave Bittner: [00:00:03] John Bolton is out as U.S. national security adviser. A new back door is attributed to Stealth Falcon. Wikipedia's DDoS attack remains under investigation. So does a business email compromise at Toyota Boshoku and a raid on the Oklahoma Law Enforcement Retirement services. Vulnerable web radios get patched. The U.S. is said to have exfiltrated a human asset from Russia in 2017. And Microsoft patches 79 vulnerabilities, 17 of them rated critical. 

Dave Bittner: [00:00:38]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today, and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at 

Dave Bittner: [00:02:17]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 10, 2019. Some news broke today out of Washington concerning senior administration personnel. NBC News, The Washington Post and other outlets report today that President Trump has asked for and received the resignation of National Security Adviser John Bolton. As the president tweeted, he found himself in disagreement with many of Mr. Bolton's suggestions, as did others in the administration. He thanked Mr. Bolton for his service and accepted his resignation. The president intends to appoint a successor this week. 

Dave Bittner: [00:02:56]  ESET says it's associated a hitherto overlooked back door with Stealth Falcon. The previously unreported binary back door, ESET calls Win32/StealthFalcon. Stealth Falcon itself has been conducted by the University of Toronto's Citizen Lab with the distribution of spyware against a range of Middle Eastern targets. Citizen Lab reported that Stealth Falcon had been engaged in surveillance of journalistic and diplomatic targets of interest to the United Arab Emirates. ESET doesn't say this directly, but the campaign is regarded as being probably a United Arab Emirates operation linked to Project Raven, which Reuters described earlier this year. ESET does quote Amnesty International to the effect that Stealth Falcon is the same threat actor as Project Raven. 

Dave Bittner: [00:03:46]  The distributed denial of service attack that struck Wikipedia over the weekend remains under investigation. But BleepingComputer reports some speculation that the incident was the result of a botnet testing round. The story is still developing, and investigation continues. BleepingComputer also noted that the U.K.'s National Cyber Security Centre, the NCSC, recommends dusting off DDoS protection advice it's offered for some time. Here are the five essential practices NCSC thinks any organization would benefit from. 

Dave Bittner: [00:04:18]  First, understand your service. This means recognizing the places in your service where your resources could quickly become overloaded or exhausted, and determine who's responsible for maintaining service at each of those crucial points. Second, look to upstream defenses. Make sure your service providers are ready to deal with resource exhaustion where they're distinctly well-placed to help. Third, look to scaling. That is, ensure you're equipped to deal with surges in demand. Fourth - and this is good advice in any aspect of cybersecurity - have a response plan. You should design your service and plan your response to an attack so that the service can continue to operate, albeit in a degraded fashion. Finally, test and monitor your services. Exercise your response plan, and be sure you're in a position to recognize when you've come under a denial of service attack. 

Dave Bittner: [00:05:13]  Toyota Boshoku, a parts unit of Toyota Group, continues to investigate a business email compromise scam in a European subsidiary that may have cost the company 4 billion yen, which comes to approximately $37 million. According to Infosecurity Magazine, the incident occurred on August 14. And if it followed the usual business email compromise template, the theft depended on social engineering. 

Dave Bittner: [00:05:39]  Another case of apparent theft enabled by social engineering appeared in the Western Hemisphere. A pension fund for retired Oklahoma state highway patrol officers was also the victim of a raid that seems traceable to a compromised employee email account. In this case, the Oklahoma Law Enforcement Retirement System said that roughly $4.2 million were looted on August 26. Fifth Domain reports that the fund said the theft came after an employee's email account was hacked. The FBI is investigating, and the state and the fund are being tight-lipped about the matter while the investigation proceeds. They do say that they've succeeded in recovering some $477,000 of stolen funds. Oklahoma is confident that they'll recover the rest of the money too, but how they'll manage that remains to be seen. 

Dave Bittner: [00:06:30]  In a disclosure coordinated with manufacturer Telestar-Digital, Vulnerability Lab reports that Dabman and Imperial web radios were vulnerable to exploitation through an undocumented Telnet service on the standard port 23. Telestar has fixed the vulnerabilities. 

Dave Bittner: [00:06:48]  One of the many force multipliers the internet has enabled is crowdsourcing. Whether you're raising money for a nonprofit, funding a fancy new bit of electronics or making sure your favorite podcast keeps their doors open, the ability to gather a wide range of people for a common cause is a powerful tool. Ashish Gupta is CEO of Bugcrowd, where they've built their business crowdsourcing vulnerability testing. Full disclosure - Bugcrowd is a CyberWire sponsor, but this interview was booked through our usual journalistic procedures. 

Ashish Gupta: [00:07:19]  The whole idea was, how can you democratize things for anybody to research on different assets and any company to make crowdsourced cybersecurity part of their layered security model? And to that end, we've seen a continuous increase in the use of crowdsourced cybersecurity. In fact, in 2019 we saw as much as 50% more public programs that are being run by customers to ensure that they've built a stronger security posture because they're seeing the value that our research has provided them in terms of vulnerabilities that they can find before they're used by a adversarial actor and fix those vulnerabilities in time. 

Dave Bittner: [00:08:02]  Before folks came to crowdsourcing these sorts of efforts, what would have been some of the barriers or roadblocks or even speed bumps that got in the way of this sort of collaboration? 

Ashish Gupta: [00:08:14]  The first thing that used to be a challenge was, how do you find the right resource that can provide you with that feedback? The second one was getting over the initial fear of what? - you're going to allow a hacker to come into my environment? But educating folks that they are the white hat hackers who are ethical in nature and want to make the digitally connected world safer was a really good thing in the last few years, and we hear much less of that. And then the third one was now that I've found this, how do I fix this? And how do I teach my engineering team to build more secure code? 

Ashish Gupta: [00:08:51]  You know, I myself started off as an engineer. I learned how to do C++ programming and, yes, I do admit it, I do know COBOL and Fortran. And to that end, you know, we knew how to build code and get product out to market, but making it secure was something we learnt on the job. And having that capability also is super important. And this is the reason we do partnerships with folks like Secure Code Warrior to ensure that our engineers - our customers' engineers - are informed on how to build secure code as well. 

Dave Bittner: [00:09:24]  What is the transition like for organizations? When they decide to make a shift and start implementing these sorts of open source opportunities, what does that look like for them? 

Ashish Gupta: [00:09:36]  Yes, you know, the thing is that the whole world has been using pen testing for quite some time, so they're used to the fact that they can bring people in to deliver specific reports that will show what kind of vulnerabilities might be in the environment or what kind of compliance they're meeting or not meeting. And to that end, just making it more easy to have an assessment that brings a larger number of eyes to the attack surface has enabled us to provide as much as 10 to 11 times the number of high-risk vulnerabilities to customers that have already gone through pen tests. 

Ashish Gupta: [00:10:17]  The decision really comes down for them is, how do they build a layered security model and how does everything else that they're doing, which they should continue to do - whether it's a firewall or endpoint protection system or even have internal teams - can be complemented very well with a crowdsourced security model? Because you can have a specific program developed for a specific application with very targeted resources that are going to deliver the kinds of vulnerabilities that you don't get from typical scanners and other things. 

Dave Bittner: [00:10:52]  Are there any common misperceptions that you run across where people think that they may run into some issues with this? 

Ashish Gupta: [00:11:00]  Yeah, you know, it used to be the case where folks would be worried about, quote, unquote, "a hacker" because they defined a hacker the same, whether it was a black hat hacker or a white hat hacker. We have seen that misconception go away, increasingly, not that it's completely gone. The second misconception I would say is how do you focus in on the right way of launching a program? And what do you want to get out of the program? And we've done a lot to help customers understand that it's pretty important to pay that assurance debt down, you know, get all the low-hanging fruit addressed before you go out and build a public program, as I was talking about. 

Ashish Gupta: [00:11:43]  That has been very successful for customers because it addresses both misconceptions I just talked about. Here, they get more comfortable with the feedback that they're receiving from researchers. They're also able to provide researchers with the feedback that's needed because it's a smaller group of folks and that allows for researcher help with the program and, to that end, also get vulnerabilities and make the programs that much more successful. It's a whole idea of increasing the price of attack by bad actors while reducing the benefits from these attacks for those bad actors. 

Ashish Gupta: [00:12:18]  So I'll just give you an example. The very same issue and vulnerability that was part of the problem that delivered the Equifax challenge for Equifax, our researchers found almost four months earlier for a Fortune 500 financial services organization. And the financial services organization, when they were provided the fully triaged report from us and our platform - prioritized that obviously very high - were able to fix that many, many months before Equifax was hit by that same problem, saving a ton of reputational and financial risk. 

Dave Bittner: [00:12:54]  That's Ashish Gupta. He is the CEO at Bugcrowd. 

Dave Bittner: [00:12:59]  The Washington Post reports that in 2017, the U.S. exfiltrated an asset - a source, an agent - from Russia. The asset had provided the U.S. with information about 2016 Russian election hacking by Fancy Bear and Cozy Bear. The U.S. intelligence community became concerned for the safety of the asset after the previous administration released a report detailing Russian cyber operations directed against the U.S. election and after the current administration shared certain sensitive information in high-level meetings with Russian officials. Russian sources have confirmed that an official - a relatively low-level one in Moscow's account - who worked for the Russian president has been in parts unknown since sometime that year. The Post says it's believed the asset and his family were pulled out of Europe, and thus, out of harm's way during a vacation in Montenegro. 

Dave Bittner: [00:13:53]  Today is Patch Tuesday, and updates have appeared. Microsoft has released two advisories and addressed 79 vulnerabilities. Seventeen of those vulnerabilities are classified as critical. And so, as Bleeping Computer reports, Windows admins have a busy week ahead of them. 

Dave Bittner: [00:14:12]  Finally, a note on the naming conventions applied to the state-directed threat actor menagerie - falcons tend to be Emirati. Bears, of course, are almost invariably Russian, whereas pandas are Chinese. Pandas, of course, aren't true bears, but rather, relatives of raccoons. So don't be confused on this point. Kittens, kitties and domestic cats reside around Tehran. North Korea is sometimes associated with cobras. These conventions aren't followed everywhere by everyone, of course. Other snaky metaphors have been used for Russian actors, for instance, like ouroboros, the snake that swallows its own tail. Not every North Korean group gets an animal name, and not every Chinese group is an actor. The animals don't always go with the big four threat actors who display inveterate opposition to the Five Eyes. Lebanon's services, for example, have been associated with caracals and India's with elephants. 

Dave Bittner: [00:15:09]  The Five Eyes themselves don't seem to get animal names, which seems a pity. It would be nice to greet someone in a Cheltenham pub crawl with a, yo, Regal Lion, say hello to Naughty Unicorn, or to holler in a Maryland bar, hey, the drinks are on Thumping Buffalo and Screaming Eagle. The other three eyes have obvious animals, too - dingoes, beavers, loons, kangaroos, kiwis, penguins and so on. So researchers, get naming. 

Dave Bittner: [00:15:44]  And now, a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at That's And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:16:40]  And joining me once again is Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he also leads their managed threat services intelligence team. Michael, it's great to have you back. I wanted to touch base with you about what your team is tracking when it comes to these increased tensions we've been seeing globally with Iran and also with Russia. 

Michael Sechrist: [00:17:00]  The past decade and more has shown us that geopolitical tensions spill over into cybersecurity landscape. And organizations need to take stock not just of kind of tactical indicators and things that they're seeing within their security operation centers, but also this wider context of what potentially is happening and where your kind of operations are in different countries and across the world so that you can better prepare for what's next in terms of the fight that might be existing on a nation-state to nation-state level. 

Dave Bittner: [00:17:31]  And how do you advise your clients on how they can set their expectations and best prepare for what may come? 

Michael Sechrist: [00:17:39]  What we try to do is to build in an intel life cycle here that pulls in the tactical, as well as the strategic. So that is monitoring for kind of early warning indicators in the geopolitical landscape that have had spillover effect in the past and ones that we think - we might not have precedent for but what we would expect to see. Obviously, when we're seeing kind of potential for sort of kinetic conflict taking place, then we also kind of have our antenna up for - the cybersecurity conflict in this space is going to grow as well. And that means that then we're tracking closely any sort of actor group that has been associated with the countries being pulled into the fray before and how those actor groups have certain tactics, techniques and procedures that we want to alert our clients on that have also kind of potential to be pulled into some - such sort of cyber conflict - to prepare for, to look for and to protect against. 

Dave Bittner: [00:18:36]  And I think it brings up this notion of data integrity because I believe the Iranians are known for sending out wipers. 

Michael Sechrist: [00:18:44]  That's correct. I mean, so - you know, destructive malware is, you know, something we've seen implemented in a lot of different cases. You know, it has linkages, potentially, to certain nation-states in some cases. We don't expect that to go away. We expect that to be potential tool that's used in certain times of conflict. It is a very serious tool. I think that those who engage and use it and know what they're trying to do know the serious ramifications of that. 

Michael Sechrist: [00:19:08]  There was a kind of breakthrough moment recently in sort of the geopolitical to cybersecurity transitional landscape, so to speak, where, you know, the Israelis, you know, confirmed that they conducted a kinetic operation to take out a facility in Palestinian territories that was potentially linked conducting cyber operations against the state of Israel. And so that is a - you know, having sort of that cybersecurity attack to kinetic measure option on the table now - having that sort of as an example - bit of a watershed moment in the industry. And it's pretty recent, as of a couple of months. So we're not sure how that could potentially spill over to other countries, but it's something we're certainly tracking closely. 

Dave Bittner: [00:19:50]  All right. Well, Michael Sechrist, as always, thanks for joining us. And that's the CyberWire. 

Dave Bittner: [00:19:59]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:10]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.