The CyberWire Daily Podcast 10.17.19
Ep 951 | 10.17.19

Cozy Bear never really left. Iran denies it suffered a US cyberattack. Malicious WAV files. Darknet dragnet hauls in child exploitation ring. Graboid infests Docker hosts.


Dave Bittner: [00:00:03] Cozy Bear isn't back. Cozy Bear never really left at all. Iran says the Americans are dreaming. There was no cyberattack in retaliation for Iran's implausibly deniable missile strikes on Saudi oilfields last month. Malicious audio files are dropping cryptominers and reverse shells into victim systems. An international dragnet collars hundreds in a dark net child exploitation sweep. And Graboid is out there worming its cryptojacker into susceptible Docker hosts. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at That's And we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:01:46]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 17, 2019. 

Dave Bittner: [00:02:16]  Cozy Bear, Fancy's quieter cousin, is back or, as ESET puts it in a study released this morning, Cozy Bear never left. Operation Ghost was discreetly successful in penetrating and collecting against a number of European diplomatic targets, including at least one country's Washington embassy. Cozy Bear, which ESET calls the Dukes and others APT29, is probably a unit of Russia's SVR foreign intelligence service. Although the FSB is also sometimes associated with the group, both the SVR and the FSB are institutional descendants of the old Soviet KGB. Operation Ghost was characterized by patient determination and careful use of steganography. Cozy Bear came to widespread attention when its tracks were detected in the U.S. Democratic National Committee during 2016. Fancy Bear noisily blew the gaff for both groups. Had Fancy Bear not stomped through with nary a concession to quiet decorum, Cozy Bear might have rested quietly undisturbed and alertly observant in the political party's networks for many more months. 

Dave Bittner: [00:03:24] There's been nothing new on that U.S. cyberattack against Iranian propaganda capabilities since two U.S. officials talked to Reuters about it on background. But Iran's minister of communications and information technology did tell the Fars News Service that, as far as Iran could tell, nothing happened. Quote, "the Americans must have dreamed it" - end quote. The security firm BlackBerry Cylance has discovered malicious code that evades detection by hiding in .wav audio files. The payload is often an XMRig Monero CPU miner. The other payload commonly dropped is a Metasploit code that establishes a reverse shell. BlackBerry Cylance researchers found both payloads in the same environment, which suggests to them that the hoods responsible are running a two-pronged campaign to deploy malware for financial gain and establish remote access within the victim network. Hiding in a .wav file seems to have been effective in moving the malware undetected through defenses, which is one reason why this episode is being widely understood as a variation on the steganographic obfuscation more commonly associated with image files. 

Dave Bittner: [00:04:32]  Managing an organization's public key infrastructure can be one of those necessary but unglamorous security-related jobs. And as time goes on, the complexity surrounding it can spin out of control. Chris Hickman is chief security officer at Keyfactor. And he offers these insights on PKI. 

Chris Hickman: [00:04:50]  Public key infrastructure is a set of policies, procedures, highly skilled and trained individuals, people that come together to implement a set of technologies designed to secure assets within the organization and identify those assets and people in a way around a shared key set, which is a public key and a private key. So the concept being that your keys uniquely identify you or your device. You have one that remains private at all time, and then you have one that you can send out, if you will, to identify yourself to other people. And there's a relationship between the public and private key that allows you to have a very secure connection or very secure identity or very secure authentication, digital signature or encryption. 

Dave Bittner: [00:05:41]  And so what are the benefits that come with that? And what are some of the challenges associated with it as well? 

Chris Hickman: [00:05:47]  So the benefit is it's standardized. It's universally used across platforms and devices. It's a technology that's been around for a fair bit of time, going back into - you know, commercially available since the late '90s, early 2000s. So it's proven technology. And while the standards have progressed and - or cryptography has changed, you know, PKI is one of those technologies that's kept up with those changes so that it's as secure today in the way it's implemented today as it was back then. The challenges, however, is it's a set of unique requirements. And as I said, it's not just technology. It's a combination of policies and procedures, training people and then implementing technology in a way over top of that that allows you to have the confidence within the organization that what you implement on day one is as secure every day there forward. There is uniqueness in the way PKI works. 

Chris Hickman: [00:06:44] Great example - there is specialized hardware, like hardware security modules. There are servers that need to be offline. And all of those things sort of culminate into organizations often getting in over their heads. We see organizations struggle with implementing software and technologies that have a lifecycle beyond, you know, a couple of years. So a good example is when you implement a PKI, you're establishing a cryptographic root of trust across the organization that can be valid up to 20, 25 years. That requires a tremendous amount of thought and planning. As we often see in organizations, people come and go and their roles change. The knowledge that they have about how to run the specific PKI within an organization tends to go with them. People end up making decisions to support the business' requirement for uptime and the business' requirement for, you know, issuing certificates for this new business or line of business or this new application and so on and so forth. And they end up making decisions that compromise or reduce the overall level of trust. 

Dave Bittner: [00:07:51]  So what are your recommendations, then, for folks who want to get on top of this, who want to take a smart approach to it? What do you suggest they do? 

Chris Hickman: [00:07:59]  So we see a lot of organizations struggling to take what they've already got, which is a PKI, all too often that was built for a very specific purpose in an application. Somebody said, hey, we need cert. Let's click next a few times and build a PKI and that becomes the de facto standard in the organization. And over time, people just sort of say, hey, I need a cert for this. I need a cert for that. And it sort of becomes the enterprise PKI. More often than not, we find customers then struggling to do things like scale - right? - where they have an application now where they need a cert on every single device to do, you know, secure management, let's say, of that device as an example. And they can't scale to the tens of thousands or hundreds of thousands of certificates that are required. And they don't think about the management. 

Chris Hickman: [00:08:52]  All too often, people are looking at certificates of how do I get them to that device, not how do I manage them when they're on that device? So we recommend to people, first of all, that they take a little bit of a step back, and they take a look at, OK, what has happened historically? Where am I at? What confidence do I have, if I have an existing PKI, in that PKI? How do I feel that it is still secure from the day that I built it? And how does that translate into my current needs and requirements? And then what do my future requirements look like, and how confident am I that I have the ability to service them? Then once that I have serviced them, how am I going to manage that to make sure that all the decisions that I make don't lead to me degradating the overall security of the system? 

Chris Hickman: [00:09:36]  At that point in time, we often find that customers make a decision either to basically start over. And when we say start over - not necessarily repeat the same mistakes but to look for a better way to add cryptoasset into their environment or the benefit of it while reducing the risk in the overall resourcing associated with that. They'll often make a decision to say, OK, you know what? We're going to need to issue certs. We don't know how to run a PKI. Let's look for some help to do this. And that's very often where we have a conversation with them about the ways that they can be successful with the technology, have the policies and procedures, get their people trained up but not have to take the day-to-day care and feeding into account and freeing up those resources to do other things in the organization. 

Dave Bittner: [00:10:21]  That's Chris Hickman from Keyfactor. 

Dave Bittner: [00:10:25]  Paige Thompson, the accused Capital One hacker, will be tried this coming March. Prosecutors have opposed moving the defendant out of custody to a halfway house because the amount of evidence they've acquired - between 20 and 30 terabytes of data - are so daunting that they make the defendant a flight risk. 

Dave Bittner: [00:10:43]  An international dragnet took down hundreds of people who posted and consumed child pornography on the darknet. The law enforcement action extended to 38 countries, the U.S. Department of Justice said in an announcement yesterday, and resulted in the arrest of 338 people. The ringleader was one Jong Woo Son, proprietor of an apparently loathsome site known as Welcome To Video. The site was a moneymaking operation where users could purchase material using bitcoin. The bitcoin sales were the site's undoing. U.S. Internal Revenue Service Criminal Investigation special agents tracked the bitcoin transactions, which enabled them to locate the relevant darknet server, identify the website's administrator and track them physically to South Korea, where Jong Woo Son resides. He faces a U.S. federal indictment, but he's already doing time in a South Korean prison for his activities. Washington may get to take a crack at him but only after Seoul is done with the guy. 

Dave Bittner: [00:11:42]  The IRS takes the occasion to point out that altcoin doesn't amount to some kind of cloak of invisibility. As IRS Criminal Investigation Chief Don Fort put it, quote, "regardless of the illicit scheme and whether the proceeds are virtual or tangible, we will coordinate to work with our federal and international partners to track down these disgusting organizations and bring them to justice," end quote. And Justice Department officials observe that the darknet isn't some inaccessible refuge for outlaws. Law enforcement can reach them there, too. It's an ugly story all around. Two suspects committed suicide before their search warrants were executed. And there were children being actively exploited. The Justice Department said the law enforcement action resulted in the rescue of at least 23 minor victims residing in the United States, Spain and the United Kingdom. So congratulations to the authorities on the rescue, and may the children find peace and healing. 

Dave Bittner: [00:12:40]  After all of this nastiness, we return with relief to more ordinary crime that, in contrast, can seem almost wholesome. Security firm Palo Alto Networks yesterday described the Graboid worm, a cryptojacker that infests unsecured Docker hosts. The researchers came across about 2,000 such unsecured hosts in the course of their study. Palo Alto sniffs that Graboid may be capable of short bursts of speed but overall is relatively inept. Unsurprisingly, Graboid exploits improperly configured hosts. So please look to your Docker configurations, friends. A cultural note - the name Graboid is a well-chosen homage to the horror classic "Tremors," an underappreciated bit of cinema that our film desk gives two thumbs way, way up and would give even more if they had additional thumbs. That's what the desk says, anyway. The giant worms in "Tremors" were normally pretty torpid, but seismic vibrations would spur them into a brief frenzy of activity. We salute Palo Alto Networks for cultural literacy and good taste in movies. 

Dave Bittner: [00:13:50]  And now a word from our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms," everything you need to know about security, orchestration, automation and response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at That's And we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:15:04]  And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. I noticed that you all have teamed up with Splunk to develop some interesting learning opportunities for the ICS community. You're going to be contributing to something called Boss of the SOC at Splunk's upcoming conference coming up here soon in Las Vegas. 

Robert M. Lee: [00:15:27]  A lot of respect and love for the Splunk team. Over the years, I think they've done a really good job not only creating a good product and similar, but they've always been good about engaging the community. And when I think of things that I like about Dragos and our own company, it's got that community-driven approach. One of the things that Splunk did was create this Boss of the SOC, or BOTS, and it's essentially taking a data set related to attacks and things that are taking place and almost creating, like, a CTF out of it. Very similar I think in theory to, you know, very - kudos to Ed Skoudis and the SANS team and what they did with NetWars - but taking kind of that capture the flag kind of feel to a defensive challenge and bringing it out to the Splunk audience and people around the world. I think they trained people in a variety of countries last year doing this all over the year. 

Robert M. Lee: [00:16:17]  And so they approached me and basically said, hey, we'd love to help educate people about ICS, like, this industrial control systems stuff, our industrial world. I don't think a lot of people have gotten a lot of access to those data sets. Can we partner up on it? I said, absolutely. So there's kind of two phases here. The first is we had them come into our office in Maryland, and we have a variety of real industrial ranges using industrial equipment from our partners and others. And what I would define as real is the fact that there's actual physical process. It's not just systems and virtual machines, but it's real equipment, real gear. One of the ranges we have is a beer brewery for science and analytics purposes, of course. 

Dave Bittner: [00:17:01]  How convenient. 

Robert M. Lee: [00:17:03]  We produce a wide variety of beer at Dragos, like TCP IPA and Little Bobby Bock (ph). 

Dave Bittner: [00:17:08]  Nice. 

Robert M. Lee: [00:17:09]  And so we wanted to let them play around in that environment. We did some attacks against it, and they were able to gather off data. And so phase one is to bring that ICS data set to that Splunk audience. Now, we're also a Splunk partner where our technology, the Dragos platform, has an app or a connection into the Splunk system so that the alerts and things that we see in industrial networks can connect up so the folks in the enterprise SOC can see it as well. And so phase two is the BOTS participants will be able to get the view of that Splunk app. 

Robert M. Lee: [00:17:46]  So all the data will be run through the Dragos platform. And that way there's context and insight and actual environmental context there for them. So it's not just random protocols and data, but, oh, it's a - you know, here's a DNP3 or IEC 104 or whatever protocol, you know, running to a specific piece of equipment. Now they can understand all that. So phase one - overload them with data, get the feet wet in an ICS. Phase two - put the Dragos platform in there as well so they can get the additional context and really just start exposing people to more of this industrial world and the challenges we face. 

Dave Bittner: [00:18:20]  And is that really the take-home here, that through that exposure, perhaps spark an interest in people? 

Robert M. Lee: [00:18:27]  Absolutely. I think when we look at this, there's obviously the value to Dragos of, like, marketing, and there's the value of hopefully showing people the value of our product. But I - we don't really spend a lot of time on that stuff. We probably should. I think marketing and sales definitely has a place, but what I prefer to do is take more of an educational approach and just show people what they should be doing. And if we're the right answer for them, then great. So what we like to get involved on is more of the education stuff. Even if you're not going to be a customer, I want you to know about industrial systems. Even if you don't work at a site that is industrial, you should have an understanding about how your world operates. 

Robert M. Lee: [00:19:05]  One of the things that I love about the security community and the security practice is we have a lot of creative and insightful and curious people that are lifelong learners. And so to give them a whole new thing they've never been exposed to before is a really unique and exciting opportunity that I hope will bring people into the industrial community. And hopefully we'll see more, you know, transplants over into our field and get more people excited about our industrial world. 

Dave Bittner: [00:19:33]  All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:19:41]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:53]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.