The CyberWire Daily Podcast 11.21.19
Ep 975 | 11.21.19

Refined Kitten paws at ICS. Debunking BlueKeep rumors. FBI warns Detroit of cyber threats. The UN’s long deliberation over cybercrime. Cryptowars. 5G security and a 5G czar. Ransomware updates.

Dave Bittner: [00:00:03] Refined Kitten seems to be up to something, perhaps in the control system world. Microsoft debunks claims about Teams, BlueKeep and Doppelpaymer ransomware. The FBI warns the auto industry that it's attracting attackers' attention. A new attack technique, RIPlace, is described; Phineas Fisher's bounty considered; the UN, the AG and the course of the crypto wars. Does America need a 5G czar? And ransomware all over Louisiana. 

Dave Bittner: [00:00:36]  And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 21, 2019. Microsoft describes how Iran's APT33, also known as Elfin or Refined Kitten, is engaged in attacks against industrial control systems, WIRED says. Microsoft is presenting their findings today at the CYBERWARCON event in Arlington, Va. Essentially, Redmond believes it sees activity that suggests preliminary reconnaissance and battlespace preparation by Refined Kitten. Iran has mounted destructive attacks in the past, but the present activity suggests that, unlike Shamoon, which Iran turned loose on Saudi Aramco networks in 2012, this one may be directed against industrial controls as opposed to IT systems. 

Dave Bittner: [00:02:42]  Microsoft also rebutted claims that Microsoft Teams served as the vector for the Doppelpaymer ransomware infestation suffered earlier this month by some Spanish companies, ZDNet reports. Redmond has also quashed rumors that the ransomware is being spread via the BlueKeep vulnerability. 

Dave Bittner: [00:03:01]  CNN has obtained a warning the FBI has quietly circulated within the auto industry, warning that the U.S. automobile sector is at heightened risk of cyberattack. The bureau's warning didn't say who the bad actors were, and it painted the threat with a fairly broad brush, noting that there was the possibility of data breaches, persistence on company networks and, of course, ransomware. May Detroit look to its defenses. 

Dave Bittner: [00:03:27]  Nyotron today published the results of research into ransomware that covers a newly discovered Windows file system attack technique that allows attackers to encrypt files in a way that escapes detection by most anti-ransomware products. They call the technique RIPlace but spelled so that the first three letters in capitals are R-I-P. And they've also released a free tool that allows users to check their Windows systems for susceptibility to the attack. 

Dave Bittner: [00:03:55]  Bugcrowd's CTO makes a glum prediction about Phineas Fisher's $100,000 offer for anti-corporate hacktivist work. He believes it will have some takers. The purse is certainly large enough, and some will be motivated to go for it. That it was funded by stealing from bank accounts won't bother the bounty hunters much. 

Dave Bittner: [00:04:16]  Firewall and security firm SonicWall recently published their third-quarter threat data report outlining some of the information they're gathering from their own sensors around the world. Bill Connor is president and CEO at SonicWall. 

Bill Connor: [00:04:30]  I think the first observation is malware's down overall, but it's really gotten more nefarious, as I said. It's more targeted. And let's just pick one of the big categories - is ransomware. Ransomware itself worldwide went down 5% through the first nine months of this year. In the U.S., it went down 24%. Germany - almost 80%. U.K., it went up over 200%. Now, it's interesting, because while it's down, you know, over 20% in the U.S., as you can tell, it's gotten more targeted, going after banks and municipalities, hospitals. 

Bill Connor: [00:05:14]  So what's happening is you see a lot of country, states and you see a lot of actors that are now taking (ph) ransomware. And when ransomware started maybe five years ago, it was a couple of thousand dollars or $10,000 that they were looking to get. Now, it's hundreds of thousands of dollars, if not millions, and that is the nature of what's changed. They're going after higher, more focused targets with bigger liabilities associated with it. 

Dave Bittner: [00:05:42]  Do you suspect that the attackers are growing more sophisticated? Is there an increase in their level of professionalism? 

Bill Connor: [00:05:50]  Yeah, that's 100% accurate, David. What's happening is, because it's a bigger target with more money at stake, they've gotten more sophisticated tools. And now you can go on the dark web and have ransomware as a service, literally 24-by-7. They - you go buy it for, you know, under a hundred bucks, and you can then target that however you would like and at whom you would ever like. And so it's really gotten more dangerous in terms of that, and that's why the overall numbers are a little bit misleading in terms of it. 

Dave Bittner: [00:06:29]  Was there anything in this round of the report that you found particularly unexpected or surprising? 

Bill Connor: [00:06:35]  Well, I think there's several things that we've not talked about. One that I think your listeners need to pay attention to is IoT. Everybody this holiday season, thinking, with Thanksgiving and Christmas coming up, a lot of gift gadgets going into homes - new phones, be it listening devices, you know, the Siris and all the other different listening devices people are putting in their home. And the problem with that - and cameras, all those pieces - you need to have - be security and privacy aware. I think, next year, you'll see in 2020 increasingly those vehicles targeted. So if you put it on your network, make sure you enable the security of that capability, either with your home firewall or the encryption or protect it so others just can't come in and work on your Wi-Fi and have access to your devices - goes with TVs, as well. 

Bill Connor: [00:07:31]  Really take this season - because as we say in the report, IoT is up 33% just in Q3 of this year. And it is one of the fastest-growing areas, and the attack surface is incredibly large. Don't think of it as, just now, IoT in the office with your thermometers and office systems. Think of it now as a home target relative to that. 

Dave Bittner: [00:07:56]  For many of us, our families kind of rely on us to help recommend those high-tech products for the home, and maybe it's also incumbent on us to help provide or ensure that when those things are purchased and installed, they're secure. 

Bill Connor: [00:08:14]  I think that's the key leave-behind, David. You know, when you have kids - I don't know if you've got kids. But when they were younger, you used to get the toys, and the big thing was, remember to get the batteries, right? 

Dave Bittner: [00:08:25]  (Laughter). 

Bill Connor: [00:08:26]  Now, the big thing is, hey, when you turn it on, when you plug it in, when you put the app in, let's make sure the right security and privacy settings are set up. And just go back and double check your router and your Wi-Fi in your home to make sure you've got that encrypted so others just can't drive by and jump in there. 

Dave Bittner: [00:08:45]  That's Bill Connor from SonicWall. They recently launched their third-quarter threat data report. 

Dave Bittner: [00:08:53]  The United Nations General Assembly will take its final vote on the Russian-led proposal to establish a working group to develop international norms that would aid in the suppression of cybercrime, Computing reports. Thirty-six human rights groups signed a letter opposing the measure. The U.S. and most EU member states also object, seeing nothing in the proposed norms that would do much to reduce cybercrime - a great deal of which, some sourly observe, originates in Russia - but that would do a lot to justify national control of internet traffic. But such throttling of civil society is probably, from the point of view occupied by Russia and its co-sponsors - which include China, North Korea, Cuba, Nicaragua, Venezuela and Syria - a feature and not a bug. 

Dave Bittner: [00:09:39]  In the light of this push in the U.N. and of calls for a balance between privacy and security, end-to-end encryption seems likely to be the next bullseye on the back of Big Tech, who may find themselves cast in the unlikely or at least recently unfamiliar role of paladins of civil liberties, according to The New York Times. Have encryption, will travel. 

Dave Bittner: [00:10:00]  Many of the recent moves in the ongoing crypto wars, particularly in the West, have been cast as moves designed to protect children from exploitation. So U.S. Attorney General Barr has called for a technical means that would enable law enforcement to find, track and bag child abusers, and who could be opposed to that? Only child abusers, right? Well, sure, but the objection is that undermining encryption weakens not only privacy but security itself. And so those on the other side of the crypto wars, like the American Enterprise Institute, aren't buying it, not entirely, as much as they'd like to hold predators accountable, too. Even the kids benefit from strong encryption. 

Dave Bittner: [00:10:41]  Five U.S. senators have written Amazon to request an explanation of the data handling and security practices of its smart doorbell subsidiary, Ring. There are privacy dimensions to their inquiry, but the letter's focus is on national security. The senators are particularly interested in Ring's potential for exploitation by foreign intelligence services, and they express particular interest in the access to Ring data Amazon may have given the Ukrainian development teams it employs. 

Dave Bittner: [00:11:11]  Some U.S. senators are arguing that 5G is a matter of such vital national importance that there ought to be a federal 5G czar, The Washington Post reports. It's presented as a kind of anticipatory Sputnik moment. You don't want the Chinese to get ahead of you here, do you, Washington? Absent such federal direction, the several states will no doubt continue to evolve their own regulatory regimes. Among the first to do so is California. The Golden State's Internet of Things Security Law was signed in September and goes into effect in January. It's unclear how the law will be interpreted in the courts. Much will turn on how they unpack the requirement that connected devices have reasonable security, Help Net Security points out. The bill does prohibit private parties from suing under the law. That would be reserved to the California attorney general, key attorneys, county councils and district attorneys. 

Dave Bittner: [00:12:08]  The state of Louisiana continues to recover from the ransomware attack it sustained Monday. Officials had hoped to have the Office of Motor Vehicles in particular back online by noon yesterday, but the recovery is proving more protracted than they believed it would be. OMV's website is back up but not yet accepting transactions. The state hopes to have the OMV offices up and running sometime today. The Louisiana Office of Technology Services appears to be following a deliberate plan as it brings state agencies back online. Criticality determines priority; thus emergency services and payroll have been addressed first with other functional areas to follow. 

Dave Bittner: [00:12:47]  Ransomware, of course, is not just a Louisiana problem. Their cousins across the Atlantic have recently taken a big ransomware hit. Le Monde reports that Rouen University Hospital-Charles Nicolle was attacked with ransomware on November 18 and is still working toward recovery. One of the largest medical centers in northern France, Rouen CHU has 2,500 beds and employs some 10,000 personnel. About 6,000 of the hospital's computers are infested and offline. The attack is serious and particularly dangerous. 

Dave Bittner: [00:13:20]  Recent studies in the U.S. by Vanderbilt University and others suggest that there's a significant correlation between attacks on hospital networks and patient mortality rates, particularly deaths due to cardiac problems. May the patients in Rouen be safe, and may the authorities collar those responsible for the attack. 

Dave Bittner: [00:13:43]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today, and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's, and we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:14:45]  And I'm pleased to be joined once again by Michael Sechrist. He's chief technologist at Booz Allen Hamilton. He leads their Managed Threat Services intelligence team. Michael, it's always great to have you back. I wanted to touch today on third-party malware risks and some of the ways that you recommend to mitigate those. What can you share with us? 

Michael Sechrist: [00:15:03]  Sure. Thanks again for having me back. So one of the significant concerns as well that we're seeing is how to prevent against third-party or critical suppliers that might provide access or have some sort of capability back into a command-and-control function or a malware. There's plenty to do in order to protect and defend against that type of attack or that type of risk overall for an enterprise. A couple ideas and ways that we do that here is to focus the enterprise on profiling the connections that go back to the vendors so that we have sort of an idea of what base line and what good and normal look like and then able to profile against that as to what anomalous activity would be something you'd want to investigate further. 

Michael Sechrist: [00:15:52]  We do this also by evaluating, you know, network traffic on our managed threat service side through full packet captures and other sort of passive out-of-band monitoring systems. But in order to get a handle on what good looks like and what bad looks like, we need to work closely with the enterprises and have that understanding with their vendors to know if this third-party is communicating in a potentially malicious or suspicious way. 

Dave Bittner: [00:16:19]  I suppose part of this is the communication beyond the networked communication that you have. In other words, if you all detect something going on, you know, a couple links down the chain, you need to be able to share that concern to everyone along that chain. 

Michael Sechrist: [00:16:36]  That's correct. Yeah. It's very important to kind of get that root cause analysis whenever you're dealing in a potential incident and to know kind of how that potentially malicious event or incident is, you know, their - kind of the chain of communications is occurring, the - just reliant on a potentially infected third party, or is it, you know, leveraging some other potentially infected website or device that's reliant somewhere else? You know, it's very important to get at root cause. 

Michael Sechrist: [00:17:05]  It's very difficult to do that when you're dealing with third parties, because, again, it's potentially dealing with an event that came and is infecting another potential company, right? So you're reliant on that information-sharing capability. And having that - kind of that free-flow set up and not just something that's potentially, you know, a one-off communication, but some back-and-forth with your critical suppliers or your third parties that you leverage is very important to establish upfront. 

Dave Bittner: [00:17:32]  Yeah, I suppose it's important that this whole process be collaborative and so that it doesn't fall into some mode of being adversarial. 

Michael Sechrist: [00:17:41]  Yeah, very important to not create a fear or a threatening, you know, base model for information sharing but as something that's proactive that can also be transparent to other parties so that they can investigate and kind of validate findings. That's very important to establishing sort of veracity in what you're saying to not only those that might be internal at your company but to others that know that there was an incident and want to best protect themselves from that happening to them. 

Dave Bittner: [00:18:14]  How do you balance sharing the information that needs to be shared with these sorts of things, versus protecting your company's interest - your secrets, your methods and so forth? 

Michael Sechrist: [00:18:26]  A good way to do that is - one, I think, is to establish an intelligence program that understands when to sanitize or scrub information that is potentially sensitive to a company and to have those processes and - you know, worked out prior to an event so that you're not scrambling to figure out, you know, what to release in times of a crisis but that you have sort of a standard operating procedure in place to just do that, you know, routinely. So you got to work out those - that kind of muscle memory early on. And that usually jumps from the form of not only an intelligence program but, you know, working through cyber exercises internally or with your partners in a group format and kind of building out best practices from what you derive from those exercises. 

Dave Bittner: [00:19:13]  All right. Well, Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:19:16]  Thanks so much. 

Dave Bittner: [00:19:21]  And that's the CyberWire. 

Dave Bittner: [00:19:23]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:34]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carol Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.