The CyberWire Daily Podcast 12.5.19
Ep 983 | 12.5.19

Data center ransomware. Third-party breach hits telco customers. Buran and Buer on the black market. The Great Canon opens fire. Russia trolls Lithuania. Big bad BEC.


Dave Bittner: [00:00:00] Hey, everybody, Dave here with some exciting news. We are pleased to announce our new subscription program, CyberWire Pro. It's launching early in 2020. For cybersecurity professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. You can learn more and sign up to get launch updates at That's Do check it out. Thanks. 

Dave Bittner: [00:00:34]  Data center operator CyrusOne sustains a ransomware attack. Another third-party breach involves a database inadvertently left exposed on an unprotected server. Buran ransomware finds its place in the black market, as does the new loader Buer. China's Great Cannon is back and firing DDoS all over Hong Kong. Russian trolls are newly active in Lithuania. And a business email compromise scam fleeces a Chinese venture capital firm of $1 million - enough for a nice seed round. 

Dave Bittner: [00:01:09]  And now a word from our sponsor, KnowBe4. Endpoint security, firewalls, VPNs, authentication systems - we've all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? Are they giving you a false sense of security? The unfortunate reality is that each of these security layers can provide hackers with a backdoor right into your organization, and KnowBe4 will show you how. They've got an exclusive webinar with Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer. He'll show you the three most common causes of data breaches, he'll share demos of significant vulnerabilities in common technologies, and he'll share his top tips for security defenders. Go to, and register for the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:02:09]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:31]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 5, 2019. The large U.S. data center company CyrusOne has sustained a significant ransomware attack. According to ZDNet, the ransomware strain involved is REvil, also known as Sodinokibi. CyrusOne, which owns and operates 45 data centers in the Americas, Europe and Asia, as of this afternoon, hadn't addressed the attack on its website. But some of its customers have advised their own customers in turn that they may experience some service disruptions. Sources tell ZDNet that CyrusOne is working with law enforcement and that it's quietly working with its customers to resolve problems with data availability. 

Dave Bittner: [00:03:17]  The exposed AWS S4 bucket that U.K.-based Fidus Security found earlier this week now has a known owner. TechCrunch traced it to Deardorff Communications, which apparently does some marketing work for Sprint. The database, found on an unprotected cloud server, contained just over 261,000 cellphone bills and other documents belonging to AT&T, Verizon and T-Mobile subscribers. It's thought that these were collected as part of a campaign to induce people to switch carriers. The information exposed in the incident included bank statements, subscribers' online usernames, passwords and account pins. Deardorff Communications told TechCrunch that they secured the database yesterday. 

Dave Bittner: [00:04:02]  McAfee offers some updates on the Buran family of ransomware it first described in May. Buran - that is blizzard - is widely traded in Russophone criminal markets where it's flacked as a stable, offline "cryptoclocker." That's their word, not ours. We think they probably meant cryptolocker. With flexible functionality and support 24/7, the RIG Exploit Kit is a common delivery mechanism. 

Dave Bittner: [00:04:29]  Elsewhere in the criminal-to-criminal market, Proofpoint is following Buer, which it describes as a new loader. Buer has been distributed through malvertising that redirects to the Fallout Exploit Kit. It's also being pushed by phishing, the payload carried in malicious Word document macros. The going price for Buer is $400. 

Dave Bittner: [00:04:50]  China's Great Cannon distributed denial-of-service tool is back in battery and firing against Hong Kong dissident organizers. AT&T's Alien Labs says that the Great Cannon, which had been relatively quiet for some months, has been turned against LIHKG, a service widely used by protesters. The tool injects malicious JavaScript into webpages behind the Great Firewall. These, in turn, hijack users' connections to make repeated request of the targeting site. LIHKG says that Cloudflare has been a help to it during this period of attack and also that it thinks it has reason to believe that what it calls a national level power is behind the attacks. There's little doubt that such power is being applied by Beijing, so that national level power would be China. The point is interdiction. The Chinese government, which has ratcheted up the level of kinetic violence it's prepared to use against the ongoing protests, wants to be sure that it's jammed the protesters' communications. 

Dave Bittner: [00:05:53]  Small cities and towns are finding themselves in the crosshairs lately, falling victim to ransomware attacks, phishing schemes and other online scams. They've also got their hands full preparing to secure upcoming elections. Sean O'Brien Brehm is chairman and CEO with @RISK Technologies. 

Sean O’Brien Brehm: [00:06:10]  I don't think anyone in the world would have guessed that someone in a polling county in Pueblo, Colo., would be directly assaulted from somebody from Moldova, Russia or East Timor, for that matter. So I think where we're at is people are doing the best they can with the resources and funding and knowledge that they have. 

Dave Bittner: [00:06:34]  And when you describe the spectrum of things that we're up against, I mean, what are the various types of attacks, and where are they coming from? 

Sean O’Brien Brehm: [00:06:41]  If you look at the attacks, they range from something very simple, which is, you know, 20 - 10 years ago, when you wanted to zip up a bunch of files, you right mouse clicked on it and you hit WinZip, and the files were zipped up. And then someone says, well, why don't I build some encryption that goes on top of that so I can then encrypt the files? And then someone else comes along, goes, wow, why don't I take that technology that was meant for good and turn it to evil? 

Sean O’Brien Brehm: [00:07:09]  So on one end, you've got a very simple attack, which is merely taking good technology and taking in the bad technology with ransomware. Then you have the more targeted environments where - well, I'll go ahead and build some kind of spyware I can - so I learn a little bit about you, and then I can more effectively orchestrate my attack. And then you have the really, really good guys who are going to do non-malware-based attacks using rootkits or great tradecraft and just being network traffic-based attacks. 

Sean O’Brien Brehm: [00:07:40]  So - and unfortunately, when it comes to elections, all of the above apply. Because when you think about it, if you really just want to create doubt in the election, just go ahead and do what I call, you know, kind of the sore losers of the internet. When you think about a lot of people that do ransomware, you may remember when we were kids and we played baseball on the lot or we played basketball or soccer or football. The guy who brought the ball sometimes doesn't like losing, so he takes his ball and go home, right? 

Dave Bittner: [00:08:10]  (Laughter). 

Sean O’Brien Brehm: [00:08:10]  That's really what a ransomware guy is, right? It's like he's really not going to be that good at maybe potentially hacking you. He bought a kit. So he's just going to take his ball, go home and ransom you. And when you think about a more advanced attack, those are going to be where I just slow the network down. But both of them get the same results, especially when you think about elections, right? 

Sean O’Brien Brehm: [00:08:30]  If I ransom something and shut it down so it doesn't have a - it doesn't work at all, I still degrade the American people's trust in the election process. If I slow it down such that people are waiting out in line as the poll lines and eventually, someone's got to come out there and say, the poll's lines are so long. I'm sorry, after this person, no one else can vote. Now you're getting into a really sophisticated attack that creates even more doubt than maybe, oh, well, this county was blue. So they were doing it on purpose to avoid red from voting. Or this county was red, and they were keeping blue from voting. 

Sean O’Brien Brehm: [00:09:05]  So despite whether it's a sophisticated attack that might create greater dispersion and doubt or a less-sophisticated attack that clearly was based upon ransomware, both are going to erode trust in the fundamental principles of democracy, which is their ability to vote. 

Dave Bittner: [00:09:22]  Now, the states and the cities or the towns and the counties that have to contend with this, in your estimation, are they outmatched, or do they have a chance at rising up to this challenge? 

Sean O’Brien Brehm: [00:09:35]  You know, having worked with people that work in a government, being a former guy that used to work in the government, especially, you know, a former military officer, you know, servant leaders are servant leaders, right? They're going to do the best they can with the tools they have. So when you think on a daily basis inside the DOD, that's instilled in the rugged individualism of being American. People will rise to the occasion. So I don't think it's a fact that the average, rugged individual won't go out there and try and get this done. I think the issue is what resources they have available to them. It's not so much that you've got this mismatch between this Herculean rock star hacker that's the best in the world. They're just going against people that are doing the best they can with probably not enough resources or knowledge on what they're up against. 

Dave Bittner: [00:10:19]  That's Sean O'Brien Brehm from @RISK Technologies. 

Dave Bittner: [00:10:24]  Britain's National Crime Authority announced today that a Russian gentleman, one Maksim Yakubets, has been indicted in the U.S. on charges related to his alleged involvement in two distinct international hacking and bank fraud capers that ran from May of 2009 through the present. The indictment came from a joint investigation by the NCA, Britain's National Cybersecurity Center, the NCSC and the U.S. FBI. Mr. Yakubets, a 32-year-old Muscovite, is alleged to be the proprietor of Evil Corp, which the NCA describes as the world's most harmful cybercrime gang, responsible for losses in the hundreds of millions of pounds in the United Kingdom alone. He is alleged to have employed dozens of henchmen and presumably henchwomen, too, who operate his gang from the romantic venue of Moscow cafe basements. 

Dave Bittner: [00:11:14]  So is Mr. Yakubets in custody? Alas, no. He's safely in Russia. But should he decide to vacation abroad, the U.S. will be ready with extradition paperwork and a proper escort stateside. If he's considering a holiday spot, we hear the Maldives are lovely this time of year and that either the Secret Service or the U.S. Marshals Service will happily arrange a junket through Guam for him. He should bring his friends, make it a company outing. They've worked hard. 

Dave Bittner: [00:11:43]  And finally, if you needed any more motivation to take the risk of business email compromise seriously  that's BEC, the scam technique in which someone spoofs a company bigwig's email address and tells the finance department, for example, to get their skates on and transfer a lot of cash, pronto, to some account they may or may not have heard of – look east, and then a little bit farther east. It happens everywhere. But in this case, security firm Check Point says the victim was an unnamed venture capital firm in China that thought it was dealing with an unnamed tech startup in Israel. 

Dave Bittner: [00:12:15]  It was dealing with that startup, but the scammers succeeded in interposing themselves into the communication. The crooks posed as employees of an Israeli startup interested in raising funds from the VCs. They used email addresses with a domain that was similar but not identical with the company's actual domain. They succeeded in getting the VCs to give them $1 million. The gaffe was blown when the real startup noticed that it hadn't received the investment it had negotiated. But by that time, it was too late. The money was gone, baby, gone. 

Dave Bittner: [00:12:52]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection in response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:13:50]  And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, it's great to have you back. I wanted to take a little trip down memory lane with you, and I want to start with a personal story of my own. My grandfather spent his entire professional career working in a steel mill - in the melt shop of a steel mill - started sweeping the floor at 17 and retired at 65 with his gold watch and spent his entire life in that same company. And I remember him telling me stories about how along the way, the technology changed when it came to making steel. Part of that was better chemistry, better testing. He said, you know, they shifted from knowing the steel was right by the color and the smell to actually being able to test things. 

Dave Bittner: [00:14:37]  And eventually, computers came on board, and that increased the quality of the steel, and it increased the safety of the plant. And I tell you that story to ask you this. Can you take us through - can you think of a good example to kind of give us some insight and some perspective as to how that has affected ICS, how that path has happened in ICS, and what are some of the implications of that process that we're living with today? 

Robert M. Lee: [00:15:03]  I mean, that was beautiful, man. I know you asked me for an example, but that was a much better example. 

Dave Bittner: [00:15:07]  (Laughter). 

Robert M. Lee: [00:15:09]  But I'm going to remind you. That's great. And you should be proud of that. I mean, that's wonderful to see kind of the evolution of that industry. 

Dave Bittner: [00:15:14]  Yeah. 

Robert M. Lee: [00:15:15]  And that's what we're seeing everywhere. We're seeing - you know, back in the day, if you will, before networking and IP-based technologies and ARPANET and DARPANET, we had control systems. And control systems were isolated systems - sometimes pneumatic, sometimes not - of just systems that were serving a purpose of taking an input and getting to an output. I mean, it's a physical kind of system. And then we saw connectivity, and we started seeing these environments that were never networked before starting to become networked. And the same way they might have had a power plant that was good at producing power, but now, you could network it so you could actually get information off the plant and make it a little bit more efficient, and to make it safer and more productive. 

Robert M. Lee: [00:16:02]  Then we saw site-to-site interconnectivity, and we started seeing even things like SCADA or supervisory control and data acquisition systems, basically the control systems that sit above control systems to be able to make multiple plants and multiple sites efficient and work together more effectively and safer and more productively. And then we're starting to see this advent of what some - the community, you know, some - our European partners would call, like, industry 4.0. 

Robert M. Lee: [00:16:31]  We're starting to see beyond site-to-site but even company-to-company and the immersion of the industrial world in every aspect of our lives and connected in where the operator - you know, their shift schedule is timed in with maintenance schedule, is timed and with recharging of maybe consoles or using - I could think of, like, Caterpillar. And they're doing some amazing work about, you know, hey, instead of having the same operator use the same backhoe every single day, why don't we rotate it around and let us know which ones are the right ones to take advantage of for their maintenance schedule? 

Robert M. Lee: [00:17:10]  And it's the interconnectivity of not only just plants now but every individual component and learning from the larger community. We're seeing cloud-based technologies be able to drive efficiencies and refining, which is saving so much money or allowing companies to generate so much more money that they could rebuild the facility every couple years, you know. I mean, it's just amazing. The downside of that, of course, is you're increasing connectivity to where systems have much more control and have more input, which means the ability to modify those systems from an adversarial-based approach exists in ways that it never did before at the same time that adversaries are learning industrial systems to not only go and exploit a system but learn the industrial operations and how to manipulate the physical process. 

Robert M. Lee: [00:17:58]  So you have a community that's doing the right thing. They're learning and evolving and building a better world. But just by the very nature of that, you're introducing opportunity for adversaries to go and disrupt that now-interconnected world. So the thing that I usually like to tell executives and others in this space is the security component of this is just a natural evolution of the fact that you're able to take more advantage of what you're doing and then take more advantage of the systems than you've ever had before. And it's a component just to deal with that risk and let that beautiful industrial automation and the value that it's bringing to safety and productivity be there and be present and get the full value out of it. 

Robert M. Lee: [00:18:43]  So it's been wonderful to watch the world evolve in this way. And I think it's - it can be easy to opine about, well, I want to go back to manual controls, or I want to go back to when it was different. And those days weren't better. It's just the things that we are doing are making a better world. We just need to be thoughtful in the way that we do it. 

Dave Bittner: [00:19:02]  You know, I think it strikes me also, thinking about some of the conversations I had with my grandfather towards the end of his life, that I think he had a little bit of frustration that the folks who were still in the plant who had that institutional knowledge who could go and knock on the door of the folks who were running the computers and say, hey, something doesn't smell right, like, it literally doesn't smell right - to make sure that you don't discount the opinions from those folks who are out there on the floor of the plant. 

Robert M. Lee: [00:19:35]  Well, I think that's well stated, and this goes to the topic of not only IT but IT security and operation security, whatever you want to call it. But the mission is still the mission. The mission hasn't changed. And the people closest to the mission are going have the best expertise, and that's generally the operators and engineers. And you want to codify that knowledge and scale that knowledge as our workforce changes, but you don't want to dismiss it. 

Robert M. Lee: [00:20:00]  One of the first things I tell any company that's going down the path of industrial security is to build the culture first. Like, take a box of donuts, a case of beer, go meet your operators and engineers. They're going to tell you more things than that system ever could. The human expertise of that operator or engineer is going to be better than the individual system. But the tradeoff is you can't scale that. You can't document every component of it. And so as we get more and more of a large industrial world, we need to scale knowledge. We need to document knowledge, but that does not mean dismissing the expertise we have because it's really just that expertise that we're trying to pull from. 

Dave Bittner: [00:20:40]  All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:20:48]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:21:00]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where their co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.