The CyberWire Daily Podcast 12.12.19
Ep 988 | 12.12.19

False flags and attack kit hijacking. Maze ransomware in Pensacola. China’s own OS. Crypto Wars update. TrickBot phishing. And Krampus spoils Christmas.


Bennett Moe: [00:00:03] Flying false flags and borrowing someone else's attack tools as the mast you run them up. The Pensacola cyberattack has been identified as involving Maze ransomware. China moves towards building its own autarkic operating system. U.S. Senate Judiciary Committee hearings take an anti-encryption turn. TrickBot is phishing with payroll phishbait. And Krampus malware is punishing iPhone users as they shop during the holidays. 

Dave Bittner: [00:00:34]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at and click on Sixth Annual Cybersecurity Conference for Executives. Learn about the dos and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at, click on the Sixth Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Bennett Moe: [00:01:43]  From the CyberWire studios at DataTribe, sitting in for Dave Bittner, I'm Bennett Moe with your CyberWire summary for Thursday, December 12, 2019. 

Bennett Moe: [00:01:53]  Attribution is difficult enough under the best of conditions, and it becomes even more challenging when the pirates, the privateers and the nation-states' virtual men of war fly false flags. So much attribution depends on an accumulation of circumstantial evidence that, for example, code reuse or employment of a certain command-and-control server might easily lead one astray. One example of false flagging is the use by Russian security and intelligence agencies of Iranian cyberattack tools and infrastructure. Recorded Future has been watching how that has played out, and this morning published an update on what it's calling "Operation Gamework," a report on how that hijacking has proceeded. 

Bennett Moe: [00:02:31]  Three Iranian threat actors have had their operation kit co-opted by a group Recorded Future's Insikt Group tracks as BlueAlpha. The first two Iranian operators are APT33, also known as Elfin, and APT35 - or, if you prefer, Charming Kitten - both of which are directed by the Iranian Revolutionary Guard Corps. The third is a group tracked as MUDDYWATER, whose right place in the organizational charts is less clear, but which by general consensus is held to be working for Tehran. Recorded Future has seen convincing signs that BlueAlpha's activities show considerable overlap with the Gamaredon Group, which itself has been tied to attacks against Ukrainian targets and which the Ukrainian security service has linked to Russia's FSB, that country's federal security service. 

Bennett Moe: [00:03:16]  Recorded Future's conclusion is that BlueAlpha is itself an FSB operation, and that it succeeded in getting its hands on MUDDYWATER, Elfin and Charming Kitten, probably without Tehran's cooperation and possibly without Tehran's knowledge. Why would FSB bother with this? For several reasons. They've apparently already compromised Iran's operators with implants into their tools and infrastructure, which makes Iran's APTs both available and accessible. They're also convenient. Tehran has taken considerable trouble to direct successful cyber operations against its principal regional rival, Saudi Arabia. And Russia is interested in the Saudis as well. 

Bennett Moe: [00:03:54]  And finally, of course, using someone else's kit makes it easier to fly a false flag. One of the famous Russian threat groups that's been associated with the FSB is, of course, Cozy Bear, famous as the outfit that first made inroads into the networks of U.S. political parties during the last presidential election cycle. 

Bennett Moe: [00:04:12]  The Florida Department of Law Enforcement has sent out a notification that the cyberattack the city of Pensacola sustained on December 7 was, in fact, a ransomware attack. Ars Technica says that the ransomware was a variant of Maze, a strain that came to prominence earlier this year in attacks against Italian targets. It was apparently a broad-targeted phishing attack that led to the infection. 

Bennett Moe: [00:04:33]  The criminals prospect a large number of email addresses with spam. When they get beaconed that someone has clicked the link, they see if the organization the clicker belongs to is likely to be, first, deep-pocketed, and second, poorly prepared. If the answer to both is yes, then the attack proceeds in a more focused and determined way. It seems, by the way, that early speculation about the possible connection with the terrorist murders at the Pensacola Naval Air Station and the cyberattack was unfounded, that the shootings and the cyberattack occurred within hours of one another appears to be mere coincidence. 

Bennett Moe: [00:05:06]  There's been a lot of discussion lately about cloud security, so Dave Bittner spoke with Dean Sysman, CEO and co-founder of Axonius, about the challenges of securing S3 buckets. Here's Dean. 

Dean Sysman: [00:05:17]  So it all starts from when we moved from the on-premise or the high-parameter type of security to the cloud and the no-perimeter type of security. There are two major shifts that are causing the change in security that we're seeing as applied to S3 buckets. One is that the environment can be accessed from anywhere, right? So somebody can go online and access the cloud environment, even in unauthenticated manner from a Starbucks Wi-Fi. And the second aspect is that the environment is extremely dynamic. 

Dean Sysman: [00:05:50]  So most of the time, it's not even people who create the asset. It's code that's written by developers or architects or whatever it is. So when we think about the storage aspect, which is what is S3 is of Amazon cloud - or this is true for everything - if you look at the security team, their ability to keep track of which storage buckets and which access points their organization has becomes extremely difficult because it's no longer able to do it manually. So what ends up happening is there are a lot of just publicly open storage buckets, and these are just, you know, lists of files that anybody can access online. And nobody figured out that these should not have publicly accessible access. 

Dave Bittner: [00:06:37]  And so what's the solution here? How do we face this one? 

Dean Sysman: [00:06:40]  Like all things, it all starts with understanding what you have. We're in a very dynamic environment. The first step is to say, if not - we're automating the provisioning of this environment or we're automating the access of it, we should be also automating the visibility and monitoring of it. There should be some form of tool or some form of automation that constantly keep track of which S3 buckets we're utilizing, which ones are being created, which ones are being accessed and then apply the correct security policy to it. 

Dave Bittner: [00:07:12]  Now, when these buckets end up being exposed, what typically has happened? Is it an initial configuration flaw? Is it that something's changed along the way? 

Dean Sysman: [00:07:22]  It could be a number of things. And I don't have the statistics, but I'd say one of the most common ones is just that nobody is just keeping track of it. It's a miscommunication between the people who are setting these up, who usually just care about, you know, achieving some form of task in their jobs, and security, who are unaware of the fact that somebody spun up all these storage options and they just don't know that it's happened. By default, usually the access becomes public, and then nobody's aware of the fact that there could be a lot of confidential information in there. And what usually ends up - is there are a lot of both hackers and just other bodies who scan, you know, the range of the S3 buckets and start looking for information that could be confidential or shouldn't be publicly accessible. And very quickly, they find these leaks, and breaches end up happening. 

Dave Bittner: [00:08:15]  So what are your recommendations for folks to stay on top of this? How do they come at it? 

Dean Sysman: [00:08:21]  Yes, I would say if you have a very build-focused team, as in you'd rather build your own tools or build your own monitoring, you have to automate the process of monitoring and maybe even approving the creation of S3 buckets. I mean, there are a lot of online guides on how to do that using the AWS console. But if you're more of buy mentality or you just - you decided this is a problem you don't want to focus your time and resources on, then there are a lot of tools out there that just help you cover and understand what your assets are in the cloud, S3 buckets among them. And I wouldn't want to mention any specific ones, but obviously that would be the best way to just make sure that you're constantly monitoring and this doesn't happen. 

Dean Sysman: [00:09:04]  One of the things that we don't cover enough in the media when we talk about these things is how hard the jobs have become on the - you know, the people who are trying to defend us, right? And I'll explain what I mean, is that it's very sexy to say, OK, this breach happened. This is a disaster, right? Like, the negative emotions coming from this publication is very strong. But one of the things we're not talking about enough is how organizations have moved very quickly to embrace technology while not realizing the cost associated with making it safe. 

Dean Sysman: [00:09:36]  And the best analogy that I have is, if you would have taken a Ferrari and used, you know, the brakes from a Chevy or, like, you know, a 15-year-old car, nobody will want to drive the car, right? Because it's so powerful and the engine is so strong, you have to have the brakes that fit the speed of that car. And same goes for cybersecurity. Organizations are utilizing more and more technology in order to become more effective and more successful. But they don't understand the implications of how much investment you have to make in the security side of it to account for those advancements. 

Bennett Moe: [00:10:09]  That's Dean Sysman from Axonius. 

Bennett Moe: [00:10:12]  China's approach to internet sovereignty proceeds. Computing reports that Tianjin Kylin Information, or TKI, and China's Standard Software, also known as CSS, have formed a joint venture to produce a domestic operating system. The two companies are making their own contribution to Beijing's push towards information autarky. 

Bennett Moe: [00:10:31]  Forbes summarized yesterday's hearing in the Senate Judiciary Committee and sees the U.S. Senate sympathies shifting towards the Justice Department's restrictive position on encryption. Quote, "It ain't complicated for me," Senator Lindsey Graham, Republican of South Carolina and chair of the committee, told representatives of Facebook and Apple, who were in attendance. He explained, quote, "You're going to find a way to do this, or we're going to do it for you," unquote. That's probably more huffing and puffing than it is firm legislative agenda, but it does suggest some movement against permitting companies to use strong end-to-end encryption in their products. 

Bennett Moe: [00:11:05]  Finding a way around strong encryption has been a matter of interest to the U.S. Justice Department since the previous administration, at least, where former FBI Director Comey was the public face of a push towards ordered liberty - that is, for giving investigators means of reading private encrypted traffic when circumstances warranted it. To be sure, Justice has always argued that such an ability would be hedged about with appropriate oversight and safeguards consistent with constitutionally guaranteed rights. That's the liberty part in the ordered liberty. But the other side in the cryptowars hasn't found that entirely reassuring. It may have become less reassuring after the report of the Justice Department's inspector general on the slipshod execution and oversight found in the FBI's crossfire hurricane investigation into possible Russian influence in the 2016 Trump campaign. 

Bennett Moe: [00:11:51]  But Justice may have found its persuasive heavy artillery in child protection. For a long time, the biggest gun in advocacy is rhetorical battery. It's hard to close your ears to the guns when they're barking on behalf of the children. And in fact, we're hearing a similar preparatory bombardment from across the Atlantic, where the home secretary is laying down a child safety barrage in Westminster's debates over encryption. TrickBot, even after it's apparently been hired by Pyongyang's hacker masters, has continued its phishy ways. IBM reminds us that payroll-themed spam is spreading to malware. Be skeptical and think before you click. Not everything that looks like payroll is really payroll. Sure, we all want to be paid, but don't let greed and fear overwhelm good judgment. 

Bennett Moe: [00:12:33]  And finally, the media trust has found a malicious campaign they're calling Krampus-3PC named after the scary anti-St. Nicholas of Central European folklore who visits households not with gifts and good cheer, but with punishment for misbehaving children. Krampus uses a redundant redirection mechanism to more effectively collect personal information. The campaign targets iPhone users, and whether they've been naughty or nice doesn't matter to this Krampus as long as they've been out shopping. Krampus operates mostly from compromised news sites, and its immediate bait is a pop-up coupon for discounts at a retailer. Click and it's got you - maybe your credit card, probably your phone number and probably your geolocation, too. And again, if you must shop, then shop you must, but think before you click. 

Dave Bittner: [00:13:23]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Bennett Moe: [00:14:24]  Dave also spoke with our newest CyberWire partner, Tom Etheridge, VP of services at CrowdStrike. 

Dave Bittner: [00:14:30]  I wanted to start out by just spending a little time to get to know you a little bit, introduce you to our audience. Can you take us through what your professional journey has been like, how you got your start, and what led you to where you are today? 

Tom Etheridge: [00:14:43]  Certainly. Thanks, Dave. It's a pleasure to be here. My background is that I've spent probably the better part of 20 years working building services organizations for security software companies. I'm a 3 1/2-year veteran here at CrowdStrike. Prior to that, I've built services organizations for security technology companies such as ArcSight, Imperva, Netegrity. And really, my focus has been around building scalable, impactful, customer-focused services organizations that help clients uplift their existing capabilities around cybersecurity and protection of their critical assets. 

Tom Etheridge: [00:15:28]  Started my career in consulting, actually. Prior to joining Netegrity back in early 2000 time frame, I worked for about seven or eight years at KPMG, cutting my teeth, working primarily in the government - federal government and DOD space, providing all different types of consulting services to clients. And at that time, the security market space was really focused around network security, perimeter defense. As I started to evaluate opportunities to look at moving into that space, a lot of technology companies were building more robust technologies and capabilities to help clients secure their overall critical infrastructure. And that's when I decided to move into that market space, which was really in its infancy back then. 

Dave Bittner: [00:16:16]  So what is your day to day like these days at CrowdStrike? 

Tom Etheridge: [00:16:20]  So we are a very busy company, and I run a very busy services organization. Our primary focus is providing incident response and forensic services to folks that have been victimized by some of these cyber incidents in the market. We also run more of a proactive advisory services practice as well that does everything from providing incident preparation and planning services, testing and technical assessment services to ensure organizations have the right tools and technologies and people and processes in place to improve their overall visibility, preparedness and ability to respond to breaches. We do a lot of work globally. I have a global responsibility. And the business that we're in is obviously growing, a growth business. We have a lot of - unfortunately, a lot of victim organizations that reach out to us and ask for support in helping these - helping them solve these really complicated problems. 

Dave Bittner: [00:17:22]  How would you describe your own leadership style, as you're heading up a team that has a global reach? How do you go about that? 

Tom Etheridge: [00:17:31]  Well, I'm a big believer in hiring the right people with the right skill set, but also the right motivations. We're a very mission-focused organization, and we embed that in our recruiting and our sourcing of talented people to come join our team. I'm also a firm believer in empowerment and enabling employees to bring their unique skills and experiences to the table. We try to operate in a very transparent and open environment and putting people in positions where they can be successful and help us scale and deliver successful engagements to our clients I think is part of what we eat, sleep and drink every single day. 

Dave Bittner: [00:18:14]  Well, Tom Etheridge, thanks so much for joining us here at the CyberWire. We're looking forward to chatting with you in the days to come. 

Bennett Moe: [00:18:25]  And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at Thanks to all of our sponsors for making the CyberWire possible. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Puru Prakash, Chris Russell, John Petrik, Jennifer Eiben, Dave Bittner, Peter Kilpe, and I'm Bennett Moe. Thanks for listening.