Axios Codebook

July 26, 2018
Welcome to Codebook, the cybersecurity newsletter that forgot to ask his mom what Leafminer means (see below). Sometimes she knows.
Tips? Please reply to this newsletter — your replies come straight to me.
1 big thing: Georgia GOP nominee's trail of cyber fights

Photo: Jessica McGowan/Getty
At a moment when the issue couldn't be more pressing, Georgia's Republicans have just chosen a candidate for governor who has a record of courting controversy on cybersecurity.
Georgia Secretary of State Brian Kemp's Tuesday primary victory was bolstered by an endorsement from President Trump — and follows a long history of sometimes bizarre incidents relating to both hacking and election protection.
The details: A month after the 2016 presidential election, Kemp incorrectly accused the Department of Homeland Security of trying to hack his agency's systems.
- What really happened: An employee at a Homeland Security-run Georgia law enforcement training facility checked to see if applicants for a security post had firearms licenses. He cut and pasted material from Georgia's website into Microsoft Office.
- That caused Microsoft Office to send Georgia's web servers a benign request for general technical information, known as an "HTTP OPTIONS" request. Georgia's firewall interpreted it as a "medium severity" attempt to scan state systems.
Here's where it gets weird: On Dec. 6, 2016, Kemp sent the Department of Homeland Security a tough-talking letter calling this ordeal an "unsuccessful attempt to penetrate the Georgia Secretary of State's firewall."
It was a surreal accusation that DHS, a federal law enforcement and infrastructure protection agency, had broken the law by attempting to breach infrastructure.
- Kemp's claim led other states to claim they, too, had been attacked by the Department of Homeland Security. Sean Hannity asked Julian Assange what he'd heard about the attacks during a radio interview.
- DHS investigated, alerting Kemp that they and Microsoft could definitively show the "attacks" were actually the HTTP OPTIONS requests (none of the other states accusations played out, either).
- On December 13, Kemp wrote DHS refusing to accept the investigation without a full Microsoft report and, without giving DHS a chance to provide that report, wrote incoming President Trump and likely Trump administration members asking for their assistance in the investigation.
- A Microsoft report, dated Dec. 16, 2016 — obtained by Codebook via a public records request — confirmed DHS's account.
Kemp is currently the central defendant in a lawsuit over Georgia's refusal to use election machines that leave an auditable paper trail.
- While there are no perfect security solutions, paper ballots can be audited to make sure voting totals have not been tampered with.
- Georgia's longtime election partner contracted to maintain election machinery, Kennesaw State University, deleted servers full of evidence in the case. Kennesaw is no longer a state vendor, according to the Secretary of State's office.
- Kemp oversaw the state's work with Kennesaw State, which also fueled headlines after a security researcher found vulnerabilities in its networks in 2016. Kennesaw is no longer a state vendor, according to the Secretary of State's office.
Before the 2016 election, Kemp was a loud voice in a debate over whether DHS and the Election Assistance Commission should provide help to states that ask for it.
- Like many other secretaries of state, he viewed any federal involvement as an incursion on states' constitutional authority to administer elections.
- Homeland Secretary Jeh Johnson would nonetheless increase DHS's voluntary offerings after the election by declaring elections critical infrastructure.
Codebook contacted the Kemp campaign for comment on this story, but did not receive a reply.
Editor's note: This story has been updated with information that Kennesaw State is no longer a vendor for Georgia.
2. "Leafminer" group targeting the Middle East
A newly discovered group, dubbed Leafminer by the researchers who found it, is targeting the Middle East, Symantec reports.
The details: Symantec linked several extremely varied attacks together after discovering a server full of hacking resources and targeting information.
- Leafminer is largely interested in Saudi Arabia, but has attacked other countries, including Kuwait, Lebanon and Israel.
- The vicims span a variety of sectors, with the most in government, energy and finance.
- The main method of attacks include affixing malware to popular websites ("watering hole attacks"), scanning networks for vulnerabilities, and brute-forcing credentials.
Leafminer has two custom malware tools in its arsenal but uses a lot of publicly available tools. It also relies on a number of publicly available prewritten code clippings, known as exploits, to avoid network secuirty.
Symantec found scanning information on 809 potential victims on the group's hacking resource server.
3. Outlaws attacking? Why, it's ERP!

Kansas delegate Todd Tiahrt dressed as Wyatt Earp at the 2012 Republican National Convention. Photo: Chris Maddaloni/CQ Roll Call via Getty Images
Enterprise Resource Planning (ERP) software, software that merges a wide variety of corporate data into a single database, is an increasingly popular target for hackers, according to a government warning from US-CERT. CERT is basing the new advisory on a report by Digital Shadows and Onapsis.
Why it matters: ERP software is foundational to how modern companies operate and puts a huge variety and volume of data into a single database. That provides a single archive for hackers to target and potentially gain access to all of a company's usable data.
4. Kronos banking malware resurfaces
A new version of the Kronos banking malware is targeting Germany, Japan, and Poland, according to a new report from Proofpoint. The update to the long-dormant malware is known as Osirus.
Why it matters: The return of Kronos is not as notable for the current attacks as for the malware's strange backstory. The United States is currently prosecuting Marcus Hutchens for originally authoring and selling the malware. Hutchens became a folk hero in security last year when he discovered a "kill switch" in the fast spreading "WannaCry" malware, allowing him to deactivate WannaCry before it spread to the United States.
5. So maybe I was approached by a spy
Julia Ioffe of GQ wrote a story about repeat experiences with an unusual Uber driver during her stay at the Aspen Security Forum last week. That Uber driver, who she calls "Gloria," asked questions about international security, revealed that she had once been part of a delegation to North Korea and knew details about Ioffe's personal life.
Ioffe speculated that, maybe, Gloria is a spy.
I also had Gloria as an Uber driver in Aspen. I just thought she was a little odd.
Notes on Gloria:
- She has a star rating over 4.8. If she is a spy, maybe she's in the wrong business.
- She asked me what I thought about the Kim regime, and high-fived me after I said his volatile behavior was probably a calculated strategy. It felt kind of dangerous for my Uber driver to high-five me in the back seat. I would not have given her more than 4 stars.
- Aspen doesn't have enough Uber or taxi drivers. It's not a surprise that everyone ended up with Gloria. It took me more than an hour one morning to get a driver from any service to get to the conference. Aspen needs more spies.
6. Odds and ends
- Security firm Tenable is going public today. (Tenable)
- Former Trump Homeland Security Adviser Tom Bossert believes "No one is minding the store" at the White House on cyberthreats (Yahoo News)
- Google is launching its own brand of USB cybersecurity key. (HelpNet)
- A software bug at LifeLock left customer email addresses visible, (Krebs)
- The blockchain makes it possible to incentivize someone to kill Betty White. (Motherboard)
- Facebook shares plummeted 20% on earnings news yesterday, in part due to its recent controversies. (Axios).
- Around half of government websites are prepared for upcoming email security rules. (Agari)
It turns out a leafminer is "the larva of an insect that lives in and eats the leaf tissue of plants." That's from Google, not my mom.
Codebook will return on Tuesday from New York.