The CyberWire Daily Podcast 1.31.20
Ep 1015 | 1.31.20

Winnti looks into Hong Kong universities. Dust begins to settle over UK and EU decisions on Huawei and 5G. Notes on crime. And the 2015 Ashley Madison hack is back.

Transcript

Dave Bittner: [00:00:04] The Winnti Group is interested in Hong Kong protesters. The UK, the US and the EU all look for a cooperative way forward into 5G. DDoS for hire hits an independent Serbian media outlet. Ransomware may have hit a US defense contractor. EvilCorp is back. The Sodinokibi ransomware gang is running an essay contest, and the 2015 Ashley Madison breach keeps on giving in the form of blackmail. 

Dave Bittner: [00:00:36]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire and subscribe for free threat intelligence updates, and we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:46]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:11]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 31, 2020. 

Dave Bittner: [00:02:19]  The Winnti Group, for some time associated with the Chinese government and previously best-known for financially motivated attacks and industrial espionage, has turned its attention to Hong Kong. Security firm ESET reports finding that Winnti is using its eponymous Trojan to drop the ShadowPad backdoor into machines at five Hong Kong universities. The apparent purpose of the extensive campaign is to collect intelligence on protests of the mainland's role in the city. 

Dave Bittner: [00:02:48]  ShadowPad has many modules well-adapted to collection. One of them, for example, is a key logger. The universities have been prominent in the protests over the now-withdrawn extradition law promulgated last year, and the security services have an obvious interest in keeping a close eye on them. ESET says it notified the universities of what its researchers found. 

Dave Bittner: [00:03:11]  The US has welcomed the EU's decision on 5G network security, seeing it as amounting to European acknowledgement of the unacceptable risks untrusted suppliers bring. US Secretary of State Pompeo said in a statement, quote, "we call on our European allies and partners to implement the EU recommendations by adopting strong, risk-based security measures that exclude high-risk suppliers from all parts of their 5G networks." 

Dave Bittner: [00:03:39]  The statement twice mentions what makes a supplier high-risk. They are companies based in third countries that lack democratic checks and balances, and the EU has recommended that such suppliers should face restrictions that others don't. The secretary of state also notes with gratification that the European Union's toolbox calls upon EU member states to exclude high-risk suppliers from critical and sensitive parts of their 5G networks, which includes the radio access network. 

Dave Bittner: [00:04:09]  How to use the tools in the EU's 5G security toolbox is up to the member states, but they'll at least have to report to the EU on what they're doing. German security officials have expressed unease over evidence the US has provided that supports the contention that Huawei is engaged in espionage. But Guillaume Poupard, who directs France's cybersecurity agency ANSSI, told Bloomberg that as far as he was concerned, he hadn't seen any smoking guns - maybe elsewhere, but not in Europe, he said. Still, French authorities have taken good care to keep Huawei away from Airbus headquarters in Toulouse. 

Dave Bittner: [00:04:47]  Italy's Industry Undersecretary Mirella Liuzzi said this week that Italy wouldn't prevent Huawei or ZTE from trying to play a role in Italy's 5G networks, that it wouldn't keep them from the doorstep but that they would exercise due caution. Britain's confidence in its ability to exercise its own version of due caution rests on the work of the Huawei Cybersecurity Evaluation Centre, the HCSEC, a 40-person unit in Banbury vetted by GCHQ that's charged with checking Huawei equipment for security issues before permitting it into the country's networks. 

Dave Bittner: [00:05:24]  The HCSEC has been in operation for almost six years. Its facility is a Huawei facility overseen by an NCSC-chaired board whose members are drawn from other elements of the British government. The vice chair is a Huawei executive appointed by the company. The oversight board reports annually. Its last report, rendered in March of 2019, found that the HCSEC was, for the most part, able to operate independently of Huawei, but some of its other conclusions were less encouraging, such as this final one. Quote, "overall, the oversight board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term," end quote. 

Dave Bittner: [00:06:10]  Computing reports that Secretary of State Pompeo is also confident the US and UK will reach a mutually satisfactory understanding over Huawei. The British policy announced this week will exclude Huawei from core elements of the 5G network, which would presumably include the critical networks the Huawei oversight board alluded to in its last annual report. It will also cap the company's participation in the remainder at 35%. 

Dave Bittner: [00:06:38]  The website of Serbian independent media outlet TV N1 has been disabled by distributed denial of service attacks this week, possibly DDoS for hire purchased from operators in China. The attacks come, says Balkan Insight, during a squabble with state-owned media over broadcast rights. But apart from some rumbling about a general hostility to independent media, observers fall short of accusing Serbian state media of putting out a hit on TV N1. 

Dave Bittner: [00:07:08]  Electronic Warfare Associates, or EWA, a Virginia-based US defense contractor, has been hit with a Ryuk ransomware attack, ZDNet reports. Four sites associated with the company are said to have been affected. EWA has so far offered no comment on the reports, ZDNet says, and the scope of the incident remains unclear. 

Dave Bittner: [00:07:30]  Bleeping Computer reports that Microsoft has seen a resurgence of the EvilCorp cyber gang phishing with malicious Excel files. 

Dave Bittner: [00:07:39]  Digital Shadows says that the Sodinokibi ransomware crew is offering a $15,000 prize for the best essay on a hacking topic. The researchers leave open the question of whether this represents a serious sharing of expertise or just threat actors showboating. Showboating or not, we can't recommend that you compete, friends. Best leave this one alone. 

Dave Bittner: [00:08:02]  And finally, while the guilty flee when no one pursues, we saw recently in the case of a completely bogus sextortion scam that had absolutely nothing on the victims, sometimes the guilty do indeed have pursuers. Remember Ashley Madison, the adultery facilitation site whose advertising slogan was and still may be - we wouldn't know because we don't hang out in those neighborhoods - life is short; have an affair? Well, they were breached back in 2015, and the effects of that breach are being felt anew. 

Dave Bittner: [00:08:35]  Researchers at Vade Security have found data stolen in the 2015 Ashley Madison breach resurfacing in highly specific blackmail attempts against former customers of the online networking service. The shakedown notes that Vade offers for your consideration are long. They're filled with hideous, all too human details on credit card transactions, interests the user checked when they signed up for Ashley Madison, even notes on the chemical male assistance products the user purchased. We're not sure either what chemical male assistance products are, such things not being our bag, but it doesn't sound like the kind of thing you'd like discussed around the water cooler at work. 

Dave Bittner: [00:09:15]  The blackmail is clever in that the ransom demand is contained in a password-protected .PDF attached to the email, the better to make it past filters. So the lesson here would seem to be that while life may indeed be short, illicit pleasures are far more fleeting. But shame and guilt can last a lifetime, unless, of course, you're shameless, in which case the blackmail won't matter much. 

Dave Bittner: [00:09:45]  And now a word from our sponsor, PlexTrac. PlexTrac is the purple teaming platform that enables red teams to report security issues and blue teams to remediate them through a single web-based interface. PlexTrac offers public-private cloud and on-premise deployment options. You can learn more and request a demo at plextrac.com/demo. That's plextrac.com/demo. And we thank PlexTrac for sponsoring our show. 

Dave Bittner: [00:10:24]  And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, it is great to have you back. I wanted to touch base today about some things that I know you all are tracking when it comes to account takeovers and this whole notion of access as a service. What can you share with us today? 

Emily Wilson: [00:10:42]  Sure - happy to be back. So one of the things that we're tracking here that we've been tracking for a while is the way that services are developing in criminal marketplaces. We're all familiar with account takeover. We know that credentials are being sold and marketed for fraudsters to then go take over accounts themselves. But there's something that's been developing over the last couple of years and over the past few months in particular that I'm thinking of as access as a service. 

Emily Wilson: [00:11:08]  So instead of having credentials to go take over an account yourself, for example, a vendor might offer what is essentially a value-added service - so saying, hey; what are you trying to do? Can I do that for you? Can I get you there with some additional benefits or resources that I have on my end so you can enjoy all of the fruits of the labor without taking on the risk yourself? 

Dave Bittner: [00:11:33]  Can you give me an example? 

Emily Wilson: [00:11:34]  So this is largely - currently, at least - around travel or hospitality brands. So you could think about transportation companies or perhaps hotels, for example. Say you want to stay at a hotel and you want to have all of the benefits of someone who's been staying at that hotel for 20 years and has the points and the tiered access and, you know, the platinum, diamond, you know, whatever-you-want-to-call-it tier of access. 

Dave Bittner: [00:12:01]  Right. 

Emily Wilson: [00:12:01]  This would give you an opportunity to book a stay with them or perhaps book some sort of travel using all of those benefits and points and tiered status without having to, for example, take over an account that has those. Someone else is going to take care of that for you. 

Dave Bittner: [00:12:18]  I would still be able to book it as myself, but then someone else would have a bank of stolen points or whatever those sorts of benefits are that they would apply to my stay, for example? 

Emily Wilson: [00:12:28]  That's one example. There are a few different ways it can manifest, depending on the vendor. But it could be that they're going to bump up your account for you, and maybe that they're going to book a stay using somebody else's legitimate points. You know, this gets into really interesting questions about the development of the insider threat model. Or is this a question of the malicious actor having ongoing access and is just trying to cause some havoc? It's a really interesting development. It's something that I'm planning on keeping an eye on. 

Dave Bittner: [00:12:56]  What does this say in terms of the maturation of the market here that these things are available as a service? 

Emily Wilson: [00:13:03]  One, I think it's interesting to see what sort of brands are appearing for these kinds of services, you know, what sort of brands that have points or status or, you know, loyalty rewards are then trickling over, are then generating demand in these criminal communities. We've seen it for a long time with things like beauty brands that have points, but then airlines and hotels are a natural next step. 

Emily Wilson: [00:13:29]  So then what comes after that, right? What - where is this going to go? And I think that's a really interesting angle. The other angle here is, what other areas are vendors going to take on additional risk to offer a value-added service to their fraud consumers? How does this fit into the maturation of the overall fraud economy and not just the account takeover or account access wing of fraud? I'm curious to see where this goes. 

Dave Bittner: [00:14:00]  Yeah. It's interesting how the - it seems like the barriers to entry continue to be lowered. 

Emily Wilson: [00:14:05]  To be lowered, I think, not only in the classic criminal communities as we might consider them, the ones that are on the dark web or in the deep web. But also, as we see this kind of - this fraud demand or this fraud marketing spill over into things like social media, how does that impact your buyer base? If you have previously had a buyer base that's primarily cybercriminals on cybercriminal forums who are of a type, who are used to engaging in this kind of activity, if you then take that and make it available to people who are in a Facebook group or perhaps are on Twitter, is somebody going to be interested in dipping their toe into some of these what may seem like victimless or sort of low-level frauds to say, yeah, I want access to stream that TV show? Who am I harming? 

Emily Wilson: [00:14:54]  You know, how does that begin to open up demand from a different part of the market? And are there people who are going to see this and say, yeah, you know, actually, if I can travel first class and I'm not going to get caught, which is a big question mark, maybe I'll try that. And so I think we have a lot to watch play out here. 

Dave Bittner: [00:15:14]  Yeah. All right. Well, Emily Wilson, thanks for joining us. 

Dave Bittner: [00:15:21]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single sign-on, password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization. Add an additional layer of security to every single login through multi-factor authentication. Securely authenticate into your work using biometrics such as fingerprint or face, deliver a passwordless login experience for your employees while securing every password in use through enterprise password management, and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:16:47]  My guest today is Michael Sutton. He's founder of StoneMill Ventures, a venture capital firm primarily focused on cybersecurity companies at the seed stage. Our conversation focuses on what kinds of things someone in his position likes to see and hear from prospective startups, as well as some of the pitfalls to avoid. 

Michael Sutton: [00:17:07]  I think it's a target-rich environment right now. There's a lot of money flowing in. Cyber remains hot. It's tough to rise above the noise. And there are a lot of startups out there, but there is money to be had. And good entrepreneurs can actually be selective and make sure that they find the right investors. 

Dave Bittner: [00:17:26]  But what sort of recommendations do you have for people to make the most of that time that they do have with you? 

Michael Sutton: [00:17:32]  Sure. I think it's important to, you know, by all means, like, talk to that entity upfront. You know, you could be pitching to a lot of different people. It could be an angel group. It could be a VC. It could be a family office. And they're all going to want to see things a different way. So understand, you know, hey, what is my timeframe? How many people am I speaking to? Who is going to be in the room? What is their background and expertise? And do your own background research. 

Michael Sutton: [00:18:02]  Like, I'd say one mistake that I often see when I'm pitched to, like, I have a technical background. You know, I've spent the majority of my career building security solutions. So don't spend three slides telling me why security is a problem. I fully understand that. Let's save that time and, you know, use it for something else. Whereas that - those three slides may be very important if you're going in to, say, a family office that doesn't necessarily have a deep background in security. So do your research. Understand who you're speaking to. And tailor your deck accordingly. You don't have to just have one deck. 

Dave Bittner: [00:18:34]  Do people get second chances? If I come in front of you and I'm not fully prepared or I make some mistakes, is it pretty much a one-and-done affair or are there opportunities to come back? 

Michael Sutton: [00:18:47]  Certainly for me, there is. Like most investors, I invest in a relatively small subset of what is originally pitched to me. But I generally don't say, you know, you're not the right guy for me, no need to talk further. That's not generally how it ends. It's me providing them with feedback to say, hey, this isn't right for me or it's not right for me at this time and here's why. And, you know, here's the things that would make me be interested. It is pretty common that I talk to people six months later, and sometimes I do have a different opinion at that point. 

Dave Bittner: [00:19:19]  But what sort of advice do you have for these folks who are hopeful in terms of the best things that they can do in their preparation? They're putting together their package for you. What are some of the top recommendations you have for them? 

Michael Sutton: [00:19:32]  Yeah. There's certainly a lot of stuff online in terms of draft or template pitch decks. So you want to spend some time looking at good pitch decks and talk to fellow entrepreneurs. You know, no doubt, especially in the security community, you're going to rub elbows with people who have been successful and have gone on to raise capital and build strong companies. And talk to them. Say hey, you know, how did you go through this process? You know, it's a friendly community. 

Michael Sutton: [00:20:02]  And don't be shy to reach out and talk to people and, you know, get feedback because yeah, that - and your pitch deck is not done. You should spend far more time than you realize narrowing it down. You don't want to beg. I mean, hey, if it's five slides and you're able to capture everything, fantastic. That's really hard to do. But if you can pull it off, you've probably put an awful lot of thought into it. But, yeah, look at what has succeeded. Get advice from other people. 

Dave Bittner: [00:20:30]  How much does someone's personality play into this? In other words, does it ever come to pass that someone comes in front of you with a - just an absolutely fantastic idea, but you just can't get past the fact that there's, you know, there's something about them that puts you, you know, ill at ease? 

Michael Sutton: [00:20:48]  Well, I'll answer that from two angles. Like, it absolutely is important that you develop some kind of rapport because back to the trust issue, like, this is somebody that I'm entrusting with my money. But also, like, for me, I like to be a very active investor. You know, I don't want to just make my investment walk away. I want to make sure that I'm always available to them, helping them out, whether that's as a board member, in an advisory capacity, or I'm just, you know, on their speed dial. 

Michael Sutton: [00:21:13]  So that, for me, is a really important part of the investment decision. This is somebody that I enjoy working with, and, you know, I just enjoy spending time with them. Some investors may not feel this strongly because they're not necessarily an active investor. But at the same time - and I think that this is true especially in the security community, where you have some very brilliant technical people that may not be great public speakers - maybe they're not the best at giving a pitch. But for me, I'm OK with that. You know, it's not, you know, I'm focused more on the content. 

Michael Sutton: [00:21:49]  And I'll probably, if they piqued my interest, I'll probably have to spend time with them after that pitch meeting to dig a little deeper and get, you know, some of the insights that maybe I would have normally wanted to get just directly from that pitch meeting. But I'm OK with that. You know, I don't think people should shy away from this just because giving a pitch in front of people isn't necessarily their thing. We're used to that. 

Dave Bittner: [00:22:13]  That was Michael Sutton from StoneMill Ventures. 

Dave Bittner: [00:22:21]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:22:27]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIt, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:22:39]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:22:47]  CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here next week.