The CyberWire Daily Podcast 7.27.20
Ep 1138 | 7.27.20

Vigilante action against Emotet. Third-party risks and data breaches. Cerberus is for sale. And WastedLocker ransomware and the fortunes of crime.


Dave Bittner: A vigilante appears to be interfering with Emotet's payloads. A fintech breach is blamed on a third-party service provider. A list of Cloudflare users is dumped online. There's a going-out-of-business sale over at the Cerberus cybergang. Malek Ben Salem from Accenture Labs on deepfake detection. Our own Rick Howard gathers the Hash Table to sort some SOCs. And Garmin, restoring its services after last week's attack, may have been the victim of Evil Corp's WastedLocker ransomware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 27, 2020. 

Dave Bittner: A vigilante is contesting control of the Emotet infrastructure with its criminal masters, ZDNet reports. About a quarter of all Emotet payloads are thought to be affected. The specific method of interference is replacement of the images that carry the malicious Emotet payload with harmless animated GIFs. Emotet, you will recall, had for some time been reckoned among the more dangerous strains of crimeware in circulation. Its botnet went silent in the first week of February but returned in its present form earlier this month. The vigilante's work was first observed last Tuesday. Who the vigilante might be is unknown, but speculation runs from it being an individual or crew from the security industry to independent white hats to a rival criminal gang trying to take market share from Emotet. 

Dave Bittner: Digital banking app-maker Dave, also a tech unicorn and no relation to this host of your podcast, yesterday confirmed that it had sustained a data breach that exposed more than 7 million users' data, ZDNet reports. The data lost include names, phone numbers, emails, birth dates and home addresses. Social Security numbers were also lost but were apparently encrypted, and passwords accessed in the breach are said to have been hashed. 

Dave Bittner: Dave attributes the compromise to a breach at Waydev, a third party which was once a service provider. The data have appeared on more than one hacking forum. The most prominent release was by the Shiny Hunters on Raid, where the data were posted without charge. For its part, Dave says that it's working with the FBI and that it's brought in CrowdStrike to help recover from the incident. 

Dave Bittner: Interfax reports that Ukraine's National Security and Defense Council reports that some 3 million Cloudflare users have been named and their IP addresses identified in a dark web dump. This story is still developing. 

Dave Bittner: Hard times in the world of crime, at least for the gang responsible for Cerberus. The Android banking Trojan is up for sale. BleepingComputer reports that security intelligence firm Hudson Rock found the for-sale signs malware-as-a-service racket is auctioning itself off for a reserve price of $50,000. If you'd prefer not to bid, then the whole shebang - customer list, installation guide and source code - can be yours for $100,000 cash on the virtual barrelhead. 

Dave Bittner: Why the sale? According to the post offering to sell Cerberus, it's a matter of time. The gang broke up and the maintainer can't sit on the site 24/7 to provide users the promised support. We hope Cerberus disappears, but it will probably be back under new management. 

Dave Bittner: Last week's attack on Garmin is now believed to have been WastedLocker ransomware, BleepingComputer says. The BBC reports that the extortionists demanded a $10 million ransom from Garmin. The company is continuing to restore its services. Aviation services were first back up last week, and service for wearables returned over the weekend, although some users are still complaining of problems. The company has been relatively tight-lipped concerning what it's characterized as an outage, but Garmin has reassured its customers that to the best of its knowledge, none of their data are at risk. 

Dave Bittner: The perpetrators are thought to be the Evil Corp Russian cybergang. Evil Corp was placed under U.S. sanctions in December of last year, and that complicates the risk calculation of any victim that might be considering paying the ransom. We note that there's been no suggestion we've seen that Garmin is interested in doing this. Paying Evil Corp would itself constitute a violation of U.S. sanctions and could expose any victim who paid to legal consequences. 

Dave Bittner: So what's up with Evil Corp? Here we turn to British tabloids and the American feds for enlightenment. Fleet Street, which glories in lurid tales of crime, has published some screamers over the weekend about Maksim Viktorovich Yakubets, generally regarded as Evil Corp's proprietor. Permit us to share some of them. 

Dave Bittner: The Daily Mail calls him a 33-year-old Russian playboy hacker who drives a customized $250,000 Lamborghini that sports vanity plates featuring the word vor - that is, thief. He shares the Russian underworld's odd predilection for making pets of exotic big cats - in his case, a pet tiger and lion cubs. The Mail cites as evidence of his immunity from molestation by Russian police Mr. Yakubets' selfie videos of doing doughnuts around cop cars in his tricked-out Lambo, which apparently don't even get him a traffic ticket. 

Dave Bittner: The Sun points out, complete with glamour shots and wedding photos, that Mr. Yakubets is married to the glamorous and well-connected Alyona Benderskaya, whose daddy is a senior retired officer in Russia's FSB, one of the KGB's successor agencies. Papa is said to have popped for a 250,000-euro wedding at a golf club, which the Sun reports on rather breathlessly as if all of this is a bad thing or something. Maybe there's something to that, since traditionally golf was regarded as a decadent Western sport over in Russia. But times change. And as for those 250,000 pounds spent on cake, DJ, hall-renting, catering, specially printed paper napkins and so on, well, come on. It was the bride's special day. Where's the love? 

Dave Bittner: But anywho, any of that high-octane social juice is said to explain in part why Mr. Yakubets enjoys the apparent immunity he does from arrest in Russia. A more significant piece of the explanation, at least as seen through Anglo-American eyes, is that Mr. Yakubets is in cahoots with the FSB. That is, his gang is among those the official Russian organs call upon for various services against those they wish to damage in cyberspace. That's what the U.S. Treasury Department said when they lowered the sanctions boom last December. 

Dave Bittner: So Mr. Yakubets is wanted by the U.S. FBI for conspiracy and conspiracy to commit fraud, also for wire fraud, bank fraud and for intentional damage to a computer. The bureau is offering up to $5 million for information leading to Mr. Yakubets' arrest and conviction. He and his associates remain at large, and they're expected to do so until they either wear their welcome out at home or decide to do something rash like vacation in Florida, which when we last checked had an extradition agreement in place with the United States. Still, trying to check in at the Disney World Four Seasons seems like a logical next step for one consumed by criminal hubris, or at least someone with a major urge to visit the happiest place on Earth. And whatever they may say, that ain't the Arbat. 

Dave Bittner: Rick Howard is the CyberWire's chief security officer. He is also our chief analyst. But more important than any of that, he is the host of the "CSO Perspectives" podcast over on CyberWire Pro. Rick, great to have you back. 

Rick Howard: Thank you, sir. It's great to be here. 

Dave Bittner: We are deep into Season 2 - I guess not too deep - Episode 2 of Season 2. And you are kicking off something you're calling your Hash Table interviews. What's going on here? 

Rick Howard: Yeah. We're bringing in a new element. We're calling it the Hash Table interviews. We talked about this last week, but I cajoled a bunch of my friends and thought leaders and just really smart people about coming on and talking about a specific topic. And this show will be the first time that we do that. And it turned out really well, all right? So I think you guys will all be pleased with the results. 

Dave Bittner: Yeah, yeah. I was able to listen to a preview, and it is compelling content. Take us through. What's some of the stuff you're covering this week? 

Rick Howard: Well, the thing I wanted to point out here is that, you know, we've been talking about what are the skill sets for, you know, just generally cybersecurity people, but specifically in this episode, what does a SOC analyst need? And for the last five or six years, CISOs have been talking about just table stakes these days as not really having a deep computer science background or some deep technical math background. A little bit helps, but what you really need is be able to learn on your own - OK? - and - 'cause I'm not going to solve your problem for you. I'm going to hand you this big dripping bag of problems and make - and expect you to figure it out. 

Dave Bittner: Right. 

Rick Howard: So - and so that's kind of been the general theme. But I was talking to Kevin Ford on the show. He's the CISO over at the state of North Dakota, which is a - just a fascinating job, and we could probably spend three hours talking about that. But he has a different take, or at least an additional take on this, right? But before I play the clip - OK? - just you have to know that Kevin cut his teeth as a young network defender at NASA, all right? That's a cool job. 

Dave Bittner: Yeah. 

Rick Howard: He was a master information assurance and security specialist. So he's kind of a space nerd, just like you and me. 

Dave Bittner: Yeah. 

Rick Howard: So here's the clip. 

Kevin Ford: You know, I'm looking for the astronauts. I'm looking for the people who won't buckle. And generally, those people are the people who are - will have a conversation with you and be very genuine. They won't be afraid to tell you they don't know something. They won't be afraid to tell you, hey, you know, I'll try to do this, but no guarantees. Because I want people I can trust, not a bunch of yes men and women when we're doing incident response. 

Kevin Ford: I want people who aren't afraid to fail. So that's something I really try hard to instill in the team is that, you know, don't be afraid to fail. We need to try things. And one of my metrics is hold-your-beer moments. So however many hold-my-beer moments we've had within the SOC in a week, I take more as good as long as things - you know, as long as smoke's not coming out of the machines and something's on fire, right? But if we've tried some pretty interesting things and failed, OK, well, at least we tried. And now we know. And we've learned lessons. You know, the more lessons you've learned by the time you have, you know, your big event or your big breach, the better off you're going to be. 

Dave Bittner: Wow. Interesting stuff. 

Rick Howard: I love both of those points, right? 

Dave Bittner: Yeah. 

Rick Howard: He's looking for people who will not buckle in a crisis, which is - you know, I guess I just always assumed that, but it's great to point it out, and also people willing to try - and I love this phrase he uses - hold-my-beer events - right? - inside the SOC. It kind of reminds me of - remember Samuel Jackson in "Jurassic Park"? 

Dave Bittner: Yeah. 

Rick Howard: They had to bring back the power to the whole thing. And he's - you know, they basically do a reboot of the system. And when he does it, he goes, hold onto your butts, OK? 

Dave Bittner: Yeah, yeah. 

Rick Howard: That's my hold-my-beer moment. 

Dave Bittner: (Laughter). All right. Well, we'll look forward to checking it out at "CSO Perspectives" over on CyberWire Pro. Do check it out. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the - America's (ph) security R&D lead at Accenture Labs. Malek, it's always great to have you back. I wanted to touch today on deepfakes. And, particularly, how do you go about detecting if someone has generated a deepfake? 

Malek Ben Salem: Hi, Dave. Yeah. As you know, deepfakes are becoming a real problem. You know, deepfakes, first, are known as these manipulations to image, sound or video content. They can be subtle, but, you know, they may have drastic consequences. And so Accenture wanted to look into this problem. 

Malek Ben Salem: There are a number of deepfake detection models that have been proposed that look at the, you know, the facial expressions and extract the subject's facial expressions from the frames in a video. And based on that, they're trying to predict whether the video is a deepfake or not. 

Malek Ben Salem: But there have been limitations to those models. They mostly rely on CNN, the convolutional neural networks, which show great ability in detecting the deepfakes when they trained with data. But their main limitation is that they cannot generalize, meaning that if you expose them to data that they have not seen before, to videos they have not seen before, they are unable to accurately predict whether the video at hand is a deepfake or not. 

Malek Ben Salem: So within my lab, what we wanted to look at is address this problem of lack of generalizability, or what we call overfitting, to the training data that was used to build the model. And in order to do so, we built some additional models that work hand-in-hand with the full-face CNN model to make this prediction. So you end up with an aggregate model - a primary model that is the full-face CNN and a secondary model that itself is made up of weaker models that look at certain features within the image or within the facial expression. So you may have a model looking at chin. You may have a model looking at, you know, blur in the image, et cetera. All of these secondary or weaker models are making their own predictions. Secondary model is evaluating all of them and making its own prediction. And then we aggregate that with the main, full-face CNN model to come up with a final prediction whether the video at hand has been deepfaked or not. 

Malek Ben Salem: And this approach, we think, will be much more robust, less vulnerable to overfitting, and we'll be able to predict deepfakes at a reasonable accuracy when it sees previously unforeseen data. 

Dave Bittner: So is the idea here that, you know, I could have a video clip; I could load it into the type of system that you're describing, and it would - I don't know - come back with a percentage number or something and say, with this amount of confidence, we think this either is or is not a deepfake? 

Malek Ben Salem: Exactly. And we'll come up with that likelihood assessment of whether this is a deepfake video or not. 

Dave Bittner: And is this, to a certain degree, a game of cat and mouse? I mean, as the deepfakes get better, and I suppose they would react to the type of things that you're developing here to try to stay one step ahead of you. 

Malek Ben Salem: This has been, yeah, a cat-and-mouse game, and it will continue to be so, as in anything in security, I suppose. So we'll just have to keep improving this technology as our adversaries keep improving theirs. 

Dave Bittner: Yeah, yeah. All right, well, interesting work, for sure. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.