The CyberWire Daily Podcast 8.18.16
Ep 166 | 8.18.16

Who is Boson Spider? Legit zero-days among Shadow Brokers' leaks.


Dave Bittner: [00:00:03:19] The Shadow Brokers seem to have legitimate files, even if they do sound like the Incredible Hulk. Some observers of the breach see Russian intelligence services, some see disgruntled insiders, and others see both. North Korea comes under fresh scrutiny with respect to SWIFT bank fraud. Cisco continues its pivot away from routers and switches and toward security. CrowdStrike talks about Boson Spider. And we have really nothing to say about Pokémon today.

Dave Bittner: [00:00:35:12] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance: artificial intelligence, real threat protection. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:32:01] I'm David Bittner, in Baltimore with your CyberWire summary for Thursday, August 18th, 2016.

Dave Bittner: [00:01:38:11] The Shadow Brokers case continues to play out in the news cycle. A bit later in this show we'll hear some thoughts on the matter from the University of Maryland's Ben Yelin, but to review the current bidding, no one appears willing to step up and pay the 1,000,000 Bitcoin, roughly $576,000,000, for whatever it is the Shadow Brokers are offering. This isn't surprising on at least four counts. First, the auction site has a dodgy look, with some very flaky payment terms and conditions. Second, the auction site has been rickrolled. Third, more than half a billion dollars is a lot of money, even for Wealthy Elite, the announced marketing demographic. And, fourth and most importantly, it seems unlikely that money is the real goal here.

Dave Bittner: [00:02:21:24] What the Shadow Brokers have released so far as a teaser is, most observers think, likely to be genuine NSA files. Much of the material is related to ways of subverting firewalls and other security products, and at least two security vendors, Cisco and Fortinet, have confirmed that zero-days referenced in the files are indeed genuine. Both companies have begun issuing patches. Analysts writing in Wired see this episode as showing the unwisdom of hoarding as opposed to disclosing zero-days, even in the small numbers NSA is believed to stockpile them. A study by Columbia University, whose results were released earlier this month, credibly suggested that the scale on which NSA collected undisclosed zero-days was far smaller than many had long suspected.

Dave Bittner: [00:03:07:05] Edward Snowden, commenting online from his Moscow place of retirement, and actually sounding a bit sympathetic to NSA, thinks it unsurprising that the agency was successfully attacked (after all, it's a very attractive target to the opposition) but surprising that the success was so loudly advertised. Most observers have, however, concluded that the Shadow Brokers' operation can be credited to Russian intelligence services. Most observers, but not all. The alternative theory is that the files were either physically exfiltrated on a storage device by some disgruntled insider ("Snowden junior," as one observer called the conjectured insider), or that they were incompletely staged on a server by some agency operator who committed a serious mistake, and that the wrong person noticed. None of these explanations is mutually exclusive, and what the physical-theft and error-in-staging theories have going for them is the presence of things in the files that aren't normally remotely accessible.

Dave Bittner: [00:04:05:02] Suspicion of North Korean involvement in recent SWIFT bank fraud reemerges. The DPRK is chronically short of hard currency. Investigators are revisiting the theory that the theft from the Bangladesh Bank represents part of a state-sponsored criminal campaign to shore up Pyongyang's hard currency reserves.

Dave Bittner: [00:04:24:04] In industry news, Cisco continues its pivot away from switches and routers and toward increased reliance on cybersecurity, cloud, and Internet-of-things offerings. This shift in strategy has a downside for Cisco's highly qualified workforce. The company has announced that it will cut 5,500 jobs, or some 7% of its workforce. Company executives have also said they intend to look for more acquisitions in their strategically favored lines of business.

Dave Bittner: [00:04:52:06] We spoke recently with CrowdStrike's Adam Meyers about recent trends, and their investigation of the Boson Spider cyber gang. Here's what he had to say.

Adam Meyers: [00:05:01:01] Looking at Boson Spider, we had first kind of observed it back in August of last year and they used Angler as well to deliver their payload. They used bulletproof hosting services, which are another component of the e-crime ecosystem. Once you have, you know, your malware, one, you want to spread it, and that's where Angler came in, and then the other thing you need to do is you need to be able to control it. You need some sort of command-and-control. The way that you can kind of keep your command-and-control up and running, one of the components that they'll use, is known as a bulletproof host, which is just a hosting service that might be law-enforcement-resistant, or they'll tip off the attacker when, you know, a subpoena or a search warrant or a holdall order comes down. Then once they had their infrastructure set up and they actually had it deployed out to a number of hosts, they offered an affiliate model for monetization. And so effectively what that means is that anybody that wants to leverage their botnets to steal credentials or steal information can pay a subscription cost, effectively, to get access to that botnet, and then use it, you know, within their own malware-as-a-service type of subscription.

Adam Meyers: [00:06:16:01] And so if you look at who their victims were, they were generally financials, and in one affiliate network, they were targeting US banks and some Canadian banks. Other affiliates targeted Japan, Singapore or Hong Kong. So that gives not only an understanding of how they're using this and against whom, but also potentially who is their customer set and what they're interested in. So, if we see Boson Spider shut down, which we actually did pretty recently, then, you know, if we start seeing all of a sudden a new Dridex, which is another malware-as-a-service botnet, if we see one of their-- a new customer come online there and they start targeting Japan or Hong Kong, then we might have a better understanding of that. Whoever that threat actor is that was using the Boson Spider infrastructure has now moved over to Dridex.

Dave Bittner: [00:07:08:05] One of the interesting things about this particular botnet was that it used domain-name-generating algorithms.

Adam Meyers: [00:07:14:00] When you want to control a botnet, you use a command-and-control domain or IP address, and good guys want to block that. So if we know that Boson Spider had a domain of, we would, you know, identify that, we would block it, and then they would be unable to control their botnet. And so what they do is they write an algorithm that kind of takes a bunch of different random pieces of data and uses that to generate domains on the fly. So the domain that they're talking to at 9:47am on August 9th won't be the same domain that they're talking to perhaps at 11:47am on August 9th. And if you understand that algorithm and you can reverse engineer it, then you can actually use that to predictively block those domains. So through our intelligence analysis, customers are able to take that and then use those domains to block this actor on their infrastructure and stop them from being able to take advantage of any of their accounts or their credentials.

Dave Bittner: [00:08:19:03] That's Adam Meyers from CrowdStrike.

Dave Bittner: [00:08:23:11] Studies by Dell and Okta highlight the difficulties of upgrading legacy systems, and the security penalties involved in failing to do so. LogRhythm's CTO Chris Petersen commented to the CyberWire that many legacy systems were never designed to withstand cyber attacks. Operations that depend on such systems need, he said, quote, "A security strategy based on rapid detection and response," end quote. This is, Petersen added, especially important for the IoT. Quote, "As the rise of IoT further compounds risk, companies must assume that both old and new systems can be compromised. They need to automate the security monitoring of their infrastructure to ensure the fastest detection, response and neutralization possible," end quote.

Dave Bittner: [00:09:07:11] We also heard from RedSeal CEO Ray Rothrock, who suggested the Dell study in particular should serve as a reminder of the importance of prioritizing defenses. Quote, "Every organization has legacy systems, some more than others, the trick is to think about your network, understand the risk associated with any given piece of software or operating system, fix those that pose a high risk, monitor those that do not," end quote.

Dave Bittner: [00:09:32:14] Finally, we are pleased to report that we see no new developments on the Pokéfront.

Dave Bittner: [00:09:37:06] We do, however, have an alternative theory as to the source of the Shadow Brokers' prose style. On yesterday's show we noted that our linguistic staff conjectured that the style came from uncritical use of Google Translate, but ultimately rejected this hypothesis after a few admittedly rough-and-ready trials. But alert listener Jess Baran contacted us to suggest an alternative theory. The Shadow Brokers sound an awful lot like the Incredible Hulk. She offered links to some Hulktweets as evidence. Perhaps there's a Hulkspeak generator out there available for general use. In which case, Ms Baran, thanks for the insight, and, "Hulk smash Google Translate." The Shadow Brokers are more Hulk than the Hulk. Oh, and General Thunderbolt Ross was unavailable for comment. Dr. Banner is believed to still be on sabbatical.

Dave Bittner: [00:10:31:01] Time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:42:00] Joining me is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, we've been following this story about the group calling themselves the Shadow Brokers who have leaked data they claim comes from the NSA. What's your take on this?

Ben Yelin: [00:11:56:15] Yes, this is potentially a very serious breach. The release on this Shadow Brokers site appears to be computer codes the NSA uses to break into the networks of foreign governments, so it's malware devices. And these are some of the NSA's most closely held tools, now being potentially in the hands of both an unreliable group and now available to the general public and possibly to hostile actors, both state actors and otherwise. We don't yet know who is behind the hacking. What I find interesting is that Edward Snowden, who as we know leaked documents from the NSA three years ago, is claiming that the Russian Government has hacked into this NSA technology as sort of a threat against the United States, because the United States has been posturing about punishing Russia for the rumored leaks into the Democratic National Committee system. So this is a very significant breach. I think the NSA is scrambling to figure out how this happened, and I think it's going to have pretty wide-ranging consequences.

Dave Bittner: [00:13:05:18] And so let's dig into that. What do you think some of the consequences could be?

Ben Yelin: [00:13:09:09] Well, I think one of them is that it undermines the Federal Government's claim-- when we had-- earlier Dave and I talked about the Apple case, and Apple had made the argument that once it developed software to break encryption, that sort of software is going to be available to hostile users. And the NSA and the FBI had said that was not going to be the case. Now we have the situation where the most sensitively held tools for the National Security Agency, this malware that we use to get information from hostile governments, now has been released to the public and now will be available to hostile actors. So I think it's in some ways a slap in the face to the FBI and the NSA. The one somewhat saving grace is that this is not the most recent technology. This leak appears to be of some of the malware tools that were being used in the middle of 2013 and onwards for the next couple of years. So it is slightly outdated, and perhaps the silver lining here is that the hackers' access was cut off at some point before the most recent technology was developed. But I think it still will have very wide-ranging and potentially serious consequences.

Dave Bittner: [00:14:23:18] We'll keep an eye on it, stay tuned. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:30:05] And that's the CyberWire. To subscribe to our daily podcast or news brief visit The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.