The CyberWire Daily Podcast 1.18.17
Ep 267 | 1.18.17

Carbanak gang is back. GhostAdmin works on data theft. Trolling security researchers. M&A notes. Pardons, commutations, and extraditions.


Dave Bittner: [00:00:03:15] Carbanak is back, and in the cloud. GhostAdmin quietly assembles a few good bots. Malware writers troll security researchers on VirusTotal. Oracle issues a big patch. Apple is said to be preparing a smaller one. M&A activity is in the news. Australia investigates fallout from the Yahoo! Breaches. Experts warn European election officials and politicians to be on the lookout for Bears. And US President Obama issues some pardons and commutations, General Cartwright and Private Manning are on the list. Not so Mr. Snowden.

Dave Bittner: [00:00:40:24] Time for a message from our sponsor, E8 Security. You know, to handle the unknown unknown threats you need the right analytics to see them coming. Consider that insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's just a well intentioned person who's careless, compromised or just poorly trained. You know, you can learn a user's behavior and score a user's risk. E8 can show you how. Did you know, for example that multiple Kerberos tickets granted to a single user is a tip off to compromise? E8 can show you why. Get the white paper at and get started. Detect, hunt, respond. E8 Security. We thank E8 for sponsoring our show.

Dave Bittner: [00:01:35:11] Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:39:01] This is Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, January 18th, 2017.

Dave Bittner: [00:01:45:12] Some developments in cybercrime appear at midweek.

Dave Bittner: [00:01:48:22] The Carbanak financial fraud gang is back, and according to Forcepoint researchers it's quietly hiding its command-and-control within legitimate Google services. The malware is embedded in a Trojanized rich-text file, typically delivered as an image which the victim is invited to open with a double-click. Upon doing so, VBScript malware executes. Once established, it sends and receives commands via Google Apps Script, Google Sheets, and Google Forms services. Traffic to these legitimate services is unlikely to trip warnings, and so lends stealth to the criminal campaign.

Dave Bittner: [00:02:24:24] Carbanak hoods, working mostly from Russia, Ukraine, and China, are interested for the most part in stealing data and credentials from financial institutions which they subsequently employ in fraud. Some estimates place their cumulative take at around a billion dollars. Its use of cloud services strikes many analysts as disturbing.

Dave Bittner: [00:02:44:09] There's also some new bot-herding malware out and about. Unlike the well-known Mirai malware, this code, called "GhostAdmin," isn't targeting the Internet-of-things, nor is it optimized for distributed denial-of-service attacks. Instead, it enables remote execution of commands on infected machines, and aims at data theft and exfiltration. MalwareHunterTeam has described GhostAdmin to BleepingComputer, the researchers regard it as a descendant of the older CrimeScene malware.

Dave Bittner: [00:03:15:12] Bleeping Computer has an interesting account of how malware authors are trolling security researchers on VirusTotal. In addition to conventional abusive trolling and defamation, they're also voting malware samples "harmless." The object of their wrath is the aforementioned MalwareHunterTeam, who've been at work of course on GhostAdmin. Bravo to the researchers at MalwareHunterTeam, may they prevail over the trolls.

Dave Bittner: [00:03:41:18] In patch news, Oracle has released its first quarterly security update of the year, and it's large. Some 270 patches will keep Oracle admins busy and gainfully employed. And Apple is said, by Threatpost, to be working on patches for vulnerabilities in iTunes and the App Store disclosed Monday by Vulnerability Labs.

Dave Bittner: [00:04:01:24] The Yahoo! Breaches may or may not have soured the deal with Verizon, which as far as we've heard, is still proceeding, but they are receiving attention from investigators in Australia. Prime Minister Turnbull has ordered an inquiry into the effects of those breaches on members of his government

Dave Bittner: [00:04:19:16] Many organizations consider threat hunting a critical part of their cybersecurity strategy, going after malware that their automated systems may have missed. We checked in with David Bianco from Sqrrl, a cleverly named company that specialized in threat hunting for his take.

David Bianco: [00:04:36:20] Some people think that hunting is actually the end goal, like finding the bad guy is the end goal of hunting. Which makes perfect sense, but I think is actually not true. The reason that I recommend organizations do hunting is not so that they can really find bad guys in their network, it's actually so that they can drive the automation to be better at finding bad guys. They find new ways to discover security incidents that they're concerned about and then they automate those ways. If you think about it, that makes even a lot more sense, because you don't want to tie up the human analysts doing the same hunts over and over. So you'd find a useful hunt and maybe you've found something that really was actually malicious data exfiltration. You said, "Great, this technique works and I wanna be able to run it, every day, every week" however often, but you don't necessarily wanna tie up a human's time doing all that, so the correct thing to do with that then would be to create more of an automated analytic that you can run on a schedule and review the outputs, rather than having spend somebody's time to do the data searching and the, the analysis technique manually, you automate all that and so that frees up your hunters to go and create new and different hypothesis or work on new and different and improved analysis techniques, so that they can further their automated detections effectiveness.

David Bianco: [00:06:11:08] My main advice when it comes to getting started with threat hunting, is don't be afraid to start small and build on that. You can get benefits from hunting with not even having a dedicated hunting team, just having some people doing it on a part time basis. That you know, the more organization and strategy can bring into the process, the better that you will be, but it doesn't mean that if you don't have a fully mature hunting team right off the bat, then you shouldn't bother doing it. You definitely should do hunting to be the level that you're capable of doing now and build on that over time, so that you can build up that level of maturity.

Dave Bittner: [00:06:52:19] That's David Bianco from Sqrrl.

Dave Bittner: [00:06:55:20] In other news involving mergers and acquisition, Bitdefender has bought French security partner Profil, and Kudelski is acquiring M&S Technologies. Microsoft has announced its purchase of natural language processing shop Maluuba, and Hewlett Packard Enterprise is buying hyperconvergence vendor SimpliVity.

Dave Bittner: [00:07:16:17] French security agencies warn that country's politicians to expect unwelcome attention in cyberspace. Eugene Kaspersky is delivering a similar message, telling the World Economic Forum to expect a range of cyberattacks during Europe's 2017 elections. He expects this threat to grow "worse and worse," and says that candidates in German and French elections particularly should expect attacks and take steps now to upgrade their security. Kaspersky declines to offer any attribution of the famous attacks on US political targets. Attribution, he says, is tricky, and his company wasn't asked to perform it in any case.

Dave Bittner: [00:07:53:19] The prime animal-of-interest in the threat to elections, of course, remains Fancy Bear, of DNC hack fame. That's roughly speaking the conclusion of researchers at ThreatConnect, CrowdStrike, and FireEye.

Dave Bittner: [00:08:07:23] US President Obama, in his last week in office, pardons former Marine General Cartwright for his conviction of lying to investigators looking into Stuxnet leaks. He has also commutes the sentence of Private Manning, convicted of giving classified information to WikiLeaks. Note that this form of clemency is a commutation, not a pardon. Manning will leave prison in May, after serving seven years of a thirty-five sentence. The pardon and commutation both receive decidedly mixed reviews. It's unclear whether WikiLeaks' Julian Assange will honor his pledge to accept extradition to the US in the event of Manning's release. Some sources are saying yes, others no. Assange is currently under investigation by US authorities.

Dave Bittner: [00:08:52:18] Absent from the list of pardons is one for Edward Snowden, former contractor at NSA and current resident of Moscow. Mr Snowden did send a congratulatory shout-out in Private Manning's direction. In any case, the Russian Foreign Ministry has said that Mr. Snowden's temporary residency permit would be extended "for a few more years."

Dave Bittner: [00:09:18:04] Time for a message from our sponsor Netsparker. You know, when you want automated security, you want it to be automatic. Netsparker delivers a truly automated web application security scanner. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner that can identify the set up and configure its own URL rewrite rules. Visit to see how Netsparker's no false positive scanner frees your security team to do what only humans can. And don't take their word for it. If you'd like a free trial, go to, you'll get a 30 day fully functional version of Netsparker desktop. Scan your websites with no strings attached. That's and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:10:18:13] Joining me once again is Rick Howard, he's the CSO at Palo Alto Networks. He also heads up their Unit 42 Threat Intel team. Rick, you all have a white paper that you published, it's called First Principles for Network Defenders, A Unified Theory for Security Practitioners. That sounds pretty serious, sounds like there might be a lot of math in there.

Rick Howard: [00:10:39:04] Yeah, I'm sorry, but I will tell you, there is no math. I just point to it a lot.

Dave Bittner: [00:10:44:00] What's the paper about?

Rick Howard: [00:10:45:18] Well, I got inspired by this, I was reading Elon Musk's biography last summer and regardless of what you think of Mr Musk, whether you love him or hate him, one thing you can say about him is he doesn't go after little bitty problems, he goes after these giant hairy, big problems, that no one wants to touch, you know, the electric car, solar panels, you know, put a person on Mars by 2025. And his philosophy on dealing with these problems is he doesn't wanna take the next incremental step, what everybody else has done. He takes a blank white board and says, okay, we're gonna do this, we're gonna figure out how to do it from scratch and we're gonna understand everything from the ground up about how to do this. So in order words, he is a first principle thinker. So having been inspired by all this, I said, "I wonder what the first principles for network defenders are?" and that's how we started down this path with this white paper.

Dave Bittner: [00:11:40:00] And so what did you discover? What are security's first principles?

Rick Howard: [00:11:44:03] Well, I mean, I'm looking, I'm thinking about it and I got a blank white board now and I'm looking around, I don't want to do what anybody else is doing and I'm saying, well what is the thing? If I, if I boil everything down to what I should be doing, if I give you the elevator pitch of what our security organization does and we do a gazillion thing and every network defender in their day job does a gazillion things. But if you could boil it down to what is the essential thing, the atomic thing that we do and what would you say that is? And the conclusion I came up with is, our job is to prevent material impact to our organization. And that sounds really simple, okay, but when you think about all the things that we do and how we get distracted with, you know, kinda bright, shiny objects every day, it helps to focus on those things.

Rick Howard: [00:12:29:21] Because every organization faces many, many kinds of attacks. I would say not, you know, 70 percent of hem are material to the business. So for example, if somebody defaces my commercial website, yeah, that's embarrassing to me, but it's not gonna be martial to my company. A more lucrative or more material impact would be someone stealing our intellectual property, that's the thing I'm gonna get fired for. So, I think we should focus on those kinds of things and that would be the first principle, I think, going forward.

Dave Bittner: [00:13:00:16] If your website was defaced, certainly there'd be people in the organization, you know, screaming that we're having reputational damage and things like that?

Rick Howard: [00:13:09:15] They absolutely would, okay, and yes, in some organizations that might be a major disaster, in some organizations, it might not have any influence at all. I'm just saying you'd have to decide what is material to your organization and focus on those things. And kind of, you'd still have to deal with the other stuff, but I wouldn't put it in the top first priority cubicle.

Dave Bittner: [00:13:28:00] Alright, Rick Howard. The white paper is First Principles for Network Defenders, A Unified Theory for Security Practitioners. Check it out. Thanks for joining us.

Dave Bittner: [00:13:38:17] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible and especially to our sustaining sponsor, Cylance. Find out more about how Cylance can protect you at Don't forget to follow us on Twitter and on Facebook.

Dave Bittner: [00:13:52:07] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.