The CyberWire Daily Podcast 1.20.17
Ep 269 | 1.20.17

Carbanak gets trickier and more ambitious. Ransomware updates. It's beginning to look a lot like 1949 (at least from Moscow).


Dave Bittner: [00:00:03:19] Carbanak gets trickier and more ambitious. In other cyber crime news, ransomware takes off after more databases. There's a new ransomware as a service offering, in the black market, a new strain of Android ransomware hits Russian speaking users. Locky's back, but in a feeble sort of way. Cybercriminals lock files at a cancer services not-for-profit. Russian policy wonks seem to suggest that we're not at the point in history where 2016, yielded to 2017, instead, calling all cold warriors, 1948 just ticked over into 1949.

Dave Bittner: [00:00:43:17] Time for a message from our sponsor, E8 Security, we're talking about putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you to malware on your system, listening a running programs on a rare, or never seen before, open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs, if you had time to review your logs and, by the time the logs reached, the news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get the white paper at and get started. That's, E8 Security, your trusted partner and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:41:12] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary and week-in-review for Friday, January 20th, 2017.

Dave Bittner: [00:01:52:17] There's a fair amount of extortion news at week's end. Ransomware criminals who've been hitting, Elasticsearch and MongoDB databases have begun to devote similar attention to CouchDB and Hadoop. The tools for attacking MongoDB and Elasticsearch as well as a list of vulnerable installations are now being sold by Kraken0 on the black market for about $500. The attacks on databases have been unusually damaging, sometimes wiping the data beyond reasonable prospect of recovery.

Dave Bittner: [00:02:24:05] Elsewhere in the criminal markets, the Satan ransomware as a service is being offered to criminals who lack the time, resources or technical chops to come up with their own attacks. They offer a wizard to walk aspiring crime lords through the process as criminal markets and the ways the goods for sale there, are designed and hawked, continue to ape legitimate markets. Bleeping Computer has the details through researcher, Xylitol, they offer a very thorough look at Satan - the malware, not the fallen angel. Unfortunately, there is, so far, no readily available way of decrypting files that fall victim to Satan, so remember to back up your data.

Dave Bittner: [00:03:02:17] Fortinet has discovered a new strain of Android ransomware that targets Russian speaking users. It's unusual in at least two respects, first, it's demand is very large, 545,000 rubles, about $9,100 at least an order of magnitude more than the cost of the Android devices whose screen it locks. Second, it asks for payment by credit card, as opposed to the customary cryptocurrency. This suggests several possibilities; Android end points are highly valued in certain markets, or, the hoods behind this one are inexperienced or overreaching, or the goal is actually carding, perhaps as gravy on the top of the main course of extortion.

Dave Bittner: [00:03:43:20] Locky ransomware seems to be making a minor come back after it's temporary eclipse during the holidays, but it may be on it's way to super session by the Spora ransomware strain.

Dave Bittner: [00:03:54:15] An unusually repellent extortion attack has hit an Indiana cancer services not-for-profit. The Muncie-based Red Door has seen it's files encrypted. Police are investigating, but it's worth noting that even the most benign and uncontroversial not for profits, can find themselves in cybercriminals' crosshairs. Back your files up and, if you're a security professional, looking for a chance to do some pro bono work, take a look around at your favorite charities and consider offering your services.

Dave Bittner: [00:04:24:03] Trustwave and Forcepoint are tracking the evolution of Carbanak. The gang, long known for attacks on financial services that are thought to have brought in, something north of, a cool billion dollars, have begun, as we noted yesterday, to use legitimate Google services for their command and control traffic. It's worth noting that Forcepoint and Trustwave have said they've reached out to Google for some cooperative way of addressing this problem. What's equally interesting, is the way in which Carbanak seems to have expanded their target set. They now appear to be going after businesses in the retail and hospitality sectors too.

Dave Bittner: [00:04:59:11] Many observers are talking about a de facto state of cyber war between the United States and Russia. This seems overstated, where for example is the physical destruction? To say nothing of the casualties one associates with warfare. But it might not be an exaggeration to call it a de facto state of cyber cold warfare, this is especially so, since, what we now call information operations, were prominently featured in the first Cold War, as propaganda, disinformation, running agents of influence and so on. But, the Washing Post has a piece on a speech one of President Putin's advisors gave back in February, it seems to offer a look at cyberspace under Eastern eyes.

Dave Bittner: [00:05:39:12] Andrey Krutskikh, told Infoforum 2016, that we're living in 1948. That is, we're living in the last year of the US monopoly of nuclear weapons. In 1949, Krutskikh said, Truman had no choice but to start taking the USSR, aka Russia, seriously. Krutskikh promised that in cyberspace, we were about to move into 1949. If he's right, one hopes there's a George Kennan for the cyber age out there, if there is, we'll read his or her forthcoming long telegram with interest.

Dave Bittner: [00:06:13:16] As the Trump administration takes office, former New York mayor, Rudy Giuliani, has been designated as a lead for cyber security policy. The role is more facilitator than director, still less czar, but the appointment has attracted attention because of the patchy security on Mr Giuliani's consultancy's website. We heard from Mike Patterson, CEO of Plixer International, who sees a lesson here for everyone. The problems with Giuliani's website, Patterson says, "Reinforce the magnitude of the problem they face coming into office. When it comes to targeted attacks, which they will definitely be facing, there is almost no defense. Because of this, they may consider entirely new communication methods with all new hardware and software protocols. This will make bridging their discussions to the Internet, very difficult and, as a result, much more secure." He foresees airgaps and toughness on crime.

Dave Bittner: [00:07:08:01] Finally, are we forgetting anything? Oh, there's apparently some big event going on about 40 miles south of us today. What did we miss? All right, just kidding, it's inauguration day down in the district of Columbia.

Dave Bittner: [00:07:20:19] Wherever you are and, if you're in the United States, whomever you voted for, we hope you'll join us in wishing both President Obama and President Trump the best of luck as they step into the next phase of their, and our, lives.

Dave Bittner: [00:07:37:18] Time for a moment from our sponsor, Netsparker, you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real, Netsparker's distinctive automated scans drive out the false positives, save you money and improve security. Their approach is proof based scanning, Netsparker's innovative scanning engine, automatically exploits the vulnerabilities that identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives, if Netsparker tells you it's bad, trust them, it's bad. Remember if it's exploitable, then it is definitely not a false positive. Learn more at But wait, there's more, and we really do mean more. Go to for a free 30 day trial of Netsparker desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's

Dave Bittner: [00:08:34:21] And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:08:43:13] Joining me once again is Emily Wilson. She's the director of analysis for Terbium Labs. Emily, we've been making our way through the report that you put out recently, separating fact from fiction, the truth about the dark web. A lot of people have this perception that the dark web is full of terrorists and bad guys. But your report brought out the fact that maybe that's not the case.

Emily Wilson: [00:09:09:09] It's definitely a question that we get asked fairly frequently and understandably so. This is a situation where people want to know what kinds of things are taking place in what's considered to be a more unregulated part of the Internet. We run into some interesting situations here, both with extremism, a category for weapons and then a category for what we call, weapons of mass destruction, an absence of evidence issue. Absence of evidence is not evidence of absence, it's merely an indication of rarity. We found one incident of extremism in the work that we were doing, in the sample that we took. The study is based on a random sample of URLs and, we thought that was really interesting because these events are some of the most popular topics of conversation for people who are first looking at the dark web. Once you get past drugs and fraud then you naturally turn to more extreme, nasty activity and really these things are very rare.

Emily Wilson: [00:10:10:18] That's interesting for a few reasons because, one, just because they're rare, doesn't mean they don't happen, we certainly see extremism pop up from time to time; whether you're dealing with a Mujahideen handbook, or, the official ISIS site that popped up last fall; and was quickly taken down by anonymous. Or, something like weapons, where we know that weapons exist on the dark web, we've seen them, we know where they are, but, we didn't see any in our sample, which I think is a really good indicator of how rare these things are. I think the other thing to keep in mind about weapons is, to take that with a grain of salt. The larger and more intricate the weapon, the more you run into an issue of how are you actually going to ship that?

Dave Bittner: [00:10:57:07] This doesn't mean that ISIS isn't online it just means that ISIS chooses not to use this particular locality to do their business.

Emily Wilson: [00:11:06:04] Sure, and I think that there was a tendency to lose the nuance in encrypted and anonymous communication as necessarily being on the dark web. I think it's a few things; so, certainly encrypted communications and fully private communications are important to people who are trying to plan and carry out terrible attacks. I think also there are plenty of tour hidden services and our study was based on a sample of tour hidden services in this case. There are plenty of hidden services that are designed to never be shared or are designed to be shared with a select group of individuals and when you are dealing with something that is that important, it is unlikely that that link is going to out to anyone else and so it's going to be very difficult to measure, or capture or find.

Dave Bittner: [00:12:03:02] Time to take a moment to thank our sponsor, Cylance, are you looking for something beyond legacy security approaches? Of course you are. So, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security, with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention and we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:59:16] My guest today is, Simone Petrella, she's the chief cyber security officer at CyberVista, where she leads product development and delivery of cyber security training and education curriculums, as well as workforce initiatives for executives, cyber practitioners and continuing education.

Simon Petrella: [00:13:15:14] I actually think that one of the best things that's happening to the cyber security workforce discussion right now is a widening of that aperture to people that have different disciplines in their background. I think one of the biggest misnomers in cyber security is that it really is one particular, technically niche field. And, in reality, it's not, it's multi-disciplinary and so, what really makes an organization and individuals successful when they go into cyber security is bringing that wealth and breadth and depth of background into their particular functional task. I can tell you, from my own personal experience, I had a lot of success on the threat intelligence side, hiring either people who are trained as attorneys, or were former attorneys, because of the critical thinking and the assessment components and we were able to train them up on the technical skills required to specifically focus on cyber security after the fact.

Simon Petrella: [00:14:09:18] I think there is a huge benefit to even just pursuing those backgrounds as a foundational baseline for those that want to get interested in cyber security. Frankly, that's what makes the field so exciting. Right now there are jobs which require people to have a wide spectrum of skill sets. So, it's not just an area that needs to be the purview of only the hyper technical.

Dave Bittner: [00:14:35:13] And what are you hearing from the employers? Are they saying that the people coming out of school are properly prepared? Or is there a gap there?

Simon Petrella: [00:14:43:04] There was a very interesting study done by CSIS, the Center for Strategic International Studies and intel on security around this very issue and, by and large, employers surveyed found that the people they were bringing onto jobs, out of university, were not properly prepared for the job tasks that they were expected to perform, once they gained employment. So, there's still a gap.

Dave Bittner: [00:15:12:11] Can you contrast some of the differences in skills that the private sector, versus, the public sector are looking for?

Simon Petrella: [00:15:18:21] So, the biggest contrast when it comes to private versus public sector is that the private sector, to date, currently has a completely defensive mission. So, in the government sector there is clearly an emphasis on defense but there is also a significant amount of expenditure, in time and resources, on offensive capabilities and exploitation activities. Those are definitely appealing for those that are the most hands on and proactively going out and doing things on networks. The commercial sector is for authority and legal and just economic reasons, focused on the defense of their own networks and so that is, in particular, not only very focused on defense, but it's increased focus on the integration of all the disciplines within cyber security that contribute to that defense.

Simon Petrella: [00:16:12:02] So, it's not just whether you have a background in vulnerability management, identifying which applications are updated to which point and which ones need patches and, then, how are you actually monitoring the activity that's going on on a network, on a day to day basis. How is the output or information you're receiving from any one of those disciplines feeding the decisions and business operations of it's adjacent units? That integration and optimization of how those defensive capabilities work together is extremely critical in commercial, just because they've had less time to really put it together. Whereas on the government sector, the DOD in particular, has had a longer run time to really get that right.

Dave Bittner: [00:16:57:07] What would your advice be to the employers in such a highly competitive environment, where they're vying for the most talented people. What are the ways, in your opinion, that they can set themselves apart from the other people trying to hire those skilled workers?

Simon Petrella: [00:17:14:13] I think the hardest thing is now the way that that's currently happening is, usually through salary and incentive programs. My recommendation to employers is to take more of a community based approach to how they look at their staffing. The beauty of cyber security as a profession is it really is cross functional and so the job functions of a cyber security professional in the healthcare market are not terribly dissimilar to what you would need to do in the financial services sector. You're really just need the context of what you're protecting and so I think there needs to be more of a community model in the actual industry to pool the resources that they're currently spending to either create, on the job training programs, and very costly training opportunity and maybe put in a fraction of that amount to essentially create a bigger pool of candidates that they all can select from. Because right now, they're fighting over the same very small, finite pool of candidates.

Dave Bittner: [00:18:17:04] I understand you're the chair for industry, for the upcoming NICE conference. What do you want people to know about that?

Simon Petrella: [00:18:24:17] I would love people to know that the NICE conference, which is the National Initiative for Cyber Security Education, is a wonderful opportunity for employers, academic, industry and government to come together and really identify ways, as a community, to solve the cyber security workforce issue. Employers in particular, really have an operative seat at that table in order to articulate the most required skill sets that they need while there's an audience of government and academia and training providers who have the capabilities and willingness to build curriculums to actually serve that potential population. It's going to be on November 7th and 8th of 2017, at the Dayton Convention Center in Dayton, Ohio.

Dave Bittner: [00:19:11:13] That's, Simone Petrella, from CyberVista.

Dave Bittner: [00:19:19:04] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors, who make the CyberWire possible and special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyber attacks at The CyberWire Podcast is produced by Pratt Street Media, our editor is John Petrik, our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody.