The CyberWire Daily Podcast 2.7.17
Ep 281 | 2.7.17

Brokerages in Taiwan face DDoS extortion. Polish banks hit in watering hole attack. Cyber vigilantes. Information operations. ShadowBrokers update?


Dave Bittner: [00:00:02:23] Brokerages in Taiwan threatened with DDoS. Polish banks compromised in watering hole campaign. Cyber vigilantes poke at unsecured printers and dark web hosting. China ratchets up its effort to control its Internet. The US shares classified intelligence on Russian influence operations with European allies, and works on its own information operations capability and a former NSA contractor probably faces espionage charges related to the ShadowBrokers.

Dave Bittner: [00:00:37:08] It's time to take a moment to tell you about sponsor CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resumé and search and apply for 1000s of jobs. It's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs. WakeMed is looking for an Information System Security Officer to help safeguard sensitive information. You'll find this and other great opportunities at We thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:40:24] Major funding for the CyberWire is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 7th, 2017.

Dave Bittner: [00:01:50:18] Authorities in Taiwan are investigating extortion threats made against five brokerages. The extortionists, who claim to represent the "Armada Collective," a group that's been active elsewhere, say they'll subject the brokerages to distributed denial-of-service attacks if they're not paid some $9700. The brokerages haven't paid.

Dave Bittner: [00:02:10:18] The Armada Collective has been observed intermittently at least since October 2015, with much of the research on the criminal group being done by DDoS protection shops Cloudflare and Akamai. Many of their earlier attacks have been largely bluffs, and the group has never come close to mounting the one terabyte per second attack traffic they claimed. Whether this group is the familiar Armada Collective or not, the Taiwanese shops are wise to have refused payment. Other earlier victims have been too easily spooked - payments totaling more than $100,000 have been observed headed for the Armada Collective.

Dave Bittner: [00:02:47:01] Several Polish banks suffered a malicious JavaScript infestation after employees innocently visited the Financial Supervisory Authority, a Polish government regulatory agency. The infection could lead to installation of a remote access Trojan. Polish media are generally attributing the incident to a foreign intelligence service, read, of course, "Russia", but many observers aren't so sure, and believe this could have been the work of a criminal gang instead. Sometimes it's difficult to make the distinction.

Dave Bittner: [00:03:16:00] It doesn't appear that any depositors' accounts were looted. We heard from High-Tech Bridge’s CEO, Ilia Kolochenko, who tells us that this is another example of hackers finding creative ways to compromise financial institutions, and not just in Poland, either. "We should expect that cybercriminals will find more creative and reliable ways to compromise their victims. Trustworthy websites, such as governmental ones, represent great value for cybercriminals, even if they don't host any sensitive or confidential data." In this case, we note the compromised government website was useful as a watering hole to infect visitors.

Dave Bittner: [00:03:53:15] The use of JavaScript in the Polish attacks is becoming something of an outlier. It's not that JavaScript has become noticeably more secure, but rather that criminals are turning to file types less likely to arouse suspicion. Researchers at Microsoft and Intel Security find attacks increasingly based on LNK and SVG attachments.

Dave Bittner: [00:04:13:13] Cyber vigilantes have been at work recently. One of them, who goes by the nom de hack "Stackoverflowin" has caused vulnerable networked printers to push out old-style asci art in what looks like a picture of Frankenstein's Monster, and the warning that the printer had been roped into a botnet. Stackoverflowin, who claims to be a secondary school student in the UK, has said, according to CSO magazine, that there really isn't a botnet. He's just trying to raise awareness of vulnerabilities. Young master Stackoverflowin, we think, is skating on thin legal ice.

Dave Bittner: [00:04:49:12] On Friday another vigilante, this one unnamed, compromised, doxed, and defaced Freedom Hosting II. Freedom Hosting II is a dark web service that caters to people who wish to have an anonymously hosted site accessible through Tor, but who lack the know-how to set one up. The hacker claimed to have found large quantities of illicit information in Freedom Hosting II.

Dave Bittner: [00:05:12:00] Does this sound familiar? Your favorite band announces tour dates and you sit by your computer ready to buy tickets the moment they become available online. And, in what seems like nanoseconds after they go on sale, boom, they're sold out. Or at best, you may be able to get a seat in the nosebleed section. Well, those tickets were probably scooped up by bots. Recently, Congress tried to crack down on ticket buying bots. We spoke with Rami Essaid from Distil Networks for the details.

Rami Essaid: [00:05:39:22] The Bots Act is a new piece of legislation that was introduced in Congress and passed through both chambers and assigned. The point of it was to eliminate ticket scalping online. People like Lin-Manuel who is the Producer Hamilton, and a lot of different artists were getting tired of ticket scalpers making more money on their shows than they were. And, at the same time, consumers felt like they couldn't afford to go to shows anymore. Whether it's a concert like Taylor Swift or a play, the ticket industry, there is so much, demand that middle men were coming up, buying up tickets and marking them up significantly. So, Congress got involved to pass a law that said it was illegal to buy tickets using bots. a thing forever. Like, before we even had the Internet, that when you had one person that was gonna go manually and buy the tickets and then manually stand outside and sell them, it was manageable. Now that you have bots and you buy and sell these tickets online, the scale at which these scalpers are operating made it really hard to manage and made it improbable that real users and fans are gonna get their tickets at a fair price.

Rami Essaid: [00:06:28:13] Ticket scalping has been a thing forever, before we even had the Internet. But when you had one person that was going to go manually and buy the tickets, and then manually stand outside and sell them, it was manageable. Now that you have bots and you buy and sell these tickets online, the scale at which these scalpers are operating made it really hard to manage and made it improbable that real users and fans are going to get their tickets at a fair price.

Rami Essaid: [00:06:53:10] So the Bots Act says we can fine you up to X amount per ticket that you buy, if you use bots. In New York there was a state legislation that said we can even send you to jail for it.

Dave Bittner: [00:07:04:20] So is the Act in effect, and it having any success?

Rami Essaid: [00:07:09:14] It is in effect. It is not having any success, that we've seen. They have not prosecuted anybody under this Act. The State Attorney has prosecuted some people under the New York Act, so there was some significance there. But I think it was like Whack-A-Mole- one company gets squashed down and another one springs up. We haven't seen it really make a big difference in online ticket sales, and resales and scalping. We're seeing it be just as prevalent as ever before.

Dave Bittner: [00:07:38:11] How can they protect themselves against these kinds of attacks?

Rami Essaid: [00:07:41:04] There's companies like us, and I don't mean to just pitch us, there's several companies out there that have realized that this needs to be a purpose-built solution, and offer a product or a service to help companies mitigate bots. This problem has gotten enough awareness that there are computing solutions out there to help companies solve this problem.

Dave Bittner: [00:08:01:23] And without giving away too much of your secret sauce, what are the things that you look for to identify that something is indeed a bot?

Rami Essaid: [00:08:09:19] Well, we have a multi-layered approach. We fingerprint every connection coming in, any device coming in and, based off of tracking every device, we look at the behavior and we say, we profile a website using machine learning and identify what normal user behavior looks like, and find anomalies to that. At the end of the day, the bad guys, what they're doing is spoofing each of these different signals. We've layered in dozens and dozens of signals to hopefully find one that they have not spoofed, which allows us to then identify them as potentially malicious.

Dave Bittner: [00:08:42:12] That's Rami Essaid from Distil Networks.

Dave Bittner: [00:08:46:04] China continues its long march toward exerting national control over its Internet, establishing an interdepartmental authority that will check and vet Internet hardware and services. Foreign observers see this as both a means of social control and, arguably more importantly, an anti-competitive regime designed to freeze foreign businesses out of the Chinese market. Chinese authorities say no, the latest measures are designed to remedy the disordered development they say the country's Internet services have exhibited.

Dave Bittner: [00:09:17:13] As fears of election hacking and influence operations rise in Europe, the United States moves to share intelligence developed during the last election cycle with officials in France, Germany, the Netherlands, and Norway. The intelligence being shared includes the classified version of the US Intelligence Community's investigation of Russia's information operations. The US is also said to be preparing its own information operations capability, to be wielded by the State Department's Global Engagement Center.

Dave Bittner: [00:09:47:16] Yesterday the US House of Representatives passed, by voice vote, email privacy legislation that would restrict law enforcement access to stored emails.

Dave Bittner: [00:09:57:17] Finally, Hal Martin, the former NSA contractor arrested when investigators allegedly found very large troves of highly classified material at his Glen Burnie, Maryland, home, will probably be charged with espionage. Martin's lawyers have portrayed him as a zealous patriot who took material home to study so he could do a better job at the Agency. But prosecutors are said to be seeing a significant overlap between what Martin is alleged to have taken and the NSA tools purveyed by the ShadowBrokers.

Dave Bittner: [00:10:33:05] Time for a message from our sponsor E8 Security. You know, once an attacker is in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like: newly visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address, or the association of a website with a limited number of user agents. It's tough for a busy security team. It's easy for E8's behavioral intelligence platform. For more on this and other use cases visit and download their white paper. E8 Security - Detect, hunt, respond. We thank E8 for sponsoring our show.

Dave Bittner: [00:11:31:04] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you all are seeing a big update in ransomware, yes?

Dale Drew: [00:11:39:21] We are seeing an explosion in ransomware. Ransomware is becoming probably one of the more popular mechanisms of bad guys getting quick cash, as well as reeking havoc against their victims.

Dave Bittner: [00:11:52:13] Is this the old adage of, you know, "Why do rob banks?" That's where the money is.

Dale Drew: [00:11:56:11] That's exactly right, and it's the least amount of effort required these days. There's still other mechanisms for bad guys to get cash, whether it's loading malware on your machine that will record your key strokes to get access to your bank password or your credit card numbers, but ransomware is probably the most express way for bad guys to get access to quick money right now. It's because not only do they load malware the same way that they load malware traditionally. You know, you get an email, you click on it and that malware is loaded on your system, but they encrypt critical files relatively rapidly and then they ask you for a ransom to unencrypt it. Once a user pays, we've seen situations where the bad guy will then ask for another ransom, because now he knows what your tolerance levels. Then when the bad guy gets as much money as he possibly can, in a lot of cases the bad guy does not provide the password to unencrypt.

Dave Bittner: [00:12:55:12] We see conflicting stories about that. I see reports where many people are paying the ransomware. Some of them do get their files back, and yet law enforcement is pretty much in agreement that you shouldn't pay the ransom.

Dale Drew: [00:13:09:05] Yes and I'd say it's two-fold. I'd say we see a lot of password recovery happening on the consumer side, more than we're seeing it on the business side. But more importantly, the primary reason either from law enforcement and from industry not to pay ransom is because, when you pay ransom you're also placed on a list of people who will pay ransom, and that's the same thing for people pay ransomware for DDoS. Once a particular bad guy has realized all of the money that he'll be able to make on you from a ransomware perspective, he's able to sell your name to a list of people who pay ransom for other bad guys, to find out what your account sold is for a future ransom.

Dave Bittner: [00:13:52:01] So keep those backups up to date.

Dale Drew: [00:13:53:10] Yes. The most effective measure in protecting against ransomware is to back up your systems. Patch your systems so you cannot be susceptible to malware in the first place. But no matter what, back up your systems on either a USB drive or a cloud provider, so that if your files are encrypted, you can easily wipe your system and reload your backup.

Dave Bittner: [00:14:15:06] Dale Drew, thanks for joining us.

Dave Bittner: [00:14:19:15] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors for making our show possible, especially to our sustaining sponsor Cylance. For more information about how they can help you visit

Dave Bittner: [00:14:35:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.