The CyberWire Daily Podcast 4.12.17
Ep 326 | 4.12.17

Patch Tuesday notes. Cyber threats to healthcare, New Helsinki information operations center forming. Updates on WikiLeaks and the ShadowBrokers


Dave Bittner: [00:00:03:06] Yesterday was Patch Tuesday. Cyber threats to health care include ransomware, breaches, and device hacking. NATO and non-NATO partners establish an information operations center in Helsinki to contest Russian influence in cyberspace. Analysts continue to pick over the latest from the Shadow Brokers. And WikiLeaks' Vault 7 seems to out cyber operators as fans of Star Trek, anime, and Ape Escape. No surprises there, eh?

Dave Bittner: [00:00:33:18] We'd like to take a moment to thank our sponsor, Palo Alto Networks, you can find them at The use of software as a service application takes data security beyond traditional network parameters. SAS environments can create gaps and security visibility and pose new risks for threat propagation, data leakage and regulatory non-compliance. With Palo Alto Network's integrated platform you get detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention so your organization can achieve complete SAS protection. With Palo Alto Networks you get the broadest most comprehensive cyber security for all cloud and SAS environments. Make sure your apps and data stay secure and protected. Remember secure clouds are happy clouds. Find out how to secure yours at and we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:44:11] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Wednesday, April 12th, 2017.

Dave Bittner: [00:01:53:24] Microsoft yesterday issued fixes for the Office zero-days that have been much discussed over the past week. At least two of the bugs are being actively exploited in the wild, which should lend urgency to the patching. Netskope reports that one of the vulnerabilities is being exploited by the Godzilla botnet, and the resurgence of the Dridex banking Trojan via Word zero-days has been widely reported as well, with much research contributed by Proofpoint. McAfee and FireEye have said they'd warned Microsoft about the vulnerabilities, but Microsoft had until now been quiet about the steps toward remediation it planned. Now Redmond has taken a swat at forty-six bugs, fifteen of them rated "critical."

Dave Bittner: [00:02:35:22] The exploitation of the vulnerabilities in the wild tended to begin, as it so often does, with phishing, the phishbait in the case of the Word vulnerability reported by researchers at security firm, Optiv, being a malicious document that, when opened, executes a script to install additional payloads. Michael Patterson of security firm, Plixer International, pointed out to us that phishing tends to succeed when it becomes more plausible. The ready availability of personal data to bad actors, whether obtained legitimately via unwise sharing over social media, or illegitimately through breached information traded on the black market, contribute to successful phishing.

Dave Bittner: [00:03:12:03] The other patched bug being exploited in the wild is an Internet Explorer flaw that enables privilege elevation attacks.

Dave Bittner: [00:03:20:13] A third zero-day, this one affecting Office 2010, 2013, and 2016, is carried in Word by a malicious EPS image. This one's not yet patched, but Microsoft has released interim guidance pending a security update.

Dave Bittner: [00:03:36:05] For its part on Patch Tuesday, Adobe fixed fifty-nine vulnerabilities, forty-four of them code-execution bugs. The affected products include Adobe Reader, Adobe Campaign, the Creative Cloud App, Photoshop, and Flash Player. And SAP published twenty-seven security notes in its round of patches yesterday. Most of them are "missing authorization checks," but a few are more consequential.

Dave Bittner: [00:04:00:23] A number of attacks against, and threats to, medical information and health care providers have been reported. A Tweeter by the screen name of "Flash Gordon" found, using the Shodan search engine, information on more than nine-hundred thousand elderly diabetes patients exposed online in, apparently, a telemarketer's database. And security company Forcepoint sees a trend—attackers are using the ransomware-as-a-service platform known as "Philadelphia" for commodity attacks against medical targets.

Dave Bittner: [00:04:31:14] Many security experts see the health care sector as still playing cyber catch-up, which is understandable—the sector collects, holds, uses, and necessarily shares a great deal of sensitive information, and so it faces a tough challenge. Trivalent's John Suit, for one, told us that recent incidents show that data protection has been unable to keep up with the sector's rapid digitization. He recommends protecting data at the file level: "encryption, shredding, and secure storage, which renders personal patient data useless to unauthorized parties.”

Dave Bittner: [00:05:05:02] Turning to cyber conflict, specifically information operations—specifically the UK, the US, France, Germany, Sweden, Poland, Finland, Latvia, and Lithuania—have agreed to establish a joint info ops center in Finland. The Helsinki center is aimed against Russian influence operations, especially against the prospect that such operations will play a malign role in future elections. The new center recognizes the seriousness of propaganda, especially given its technology-enabled increased reach and rapid spread. It also suggests recognition that aggressive information operations are usually best addressed by informational means. For example, RT's coverage of the alleged Kelihos botmaster, in which the Russian state-aligned service claimed the suspect arrested on his Spanish vacation was behind last year's DNC hacks. In an interview yesterday with The Hill, former US Director of Central Intelligence and NSA Director Hayden sensibly cautioned members of Congress against calling election hacking an "act of war." Not all hostile acts constitute a casus belli.

Dave Bittner: [00:06:12:05] Hacker House looks at the Shadow Brokers' latest leaks and concludes they suggest the existence of tools to root- Oracle/Sun Solaris Unix servers.

Dave Bittner: [00:06:21:18] And, finally, researchers at Symantec and elsewhere continue to pick over WikiLeaks' last Vault 7 round of alleged CIA hacking documents, connecting the tools noted therein to the Longhorn campaigns that appeared in sixteen countries beginning in 2011. The Hill and others make something of pop-cultural references that appear in the doxed files—they're said to be loaded with allusions to Star Trek and anime. But closer inspection reveals that there's less here than meets the eye, so the name-check reporting might best be viewed as so much fan service for Langlophobes. Mr. Spock gets a couple of shout-outs, but so do Flash Gordon, Ape Escape, Bad Lip Reading, and Brazilian Jiu Jitsu. The homage to anime seem to extend little farther than Gai and Shu, who you'll no doubt remember from the series "Guilty Crown." Or so a friend tells us. All of this seems innocent enough as naming conventions go, and even to argue for a pleasantly broad range of civilized curiosity on the part of the alleged (we stress, alleged) cyber operators. We confess one of our stringers has spent the day noisily advocating for Babylon Five over Star Trek, but in matters of popular culture, tastes vary but, had it been all "Sailor Moon" all the time, we would have feared for the Republic. A quick question, though, for retired DCI Hayden: General, if you don't mind sharing, what was your high score on Ape Escape?

Dave Bittner: [00:07:50:12] Time to take a moment to tell you about our sponsor Control Risks. For 41 years across over 130 countries Control Risks has partnered with the world's leading companies to help them succeed in complex physical, political and virtual risk environments. They've been with their clients as risks have evolved. From kidnapping in the jungles of Colombia to extortion by cyber attack. In an increasingly interconnected world cyber risks are everywhere you operate. Control Risks has a comprehensive view of cyber security as a business risk within a context of geopolitical, reputational, regulatory and competitive complexity. And thanks to their unique heritage they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings order to chaos. Let them show you what over 40 years in the risk business has taught them. Find out more at Control That's Control And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:08:59:12] And joining me once again is Emily Wilson, she's the Director of Analysis at Terbium Labs. Emily welcome back. You know, the dark-web is its own ecosystem. There are markets that come and go, people set up shops, shops close. Take us through that ecosystem, the evolution of that ecosystem.

Emily Wilson: [00:09:17:01] Sure, I mean you think about the standard conversation there, you have something like a Silk Road that kind of existed and was very popular and then was taken down, and I think we are on Silk Road three or four now. With each interaction less trust and less of an expectation of it coming back to its original levels, you know, new ownership for example.

Emily Wilson: [00:09:38:16] Then you have other markets like the Real Deal, which really built up our reputation, especially in the latter half of last year as being a place for some of these major databases for sale or some of these major exploits. In comparison to other markets like AlphaBay, which is more of general market, you can get your drugs or your fraud or what have you. I think the volatility there is definitely difficult for sellers to navigate or for buyers to navigate for that matter. I don't see too many conversations about vendors and where they're moving when markets go down but buyers definitely, and buyers follow their vendors. When you find someone you trust you're going to follow them wherever they go. And so, if they're only on one market and that market goes down, there's a vacuum.

Dave Bittner: [00:10:22:01] And what is there in terms of barriers of entry for setting up a shop?

Emily Wilson: [00:10:26:24] For setting up a new market I think there's a fairly decent barrier to entry there. I mean, first you need to have a site that is going to be technically sound enough that vendors and buyers are willing to go there and there definitely have been standards set in the market. You know, people are trying to differentiate themselves enough to draw people away from other markets, but at the same time there are these security constraints, which is why, when new markets are available, people will typically put them up and ask the community to assess them and try and pull new vendors in saying "we are just as secure but we do these things differently". Not all that different from the kind of competition we see in regular retailers.

Dave Bittner: [00:11:05:12] So, in terms of the markets coming and going, how volatile is it? Are there ones that have been around for a long time and they're the tried and true markets and then fly-by-nights. How does it work?

Emily Wilson: [00:11:15:23] Sure, I mean Alphabay is definitely the clearest example of something that's been around for a little while and definitely has earned a reputation for being fairly stable. They have uptime and downtime just like the rest of the dark web, they face DDoSing; they were down for a couple of hours yesterday. Every time these sites kind of come up and go down the major markets in particular, you have to ask yourself is this the exit scam? Nucleus, people held out hope for a while when nucleus first went down. And so then in addition to kind of the major markets going up and down, it's trying to make a judgment call on these new markets when they pop up. Are they gaining traction? Are they going to ever become truly popular? And would they become popular in their own right or is it going to be a result of some other market going down and that's the next best thing? Trying to judge what the next best thing will be is difficult I think when you have something like an Alphabay and really there's not an equivalent.

Dave Bittner: [00:12:14:21] So it can really be sort of an ethereal thing. A site might come up and have that special something that will attract attention and others simply won't.

Emily Wilson: [00:12:22:24] Sure, and then you have to ask yourself if this site goes down are we going to see the vendors split into, the drug vendors will go focus on something that's more like the Majestic Garden, which is just a psychedelic site, and the fraud vendors, will they go over to kind of carding specific sites? Or are we going to see an exodus to another fairly large market like Hansa or Valhalla? Or are we going to see people maybe take up banners on some of these newer markets.

Dave Bittner: [00:12:51:20] It's a different world. Emily Wilson, thanks for joining us.

Dave Bittner: [00:13:00:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to help protect you, visit

Dave Bittner: [00:13:13:06] A quick reminder that we're partnering with our friends at Recorded Future to produce a new podcast focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future or visit

Dave Bittner: [00:13:29:19] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.