The CyberWire Daily Podcast 5.15.17
Ep 349 | 5.15.17

WannaCry ransomware—a pandemic. Baijiu spyware in East Asia. APT32 seems to be spying for Vietnam. Al Qaeda calls to lone wolves. Influence operations and tactical operations. The long arm of the law reaches out to tech-support scammers.


Dave Bittner: [00:00:01:12] Hi everybody. Dave here. Before we start the show, we've got some special news. Thanks to podcast listeners like you The CyberWire has grown to be one of the top cybersecurity podcasts in the world. We couldn't have done it without you and we're truly grateful that you value what we do and choose to make The CyberWire part of your day. We want to continue to produce the news you've come to rely on and with your help, we're looking to develop more programs and launch new initiatives that tell the critically important stories taking place in our industry today. And so, we've launched a Patreon page for The CyberWire and we hope you'll check it out. Go to, sign up and become a CyberWire Patreon today. That's Thanks. Now here's our show.

Dave Bittner: [00:00:47:22] WannaCry ransomware became a pandemic over the weekend. Johannes Ullrich joins us to help sort it out. A temporary lull is feared likely to be more temporary than most would like. Baijiu espionage malware is spreading through GeoCities. Another APT, APT32, is also devoted to espionage, apparently in alignment with the government of Vietnam. Bin Laden's son is working to inspire lone wolves. National authorities seek to draw influence operations lessons from the concluded French presidential campaign. Armies make tactical use of cyber operations. And there's a dragnet out for tech-support scammers.

Dave Bittner: [00:00:59:17] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updated from Recorded Future. It's timely, it's solid and the price is right. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:33:06] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 15th, 2017.

Dave Bittner: [00:02:44:01] Today's leading news is the developing story of WannaCry ransomware, which broke out in the wild on Friday and has since become, effectively, a ransomware pandemic. WannaCry ransomware hit hard late last week and enterprises worldwide are bracing for further waves of infestation. The hitherto obscure strain of ransomware propagated in wormlike fashion against systems running older Microsoft software. It exploited the vulnerability the Shadow Brokers leaked last month as the weaponized EternalBlue tool. Affected systems are running old, and in some cases pirated, versions of Microsoft operating systems, specifically Windows XP, Windows 8 and Server 2003. The rate of infection has been very high, temporarily slowed by discovery and activation of a "kill switch," but most observers expect renewed attack as the unknown controllers upgrade the malware.

Dave Bittner: [00:03:37:03] News of the incipient pandemic broke early Friday, with initial reports mentioning infestations in a handful of countries. Early interest focused on the UK's National Health Service, several of whose facilities suffered disruptions serious enough to send staff home, reroute ambulances and impede patient care. Another early infestation hit Spanish telco Telefonica, which took hasty and extensive emergency measures to contain WannaCry's spread. The number of affected countries rose steadily over the weekend until it reached presently reported levels of more than 150, which is close enough to "everywhere" as to make no difference.

Dave Bittner: [00:04:15:22] President Trump has directed Homeland Security Adviser Thomas Bossert to coordinate the US Government's response and organize the search for the responsible threat actors. In the United Kingdom, the National Cyber Security Centre is taking the lead, and late yesterday the Centre warned that the threat was by no means over:

Dave Bittner: [00:04:33:24] Microsoft took the unusual step of issuing patches for software that's beyond end-of-life and are no longer supported. The fixes covered Windows XP, Windows 8 and Server 2003. Microsoft characterized the decision as one taken with a view to protecting their customers' ecosystem. We'll have more on WannaCry and its implications later in the show, when we speak with the SANS Institute's Johannes Ullrich. In the meantime, there is some news out of cyberspace that's unrelated to the ransomware pandemic.

Dave Bittner: [00:05:03:05] Cylance reported Friday the discovery of Baijiu malware, which abuses a popular Japanese web hosting service and spreads through phishing. The phishbait is a subject line drawing upon sympathy for and interest in victims of a 2016 North Korean flood. Cylance researchers say Baijiu installs an espionage toolkit using the TYPHOON downloader through some backdoors Cylance calls LIONROCK. Baijiu is evasive and Cylance warns that, "Appropriating the GeoCities' free, high-bandwidth, civilian infrastructure also helps BAIJIU hide in plain sight and signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo’s GeoCities." The campaign appears to originate in East Asia but beyond that researchers are being circumspect concerning attribution.

Dave Bittner: [00:05:53:24] FireEye has warned of another ongoing cyberespionage effort, the activities of APT32, also known as OceanLotus. APT32 appears to be "aligned with Vietnam's government," and its targets include Vietnamese dissidents, foreign governments and foreign corporations.

Dave Bittner: [00:06:12:06] The late Osama bin Laden's son, Hamza bin Laden, is competing with ISIS for jihadist mindshare. The younger Bin Laden has taken to the Internet to advise those seeking martyrdom on how best to achieve it. The Qaeda leader's goal is inspiration. He's howling at the lone wolves out there online.

Dave Bittner: [00:06:31:16] Ukrainian soldiers are receiving hate message via SMS from an unknown but probably Russia-aligned actor exploiting vulnerabilities of 2G networks to man-in-the-middle attack. As the hybrid war in Eastern Ukraine continues, other nation's militaries are upgrading their own capabilities. Brazil's Army is standing up its Cyber Defense Command and the Israeli Defense Forces expect their Computer Service Directorate to be entrusted with both defense and counter-attack. In the United States, the Army sends a clear signal that it's serious about the tactical uses of cyberspace. It's integrating cyber operations into its premier training establishment, the National Training Center at Fort Irwin, California.

Dave Bittner: [00:07:13:14] Finally, in some good news on cyber law enforcement, there's a global dragnet underway against tech-support scammers. Seven men in Florida have already been scooped up and more arrests are expected soon.

Dave Bittner: [00:07:30:13] As our sponsors at E8 Security will tell you, bliss is not only knowing what's going on in your networks but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics. And they've willing to show you too, so go to for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack life cycle across your network, users and end points, even those often overlooked little things in the Internet of Things. The bad actors can spoof an identify, they can steal a credential but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at Don't let the data trees get in the way of seeing the risk forest. And enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:08:28:24] Joining me once again is Johannes Ullrich from SANS and also The Internet Storm Center StormCast podcast. So as we record this, it's mid-morning Monday. In terms of the WannaCry ransomware, where do things stand?

Johannes Ullrich: [00:08:41:22] Well, it really all started on Friday with this massive spread of this WannaCry worm. At this point, according to some of the online counters that track this particular infection, there are about 180,000 infected systems worldwide, pretty much any country is infected at this point. What really helped us on the weekend was that the malware actually checks if a very particular domain is reachable and it doesn't run if it's reachable and luckily that domain got registered relatively quickly towards the end of Friday and somewhat slowed down the spread of this particular malware.

Dave Bittner: [00:09:22:19] So are we seeing new variants hit the net this morning that can work around that limitation?

Johannes Ullrich: [00:09:28:18] Yeah, there are a couple of variants that were reported over the weekend that, for example, made subtle changes to that domain name but they didn't really spread as far as, or as fast as the original.

Dave Bittner: [00:09:41:03] And we've seen reports from a variety of anti-virus vendors saying that they're able to protect you against this?

Johannes Ullrich: [00:09:47:13] Yeah, anti-virus will help in hindsight, once they have the signature for it, of course and now some anti-virus vendors, they do have products that for example look for behavior like malware that encrypts files like this case. But really what we're talking about here are the vulnerable systems. These are systems that really escape sort of any basic cyber hygiene, that haven't been patched for whatever reason, that may even be running old versions of Windows. So it's very possible that they don't run any up to date anti-virus either.

Dave Bittner: [00:10:21:17] Yeah, we, we saw certainly over the weekend, Microsoft being critical of the government for, as they describe it, "stockpiling these sort of vulnerabilities." Any thoughts on Microsoft coming at NSA?

Johannes Ullrich: [00:10:34:15] Yeah, I can see where Microsoft is upset because they're really stuck with having to deal with the fallout here. They even released a patch for Windows XP on Friday, which was highly unusual given that Windows XP is now out of support for a couple of years. It would be nice if the government would have shared these particular vulnerabilities ahead of time. There is some indication that some sharing actually happened there, because the patch was actually released in March about a month before this particular vulnerability was made public by the Shadow Broker groups, so it's very possible that the government actually did share details about vulnerability before, or after it became evident that the vulnerability would have been made public.

Dave Bittner: [00:11:22:19] And I've heard other people make the argument that is it really the government's responsibility for Microsoft's quality assurance of their products?

Johannes Ullrich: [00:11:31:15] That's certainly true too but in general it is considered the responsibility of the security researcher to notify the vendor of vulnerabilities. Now, this is already a tricky issue here, given that the security researchers also put in quite a bit of work to find these vulnerabilities, so in some ways they should be rewarded for it, but bounty programs of course are a way to deal with this with security researchers. Not clear how this would work with government entities.

Dave Bittner: [00:12:01:14] And in terms of the bigger picture with the cryptowars, people are using this as ammunition saying that, you know, the government says, "trust us with your keys," this may be an example of ammunition to say, "Well, the government can't protect these zero days, why should we trust them with, with backdoors to encryption?"

Johannes Ullrich: [00:12:20:19] And that's exactly a good argument here, that these encryption backdoors will be leaked just like these exploits have been leaked in the past. So there's really no guarantee that the government is any good in sharing these kind of backdoor secrets.

Dave Bittner: [00:12:37:17] We heard this morning, former Secretary of Homeland Security Michael Chertoff was on NPR and he made an interesting point that countries like China who are being particularly hard hit, they may be getting hit due to the amount of pirated software that they run.

Johannes Ullrich: [00:12:51:12] That's probably true in some ways that they're not as good in patching software because they're somewhat afraid that the software will be turned off if they're patching because it is pirated. But these are also countries that often run just out of date systems, out of date hardware because they can't afford the latest, greatest hardware that runs Windows 7 or Windows 10. So that's also why you see more out of date systems and unpatched systems in these countries.

Dave Bittner: [00:13:20:24] And back to WannaCry, are people paying and are they getting their files back?

Johannes Ullrich: [00:13:25:14] There are some people paying. I haven't checked today yet but all weekend there were about 100 people that paid according to the Bitcoin blockchain. It's not clear if they're getting their files back. Now, the process is rather manual and convoluted. You first have to pay and then again, it's not really clear how much you have to pay because the exchange rate between US dollar and Bitcoin keeps changing. Then you have to actually contact the people behind this particular malware and have to tell that you paid and they will sort of manually issue you a recovery key. They post some business hours that are actually fairly limited during which you should contact them. Given all the pressure from law enforcement in this case, it's very possible that they'll actually disappear given that they didn't really make an awful lot of money in this case.

Dave Bittner: [00:14:20:11] Yeah, perhaps they bit off a little more than they could chew.

Johannes Ullrich: [00:14:22:21] Right.

Dave Bittner: [00:14:23:16] Johannes Ullrich, thanks as always for joining us.

Dave Bittner: [00:14:28:01] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.