The CyberWire Daily Podcast 5.17.17
Ep 351 | 5.17.17

Gothic Panda seems to have a government job. Not all extortion is ransomware (ask Disney). WannaCry update. The ShadowBrokers are back. So is WikiLeaks


Dave Bittner: [00:00:00:20] Before we begin, I want to give a quick shout out to everyone who's donated to our Patreon page. Thank you very much. You can learn more at

Dave Bittner: [00:00:13:14] APT3, also known as Gothic Panda, is fingered as an agent of China's Ministry of State Security. An unreleased Disney flick is held for ransom. WannaCry may be sloppy but it's still dangerous. OT has a harder time patching against WannaCry than IT does. The ShadowBrokers are back and still talking crocodile. How to be preemptive against phishing. And WikiLeaks releases more of Vault7.

Dave Bittner: [00:00:43:12] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:40:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 17th, 2017.

Dave Bittner: [00:01:44:12] The spread of the WannaCry ransom worm worldwide remains this week's leading story and we'll turn to it later in the podcast. For now, we'd like to cover other material that may have gotten lost in all the WannaCrying. Recorded Future announced this morning their conclusion that APT3 is being run on behalf of a Chinese government agency, the Ministry of State Security. APT3 is also known as Gothic Panda. There's a panda bear family out there that's no more related to Cozy Bear and Fancy Bear than raccoons are related to grizzlies or, for that matter, President Xi to President Putin.

Dave Bittner: [00:02:25:00] APT3 is generally held to have been responsible for Operation Clandestine Fox, Operation Clandestine Wolf and Double Tap. Clandestine Fox was a use-after-free exploit against Microsoft Internet Explorer discovered in April 2014 by FireEye. It was found in defense and financial services networks.

Dave Bittner: [00:02:46:03] Clandestine Wolf exploited an Adobe Flash zero-day. It was served up in phishing emails to targets in the aerospace and defense, construction and engineering, tech, telecommunications and transportation sectors.

Dave Bittner: [00:02:59:14] Double Tap, described by FireEye in November 2014, exploited multiple known vulnerabilities in Microsoft software, including remote code and privilege escalation bugs. It was distributed by spearphishing and showed a reliance on social engineering, as opposed to difficult-to-come-by zero-days.

Dave Bittner: [00:03:17:19] The common denominator in all three operations is, of course, espionage, and the list of Clandestine Wolf targets suggests that the espionage is in large measure economically motivated industrial espionage.

Dave Bittner: [00:03:30:17] Last week, on May 9th, tipsters, whose identity is unknown but who go by "intrusiontruth" said that APT3 was the work of Guangzhou Boyu Information Technology Company, also known as Boyusec for short. Recorded Future undertook an open source intelligence investigation of the organization and this morning announced they have high confidence that Boyusec is doing contract espionage, both traditional and economic, for China's Ministry of State Security.

Dave Bittner: [00:04:00:08] On Monday of this week, Disney's CEO, Bob Iger, told an employee town hall meeting that the entertainment giant was being shaken down by extortionists who threatened to release a stolen copy of a forthcoming Disney movie. The Hollywood Reporter said Iger characterized the demand as a huge sum in Bitcoin. Disney refused to pay and, true to their evil words, two digital copies of Pirates of the Caribbean: Dead Men Tell No Tales, turned up this morning on Pirate Bay, that gray market emporium for all sorts of things swiped, swapped or stolen. Dead Men Tell No Tales is slated for release this Friday. The files are thought to have been stolen from a post production vendor who was adding dialog to the movie.

Dave Bittner: [00:04:43:05] One of the hardest attack vectors to protect against is phishing. It's just human nature that a certain number of people, no matter how well trained, are going to click the link in the phishing email. Area 1 Security specializes in protection against phishing and they caught our eye with a system they describe as preemptive defense. Oren Falkowitz is CEO at Area 1 Security.

Oren Falkowitz: [00:05:03:15] We find statistically that, when attackers send simple, very unsophisticated plain phishing messages to organizations, if they send just ten there's a 90% success rate of one person opening the message, clicking on a link, downloading a file or entering their username and password.

Dave Bittner: [00:05:22:23] And so you're describing something that you refer to as preemptive cyber security. What does that mean?

Oren Falkowitz: [00:05:27:24] Statistically, today, in the cyber security industry, organizations learn about a year after they've been breached or had damage, that they've been a victim of a cyber incident which the root cause of was phishing. So the idea behind preemption is to take an action at a point in time where you can see a different outcome, where no data is lost, where no machines are impacted, where no networks are breached. And it turns out that there are also really good corollaries in life for this method and applying them to cyber security makes a lot of sense. So a good example of this would be a flu vaccination. You know, every year, there is an outbreak of the flu, there are new strains of it, but humans, people, right, they don't walk around in fear of someone coughing on them, they take a vaccination to protect themselves. And the same thing can apply in this space, where we identify proactively hundreds of thousands of phishing websites and other, you know, phishing attacks that go against organizations, that go against people and we can give them a vaccination before they cause damage.

Dave Bittner: [00:06:27:11] So, how does technology like this work? Are you analyzing links that people click on? What's the process?

Oren Falkowitz: [00:06:33:21] Attackers in the cyber security space have set up their phishing campaigns in a way that they exist before they get sent to users, before they get distributed. And so, what we focus on is creating technologies that, one, can identify and can learn what are those patterns of attack before they impact the user. And the second is technologies that take action on behalf of our users to vaccinate them in real time, to protect them, so that they don't have to think about it and they can go about their job without the worry of being coughed on.

Oren Falkowitz: [00:07:07:19] If an attacker was to send an email with a link to a website that looks like a commercial banking login, right, a website that looks like you're logging into your bank, well, I would just analyze the link and tell you that this is a malicious page, but you'd have to do that at such speed, right, that, you know, there's still some risk for damage. What we've done is that that website, before it can be sent to the user, before it can be embedded as a link in an email, that website has to exist and be accessible on the world wide web and part of our sensory technology is finding those sites before they are ever sent and so we're able to preempt them so users don't have to worry and we don't have to analyze them in the moment. We go ahead and find them before and that is the notion of preemption.

Dave Bittner: [00:07:50:23] That's Oren Falkowitz. He's from Area 1 Security.

Dave Bittner: [00:07:56:11] Returning to WannaCry, the ransomware campaign is so massive and unselective as to amount to a pandemic affecting old, unpatched, pirated or beyond end-of-life Windows systems. Their take has now risen above $70,000 in pay-off money but that's small change when contrasted with the number of victims. Their backend is essentially manual and the victim interface doesn't look up to snuff either. A few people have recovered access to their files by paying up but most experts are cautioning victims against taking that route. The criminal infrastructure is so dodgy that the odds won't be in your favor.

Dave Bittner: [00:08:33:22] The advice people are receiving is to patch their software and back up their files but for one important class of the affected systems, that advice may be less than helpful. We hear from industrial control systems security experts Joe Weiss of Applied Control Solutions and Eddie Habibi of PAS. They point out that many ICS are built on vulnerable versions of Windows but that those versions were all modified and adapted by the big industrial control system vendors to handle complex systems-of-systems that can't tolerate downtime. Patches must be thoroughly tested for unintended consequences before they're applied to industrial systems and thus such systems have a patch cycle inherently longer than the ones you may be accustomed to for the business software on your office's laptops. So if you're one of the suits at a highly automated manufacturing plant or utility, go easy on your sysadmins. They're not being lazy or negligent, it's just that patching is a far tougher challenge in their world than it is elsewhere.

Dave Bittner: [00:09:34:23] The ShadowBrokers are back and talking. Their leak of the EternalBlue exploits enabled the WannaCry pandemic. The Brokers continue their implausible charade of monetizing exploits, allegedly stolen from NSA, while simultaneously saying they're really in it for the glory of facing off against a worthy opponent, that is, those Professor Moriarties, those Jokers, those, those Doctor Dooms of the Equation Group.

Dave Bittner: [00:09:59:06] The ShadowBrokers said yesterday they'd taken the month of May off to watch WannaCry and "Your Fired", that is, l'affaire Comey, but they promise to be back in a big way in June, when they say they'll launch a monthly leak subscription service.

Dave Bittner: [00:10:15:16] Finally, WikiLeaks has dumped another set of Vault7 documents. These purport to originate with the CIA. Some of them are said to describe methods of impeding PowerPoint and degrading the quality of presentations composed in the popular presentation software. The wording in the documents suggests the authors think PowerPoint users have it coming. Should we take this to mean that Langley is full of Edward Tufte disciples? Maybe not.

Dave Bittner: [00:10:46:03] As our sponsors at E8 Security will tell you, bliss is not only knowing what's going on in your networks but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics and they're willing to show you too. So go to for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack lifecycle across your network, users and end points, even those often-overlooked little things in the Internet of Things. The bad actors can spoof an identity, they can steal a credential but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at Don't let the data trees get in the way of seeing the risk forest and enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:58:00] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the Director of the Hume Center for National Security and Technology at Virginia Tech. We wanted to talk today about the Vault7 and the ShadowBrokers' releases of information and really you wanted to contrast the two of them?

Dr. Charles Clancy: [00:11:51:20] I did. I think it's important to understand, when you hear about all these leaks of cyber capabilities, from now both NSA and CIA, that there is a difference between leaking tactics, techniques and procedures, or so-called TTPs, versus the actual tools themselves, the actual code behind zero-day exploits, for example. So if you look at a lot of the data that's been released so far, particularly in the Vault7 leaks, it's been mostly documents, PowerPoint, that really talk about how the CIA does what it does and based on that, some security companies have been able to fingerprint certain TTPs and attribute, with some degree of confidence, a wide range of hacks across the world to the Vault7 TTPs.

Dr. Charles Clancy: [00:12:49:03] ShadowBrokers, on the other hand, is more than that. It includes a lot more of the source code, which is-- has an even greater devastating impact because now you're not just fingerprinting attacks and building defenses against the techniques and procedures that are being used, but you actually can build sort of malware, specific malware identifiers and hashes that can be used to detect and block the actual exploits themselves.

Dr. Charles Clancy: [00:13:14:11] So there's a lot of debate ongoing right now as to the total impact. I think the folks that are in the trenches in the intelligence agencies who are working these problems would claim that there is a huge impact to national security as a result, collectively, of these leaks. But, at the same time, there are plenty of unpatched computer systems out in the world and there is lots of opportunity to be had just doing basic, run-of-the-mill phishing attacks against unpatched Windows computers, which remains the largest threat surface that hackers, whether you're part of an intelligence agency or organized crime, leverage today.

Dave Bittner: [00:13:48:18] While these releases of information are certainly interesting and damaging, you know, sometimes the old-fashioned ways are the easiest ways in.

Dr. Charles Clancy: [00:13:56:20] Indeed. So for those that are looking to have a good defense against these sorts of things, please, just keep your software up to date, have antivirus installed and basic cyber hygiene will win out most of the time.

Dave Bittner: [00:14:11:13] Alright. Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:14:16:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit And, of course, you can show your support for the CyberWire by supporting us on Patreon. Visit to find out about how to become a contributor and all of the benefits we've put together for those who give.

Dave Bittner: [00:14:40:07] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.