The CyberWire Daily Podcast 5.25.17
Ep 357 | 5.25.17

Worm alert. Stumblebums or masterminds? Widia commodity ransomware in its early stages. Taking the fight to ISIS in cyberspace.


Dave Bittner: [00:00:01:05] A big thank you to all of our supporters on Patreon - you can find out more at

Dave Bittner: [00:00:10:11] A vulnerability in widely-used networking software leaves it open to a worm infestation. Were the WannaCry hackers annoying stumblebums, or are there deeper games afoot? Help desk scammers say they'll rid you of ransomware - they won't. Researchers watch "Widia," commodity ransomware that's still an early stage work-in-progress. The Manchester terrorist looks more like a known wolf than a lone wolf. And US Cyber Command would like ISIS to know that they're in the Fort's crosshairs.

Dave Bittner: [00:00:43:13] Time to tell you about our sponsor, Recorded Future. You've heard of Recorded Future - they're the real-time threat intelligence company. Their patented technology continuously analyses the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily - they do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization.

Dave Bittner: [00:01:06:20] Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:47:15] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, May 25th, 2017.

Dave Bittner: [00:01:57:14] WannaCry was notable for being a "ransomworm." The US Department of Homeland Security warned that a vulnerability in Samba, the free Linux and Unix networking software, leaves it susceptible to similar worm infestations. According to researchers at Rapid7, there were no signs of exploitation in the wild, at least in the first twenty-four hours after discovery and disclosure.

Dave Bittner: [00:02:20:11] The precise scope of the threat posed by EternalBlue and EternalRocks remains unsettled, but there is widespread concern that active exploitation may be taking more disturbing forms than the stumblebum extortion of the first WannaCry wave.

Dave Bittner: [00:02:34:09] Symantec's attribution of the WannaCry attacks to North Korea is being picked up by other observers, with some dissenting voices being raised. The dissent is founded largely on grounds of a priori caution, attribution of this kind being necessarily circumstantial, but they also cite evidence in the code pointing to the possibility that the Lazarus Group's spoor Symantec followed was the result of some unknown third-party copying earlier malware. The mixed nature of the attack also baffles some: were the attackers stumblebums who copied malware ineptly and simply delivered it via the slick EternalBlue exploit they got courtesy of the ShadowBrokers, or were they playing some deeper game?

Dave Bittner: [00:03:15:13] We've seen suggestions of a deeper game exploiting EternalBlue and EternalRocks in other sources, including Croatia's CERT and security companies like Sedco, Forcepoint, Cyphort, and Cyber Detection Services, and the story will clearly continue to develop over the coming weeks.

Dave Bittner: [00:03:32:22] The argument in favor of North Korean stumblebums would be consistent with a vast, loose effort that wasn't prepared to take in all the cash a campaign of that size could have been expected to generate. That the overt goal of WannaCry was financial is also consistent with a North Korean origin: Pyongyang is cash-strapped, especially now that sanctions imposed by China, formerly the DPRK's main trading partner, have begun to bite harder. On the other hand, there are plenty of warnings that North Korea's hackers are dangerous and capable, so perhaps the extortion is just misdirection. In any case, Symantec is fairly confident they've got the attribution right.

Dave Bittner: [00:04:12:10] A variant of the familiar help-desk scam is taking advantage of widespread public concerns over WannaCry. The scammers call, tell you you're infected, then offer to "take over your machine" to fix the infection. The UK's Action Fraud Center sounded the alert, but it's reasonable to expect this approach wherever the help-desk scam flourishes.

Dave Bittner: [00:04:32:21] SentinelOne reports a new ransomware strain, "Widia," interesting in that it looks like early-stage commodity-level crimeware. Widia asks for a credit card payment as opposed to customary Bitcoin, but it seems more scareware than true crypto ransomware. It throws up a screen that says your files are encrypted, but actually they're not. SentinelOne thinks the authors will eventually add the malicious encryption they now lack. It's early, so stay tuned and stay alert.

Dave Bittner: [00:05:01:08] It's also worth noting that the incident shows there's no obvious and unavoidable relationship between cryptocurrencies and cybercrime. Bitcoin in particular, and Blockchain technologies more generally, represent efficient ways of transferring funds, but they're by no means uniquely associated with criminal elements, and they're fast on their way into the economic mainstream.

Dave Bittner: [00:05:23:10] While WannaCry was a ransomworm, the most common vector for a ransomware infection continues to be phishing. A recently released survey of enterprise security leaders by the magazine Computing suggests that ransomware is among the likeliest attacks to get through corporate defenses.

Dave Bittner: [00:05:40:12] There's no question that cybersecurity has earned attention in the boardroom, but attention doesn't always mean alignment. Yong-Gon Chon is CEO of Focal Point Data Risk, and they recently released a cyber balance sheet report, which takes a closer look at the breakdowns between board members and their security teams.

Yong-Gon Chon: [00:05:58:20] Some of the key findings in the report really show a lack of alignment between what board members and security leaders actually view as the value of cybersecurity programs. For instance, security leaders really see their role as providing security guidance, or as a business enabler, and the reaction to that from a board member is that that's really more aspirational, and that security's job is to protect our organization and our assets from liability associated with data breaches. So board members see security's role as data protection, and helping the organization to manage risk.

Dave Bittner: [00:06:41:15] And so what do you think is driving that disconnect?

Yong-Gon Chon: [00:06:44:22] I think there are several factors that drive that disconnect. I think the first thing really talks to the communication barrier. Within the cyber industry, there's a lot of emphasis on jargon. We talk about things like "data exfiltration" instead of just calling theft "theft". We talk about things like "zero days", we talk about "exploits and vulnerabilities" instead of saying, "These are errors," and "These are bugs," and "These are mistakes." And I think that emphasis on jargon doesn't allow board members to embrace the communication and build the right types of trust and confidence, because board members are accustomed to speaking the language of business, and that language of business is very much cemented in financial terms, and enterprise risk terms.

Yong-Gon Chon: [00:07:35:20] Board members have had 13 years to get acclimated to audit terms as a result of Sarbanes Oxley, so they think about things in terms of materiality, and material weakness, or controlled efficiencies, and because of that language barrier, we see it as a key factor in showing that disparity.

Dave Bittner: [00:07:56:22] so which side do you think has to make the adjustment? Is this a matter of the IT folks having to learn to speak the language of the board, or the board having to learn the language of IT, or is it meet somewhere in the middle?

Yong-Gon Chon: [00:08:09:18] I think it's meet somewhere in the middle, but I do believe there is more effort that needs to be applied from the security leader's side. When a board member looks at a security status report that's being presented to them, they want to see things that represent a relationship to the business, and so if the cybersecurity function doesn't show how it supports the business making money, that's a real challenge. So the security leader needs to be able to translate a lot of these concepts in such a way that helps them build trust.

Dave Bittner: [00:08:49:08] That's Yong-Gon Chon from Focal Point Data Risk.

Dave Bittner: [00:08:54:23] As members of Manchester suicide bomber Salman Abedi's network are rolled up in counter-terror operations - and the six arrests so far include his father and a brother - he looks less than ever a true lone wolf, inspired but not controlled by ISIS. Unfortunately, he may also have been a known wolf. Investigation into the Manchester bomber's radicalization suggests his family warned the authorities, and Abedi's brother had, according to NBC News, been under surveillance as a possible terrorist in Libya for some months before his arrest. There are also reports that suggests members of Abedi's family were concerned about his radicalization and brought that to the authorities' attention.

Dave Bittner: [00:09:36:19] Testimony before the US Congress this week offered a glimpse, albeit through a glass and darkly, of the US military's cyber offensive against ISIS. The organization conducting it, "Joint Task Force Ares," was established by USCYBERCOM's commander, Admiral Rogers. It's led by Lieutenant General Paul Nakasone, commanding general of US Army Cyber Command, and it operates in support of USCENTCOM, the American combatant command operating in the Middle East.

Dave Bittner: [00:10:05:07] Understandably they won't provide much in the way of details, but Admiral Rogers summed up the Task Force's operations this way: “We have been very public and acknowledged the fact that we’re using cyber offensively against ISIS not just because we want ISIS to know that we’re contesting them, but because quite frankly we also think it’s in our best interest for others to have a level of awareness that we are investing in capability and we are employing it – within a legal, law of armed conflict framework, not indiscriminately."

Dave Bittner: [00:10:35:23] Good hunting, Joint Task Force Ares.

Dave Bittner: [00:10:42:20] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence - unless, maybe, it's machine learning. But it's not always easy to know what these could mean for you. Go to and see what AI and machine learning can do for your organization's security.

Dave Bittner: [00:11:03:04] In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable, and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it, so visit, and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:39:10] And I'm pleased to be joined once again by Ben Yelin - he's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. I had a story come by from Ars Technica, it was about the Supreme Court being asked to rule if cops need a warrant for cell site data. What's going on here?

Ben Yelin: [00:11:57:01] So one of the newest tactics for law enforcement across this country is to glean information from cell site data. So sell-site data can reveal at least which cell tower a person was closest to if you're trying to figure out whether a potential criminal was at a particular location at a particular time; it can provide that information. Of course, this implicates the Fourth Amendment's span on unreasonable search and seizures.

Ben Yelin: [00:12:24:02] Up until now, lower courts have held for the most part that the collection of cell site towers, that's done without a warrant, is indeed constitutional - and the constitutional basis for these decisions comes from a 1979 case called Smith v. Maryland. That case held that if a person voluntarily submits information to a third party, basically some sort of business record - so in that case they were talking about a person's landline phone calls, which we would now consider metadata: what time the call was made, the number that made the call, the number that received the call.

Ben Yelin: [00:12:57:20] Since you are voluntarily giving that information to a third party, you lose your reasonable expectation of privacy, and thus a warrant is not required, and lower courts have held that the collection of cell site information is analogous. You should at least be aware that when you're making a call from your cell phone, you are submitting location data to your cellular service provider, and once you do that, you've lost the expectation that they are not going to share that information with law enforcement.

Ben Yelin: [00:13:29:02] So far, the Supreme Court has had chances to review cases on this subject, and they have turned all of those opportunities down. There is the sort of informal rule of four, that if four of the nine justices choose to take a case then the case will be heard in front of the Supreme Court. We'll have see - there are currently five outstanding cases across the country, based on the warrant list collection of cell site data, so it seemed like the time is ripe to clarify this issue, especially since our laws, and the doctrine from Smith v. Maryland, the third-party doctrine is potentially outdated in our digital world.

Dave Bittner: [00:14:08:15] All right, we'll keep an eye on it. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:13:21] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:14:31:09] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thank you for listening.