The CyberWire Daily Podcast 5.31.17
Ep 360 | 5.31.17

Exploit-of-the-month club open for business. Disinformation technology. Lazarus Group tied to North Korean intelligence (again). Extortion is big, but carding is still with us. Spammy apps in Google Play.


Dave Bittner: [00:00:00:00] If our podcast is an important part of your day, we hope you'll consider supporting us on Patreon. Visit to find out how.

Dave Bittner: [00:00:11:23] The ShadowBrokers open their exploit-of-the-month club at the low, low price of $22,000 in Zcash. Group-IB finds more evidence that the Lazarus Group is a North Korean intelligence unit. Extortion, both real and bluffing, grows in underworld popularity, but carders are still with us, alas. President Macron tells President Putin everyone's on to his use of Russia Today and Sputnik News for disinformation. And if you're a regular Joe or Jane looking for some Android action, take this advice straight from the shoulder: steer clear of Star Hop and Candy Link.

Dave Bittner: [00:00:49:11] And now for something you'll really like, some research from our sponsor Cylance on Snake Wine, a modest little vintage, but you'll be amused by its pretension and grossed out by the viper curled up in the bottle. But seriously, in this case Snake Wine is an APT campaign Cylance has found prospecting Japanese victims. Attribution is as interesting as it is unclear. It looks like APT28 in some ways, but not others. Whether it's the Russians, the PLA or someone else entirely, Snake Wine is served by phishing and seems likely to be used in disinformation efforts. You don't need to know who done it to get protected. Visit the spotlight piece on Snake Wine at Lay off that venom, denatured or not. Once again to learn more visit And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:47:13] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 31st, 2017.

Dave Bittner: [00:01:57:17] The ShadowBrokers have released more details of their exploit-of-the-month club. It will cost you about $22,000 per month to join. The club, say the Brokers, whose identity remains at least publicly unknown, "is being for high rollers, hackers, security companies, OEMs and governments."

Dave Bittner: [00:02:17:08] Symantec and others have linked WannaCry to North Korea by its evident connection to the Lazarus Group. Skepticism about that attribution has been based in part on doubt that the Lazarus Group really is a tool of DPRK intelligence services. Researchers at Group-IB, a Russian security firm with offices in Moscow and New York, have published the results of their investigation into the Lazarus Group. They conclude that, yes indeed, the Lazarus Group is in fact an agent of the North Korean government.

Dave Bittner: [00:02:46:10] Group-IB looked at evidence found in the threat actor's command-and-control infrastructure. The Lazarus Group's attacks used three layers of IP addresses, and Group-IB succeeded in identifying the two addresses at the bottom of the campaigns against Sony and Bangladesh Bank. The first address is assigned to China Netcom, a Chinese company. Group-IB researchers, however, claim they have unconfirmed reports that this address was assigned to North Korea on an interim basis. About the second address they have few doubts. As the researchers express it in their reports, " refers to a North Korean Internet service provider. The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where the National Defense Commission is located, the highest military body in North Korea."

Dave Bittner: [00:03:40:04] That's consistent with earlier Intelligence Community conclusions that the Lazarus Group is in fact simply Bureau 121 of the DPRK's Reconnaissance General Bureau. BAE Systems had on other grounds reached the same conclusion in February. It's noteworthy that the Group-IB's attribution doesn't depend upon discerning similarities in attack code. The researchers find the Russian-language snippets in the code to be bad Russian, and suggest the North Koreans put them there as intentional misdirection.

Dave Bittner: [00:04:09:22] This latest research simply ties the Lazarus Group more closely to North Korea. To attribute WannaCry to the Lazarus Group, as Symantec, Kaspersky, and others have done, is, while compelling, still circumstantial. New York-based security firm Flashpoint has noted, without insisting too much on the point, that the code used in the WannaCry campaign points to some fluency in Chinese, but also to broken Korean. There is, of course, as Flashpoint notes, a large Chinese diaspora, and it's possible to achieve fluency in a non-native language. Anyone who read Lord Jim in high school will recall that Joseph Conrad came late in life to English from his native Polish, and he seemed to do just fine. It's also possible to deliberately botch a language in which you're fluent. We is being looking at you ShadowBrokers and is thinking you is been doing that same thing to high rollers and OEMs. Sorry, our editorial staff insists on showing off their near-native proficiency in ShadowBroker English.

Dave Bittner: [00:05:08:07] Moving on, NIST, the National Institute of Standards and Technology, recently issued a call for revisions to its cybersecurity framework. Ely Kahn is co-founder of the threat hunting company Sqrrl, and he checked in with us for an overview of the framework.

Ely Kahn: [00:05:24:14] The NIST risk management framework is, in my opinion, one of the more exciting things happening inside government today. It is becoming the de facto standard. For not only how the government, but industry as a whole manages cybersecurity risks. So there's been lots of frameworks developed over the time. NIST 800-53 has been sort of one of the primary documents around security controls. But those were really just lists of security controls. And missing sort of the risk framework to wrap around them, that is really designed to help an executive think about how they want to manage cyber risks as a whole. So what are the risks that they're willing to accept. What are their overall risk levels that they want to push off to insurance type of controls, and then ultimately what is the risk tolerance levels.

Dave Bittner: [00:06:14:19] How does this framework play into the recently released presidential executive order on cybersecurity?

Ely Kahn: [00:06:20:16] So it's actually at the core of it, the executive order calls for every government agency to adopt the risk management framework as their central way for managing risk within their organization. Now it's not overly prescriptive, it's not saying exactly how each agency needs to implement that risk management framework. But it does say it must adopt it. But then going through a process that looks at those inherent risk levels and then very thoroughly decides you know, what are the risk controls that it should adopt, based on its inherent risk levels. And ultimately, you know, what are the risks that it's willing to accept, which would be the delta between its inherent risks and the controls that it adopts.

Dave Bittner: [00:07:04:20] And what kinds of comments and suggestions are being submitted in terms of the framework?

Ely Kahn: [00:07:10:12] There's been a lot of different comments and suggestions, a lot of them around further defining how to decide what risk controls are appropriate for certain risk levels. And also comments on you know maybe some specific risk controls that weren't flagged in the risk management framework that should be identified. But from our perspective there are some categories of controls that should have been included that weren't.

Dave Bittner: [00:07:37:03] For example?

Ely Kahn: [00:07:37:23] Certainly one that we're quite focused on is this idea of threat hunting. And the risk management framework, you know, specifically calls out automated detection processes as being important controls. But misses the idea of threat hunting and more human-driven detection processes. We see threat hunting as a human-driven, iterative approach to detect cyber threats that have evaded detection by other defenses. Really it evades detection by your automated defenses. And what we're advocating for is to be explicit in that you can't rely just on automated detection. You just can't rely on your automated rules and your SIEM, or your other sensors. You need these human-driven processes also to proactively look for threats that have evaded detection from your automated defenses.

Dave Bittner: [00:08:30:24] That's Ely Kahn from Sqrrl.

Dave Bittner: [00:08:33:24] Criminals are increasingly turning to extortion, both crypto ransomware and traditional blackmail. Sometimes the blackmail is a bluff, as Disney claims was the case in the Pirates of the Caribbean extortion attempt. Hackers did not, CEO Iger says, get into Disney's servers; they were simply trying to hustle Team Mouse into paying up. Other blackmail is unfortunately quite real, as is the case with a threat to post before and after pictures of a Lithuanian plastic surgery clinic's patients.

Dave Bittner: [00:09:05:01] Older forms of commodity crime are still with us too. Chipotle this week disclosed that it sustained a breach in its point-of-sale systems that affected most locations in North America. Customer paycard information is said to be at risk.

Dave Bittner: [00:09:20:12] French President Macron is disinclined to let Russian information operations pass unremarked. In a joint news conference held Monday with Russia's President Putin, he called out Russian attempts to influence elections, specifically citing Russia Today and Sputnik as agents of influence, spreading disinformation. The two presidents' dialog was characterized as frank and sincere, which we take to be diplomatic language for "see you at knifepoint" and "I'm gonna get you sucker."

Dave Bittner: [00:09:49:06] And finally there are other issues in Google's walled garden. Android users shopping for diversion in Google Play should avoid Star Hop and Candy Link. Both apps are serving spam. And lest you be confused by the ambiguities of the word spam, we mean the bad kind of spam, all these tiresome heckling messages that cumber your device, and not the tasty Hormel confection made of pork with ham, salt, water, potato starch, sugar and sodium nitrite. Now if we could find an app that served that kind of Spam, we'd be all over it. As would every other person of taste and discernment. And with that we conclude our special linguistic and gastronomic edition of the CyberWire Podcast.

Dave Bittner: [00:10:36:12] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyses the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future Cyber Daily, and if it helps us, we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:29:20] And I'm pleased to be joined today by Justin Harvey, he's the global incident response leader at Accenture. Justin welcome back to the show. We wanted to talk today about using offensive capabilities to test security. This whole notion of red teaming, but why don't we start off with that? Tell us, what do we mean when we're talking about red teaming?

Justin Harvey: [00:11:48:18] Well, red teaming has actually been an evolution or an evolutionary process. Years ago organizations really wanted to know if we have vulnerabilities in our networks and in our systems. And that's really where vulnerability management and vulnerability scanning came in. There was a need to see, well, can any of these actually be exploited? We know we have vulnerabilities, but can those be exploited to show an effect? And that was what we would call penetration testing. And then red teaming came along, and red teaming is a little bit more evolved than penetration testing in the sense that, can you string along a few of these exploits against vulnerabilities on systems or networks in order to accomplish a mission. The next step after red teaming is adversary simulation which is, can you utilize these exploits against known vulnerabilities in your network and the system in order to accomplish a mission that would, and then the punchline is, "In order to override a business process and in order to impact a business critical function."

Dave Bittner: [00:13:02:15] So I'm an organization and I want to set up a red team to test my own defensive capabilities, how do I go about doing that?

Justin Harvey: [00:13:10:03] That's a great question. In my opinion, it should really be after you've got a strong blue capability. Blue is the opposite of red in the security world, which is strong security operations. You've got a SIEM in place, you're doing log management, you have great use cases, great threat intelligence, and you think that you've got that nailed pretty well. The red team is really there to provide the blue team a sparring partner. And the blue team is looking day to day at logs, they're going through analysis, they're looking at the events and the alerts, and it gets to be quite tiresome. And when you have a red team, this is a funny term, a friendly adversary, someone who you know isn't going to wreck your systems, or to create an unavailability issue, or steal your data. It really gives you a sparring partner to draw some great conclusions, and see how your blue team would really react during an investigation, or during an attack.

Dave Bittner: [00:14:08:20] Alright interesting stuff, Justin Harvey, thanks for joining us.

Dave Bittner: [00:14:14:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.