The CyberWire Daily Podcast 6.15.17
Ep 371 | 6.15.17

Hidden Cobra strikes from Pyongyang. Microsoft patches last of ShadowBrokers' leaked exploits. Sanctions coming over Russian election influence operations. Electrical and natural gas sectors brace for CrashOverride.


Dave Bittner: [00:00:00:17] A big thanks to all of our Patreon supporters. Come on, you can do it, too, all the cool kids are doing it.

Dave Bittner: [00:00:11:08] The FBI and the Department of Homeland Security warn that Hidden Cobra is actively pursuing DDoS campaigns. Microsoft patches the remaining ShadowBrokers' exploits, even in deprecated systems. The US Congress votes to sanction Russia for election influence operations. Electrical and natural gas sectors work to protect themselves against CrashOverride. Mergers and acquisitions seem to be followed by layoffs. Hexadite is said to be the latest case.

Dave Bittner: [00:00:42:20] Time to share some research from our sponsor Cylance. WannaCry ransomware is still out there, even as people patch their systems against it. But we can rest assured that there will be more campaigns like it. Our sponsor Cylance has released the results of their own study of WannaCry and its highly modular structure, dropper, worm payload, ransomware service, ransomware payload, user interface, RDP process injection utility, file deletion utility into a client bundle. Phew. As crimeware gets re-used, you can expect to see these pop up elsewhere. So stay alert. Or, better yet, let Cylance's artificial intelligence see and stop attacks before they can execute. Visit and see what they've got to say about WannaCry. That's for a look at what AI can help you see coming the next time. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:42:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 15th, 2017.

Dave Bittner: [00:01:52:06] The US FBI and Department of Homeland Security warn that North Korea's government is responsible for a botnet being called "Hidden Cobra" that's been making trouble for some time. Believed to be connected to that well-known threat actor the Lazarus Group, Hidden Cobra used DeltaCharlie malware to herd botnets for distributed denial-of-service attacks against media, aerospace, infrastructure and financial targets.

Dave Bittner: [00:02:17:06] US businesses appear to have received the most attention, but Hidden Cobra's hood is thought to cover the globe. Kaspersky Lab, in a comment on US-CERT's warning, says that the tools mentioned in the technical advisory have been observed in the wild in some 26 countries, including, in addition to the US, France, Brazil and Russia.

Dave Bittner: [00:02:36:24] As was the case with the WannaCry threat actors, who've also been connected, although with less consensus, to the Lazarus Group and the North Korean regime, Hidden Cobra shows a strong preference for beyond-end-of-life and unpatched Microsoft Windows instances.

Dave Bittner: [00:02:51:03] Recognizing the magnitude of this problem, Microsoft this week has taken the unusual step of issuing patches for retired Windows versions. The exploits addressed, the last of those leaked by the ShadowBrokers, include ExplodingCan, which targets old versions of the Internet Information Services webserver to permit remote code execution, EsteemAudit, a flaw in Windows Remote Desktop Protocol and EnglishmanDentist, which permits remote code execution in Object Linking and Embedding.

Dave Bittner: [00:03:21:17] Redmond says it's decided to patch because of the unusually elevated threat of state-actors using exploits in the wild the ShadowBrokers leaked in April. It's warned users not to expect patching of deprecated systems to become the norm. Indeed, some observers have criticized Microsoft's decision as likelier to prolong the agony than to ameliorate the problem.

Dave Bittner: [00:03:43:14] The US Congress has voted overwhelmingly to sanction Russia over its probing of US electoral machinery. Other recent sanctions have addressed Russian incursions into Ukraine. Sanctions are now being leveled in response to election influence operations.

Dave Bittner: [00:03:59:03] Those operations have been shown recently to have been more extensive and persistent than hitherto believed. Most of the Russian activity, beyond the now well-known doxing of the Democratic Party and Clinton presidential campaign, seem to have concentrated on accessing voter registration data. Those data were put to use in eleventh-hour spearphishing campaigns and also in some preliminary attempts at altering voter information in state databases.

Dave Bittner: [00:04:25:21] There's much understandable dudgeon in Congress over Russian influence operations and for all the furor one might be forgiven for concluding that this is something new. In fact it's not. Historians and security experts point out that such activities, both black propaganda and election influence operations, are nothing new. The website War on the Rocks, for one, usefully traces their history back eight decades. The publication tells a story more lurid than the most overheated conspiracy theories today, whether left or right, have imagined.

Dave Bittner: [00:04:56:14] From roughly 1937 on, US Representative Samuel Dickstein was on the payroll of the NKVD, the Stalin-era's ancestor of the KGB and now, of course, the FSB. Dickstein, Democrat of New York, was the founding co-chair of, wait for it, the House Un-American Activities Committee, later famous as the young Representative Richard Nixon's launching point to national prominence. Representative Dickstein not only served as an agent of influence but he also assisted NKVD illegals in obtaining passports and other materials necessary to their free operation in the United States. His successes were limited largely on the Soviet side. His NKVD handlers were on several occasions purged and shot.

Dave Bittner: [00:05:42:16] What is new today is the enabling role the Internet now plays in rapid dissemination of unfiltered fish stories and in opening up many new access points to information that up through the first two-thirds of the 20th century would have required a black-bag job to obtain.

Dave Bittner: [00:06:00:06] A special Congressional election in the US state of Georgia draws attention to voting system security weaknesses and Georgia is unlikely to be alone. The special election, which concludes June 20th, is being watched closely as an index of the general vulnerability of US election systems.

Dave Bittner: [00:06:18:10] If you're in IT, chances are you've got coworkers coming to you from time to time to ask for your help with their personal devices, their laptops or mobile devices. FireMon recently conducted a survey of 350 security IT pros and found that 83% of them regularly help coworkers with personal computer problems. And 80% of them say it takes more than an hour per week. That adds up. Michael Callahan is chief marketing officer at FireMon.

Michael Callahan: [00:06:46:05] What we thought people were going to say was they were spending almost all of their time just firefighting, right? And-- which a lot of them were, just to keep up with the latest risk or the latest threat or incident or whatever it was. What we found was that they were saying quite a bit of their time was actually spent helping out their colleagues' personal IT issues, so their laptops, their phones, their tablets, which was surprising to us.

Dave Bittner: [00:07:11:08] So I can imagine many of our users who work in IT furiously nodding their heads in agreement at the notion that, that they get, they get, you know, commonly asked to help coworkers with their personal devices. I'm curious because, you know, it strikes me that, that this is sort of part of the politics of everyday office life. You know, if the head of HR comes to me and says, "Hey, I'm having trouble with my phone, or, you know, I can't figure out how to save this file on my laptop," I can't imagine someone just sort of shuffling that person away and saying, "No, I don't have time for you."

Michael Callahan: [00:07:46:08] I think that's true. You can't just say no because at some level it does impact the business, even though it's their personal devices. So, even if, like, the IT wasn't helping, then the person is going to probably try to self-help which takes away from their time to focus on their normal job because they're trying to download a patch or unfreeze something or whatever.

Michael Callahan: [00:08:05:05] So it is a little bit just of the daily politics. Over 80% of the IT people said that they, they were being asked to help fix things, personal things of their colleagues. So, it wasn't like 5% or 10%. It was almost everyone, right? So, it wasn't 100%, but it was 80%. About the same amount, 80% of them, said of that group, said it takes more than an hour a week. So that the impact is actually not immaterial across an organization.

Dave Bittner: [00:08:31:11] If this is a reality and, you know, for non-technical reasons it would be hard to shut down this sort of things, what, what are your suggestions for how organizations can deal with it?

Michael Callahan: [00:08:43:16] I don't think it's going away, right? To what you just said, you can't just say “sorry” and close your door. So I think there's another-- another approach that has to happen is there is going to be an amount of time that people will need to devote to this. There's a couple of things that the IT teams could do. They could have particular office hours where they open themselves up, so at least it's a little more contained. Although the downside of that is computers don't break between, you know, nine and ten in the morning. It's, it's at varying times.

Michael Callahan: [00:09:12:21] But you could possibly consolidate some of the requests. Could you do things to free up more time so that the IT staff wasn't as stressed out? So when they're trying to manage the security infrastructure, give them tools that helps them automate that. So give them the tool so that they're able to manage some of the more business-related stuff maybe a little more effectively.

Dave Bittner: [00:09:32:16] That's Michael Callahan from FireMon.

Dave Bittner: [00:09:36:12] CrashOverride malware is receiving close attention at high levels of government and industry. Dragos analyzed CrashOverride from samples obtained during investigation of last winter's Ukrainian power grid hack. Related sectors are watching the electrical industry's response closely. DNG-ISAC and others suspect the malware may have implications for the natural gas industry as well. DNG-ISAC, the security information organization of the Downstream Natural Gas sector, is working closely with their counterparts in the electrical power sector to develop an effective response to CrashOverride.

Dave Bittner: [00:10:12:06] Bitfinex, the world's largest Bitcoin exchange, began experiencing DDoS attacks Tuesday. They continued through yesterday and the exchange seems not yet to have fully recovered.

Dave Bittner: [00:10:23:24] In industry news, Microsoft confirmed last week that it was buying Hexadite. VentureBeat reports that Hexadite laid off most of its US-based workforce on the day of the announcement.

Dave Bittner: [00:10:35:17] And finally, to return to our earlier notes about the long-standing Russian policy of seeking to influence US politics, we should note in the interest of clarity and historical accuracy that Richard Nixon was never identified as a paid Soviet agent. Whatever Mr. Nixon's dog Checkers' provenance may have been, it almost surely wasn't Moscow Central.

Dave Bittner: [00:11:01:07] Time for a message for our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future capture crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP activities.

Dave Bittner: [00:11:50:18] Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:12:11:16] Joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, you know, we hear about these high-profile attacks but you want to make the point that maybe those aren't the things that in day to day operations people need to be focused on.

Emily Wilson: [00:12:27:13] Absolutely. I think, you know, we hear about attacks whether it's something like Yahoo!, or LinkedIn or Ashley Madison or TalkTalk, you know, depending on your industry and what you're interested in. We hear about these breaches and that's great. And, you know, these are-- I think the press that we see around these can help to drive conversations about security and privacy as a whole. But I think it creates this sort of misconception that breaches happen to big companies and only to big companies or that you only need to worry about the breaches that happen to big companies. And I think that really draws attention away from the fact that most of the data that I, at least, see all day every day isn't coming from the Yahoos of the world. It's coming from, you know, the place you get your car serviced or, you know, the dentist that you see.

Dave Bittner: [00:13:21:22] So it's-- I mean, an analogy would be how people are worried about, you know, an airplane crashing when they're-- you're more likely to get run over by a car crossing the street.

Emily Wilson: [00:13:30:12] Absolutely. And I'm not saying we shouldn't make our planes safer but you should also look both ways before you cross and you should make sure that your brakes are working.

Dave Bittner: [00:13:39:00] So, when we see all these stories about zero days, maybe that's not what we should be chasing after.

Emily Wilson: [00:13:45:07] Yeah. I think in the same way that it's not the best use of energy or resources to focus only on big breaches and preventing big breaches, you know, I think there's a tendency to focus on the latest, sexiest exploit or the, you know, the most popular strain of ransomware right now when really what's happening every day, you know, this equivalent of, you know, kind of getting rear-ended, for example, are really the very simple things you don't want to hear about, you don't want to talk about. Like phishing or, you know, people poking at, you know, known vulnerabilities in databases, right, the MongoDB, for example.

Dave Bittner: [00:14:22:01] Right. The everyday sort of boring things that you have to deal with, the blocking and tackling doesn't get very much attention. Obviously that-- so, so I guess what we're saying is, you know, beware of chasing shiny objects.

Emily Wilson: [00:14:35:08] Absolutely. The shiny objects are always going to be there, and they're going to come along, and they're going to be interesting, and we should talk about them. But I think it creates this idea that, you know, these breaches when they happen, they happen big and they happen loud and they happen in isolation, and you should be worried about one major attack. Well, you know, have you talked to your employees about clicking on links in their emails? Have you done it recently? How recently?

Dave Bittner: [00:15:01:00] Emily Wilson, thanks for joining us.

Dave Bittner: [00:15:05:11] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:15:18:02] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.