The CyberWire Daily Podcast 6.27.17
Ep 379 | 6.27.17

Petya goes WannaCry one better. Westminster email hack. ISIS in Maryland and Ohio websites.


Dave Bittner: [00:00:01:03] We know a lot of you value the CyberWire and that it helps you do your jobs better, and we hope you'll check out our Patreon page at and become a regular supporter. Thank you.

Dave Bittner: [00:00:14:15] Another ransomware pandemic breaks out—this one looks more sophisticated and dangerous than WannaCry. Ukraine is again the center, but it's moving out fast. Notes on the Parliament email hack in the UK, and ISIS isn't doing much cyber damage but its hacktivist sympathizers are really tugging on Superman's cape.

Dave Bittner: [00:00:38:15] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily, we look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you, by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:44:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, June 27th, 2016.

Dave Bittner: [00:01:53:19] If you're running unpatched and outdated software, you're at risk. That's not exactly news, but a new ransomware pandemic that broke out today like wildfire is. The campaign—of uncertain origin, although the Ukrainians think they know who's behind it—is hitting targets in Europe and elsewhere today. Ukraine is particularly affected, again, with banks (including ATMs), many government offices, and electrical utility networks (including those engaged in monitoring radiation levels at the former power plant in Chernobyl) suffering heavily. The Russian oil firm, Rosneft, also reports being affected (and has expressed its own suspicions by expressing the hope that the attack isn't connected to ongoing legal disputes with its domestic rival, Sistema, a large firm controlled by billionaire oligarch Vladimir Petrovich Yevtushenkov. Moscow-based security company, Group-IB, believes the attacks on Ukraine and Rosneft were simultaneous and coordinated. Other major infestations are reported by the Danish shipping concern, A.P. Moller-Maersk, pharmaceutical company Merck (this one in its US operations), Deutsche Post (its operations in Ukraine), French manufacturing concern, Saint-Gobain, and the British advertising agency WPP. More are sure to come.

Dave Bittner: [00:03:14:24] The ransom note's text has appeared in English, but Ukrainian authorities blame Russian hackers, especially since the attack coincides with tomorrow's observance in Ukraine of Constitution Day. On this interpretation, the attack's spread is due either to the inherently difficult-to-control nature of malware, deliberate misdirection, or willingness to take such targets of opportunity as present themselves. Researchers at security firms, including Kaspersky and Flashpoint, think the ransomware is a variant of Petya (also known as Petrwrap). We heard from Vectra Networks' Chris Morales, who notes two things about this iteration of the attack. First, the attackers have apparently added a worm-like component to Petya that gives it a transport mechanism that facilitates its rapid spread to new targets. (You will recall that WannaCry also spread as a worm.) Second, Morales notes that this version is unusually destructive because it encrypts infected machines' boot records, not just their files. Morales said, "By the time you find one infected machine you can assume dozens more have been infected." In addition to worm-like propagation, there's another similarity to WannaCry: this variant of Petya is exploiting the EternalBlue vulnerability CVE 2017-0145), an alleged NSA exploit leaked by the ShadowBrokers. Petya is also said to be exploiting CVE 2017-0199, a code execution flaw in Microsoft Office and WordPad. Both, of course, are known flaws. Jake Kouns of the cyber company Risk-Based Security, observed that one would have hoped, unfortunately in vain, because this time around Petya's spreading very rapidly, that the recent experience of WannaCry would have "served as a big wake-up call" and inspired close attention to patching and mitigation.

Dave Bittner: [00:05:10:02] Security researchers at AlienVault are tracking the infestation and response. They tell us that the ransom note and the attack code match Petya, and that their telemetry also confirms attacks spreading well outside Ukraine. AlienVault's Chris Doman says the sample he's looked at "Writes a message to the raw disk partition, clears the windows event log using Wevtutil, shuts down the machine, leverages PsExec to spread, and encrypts files matching a list of file extensions. AlienVault believes that, by late morning today, the attackers had received more than $3000 so, like WannaCry, they're basically getting basically chickenfeed, and that AlienVault hasn't seen confirmation that the attackers have actually restored the machines of those victims who've ponied up the ransomware . Interestingly, according to AlienVault, the samples one of the early Ukrainian victims shared deployed "Loki" malware and didn't subsequently install Petya, so there may be a couple of coincidental infections circulating simultaneously. The same happened with WannaCry. Jaff malware hit in an apparently unrelated campaign at about the same time.

Dave Bittner: [00:06:19:04] That Ukraine is at the center of this outbreak is, of course, curious and it does suggest that the motive of the attackers may be other than the obvious one of criminal gain. But it's too early for attribution. We'll continue to follow this story as it develops.

Dave Bittner: [00:06:34:13] We regularly remind you that there's a shortage of qualified cyber security professionals to fill the ever growing number of available positions. IBM is advocating a practical look at that problem, with the notion that, in addition to blue collar jobs and white collar jobs, there are what they refer to as new collar jobs. David Jarvis is security and CIO lead at the IBM Institute for Business Value and he explains.

David Jarvis: [00:07:00:21] What new collar is it's these emerging technical roles that require technical skill and aptitude, but, you know, maybe don't require a full four year traditional bachelor's degree. Obviously, lots of jobs require that but I think it's important that we can reopen the aperture on candidates and so, looking at cybersecurity, I think this is a perfect blend of the concept so we're really looking at new employee profiles, we're looking at new types of roles and we're looking at developing new partnerships to help address this gap.

Dave Bittner: [00:07:36:24] So take me through some of the details of that. When you talk about new partnerships, what kinds of things are you talking about?

David Jarvis: [00:07:43:05] There are about 1200, I think, community colleges in the US roughly give or take a couple of 100 and I think about 300 to 400 of them have some sort of cybersecurity degree program, certificate or classes or courses and there are a lot of people that are coming out of these programs that are very qualified that have the technical skills and aptitudes that are needed but may be dissuaded by the job market because it says that you need a four year degree to even apply for a particular job. I think, as part of a new collar approach, looking at these cyber security programs at community colleges, looking at some federal state and government programs, looking at veterans' programs, trying to tap that source of talent as well, trying to cultivate these new and different relationships don't just recruit at the same 20 or 30 universities you've always recruited at. If we're really going to solve the cyber skills crisis, I think we're going to have to think a little bit differently, expand our aperture and build some new bridges.

Dave Bittner: [00:08:49:16] I'm thinking about the people in HR who are recruiting, who certainly are facing these challenges of trying to get qualified people. I can imagine that they're used to doing things a certain way, they're used to having checkboxes of how many years you went to college or what certifications you have. I can see there being some resistance, even from the point of them being able to measure these sorts of things.

David Jarvis: [00:09:15:20] Yes, certainly. I think having a stronger partnership between the security needs of the organization between the security personnel, no matter how many people are part of it, and HR having that conversation and thinking about not looking at maybe degrees and certifications and those kinds of check boxes but really now thinking more about skills and what skills are essential today for the security function and what is going to be important in the future and get those down on paper - document them, look at different career and outline these clear career paths and skill progressions as opposed to just a list of checkboxes.

Dave Bittner: [00:10:02:18] That's David Jarvis from IBM.

Dave Bittner: [00:10:07:04] Observers of last week's hack of Parliament's emails in the UK note poor password discipline, and point out the cognitive dissonance implicit in Her Majesty's Government's push for backdoors when Westminster's email system was so easily pwned. The prime suspects continue to be the Russian security services. That attribution is, of course, tentative and circumstantial. Evidence being cited against that conclusion, evidence that weighs in favor of a criminal or a hacktivist - or even the proverbial teenager in the basement—is mostly the crude and obvious approach the attackers took. That, of course, is not dispositive: Cozy Bear was quiet and, well, cozy in the networks of the US Democratic Party, but Cozy's sister, Fancy Bear, was loud, expansive, and noisy, not, apparently, giving a hoot who knew she was ransacking Mr. Podesta's correspondence. So subtle and insinuating ways aren't always the hallmarks of intelligence services.

Dave Bittner: [00:11:06:15] ISIS defacements of government web pages in Ohio are joined by similar vandalism in Maryland's Howard County. That, we note, is right in the backyard of a local US intelligence service. That intelligence service wasn't itself affected, but if you go after Howard County you're really tugging on Superman's cape. We've said it before and we'll say it again, Joint Task Force Ares, tally-ho and good hunting.

Dave Bittner: [00:11:37:09] A quick note from our sponsors at E8 Security, they understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free White Paper that explains these new, but proven technologies at We all know that human talent is as necessary to good security, as it is scarce and expensive. But machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning, where the human teaches the machine, might seem to be the best approach, in fact, unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data, to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:12:39:19] And I'm pleased to be joined once again by Justin Harvey, he's the global incident response leader at Accenture. Justin, welcome back. We have seen reports about a new type of malware that's recently come along, I'm thinking of things like Brickabod, these are the malware that are going out and actually causing harm to IOT devices. What's your take on this?

Justin Harvey: [00:13:01:19] Well, I think this speaks to the greater danger of Internet of things devices. They're catching on like wildfire, more and more vendors and companies are starting to Internetize, if that's a word, their devices in order to get some home automation, or automation through mobile devices and computers. The issue here is that in an environment such as a person's home that is not very well equipped to deal with adversaries, meaning we all have Internet firewalls, which some of them have a bit of Internet detection, or Internet prevention system built in, we've all got AV. These IOT devices typically are running an embedded operating system, many times at some form of raspberry pie Linux or a cut down version of Linux, but there's no real impetus for many of these vendors to spend the extra time and money to put in and harden these systems. I think that, when they were first developed, maybe the companies were thinking we have to get to market quick, we have to speed up our time to market and our development cycles, security is always a secondary thought, or the last thought that vendors have and you couple that with a governance structure or laws that don't really put the level of responsibility back to vendors, or even consumers. That's where this has all led today.

Dave Bittner: [00:14:37:11] And we've seen stories where there's actually been people who are claiming to be gray hats, or maybe even consider themselves white hats, where they're going out and looking for IOT devices that haven't yet been turned over to botnets. They're preemptively bricking them and their point is that, well, if you're not going to protect this device, we're going to disable it so at least it will be neutral, although broken, rather than being used for bad.

Justin Harvey: [00:15:04:21] I think that that is a really bad idea for a couple of reasons. First, you are harming a device or you're making an assumption that that particular device is not performing a critical function. You never know when your code could go haywire, when you're operating off of the wrong information and you are affecting a mission critical device - perhaps in a hospital, perhaps in an airport - you never know. Without knowing that asset information, you're taking a risk. The second point here is that it is a form of computer fraud, at least in the United States, so you are breaking a law, even though you have great intentions, it falls into the same category, I guess, as offensive security operations. Well, they hacked me, so I'm going to hack them back and it all comes back to you never really know what or who is on the other end of the connection.

Dave Bittner: [00:16:08:12] Right, better safe than sorry.

Justin Harvey: [00:16:10:22] Exactly.

Dave Bittner: [00:16:11:22] Justin Harvey, thank you for joining us.

Dave Bittner: [00:16:16:06] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, check out If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to to find out how. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.