The CyberWire Daily Podcast 6.29.17
Ep 381 | 6.29.17

Ransomware, nyet; wiper, da. Shipping, manufacturing, and Big Law may share some common risks. WikiLeaks and the ShadowBrokers are back again.


Dave Bittner: [00:00:01:05] Thanks again to all of our supporters on Patreon. You can check out to find out more.

Dave Bittner: [00:00:09:14] It's not ransomware, but a wiper, and a nasty one too. That's the current take on the Petya variant that's circulating around the world and how are these three things alike - shipping, manufacturing, and Big Law? The ShadowBrokers are back, and WikiLeaks' Vault7 disgorges what looks like a creepy stalking tool. Other non-Petya ransomware attacks. And officialdom seems to cling bitterly to Windows XP.

Dave Bittner: [00:00:37:06] Time for a message from our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyses the entire web, developing Cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want, actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:51:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, June 29th, 2017.

Dave Bittner: [00:02:01:16] The Petya pandemic continues, and its story at least has grown more complex. It's picked up at least two new names, ExPetr (from Kaspersky) and Nyetya (from Cisco). We'll stick with "Petya" for now, but researchers think that, while the current outbreak used code strings from Petya, it's sufficiently different to warrant a new name. Specifically, it now appears to most that what we've been calling "Petya" really isn't ransomware at all, but rather a wiper masquerading as cryptoransomware. Those few who've paid the ransom seem not to have recovered their files and, indeed, there may be no way for them to do so. Not only has the German email service the attackers used to host their payment account suspended that account, they don't want to be a party to crime at all, but the victims who paid up got nothing for their Bitcoin. So, as suspected, the goal here probably isn't really money, but disruption, and geopolitical throwing one's weight around. These features lead many to conclude that Petya's current instantiation is an act of cyber warfare, not cybercrime. Most observers think it originated with Russia (as Bleeping Computer puts it, "the obligatory part where we blame Russia"). While the evidence is circumstantial, it's more than reflexive finger-pointing. Russia is engaged in a serious hybrid war against Ukraine. The incident has prompted NATO to announce plans to step-up cyber defense cooperation with Ukraine.

Dave Bittner: [00:03:23:06] Microsoft says a malicious update to tax accounting software MEDoc was the initial vector. Since then, researchers at Kaspersky have also found a watering hole attack in a website belonging to the Ukrainian city of Bakhmut. A watering hole, of course, is a maliciously crafted website that infects visitors who graze over to it in bovine fashion. This kind of watering hole is a bad thing. Think of the Badwater alkaline pool in Death Valley, not some sort of refreshing oasis for camels or wildebeests. Stay away from Bakhmut, the website, we mean. The city itself we hear is perfectly nice, and even has a big salt mine you can visit that features what the Bakhmut boosters say is the world's largest underground room. At any rate, the effects of the campaign have been particularly heavily felt by manufacturers, logistics companies, and curiously, big law firms. Maersk, the Danish shipping giant, was hard hit. The company has begun its recovery, but port operations continue to be affected. Maersk runs major ports around the world, including facilities not only in Europe, but in Asia and North America as well. One of the North American facilities affected is San Pedro, the port of Los Angeles.

Dave Bittner: [00:04:33:21] Among manufacturers, big pharma company, Merck, has disclosed that its operations have been disrupted by the campaign. In Big Law, DLA Piper is among the targets said to have been clobbered. American Lawyer magazine commends DLA Piper for being forthcoming about its experience, and says that Piper's not alone. Clients are restive. So, what do logistics, manufacturing and lawyers have in common? The conjecture is unpatched Windows systems vulnerable to the EternalBlue exploit this round of Petya incorporated. Logistics and manufacturing enterprises use hard-to-patch instances of Windows in various ICS applications. Law firms tend to be patching laggards, perhaps because similar complexities present themselves in e-discovery. There was also a little-noticed ransomware outbreak last week. It hit Ukraine pretty exclusively, and it's been completely overshadowed by the news of Petya, but the little-known malware, "PSCrypt," was aggressive and damaging. It seems to have been designed to hit Ukrainian targets only, which is odd, showing a national focus not usually seen in cyber crime. This points, of course, to a Russian hand, either security services or some of those "patriotic hackers" Mr. Putin has recently praised. So ransomware or wiperware, there are two prudent steps any enterprise should take. First, patch. Second, securely backup your data offline so you can restore operations should an attack get through.

Dave Bittner: [00:06:04:20] Yesterday two sources of leaks resurfaced. WikiLeaks offers a manual for "ELSA" from Vault7. They claim ELSA is a CIA tool for tracking users of Wi-Fi enabled devices using Extended Service Set Data from nearby Wi-Fi networks. This strikes many observers as creepy and vaguely stalkerish, a little like that sleazy "Girls around me" app we heard people talking about a few years ago. And the ShadowBrokers, still speaking their odd and unnatural dialect, which we think we're going to start calling "Omrachish" since the lingo needs a name, and flacking their exploit-of-the-month club, promise they're about to name-and-shame an Equation Group operator - they're calling him "doctor person" - who's tweeted rudely about them. After taking a bow for Petya, Nyetya, and ExPetr, enabled by their EternalBlue dump, the Brokers get down to business and their Omrachish is always worth quoting in full. “TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers not unusual but 'doctor' person is living in Hawaii and is sounding knowledgeable about theequationgroup. Then 'doctor' person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging. TheShadowBrokers is thinking 'doctor' person is former EquationGroup developer who built many tools and hacked organization in China.”

Dave Bittner: [00:07:30:04] This promises to be a Twitter flame war, the operator in question may have taken up their challenge. In any case, someone has claimed the @drwolf Twitter handle and says he'll be doxing himself sometime soon. Finally, a few quick notes on things not connected to Petya. South Korean banks are continuing to fight off extortionists threatening distributed denial-of-service attacks, nice availability you got there, shame if somethin' happened to it. Officials of Her Majesty's Government are blaming the Westminster email hack of last week on sloppy and inattentive password practices, so get serious, London. And, speaking of London, Computing magazine reports that eighteen-thousand Metropolitan Police computers are still running Windows XP. Well, you might say, surely some of them have been upgraded. And so they have, eight, count 'em eight, of the Bobbies' machines are now running Windows 10. That's one, two, three, four, five, six, seven, eight. That's it. Eight, by the Great Hornspoon. Eight.

Dave Bittner: [00:08:38:18] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence. Unless maybe it's machine learning. But it's not always easy to know what these could mean for you. So go to and see what AI and machine learning can do for your organization's security. In brief, they offer, not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:33:20] And I'm pleased to be joined once again by Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42, which is their threat intel team. Rick, we've talked before about the capture the flag competitions and they're really a great way to test people's skills and get them involved with cyber security.

Rick Howard: [00:09:51:08] Yes, and they've actually turned into an integral lead for cyber security nerds, so instead of going out and playing baseball, we can run these contests, have a little friendly competition and then have some crowing rights if you do well on these things.

Dave Bittner: [00:10:08:04] And there's an upcoming competition that you wanted to highlight?

Rick Howard: [00:10:10:03] Yes. We like capture the flag for lots of reasons, and we've talked before about the well documented cybersecurity shortage of qualified personnel. Lately, I've come to believe that you don't really need a full fledged computer science or electrical engineering or other technical degree to get a start in this field. At the tier one level, at the entry level, it's enough that you have a basic understanding of networks and computers, a bit of skill in scripting language of your choice, maybe a cursory understanding of the adversary attack life-cycle, maybe finally a certificate from a vendor saying you're qualified to maintain one of their boxes like a firewall, sim or something like that. That is a good way to get into the system. However, the one question I ask everybody that comes interviewing with me for a job is what are you running at your house? If the advocate is not running a limits machine that she built herself, then she's not smart enough or curious enough to work for me. At this point, we're looking for people who are not afraid to get their hands dirty, to learn on their own and to solve problems without a lot of guidance from the leadership team. That's what captured flag helps us do; we can hone our skills with it. It's a place they can go and try out those things. We've just finished our own internal captured the flag contest last month for our own internal security teams and intelligence teams. It was a big hit. We also sponsored a contest at the University of Alabama in Birmingham this past February, designed to encourage women and Alabama high school students, to consider cyber security as a potential field of study, as they matriculate to college.

Rick Howard: [00:11:53:23] What we're doing right now is hosting a worldwide online capture the flag contest for anybody that thinks they might like to dip their toes into the cybersecurity space, or even for the seasoned veterans who want to test their skills. It is called Labyrinth and it's running continuously until 23 July at four pm. The best news is that we're offering several cash prizes, totaling some $32,000. So participants will attempt to solve cyber puzzles designed for newbies and seasoned practitioners. I think it is a great way that we can enhance our education in the field and bring everybody together and talk about cybersecurity.

Rick Howard: [00:12:36:02] These challenges bring amazing learning opportunities together across all levels and our goal here is to drive threat intelligence education by sharing challenges based on the daily life of the Palo Alto Network's engineers. That's what we're trying to do, so tell everybody that we're having a big contest. It's online right now and we want to see how well you do.

Dave Bittner: [00:12:55:09] Alright, check it out, it's called the Labyrinth Capture the Flag Challenge. Check it out at Palo Alto Networks. Alright, Rick, thank you so much for joining us.

Dave Bittner: [00:13:06:01] And that's the CyberWire. For Links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit Thanks to all of our supporters on Patreon, you can check it out at And don't forget to leave a review for our show on iTunes, it really is one of the best ways you can help people find our show. A reminder that I'm a regular on the Grumpy Old Geeks podcast, we have a weekly discussion of security, it's a rollicking good time, with a little bit of salty language - so you've been warned. You can check it out wherever all the fine podcasts are, that's Grumpy Old Geeks. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.