The CyberWire Daily Podcast 6.30.17
Ep 382 | 6.30.17

What's up with Petya/Nyetya/NotPetya? It's a wiper—the extortion is just misdirection. WikiLeaks dumps "OutlawCountry" from Vault7. The ShadowBrokers raise prices. Russia says boo to cybercrime.


Dave Bittner: [00:00:01:06] The CyberWire podcast is made possible in part, by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:12:21] The jury's back, and Petya/Nyetya/NotPetya is judged a wiper, and not ransomware after all. (Judgment, of course, subject to reversal on appeal.) Ukraine blames Russia, but whoever done it had EternalBlue before the ShadowBrokers leaked it. WikiLeaks Vault7 disgorges OutlawCountry, a Linux attack tool. The ShadowBrokers raise their rates. Russia calls for international cooperation to stamp out cybercrime. (And Captain Louis is shocked, shocked that gambling is taking place at Rick's.)

Dave Bittner: [00:00:44:23] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire and you can to. Sign up to Recorded Future's Cyber Daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and more. Subscribe today and stay ahead of the cyber attacks. They watch the web, so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, June 30th, 2017.

Dave Bittner: [00:01:58:16] Consensus has it that the Petya/Nyeta/NotPetya ransomware campaign isn't really ransomware at all, but rather misdirection for a quieter campaign designed to install at least an information-stealing Trojan, and perhaps other malware as well. So if you've been infected, the trending advice from the security community is don't pay the ransom, you won't get your files back that way. It seems there hasn't been much of a gesture in the direction of file recovery. So it's best to consider Petya/Nyetya/NotPetya a wiper. The extortion screen is just razzle-dazzle, smoke and mirrors, and pay no attention to the man behind that curtain. The target of the campaign still looks like Ukraine, the original locus of the infection, but gaining access to systems worldwide is surely not an unwelcome side benefit. Observers and investigators see a slow accumulation of circumstantial evidence pointing to Russian security organs as the responsible parties.

Dave Bittner: [00:02:54:03] One interesting development has come in from F-Secure. Researchers at the security company believe they've found signs that EternalBlue, the exploit used by both WannaCry and Petya/Nyetya/NotPetya, and allegedly stolen by means unknown from NSA's Equation Group, was incorporated into the current campaign's code some six months ago, which is well before the ShadowBrokers released EternalBlue in April. This suggests either a connection between the ShadowBrokers and the Petya controllers—perhaps they're the same, or working for the same people—or that the controllers had independent access to the exploit. In any case, more people who've looked at the malware think that Petya/Nyetya/NotPetya has only a superficial connection with the original Petya, which was indeed a classical instance of ransomware hawked by a hacker who went by "Janus" (he took his name after a James Bond villain, not the Roman god of doors and portals). Janus operated through much of 2016 before going dark in December. He achieved a degree of easy, cheap-jack Robin Hood'ish fame for the way in which he offered up decryptors for competing strains of criminal ransomware.

Dave Bittner: [00:04:02:17] But Janus is now back, and saying he'd like to help with this newest, relatively distant descendant of his crimeware. He tweeted his concern on Wednesday, saying he was examining the Nyetya/NotPetya code, and suggesting that he wasn't responsible. He probably wasn't. The original Petya was straightforward extortion, and Janus was looking for cash. This week's Petya/Nyetya/NotPetya controllers are almost certainly after something else, probably staging spyware and doing battlespace preparation for future attacks. It's clearer now how the malware infected its initial victims. The threat actors got into the patch server used by M.E.Doc, a Ukrainian software firm that makes a widely used tax accounting product, a kind of Ukrainian TurboTax. Once there, they installed the malware in such a fashion that any customer who downloaded a MEDoc update got Petya/Nyetya/NotPetya instead. From there the malware wormed itself across various local area networks.

Dave Bittner: [00:05:03:22] So it seems fair to chalk Petya/Nyetya/NotPetya up to espionage and hybrid warfare, not cybercrime. Ukraine thinks the Russians did it, and they've called in international help, including Interpol and the FBI, to help their security and intelligence organizations with the investigation. To return to the EternalBlue exploit used in the campaign, this is in some ways a good news/bad news story. The good news is that if you were patched and up-to-date, you were probably not affected. The bad news is that patching can be a lot harder than it sounds, particularly in systems that touch indispensable legacy software. If indeed EternalBlue is an NSA exploit that leaked into the wild, and most—including Microsoft—conclude that the ShadowBrokers are telling the truth at least on this count, the big unanswered question is, how did the exploit leak? So far that's publicly unknown, and members of Congress are getting a bit restive about the matter, asking NSA for a fuller accounting of the undisclosed exploits it holds, and how it controls them.

Dave Bittner: [00:05:51:20] That such controls are not bulletproof may be seen in the results of a Defense Department Inspector General's report on NSA's self-protection against insider threats. The study was prompted by the Snowden affair, and the results were mixed. Privileged account management was found to be particularly loosey-goosey, with work to be done. WikiLeaks has opened Vault7 again, this time with "OutlawCountry." They claim it's a CIA-developed tool for exploiting Linux systems. The concentration on Linux suggests an interest in attacking servers.

Dave Bittner: [00:06:35:03] And how about those ShadowBrokers, those speakers of Omrachlish? They've declined with cheeky false-modesty not to comment on Petya/Nyetya/NotPetya. As they put it, "Another global cyber attack is fitting end for first month of theshadowbrokers dump service. There is much theshadowbrokers can be saying about this but, what is point and having not already being said?" And what can we do but agree, what indeed is point having not already been said? They haven't yet made good on their promise to expose an Equation Group operator and tie him or her to American espionage against China, but the brokers have doubled the price of membership in their exploit-of-the-month club. It will now set you back $65,000 in Zcash or $46,000 in Monero. June sales of memberships did so well, the brokers claim, that the market practically obliges them to charge more. They're also introducing a "VIP service." We can't figure out exactly what you get—could it be that mint Mr. Bogachev missed on his platinum rewards hotel pillow, we wonder?—but whatever it is it can be yours for a cool $130,000. So hop to it, Wealthy Elite.

Dave Bittner: [00:07:47:01] Russia has called for an international crackdown on cybercrime, to which one can only say, "Hey, yeah, sure, you're right, Mr. Peskov. Stop me before I hack again" eh Vlad? Next Tuesday, of course, is Independence Day in the US, the day we observe and celebrate the Amexit of 1776. We'll publish the Week that Was as usual on Sunday, and the CyberWire Daily News Briefing and post our Daily Podcast as usual on Monday, but Tuesday will be a holiday for us. Enjoy the 4th. We'll be here Monday, and we'll be back as usual next Wednesday.

Dave Bittner: [00:08:26:00] Here's a quick note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today and E8's White Paper, available at, can guide you through the big picture of the still emerging, but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at E8 And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:18:01] Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, you and the folks over at Terbium recently published some research about online fraud guides. What can you share about that?

Emily Wilson: [00:09:29:16] Yes, so we've been looking at these fraud guides that are for sale on most of the major markets, these are the kinds of things that really only appear on the major markets. You have effectively PDFs or word documents that contain either fairly sophisticated, or fairly mundane instructions on how to defraud different institutions and this can be everything from here is exactly how, step by step, you find or create a false identity and defraud this particular bank from this particular company for this particular kind of account to here's how you get free pizza.

Dave Bittner: [00:10:02:19] So really running the whole gamut of petty crime, but all the way up to fairly sophisticated things with big dollars.

Emily Wilson: [00:10:11:05] A very good example, I would say, of a way to remind us that the dark web really is just another part of the Internet. People can be very crafty, people can be very clever, people can do very interesting or very creative things and then, at the end of the day, people just want pizza.

Dave Bittner: [00:10:26:20] [LAUGHS]. So what kind of prices are we talking about to buy a guide, to do various types of fraud?

Emily Wilson: [00:10:33:21] You'd be surprised at how inexpensive or expensive it can be. I know we saw a couple of outliers on the far end that were getting into the tens of thousands, I think we even saw one for hundreds of thousands of dollars - something having to do with real estate; either the vendor made a mistake putting the price in or .. I don't know what's in that guide. If you want to buy it and let me know, I'd be curious to hear.

Dave Bittner: [00:10:57:12] Well, there's no way to know for sure that it's actually being sold at that price is there?

Emily Wilson: [00:11:01:18] That's the price that's listed for the market listing, so really that's the transactional price. You pay that in Bitcoin if you want to be able to access it. In terms of general pricing though, these are fairly inexpensive. You can buy individual guides - there are some that are available effectively for free, for a couple of dollars, you can get some that range up to the 40, 50, 80, 100 and then, in some cases, a couple of the things that we bought for this research were big packs of 200 or 500 guides for about $10.

Dave Bittner: [00:11:35:13] Before we went on the air, you mentioned one particular one that was interesting about phishing.

Emily Wilson: [00:11:40:00] Yes. You won't be surprised. You have this big pack of how to defraud - best fraud guide on whatever market - and buried in these 200 or 500 PDFs, there's a guide on phishing. Only it's not phishing, it's fishing with an F. It's how to catch king fish; it's a PDF about how to go out and catch large fish in the sea.

Dave Bittner: [00:12:04:10] So we don't know if perhaps some machine learning has gone bad in gathering it up, or just maybe somebody who has a pretty good sense of humor.

Emily Wilson: [00:12:09:23] Yes, no, I definitely appreciate the advice. I'm always looking for new hobbies.

Dave Bittner: [00:12:13:17] Never know. All right, Emily Wilson, thank you for joining us.

Dave Bittner: [00:12:21:02] Now I'd like to tell you about some research from our sponsor, Cylance. You've heard a lot lately here and elsewhere about WannaCry, a sloppy but dangerous ransomware campaign that became a pandemic. Our sponsor, Cylance, has a few things to say about it that you may not have heard elsewhere. WannaCry spread as a worm and a nasty surprising one, so a lot of legacy defenses didn't stop it. But Cylance says its AI did. In fact, if you'd had Cylance's artificially intelligent software running on your systems, you'd have been proof against WannaCry infestations. Go to and check out the post on Cylance versus WannaCry. Their math driven models make the unknown cyber threats known and stop them from hitting you. Visit and see what they can do for you. While the next WannaCry is just a gleam in the attacker's eye. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:13:24:02] The Sands Institute recently published a report integrating prevention, detection and response workflows - Sands' survey on security optimization. The report was sponsored by ThreatConnect and joining us from ThreatConnect to discuss the survey findings are Drew Gidwani, Director of analytics, and Andy Pendergast, VP of Product and Co-founder. We begin with Drew Gudwani.

Drew Gidwani: [00:13:46:16] To do security better, and by that I mean the four primary functions of security - prevent, detect, respond and predict - you need to align your people, your processes and your technology. You need to take down silos and data and workflow, as well as interconnectivity between the different security products, end point, networks, etc., that enterprises typically deploy to be able to coordinate action across them. Not having silos is just a prerequisite, it adds some efficiencies and capabilities that otherwise wouldn't be there inherently, but it also, perhaps more importantly, is a prerequisite to enabling more advanced automation across the technologies and better workflow across the teams. That should enable skill to better prevent, detect, respond and predict against threats to the network, to the business processes of the organization.

Dave Bittner: [00:14:50:17] Why do you suppose that there's this tendency for different groups to end up in silos in the first place?

Drew Gidwani: [00:14:57:00] I believe it's part of the human condition. As any system grows in complexity and size, including and especially human systems, you are going to have silos because roles are segmented, people need to focus on one aspect of what they're doing usually, especially as you get in larger areas, you start wearing less hats and focusing on one hat, maybe two. As that happens, communication typically becomes more sparse, across those different functions.

Andy Pendergast: [00:15:32:24] To add to that, Dave, I would say that there is a different evolutionary pace for some of the disciplines that we see across the security operation spectrum.

Dave Bittner: [00:15:41:11] That's Andy Pendergast.

Andy Pendergast: [00:15:42:21] Some of these things have mature faster, or they've been around for longer and certain buzzwords hit critical mass at different times. What we see is that, especially in our customers, different parts of the organization grow, they get budget, the talent pools that they can hire from are available at different times and at different rates and, as a result, you see different levels of maturity and sophistication for processes and that's where the silos really start to get entrenched.

Dave Bittner: [00:16:10:00] Talk me through some of the key findings on the survey.

Drew Gidwani: [00:16:12:16] So I would say one of the biggest findings is that, along the vein of silos that we just discussed, it's really difficult to scale security operations linearly with the size of a company and what we find there is that, if people are trying to stay at the forefront of the functions that we talked about earlier, all of the detection, response, prediction, they really need to find force multipliers at each stage and, again, we're dealing with different groups, with different skill sets, different missions and they may even be located geospatially on different continents. I think that the big takeaway is that, when we start to see breakdowns in the scaling there, we can also start to see that there are major impacts to the risk posture, or visibility across the organization and it's pretty unilateral that, as company's have had issues centralizing and automating, they are starting to see a lot of these problems come to the forefront.

Andy Pendergast: [00:17:09:15] The survey does address the two major issues, or two major challenges companies see with scaling being lack of skills and lack of funding. Those are two very hard problems to solve. There are lots of initiatives, including Sands which specializes in creating a better educated security workforce on many different levels and many different skill sets. Therefore, there are people addressing those problems but I suspect that we're not going to solve the skill gap any time soon, in the next five to ten years even so the demand for security becomes ever more present, as we shift ever more into the digital age and there are more and more threats out there and more and more surface area for attacks to occur. Looking for force multipliers, as Drew suggested, is really the focus of what we at ThreatConnect look to do to try to either inform decisions with intelligence, so that you can work smarter with less or allow your teams to work better together with data from both inside the enterprise and outside the enterprise.

Drew Gidwani: [00:18:32:04] I think the most paramount ideal is that there needs to be an organization wide attitude, there needs to be a mentality that's cultivated that the whole intel life cycle is everyone's problem and this really goes counter to the whole silo mentality that people may inadvertently develop. We especially saw, in our private lives as analysts, there were times were somebody would throw something over the fence and say that's an incident response problem, I did my job. However, when you start to have those very discreet lines in the sand, it's very difficult for people to break out of that mentality, it's very difficult for an organization to evolve alongside the threats that they're facing. Along that line, I think executives need to articulate a vision - that's really where the entire organization, down through management, down to the individual analyst that's sitting there in the trenches all day, doing the work, everybody can use that as a rubric to guide their decision making and if everybody's on the same page with the vision, then it naturally follows that collaboration can start to thrive there. We've got all these moving targets. We've got nascent disciplines, we've got maturing technology and then, of course, the threats aren't exactly staying still on their own. So it comes down to those people having the tools, being equipped to do their job and then, once you set them loose, there really needs to be a mindset of iteration. We always talk about being better scientists, we have to experiment, we have to try things, we have to measure and see what's working and what's not, so that we can refine these things because you're certainly not going to get it right on the first try.

Dave Bittner: [00:19:59:24] Our thanks to Drew Gudwani and Andy Pendergast from ThreatConnect for joining us. The Sand Survey: Integrating Prevention, Detection and Response workflows, Sands Survey on Security Optimization can be found on the Sands website.

Dave Bittner: [00:20:18:03] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend. We'll see you back here on Monday. Thank you for listening.