The CyberWire Daily Podcast 7.13.17
Ep 390 | 7.13.17

Motives behind NotPetya, other operations. Verizon customer data exposed. Industry notes. Licensing hackers in Singapore.


Dave Bittner: [00:00:00:00] I want to thank our latest Patreon supporters. If you haven't checked it out yet, please do so. It's at Thanks.

Dave Bittner: [00:00:11:18] Signs that NotPetya was covering up a broad espionage campaign are reported. State-sponsored hacking seems, when not simple spying, to aim at eroding trust. Verizon suffers a major customer data breach, said to derive from a vendor's misconfiguration of an Amazon S3 bucket. Industry notes venture funding and an acquisition. Singapore will license white hats. And Russia wants you properly signed in to adult sites. Or at least one of them, anyway.

Dave Bittner: [00:00:43:08] Time for a message from our sponsor Recorded Future. You've probably heard of Recorded Future, they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis, and that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:23] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, July 13th, 2017.

Dave Bittner: [00:01:57:07] Booz Allen has published research that suggests NotPetya may have been in large part misdirection. The company's Cyber4Sight researchers think they've discovered signs that Telebots, aka Sandworm, that is, most believe, Russia's GRU, used the destructive campaign to conceal traces of long-running, widespread cyber espionage against a large number of targets. The evidence they cite, like most such evidence, is circumstantial but subjective.

Dave Bittner: [00:02:26:02] First, over a one-to-two-day period, four VirusTotal users uploaded the compiled VBS backdoors together with other malicious files, including the TeleBots Telegram-based backdoor, PowerShell post-exploitation scripts, and Mimikatz. Second, the uploads for the most part were conducted months before NotPetya hit on June 27th. Third, in several cases, these users also uploaded files associated with the MEDoc update utility to VirusTotal. The researchers conclude from this that "MEDoc-related processes may have facilitated the installation vector for this software." Booz Allen conjectures that the threat actors' goal was to collect information, and that the fig leaf of ransomware was decently thrown over the operation to conceal that goal. As usual, further work is needed. As Booz Allen's report puts it, "Information from incident response activities demonstrating actual exfiltration of data would need to be made available to check the hypothesis."

Dave Bittner: [00:03:30:13] US Energy Secretary Perry said this week that the threat to power plants, nuclear and otherwise, is real and that the Government and industry are working to address it. Recent probes have been ascribed to Russian threat actors. Members of Congress are asking for a report on the matter.

Dave Bittner: [00:03:48:05] Influence operations, as conducted against elections, phishing of critical infrastructure, as recently seen in the US power grid, and broad malware campaigns like NotPetya, may well be motivated by a common goal. According to DarkTrace, if you're looking for a common factor, consider the apparent common aim of fostering general mistrust of otherwise trusted institutions and practices.

Dave Bittner: [00:04:12:18] Verizon has sustained a major data breach: some 14 million subscriber records are affected, including sensitive credentials. It appears to be a third-party breach: the data were exposed on an unprotected Amazon S3 server controlled by Nice Systems, a Verizon vendor. People who called customer services over the past six months are affected. This is another S3 issue of the sort that's come to prominence over the last two months. It can be all too easy to misconfigure your Amazon S3 bucket. An article in the Observer, linked in today's CyberWire Daily News Briefing, runs through the ways in which such configurations can go wrong. Most of the mistakes involve setting permissions at the right level. Security firm Detectify suggests that enterprises get themselves into S3 trouble by using APIs or software to create objects and buckets. In any case, handle S3 with care.

Dave Bittner: [00:05:08:04] We received some reaction from Jeff Hill, of security company Prevalent, who finds the episode "eerily similar to the Deep Root Analytics data exposure" from last month. It's a pedestrian case, not some exotic hack, and it illustrates again the value of attention to IT and security basics. Hill also said it should teach an object lesson in the importance of monitoring your vendor's security controls.

Dave Bittner: [00:05:32:11] As part of President Trump's recently signed cybersecurity executive order, all federal agencies are required to submit a framework implementation action plan, as well as a set of metrics that show how they're protecting their most valuable information assets from cyber attacks and breaches.

Dave Bittner: [00:05:49:09] Thomas Jones is a federal systems engineer at Bay Dynamics, and he joins us with an overview of the requirements.

Thomas Jones: [00:05:55:18] The framework actually comes out of NIST, it's been around for I guess about three years now. And what it does is it actually aligns certain segments of our security with certain risk-based metrics. As they go along they're trying to move over towards more of a, instead of, you know, secure everything, patch everything, or a criticality-based methodology for approaching cybersecurity incidents. They're moving to a risk-based approach.

Dave Bittner: [00:06:26:17] How is that going to be implemented in the real world? What kind of effects will that have on the various agencies who have to implement it?

Thomas Jones: [00:06:33:09] Well, initially this year what they had to do by July 14th, they had to actually turn in their FISMA reports. And the FISMA over the last three years has been realigned to actually fall into the same pattern as the now cybersecurity framework.

Dave Bittner: [00:06:49:21] And what does, I'm sorry, what does FISMA stand for?

Thomas Jones: [00:06:52:00] It's the Federal Information Security Modernization Act. So yeah, FISMA has been around for ages, you know, ten, 15 years. Over the last three years they've been aligning everything with this cyber framework, which is a risk-based management framework. It ties to two other NIST documents, 836 and 37. The idea is shifting to, you know, we see a critical patch on a not very important system, we give it the same level of resources as we would for a system that happens to house the keys to the kingdom. Crown jewels of the organization.

Thomas Jones: [00:07:29:22] Now, around the cybersecurity framework, you identify what systems are in the environment, how they relate to the valuable assets in your environment, and use to buy resources based on the importance of those systems.

Dave Bittner: [00:07:42:04] Now it's my understanding that President Trump's recently signed Cybersecurity Executive Order puts in place some new accountability for people as well?

Thomas Jones: [00:07:51:08] Yeah, that's actually one of the biggest changes coming out of the OMB mandate. He's actually spelled out that he even wants the heads of the agencies, or a designated high-level individual within the agency, to be responsible for producing the metrics and managing the overall implementation of the cybersecurity framework within the organizations themselves.

Dave Bittner: [00:08:12:02] And so what's been the reaction to these changes within folks who have to deal with them?

Thomas Jones: [00:08:16:19] At a low level most of this has been going on for ten or 15 years. The rank and file don't see a huge change. What this really affects is a very high level within the organization, where people are actually being held accountable, where it now becomes very important actually to meet your CAP requirements. And there are cross-agency priorities that were set back in 2015. So those CAP requirements actually have percentages you're supposed to achieve in terms of things like how many people are using PIV cards or two-factor authentication, as opposed to username and password. And now there is some level of accountability there for the people higher up. Overall the response has been pretty good.

Dave Bittner: [00:08:58:10] That's Thomas Jones from Bay Dynamics.

Dave Bittner: [00:09:02:22] Taking a quick look at our CyberWire event calendar. If you're headed to Black Hat at the end of the month while you're in Vegas, stop by our event sponsor Deep Instinct and say hello. You'll find them at Booth 873, and there are links for more on the CyberWire's Event Tracker at

Dave Bittner: [00:09:20:02] Speaking of Deep Instinct, they feature in today's industry news, having recently raised $32 million. Nvidia is reported to be a major investor. The social media risk management experts, our Baltimore neighbors at ZeroFox, have also attracted significant funding: $40 million in Series C. OwnBackup, a software-as-a-service backup firm, has received $7.5 million in Series B. And Cisco upgrades its own security capabilities with the acquisition of Observable Networks.

Dave Bittner: [00:09:52:01] Finally, there are two new licensing initiatives worth noting. Singapore's comprehensive cyber security legislation contains a provision to put the legal behind the ethical of ethical hacking. If you're going to work as a white hat, you'll need a license. Hacking without a license, even for the best of motives, will get you up to two years in the pokey, and a fine that could run as high as $36,000.

Dave Bittner: [00:10:16:20] And in Russia, if you want to surf over to Pornhub, not that you would, you'll henceforth have to log in with a registered social media account. So if you're asked to sign in with your Vkontakte profile, it's not because Prime Minister Medvedev is concerned for your soul, but rather because he doesn't want you watching a couple of less than flattering and not fully enthusiastic short films about himself, that critics have posted to the well-known adult content site. Pornhub offered the Russian government Internet watchdog Roskomnadzor a free account if they left them alone, but the authorities are reported to have said spasibo, nyet. Maybe they got a preferred alternative, and broadband out to the dacha? Who knows?

Dave Bittner: [00:11:05:24] Time to take a moment to tell you about our sponsor ThreatConnect. Are you going to Black Hat this year? Of course you are. And when you go you will not want to miss talking to the experts at ThreatConnect. The team will be there at booth number 120 answering questions, sharing insights and doing demos. Of course they'll also be handing out some of their famous T-shirts and raffling off an incredible Sona surround sound system. And who would not want to get in on an opportunity to win an awesome surround sound system? In addition to all of the activities at the booth, executives will also be on hand, and available to meet in the ThreatConnect Media Suite. Visit to learn more. That's Surround sound, sounds awesome.

Dave Bittner: [00:11:47:22] And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:11:56:12] Joining me once again is David Dufour, he's the senior director of Engineering and Cybersecurity at Webroot. David, welcome back. We wanted to cover homoglyph attacks today. Let's start from the beginning. What are we talking about here? Describe what's going on.

David Dufour: [00:12:10:09] Sure, thanks for having me back, David. You know, a homoglyph attack, they've been around a while and it's a little bit technical, but they're super-interesting from a purely threat perspective. A homoglyph attack is when someone may register a URL in a non-Western character code, like, you know, Korean, Japanese, Chinese, even some German characters. And when they register that, it's in a Unicode format. Unicode represents, you know, thousands of characters, so that we can type in different languages in our computers.

David Dufour: [00:12:43:13] Well, the older coding format most of your listeners will know is called ASCII. And so when I register, let's say, a Chinese URL in a Unicode format with a Chinese character, and it gets converted to Punycode or an ASCII format, it's possible that I'm gonna get a popular website like Google, or Amazon, or, you know, some social media site, that's gonna show up in my browser. So they figured out how to register some random URL in a foreign language and have it show up in your browser as what appears to be a legitimate site with proper SSL encryption and all of that.

Dave Bittner: [00:13:21:00] So from the user's point of view, I'm seeing everything that I would expect to be there, and to be correct?

David Dufour: [00:13:27:22] That is exactly right. So if you look at it, it's gonna look like you're at the proper site. And where we're seeing this used is in our favorite topic, phishing attacks. Where someone's going to send you a link in an email, and it's going to say, and your friend's going to say, "Hey, go check this out." And you're going to click on it, and it's going to pop up a URL that in your browser may look like the proper URL, so you're going to enter your credentials. But in fact, because of this type of hack, you're actually at a site that's trying to phish those credentials from you.

Dave Bittner: [00:14:04:08] And is there any way to defend against this?

David Dufour: [00:14:06:20] Well, many of the common browsers were susceptible to this. Most of them have resolved that. So from a browser perspective you're going to be relatively safe now moving forward. But like with all phishing attacks, the number one way to prevent this is to type URLs into that address bar. Don't click on those links that come in emails.

Dave Bittner: [00:14:27:12] So make sure you're running the latest version of whatever browser you use?

David Dufour: [00:14:31:04] Yes, that's correct.

Dave Bittner: [00:14:32:07] Alright David Dufour, thanks for joining us.

Dave Bittner: [00:14:36:17] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit the Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks once again to all of our supporters on Patreon, and to find out how you can contribute to the CyberWire go to The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.