The CyberWire Daily Podcast 8.4.17
Ep 406 | 8.4.17

MalwareTech arrested over Kronos banking Trojan. "Bateleur" in the wild. Long DDoS hits Chinese telco. Russian influence operations no longer novel? FBI investigates HBO hack.


Dave Bittner: [00:00:01:10] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:23] Security researcher MalwareTech is arrested as the alleged author of the Kronos banking Trojan. Carbanak hoods release "Bateleur" into the wild, phishing in chain restaurant waters. A long DDoS attack in China seems aimed at extortion. German elections prepare for Russian influence operations but the novelty may have worn off Moscow's line. US states and DHS work toward cooperative cybersecurity. And the FBI is investigating the HBO hack.

Dave Bittner: [00:00:47:19] Time for some notes from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and file-less malware. It runs silently in the background. And best of all, it doesn't suffer from the blindspots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect and you'd like to learn more about how it can defend your enterprise, head on over to and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 4th, 2017.

Dave Bittner: [00:02:00:18] It's said that what happens in Vegas stays in Vegas. Sometimes what goes on elsewhere stays in Vegas, too, and sometimes it's you that does the staying.

Dave Bittner: [00:02:09:09] You'll recall that WannaCry was impeded back in May when its "kill switch" was inadvertently tripped by a security researcher who registered a domain name mentioned in WannaCry's code. That researcher, Marcus Hutchins, or "MalwareTech," as he likes to be known, enjoyed a minor hero's triumph and has taken a few victory laps since. The most recent lap was a small celebrity reception at DEFCON last week in Las Vegas.

Dave Bittner: [00:02:34:07] Unfortunately on Wednesday things went south in a hurry for Mr. Hutchins, age 23. The FBI picked him up and arrested him on a computer fraud and abuse charge. The Bureau was acting on an indictment a Wisconsin Federal grand jury filed on July 11th of this year. The indictment alleges that, sometime between July 2014 and July 2015, Hutchins and a conspirator, whose name has been redacted from the court documents made available publicly, advertised, sold and received payment for the Kronos banking Trojan.

Dave Bittner: [00:03:06:16] Kronos first came to light when it was offered for sale in Russian-language crimeware markets in July 2014. The asking price was some $7,000. Hutchins, who lives with his parents in Devon, England, is said to have been the author and maintainer of the malware. His name-redacted co-conspirator is alleged to have been the one who offered it for sale. Their preferred market was the recently shuttered AlphaBay.

Dave Bittner: [00:03:31:19] The conspirators face six charges, one of computer fraud, one of wiretapping or aiding wiretapping, one of accessing a computer without permission, and finally, three charges of creating and distributing wiretapping technology. Hutchins is expected to enter his plea in a Nevada courtroom today. The charges could add up to forty years in Club Fed, although a sentence of between five to ten years is thought likelier, should the innocent until proven guilty Mr. Hutchins eventually be convicted.

Dave Bittner: [00:04:01:22] Few would be prepared to argue that Kronos or other banking Trojans are Good Things but the case is not necessarily a slam dunk, according to legal commentary in the Washington Post by George Washington University law professor Orin Kerr.

Dave Bittner: [00:04:15:16] The case may be an important one, since the indictment alleges violation of an infrequently used anti-wiretapping law. That law, 18 United States Code Section 2512, makes it a crime to make, sell, or advertise, quote, "any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications," end quote. The Government's theory holds that devising and selling the malware count as purveying such a wiretapping device and doing so with guilty knowledge that it will be used in a prohibited way.

Dave Bittner: [00:04:55:04] There's other news of crimeware today. The hoods behind the familiar Carbanak financial Advanced Persistent Threat are circulating another crimeware tool. Bateleur is being used against targets in the hospitality industry. Bateleur, which is distributed as the payload of a phishing email, is said to take screenshots and steal credentials. Chain restaurants in the US appear most affected.

Dave Bittner: [00:05:19:03] Kaspersky Lab reports that the biggest DDoS attack so far this year, in terms of duration, was experienced by Chinese telecom operators. The attack lasted 277 hours or more than 11 days. The attackers' motive appears to have been extortion.

Dave Bittner: [00:05:36:23] German federal elections are scheduled for next month, and "of course" Russian intelligence services are expected to attempt to influence or otherwise undermine them. Observers think such attempts unlikely to succeed, for one thing, the element of surprise is gone, with influence operations already factored into public opinion.

Dave Bittner: [00:05:56:10] In the US, the Department of Homeland Security reports that 33 states and 36 local governments sought cybersecurity assistance for 2016 elections. Longstanding, well-known roadblocks, secrecy and security clearances, continue to impede such assistance.

Dave Bittner: [00:06:14:09] In other US news, investigations into Russian influence operations targeting the 2016 elections proceed, as special prosecutor Mueller has moved to establish a grand jury. The Administration is working to contain leaks, and Congress is making continued noises about misuse of intelligence collected against foreign targets but which contained information about US citizens.

Dave Bittner: [00:06:37:04] And finally, the HBO hack is now under FBI investigation. Despite corporate assurance to the contrary, many still fear email doxing. The hackers have notoriously compromised unreleased Game of Thrones scripts. Security firms including Panda and ESET have warned people against downloading torrents containing stolen episodes, since torrents are notoriously polluted with malware. Some people complain that's a lot of security company FUD, and maybe they're right, but we know one thing, we'll just wait to watch the episodes over old-fashioned TV. We can wait. Anyway, we already know winter is coming.

Dave Bittner: [00:07:20:07] Now some news from our sponsor Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down.

Dave Bittner: [00:07:54:00] Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:08:20:02] Joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, you wanted to share a story that came by recently about some gentlemen who were selling some guns online and ended up being busted for that.

Emily Wilson: [00:08:34:03] Yeah, I think this really caught my attention, you know, I see headlines from time to time, typically in Europe, of someone who has been caught with guns that they, you know, believed were purchased on the dark web, or sometimes a vendor who is going to sell them. But what caught my attention recently was the story about a couple of vendors from the old market Black Market Reloaded, right? This has been down for ages, this is not new. It's been a few years now and these couple of vendors, charges are just being brought now against them for having sold guns on the dark web. It's a reminder that this does happen. It, it doesn't happen often. It is fairly rare, certainly relative to other kinds of information, whether other kinds of goods and services, whether credit cards or drugs or what have you but interesting to see the long tail of that, see it come around.

Dave Bittner: [00:09:20:07] It strikes me that certainly here in the United States, guns are not hard to get, to buy or sell. It's fairly easy to, to do so what would drive someone to the dark web to set up a market there?

Emily Wilson: [00:09:32:21] Yeah, I think that's interesting. I think, you know, a couple of things that come to mind, not everyone is buying and selling in the US. You may have a situation where it's really easy to get your hand on guns here but, you know, it makes more sense to sell them elsewhere. Or you may have people, for whatever reason, who would prefer to transact in something like this on the dark web, whether they aren't sure how to tap into kind of a personal or a local network, if, if they can't purchase guns for some reason elsewhere and see this as a good way to go about it, if they think this is going to be safer. I think there are some similar arguments for people who-- you know, why would you choose to purchase drugs on the dark web? Guns are a little bit different, right? Most of these drugs are illegal. But I can certainly understand the appeal, in theory, of going through some sort of anonymous online service where it shows up at your door as opposed to needing to talk to that guy down the street.

Dave Bittner: [00:10:35:01] And yet even being on the dark web, they attracted the attention of law enforcement.

Emily Wilson: [00:10:38:18] They do, they do. I saw something recently, I think it came out of the UK, signs of terrorism including, you know, activity on the dark web. So be careful using Tor.

Dave Bittner: [00:10:51:07] Emily Wilson, thanks for joining us.

Dave Bittner: [00:10:58:11] Time for one more message from our sponsor Cylance. You know, good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They have concluded that recent efforts by governments to weaken encryption introduce exploitable vulnerabilities into applications and developed nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiqués within a massive cloud of noise. Back doors for the good guys mean back doors for the bad guys and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship and security. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:09:00] My guest today is William Saito. He's the special advisor to the cabinet office for the government of Japan, in charge of science and technology and information technology policy. The summer Olympics are coming to Japan in 2020 and Mr Saito has taken an active role in ensuring that Japan's cyber security posture is strong for the games and beyond.

William Saito: [00:12:29:07] In the last six months, I think the reality of the Olympics is really hitting us and obviously there are a lot of things where our Cyber Security Bureau has revamped the new laws so we coordinate, you know, various related agencies so that not only is the IT aspect but the OT aspects are covered synchronously. But the other thing that we're doing that we couldn't apply last year but is being executed out of the spring is HR development in the area of cyber. So we've allocated several millions of dollars, $25 million or thereabouts, depending on the exchange rates, to train cyber security professionals in this area, not just for the Olympics but, you know, as a country in general.

Dave Bittner: [00:13:15:04] Yeah, I, I saw in an article that you were quoted, you were talking about how when it comes to Japan that it's not really a technical issue, that there are some human factors here.

William Saito: [00:13:24:08] Yeah, and I think that's true for a lot of countries. For a country like Japan, we have a lot of great programmers. We have people that, you know, can quote, unquote "hack things" and take things apart and are curious there. The issue that I see in many countries, but especially highlighted in countries like Japan, is the ability of the technical folks to communicate to the upper leadership and management types, and then vice versa. The unfortunate part in a country like Japan is lots of technical issues like cyber they try to pawn off and pretend that they don't know about because their studies may not have included anything in IT assigned to it. So I'm finding that it's important to really cross-pollinate between the sciences, aka the such as the SEM people, and the humanities, aka the management leadership people, so that they can talk to each other.

Dave Bittner: [00:14:15:17] So they've established the Industrial Cyber Security Center of Excellence. Tell us about that.

William Saito: [00:14:22:04] Right, so obviously we, and most countries, are lacking several thousands, if not tens of thousands, of cyber security professionals, and they don't form overnight. We have to pick and choose and the area that we're focusing on, with emphasis on the Olympics, is the critical infrastructure that is either related or dependent on cyber security. Every country defines critical infrastructure differently, but you can assume you have the electrical industry, the finance industry, and so on. The professionals there require to not only maintain the integrity of the system, to be able to respond correctly and to put a defensive posture in place that management can agree on.

Dave Bittner: [00:15:01:21] Are you in communications with any of the folks from Rio, Brazil? Are there any lessons that have been learned from that Olympics?

William Saito: [00:15:08:03] Yes, so the Olympics has been a great opportunity. We've had our folks in the thought at Rio. I was in discussions and know lots of people and we have lots of technical exchange between people in London as well. So the IOC, the Olympic community, no one wants to see a bad Olympics but there are lessons learned and there's no point reinventing the wheel. I think there are a lot of interesting outcomes, not only from Rio but all the way back to London, that we learned from and we're building upon and our, our, obviously, intent is to share that to whoever follows on the Olympics. But, yeah, there's actually a close group of CISOs and cyber security professionals that really work with each other prior to one's own games. So, Japan's cyber security professionals have been working for more than four years with London and Rio.

Dave Bittner: [00:16:01:03] And is there a sense that you'll be ready?

William Saito: [00:16:03:24] My concern is, speaking for Japan, not our ability to pull off the Olympics. I think, honestly, Japan will have a perfectly fine Olympics. It'll go smoothly. There won't be any really outstanding problems and stuff. My real issue here is we're not doing cyber security for the sake of the Olympics. Olympics is just one of the crossroads. And what I want to take and use this opportunity is how do we become a more cyber resilient country and in doing so that we better utilize ICT and greater efficiency, greater productivity, especially in a country like ours which is quickly aging and quickly shrinking. And so, one of the things that you see in Japan and around the cabinet office are new posters. We have the Olympic posters, but the new poster will say, "Beyond 2020," and it's exactly that. You know, what happens to us, as a country, after 2020? And I think IT and cyber will play a critical role in that, not just preparing for the Olympics but what benefits do we reap post-Olympics?

Dave Bittner: [00:17:15:15] Japan is dealing with an aging population, as you mentioned, and a shrinking population so there are going to be fewer people around to take care of that aging population and so you'll have to rely on technology and the security that goes with that.

William Saito: [00:17:27:08] Yeah. Ironically, terms like artificial intelligence, robotics, machine learning, those aren't buzz words here. Those are terms that we really need to apply and we really need to use. These aren't things that are going to be in our next generation of cell phones. These are going to be taking care of our parents and grandparents. Japan is, in some sense, going to be the most reliant on some of these cutting edge technologies, not from a feature nice to have, but as a society must have. And in order to do so, it has to be safe and secure. So, how do you not only create these safe and secure products and services, but vice versa, how do you create an environment that's safe and secure so that people can develop these new technologies and not have it go crazy or get sued because, you know, there's a breach or something? I mean, one of the things we're trying to work on, don't know if it'll pass, but the next session of our parliament, you know, we will be creating tax incentives for investments in cyber security and hopefully that will alleviate some of the issues and costs that are associated with the hesitation for, you know, companies that need to implement it.

Dave Bittner: [00:18:35:08] Out thanks to William Saito. He's the special advisor to the cabinet office for the government of Japan.

Dave Bittner: [00:18:44:17] That's The CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out more about how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:18:57:14] Don't forget that one of the best ways you can help support our show is to leave a review on iTunes. It really does help people find the podcast.

Dave Bittner: [00:19:05:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Have a great weekend, everybody.