The CyberWire Daily Podcast 8.17.17
Ep 415 | 8.17.17

Email brute-forcing. Aadhaar woes. Leaked Equation Group exploits remain a problem. Hijacked Chrome extensions. Pulse wave DDoS. FBI interviews "Profexor." Extremism and vigilantism. OurMine hacks HBO Twitter, Facebook.


Dave Bittner: [00:00:01:02] Last night as I was tucking him into bed, my ten year old son looked up to me and said "Daddy, why don't I have a bicycle?" And I said "Son, if only more people would sign up to support the CyberWire at, maybe you could have a bicycle." I'm kidding, of course. My son doesn't know how to ride a bicycle. But we would appreciate your support at

Dave Bittner: [00:00:27:22] Holyrood defends itself against email brute-forcing. India's national ID system is compromised again. ShadowBroker-leaked exploits continue to do damage. Hijacked Chrome extensions prove difficult to eradicate. New variants of Locky and other ransomware are out. "Pulse wave" DDoS attacks are observed. Researchers find DDoS-as-a-service for sale in Chinese online markets. Governments express suspicion of foreign IT. An extremist site loses host, but its content will go on, even as opposing vigilantes mistakenly dox innocent targets. And OurMine hijacks HBO social media accounts.

Dave Bittner: [00:01:11:22] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you, so go to and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today, and we thank E8 for sponsoring our show.

Dave Bittner: [00:02:10:00] Major funding of the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, August 17th, 2017.

Dave Bittner: [00:02:20:19] The campaign against the Scottish Parliament's email services continues, but the BBC reports that defenses at Holyrood seem to be holding firm.

Dave Bittner: [00:02:30:17] India's Aadhaar personal identification system, a government program that assigns citizens a twelve-digit number linked to biometric information, has sustained a data exposure incident. Flaws in the eHospital app developed by the National Informatics Centre has made Aadhaar numbers available to a free and dodgy Android app, Mygov, whose developer was arrested in late July. This particular incident is thought to have affected a few thousand citizens, but investigation is still in progress, and it's not know if there was any other exploitation of the software issues. Most adult Indians - 99% percent, according to reports - are enrolled in the national identification program.

Dave Bittner: [00:03:14:10] Exploits leaked by the ShadowBrokers continue to damage enterprises. WannaCry has resurfaced in a South Korean LG service center, and businesses affected by NotPetya are still tallying their losses. In some cases those losses are being reckoned in the hundreds of millions. We spoke with Brad Stone from Booz Allen's Cyber Foresight Threat Intelligence Solutions Team about their research into the attack and their conclusion that there may be more to the attack than initially suspected.

Brad Stone: [00:03:43:02] I think all of us, similar to when we saw WannaCry, were watching Bitcoin accounts and others to kind of see if this is a classic ransom. You know, where's the financial benefit? And as soon as we started seeing things like the email and other ways for the payment to not really be monitored, it started to make us think, "Wow, what else is going on here?" And so, in particular, kind of pulling together now, is this leveraging, what we were seeing from other great groups, but then also looked at the fact of, wow, this end result of the actual ransom at the top looked more like a cover-up to activities focused on Ukraine that had been going on for months. You know, we suspect probably deployed that type of malware to kind of wipe the forensic elements and evidence of that. The best kind of analogy is to think of an arson, torching a building to kind of cover their tracks.

Dave Bittner: [00:04:34:19] And so take us through some of the details of this. So you're saying that there was infiltration earlier on, and that this NotPetya attack was there to cover their tracks?

Brad Stone: [00:04:44:07] Yes. So, our analysis leads us to suspect that TeleBots, a known unit that we track and watch destroyed, you know, thousands of machines with a focus on Ukraine, really causing a lot of substantial collateral damage across the globe. But, in particular, the evidence shows that, prior to that malware being launched, they had been actively pursuing theft of information from specific targets. So think of this almost as a three-pronged attack, first starting off with leveraging a campaign focused around the M.E.Doc tax software as kind of an initial entry point. Then, moving into the second phase, we're seeing some telltale signs of TeleBots using some other capabilities to do exfiltration, other activities, and then finally, with the kind of NotPetya variant put over top to kind of clean that environment. were dealing with this and then you have the ransom on top of it.

Brad Stone: [00:05:41:06] And the way we were able to kind of piece together the information is, at one level, kind of watching the submission of folks cleaning up prior to the variants. We're always out there looking at, you know, what's happening with malware across the globe in different areas, trying to track these different campaigns and actors and their different TTPs and how they're using it. We were able to kind of see, in particular, with things in Ukraine, some cleanup that was occurring that led to this quick view of while organizations were dealing with this and then you have the ransom on top of it.

Brad Stone: [00:06:15:22] So, not only do you have an organization kind of using a worm-enabled ransom in a different way, then the other tremendous element of this is if we start looking at what about the unintentional consequences to the rest of the world? The damage to their organizations is substantial, which completely changes the game for these other organizations where, maybe in the past, it's, "I'm not in that market. That threat actor is not focused on me." But when folks are leveraging easily obtained tools, worm enabling them, we have a quick global impact. So your average CSO out there today doesn't only just have to worry about what's important to their industry, their company, but having that broader awareness is now part of their daily routine, and it just adds to the challenges that they're already facing.

Dave Bittner: [00:07:02:10] That's Brad Stone from the Booz Allen Cyber Foresight Group. You can find their report on the TeleBots group and Petya on their website.

Dave Bittner: [00:07:11:21] Hijacked Chrome extensions are being purged from Google Play, but the malicious software the extensions carry has shown itself surprisingly effective at evading security checks established to routinely catch such attacks. Morphus Labs warns that one of the malicious extensions is particularly active in Brazil, where criminals are phoning marks and telling them to install it as an update to their bank's security module. It seems hardly necessary to point out that installing software on the authority of a cold call is unwise, but there you have it. Confidence games continue to work because most of us are disposed to have confidence in the people we cross paths with. Ask any social engineer, they’ll tell you.

Dave Bittner: [00:07:53:09] Morphus Labs notes, we must say in fairness to the people who fell for the calls, that the conversations were professional, plausible, and highly targeted, often asking for a specific employee by name. In any case, when Morphus informed Mountain View of its discovery, Google removed the offending extension, called "Interface Online", from the Play store on Tuesday. It reappeared Wednesday and had to be eradicated again. In both infestations, Virus Total reported that none of the 58 most widely used anti-malware products had detected it. Morphus has suggested some steps Google might take to limit the damage a hijacked extension might do, including blocking an extension's access to passwords unless the user gives explicit permission, and not allowing extensions to override system proxy rules.

Dave Bittner: [00:08:40:21] New ransomware strains, including versions of Locky, Cerber, and ShorTcut's 2016 open-sourced PHP ransomware product, are circulating in the wild. Researchers at several companies, including Cybereason, Heimdal, and Comodo are tracking them. Some of the strains, especially the Cerber variants, have acquired evasive functionality that looks for signs that a target might be defended.

Dave Bittner: [00:09:05:23] There are also some developments in the distributed denial-of-service world. Researchers at the security firm Incapsula report seeing what they call "pulse wave" DDoS, in which waves of highly repetitive pulses hit targets over hours or even days. The technique, Incapsula says, is a new one; it will bear watching.

Dave Bittner: [00:09:25:09] There are also developments on the commodity side of DDoS. Cisco's Talos researchers report finding an increase in Chinese black market sites offering DDoS for hire services.

Dave Bittner: [00:09:36:16] With both ransomware and DDoS remaining a threat, there are indications that some companies are quietly stockpiling Bitcoin with a view to be able to pay off their attackers, a practice most security and law enforcement experts recommend against. But then, everyone's got their own cost-benefit calculation.

Dave Bittner: [00:09:55:10] Governments turn a cold eye toward foreign-made software and hardware. In the US, Kaspersky remains under controversial suspicion over alleged connections with Russian intelligence services. India has told a number of Chinese device manufacturers to give proof of security and appropriate data handling if they expect to continue to do business in the subcontinent. And, in Russia, the Security Council head warns that widely used foreign software is implicated in longstanding Western plots to destabilize the country.

Dave Bittner: [00:10:26:22] The Russian concerns mirror US suspicions in an almost ridiculous fashion. There may be a break, however, in US investigation of the last election cycle's DNC hack. An unnamed man - he's so far publicly identified only by his nom de hack, "Profexor" - has turned himself in to Ukrainian authorities and is talking to the FBI. Profexor is not charged with anything, but he says he developed the remote access tool used against the DNC and that Fancy Bear obtained and used a copy.

Dave Bittner: [00:10:59:07] Have you heard? Winter is coming, and we don't have to see any pirated Game of Thrones script to know that. In any case, a chill wind has blown through HBO's social media accounts. Variety reports that the OurMine hacking group, which has hit media companies before, late Wednesday took over HBO's Twitter and Facebook accounts. OurMine poses as a white hat group, not a white walker group, and has invited HBO to contact them for security advice. The incident is believed to have no connection with that other phony white hat, "Mr. Smith."

Dave Bittner: [00:11:36:12] Now I'd like to tell you about an upcoming Webinar from our sponsor Delta Risk. With threats to the healthcare industry at an all time high, IT and information security professionals in hospitals, health care provider firms and insurance firms have more concerns than ever about patient data and business continuity. In the 45 minute Webinar, Preparing for Cyber Risks to Health Care Operations: Be Ready Not Sorry, experts from Stanford Children's Health, Delta Risk and Hunting Management Group will discuss essential elements of how to respond to a cyber attack and properly prepare a business continuity plan. Save the date for August 23rd at 1:00 pm Eastern Time, by visiting Delta Risk LLC, a Chertoff Group Company is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting and reserve your seat for this interactive discussion, and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:12:42:00] And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You are recently back from Black Hat, and some interesting observations you have in terms of Black Hat and how people are dealing with the Dark Web these days.

Emily Wilson: [00:12:58:18] Yes, it was an interesting year this year. We were at Black Hat last year and we had a booth, and the reactions were broadly people coming over looking for swag, as people do at trade shows, let's be honest about why we're all actually there. But asking, you know, "Hey, Dark Web, what's going on? What is the Dark Web?" Or people who knew about the dark web, kind of vague curiosity. This year people came over very directly, "Hey, I'm working on this. I want a Dark Web data source. What can you do for me?" And very different kinds of conversations. Conversations about privacy and about GDPR. It was a much bigger jump this year than I was expecting it to be from last year.

Dave Bittner: [00:13:38:01] So, is it your take that we're sort of over the hump of people not having awareness of the Dark Web?

Emily Wilson: [00:13:42:22] It's certainly moving faster, gaining awareness more than I thought we would. The way I'm thinking about it right now, I think we're starting to see the Dark Web, and data leaks as a whole, becoming something like social media was five years ago, where it was clear it wasn't going away. It was clear it was a place of interesting information and people, not necessarily knowing what they want to do with it, said, "Oh, I should have one of those."

Dave Bittner: [00:14:10:10] Now, you know, using the analogy of social media, I think years ago, when people weren't quite sure what to make of it, particularly people who were used to old school marketing, they would look for gurus, they would look for experts. And, of course, that allowed there to be people who maybe didn't really know much about it, but claimed that they did. Are we in that zone right now, where there's a lot of confusion as to what really is the Dark Web and what people are selling and what you need to know?

Emily Wilson: [00:14:37:13] I think we're seeing, not only with the Dark Web but with a lot of data in the industry as a whole, and I think something like machine learning or AI would fit into this category as well, is we're stuck in this intersection of trying to discuss advancements and new technologies and new data sources and explain them as compelling and hype them up, right? There is that marketing piece of this and we often do that with something like fear or confusion or mystery, while at the same time trying to be realistic and pragmatic about what you can actually do with this information once you have it.

Dave Bittner: [00:15:10:18] So is it a matter of just taking the time for this to settle down, or do we have to establish some standards? Where do we need to go?

Emily Wilson: [00:15:17:21] It's a great question, and if I had an answer I think maybe we could call me a guru. [LAUGHS] I think we'll start to see the conversation continue to be shaped by GDPR as something like personal information becomes an even higher priority in conversations. In terms of other things like data sources or AI or machine learning, I think we'll see consolidation in the industry over the next several years, and I think we'll start to see people be more realistic about these technologies or about what you can use data for, as we consolidate and as people are scrambling a little bit less to differentiate themselves.

Dave Bittner: [00:15:53:05] Alright, an interesting take. Emily Wilson, thanks for joining us.

Dave Bittner: [00:15:58:19] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.