The CyberWire Daily Podcast 8.18.17
Ep 416 | 8.18.17

Ransomware updates. ShadowPad backdoor may have got into the supply chain from a Chinese APT group. Apple Secure Enclave decryption key released. Profexor and Fancy Bear. Misconfigured AWS S3 exposes voter data. Countering extremism online. FBI continues to warn against use of Kaspersky products.


Dave Bittner: [00:00:01:01] Yesterday, dear listeners, I shared the story of my son, who does not know how to ride a bicycle. When I got home, he had this to say to me.

Son: [00:00:08:16] But I need a bicycle to learn how to ride a bicycle!

Dave Bittner: [00:00:12:18] Maybe next we'll get him a puppy.

Dave Bittner: [00:00:20:24] Ransomware strains, old and new, are back in circulation. ShadowPad backdoors are tentatively attributed to Chinese espionage operations in the supply chain. A hacker releases the decryption key for Apple's Secure Enclave. Profexor may actually not know much about Fancy Bear's romp through the DNC. Another misconfigured AWS bucket exposes data on voters in Chicago. The difficulties of countering extremism online. The FBI has a roadshow warning companies of the risks of using Kaspersky security products.

Dave Bittner: [00:00:59:07] We've got a quick note from our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Those of us of a certain age remember when Skynet achieved self awareness and sent the Terminator back to take care of business, but that's science fiction. The artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. And it's here today. E8's White Paper available at can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:53:15] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 18th, 2017.

Dave Bittner: [00:02:04:22] Ransomware, old and new, rampant and defeated, is back in the news at week's end.

Dave Bittner: [00:02:09:15] Spam representing itself as distribution of a court order is in fact distributing a newly observed strain of ransomware. Researchers at security firm Emsisoft say "SyncCrypt" avoids detection by concealing its malicious zip file inside a JPG image. There's as yet no free decryptor available for affected systems. Emsisoft points out that SyncCrypt's method of distribution is "highly effective" because most anti-virus products aren't detecting the JPG files that carry the ransomware as malicious. Only one product in VirusTotal, Dr. Web, detected SyncCrypt as malicious when Emsisoft ran its samples through.

Dave Bittner: [00:02:49:10] Two older varieties of ransomware, Locky and Mamba, are back in the wild, circulating in evolved and unfortunately enhanced forms. Locky had been largely quiet in 2017 after hitting hospitals last year. Security company Malwarebytes notes that it returned in a large campaign on August 9th. Locky traces its coding heritage to the Dridex banking Trojan, and, like Dridex, the secret to its success seems to be volume. It's being distributed in a large, old-school spam campaign delivering either corrupted Microsoft Office documents or malicious zip files. The new version is reporting through a fresh command-and-control infrastructure.

Dave Bittner: [00:03:30:07] Trend Micro and Kaspersky report that Mamba ransomware, also known as HDDCryptor, is back, and being distributed in the "IKARUSdilapidated" campaign Comodo has been tracking. Mamba is perhaps best known for its 2016 use against the San Francisco Municipal Transportation Authority. It encrypts hard drives as opposed to simply making files unavailable, and the ransomware is commonly spread by corrupted websites.

Dave Bittner: [00:03:57:22] There is some good news on ransomware, this from Avast. The Prague-based security firm has developed and released a free decryptor for LambdaLocker. So bravo, Avast.

Dave Bittner: [00:04:09:02] NetSarang, South Korean maker of widely used enterprise connectivity products, acknowledges that recent builds of its software are afflicted with ShadowPad backdoors. The vulnerability appears to have been inserted from the company's supply chain as it ran through China. Similarities to tools and procedures used by PlugX malware lead Kaspersky researchers to attribute the backdoor to the Chinese Winnti APT espionage group. NetSarang patched the flaw in its August 5th builds, which Kaspersky says is fast work. Users are urged to stop using old versions and update promptly.

Dave Bittner: [00:04:47:10] In other patching news, Cisco has fixed two serious bugs in its Application Policy Infrastructure Controller, and Drupal addresses access bypass issues in its CMS software.

Dave Bittner: [00:04:58:22] Beyond Security has disclosed a proof-of-concept Chrome exploit. Google will not patch older affected versions of Chrome, instead advising users to move to the current version.

Dave Bittner: [00:05:09:24] A hacker going by "xerub" has published the decryption key for Apple's Secure Enclave Processor firmware. The Secure Enclave coprocessor within iOS handles cryptography for data protection key management. Mostly it processes Touch ID, unlocks the phone with the user's fingerprint, and approves purchases the fingerprint sensor authorizes. Apple says user data aren't at risk, but the leak will give the curious, whether well- or ill-intentioned, opportunities to explore the software.

Dave Bittner: [00:05:42:04] In election hacking and influence operations news, "Profexor," the Ukrainian hacker talking to Ukrainian authorities and the US FBI about Fancy Bear's operations against the DNC during the last US election cycle, may not have any particular insight to offer after all. The P.A.S. tool he's associated with probably wasn't involved, according to experts, and it was not mentioned in the GRIZZLYSTEPPE report cited by the New York Times. CrowdStrike, the security firm retained by the DNC to fix its security issues, told KrebsOnSecurity that it did not find evidence of P.A.S. in the DNC's servers. And the GRIZZLYSTEPPE report is itself now regarded as problematic, more a compendium of behavior observed by various Russian threat actors than a study of election hacking.

Dave Bittner: [00:06:30:21] There are reports that WikiLeaks declined to publish discreditable information about Russia that was fed to Julian Assange's leak service during the time it was leaking material from US sources. This will surprise few who've watched WikiLeaks with attention over the past few years. When one asks the source of WikiLeaks releases, a recurrent answer that suggests itself is "Moscow."

Dave Bittner: [00:06:53:04] A Washington Post op-ed expresses the opinion that President Putin overplayed his hand in attempts to manipulate elections. The efforts probably had little effect on outcomes beyond sowing a degree of mistrust (surely one of its objectives), but it did anger Washington and put most of Europe on high alert.

Dave Bittner: [00:07:11:20] There are, of course, other concerns about voting systems, particularly election-related databases. ES&S, supplier of voting machines to many US jurisdictions, learned from an UpGuard warning that it had misconfigured its Amazon S3 bucket, exposing records on approximately 1.8 million voters. Only Chicago voter data was affected, for unknown reasons, and ES&S says it's secured the database. Personal information was publicly exposed, but neither vote totals nor voter registration were affected.

Dave Bittner: [00:07:44:07] This is the latest in a series of misconfigured Amazon Web Services databases. It's worth recalling that ensuring such data isn't publicly exposed is the user's responsibility. But Amazon is trying to help. The cloud provider has introduced Macie, a security service designed to automatically discover and protect sensitive data in AWS customers' buckets.

Dave Bittner: [00:08:06:17] US President Trump announced today that US Cyber Command will be elevated to a full combatant command. The president said in a statement, "The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries." There will also be a review of whether Cyber Command should split from NSA, where it was spun up less than a decade ago. That review will be led by Defense Secretary James Mattis.

Dave Bittner: [00:08:36:20] CyberScoop reports that the FBI is quietly advising companies, for OPSEC reasons, to stop using Kaspersky products. The Bureau's counterintelligence officers have been briefing companies on the threat they think the Russian company's software could present, and urging them to stop using it, and to refrain from including it in new products. Users of industrial control systems, especially in the energy sector, are receiving the briefings on a priority basis. Kaspersky says the suspicions are baseless. The FBI briefings are having mixed effect. Big tech firms are relatively unreceptive, but big SCADA users, spooked in part by Russian operations against the Ukrainian grid, are said to be listening attentively.

Dave Bittner: [00:09:24:12] Now I'd like to tell you about an upcoming webinar from our sponsor Delta Risk. With threats to the healthcare industry at an all-time high, IT and information security professionals in hospitals, healthcare provider firms and insurance firms have more concerns than ever about patient data and business continuity. In the 45-minute webinar Preparing for Cyber Risks to Healthcare Operations: Be Ready, Not Sorry, experts from Sanford Children's Health, Delta Risk and Huntzinger Management Group will discuss essential elements of how to respond to a cyber attack and properly prepare a business continuity plan. Save the date for August 23rd at 1pm Eastern time by visiting. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting and reserve your seat for this interactive discussion, and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:10:29:20] And I'm pleased to be joined once again by Malek Ben Salem. She's the R&D Manager for Security at Accenture Labs. Malek, welcome back. You want to take us through today a cloud security maturity model. What do we need to know about that?

Malek Ben Salem: [00:10:38:15] Ah, yes. So we know that organizations are continuously moving operations to the public cloud but, as they do so, they need to protect their sensitive workloads. So my colleagues at Accenture Security and, in particular, Dan Mullin have worked on a cloud security maturity model where they came up with five simple steps to follow in order to climb that security maturity ladder in the cloud. The first step is to augment the cloud provider's built-in security features with third-party security packages designed specifically for the cloud. Many organizations basically use their existing on-prem security tools and they start applying them to the cloud. But this approach means that they replicate the segmented network architecture of a legacy environment in the cloud, which also means that they can incur some additional costs, because virtual security appliances must be provisioned and configured within each of the virtual private networks.

Malek Ben Salem: [00:11:57:08] The second step is to pre-bake security into architecture and design patterns that are aligned to approved technology stacks. And Amazon, Microsoft, and Google all offer templates to support a secure configuration directly in their technology stack.

Malek Ben Salem: [00:12:16:07] The third step is to streamline the testing and auditing activities, by taking a unified approach to security and providing security functions via an abstraction layer. Through that abstraction layer, developers can develop and reuse pre-built packaged routines to manage encryption across multiple platforms. So this obviously reduces implementation variation, it promotes good reuse, and it lowers development costs.

Malek Ben Salem: [00:12:50:23] The fourth step that we recommend is to pre-provision some hooks into these workloads running on the cloud in order to allow some instrumentation and enable an easy integration of SOC monitoring directly into the critical application data and infrastructure hosted in the cloud.

Malek Ben Salem: [00:13:10:08] And then finally, the fifth step is to adopt DevSecOps, a holistic methodology to achieve security consistency from design through operations. So, for example, companies could automate the design review and verify that those secure code patterns are integrated earlier in the software development lifecycle. By following these steps, we're sure that companies can protect their sensitive workloads running on the cloud.

Dave Bittner: [00:13:41:06] Alright, good information as always. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:13:50:05] Now a few words about our sponsor DomainTools, the company that helps security analysts turn threat data into threat intelligence. They've got some new insight into DNS forensics which, as they explain in a new white paper, is where intuition meets experience. Their integration of human and machine intelligence brings into high relief the footprints intruders into your networks leave behind. Go to to learn more. DomainTools takes indicators from your network and connects them with nearly every active domain on the internet. Fortune 1000 companies, global government agencies and leading security solution vendors use the DomainTools platform to investigate and mitigate threats. Find out more by going to to learn about the leverage the domain name system can bring to the investigations of virtually every cyberattack that's snuffling around in the wild today. Check out, and we thank DomainTools for sponsoring our show.

Dave Bittner: [00:14:57:01] My guest today is Joseph Carson. He's the Chief Security Scientist at Thycotic, a cybersecurity company focused on protecting privileged accounts and providing enterprise password management among other services. Our conversation centers on phishing, specifically how phishing campaigns have grown more sophisticated in the age of online personal information.

Joseph Carson: [00:15:19:15] One of my main goals for my job and responsibility at Thycotic is to really understand the techniques and the mechanisms that hackers and cybercriminals use in order to really manipulate people, in order to really get them to, you know, reveal their sensitive information or to share the credentials of their email accounts and so forth. So, earlier this year, me and a team, we decided to conduct some sample research into some publicly available information that would allow us to run a really effective campaign. And what you really look for is, you look for, do you have the possibility of gathering the actual email templates? You know, authentic templates that are actually sent to people. Can you capture those and can you actually create and manipulate them in such a way that it really looks like it's coming from that source or trusted organization? So, one that we did, which was basically we looked at something that was time sensitive and something that people hate, and something that people are willing to do, so share their information, or click on that link, or enter their credentials, or transfer money: something that's time sensitive, authentic-looking, and they don't want to wait because it has some elements that mean the penalty gets greater. One that we decided to run was a vehicle speeding ticket campaign.

Joseph Carson: [00:16:40:10] So, of course, with things like speeding tickets, you look at what times the office is available for callers to actually call in. So you find out that the office times are, you know, Monday to Friday, nine to five. So the most effective time and the longest window of opportunity you have is after 5pm on Friday, because the next available time that you can call back in to enquire about any type of complaint is on the Monday morning. You target your schedule to go out at 5:30pm on a Friday evening. Many templates are available of those speeding tickets, so you can go and look for those templates and gather them from authentic received speeding tickets and then reuse that template to create your own authentic one and, of course, spoof the email and the domain that those phishing email campaigns are coming from.

Joseph Carson: [00:17:26:17] The next thing that you really look into is that a lot of people have shared personal information, so if you're targeting a specific company and, in some countries, the vehicle information is available; the type and make and model of people's cars are available online. A lot of them are due to, you know, of course, selling and buying, for checking what were insurance claims or crashes and so forth of vehicles. So a lot of that information's available, and you can go and gather information about the car model, license plate and registration details of vehicles, etcetera. A lot of people have shared things like their home addresses. So now, with all that information available, what you can now do is intelligently collect all that information, automate it in such a way that it pre-populates these templates with the person's first and last name, their home address, their telephone number, their vehicle information, and then the street, of course close to their home, where the speeding ticket was issued. And then, of course, being time sensitive, what's great about these types of campaigns is that when you make it time sensitive you say that, "Okay, if you pay within the next 24 hours or you go and fill in this information, if you don't do that within 24 hours, then the penalty increases."

Joseph Carson: [00:18:39:24] So Saturday it doubles, by Sunday it triples. So the last thing you want to do is wait until Monday to basically challenge the actual ticket. Because the information is so authentic, the source is so trusted, that you don't want to wait, because the penalty gets greater and greater. And this particular campaign, when we ran it, we actually had close to a 100% success rate. Because of the time sensitivity, people are willing to sacrifice by clicking, downloading, giving up their information rather than actually have that type of penalty or legal issue when it comes to Monday.

Joseph Carson: [00:19:14:13] Now, the interesting thing was that there were a few that did not; we weren't successful in gaining the information. And it was quite interesting that those who finished work on Friday at 5pm and didn't read their emails until Monday morning, they were the ones. The ones that didn't work at the weekend were the ones who were able to avoid us actually compromising and gaining access. The only real way that organizations can really make sure of the authenticity is when they get into making sure that their emails are signed with authentic signatures, so that you can check the trust of those. When organizations are not doing that today, they're really exposing themselves to being either the issuer of those phishing campaigns or on the receiving end.

Dave Bittner: [00:19:59:02] I can imagine people going to their boss and saying, you know, "I'm protecting the organization by not checking my email over the weekend."

Joseph Carson: [00:20:07:02] [LAUGHS] Absolutely.

Dave Bittner: [00:20:09:01] And so what happens next, when people fall for these sorts of things, even in a situation like yours where you're really trying to discover the vulnerabilities within a company? Is this a matter of training your employees? Is there a technical fix for this?

Joseph Carson: [00:20:24:13] Absolutely, there's multiple methods. A lot of the things we end up identifying is that the awareness and education and cyber hygiene of employees is important, also the technical security controls you can put in place in order to minimize the risk as well. Things like having multi-factor authentication is another important area. Making sure that the systems on those machines are up to date and have the latest trusted sources, so that when you do enter a spoofed email in, or the URL of the website you're going to is not the authentic one of the company, you can actually detect those types of things.

Joseph Carson: [00:21:00:16] So a lot of different techniques can be put in place, but it's really about protecting the identity of that employee, making sure they're aware of their responsibilities and making sure that they can identify potential risks, and then providing technology that really helps provide that balance between security and identifying, challenging the user to do multi-factor authentication. So even if we were to compromise those credentials that the user gave us, we would not be able to use them because multi-factor authentication would be in place. So really making it much more difficult and also making the awareness of the employee as good as you can.

Dave Bittner: [00:21:37:09] That's Joseph Carson from Thycotic.

Dave Bittner: [00:21:39:23] There's an extended version of this interview available to our Patreon subscribers. You can find out more at

Dave Bittner: [00:21:49:20] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:22:02:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.