The CyberWire Daily Podcast 8.25.17
Ep 421 | 8.25.17

Clouds, crooks, cheats, and cryptocurrencies. Vault7 leaks liaisonware. Rumors about FSB officers charged with treason. FBI arrests Chinese national in OPM hack. Extremism online flows more than it ebbs.


Dave Bittner: [00:00:01:01] If you consider yourself not just a listener but a fan of the CyberWire we hope you'll head on over to and show your support, thanks.

Dave Bittner: [00:00:13:18] The four C's come together: clouds, crooks, cheats and cryptocurrencies. Locky continues to circulate in evolved forms. WikiLeaks dumps some curious alleged liaisonware documents from Vault7. Russian sources report that FSB officers facing treason charges in Moscow may have given up some connected hackers to the Americans. The FBI makes an arrest in the OPM breach. The Daily Stormer is way offline, but ISIS and its parasitic slave trading gangs are decidedly online. And, another consequence of NotPetya seems to be a pet food shortage.

Dave Bittner: [00:00:53:14] We've got a quick note from our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Those of us of a certain age remember when Skynet achieved self-awareness and sent the Terminator back to take care of business, but that's science fiction. The artificial intelligence and machine learning that E8 is talking about isn't science fiction at all, and it's here today. E8's white paper, available at can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning; AI and machine learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:47:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 25th, 2017.

Dave Bittner: [00:01:57:02] As the week comes to a close there's been a kind of convergence of some large cyber themes: the clouds, the crooks, the cheats and the cryptocurrencies.

Dave Bittner: [00:02:06:01] Some criminals, security firm Trend Micro reports, are exploiting online games with malicious Chrome extensions, thereby stealing in-game currency. The malware takes cookies from running Roblox processes. Roblox is the popular, massively multiplayer social media gaming platform, but the extension could be adapted to pull information from any website. If you install it, you're giving it a hunting license for your information. The malicious extension is available for sale in the Dream Market underground forum for the low, low price of just 99 cents.

Dave Bittner: [00:02:39:06] Trend Micro uses the occasion of their discovery to offer a useful reminder: "This is a good time to remember to always verify the permissions required before any Chrome extensions are installed. If you are unsure about these permissions, it's better not to install the extension in the first place. This particular malicious extension requires the 'read and change all your data on the websites you visit' permission, which should be a hint of its malicious behavior." A hint, like a hangover, is a hint you shouldn't drink so much.

Dave Bittner: [00:03:10:00] Why would someone want to steal in-game currency? To sell it to gamers, undercutting the prices charged by legitimate games.

Dave Bittner: [00:03:18:02] There's also the issue of cheating. Cheats, as gamers will tell you, offer an advantage over the sometimes difficult and frustrating rules of play. Researchers at security company SentinelOne have discovered that some cheats for the popular Counter-Strike: Global Offensive game are installing cryptocurrency miners on victim machines. This particular miner goes after Monero, and it's called OSX.Pwnet.A. The miner is working for a guy who seems to go by the name of Finn. SentinelOne seems to be onto him. For one thing, they seem to be insinuating that the gentleman is a brony; make of that what you will.

Dave Bittner: [00:03:56:11] Unwelcome cryptocurrency miners are being distributed in other ways too. Netskope Threat Labs has found the Zminer malware hosted in an Amazon S3 bucket. They say "the kill chain begins with the delivery of a drive-by downloader Zminer executable that downloads payloads from Amazon S3 cloud storage to a victim's machine, and then uses the machine's computing resources to perform coin mining." They note that the miner helps ensure its own smooth operation by disabling Windows Defender on infected machines.

Dave Bittner: [00:04:29:08] And cryptocurrency wallets themselves are under attack. Researchers at Duo Security note that criminals are exploiting some of the weaker forms of two-factor authentication, notably SMS and email authentication, to get into the wallets. They advise adopting more cryptographically secure forms of multi-factor authentication.

Dave Bittner: [00:04:49:01] Locky ransomware continues to circulate in its newly evolved forms. As always, the best advice to prepare for recovery, should you be infected, is to securely back up your files so you can be ready to resume work.

Dave Bittner: [00:05:02:13] Turning to espionage and conflict, WikiLeaks has resumed its leaks of alleged CIA documents from Vault7. This week the documents describe ExpressLane, unusual in that it appears to have targeted partner organizations, most of them US organizations like the National Security Agency, the FBI and the Department of Homeland Security. The program is alleged to have worked by requiring installation of a software update as a condition of doing business with Langley, and, says WikiLeaks, those updates also installed back doors.

Dave Bittner: [00:05:35:03] Russian sources are reporting the reason behind the arrest in December of last year of three men on charges of treason. Arrested were Sergei Mikhailov, Deputy Head of the Information Security Center, CDC, of the FSB, and two associates. It's believed they were instrumental in giving up prominent wanted hackers to the CIA, which then presumably turned the information over to the FBI and US Secret Service.

Dave Bittner: [00:06:00:21] The FBI has made an arrest in the OPM breach. The suspect is a Chinese national, Yu Pingan of Shanghai, who was picked up Monday when he arrived at Los Angeles International on his way to attend a conference in the US. On Wednesday he appeared before the Federal Court for the Southern District of California on charges of having written the Sakura malware believed to have been used by the Chinese government to accomplish the breach.

Dave Bittner: [00:06:26:20] Even as its core territory in Iraq and Syria shrinks to insignificance, ISIS posts a Spanish-language video promising to reconquer al-Andalus, the Iberian Peninsula, lost to the Umma in the 15th century. Another ISIS inspirational video receiving wide circulation purports to show a ten-year-old American boy threatening President Trump. ISIS killing has been a leading cause of the Middle Eastern refugee crisis, which has spawned human trafficking on a large scale. Some traffickers, slave-trading gangs, as the Times of London calls them, are posting torture images to Facebook in an attempt to extort ransom money from their captives' families.

Dave Bittner: [00:07:06:23] These posts and the most recent wave of hacked celebrity pictures are inducing some observers, UN agencies among them, to ask why tech companies aren't addressing such incidents with the focus and alacrity they brought to booting the loathsome Daily Stormer from their services. Is the outrage selective? The decisions arbitrary? Or is the problem simply more complex than it seems?

Dave Bittner: [00:07:30:17] And finally, turning to less unpleasant matters, there's another consequence of NotPetya in the UK: cat food shortages in London and the Home Counties. Mars subsidiary Royal Canin was affected, and deliveries of cat food have lagged, with some customers waiting two weeks. Another Mars pet food brand, James Wellbeloved, is also thought to have been affected, but they're more in the dog food line and there have been fewer complaints. Perhaps it's just that the dogs aren't quite so fussy.

Dave Bittner: [00:08:05:06] Time to tell you about some research from our sponsor, Delta Risk. Every year Delta Risk conducts hundreds of cybersecurity assessments, including penetration testing, for a wide range of commercial and public sector clients. Their pen testers identified the attack vectors bad actors most commonly use to get initial access to a network. Download Delta Risk's e-guide, "Hackers' Secrets Revealed: Five Lessons Learned from Security Assessments," to get the full technical findings from external pen tests, otherwise known as ethical hacking. You'll find this guide at Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:09:04:23] Joining me once again is Dale Drew, he's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You have some updates for us, some new threat intelligence on phishing and malware, what do you have to share with us today?

Dale Drew: [00:09:17:05] So, Level 3 maintains a threat intelligence system that monitors its global backbone and Internet traffic going through our backbone, and we see a pretty significant amount of total Internet traffic that we sort of categorize and analyze for potential threats. We recently added industry data, so every IP address we analyze, we sort of build a behavior profile for it and categorize it on malicious or potential malicious activity, and that's been pretty insightful for us to be able to identify bad actors on the network. But we recently added industry data to that to be able to get early warning indicators about when people are attacking specific industries. And the trend data that we're starting to accumulate from that is pretty interesting. So I'll give you an example: we identified the top five industries that are getting hit with malware, on a rolling 30-day average, and phishing attacks. On the malware side, the five leading industries that are getting just clobbered with malware attacks are tech services, these are consulting firms that provide support for other organizations; educational, so schools, colleges and such; manufacturing; retail food services; retail trade, like clothing stores and hardware stores and so on; and then healthcare.

Dale Drew: [00:10:47:18] We see this pretty consistently over the past 30 to 60 days. What we think it means is two things. We think it means that-- because we don't see a corresponding phishing attack associated with this, so we think that these industries tend to have more infrastructure exposable on the network, and they're getting compromised via their exposed infrastructure. And they also have high-value targets, whether it's infrastructure or data.

Dave Bittner: [00:11:15:04] And what about on the phishing side?

Dale Drew: [00:11:17:07] Yes, and then on the phishing side it's pretty much the same sorts of things, and I was pretty surprised. This is why: I would normally expect to see a pretty strong correlation between phishing and malware, and that just wasn't the case. And so what we saw in phishing is the top five industries were your information firms; your construction firms were number two; utilities, power was the top one; supply chain management, and so organizations that provide supply chain services to other companies; and then entertainment. This to us meant that they may not have as much public-facing infrastructure, or have more secure public-facing infrastructure, so they're going after the weaker link, which is the employers. They're sending emails to those employers in an attempt to gain unauthorized access to the systems so they then have access to that enterprise. So, again, our advice is, if you're in any one of those industries, you know, educate your employees on phishing email, do things like mark email as external when it comes from the public internet, and protect against phishing attacks.

Dave Bittner: [00:12:27:09] Was there anything on either of these lists that surprised you, I guess by not being on the list? Anything you expected to be there that didn't show up?

Dale Drew: [00:12:34:09] You know, I expected more critical infrastructure organizations to be on these lists, frankly. We've definitely seen a shift of the more sophisticated attacks, where the bad guys are targeting supply chain management, so supply chain was not a surprise to me, as well as targeting large pieces of infrastructure: DNS hosting, web hosting, telecommunications, power, transportation and so on. And so, going after that major piece of infrastructure so they either get access to confidential data, personally identifiable information, or a capability with regards to the reach and scope of some of those global infrastructure providers. And we didn't see a whole lot of that on the malware or even the phishing side with these. We did see attacks against utilities going fairly high, but not other infrastructure organizations that I would expect.

Dave Bittner: [00:13:28:19] Alright. Interesting stuff as always, Dale Drew, thanks for joining us.

Dave Bittner: [00:13:36:24] Now a word about our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Compass Cybersecurity will host the event on Tuesday, September 19th in Baltimore, Maryland, on the Johns Hopkins Homewood Campus. The theme this year is emerging global cyber threats, and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at the Learn more about the current and emerging cybersecurity threats to organizations and how executives can better protect their enterprise's data. Speakers include cyber lawyer Howard Feldman, IoT engineering expert Dr. Kevin Kornegay, and healthcare data security thought leader Robert Wood. You can find out more at the And we thank the Cybersecurity Conference for Executives for sponsoring our show.

Dave Bittner: [00:14:42:14] My guest today is Nicole Eagan. She's Chief Executive Officer at Darktrace, a fast-growing cybersecurity firm that in July of this year raised $75 million in a Series D round of funding. The company was founded in 2013 by former University of Cambridge mathematics and machine learning specialists, as well as intelligence experts from MI5 and GCHQ.

Nicole Eagan: [00:15:06:09] When we started the company in 2013 we really felt that a different approach was necessary, and we took what I'd say is an inside-out view. Regardless of the attack vector, it doesn't matter if it's spearphishing, malware or an APT, the goal of the attacker is always to get inside the network. And so we felt if we could learn what was normal and not normal inside the network, and then check that which was unusual, that would change the dynamic and give companies and organizations a better shot at early threat detection.

Dave Bittner: [00:15:44:15] And so, you all are really all in when it comes to artificial intelligence and machine learning. You know, if you walk around the show floor of any of the cybersecurity trade shows there's no shortage of companies who are offering AI and ML, to the point where I think it's hard for people to sort through it sometimes. What is your take? What is your approach to AI and ML?

Nicole Eagan: [00:16:07:11] As you said, we are absolutely all in when it comes to AI and ML. In fact, if you go back to 2013, I think we were one of the first companies to actually come out and really embrace machine learning for cyber defense, and there's a couple of really interesting ways that we use AI and ML. The first way we use it is we use unsupervised machine learning, so in other words, self-learning in real time inside a network, as opposed to other methods that might look at historical attack data, for example. So we're self-learning inside the network, no prior knowledge, and the way we use that machine learning is to understand the pattern of life of every user and every device inside the network, and we refer to that as working very much like the human immune system, so we call it the Enterprise Immune System. Subsequently we came up with another interesting use case, which was not only do you use the machine learning to detect threats but to autonomously respond to those threats.

Nicole Eagan: [00:17:08:10] We rolled out a module called Antigena, which does basically do autonomous response. So, in other words, even if it's an unknown attack that the security team has never seen before, or maybe it's something like ransomware, similar to WannaCry, that just moves at machine speed, the machine learning can automatically take action. Now, what was interesting as we rolled out that type of machine learning autonomous response is whether or not human security teams were really ready for it. And what we learned there is that in many cases the human security experts wanted to see the recommendation, the option that the artificial intelligence was recommending that it would take, before it responded. So we've done a lot of work in actually adding what we call a human confirmation mode to the AI.

Nicole Eagan: [00:18:00:21] The third way that we're using machine learning is really part of our R&D road map, and that is to actually have the supervised machine learning watching our world-class team of security experts, learning from them and figuring out how they actually investigate and research remediation steps. And so that's kind of the next stage that you'll see coming from Darktrace.

Dave Bittner: [00:18:25:01] Looking towards the horizon, what are some of the specific challenges that you think we're going to be facing in the immediate future? Things that perhaps we're not dealing with today?

Nicole Eagan: [00:18:35:15] I think one of the biggest challenges we see is IoT devices. I think a lot of enterprises we walk into underestimate the amount of IoT that's already in their environment. A lot of times there's IoT devices, similar to shadow IT, where no one's telling the IT or security team that they're bringing them in. We've seen everything from internet-connected cappuccino makers, we even had an internet-connected fish tank in a casino that was used as a jumping-on point into the network to attempt to access all data; that's more common than you would think. In fact, when we dropped our trace into an average enterprise network we usually see 20% to 30% more devices than the IT and security teams thought they had, and all of those things can be kind of the low-hanging fruit or a jumping-off point into the corporate network.

Dave Bittner: [00:19:28:22] I want to switch gears a little bit and talk about you and your executive team. Certainly, at the size of the company that Darktrace is, and the level that you are at, there are very few women holding chief executive officer positions at companies with the size and success of yours, but when I look at your executive team list you have several women in high positions. I'm curious, for the women in the cybersecurity industry who are coming up through the ranks, do you have any advice for them? Do you have any words of wisdom from the things that you've learned on your journey to be the head of a successful company like Darktrace?

Nicole Eagan: [00:20:06:05] Yes, we do, as you mentioned, have, actually, we have several women on our board of directors, we have quite a few women at the executive level, and, interestingly enough, throughout our company we actually are a 50-50 split of men and women, and in many cases those women are in positions in development, our mathematician group, our machine learning or deep learning team, you know, in addition to other roles across, you know, groups like sales, marketing and others. So, in terms of advice, pay attention to the company culture of the company you're joining. So if you're a recent college graduate and you're evaluating opportunities, you know, pay attention to the cultural issues, ask the questions about the company culture, and, as you did with Darktrace, take a look at the website and try to determine, you know, what are the most senior positions that women have been able to achieve within that company, and make sure that you have an environment where your mentors and your coaches may include a mix of both men and women. So I think that's really an important criterion when women are starting in their career or even evaluating making a career change.

Dave Bittner: [00:21:26:01] That's Nicole Eagan. She's the CEO at Darktrace.

Dave Bittner: [00:21:31:19] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence visit

Dave Bittner: [00:21:43:22] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.