The CyberWire Daily Podcast 8.29.17
Ep 423 | 8.29.17

Cyberespionage in South Asia. NHS hack confirmed as ransomware. Notes on Hancitor. WireX Android botnet taken down. Fat-fingering BGP. Topical phishbait.


Dave Bittner: [00:00:01:00] We know a lot of you value the CyberWire, and that it helps you do your jobs better, and we hope you'll check out our Patreon page at and become a regular supporter. Thanks.

Dave Bittner: [00:00:14:20] Reports of cyber espionage against both India and Pakistan. Notes on Hancitor malware. WireX Android DDoS botnet is discovered and taken down by an industry consortium. A BGP fumble hit Japan's Internet, not hackers. Hurricane Harvey and Game of Thrones phishbait are in circulation, and, no, not that GPS.

Dave Bittner: [00:00:41:23] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's cyber daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:47:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 29, 2017.

Dave Bittner: [00:01:57:23] Symantec reports that sites in India and Pakistan have been the targets of a sustained cyber espionage campaign using Ehdoor spyware. The spying goes at least as far back as October 2016 and seems to have focused on collecting information on regional security matters. Symantec says the campaign looks like the work of a single nation state, but it doesn't specify which one. Other observers note that India has been experiencing a heightened state of tension with China, but that's merely an indicator and doesn't rise even to the level of circumstantial evidence. The spyware was installed via a phishing campaign. The phishbait used represented itself as links to stories on South Asian security matters, maliciously altered reports from Reuters, The Hindu and Zee News. The stories covered military affairs, issues surrounding Kashmir and news of Indian secession movements. These topics would be of interest to targets in both India and Pakistan. Since both countries were targeted, it seems likely the threat actor represented some third nation. Some observers are reminded of the backdoors installed in an earlier espionage campaign mounted against Qatar. Those backdoors were known as "Spynote" and "Revokery". They're different from Ehdoor, but they worked in a similar fashion.

Dave Bittner: [00:03:16:19] The NHS Lanarkshire attack has been confirmed as ransomware. It's not WannaCry, but exactly which ransomware variant hit the NHS systems remains unclear. Health care services continue to experience interruptions in parts of Scotland, with patients asked to defer non-urgent care and some operations canceled. Observers note that ransomware is playing an increasingly important role in attacks intended to disrupt as well as extort. For now, this incident seems motivated by extortion, but the story is still developing.

Dave Bittner: [00:03:50:02] Cylance research on Hancitor exposes how the malware's three-step exploitation of low level Windows vulnerabilities enables it to accomplish its work. Hancitor is being used by the Man 1 threat group. It's distributed in maliciously crafted macros contained in Microsoft Word documents. Man 1, whoever they are, don't use commodity malware, and Hancitor was put together with some care.

Dave Bittner: [00:04:16:02] Recently, there was a good bit of hubbub surrounding a Wisconsin tech company's decision to give employees the option of using an implantable RFID chip to allow building access and to purchase food at work. Some feared ubiquitous tracking, while others see an inevitable shift toward a more effortlessly connected future. Avi Reichental is CEO at XponentialWorks, a venture investment advisory and product development company with a focus on connected devices, and he offers his perspective.

Avi Reichental: [00:04:44:22] The reality is we are going to become more connected. We are already, I mean, we haven't lost the rudimentary human to machine interface today that puts our brain online. We call it smart on our cell phone. Rudimentary in the sense that we are meant to use fingers and eyes to put our brains online. One can see very rapidly the advent of the more sophisticated human to machine interfaces that would put our brains online. The question is, how do you get the benefit of mind extension, of awareness of information, of entertainment, without the unintended consequences of losing privacy, losing identity, losing safety, and basically being violated as a human being in the sacred space that is you?

Dave Bittner: [00:05:44:20] Yet, time and time again, we've seen, even with social media, that people seem to be remarkably willing to trade privacy for convenience?

Avi Reichental: [00:05:54:01] Yes, and I think that this is why we see this explosion of investments into the convergence of exponential technologies, and that's how we see now that the rate and pace of technological disruption and convergence far exceeds the ability of society to comprehend and think through it, and completely outstrips the capacity of our legislative and regulatory bodies, governing bodies, to not only comprehend but to put the proper checks and balances in place.

Dave Bittner: [00:06:37:14] And, so, where do you see those different forces converging?

Avi Reichental: [00:06:41:23] I think, first and foremost, we really need to remember that companies that are introducing this incredibly powerful yet invasive technology have a responsibility to make it as safe as possible and have a responsibility to also educate the users and the various legislative and regulatory bodies about all of the amazing applications, but also about all the unintended consequences. I think that it's particularly when the companies that are enabling the technology have the deep pockets to do it, and then, of course, we need to think of how to disrupt government as we know it in a good sense, good disruption that begins to make our legislative bodies and law enforcement and regulatory bodies more tech-savvy and part of the conversation from the get-go, not from a point of view of fear, intimidation, but to embrace technology. Technology is here to stay. Technology on the whole creates a lot more good than bad, but in every new chapter of technological advancements we have just as many capable, smart people working on the bad side of it as the good.

Dave Bittner: [00:08:12:18] That's Avi Reichental from XponentialWorks.

Dave Bittner: [00:08:17:19] Collaborative work by several security companies appears to have contained an Android distributed denial of service botnet. WireX was detected on August 17 hitting hospitality, adult and gambling sites as well as some domain registrars. The botnet was disabled by Akamai, Cloudflare, Flashpoint, Google, Oracle, RiskIQ and Team Cymru. So, bravo to them all, but beware, the appearance of an Android DDoS botnet is a relatively novel phenomenon and bears watching going forward.

Dave Bittner: [00:08:51:07] Phishbait currently chumming the Internet attracts both the noble, that would be Hurricane Harvey relief scams, and the base, that would be bogus Game of Thrones unreleased episode come-ons. So, unfortunately, you'll have to take care before you donate to hurricane relief efforts in Houston. By all means give, but don't trust the begging emails. And, Game of Thrones, well, if you're bent on streaming pirated video, you're on your own. You've been warned.

Dave Bittner: [00:09:19:20] A BGP fumble, that's "Border Gateway Protocol," briefly shut down Japan's Internet last Friday. The outage lasted a couple of hours, but threw a scare into authorities as well as ordinary Janes and Joes. The Register characterizes it as being caused by someone fat-thumbing a Border Gateway Protocol advertisement.

Dave Bittner: [00:09:40:21] Finally, to return for a moment to Scotland, you may have found some of the coverage of the NHS Lanarkshire ransomware confusing as it reported "Global Positioning System" hacking. Some headlines even called out Global Positioning System outages. Be reassured, that seems to have been verbal confusion. The GPS that's known to have sustained disruption was "General Practice Surgeries", not the global positioning system. Americans, in particular, may have been puzzled by the acronym, unless, of course, they watched Doc Martin on BBC America, in which case it made perfect sense.

Dave Bittner: [00:10:22:16] A quick note from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where the human teaches the machine, might seem to be the best approach, in fact, unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload, and move from data to understanding. Check out and find out more. We thank E8 for sponsoring our show.

Dave Bittner: [00:11:24:24] Joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. You know, we talk a lot about threat intelligence, and today, you wanted to take us through some things that teams can use when it comes to open source threat intelligence.

Justin Harvey: [00:11:40:00] Yes. The principle behind open source threat intelligence monitoring is to harness the collective power of the Internet, I guess, or the globe of all of these security researchers out there. There's a big parallel between the war, or the battle that we are fighting on the cyber level, and real-world war or kinetic warfare. With kinetic warfare, there's an intelligence component. People on the ground. People in the air. Analysts back in intelligence centers that are essentially synthesizing in real time all of the battlefield data.

Justin Harvey: [00:12:18:22] In the cyber arena, we still have to fight the same war. We, just like with kinetic warfare, we have a battlefield, we have real adversaries, and we have threat intelligence. The only difference is every company cannot afford, or they're not able to have, a threat intelligence component. So, one of the things that many organizations are doing, they are leveraging the collective power and knowledge of the open source. The best way to pipeline and to analyze that information, or collect that information, is to utilize Twitter. The unique thing about Twitter is that all of the security researchers, all of the companies like Accenture, and even many organizations that have been hit by cyber attacks, are sharing that data, and it's not just tactical threat intelligence. It's not just indicators that you need to know to grab to put into your systems. It's also strategic threat intelligence. So, it's the tactics, the techniques, the procedures that the adversaries are using. We're also using open source intelligence monitoring to see emerging attacks. So, as soon as we heard about WannaCry, as soon as we were hearing about Petya, NotPetya, we were starting to see all of the reports coming in via Twitter. Now, clearly you still need to have someone on your team. Typically, it's one or two people that are curating that information and seeing if it's relevant or actionable by your organization, but as with emerging cyber attacks around malware and destructive malware, ransomware, whatever, you can also get ahead of zero-day. So, even if a zero-day has been announced, there's still a period of time between when the zero-day is announced and there is a vendor patch, and being able to know about that vulnerability or cyber attack much earlier in the process, so those precious hours and/or days, could really make the big difference between whether your environment is taken completely down or whether you're able to survive it.

Dave Bittner: [00:14:22:18] Right. Interesting information as always. Justin Harvey, thanks for joining us.

Dave Bittner: [00:14:28:24] That's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to to find out how.

Dave Bittner: [00:14:49:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.