The CyberWire Daily Podcast 8.30.17
Ep 424 | 8.30.17

Phishing and watering hole alerts. Is DPRK stealing Bitcoin? NHS Lanarkshire ransomware identified as Bit Paymer. Onliner spambot has hundreds of millions of email addresses. St. Jude pacemaker patch.


Dave Bittner: [00:00:01:06] My ten year old son looked up from his hospital bed and said, "Daddy, I'm sorry I fell off that bicycle you bought me. Do you think we'll be able to afford to have this broken arm mended?" I wiped a tear from his cheek and said, "Son, if enough people sign up to support The Cyber Wire at, we'll get that arm mended.

Dave Bittner: [00:00:22:24] I'm kidding of course. It's actually the anesthesiologist we couldn't afford to pay, but pain builds character. Patreon.Com/TheCyberWire. Thanks.

Dave Bittner: [00:00:36:03] Don't take the Hurricane Harvey phishbait, the IRS says that email telling you to download a questionnaire and return it to the FBI isn't from them. Why you really don't want that tutorial in tumbling Bitcoin. Sources accuse North Korea of stealing cryptocurrency. Trickbot is back and it's swiping Bitcoin. The ransomware strain in Scottish hospitals is identified. More than 700 million email addresses found in the Online spambot. A UK retailer suffers a breach. Some industry notes and St. Jude pacemakers get a firmware patch.

Dave Bittner: [00:01:14:06] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. When analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at The CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:09:05] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, August 30th, 2017.

Dave Bittner: [00:02:18:24] You may wish to donate or get involved in some other way with Hurricane Harvey relief to help the afflicted down in Houston. That's of course good, but unfortunately you should be wary of whom you connect with online. Scammers are using fraudulent Hurricane Harvey relief efforts as both con games and phishbait. The US Federal Trade Commission warned this week of many active relief scams in progress, and noted with regret that this happens whenever there's a natural disaster. Some of the scammers have even registered domains to assist their bunco. If you're in doubt about the legitimacy of a charity you're unfamiliar with, the Better Business Bureau's Wise Giving Alliance isn't a bad place to go for some quick commonsense vetting. Or do what's even easier, and deal with a charity you're familiar with.

Dave Bittner: [00:03:05:10] There is of course other phishbait being dangled in the US in-boxes. Here's an always popular gambit: the IRS is telling you the FBI wants to hear from you.

Dave Bittner: [00:03:16:06] The Internal Revenue Service warns that there's some fairly convincing but entirely bogus spoofed emails that represent themselves as coming from the IRS. They don't. If the faint whiff of Shadowbrokerese in the text doesn't tip you off, the diction in the phishing emails isn't bad for a non-native speaker of English, and in some respects resembles the my-eyes-glaze-over dullness of some regulatory communications, the fact that the email includes the FBI's seal as well as that of the IRS is a tipoff. And, no, changes in US Tax Law, with a capital T and a capital L, haven't transferred responsibility for "the belonging of offshore companies" from the IRS to the FBI. So don't bite. If you should receive such an email, the IRS would very much like you to forward it to them. Use the address

Dave Bittner: [00:04:09:00] There are also some baited watering holes out there. Security researchers at the firm Comparitech have found a come-on boosted by high Google search rankings. If you wish to learn how to "mix/tumble/launder Bitcoin," and you probably shouldn't, an outfit called Darkwebmarkets will give you a good, concise tutorial in that dubious art. Unfortunately the tutorial will also take you to malicious sites that will divest you of your cryptocurrency. Comparitech says the tutorial is actually pretty interesting, but no, don't go there. Don't take the course, because that would involve taking the bait. But don't even try to visit the site out of curiosity. Doing so could, Comparitech warns, boost its Google ranking even higher, enabling the crooks behind the bad links to lure even more of the unwary.

Dave Bittner: [00:04:58:15] Speaking of Bitcoin, sources in East Asia are calling attempted raids on South Korean Bitcoin exchanges a North Korean operation. Pyongyang has a history of turning to online crime to meet its financial needs. This may be the latest instance of such a campaign. Details are sparse, so observers are treating the reports with moderate skepticism. Still, given Pyongyang's track record and the unsettling tensions the DPRK's missile tests have aroused among anyone within range, all would do well to take the potential threat seriously. State cyber operations do tend to accompany security crises.

Dave Bittner: [00:05:36:03] A clearly criminal threat to cryptocurrency owners is being described by researchers at security firm Forcepoint. They've found an evolved version of the familiar Trickbot banking Trojan circulating in the wild. This Trickbot instance is going after cryptocurrency wallets.

Dave Bittner: [00:05:53:13] The ransomware that hit NHS Lanarkshire in Scotland, disrupting healthcare operations, has been identified as "Bit Paymer," a fairly recently discovered malware variant. Samples of Bit Paymer were posted to VirusTotal on July 11th. This ransomware is regarded as well-coded malware devised by programmers of some ability, much better than the repurposed commodity stuff most online crooks use. NHS Lanarkshire reports that its operations have largely returned to normal.

Dave Bittner: [00:06:24:23] Researchers have found that the Online spambot, known for distributing the Ursnif banking Trojan, holds some 711 million email addresses and 80 million SMTP credentials. The well-known victim registry site Have-I-Been-Pwned calls it the biggest batch of stolen credentials it can recall uploading. A lot of them are probably bogus, but even a fraction of 711 million is still a pretty big Twinkie. Where the addresses came from is unknown. There doesn't appear to have been any major breach or set of major breaches that could account for it.

Dave Bittner: [00:06:58:23] The UK retailer of second-hand tech, CeX, disclosed to its customers that up to two million of them may have had their personal details accessed by unauthorized parties. The usual advice applies: change your passwords, be on the qui vive for spearphishing, and so on.

Dave Bittner: [00:07:16:14] Taking a quick look at our Cyber Wire event calendar, Incident Response 17 is coming up in September and we're proud to be a media partner. Joseph Loomis is CTO at Cybersponse, and he joins us to tell us more.

Joseph Loomis: [00:07:29:04] It's really a way that the community can come together as one, to redefine how security no longer has to be such a manual process but more of a machine and person working together in a very tight relationship so that they can ultimately fight against the adversaries in the same manner, with an equal opportunity to defend themselves.

Dave Bittner: [00:07:49:18] Give us an idea of what people can expect from the conference.

Joseph Loomis: [00:07:53:00] They can actually expect a lot of workshop, a lot of knowledge transfer, education, best practices, networking is probably one of the most powerful things, where you have a mentee meeting up with a mentor that they can learn and build that relationship where you have the junior level executives and analysts meeting other senior, more experienced. So your minor leagues are meeting the major leagues basically and now they can build those bonds and relationships. They can work on recruitment, team-building. It's a combination of a workshop and consortium or movement.

Dave Bittner: [00:08:31:04] Can you give us an idea of what some of the sessions will be like?

Joseph Loomis: [00:08:34:06] A lot of the sessions are going to be talking about capabilities that products today can do to lever them in regards to helping them on the human capital side. A lot of the agenda specifically is going to be speaking to best practices that we have right now that are defined in the framework. For example, how do you select the right tools? How do you do proper vendor analysis and bake-offs? How do you simplify your practice and bring in the right consultant or framework? How do you actually use certain tools. Basically imagine if you were a carpenter and you were learning how to use a hammer and a skill saw. We're teaching them non-specifically around what tools to use, meaning by vendor title, how to use a hammer, period.

Dave Bittner: [00:09:23:23] So who are you targeting here? Who is the ideal attendee for the conference?

Joseph Loomis: [00:09:27:06] Three different tracks. We have the executive level track for the community. We have the managerial track, which is the person typically in the trenches with the team, almost like a sergeant. You have your analysts, which are your soldiers. If you look at it from sea level, there's your general managers are your sergeants and analysts are your soldiers. It's the first open community approach that's completely free to attend as long as you operate in one of those three capacities. You're executive at an organization, you're a manager in an organization of a team, or you're actually a team member. This is not a sales oriented event. It's an event that allows people to come and learn, not try to buy products.

Dave Bittner: [00:10:09:17] That's Joseph Loomis from Cybersponse. The Incident Response 17 conference is coming up in September, on 11th and 12th, in Pentagon City, Virginia. You can find out more at

Dave Bittner: [00:10:23:22] You may recall that last year St. Jude Medical, manufacturer of pacemakers and other healthcare devices, was embroiled in a conflict with security firm MedSec and stock speculators Muddy Waters. MedSec and Muddy Waters disclosed St. Jude device vulnerabilities in the course of shorting St. Jude stock. St. Jude patched some issues in January. It has done so again. The US Food and Drug Administration has approved a firmware patch for the company's pacemakers. The flaw it addresses is thought to affect some 465 thousand patients.

Dave Bittner: [00:10:58:24] In industry news, SolarWinds has made its first-ever acquisition, picking up Netherlands-based email security shop SpamExperts. The buyers in this case say they liked SpamExperts intelligence engine, a lot.

Dave Bittner: [00:11:13:21] Bugcrowd is getting a new CEO: Ashish Gupta will replace founder Casey Ellis. Ellis isn't leaving; instead, he'll become Chairman and CTO.

Dave Bittner: [00:11:24:16] LookingGlass Security Solutions has raised $26.3 million in mezzanine funding. Participants in this round included new investors Eastwood Capital and Triangle Peak Partners. The company also received additional investment from current backers Alsop Louie Partners, Neuberger Berman, and New Spring Capital. LookingGlass intends to use the funds for expansion into five continents. Antarctica, as always, seems to be the odd continent out.

Dave Bittner: [00:11:57:21] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you'll surely have heard a lot about artificial intelligence and machine learning, we know we have. E8 would like you to know that these aren't just buzz words. They're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to and let their White Paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz about artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. See what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at We thank E8 for sponsoring our show.

Dave Bittner: [00:12:52:03] I'm pleased to be joined once again by Robert Emily. He's the CEO at Dragos. Robert, we were talking about ICS stuff, industrial control systems. I think in general, when I describe you, I describe you as being a voice of reason in that industry. A lot of times when there's hype, I turn to you to cut through that hype and tell me do I need to be concerned or not. Tell me, when do I need to be concerned?

Robert Emily: [00:13:19:13] I do try to push back on a lot of the hype out there because I know that folks get scared pretty quickly sometimes without reason. But there are some cases where we should be concerned. I think one of those cases that we've seen was the crash override framework that my firm did analysis on from the attack that was used in 2016 to take down a portion of Ukraine's dark web. I don't think it's run to the hills build a bunker kind of concerning, but I think it's concerning in that acid owners around the world need to be paying attention. The reason for that is the adversary didn't just build malware that was taking advantage of vulnerabilities. A lot of what we look at in IT sometimes is very vulnerability-centric. This framework was really not taking advantage of knowledge of how we do electric operations. Last time we talked about stage one, stage two type kill chain and what does it really look like to a stage two ICS attack. Crash Override is a stage two attack. It's what it actually looks like to do disruption to industrial environment.

Robert Emily: [00:14:22:16] What's so concerning is there is no vulnerability to patch away. There's no fix to the system. The protocols are being used exactly as they should on the network. It is an aspect that an adversary took the time to learn how electric grid operations are run and put that knowledge into a framework that allows it equally to be disruptive. Right now, the Crash Override framework and that trade craft is immediately transposable to every electric and distribution power site in Europe, most of Asia, most of the Middle East and, with less than a day of development, scalable to North America. The balance here is it's light. It's going to be a couple of hours of outages. It's not good but it's not build bunkers. Our grid is actually really well prepared in the sense that we've built it very well to be able to bring it back if anything goes wrong. The downside is there is now public trade craft of how to do disruption and there's obviously an adversary interested. I think for that reason, grid operators need to be taking a little bit extra precaution and people outside of our community in our industrial environments need to be thinking about how you can lever the industrial environment against itself to achieve this.

Dave Bittner: [00:15:38:06] Robert Emily, thanks for joining us.

Dave Bittner: [00:15:42:20] That's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:15:54:08] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben. Our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.