The CyberWire Daily Podcast 9.5.17
Ep 427 | 9.5.17

Influence operations in Germany. More Turla. KHRAT looks like political spying. Exposed AWS S3 and MongoDB databases hit. Ransomware notes. Cyber gangland rumbles.


Dave Bittner: [00:00:01:04] We know a lot of you value the CyberWire, and that it helps you do your jobs better, and we hope you'll check out our Patreon page at, and become a regular supporter. Thanks.

Dave Bittner: [00:00:15:01] Election influence ops begin in Germany. Turla's spoor is tracked to the Pacifier APT. Cambodia takes an authoritarian turn, possibly extending to domestic spying via RAT. Rival jihadists remain active online; US Cyber Command working to deny them cyberspace safe havens. There are more exposed AWS S3 databases. MongoDB databases are hit with a ransom wiper. PrincessLocker and Locky ransomware continue to romp in the wild. A free RAT backdoors criminals. And a disgruntled customer doxes a booter service.

Dave Bittner: [00:00:56:09] A quick note from our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices, too. Did you know that, while we might assume supervised machine learning, where the human teaches the machine, might seem to be the best approach, in fact, unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload, and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:02:02:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, September 5th, 2017.

Dave Bittner: [00:02:11:24] German authorities have long been concerned about the security of the Federal elections, scheduled for September 24th, and have sought to increase cyber readiness appropriately. Election-related cyber operations appear to have begun. Julia Klöckner, leader of Chancellor Angela Merkel's Christian Democratic Union, says the political party's website was hit with 3,000 attacks yesterday. The kind of attack was unspecified. It's not yet publicly known whether they were probes, DDoS, or what have you, but Klöckner says they originated from a large number of Russian IP addresses.

Dave Bittner: [00:02:46:23] That's circumstantial evidence of Russian involvement, of course, but Russian attempts to erode confidence in German elections and the country's political system as a whole have long been expected. German security services have been preparing for such an eventuality over the past year.

Dave Bittner: [00:03:02:19] With the elections less than three weeks away, influence operations will bear watching. Polls continue to give Chancellor Merkel's party a comfortable lead over its Social Democrat rivals.

Dave Bittner: [00:03:15:02] More research exposes other activities attributed to Russian intelligence services. Last week the Bratislava-headquartered security firm ESET described renewed Turla activity. On Friday, researchers at the cybersecurity company Bitdefender connected the Pacifier APT to the Turla Group. Bitdefender has been tracking Pacifier since 2016, and says the Advanced Persistent Threat had been active since 2014 at least. Its dropping of multistage backdoors is consistent with other reports of activity by Turla.

Dave Bittner: [00:03:49:17] Cambodia's government has been taking an increasingly authoritarian turn with respect to political discourse recently. Prime Minister Hun Sen on Sunday ordered the shuttering of the country's major opposition newspaper, the Cambodia Daily. The government had earlier closed some 15 radio stations broadcasting the Voice of America and Radio Free Asia.

Dave Bittner: [00:04:10:23] In a development that may be related to tighter censorship, a wave of KH Remote Access Trojan infections is moving across Cambodia's networks. KH RAT is not, apparently, criminal in motivation the way most similar RATs are. Instead, it appears designed to establish surveillance over domestic political opposition.

Dave Bittner: [00:04:31:07] Researchers at Palo Alto Networks Unit 42 report that this particular campaign first surfaced in June of this year. The most recent wave is using spam and phishing emails, many of which are baited as information about the Mekong Integrated Water Resources Project, to compromise machines and steal information that includes the system's language and IP address. It uses keylogging, screenshots, and remote shell access to observe user behavior. It also uses a bogus Dropbox cloud storage service that in fact directs to a Russian IP address. The actors behind the campaign appear interested in refining their target list, probably as battlespace preparation for a more focused spearphishing campaign.

Dave Bittner: [00:05:14:24] Unit 42 doesn't attribute KH RAT to the Cambodian government, while they do note that the malware has been hosted on a Cambodian government site. That in itself could mean little. After all, ransomware has found its way on occasion onto US Government sites. The researchers do think that the group behind the campaign is sophisticated and that it bears watching. As they put it on their blog, "We believe this malware, the infrastructure being used, and the TTPs highlight a more sophisticated threat actor group, which we will continue to monitor closely and report on as necessary."

Dave Bittner: [00:05:51:03] Sometimes rival, sometimes cooperating jihadist groups continue online recruiting and inspiration efforts. US Cyber Command is said to be conducting cyber operations that mirror US kinetic action against ISIS. The intention is to deny the caliphate physical and virtual safe havens.

Dave Bittner: [00:06:09:16] More misconfigured AWS S3 buckets expose information that ought to have remained private. UpGuard found resumes submitted to security firm TigerSwan exposed by recruiting vendor TalentPen. Kromtech researchers found user information belonging to Time Warner Cable customers exposed by Broadsoft, which developed Time Warner Cable's MyTWC app. It's worth noting that in both cases the party responsible for the data exposure is a third-party vendor, which again highlights the risks inherent in the data supply chain.

Dave Bittner: [00:06:44:00] A large-scale ransom campaign has hit MongoDB databases. Security researchers call it a continuation or resumption of the MongoDB Apocalypse that began last December and continued into early spring. The attackers are searching for exposed, accessible MongoDB databases, wiping their contents, and replacing the missing content with a ransom demand. Three criminal groups appear to be active. 26,000 servers have been affected, with one group, presumably the bigfoot of the criminal trio, responsible for hijacking 22,000 of them.

Dave Bittner: [00:07:19:21] The attacks come at an unfortunate time for MongoDB. Last month the company quietly filed for an IPO that would take it public before the end of 2017. The expected valuation is thought to be at least $1.6 billion.

Dave Bittner: [00:07:35:11] Other ransomware currently endemic in the wild include PrincessLocker, now being distributed via the RIG exploit kit, and, of course, a recently evolved version of Locky, which is particularly spooking enterprises in India. The Indian government has warned users to be on their guard.

Dave Bittner: [00:07:53:14] Finally, in cybergangland there are some currently running beefs among those who trade in the black markets.

Dave Bittner: [00:08:00:03] Security firm Zscaler has been watching a newish remote access Trojan, Cobian RAT, whose developer is offering a "free builder" that would let other crooks develop custom versions of the malware for their own use. That same developer, Zscaler says, has also included a back door to his own command-and-control infrastructure. Cobian hasn't been much of hit in markets anyway. Its functionality, particularly a buggy keylogger, isn't really up to criminal snuff, but news of the back door will probably make it a hit on the market.

Dave Bittner: [00:08:33:02] And the DDoS booter service TrueStresser - we'll call them gray hats, since it's possible to imagine legitimate uses for what they offer - has been hacked by a hacked-off customer who late last Thursday uploaded a bunch of stolen data to Hashbin and Pastebin. His message to TrueStresser is worth quoting as an example of what poor customer service can draw upon any provider, legitimate or, in this case, illegitimate. We bowdlerize the language because, of course, we're a family show, but connoisseurs of potty-mouths can easily infer the original. We quote: " [SIC] Truestresser database leaked, [effing] scammers that's what happen when you ban people for no reason and you dont know how to manage your site, [what the heck, fellows] all php files downloaded when I went to that [scatological slang] but hey who cares here is all the info." So there. Be nice to your customers. One side note: it appears that TrueStresser is renting infrastructure from another DDoS stresser service,

Dave Bittner: [00:09:39:05] Now, I'd like to mention an offer from our sponsor, ThreatConnect. You've heard a lot, if you work in security, about orchestration. Well, maestro, take it from ThreatConnect that the tempo of cyberoperations is decidedly prestissimo, and that's very, very fast indeed. To keep up with that pace, you need to harmonize threat intelligence with analytics and orchestration. That's how you'll get the context and insight to make sound, timely decisions, put the stress on the right events, and automatically tune your security controls to keep your enterprise making its beautiful music. You can learn all about this in ThreatConnect's September 14th webinar. Register at Andy Pendergast, ThreatConnect's Vice President of Product, and John Oltsik, Senior Principal Analyst at the Enterprise Strategy Group, will give you the score. That's Thursday, September 14th, 1:00 PM Eastern Time. Registration is free, and it's at And thanks again to ThreatConnect for sponsoring the CyberWire.

Dave Bittner: [00:10:44:12] And I'm pleased to be joined once again by Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he also hosts the ISC Stormcast podcast. Johannes, welcome back. You had an interesting topic today. You wanted to talk about DDoS extortion emails?

Johannes Ullrich: [00:10:59:16] Yeah. DDoS extortion emails is something that doesn't seem to go away. Now, about two years ago, we had some very active groups that performed very powerful DDoS attacks against banks and the like. And there are now a lot of copycats here, for this particular scheme. But they don't actually have the capability to launch these large DDoS attacks. Instead, what they do is they sent an email asking for an unspecified number of bitcoins in order to prevent a Denial of Service attack. And they just hope that the victim will pay up, never realizing that the criminal here doesn't actually have the capability to launch these Denial of Service attacks.

Johannes Ullrich: [00:11:44:13] What we have seen in a couple of cases is where the criminal actually does launch a very small, short Denial of Service attack. It's just usually five minutes or so, in order to demonstrate their firepower. Typically, this is really just meant to scare the victim. The Denial of Service attack is pretty small and not too difficult to defend against. But again, a small Denial of Service attack like this may scare the victim into paying up. So, this is a little bit game of nerves here, where you just have to sit tight and hope for the best, that if you do receive a letter like this, that the actual Denial of Service attack will not happen. Paying up typically is the wrong thing to do here, because it does not prevent additional demands that will arrive later. It wants to figure out that you are easily scared into paying up to these demands.

Dave Bittner: [00:12:41:10] And so beyond just sort of hoping that it's not the real thing, what kind of protections can an organization put in place to protect themselves against DDoS attacks?

Johannes Ullrich: [00:12:50:23] Given the frequency and ubiquity of these DDoS attacks, you definitely should have your defenses in place. And defenses usually mean that you have to sign up for some kind of DDoS prevention service. The problem with real and powerful DDoS attacks is there's really not much that you can do on premise within your own network to defend against it. You need your ISPs. You need outside providers to filter the traffic as far away from your network as possible.

Dave Bittner: [00:13:24:14] So, are these folks generally targeting larger businesses, or smaller businesses, who might not have the sophistication to protect themselves?

Johannes Ullrich: [00:13:33:01] The fake letters, we have seen against all kinds of businesses. They seem to be targeting, a little bit, businesses that are likely to be attacked, like financials. Now, sometimes they also try to hit businesses at very critical points in time, like large traffic days, or for example e-commerce businesses around the holiday season, where you do have a lot of business happening. And that, of course, makes these businesses particularly vulnerable.

Dave Bittner: [00:14:02:05] Alright. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:14:06:19] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out

Dave Bittner: [00:14:19:09] If you find this podcast valuable, we hope you'll consider becoming a contributor. You can go to to find out how.

Dave Bittner: [00:14:27:18] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jenifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.