The CyberWire Daily Podcast 10.19.17
Ep 458 | 10.19.17

Leviathan group exploits patched .NET flaw. North Korean cyber ops. Russian suspicions. Cutlet Maker ATM malware, Sockbot Minecraft malware. Ransomware and backups.


Dave Bittner: [00:00:01:02] Thanks again to all of our Patreon subscribers. If the CyberWire is something that makes you feel more informed and safer every day, we hope you'll check out our Patreon page. It's at

Dave Bittner: [00:00:15:07] A cyber espionage campaign exploits a recently patched.NET vulnerability as Leviathan phishes with torpedo recovery programs. What does Pyongyang want in cyberspace? Apparently a lot of the same things it wants in physical space. Some observers think Putin thinks the Americans started the whole destabilization struggle. Cutlet Maker malware jackpots ATMs. We check in with Dinah Davis from Code Like A Girl dot IO. The BoundHook stealth tool is demonstrated. Ransomware is still a threat. And a New York Judge thinks the NYPD didn't get the memo about the importance of backups.

Dave Bittner: [00:00:56:07] Time for a message from our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire Web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive, and your intelligence more comprehensive and timely; because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the Web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:09:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 19, 2017.

Dave Bittner: [00:02:20:13] A recently patched .NET vulnerability - CVE-2017-8759 - is being exploited in the wild by a threat actor believed to be operating from China, possibly under Chinese government control. Most recently, Proofpoint has seen this threat group active against a US research center and shipbuilding industry targets. Proofpoint is calling the cyber espionage group Leviathan. Leviathan is using torpedo recovery programs as their phishbait.

Dave Bittner: [00:02:50:10] F-Secure last year observed the group's NanHaiShu malware deployed against Philippine targets. F-Secure hasn't attributed the activity to the Chinese government, but others perceive connections between the threat actor and attempts to advance Chinese interests in disputes over territorial waters in the South China Sea. Those disputes have been with many of the nations bordering what every country, save China, regards as international waters, but the Philippines have been particularly affected.

Dave Bittner: [00:03:19:11] What's North Korea up to in cyberspace? By general consensus, little good. Writing in the Diplomat, two George Washington University experts, Frank Cilluffo and Sharon Cardash, argue that Pyongyang's intentions must be understood in the context of that country's perceived self-interest. Why the ongoing involvement of the Lazarus Group with theft, most recently another bank heist? Cilluffo and Cardash point out that North Korea's missile and nuclear ambitions are expensive and the country is cash-strapped. They also argue that the DPRK's development of a non-negligible cyber capability is an attractive tool the Kim regime can use to make up for it's conventional military shortfalls.

Dave Bittner: [00:04:01:04] But as always, attribution is murky. Security firm Trend Micro, which does a great deal of work in East Asia, points out that North Korean computers are as hackable as anyone else's, and that they're susceptible to manipulation into false-flag, or simple criminal operations. So the caution is a useful one: a cyber Tonkin Gulf incident is as much to be deplored as a cyber Pearl Harbor. Still, all things considered, security specialists in government and out of it do well to keep a close eye on North Korea.

Dave Bittner: [00:04:33:08] Russian President Putin has long had a number of beefs with the United States, but apparently some diplomatic activity in January 2012 really set Mr Putin off. Specifically, the newly appointed US ambassador to Moscow held some prominent meetings with dissident and opposition leaders. Reports indicate that Putin perceived the ambassador's meetings as the opening shots of an American campaign to destabilize the Russian government, with some observers dating the beginning of his strong interest in influence operations to that episode.

Dave Bittner: [00:05:06:18] The ATM malware Cutlet Maker is able to jackpot the cash machines - a video of what this looks like is available on Bleeping Computer - and Kaspersky has found it for sale in criminal markets for $5,000. Cutlet Maker comes bundled with a password generator, and an app that can tell the crooks what's inside the particular ATM they're working.

Dave Bittner: [00:05:28:20] With the ongoing shortage of qualified candidates for cyber security jobs, businesses struggle to attract and retain women and minorities to the industry. Dinah Davis is Director of R&D at Arctic Wolf Networks, and founder of Code Like A Girl.IO. Code Like A Girl describe themselves as "a space that celebrates breaking down society's perceptions of women in technology." We check in with Dinah from time to time throughout the year, for updates on the Code Like A Girl community.

Dinah Davis: [00:05:58:06] One of the hard things is always talking about the hiring pipeline, right? There's even fewer women in security than there are women in tech; and how are we going to change that pipeline issue? And I think that like some positive things are we are seeing change there. Anecdotally - I'm sure we could get the data - but anecdotally, I am seeing more women graduate, more women being influential in, in the first couple of years out of school. I think we still have a huge gap in the, like, ten to 15 year experience. That's like where there was no recruitment done. Focus towards getting more women in computer science.

Dinah Davis: [00:06:37:00] We have these amazing women from the 80s, when we had higher rates of women in technology, who, who were pioneers for us, but we had this massive drop in the early 90s that persisted really until just maybe like three years ago. And even, you know, the upside on that isn't, isn't huge. It's not like we're gone from 20% to, like, 40%. We might be gone from, like, 20% to 25% at schools that have been focused on, on changing that ratio. So it's good, like, the pipeline is, is getting bigger. I think we are starting to fix that problem, but when you're looking for experienced women, you still--it's really hard to find them. And the women who are there, they're amazing. They're, they're highly sought talent, right? So they're, they're getting asked for multiple jobs, or recruiters are always asking them to come and interview, because everyone wants to increase their gender diversity, but, but it's not there.

Dave Bittner: [00:07:33:08] In terms of the, the Code Like A Girl community, are people optimistic that the, the workplace environments that they'll be going into have sufficiently changed? That it's going to be a kind of place where they want to stick around?

Dinah Davis: [00:07:45:13] Well, I would love to say yes, but I'm not sure we're there yet. I think that's in evidence from a lot of what's been in the news over this past spring, with Susan Fowler and some of the newer things that were happening this summer. I don't think that, that we are there, but there's much more awareness of it than there ever was before. And when women bring things forward now, they are being taken seriously whereas, you know, two or three years ago you look at that Ellen Pao case, and she lost. I don't think Ellen would lose today.

Dave Bittner: [00:08:21:12] As someone who does hiring, what do you wish that some of the men who do the hiring in our industry knew?

Dinah Davis: [00:08:28:02] That women will not necessarily brag about themselves enough in an interview, and that that will make them look like they maybe are not be as good as the men, when that is not the case. I think there's just a sense of us--we don't want to overstate our ability, we want to be very honest. And while it's not that the men aren't being honest, they're just more confident about it. So I mean, even for myself, I make sure when I go into interviews, when I've been interviewing, and push myself to, like, pretend I'm talking about my best friend instead of talking about myself. And how would I explain myself as my best friend instead of as myself? And I probably highlight things a bit more, probably be little less humble, right? Because you're showcasing yourself in an interview. You're not there to show who's the humblest, you're there to, like, really show the talent you have. And I think that that comes a bit more naturally to some men - not all men, but to some men - than it does to women.

Dave Bittner: [00:09:26:12] That's Dinah Davis from Code Like A Girl. You can check out all of their resources at codelikeagirl dot io.

Dave Bittner: [00:09:34:17] CyberArk describes a proof-of-concept it's calling BoundHook, that enables post-intrusion application hooking and stealthy manipulation in Intel's Skylake microprocessor. Microsoft calls BoundHook more stealth technique than exploit, since it functions to conceal activity in an already compromised machine.

Dave Bittner: [00:09:54:10] More malicious apps surfaced in Google's Play Store. Among them Sockbot, malware that ropes Minecraft-playing devices into a botnet.

Dave Bittner: [00:10:03:20] Locky seems to be holding its place atop the ransomware leaderboard. Locky ransomware's constants appear to be a close association with Necurs, and the dissemination of an awful lot of spam, according to a Trend Micro study.

Dave Bittner: [00:10:18:01] And finally, in a story that's ripped from the wait, it actually is a headline. Anyway, a New York judge is shocked to learn that the NYPD's large evidence database isn't backed up. The headline in question appears in Ars Technica, which reports that the New York Police Department's Property and Evidence Tracking System - PETS - is in effect a single point of failure. If it went down, were corrupted, or say it were hit with ransomware, the NYPD would lose everything stored therein. We'll give the last word to Manhattan Supreme Court Judge, Arlene Bluth: "That's insane," she simply told the ADA. If it pleases the court, your Honor, you're right. That's insane.

Dave Bittner: [00:11:05:23] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than Artificial Intelligence; unless maybe it's machine-learning. But it's not always easy to know what these could mean for you. So go to and see what AI and machine-learning can do for your organization's security. In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable, and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine-learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.

Dave Bittner: [00:12:00:09] And I'm pleased to be joined once again by Ben Yelin, he's a Senior Law and Policy Analyst at the University of Maryland's Center for Health and Homeland Security. Ben, we had a story come by from Wired, really taking a look at President Trump's cyber security Executive Orders so far. It's been a few months since the order came out and we're sort of taking stock of what's happened, so bring us up to date here.

Ben Yelin: [00:12:23:09] Well, it was received very well when it was first put out on May 11th, it got bipartisan praise. He had claimed during the campaign that he was going to come up with a cyber security Executive Order in the first 90 days, and though it was a little late he ended up fulfilling that promise, which I think was significant. The criticism has started to mount since the Executive Order was enacted. For one, the administration has missed some of it's self-imposed deadlines, and at least according to some experts, many agencies are still in their planning and information-gathering stages. Which is fine, but time starts to become a factor, especially when we've had what this, this article calls, "destabilizing cyber attacks." We had the WannaCry attack, the NotPetya ransomware outbreak this summer, we've had attacks on the integrity of our election systems. So, the criticism now is focusing on how quickly the policies, which have received bipartisan praise, are actually going to come to fruition.

Dave Bittner: [00:13:24:09] And what kind of teeth does the policy have in terms of pushing, you know, the agencies along to meet the deadlines?

Ben Yelin: [00:13:31:22] Well, you know, Executive Orders don't carry the same weight as Federal Statutes. They are sort of self-imposed. I don't think any individual who would potentially be affected by this, this Executive Order, would have the standing to sue based on any of these delays. So it is sort of self-enforced, which is why it's particularly difficult. One of the problems they've been having, and this is true across all agencies, is staffing. The Administration has been very slow to staff some of these agencies. I know this article mentions NIST as one of the agencies that's had problems staffing. And then, he also has a number of councils, including a national infrastructure advisory council which advises DHS on matters of cyber security, in which we've seen some members resign over unrelated political issues, and also based on the slow implementation of this Executive Order. So when you start to lose that expertise, both the private sector members that sit on some of these boards, and you fail to staff up some of these public agencies, that's when we'll really start to see some of these delays.

Ben Yelin: [00:14:39:14] Stakeholders are starting to get concerned that the Federal response is not keeping up with the threats that we're facing. They don't want us to have to wait for some of 911 type cyber event where, metaphorically, everything comes crashing down. That's the worry that many of the stakeholders have on this issue.

Dave Bittner: [00:14:57:12] Ben Yelin, thanks for joining us.

Dave Bittner: [00:15:01:15] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit

Dave Bittner: [00:15:18:18] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.