The CyberWire Daily Podcast 10.30.17
Ep 465 | 10.30.17

Reaper looks like a criminal booter on the Chinese black market. BadRabbit shows some moves. Catch-All malicious Chrome extension. Android currency miners in Google Play. Indictments in Russia probe.


Dave Bittner: [00:00:01:10] Our thanks to everyone who's left a review for our show on iTunes and also for those of you supporting us on Patreon. You can find out more at

Dave Bittner: [00:00:13:18] The Reaper botnet is still quiet, looking like a booter-for-hire. BadRabbit shows some odd stealth, and some interesting strategic selectivity. A malicious Chrome extension steals everything you put on a website. Currency miners on phones seem to be the one kind of crime that doesn't pay, but that's not stopping crooks from stuffing them into Google Play. The first indictments in the US probe of Russian election influence operations are out, and a class action suit is filed over the Equifax breach.

Dave Bittner: [00:00:46:18] Time to take a quick moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future. They're the real time threat intelligence company, and their patented technology continuously analyzes the entire web to give Infosec Analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis, that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:49:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 30th, 2017.

Dave Bittner: [00:02:00:09] The Reaper IoT botnet remains puzzlingly quiescent. It may also be smaller than initially believed. Security company Check Point's tally of a million, widely reported last week, was based on extrapolation from an observed size of 30,000. It's not a bogus number, but it is an extrapolation. Other security firms have come up with lower infection totals. NetLab 360 initially put the total somewhere between 10,000 and 20,000 devices, now up to nearly 30,000. Radware and Ixia have arrived at numbers similar to NetLab 360's, but the botnet could expand swiftly. NetLab 360 reports observing a queue of about two-million devices vulnerable to exploitation by a Reaper control server. While most researchers see signs of amateur missteps by Reaper's developers, the botnet's development platform lends itself to attacks other than the expected DDoS. But as things stand, Reaper looks like a booter or stresser service intended for China's domestic DDoS-for-hire black market. That's Arbor Networks' assessment, anyway. They've told KrebsOnSecurity that, quote, "Reaper appears to be a product of the Chinese criminal underground. Some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone." End quote.

Dave Bittner: [00:03:23:11] Researchers at Morphus Labs are describing a new malicious Chrome extension that they're calling Catch-all. Catch-all does what its name suggests; it intercepts and captures all of a user's interactions with sites reached through the browser. Morphus researcher, Renato Marinho, has details up on the SANS Institute's Internet Storm Center Infosec Forum. He's been tracking malicious Chrome extensions for some time. This campaign, which has been observed in Portuguese language emails, phishes its way into victims' machines posing as an email with links to photos sent via WhatsApp. If you follow a link, you'll download a dropper which will present a bogus Adobe Reader install screen, and at that point Bob's your uncle - or rather, their uncle - since Catch-all will indiscriminately pull in all the data you enter into any website you visit.

Dave Bittner: [00:04:14:05] Security researchers are reporting an odd discovery about BadRabbit. FireEye and Cylance say the ransomware skips encryption if it detects Dr. Web antivirus software. Dr. Web published the same findings. Cylance thinks it's a stealth measure having to do with the way Dr. Web protects the master boot record, and that BadRabbit also keeps an eye out for McAfee products that operate similarly to Dr. Web's. FireEye thinks it looks fishy, and that BadRabbit may not be the typical criminal ransomware this spawn of NotPetya would have us think.

Dave Bittner: [00:04:47:00] FireEye's Nick Carr offered some perspective on what they think is up with BadRabbit. On the 24th, the company began to detect and block attempts to infect clients with a drive-by download posing as a bogus Flash update. Carr said, quote, "The infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic web compromise campaign." End quote. FireEye has been seeing this sort of malicious JavaScript framework in the wild since February of this year, including its usage on several of the sites from today’s attacks. According to Carr, quote, "This framework acts as a profile that gathers information from those viewing the compromised pages, including host and IP address info, browser info, referring site and cookie from referring site. Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads." End quote.

Dave Bittner: [00:05:42:20] FireEye sees BadRabbit's approach as involving 'strategic web compromises' that enable attackers to select targets carefully and cease operations swiftly. Carr explained further, quote, "When we say strategic web compromises, this means an attacker hosts malicious code on an unknowing victim's website that is then used to infect the true targets. The websites are carefully selected for compromise so that they will have the most direct reach to the ultimate targets, with minimal collateral damage. In the case of BadRabbit, many strategic compromises were Eastern European travel and media websites used to then profile visitors and deliver the payload." End quote. India's Computer Emergency Response Team has issued a medium security alert for BadRabbit, which seems about right.

Dave Bittner: [00:06:32:22] It's not clear that mobile devices have the computational oomph to mine useful amounts of cryptocurrency, but that hasn't stopped the hoods from trying. Trend Micro reports a resurgence of Android miner malware in the Google Play store. They detect the malware as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER. They'll run down your battery and degrade performance.

Dave Bittner: [00:06:57:00] In industry news, cyber security startup Cryptonite has emerged from stealth - that's cryptonite with a C. With investment from Gula Tech Adventures and early stage support from the US Department of Homeland Security's Science and Technology Directorate, Cryptonite specializes in helping networks protect themselves, by containing infections and blocking lateral movement.

Dave Bittner: [00:07:19:09] US Special Counsel Robert Mueller this morning announced charges against two individuals emerging from the Russian influence probe. Paul Manafort, briefly President Trump's campaign manager during the run-up to the Republican convention, and Manafort's associate, Richard W. Gates, were indicted by a Federal Grand Jury, Friday, on 12 counts of conspiracy against the United States, conspiracy to launder money, unregistered agent of a foreign principal, false and misleading FARA statements, false statements, and seven counts of failure to file reports of foreign bank and financial accounts. More indictments are widely expected, and the US Senate and House are moving forward with investigations of activities surrounding political opposition research consultants, Fusion GPS.

Dave Bittner: [00:08:07:22] And in civil litigation, as night follows day, so does the plaintiff's bar follow the data breach. A class action lawsuit has been filed against Equifax on behalf of those who suffered identity theft as a result of the credit bureau's loss of their personal information. What took you so long, Counselor?

Dave Bittner: [00:08:31:10] Time for a message from our sponsors at E8. We've all heard a great deal about Artificial Intelligence and machine-learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine-learning are a lot more than just empty talk. Machine-learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of base lining. For a guide to the reality, and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present day payoff in terms of security. When you need to scale scarce human talent, AI and machine-learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:34:22] And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You brought to my attention a recent Ponemon study on third party breaches, and an interesting narrative there. It was sort of, 'not your breach, but it's still your problem'. Take us through what we need to know here.

Emily Wilson: [00:09:54:12] Absolutely. The 'not your breach, still your problem' is definitely a topic that keeps coming up again and again. We're seeing, obviously, industry-wide more people looking at and feeling the impacts of data breaches. And typically people are thinking about the con--you know, people are concerned about breaches. You know, "Hey is, is this my data and, more specifically, is this my problem, is this my system?" But, you know, companies don't always have the benefit, and call it a benefit, right, of it being something that they can control or they can contain. And Ponemon's looking at data around how people are assessing and evaluating, not only third party risk, but what they're calling Nth party risk. The third parties you trust with your data, then who are they sharing that data with?

Dave Bittner: [00:10:39:00] And how can you get control over that? Is it, is it a matter of disclosure? That basically anyone, anyone you do business with, who has access to your data, you require them to tell you who they're going to share the data with and how?

Emily Wilson: [00:10:51:21] That's one approach to it, and Ponemon has a, a nice breakdown. I, I would encourage--I know plenty of the listeners are going to be familiar with the Ponemon reports. This one's from September this year: Third Party Risk Ecosystem. I'd rec, I would recommend reading it. You know, they talk about different ways companies are approaching this, and some of it is in contractual language; but then also, you know, a lot of this relies on a third party disclosing to you that they've had a problem, which means the third party needs to know that they've had a problem. And that's a, an entirely separate issue.

Dave Bittner: [00:11:22:07] Right, we've got--I mean, the statistics are sobering there, that it can take--I, I don't know what the current number is, but we've certainly heard up to a year, before you even know that someone has been inside your system.

Emily Wilson: [00:11:34:00] Right. And that ends up showing up in, in this report. Only 35% of respondents were confident that a third party would notify them if they'd had a data breach. And that drops down to 11% for an, an Nth party, right? Someone outside of a third party. And so when you look at that, if only 35% of the respondents were confident that a third party would share that with them, you know, how does that number drop even further when, you know, again, that's, that's notifying then when they know there's a problem.

Dave Bittner: [00:12:04:03] Are we heading towards this, this, this time when perhaps the safest approach is just assume that the data's been breached?

Emily Wilson: [00:12:11:05] I wish I could be as optimistic as saying that we are heading toward that time. I think companies need to now assume that they have been breached, or that one of their partners has been breached. As we've been seeing, even with a company like Yahoo!, you know, we, we recently heard that the, the number of accounts exposed there was even higher than we originally thought, and that dates back to, what, to 2014?

Dave Bittner: [00:12:33:15] Mm-hm. Mm-hm.

Emily Wilson: [00:12:34:15] So, you know, I think we're going to see, over the next coming years, we're going to, you know, continue to hear about breaches that people are discovering two or three years later. I, I think you absolutely have to assume that there has already been or soon will be a problem.

Dave Bittner: [00:12:48:16] Alright. Emily Wilson, thanks for joining us.

Dave Bittner: [00:12:53:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit A quick request to head on over to iTunes and leave a review for our show and to subscribe there. It is really one of the best ways you can help other people find The CyberWire podcast. We do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.