The CyberWire Daily Podcast 11.1.17
Ep 467 | 11.1.17

Ransomware old and ransomware new, but can you distinguish it from a wiper? Influence operations hearings on Capitol Hill.
Dave Bittner: [00:00:01:09] Remember, you can become more than just a listener of the CyberWire podcast, you can become a supporter. Visit and find out how.

Dave Bittner: [00:00:12:24] Ransomware in Japan may prove to be a wiper. Ukraine blames NotPetya operators Black Energy for BadRabbit. Pyongyang feels London is picking on it. Phishing Facebook in Nordic nations. Security firms sell their certificate authority business. Twitter won't sell any more ads to RT or Sputnik. And during hearings on influence operations, Senators wonder why Facebook wasn't suspicious when people paid for their advertising in rubles.

Dave Bittner: [00:00:46:00] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And, when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:40:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, November 1st, 2017.

Dave Bittner: [00:01:50:15] A new ransomware campaign, ONI, has been observed in operation against Japanese targets. Like a number of other apparent ransomware efforts, WannaCry and NotPetya prominently among them, ONI may blur the lines between ransom and simple disruption. Cybereason, which has been tracking ONI, says the ransomware - or wiper, if that ultimately proves a more accurate description - was deployed only to Active Directory servers, or to what Cybereason calls "critical assets".

Dave Bittner: [00:02:20:20] Ukrainian authorities speaking at a Reuters cybersecurity summit attribute BadRabbit ransomware to BlackEnergy, the threat group they also believe was behind NotPetya. There's no surprise in this, as Russia has long been the principal suspect in these attacks. Ukraine, and many security experts, believe BlackEnergy operates in the interest and under the direction of the Russian government. Moscow denies this, as it denies carrying out cyberattacks against Ukraine.

Dave Bittner: [00:02:49:19] A North Korean spokesman has denounced the UK's attribution of WannaCry ransomware to Pyongyang as a "wicked attempt" to ratchet up sanctions against North Korea. But global banks are not disposed to take the DPRK's protestations of innocence at anything approaching face value. The financial sector is taking steps to secure itself not only against the sort of SWIFT exploitation that diverted millions from Bangladesh Bank's holdings through fraudulent wire transfers, but also against the more destructive wiper malware the DPRK has deployed against other targets.

Dave Bittner: [00:03:26:13] Security firm Webroot has just blogged its picks for the ten worst ransomware infestations of 2017. They are, counting down from number ten: Jigsaw, which deletes one of the victim's files every hour; Cryptomix, spread mostly through exploit kits; Cerber, which has made its mark in the ransomware-as-a-service market; Spora, spread through a bogus Chrome update that pops up from compromised legitimate websites; Jaff, still appearing in new variants; Nemucod, famous for its fake shipping invoice emails; CrySIS, a nasty little piece of work that also removes automatically backed-up files; and then, in order, the big three: Locky, WannaCry, and NotPetya. Those are the worst of 2017 so far, but we still do have two months left to go.

Dave Bittner: [00:04:15:16] Returning to the two Koreas, there's also some more traditional cyber espionage news. A South Korean lawmaker has accused the North of stealing sensitive warship plans.

Dave Bittner: [00:04:26:18] When it comes to cybersecurity, medical devices have the added complication of sometimes having people's lives on the line, and a typical hospital can have hundreds or even thousands of devices with varying degrees of connectivity and vulnerability. Deloitte recently conducted a survey of medical professionals to gauge their understanding of the risks of connected medical devices. Russell Jones is National Co-Leader of Medical Device Safety and Security for Deloitte.

Russell Jones: [00:04:54:08] One of the questions was, "What do you think is the biggest challenge facing the medical device industry with regard to cybersecurity?" 30.1% of the respondents said that identifying and mitigating the risk of fielded and legacy devices was probably the biggest challenge they're facing around, you know, medical device cybersecurity.

Dave Bittner: [00:05:13:07] Is that a matter of, of sort of the unknown unknowns out there in, in their facilities? That there are devices that are connected, that they don't really know what the vulnerabilities might be?

Russell Jones: [00:05:22:23] The big problem, I think, in the industry both with healthcare delivery organizations and with device manufacturers, is asset management, right? So, for healthcare providers, if you go talk to the Head of Clinical Engineering or Biomed Engineering, they can tell you the overall population of medical devices throughout the hospital or throughout the health system, but it's a little bit harder to get their arms around what is the subset that are connected medical devices. And then, you know, even if they've got a handle on that subset of, you know, devices that are connectable, right - either connected to the network or could be connected - then having the ability to kind of do security risk assessments to those devices, understanding what the actual true, you know, risks are, impacting patient safety or, or confidentiality of patient information, and then being able to actually do something about it in terms of, you know, putting controls in place and the like, that's the, the struggle right now, you know, in the US healthcare system.

Dave Bittner: [00:06:27:07] Is there any sense that the situation is getting better or worse, or, or, is it sort of staying at an even level?

Russell Jones: [00:06:35:08] I would say at this point, there is acknowledgment and recognition and a lot of coverage in the media about the issue, but I think many organizations are still struggling with really being able to get a handle around the issue, particularly healthcare providers, because of things like not having the funding, you know, necessary to go and deal with the problem, or having the capacity or the, the expertise to be able to go deal with the problem. You know, there are some healthcare organizations that have a pretty good approach to deal with the problem, and they are actually working the problem; but when I look at the overall US healthcare system, over 6,000 plus hospitals, the vast majority are struggling, you know, dealing with the issue today.

Dave Bittner: [00:07:20:22] And I see in your report, Deloitte has some recommendations. Can you take us through those?

Russell Jones: [00:07:27:15] So I would say that, that one of the most important things to do is to conduct security risk assessments - whether you're a healthcare delivery organization or device manufacturer - to really understand what the actual cyber risks are to your, you know, medical devices, and then be able to really prioritize what your response is going to be to go and address those risks. Try to mitigate them through controls, security controls - whether they are technical or whether they are organizational, administrative - to really kind of get your arms around what kind of resources you're going to need to go and address, you know, the risk. What kind of funding you're going to need, you know, what kind of, you know, leadership are you going to need. What kind of support you're going to need from the device manufacturers if you're a hospital, you know, in order to conduct that kind of a risk assessment. Or if you're a device manufacturer, you know, security risk assessments of your own, you know, fielded devices, to really understand what those risks are and be in a better position to kind of help your customers, you know, the healthcare providers.

Russell Jones: [00:08:32:11] Another thing we talk about is having a document hierarchy. This is more of a recommendation for medical device manufacturers. By that, we mean having better documentation in place around the whole cyber risk, you know, security risk management of devices. Whether they're fielded, whether they are in the pipeline, or in the process of going through the product development lifecycle, you know, having good documentation in place around how you do security risk management for your devices, how you do incident response, you know. Having all the support and kind of like policy, procedures, standards and guidance in place, in a way that's more formal, right? To manage that, you know, risk around the devices through the whole development life cycle.

Dave Bittner: [00:09:23:13] That's Russell Jones from Deloitte.

Dave Bittner: [00:09:27:08] A phishing campaign underway in the wild is seeking to obtain Facebook or YouTube credentials. Security firm F-Secure has been tracking the crooks for two weeks as they've advanced slowly from Sweden to Finland to Germany. If you recall entering your credentials in response to a dodgy pop-up prompt, you'd do well to change them.

Dave Bittner: [00:09:47:22] Cyber companies continue to sell their certificate authority business. DigiCert has closed its purchase of Symantec's certificate authority unit. Comodo has also joined the trend, setting up a separate new company, Comodo CA, which will be owned by Francisco Partners, a private equity firm.

Dave Bittner: [00:10:06:19] There have been no further charges announced from US Special Counsel Mueller's investigation of Russian influence operations, beyond those released Monday morning; but more indictments are expected. The reach of the investigation appears to be spreading, and the various political operators who had to do with Fusion GPS - and there's no shortage of them - are feeling the discomfort of special-counsel heat. Congress is making pious rumblings about shoring up laws regulating lobbying firms that represent foreign clients.

Dave Bittner: [00:10:38:05] The US Congress is also continuing its own inquiry into influence operations, concentrating this week on the way in which Russian services used social media interactions to do whatever it was they were up to. The best informed opinion seems to hold that Moscow wanted to do what it's done for nearly a century: erode the credibility of Western institutions generally, and American ways in particular.

Dave Bittner: [00:11:01:17] Twitter, embarrassed by ways in which its platform served as a megaphone for various Russian trolls and media outlets, has announced that it will no longer accept advertising from either RT, formerly Russia Today, or Sputnik News. Both media outlets will still be able to tweet, just not buy ads. We heard from the Media Trust's Chris Olson, who sees this as a step toward Twitter's establishment of more controls over its service. Olson said, quote, "They have identified two parties whose activity is not clear, with behavior possibly violating company ethos, if not direct policies, and blocked them. As the situation continues to unfold, there will be more buying entities blocked from more digital platforms." End quote.

Dave Bittner: [00:11:45:22] Facebook has been front and center on the Capitol Hill hotseat this week. The company revised its estimates upward about how many people saw Russian ads targeted at the 2016 US Presidential election. They now believe about 126 million users saw the ads. The Media Trust's Olson commented on Facebook's testimony as well. He said, quote, "One thing is clear from the ongoing Senate Judiciary and Intelligence Committee hearings, Congressional leaders are very concerned that buyers of political ads on digital platforms are not subject to the same disclosure rules as traditional broadcast media." End quote. And by that he means, such familiar tropes as, "I am Senator Foghorn, and I approve this message." Congress is considering a proposed Honest Ads Act to bring comparable transparency to online advertising. Olson continued, quote, "This means any consumer-facing website or mobile app operator should know their buyers and buyer activities. They should not only enforce digital policies, but also continuously monitor compliance and terminate relationships with offenders." End quote.

Dave Bittner: [00:12:52:07] One of the pieces of testimony that gave Senators an opportunity to roll their eyes was this: not only did Russian ad buys come from the Internet Research Agency St. Petersburg troll farm, but said trolls even paid for the ads in rubles. That's rubles, not even Voppercoin, still less Yankee greenbacks. As the Senators might have put it, "Slava Putinu. Mr. Zuckerberg, didn't that raise any eyebrows at 1 Hacker Way, Menlo Park?"

Dave Bittner: [00:13:26:21] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning; we know we have. But E8 would like you to know that these aren't just buzzwords. They're real technologies, and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. So go to and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz about Artificial Intelligence isn't about replacing humans, it's really about machine-learning, a technology that's here today. So see what E8 has to say about it, and they promise you won't get a sales call from a robot. Learn more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:14:22:07] And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute, he's also the host of the ISC Stormcast podcast. Johannes, welcome back. You wanted to share some information about some honeypots. What do we need to know?

Johannes Ullrich: [00:14:36:09] Yeah. Really one technique that is gaining more and more steam, sort of, on the defensive side is the idea of deception. Now, deception itself isn't new - you mentioned honeypots. Honeypots have been used historically, mostly by researchers, but not so much in enterprises in order to defend your networks. However, hunt teams have found it more recently to be really, really useful to have some bait left in the network in order to identify hackers. In particular when it comes to identifying malicious insiders, this technique has been shown to be quite useful.

Dave Bittner: [00:15:15:17] And so, what's the technique? How do you implement it?

Johannes Ullrich: [00:15:18:05] So, one way, for example, this technique is implemented is by leaving documents on workstations that include a little web bug. Now, you're probably familiar with web bugs - these are these little images that are being downloaded from a web server in order to track whether or not someone opened a document. Now in this case, they're being used to trigger an alarm whenever one of these documents is being opened. So, for example, you would leave documents on your network that have enticing names, like Business Proposals or Passwords and the like, and then you are setting up a web server that will send you an alarm whenever that web bug inside this document is being triggered.

Dave Bittner: [00:16:00:22] So, the web bug is just a little image that's, I guess, remotely hosted and so whenever that file gets called for, that's what triggers the alarm?

Johannes Ullrich: [00:16:12:10] Correct. That's what's happening, and that gives you a good indication that this particular workstation has been compromised. So this is not a technique that requires any specific malware techniques. It's really trying to detect an attacker that is already in your network, which of course is why you typically set up these hunt teams, in order to identify attacks that have already succeeded to some extent and penetrated your network somewhat. The big advantage here is that you really shrink down the time it takes you to detect these attacks. You will probably have seen these reports from Verizon and others that it takes months for companies to detect attacks like this. With techniques like this, this can often be shrunk down to days.

Dave Bittner: [00:16:55:17] I see. All right, interesting information, as always. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:17:03:18] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help you using Artificial Intelligence, visit

Dave Bittner: [00:17:15:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.