The CyberWire Daily Podcast 11.3.17
Ep 469 | 11.3.17

BadRabbit misdirection? Fancy Bear's wish list. AWS misconfigurations. Data breach notes.


Dave Bittner: [00:00:01:06] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:18] Bad Rabbit looks like misdirection. Fancy Bear's wish list is out and it's very long and very global. US prosecutors may be preparing to indict half a dozen Russian officials in the DNC hack. Malaysia continues to recover from a major series of data breaches. GhostWriter poses a man-in-the-middle threat to AWS users who misconfigure their accounts. And it was Halloween, but the ShadowBrokers weren't much in evidence. Perhaps they were unrecognizable in their Wonder Woman and Mighty Thor costumes.

Dave Bittner: [00:00:49:10] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and more. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:51:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, November 3rd, 2017.

Dave Bittner: [00:02:01:08] BadRabbit's odd behavior, sophisticated, noisy, and brief, may have an explanation. It appears the campaign may have been misdirection, or at least that's the way it looks from Kiev. Ukrainian police have told Reuters that the same threat actor behind the ransomware campaign operated a quiet phishing campaign during BadRabbit's activity. The goal, investigators think, was to obtain undetected remote access to financial and other confidential data.

Dave Bittner: [00:02:29:01] Ukraine believes the actors behind BadRabbit to be the same Russian security services responsible for NotPetya. Researchers at cybersecurity firm Webroot rate NotPetya as a nastier piece of work than its rough contemporary, WannaCry, which by comparison was a crude and primitive effort. The enduring concern about NotPetya accounts for more than a little of the concern with which BadRabbit was immediately greeted.

Dave Bittner: [00:02:55:09] The AP publishes what it characterizes as a "hit list", and by that we mean a long list of hacking targets, not of people marked for assassination, so maybe "wish list" might be better. It comprises Fancy Bear's persons of interest. It is a long list, casting a wide, indeed global net, and goes far beyond Fancy's notorious interest in the Clinton campaign. Many of the people on the list are the sort who would be prospected in classical espionage operations. Aerospace and defense sector workers are on the list, as are political figures from both major US parties, Democrats in the majority, but Republicans also represented, the Papal nuncio to Kiev, and the Ukrainian Army officer who wrote that Android gunnery app, POPR D-30, whose compromise CrowdStrike reported last December. Fancy Bear, as longtime listeners will know, is widely believed to be a unit of Russia's GRU, the country's military intelligence establishment.

Dave Bittner: [00:03:55:06] Fancy Bear has also been active recently in phishing Bellingcat, a journalistic organization that pays considerable attention to Russian affairs. In this case they've been using Blogspot to mask their credential harvesting efforts.

Dave Bittner: [00:04:10:12] US prosecutors have identified at least six Russian government officials allegedly involved in the Democratic National Committee hack during the last election cycle. Indictments are expected early next year. This investigation is distinct from the inquiry being carried out by Special Counsel Robert Mueller.

Dave Bittner: [00:04:29:11] Security researchers at Skyhigh Networks are warning of "GhostWriter," a vulnerability in which misconfigured Amazon Web Services S3 buckets are not only exposed to public view, but can also be exploited in man-in-the-middle attacks. About 4% of the buckets accessed from within enterprise networks are thought to be susceptible to GhostWriter, Skyhigh says.

Dave Bittner: [00:04:52:16] The more familiar problem of data loss from AWS S3 misconfiguration also persists. Nearly 50,000 Australians recently had their information exposed. Personal records from employees working in government agencies, banks and a utility were compromised in a third-party contractor's misconfigured cloud account. Earlier in October Dow Jones also sustained a breach caused by an unsecured AWS S3 bucket, more than 2,000,000 customers are believed to have been affected.

Dave Bittner: [00:05:23:09] A very large data breach has hit Malaysia, as more personal data of more than 46,000,000 mobile subscribers have been found for sale on the dark web. The breach affected at least a dozen telecom providers. Since the total number of people affected exceeds the population of Malaysia, the incident is believed to have also affected foreigners living in or transiting through the region. Other data may have been lost as well, from employment site Jobstreet, perhaps 17,000,000, and a number of Malaysian government agencies, including the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia. Several million individuals were affected by these breaches as well. Investigation is in progress. There are reports of stolen data being used for phishing and spamming.

Dave Bittner: [00:06:17:13] And finally, Tuesday was of course Halloween, which the ShadowBrokers have told is being Brokers favorite holidays, when they trick for treats Wealthy Elites. But where are Brokers being these days, we are asking? They are last heard from two weeks ago, when they announced a big, big sale, like the boss is on vacation and we are all go crazy. They be picking on good researcher Matt Suiche and praising good reporter Marcy Wheeler. But no new exploits, not so much Twitter, but Brokers say Kaspersky should sue Wall Street Journal for libel. And did Brokers mention new, low, low prices?

Dave Bittner: [00:06:53:05] Oh, come on guys, everybody knows you're not in it for the money. But these days their offerings look like a remainder table at a shopping mall book store.

Dave Bittner: [00:07:05:24] Here's a quick note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today. And E8's White Paper, available at, can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding, and information into meaning. AI and machine learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:07:58:09] And I'm pleased to be joined once again by David Dufour. He's the senior director of engineering and cybersecurity at Webroot. David, welcome back. You've been seeing some evolution in the way ransomware is working?

David Dufour: [00:08:09:21] That is correct actually. We're seeing it become more sophisticated in the way that it's distributed, the way that it's used in the industry, and by industry I mean the bad guys, and how they're propagating it and, and I think I-- we've spoken before about how we're seeing a growth in worms again, and those worms now are able to deploy and use ransomware as well. But one of the-- a couple of key things about the ransomware that we're seeing here at Webroot is the prevalence of dynamic key shifting, where the first erasions of ransomware you could typically, once the key was out there, you could use that key across multiple instances of that ransomware to unlock it. But the bad guys have gotten pretty smart and they're able to dynamically generate keys based on system information, so that if you want to be able to unlock a specific encrypted instance you have to be able to actually go out, pay that Bitcoin, typically, to be able to get the unique key generated for your system.

David Dufour: [00:09:12:04] And additionally we're seeing some growth in the quality assurance of ransomware in terms of the purveyors of ransomware solutions, if we may call them that, are wanting to ensure they have high quality ransomware with really actually high quality customer support, because what's happening is, the low quality solutions sometimes may not decrypt properly so people don't get their data back, and once that becomes known on the Internet, that if you are infected by a certain strain and that strain does not decrypt, people do not pay the ransom. So to maximize their ROI investment on the ransomware they've generated they're spending a lot of time doing QA and providing really good quality customer support to ensure that they have a good reputation for the ransomware they're-- you know, they want their ransomware to have a quality name so people will pay that ransom.

Dave Bittner: [00:10:09:15] Yeah, there's a little-- I guess, a bitter irony there, huh?

David Dufour: [00:10:12:22] Yes, exactly. So that's really what we're seeing right now. It is becoming more sophisticated in terms of the way it executes. Previously you would see single or not highly threaded instances, now ransomware instances are becoming very threaded in the way they are encrypting files and the speed at which they can encrypt a device and things of that nature. So there's a lot of sophistication going on in the growth, in the spread, in the quality of the ransomware itself. And I think it was in 2010 we saw the, you know, the first real instance of ransomware, and right now, I think, in 2016, 2017, we're approaching 500 different strains of unique ransomware out there.

Dave Bittner: [00:10:53:06] So back up your files, right?

David Dufour: [00:10:55:12] Yes, definitely back up your files. And another little scary tidbit, last year we saw about a billion dollars in cost, people paying an expense for dealing with ransomware, this year we see it trending towards about five billion, and that's only going to grow.

Dave Bittner: [00:11:10:02] Yeah. Alright, David Dufour, as always, thanks for joining us.

Dave Bittner: [00:11:17:20] Time to share some information from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefits of their temporal predictive advantage. Cylance Protect stops both file and fileless malware, it runs silently in the background, and, best of all, it doesn't suffer from the blindspots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:21:22] My guests today are Sherrie Caltagirone and Andrew Lewman. Sherrie is the Executive Director of the Global Emancipation Network, a non-profit that uses technology to try to put an end to global human trafficking. Andrew is Vice-President at DarkOwl, one of their technology partners.

Sherrie Caltagirone: [00:12:39:15] Human trafficking is an enormous problem. Assets are between 20 and 45,000,000 people are being trafficked around the world today and, yes, that is 100% margin of error. So basically what we can take from that is that the data that we have is completely unreliable. We don't have a repeatable method of coming up with these numbers again. So one of the things that we're trying to do at Global Emancipation Network is to bring together all of the disparate data sources that exist in trafficking. So sometimes that takes the form of, like, a sex ad on back page or sometimes it's, you know, a visa blacklist where we are looking at labor trafficking. So there's many different stakeholders who own the data. Sometimes it's government actors, like law enforcement agencies or groups in the United States like the Department of Homeland Security and other times it's other non-profits like ourselves who are actually interacting with victims.

Sherrie Caltagirone: [00:13:41:23] So it really runs the gamut then who has the data but the biggest problem that we're trying to counter then is to break down all of the silos and to allow the data to exist in one, single location where we can run data analytics across it and begin to look at trafficking as the data problem that it really is, because when we do that, when we're working collectively on the problem, as a data problem, then we can sort through it using these cybersecurity and data analytics methods to find traffickers, find victims and really study those trends on recruitment and whatnot that allows us to scale our efforts.

Dave Bittner: [00:14:23:00] I see, and so, Andrew, what part in all of this are you all at DarkOwl playing?

Andrew Lewman: [00:14:28:05] So DarkOwl is a startup that has been crawling all of the dark nets out there and collecting and collating the data and this helps investigations and research and analytics into what are the attributes of the traffickers, the nicknames, the techniques they use and provides a large database for them to work off of to help with Sherrie's comment there about needing more content in one place to do successful analytics on.

Dave Bittner: [00:14:57:24] Give us an idea, why don't I start with you, Andrew, give us an idea of what is it like on the dark web? I mean, these people are-- they're trying to not be found and yet in a way they have to be able to find each other.

Andrew Lewman: [00:15:10:07] Right, so there's the fundamental conflict they have to resolve in that they're trying to keep themselves private from law enforcement but also public enough that people can find them to buy their services. So they've-- you know, there's a lot of lingo used, they hang out in forums you wouldn't normally see on typical websites you visit, they talk in code both about how to actually get, quote, "the product," the people from one country to another, to the destination, to the buyer, and at the same time they have to advertise, you know, "I have the following people available for services," whatever those services might be.

Dave Bittner: [00:15:50:03] So, Sherrie, in terms of having to sort of wrap your hands around this, this shift to the dark web, this shift online, is this a recent development? And how does this affect your efforts, your ability to try to stop these sorts of things?

Sherrie Caltagirone: [00:16:09:16] Well, one of the things that we have really working in our favor is that the majority of trafficking online actually exists on the open web. It's anything that you or I could type into our web browser and that makes it a lot easier for us to collect that information. But what Andrew and I have been trying to do then, in our collaboration, in terms of the dark web then, is to look at poly-criminality elements, and what that really means is that these transnational organized criminal elements, they are just looking at ways of making money. They don't really care if they're moving drugs or weapons or, sadly, people, it's all sort of the same to them. And so by tracking some of those other elements we can also learn a lot about human trafficking.

Dave Bittner: [00:16:55:11] And so, Andrew, from your point of view, from a technical point of view, how does this sort of data compare or differ from other types of data that you all are normally looking for?

Andrew Lewman: [00:17:06:22] It's unfortunately similar in that whether you're talking about a drugs dealer trying to sell drugs to people around the world or whether they're trying to sell trafficked children or laborers, it's all sort of the same mentality from their part, increasingly. There used to be specialization where certain criminal organizations or gangs would specialize in one thing, like drugs or firearms or identities and humans. Now they're sort of all blurring because, as Sherrie said, it comes across as it's just a product, we don't care, we don't ask what's in the box anymore, so to speak, we can get it from point A to point B. You know, technically a lot of what we're seeing is they're moving to peer to peer chat, like direct chat or heavily encrypted chat, and there's enough of those apps out there for legitimate reasons, but, of course, criminals will take it and use it to coordinate with people in country, their customers and potential buyers.

Dave Bittner: [00:18:06:07] So, Sherrie, you know, after 9/11 there was the popularization of the saying, "If you see something, say something." For those people who are in the cybersecurity world, is there a way that they can help out what you're doing? Are there things that they should keep an eye out for where if they see things, are you interested in getting reports from people? Or what kind of help are you looking for?

Sherrie Caltagirone: [00:18:28:24] Absolutely, actually that's one of the things that makes me the most passionate leading Global Emancipation Network is really watching the light bulb turn on for these people who usually work in these tech heavy fields like cyber intelligence or cybersecurity in that they realize that it doesn't matter if they're hunting hackers doing their day job, you can take those exact same skill set and their training and apply it to hunting traffickers, right, it's just another adversary. And so, actually, a lot of our volunteers on our staff come from that background in particular. So it translates really well. One of the things that we say, and you're right, it's if you see something say something, but you need to know what you are looking for, right? Traffickers tend to use a coded lexicon that means certain things to people who know what it means. For example, most of the trafficking things that we see, they fall under two categories, one are age related and that's, you know, advertising an underage victim which automatically qualifies for trafficking and then others are around movement and those are things that indicate that someone has just arrived in town or they're about to go to another location, things like that.

Sherrie Caltagirone: [00:19:45:12] So if there is anyone out there who usually works in the cybersecurity spaces and wants to get more heavily involved in tracking a new kind of adversary we absolutely would welcome them and please get in contact with us.

Dave Bittner: [00:19:58:03] And if you want to find out more about the Global Emancipation Network, their website is Our thanks to Sherrie Caltagirone and Andrew Lewman from DarkOwl for joining us.

Dave Bittner: [00:20:14:08] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence check out

Dave Bittner: [00:20:27:00] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Have a great weekend, thanks for listening.