The CyberWire Daily Podcast 12.5.17
Ep 488 | 12.5.17

Andromeda takedown (with an arrest in Belarus). Mirai is back; Reaper still threatens. PayPal phishing. Tech support scam evolves. Cryptowars notes. SEC goes after an ICO.


Dave Bittner: [00:00:01:03] Our advertisers hope you don't discover this one weird trick to get the CyberWire ad-free - alright, so you go to You pledge ten bucks a month and you get an ad-free version of the podcast. It's that simple!

Dave Bittner: [00:00:17:01] An international police operation takes down Andromeda, and possibly the criminal mastermind known as Ar3s. Mirai is back, and so are warnings about Reaper. There's a PayPal phishing expedition in progress. A new variant of the familiar tech support scam features a bogus blue screen of death. Germany's Interior Minister considers backdooring the IoT. The US Securities and Exchange Commission is going after dodgy ICOs. And we're not going to talk about the Internet of Those Kinds of Things. Don't act so innocent, you know who you are.

Dave Bittner: [00:00:53:18] Now I'd like to tell you about a white paper from our sponsor, Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the white paper, Understanding the Challenges of Cloud Monitoring and Security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets. You can get your copy of the white paper by visiting Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:01:52:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, December 5th, 2017.

Dave Bittner: [00:02:02:17] An international police operation has taken down the Andromeda botnet. Police in Belarus, working with the FBI, Europol's European Cybercrime Centre, the Joint Cybercrime Action Taskforce, which is J-CAT, and the Lüneburg Central Criminal Investigation Inspectorate in Germany have dismantled the long-running Andromeda malware ring. Authorities worked closely with both Microsoft and security firm ESET in executing the takedown.

Dave Bittner: [00:02:29:09] Traded freely in the dark web souks, Andromeda, also known as Gamarue, Avalanche, and Wauchos, disseminated malware through a widespread set of botnets. Andromeda has been active for about six years, and it was a troublesome criminal operation. As with most such takedowns, it's always possible that the botnets could resurface at some future time in a revenant form, but for now, at least, they're out of commission, so good work, officers.

Dave Bittner: [00:02:57:18] There's been one fairly high-profile arrest in the case. The Investigative Committee of the Republic of Belarus said it's charged one man and taken him into "preventative detention," where he's said to be cooperating with investigators. They don't give his name, but they do say he was a resident of Gomel. Recorded Future's researchers indicate that the gentleman is a very big fish in the cybercrime pond, a criminal "mastermind" whose nom-de-hack was "Ar3s," spelled with the "e" represented by a numeral "3." Ar3s developed the Andromeda bot software in 2011, but he's thought to have been a serious player in the underworld since about 2004. He was fingered in an FBI sting: undercover operators bought crimeware from him, made the identification, and then dimed him out to their Belarusian colleagues.

Dave Bittner: [00:03:46:08] An interesting side-note on Andromeda. The malware was designed to determine during reconnaissance whether a prospective target machine's keyboard linguistic settings were for Russia, Belarus, Ukraine, or Kazakhstan. If they were, then the malware wouldn't install. This is suggestive in the light of recent FBI warnings that cybercriminals are increasingly operating with the connivance of host governments. It's not dispositive, of course, but it is suggestive.

Dave Bittner: [00:04:14:01] The Mirai botnet has resurfaced. Attacks were reported over the weekend in North Africa and South America, with Argentina particularly affected. Reaper, the evolved botnet based on Mirai code, has yet to live up to its much-feared potential, but researchers at CenturyLink and reports at Cybrary warn that Reaper is a loaded and cocked weapon, ready to fire at large swaths of the Internet. One hopes, of course, that Reaper will continue to overpromise and underdeliver for its botmasters, but prudence dictates keeping an eye on it.

Dave Bittner: [00:04:46:05] It's an ongoing game of cat-and-mouse between attackers and defenders: as tools and techniques develop to defend against a particular type of attack, attackers move on and find another way in. Lately, we have been seeing more incidents of attacks on the software supply chain. Adam Meyers is VP of Intelligence at CrowdStrike, and he explains.

Adam Meyers: [00:05:06:05] They started looking for software packages that companies and enterprises that the attackers were interested in were reliant on, and there's a whole kind of slew that we've published in a blog post recently where the attacker identified either an open source or a closed-source software package, and they backdoored that package and used that to then deploy their remote access toolkit, or whatever tool they would like to deploy, against the targeted victim. A really notable case of this recently was NotPetya. We saw NotPetya being deployed via a software update mechanism in a particular Ukrainian software product.

Dave Bittner: [00:05:49:07] For most people, with regard to the supply chains in the physical world, they would think "how would someone sneak something into my manufacturing process" but, on the software side, it's a bit different.

Adam Meyers: [00:06:00:14] Exactly. If you think about a complex supply chain attack, it is somebody putting a backdoor in a piece of hardware that you're going to install on a sensitive network etc. In the case of these more recent attacks, they're finding software packages that people are reliant on for lots of different things. There is a pretty well-known case that was dubbed "the ShadowPad" by security researchers that was focused on a software package by NetSarang and it was a whole host of different enterprise tools that various enterprises would be using. We have seen this targeting Windows and Mac as well. There were two incidents where Proton RAT was deployed via a supply chain attack against various multimedia-related tools.

Dave Bittner: [00:06:54:14] Help me understand, and forgive me for the simplicity of this question, but in a world where we have things like checksums, how can someone monkey with some software without it being noticed?

Adam Meyers: [00:07:04:24] That is a great question. What they are actually doing is they're getting into the software build process at the vendor. They're not just backdooring the already built tool, they're backdooring inside of the build process, which is something that these vendors are not very focused on trying to detect. They're not going to be able to identify that there's a backdoor in the product that they then compile and then distribute.

Dave Bittner: [00:07:30:20] I see. It gets in before the checksumming would even take place.

Adam Meyers: [00:07:34:16] That's right.

Dave Bittner: [00:07:35:16] What's to be done here? How can people protect themselves against these things?

Adam Meyers: [00:07:39:19] The first step is identifying that you have a problem. I think that raising these issues and getting some of the IT security personnel, the compliance people, the CISO and the CIO to understand the risk and the threat from some of these software packages is step one. Step two is identifying what software packages you're dependent on as an organization. Lots of companies that we talk to, if we ask them what software they have running, what versions are running, they don't really have a good answer. In many cases, they can't even tell you how many systems are on their enterprise. Therefore, having that kind of visibility into what systems and software you're using across the enterprise is critical as well. From there, that's where you have to start doing some risk-based decisions around those software packages and understanding what kind of testing goes into it, understanding that vendor's development process and whether they adhere to various standards or are just building software and shipping it whenever they get the chance.

Adam Meyers: [00:08:48:15] Then identifying critical assets on the enterprise and ensuring that they have been walled off, so if it is a critical system that is running some software package that you have maybe no understanding of or a low degree of trust in, then making sure that it doesn't need to talk to other systems or even necessarily to the internet in many cases. That is where you have to really start looking at each product and coming up with a risk analysis around each individual product.

Dave Bittner: [00:09:16:20] That's Adam Meyers from CrowdStrike.

Dave Bittner: [00:09:21:01] PayPal users are receiving phishing emails warning them that their payments aren't going through. Those who swallow the bait will be directed to a page that asks them to enter their PayPal credentials and user information.

Dave Bittner: [00:09:33:17] A variant of the familiar Microsoft tech support scam displays a phony blue screen of death and then offers to sell you a cut-rate security product that won't solve your problem, because you really don't have a problem in the first place.

Dave Bittner: [00:09:47:12] Google is working to clamp down on applications and websites that ask for too much information. At the end of January, Mountain View will warn proprietors of apps and sites that violate Google's privacy-related terms of service. How violators will be punished beyond this good talking-to remains unclear.

Dave Bittner: [00:10:05:14] A volley in the crypto wars comes from Berlin, where Germany's Interior Minister, Thomas de Maizière, wants essentially all IoT devices backdoored so government investigators could access them at need. He's also mulling asking that kill-switches be installed in certain devices to yank them from the Internet, also at need. While one can imagine investigatory and incident-response use-cases for both proposals, it's difficult to see them attracting much favor from the backdoor-skeptic tech sector.

Dave Bittner: [00:10:37:15] Cryptocurrencies have for some time now been regarded as the wild West, and called that by headline writers who like to write stuff they've read before. We're not hating when we say this, brothers and sisters—hey, we've been there before.

Dave Bittner: [00:10:50:01] Well, pardner, there's now some law west of the Pecos. It's not wearing a badge, not exactly, because the Feds, like the Federales, don’t need no stinking badges. And it's also not wearing a hogleg, neither, because this law doesn't need to carry a six-shooter. We're not talking about Tom Destry, Junior, either. This law is the US Securities and Exchange Commission.

Dave Bittner: [00:11:09:19] The SEC is cracking down on fraudulent Initial Coin Offerings, or ICOs. It's been moving cautiously in this direction since early summer, and yesterday it opened a complaint in a New York Federal court against one Dominic Lacroix. The SEC calls Mr. Lacroix a "recidivist securities law violator," and they think his offering, "PlexCoin," to be just a scam, a "fast-moving Initial Coin Offering fraud that raised up to $15 million from thousands of investors since August by falsely promising 13-fold profit in less than a month."

Dave Bittner: [00:11:42:24] PlexCoin says it will do lots of things for you, if you invest, including giving you a place where you can invest for "guaranteed returns." And in fairness, who's to say they’re not right? Our financial desk points out that you could guarantee zero return, or even a negative return. Right?

Dave Bittner: [00:12:01:14] Most ICOs don't share this appearance of alleged fraudulence, but all investors should take heed, and if they're the desperado kind, just keep moving West until you run out of frontier. We've heard California's pretty wide open.

Dave Bittner: [00:12:14:10] And, finally, some of you have written in to ask why we haven't been talking about a vulnerable app that interfaces an Android phone with a Bluetooth-connected small electromechanical device. After all, it's said to be potentially leaky across the network, and leaky in an unusually personal way, and the warning came from NIST itself, the National Vulnerability Database. We aren't talking about this because we're a family show, and don't have much to say about the IoTKoT—the Internet of Those Kinds of Things. And, CERT? NIST? MITRE? We're surprised at you. Especially that whole "awaiting analysis" part. Yes, you're not blinding anyone with science just by writing "CVE-2017-14487." Look it up.

Dave Bittner: [00:13:06:18] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cybersecurity leaders, when your CEO asks department heads for a status update, do you envy your colleagues like the VP of sales or CFO, who only have to pull a report from a single system, instead of deploying a team of people to check multiple systems and then waiting for them to report back? Do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk in terms of dollars and cents. Visit to learn more and get a free customized demo just for CyberWire listeners. Visit today. And we thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:14:16:22] And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. We wanted to talk today about cyber ranges. Why don't you start at the beginning here? Tell us, what are we talking about?

Justin Harvey: [00:14:29:06] Well, the cyber range is a platform that is designed to essentially contain threats in a simulated environment. The trouble that a lot of security operation centers and incident response teams are running up against is that they don't have a means to practice their craft. They only have to essentially respond to threats in real time in order to know if they have what it takes in order to defeat the adversary, or to remediate, respond, etc. What a cyber range does is it's typically a virtualized system that mimics the existing environment that you have today in a contained and enclosed area, with all the same tools that you use, with Active Directory, with Exchange, and by utilizing this cyber range your team or your incident response team, your security operations team, can essentially drill their skills and test out their processes and procedures on these cyber ranges.

Dave Bittner: [00:15:33:07] To use a sports analogy, is this a practice like you play scenario?

Justin Harvey: [00:15:38:11] Exactly. Imagine if you needed to practice like you play and you don't have a batting cage or you don't have the ability to scrimmage so that's really what the design of the cyber range has.

Dave Bittner: [00:15:52:13] Is this an expensive thing to spin up?

Justin Harvey: [00:15:54:19] Like many technologies and platforms in the industry today, there are the bare-bones systems that are relatively easy to cook on your own and get up and running, and the prices can go up higher depending on the complexity, depending on the campaign, so the types of threats that you want to simulate, as well as how realistic you want your cyber range to be, or how reflective of the enterprise you want it to be.

Dave Bittner: [00:16:23:04] If someone's looking to explore this, what's the best way for someone to get started?

Justin Harvey: [00:16:27:15] Well, the best way to get started is to have your incident response teams and your security operation centers doing what they do best, having their processes and procedures and their technology down to a science, and then getting started by interfacing with numerous vendors out there that have cyber range products for sale.

Dave Bittner: [00:16:48:01] Justin Harvey, thank you for joining us.

Dave Bittner: [00:16:52:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out

Dave Bittner: [00:17:04:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thank you for listening.