The CyberWire Daily Podcast 12.12.17
Ep 493 | 12.12.17

Catphishing for spies. Banking Trojans. Spider ransomware. CoinHive comes to Starbucks. SEC stops another ICO. BrickerBot retired?


Dave Bittner: [00:00:00:23] Just a quick reminder that one of the ways you can help support our podcast is to leave a review for our show over on iTunes. It really is one of the best ways to help people find the show. Thanks.

Dave Bittner: [00:00:12:24] Berlin says Beijing's been catphishing, and Beijing says no way. Banking Trojans in Google Play look for Polish accounts. Spider malware spins out of the Balkans. Transferring risk doesn't mean you can ignore it. The SEC calls cease-and-desist on another ICO. That venti in Buenos Aires may have come with a CoinHive miner. The Doctor puts down his tools and closes BrickerBot.

Dave Bittner: [00:00:42:01] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. We're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today to stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture/com/intel. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:54:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your Cyber Wire summary for Tuesday, December 12th, 2017.

Dave Bittner: [00:02:04:12] In an unusual announcement, Germany's security agency BfV revealed the results of their long counterintelligence inquiry into how Chinese intelligence services use Social Media. LinkedIn drew particular attention, and BfV director Hans-Georg Maaßen said China is using the platform to collect information on targeted individuals. The Chinese services are said to have catphished more than 10,000 Germans. Most of the fictitious profiles used were swiftly taken down, but some journalists got a peek before the catphish spit the hook and vanished, and the profiles appeared to be what the BfV said they were. The Chinese Foreign Ministry dismisses the German report as "groundless" and "hearsay," desiring Berlin to "speak and act more responsibly."

Dave Bittner: [00:02:50:22] It would be surprising indeed if such an obvious way of prospecting people for recruitment or other exploitation weren't being pursued. This is just espionage tradecraft updated for social media: instead of an intelligence officer telling a potential agent at a cocktail party, "Why what a coincidence, I'm a stamp-collector too," now they do it online.

Dave Bittner: [00:03:11:24] ESET reports finding two apps in Google Play, "Crypto Monitor" and "StorySaver," that in fact carry a banking Trojan aimed principally at Poland's financial sector. Crypto Monitor is an app that tracks cryptocurrency prices, and StorySaver represents itself as a third-party tool for downloading Instagram stories. Both of them scout infected devices for banking apps connecting to fourteen Polish banks. If they find them, the apps display phony login screens and steal user credentials.

Dave Bittner: [00:03:43:10] Netskope has identified a new ransomware strain, "Spider," that appears to originate in the Balkans, probably in Bosnia. It's carried by an infected Microsoft Word document, and, if an unwary user opens it, encrypts files and demands a ransom in Bitcoin.

Dave Bittner: [00:04:00:21] Taking out insurance against cyberattack is a sensible way of transferring risk, but Watchguard thinks it sees signs of small businesses in particular thinking that insurance enables them to rest easy with poor cyber hygiene. This is particularly the case with respect to vulnerability to ransomware infestations.

Dave Bittner: [00:04:19:16] Marcelle Lee is a threat researcher at LookingGlass and she recently authored a report on the Bad Rabbit ransomware strain. She joins us with her insights on the malware campaign.

Marcelle Lee: [00:04:29:23] We have an international team and one of our researchers is actually based in Ukraine, which is where the bad rabbit activity first surfaced in Ukraine and Russia. Bad Rabbit is a multi-stage piece of malware. The way that it gets lodged on a system is basically through an infected website. So most of the websites that were infected were based in Russia or Ukraine. And there's basically some malicious Java script that's been running and has been injected into these websites. Once a user visits the website, that malicious JavaScript will run and what the JavaScript does is basically harvest information about the host machine, so operating system, location, things of that nature. It sends that information off to a remote server and then at that point an Adobe Flash Player update window pops up, as they do, and if the user clicks on that then that's basically the dropper for the malware, so the malware will be loaded on the host at that point in time.

Marcelle Lee: [00:05:40:01] None of this is the actual malware itself, it's just the mechanism to get the malware onto the host machine. Once you've clicked the fake update, the malware is dropped and all the ensuing activity begins. There's a number of different things that happen, but the primary thing is the file encryption. After it goes through the whole encryption process, then the system basically reboots and you get kind of an amusing message saying, "Oops, your files have been encrypted," like it happened by accident or something. So then you're instructed with that message to visit an onion site, dark net, to obtain the decryption key and you're instructed to pay using Bitcoin, which is pretty typical for ransomware.

Marcelle Lee: [00:06:28:04] Some interesting things about this malware were the Game of Thrones references. We're not really sure if the author just liked Game of Thrones and thought it would be fun to throw some references in there. Or what the deal was with that, but just something out of the ordinary. There's definitely some similarities with the NotPetya malware that came out earlier this year. The message that pops up on the screen looks virtually exactly the same.

Dave Bittner: [00:06:54:06] Is this a situation where if you pay the ransom you will get your files back?

Marcelle Lee: [00:06:58:20] I would say maybe, but if you look at the Bitcoin wallets that were associated with this malware, at least the ones that we've seen, there's been very few transactions. Basically nothing new has happened in those wallets since the end of October when this first came out. Typically the recommendation is not to pay ransom because it just really encourages further activity of that nature. We recommend not to pay the ransom.

Dave Bittner: [00:07:25:20] Bad Rabbit is engineered to spread through your network. It just doesn't park itself on a single host.

Marcelle Lee: [00:07:31:07] Correct. One of the things we observed in our analysis was leveraging SMB to reach out to other hosts, so if it did find other hosts on the network then it would literally spread itself to those. So that worm aspect as well.

Dave Bittner: [00:07:44:21] What are your recommendations for how people can best protect themselves against Bad Rabbit?

Marcelle Lee: [00:07:50:12] First of all, keeping software updated. That's nothing new. Everybody knows you should keep your software current to hopefully prevent any vulnerabilities being leveraged. Disabling JavaScript in browsers is a good thing to do, whether or not people want to go to that effort is another thing. But you can disable JavaScript and just white list applications or websites that actually need it. Utilizing browser security tools is another good practice. A lot of browsers do have built in security mechanisms that you can leverage. Again, that's something that typically has to be turned on. Of course, user education is always good. Helping our users understand when something is potentially malicious and what not to click on, which in my humble opinion is everything. The user education piece is always tricky and I'm a huge advocate of making users part of the solution and not just always considering them part of the problem. Because I think if there's better awareness, more meaningful awareness, then they're more apt to help. It's a positive reinforcement versus negative reinforcement. Way more effective.

Dave Bittner: [00:09:02:11] That's Marcelle lee from LookingGlass. You can read her full report on the Bad Rabbit ransomware on the LookingGlass blog.

Dave Bittner: [00:09:12:12] The US Securities and Exchange Commission has stopped another ICO, this one for an operation called "Munchee." Munchee had set up a $15 million token sale that would have funded the MUN coin, which would have been a payment system for restaurant reviews. The SEC reviewed them yesterday with a cease-and-desist order. The problem was that offering an instrument for sale with an expectation of return makes that instrument, legally speaking, a security, and if you're offering securities in the US you ought to be registered with the SEC. Munchee also struck regulators as using what TechCrunch called "the typically spammy and scammy marketing efforts most ICO floggers use now."

Dave Bittner: [00:09:54:05] In any event Whoppercoin was there first, and besides, the SEC's writ doesn't run to Moscow, so there was no similar issue with Burger King Russia's invitation to eat your way to riches, sandwich by sandwich. Munchee's site calls the company, "The new decentralized block-chain based food review and social platform." The site is still up, but the links behind the home page don't appear to be working.

Dave Bittner: [00:10:17:16] This isn't the only blockchain-based activity going on in café society. The blockchain apparently came to the barista, and it seems the barista knew nothing about it. At least one Starbucks Wi-Fi provider may have used the coffee shop's network to install a Monero miner in unwitting patrons' devices. It appears that patrons who belonged to the coffee shop's rewards program in Argentina were unwittingly enlisted in CoinHive, whose JavaScript cryptocurrency miner extracts Monero. This seems to be the work of a third-party vendor and not Starbucks itself.

Dave Bittner: [00:10:50:19] The vigilante known variously as "The Doctor" and "The Janitor," the one responsible for Brickerbot, has indicated he's retiring. He claims to have bricked more than ten million vulnerable IoT devices, thereby preventing them from being herded into malicious botnets. Doctor Janitor never got much love, he was regarded by many as a destructive, self-righteous pest, and a lawbreaker, too.

Dave Bittner: [00:11:15:09] He himself felt misunderstood. As he put it in his valediction, reproduced in part by Bleeping Computer, "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes. I have already been active for far too long to remain safe. For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am." Please.

Dave Bittner: [00:11:46:03] Doctor Janitor was always far likelier to face public prosecution and a nickel in Oakdale than to vanish as an unperson down some Ministry of Love memory hole. At any rate, the Janitor says he's retired, and presumably moved to a nice active senior residence at Dunhackin. He did publish some of his source code in his exit manifesto, but not his SSH crawler, which he deemed, "too dangerous to publish," the way Tony Stark always insisted Iron Man's armor was just too overwhelming to place into the hands of the common man, that armor had the power of the transistor, after all.

Dave Bittner: [00:12:20:07] He did leave some advice behind, however, that's worth reading, it's most easily accessible at Bleeping Computer, because it advocates hygienic and policy measures for taking some of the DDoS risk out of the IoT. He urges the community to start using Shodan audits to find vulnerable ports and services, pushing IoT vendors to do better at security updating, working toward IoT security standards, and volunteering to fix vulnerable systems.

Dave Bittner: [00:12:46:12] And hackers, a pro-tip: that kind of volunteer work may be a better outlet for your energies than a license-plate shop at Virginia Correctional Enterprises, not to mention breaking rocks in the hot sun.

Dave Bittner: [00:13:02:23] Now I'd like to share a message from our sponsor Nehemiah Security. Fellow cyber security leaders, when your CEO asks department heads for a status update, do you envy your colleagues like the VP of sales or CFO who only have to pull a report from a single system instead of deploying a team of people to check multiple systems and then waiting for them to report back? Do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cyber security leader. It's time for a quick solution that allows you to go to one place to get the security information you need quickly, and in business terms your CEO can understand. Nehemiah Security gives Cyber Security leaders the ability to report cyber risk in terms of dollars and cents. Visit to learn more and get a free customized demo just for Cyber Wire listeners. Visit today. That's We thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:14:13:01] I'm pleased to be joined once again by Rick Howard. He is the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. Not long ago you and I were talking and singing the praises about DevOps, but you are someone who continues to evolve with your views and opinions, and today you want to present to us that maybe it's time to think twice about DevOps. What are we doing here, Rick?

Rick Howard: [00:14:40:19] Exactly that. I want to say that DevOps is a philosophy, that's how I come to terms with this. And it's this idea that we should look at the way we deploy and update things in our environment as a system of systems, just like car manufacturers make cars. The leaders of those manufacturing plants, they watch the system move through until they make the car and they are very specific about taking every piece of inefficiency out of that system. The way we do it in automation and IT is some marketing guy comes up with an idea and we throw it over to a proof of concept developer and they build stuff. They throw it over the fence to the quality control folks and they get up to a version of 1.0. Once they get it there they throw it over the fence to the operators who install it and maintain it. None of those people talk to each other in that process. So, the glue that moves it from process to process is not there.

Rick Howard: [00:15:39:19] DevOps is this idea that we should automate the entire process and view it as a system of systems. I still believe in that philosophy. But when you read the literature about DevOps, it's kind of highfalutin and not a lot of specifics about how you might go around doing this. What's emerged in the last six months that I've seen is this idea of site reliability engineers and they originated out of the Google team back in 2004, when they were trying to figure out how to scale this search engine that they had come up with. What they did was they handed the network management off to a bunch of developers. That's an interesting idea because when developers get stuff, they automate it.

Rick Howard: [00:16:20:16] So the Google site reliability engineers, they scaled this operation, they automated everything, the glue that moves the part from piece to piece to piece so we can get it installed and maintained. They are so good at what they do, it's almost autonomous, not just automatic, it's almost autonomous, meaning that their software can look for problems, roll it out, fix it, roll the fix back in, all within the same day. All within the same couple of hours. Their philosophy on how to do this with their IT admins, is that the Google IT admins shouldn't touch a box to fix anything more than 50% of the time because they want those folks to be automating the next process so they can scale even further.

Rick Howard: [00:17:04:19] DevOps, in my mind, is a philosophy, where site reliability and engineering is really how to get it all done. Here is my concern, all that is fantastic and there's a lot of people working on it, Google, Netflix, SalesForce, and Facebook are all examples of organizations who do this really well, but security people are still on the outside of that whole movement and it doesn't make sense to me that as we automate the process from front to back, you're leaving the security expertize out of the system. My advice to everybody listening is they need to get engaged with this conversation. They need to insert themselves into this DevOps philosophy and this site reliability engineering how-to stuff, become very useful to the whole process so that security is not left out, or in a couple of years our whole network defender community is going to be irrelevant because we're not contributing to the effort.

Dave Bittner: [00:18:05:15] I'm definitely going to check it out. I'm going to read up on site reliability engineering, I can tell you that.

Rick Howard: [00:18:13:03] My work is done here.

Dave Bittner: [00:18:16:03] Rick Howard, thanks for joining us.

Dave Bittner: [00:18:20:24] That's the CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, check out

Dave Bittner: [00:18:32:20] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.