The CyberWire Daily Podcast 12.18.17
Ep 497 | 12.18.17

Zealot and Monero mining. Bitfinex DDoS. Triton/Trisis shows risks of committing safety and control to the same systems. Bitcoin crime. M&A news. Hair of the dog.


Dave Bittner: [00:00:00:14] Thanks again to all of our listeners, who have also become supporters. You can find out how at

Dave Bittner: [00:00:11:04] Zealot uses Shadow Brokers' exploits to install a Monero miner on victim systems. Bitfinex suffers another DDoS attack as Bitcoin valuations remain high. The Triton attack on industrial safety systems shows the risk of mixing control with safety. An exposed database of California voters is investigated. Thales will buy Gemalto, and are you suffering from a social media hangover? Try a little hair of the dog that bit you.

Dave Bittner: [00:00:42:20] Now a holiday message from our sponsor, Nehemiah Security. 'Twas the night before the board meeting, when all through HQ not a C-level was stirring, even finance was a-snooze. Reports were all stacked in the boardroom with care, in hopes that the members would not pull out their hair. The CISO however was pacing the ground, mostly because he had no real metrics to sound. And the head of IT in front of long log reviews had just settled his brain after full back-up number two. When out of the SIEM alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash, to see which malware showed up as a hash. If only they knew where exploitables lay, and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles the RQ dashboard came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations, on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments, now everyone knew. To hear the rest of the story visit

Dave Bittner: [00:02:16:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, December 18th, 2017.

Dave Bittner: [00:02:26:22] Researchers at F5 Networks report a Monero mining campaign, "Zealot," which is exploiting the same Apache Struts vulnerability disclosed in March that was subsequently used to breach Equifax. It's also deploying EternalBlue and EternalSynergy, exploits the Shadow Brokers leaked earlier this year, saying they were taken from NSA.

Dave Bittner: [00:02:48:12] According to F5's research blog, Zealot exploits not only the Apache Struts vulnerability, but also the DotNetNuke vulnerability disclosed back in June. The name Zealot comes from the zip file that holds the Python scripts expressing the Shadow Brokers' exploits, which is itself named after a character in the StarCraft game.

Dave Bittner: [00:03:09:04] Zealot seems to be a multistage attack used in campaigns against both Windows and Linux systems. F5 calls the payload "highly obfuscated," and a "sophisticated multi-staged attack, with lateral movement capabilities".

Dave Bittner: [00:03:23:20] Unlike other campaigns that used tools the Shadow Brokers claimed to have stolen from NSA, like NotPetya and WannaCry, Zealot is unusual in that it propagates within a network. It delivers its payload on internal networks through web application vulnerabilities. F5 doesn't offer an attribution, but they do say the sophistication they're seeing indicates that Zealot is being run by threat actors who are far more capable than the common run of bot herders.

Dave Bittner: [00:03:50:03] The point of the whole effort appears to be installation of mule malware that mines Monero cryptocurrency, much prized by criminals for its high degree of anonymity. What should you do about it? Patch the vulnerabilities being exploited. There are fixes available for all of them.

Dave Bittner: [00:04:07:00] Alternative currencies continue to receive other criminal attention. Cryptocurrency exchange Bitfinex sustained another large distributed denial-of-service campaign yesterday, piling on top of the one it suffered last Tuesday. Customers are unhappy that their ability to trade cryptocurrency is impeded, but the good news, such as it is, seems to be that at least their wallets aren't being emptied.

Dave Bittner: [00:04:31:00] The Lazarus Group, widely regarded as a threat actor controlled by the North Korean state, is continuing its pursuit of Bitcoin theft and fraud as a way of redressing the heavily sanctioned country's financial shortfalls. Some researchers report signs of a similar increase in Russian criminals' interest in the cryptocurrency. The alternative currency appears to be attractive in part because of the opportunities it presents for money laundering.

Dave Bittner: [00:04:56:13] Trading of Bitcoin futures on the CME, the largest futures exchange in the world, opened with Bitcoin priced at $20,650. By midday today there had been a sell-off, with Bitcoin trading at above $18,500. Most observers seem to think the falloff represents a temporary blip, certainly not a trend that will probably send criminals in pursuit of other, bigger game.

Dave Bittner: [00:05:22:14] Security experts continue to mull the significance of the Triton hack, also called "Trisis", that hit a Middle Eastern energy sector industrial plant last week. The attack is generally seen as particularly disturbing in that it was designed to manipulate industrial safety systems.

Dave Bittner: [00:05:38:18] Control Global's Unfettered blog has a number of interesting points to make. First, there are some noteworthy similarities to Stuxnet, in apparent goals and approach, not in code or attribution to any particular threat actor. Yet Stuxnet happened seven years ago, and Triton still came as a surprise to many.

Dave Bittner: [00:05:57:09] Second, according to industrial control system security expert Joe Weiss, who blogs at Control Global, co-mingling control and safety systems results in a loss of safety. The plant Triton attacked escaped catastrophic damage because it was saved by its "hard-wired analog safety systems". Weiss offered this as a lesson learned from the Triton attack, "There are control system suppliers that provide integrated control and safety systems with no guidance to the end-users about the mixing of control and safety. There should be NO sharing of sensors, actuators and/or HMIs by safety and non-safety systems, or you have effectively lost safety."

Dave Bittner: [00:06:41:18] A database, of the MongoDB variety, of California voters was found exposed online and compromised by attackers late last week. The data appears to have been compiled by some third party, not the State of California, which says the state's systems and data are secure. California is investigating.

Dave Bittner: [00:07:00:13] After turning down an offer from Atos last week, Gemalto has agreed to be acquired by Thales for a reported sum of nearly $4.5 billion. Thales will roll its own recently reorganized digital business into Gemalto, with that combined business keeping the Gemalto name. The acquisition is said by the Financial Times to create a top-three digital security player. The purchase is expected to close in the second half of 2018.

Dave Bittner: [00:07:29:22] Finally, do you find yourself just passively consuming social media content, click, scroll, scroll, scroll, click click click? Like that? There's research out from several sources, including the University of California San Diego and Yale that suggests social media may impair mental health. It seems that Facebook and so forth can lead to, as the Times of London puts it, "depression, low self-esteem and feelings of isolation, particularly among the young." Thus your tween child seems a dull dog, and why? Because the kid down the block is Facebooking away from Disney World, while your child is still stuck in Reseda, or Nutley, or Overland Park, or Smethwick, or wherever. And so your child "might suffer low moods".

Dave Bittner: [00:08:16:17] Facebook has begun to engage with this research. The company's director of research commented, "In general, when people spend a lot of time passively consuming information, reading but not interacting with people, they report feeling worse afterward." But there's hope: sure, maybe just reading Facebook may impair mental health, but you don't have to just read. That's for chumps anyway. You should post and talk more on, wait for it, Facebook. So maybe take a little of the hair of the dog that bit you, friends.

Dave Bittner: [00:08:58:05] Now I'd like to tell you about some season's greetings from our sponsor, Cylance. Crime never sleeps and black hats don't take a break for holiday cheer. So Cylance has come up with their own 12 days of Hacks-mas. On the first day of Hacks-mas my black hat sent to me a zero day in an SMB, and you don't want one of those. No, no, no, no, you'd even prefer soap on a rope. We'll share the rest of them with you one at a time. You'll find them all at: Look for their blog, and check out their 12 days of Hacks-mas. Go to Cylance not only for a Merry Christmas wish, but for cyber security that predicts, prevents, and protects. We thank Cylance for sponsoring our show.

Dave Bittner: [00:09:45:04] I'm pleased to be joined by Johannes Ullrich. He's from the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, welcome back. When we have natural disasters, here in the United States, FEMA comes in and they provide important assistance, but sometimes the bad guys take advantage of that help.

Johannes Ullrich: [00:10:06:20] Yes. This is something that came to my attention, living in Jacksonville, Florida, which was affected by some of these recent storms. Apparently what's happening is there is all this information out there, from various data breaches – whether it's Equifax, or others – that essentially include your name, your address, your social security number, your phone number, and identifying information like this. It turns out that's all you need to file a claim with FEMA. In the past, what we have seen after natural disasters is simple donation scams, where someone sets up a website claiming to be a charity, asking for donations. We don't really see that as much anymore. I think people got a little bit wiser about this, and are less likely to fall for it. Also law enforcement got pretty active in trying to shut down these sites.

Johannes Ullrich: [00:11:02:06] On the other hand, we have this flood of personal information that the bad guys now are trying to monitor. In the past they have filed great big tax returns, for example, but what's new now is these FEMA claims. Essentially, the way FEMA works is, it's a little bit of an honor system here. FEMA tries to get the money to the individuals as quickly as possible. So, quite often, when you file a claim, you get the money before FEMA really has a chance to look at all the details. They give you the money, and then follow up with you later, whether this was fraudulent or not. That's, of course, a real problem if someone files a claim on your behalf, using your personal information, without you ever being affected and filing a claim. Now this claim becomes fraudulent, and you're the victim twice: first of all your personal information was stolen, but now you also have to prove that you didn't file that claim.

Dave Bittner: [00:12:01:09] I suppose if the bad folks file a claim on your behalf, before you do, and then you go to file a legitimate complaint, that will get in the way of you getting the money that you really need?

Johannes Ullrich: [00:12:12:14] Correct. That has happened with tax returns, where you file your tax return. The IRS says, hey, you already filed one, so you can't file two. Similar things are going to happen with FEMA, where your legitimate claim is being held up because of the fraudulent claim. Also, of course, FEMA on the other hand has to be more careful now. In particular, in Puerto Rico, it has caused delays in processing of claims because some of the information wasn't quite correct with what FEMA had, because they're trying now to be more careful, but that's the real difficult balance they have to find. How quickly are they going to hand the money to people that really need it, and how careful are they going to be in actually checking these claims when they are submitted?

Dave Bittner: [00:13:06:01] It's a real shame, taking advantage of people when they're at their worst, and when they need help the most. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:13:17:21] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, check out:

Dave Bittner: [00:13:30:08] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:13:40:13] Don't forget that I'm part of a security segment on the Grumpy Old Geeks podcast. You can find that wherever all the fine podcasts are hosted. And also, don't forget to check out the Recorded Future podcast. That's another one that I host. The topic over there is threat intelligence. We think it's worth your time, so check that one out as well.

Dave Bittner: [00:13:57:17] Our show is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.