The CyberWire Daily Podcast 1.18.18
Ep 517 | 1.18.18

Big healthcare data breach. False civil defense alerts. Davos will take up cyber next week (among other topics). Exobot on the block. Satori in your wallet? Ponzi scheme or pump-and-dump?


Dave Bittner: [00:00:00:18] A quick reminder that at the $10 per month level on our Patreon page, you get access to a version of the CyberWire Podcast that's ad free. It's the same show, just without the ads. Check it out at

Dave Bittner: [00:00:17:12] Norway's Southern and Eastern Regional Health Authority suffers a breach. False civil defense alerts are mistakes, not hacks, but they're worth attention. Davos will take up international conflict in cybersecurity next week. Banking Trojan Exobot holds a going-out-of-business sale. The Satori botnet rifles cryptocurrency wallets. And was Bitconnect's collapse a Ponzi scheme, a pump and dump, or something else?

Dave Bittner: [00:00:46:20] Now I'd like to share an opportunity from our sponsor, CYBRIC. On February 8th, cyber security thought leader, Dr. Chenxi Wang, joins continuous application security platform provider, CYBRIC, to discuss DevSecOps from cradle to scale, real world lessons and success cases. Many businesses are moving to DevOps and agile development methodologies. But most security tools and processes aren't designed for this new world and that hinders innovation. In this webinar, Dr Chenxi Wang, founder of the Jane Bond project Cybersecurity Consultancy, and Vice Chair of OWASP's Board of Directors, joins CYBRIC's CTO, Mike D. Kail, to discuss integrating security into your DevOps process at scale using real world examples. Mike and Chenxi will also cover getting started with DevSecOps, what metrics to use and what security at scale can mean for you. Join them February 8th at 1:00 pm, US Eastern Time, for this insightful and information-packed webinar. To register, or to learn more, go to And we thank CYBRIC for sponsoring our show.

Dave Bittner: [00:02:10:08] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday January 18th, 2018.

Dave Bittner: [00:02:20:10] The odd and apparently unrelated series of attacks against medical facilities and systems continues. Norway's Southern and Eastern Regional Health Authority is reported to have been breached, apparently by hackers after personal information. Data on about three-million Norwegians are believed to have been exposed.

Dave Bittner: [00:02:39:15] Japan joined Hawaii with a false missile launch alert as North Korean nuclear saber-rattling continues to put local civil-defense teeth on edge. Broadcaster NHK mistakenly issued, then quickly retracted, a missile warning on Tuesday. Both the Hawaiian and Japanese cases are being put down, credibly, to operator error and not a cyberattack, but as is normally the case with accidents and glitches, people are now thinking about the possibility and implications of emergency warning system hacks.

Dave Bittner: [00:03:10:14] Who would do such a thing, and why, you may ask? Popular Mechanics has a speculative piece up that lays out several motives. There's no obvious, ordinary criminal angle to this - criminal in the sense of people executing this kind of hack for financial gain - but there are other kinds of crimes too. Symantec mentions joyriding as one. Instead of stealing a car and racing to destruction before you abandon it, cyber joyriders hack a system in ways that will disrupt people's lives or frighten them and they're doing it just for the lulz. A disgruntled insider might hack an alert system. Or a hacktivist might think doing so would give them a big, big megaphone. Or a nation-state could do it, because they want to sow chaos and mistrust, or, in what would be a more sinister ploy, do it as a battle-space preparation so people would ignore warnings of actual attacks. In any case, may operators of emergency alert networks look to their systems, and particularly their user interfaces.

Dave Bittner: [00:04:10:01] Davos convenes next week, and discussion of global conflict and cyber risk are expected to figure prominently in the meetings of what the Shadow Brokers would call the "Wealthy Elite." And where, we ask in passing, are the Brokers these days? Someone take away their deep-scanning security software? At any rate, the World Economic Forum has issued a resiliency "playbook" for general consideration. It comes in two parts: "a reference architecture for public-private collaboration, and cyber policy models." The playbook takes up 14 policy topics and analyzes them in terms of their impact on five areas: security, privacy, economic value, accountability, and fairness. It's intended to be an approach any nation could adapt to its own particular values.

Dave Bittner: [00:04:57:01] Web application firewall provider, Imperva, recently published a report, The State of Web Application Vulnerabilities in 2017. Joining us to review their findings is Nadav Avital, who leads the application vulnerability research team at Imperva.

Nadav Avital: [00:05:12:13] 2017 was a record year in terms of volume of capacity. There were much more vulnerabilities published during 2017 than in recent years. Looking at the numbers, you see a big spike.

Dave Bittner: [00:05:29:17] So what were some of the specific trends that you saw?

Nadav Avital: [00:05:33:21] First of all, cross-site scripting is a well known vulnerability. It had a big increase in terms of numbers. The thing is cross-site scripting is one of the most basic security vulnerabilities in web applications and it's very easy to test and to find. Most of the cross-site scripting vulnerabilities were found in open source products, which, of course, makes it easier to dig into the code and find these kind of vulnerabilities. So this is a potential explanation to this that we saw.

Dave Bittner: [00:06:10:16] And you also saw issues with IOT devices, as well as WordPress and PHP. Can you take us through that?

Nadav Avital: [00:06:18:05] Last year was a huge year in terms of IOT vulnerabilities. I'm talking about the Mirai botnet. So we wanted to know, or to look into IOT vulnerabilities, and what we saw is that there's also a growing trend of vulnerabilities published in the IOT landscape and most of them are coming from the family of authentication bypass using default credentials or easy to guess credentials in order to log into the license, take over devices and this is actually what happened with the Mirai botnet.

Dave Bittner: [00:07:01:16] So as we head into 2018, 2018 being here, what are your recommendations for folks to protect themselves?

Nadav Avital: [00:07:08:19] The key finding is that web application vulnerabilities are always on the rise and it's very difficult for organizations to keep up with that. Most of the organizations don't have a dedicated person or team to stay on top of this, and even if they do, it's very hard to patch your systems or to deploy, go to upgrade your systems, especially in a production environment where you don't have any down time or maintenance windows. So essentially the best way to deal with this flood of vulnerabilities is to deploy external security solutions that can solve the problem for you without any need for change in your systems. This is actually what a web application firewall can do for you if you decide to use it.

Dave Bittner: [00:08:03:17] That's Nadav Avital from Imperva. You can read the report, The State of Web Application Vulnerabilities in 2017 on their website.

Dave Bittner: [00:08:16:11] Say, friend, interested in a banking Trojan? There's a going-out-of-business sale in the black market souks. Yes, step right up, terms are available. The Exobot Android banking Trojan, for the last few years a popular rental in the criminal-to-criminal space, can now be yours. Divestments, sell-offs, spin-outs and so on happen in criminal as well as legitimate markets. In this case, it's not that the boss is on vacation and they've all gone crazy, just that the authors feel they've made enough of a pile and are going to get out while the getting's good. Thus the author of the Exobot Android banking Trojan - initially called "Marcher" by some researchers - has decided to cash out and exit the market by offering the source code for sale. The Trojan, which is generally regarded as a particularly successful one, has hitherto been leased to other criminals on a monthly basis. This isn't particularly good news. We can expect a fair bit of sloppy criminal activity until Exobot finally sputters out. Campaigns are expected to spike as the source code moves from a criminal-to-criminal to a wholesale market.

Dave Bittner: [00:09:22:16] We know the Satori botnet as one derived from Mirai, and we know that Mirai was initially used for distributed denial-of-service attacks. Satori is now being used for more directly gainful crime: a Satori botnet is actively and successfully stealing from cryptocurrency wallets. But wait, friend. You say you want to be a Bitcoin billionaire? Well, have you considered one of the other alt-coins out there? You, madam, do you want a better, more comfortable life? You, sir, are you looking for a way out of the rat race? Why, then, irresponsible speculation in dodgy cryptocurrency schemes may be just the thing for you. Here, take some brochures to read at that Jersey Shore timeshare you've invested in. They're profusely illustrated. But not so fast. Actually, one of those opportunities for irresponsible speculation, Bitconnect, the cryptocurrency exchange widely derided as a Ponzi scheme, has, as we know, closed. And there's more: people have looked back at what the Federal Reserve used to call "irrational exuberance" in cryptocurrency markets last month, and they're now wondering whether a certain YouTube star, one "CryptoNick," might have made a significant contribution to the speculative bubble. CryptoNick says he's a 17-year-old crypto-millionaire, and he's been flacking Bitconnect for some time.

Dave Bittner: [00:10:40:02] A lot of disgruntled YouTube watchers are now wondering whether Mr. Nick was engaged in a pump-and-dump scheme. In any case he's as bummed as anyone. Here's what he said after Bitconnect imploded Tuesday, "I honestly can’t believe this happened guys, like I said it’s been a great platform and it’s officially coming to an end. No more Bitconnect to anyone who’s always hated on the platform. I’m still shocked, I’m still trying to take this all in. I really don’t have much to say."

Dave Bittner: [00:11:08:05] We think the best advice on this and related matters was the disclaimer that accompanied CryptoNick's performances, "I am not a financial adviser nor am I giving financial advice. I am sharing my biased opinion based off speculation. You should not take my opinion as financial advice. You should always do your research before making any investment." Tell it, brother.

Dave Bittner: [00:11:31:04] So there you have it friends, act now, everyone's a winner. Actual results may vary, Nigerian princes not included, you are unlikely to be invited to Davos. Offer not valid in Alaska, Hawaii, and Fort Meade, Maryland.

Dave Bittner: [00:11:46:00] And now, a moment to tell you about our sponsor, Control Risks. Successful companies seize opportunities and new markets, but where there's opportunity there's risk. Whether you want to move your client data to the Cloud, bring an office online in China, or acquire a competitor in Mexico, keeping your information secure is paramount. To do that, your cyber security decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments, there's no substitute for expertise on the ground. With over 2500 employees and 37 offices around the world, Control Risks can help you assess and manage the risk to your business, as they have for over 40 years across 178 countries. If you need to get a handle on your cyber risk in an emerging market, Control Risks will meet you there. Find out more at And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:12:50:22] I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, a couple of events on the horizon that are on your radar. We've got the Korean Olympics coming up and we've also got the midterm elections. What is in common between these two things and why do you have your eye on them?

Emily Wilson: [00:13:08:09] Well it is the beginning of the year and we're all thinking about what's going to happen. I think we're going to see some cyber, I think we're going to see some security and I'm not sure yet what the ratio is going to be between those two. But I think these two events give us a chance to compare to similar events we saw a couple of years ago. Back in 2016, we had the Rio Olympics and we obviously had a pretty big presidential election here in the US. So on the Olympic side, I think this is an interesting regional comparison. With Brazil we saw a lot of personal information being leaked, both from citizens and from government employees, and that came out of a lot of new actors popping up, a lot of economic unrest in Brazil leading up to the Olympics. This was a big six month campaign with a lot of information being leaked every day. Korea, a very different situation. We're seeing different kinds of threats, we're seeing different kinds of actors involved. This is a lot less on personal information leaking and a lot more at the nation state level.

Dave Bittner: [00:14:03:21] I remember also with Brazil we saw lots of warnings about carrying your personal devices, people getting credit cards skimmed and things like that.

Emily Wilson: [00:14:13:19] Yeah, and I think we've seen in a lot of reports and also in some of the work that we do there's a growing community in South America for these kinds of concerns, whether it's fraud or some of these more vandalism style attacks. I think we're just seeing different interests and different calculations in East Asia.

Dave Bittner: [00:14:33:05] And how about the election?

Emily Wilson: [00:14:34:18] The election's an interesting one because it is a midterm election so we're probably not going to see leaked information from delegates, for example, like we saw during the presidential election - some of these factors have been removed. But I'm curious to see as we get into these campaigns, and especially some of the more contested seats, are we going to see information being leaked about candidates and their families? Are we going to see people leaking information about parties, or maybe specific voters? We have heard in the last couple of years about voter databases being compromised. Recently, just in the past month or so, we heard about another database in California. I'm curious to see how all of this plays out and what we see happening openly and what we see behind the scenes.

Dave Bittner: [00:15:19:05] What about this notion, when we talk about the Russians interfering with the last presidential cycle, this notion that it really doesn't matter so much what they're doing, it's the fact that they're doing it creates chaos and uncertainty?

Emily Wilson: [00:15:33:13] I think there's a lot to be said for compromising trust in a system, whether that is the integrity of elections, whether that is the integrity of communications, the integrity of media sources. I think it's not necessarily to your point what kind of chaos you create so much as that you create chaos. I think all of us, regardless of politics, are going into this midterm election with a few different things in mind, maybe a few different expectations, a few different biases and I think that changes the way these games are played.

Dave Bittner: [00:16:10:10] Interesting times for sure. Emily Wilson, thanks for joining us.

Dave Bittner: [00:16:16:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of Artificial Intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more. The CyberWire Podcast is proudly produced in Maryland out of the Start Up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe and I'm Dave Bittner. Thanks for listening.