The CyberWire Daily Podcast 1.24.18
Ep 521 | 1.24.18

Satori variants. Hacking in Anatolia. Lazarus Group improves its tradecraft. Tinder vulnerabilities. UK's new office to combat disinformation. Pirated PDFs hold malware.


Dave Bittner: [00:00:00:23] Don't forget to subscribe to our daily email news brief, where you'll find dozens of links to all the day's cybersecurity news. You can subscribe at

Dave Bittner: [00:00:13:18] New Satori variants are out. Turkish hacktivists use Twitter for social engineering. Parties unknown are conducting an espionage campaign against Turkish defense contractors. North Korea's Lazarus Group improves its cryptocurrency theft tradecraft. Dating app vulnerabilities are a cyber-stalker's dream date. Britain will combat disinformation with a national office of rumor control and save phooey, the pirated copies of Fire and Fury.

Dave Bittner: [00:00:46:12] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. When analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:01:13:08] We at the CyberWire have long been subscribers to Recorded Future's cyber daily and, if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, January 24th, 2018.

Dave Bittner: [00:01:57:03] New Satori variants are said to be out, with fresh botnets. Researchers at NewSky Security have been poking around in the dark web and believe they've determined that the same malefactor who recently pushed the Satori variant Mirai Okiru, is the same actor responsible for two newly discovered Mirai variants, "Masuta" and "PureMasuta." The hacker's nom de net is "Nexus Zeta" and, when investigators first became aware of his or her activities, they were inclined to regard him or her as a novice. There were too many OPSEC missteps in the code, for one thing.

Dave Bittner: [00:02:32:04] But Nexus Zeta seems to have upped their game. PureMasuta, in particular, is thought to be interesting. It exploits a Simple Object Access Protocol, or SOAP, feature that exists as an injection bug first noticed on D-Link systems. SOAP is used by administrators to manage network devices.

Dave Bittner: [00:02:53:11] Researchers at security firm McAfee describe an assault on certain high-profile Twitter accounts that's been claimed by Turkish pro-government hacktivist group Ayyildiz Tim. The attacker compromised accounts belonging to influential persons at the World Economic Forum, the UN and Fox News, to send the compromised accounts' contacts direct messages that either suggested support for Pakistani and Turkish causes, or phished for account credentials.

Dave Bittner: [00:03:21:23] Using compromised email accounts to send messages whose recipients are likely to accept and act upon is a familiar social engineering ploy. It's seen, for example, in business email compromise scams. This particular campaign uses Twitter direct messages in a similar way.

Dave Bittner: [00:03:39:22] Security firm RiskIQ reports another phishing campaign, but in this case Turkish enterprises are the victims. An unidentified espionage operator has been prospecting Turkish defense contractors with malicious email attachments that carry the Remcos remote access Trojan—the Remcos RAT. Remcos performs a typical array of spyware functions, including keylogging; screenshot capture; audio and video recording, as well as common RAT functionality that permits it to manage files and programs.

Dave Bittner: [00:04:10:14] One unusual capability is its ability to set up SOCKS5 proxies, which lets the attack's controllers turn their victims into network proxies; thereby hiding their real command-and-control server.

Dave Bittner: [00:04:25:08] Pyongyang is staying busy. Trend Micro reports that the Lazarus Group has evolved toward the use of PowerShell scripts in its ongoing cryptocurrency theft campaign. There's been no obvious let-up in North Korean attempts against cryptocurrencies. South Korean targets of alt-coin heists may be getting a bit harder, however; the South Korean government is considering regulations that would limit cryptocurrency trading to the more stable, better regulated environment of the banking system.

Dave Bittner: [00:04:54:19] Metrolinx, an Ontario transit company, disclosed that it was hit by a North Korean cyberattack. The organization says the attack was routed through Russia and that neither customer privacy nor safety were compromised. But, beyond that, they cite security and decline to provide further information. An obvious bit of speculation would be that the incident involved WannaCry, and media accounts of Metrolinx's disclosure have tended to mention the US CIA's recent attribution of that particular strain of malware to the Democratic People's Republic of Korea. However, Metrolinx is unwilling to go even that far in its public comments.

Dave Bittner: [00:05:34:03] Flashpoint recently released their 2017 end-of-year update to their business risk intelligence decision report. It provides an overview of evolving geopolitical issues; evaluates the cyber criminal ecosystem and measures cyber and physical threats. Jon Condra is the Director of Asia Pacific Research at Flashpoint and he joins us to review the report.

Jon Condra: [00:05:55:16] One of the things that we do differently in this report, as well, is we have a section we call Flashpoints. These aren't intended to be predictions per se; these are intended to be things to look out for in the global geopolitical threatscape or landscape which, in particular, may cause a shift in the direction the cyber threat environment moves. This is both for our client base as well as just more broadly. We have things in here like, say, the North Korea conundrum. Obviously, if a kinetic conflict breaks out on the Korean peninsula, that is probably going to change the risk posture for many of our clients, as well as everyday users on the Internet.

Dave Bittner: [00:06:33:07] Is there anything in the report that was particularly surprising or unexpected?

Jon Condra: [00:06:37:17] One thing, throughout the year, that I was surprised about was the pivot ostensibly by North Korean threat actors to target financial institutions and even, in the case of WannaCry, leveraged ransomware. Both of those behaviors are not generally associated with nation state actors, at least up to this point. If you think about it, nation states generally don't have those types of funding requirements. The money you are going to make from ransomware is not nearly what a government would require to, say, buy things like tanks and planes.

Jon Condra: [00:07:09:08] In North Korea's case, as they're so isolated, they're being hammered by sanctions right now and so they are trying to find alternative ways to fund their regime. They're turning towards tactics that we would generally associate with cyber criminal groups; so it's a really interesting turn in North Korea's behavior. Therefore, North Korea is more of a threat to entities that traditionally would not consider them a threat. That was one surprise for us.

Jon Condra: [00:07:35:23] Another one that I personally found interesting was the rapidity with which the deep and dark web marketplace environment, the more traditional cyber crime, fell away or collapsed in 2017. There is a variety of factors that go into this but, fundamentally, four top tier marketplaces went down in 2017. AlphaBay, which is kind of the spiritual successor to the Silk Road, was taken down by law enforcement in the latter half of the year and then Hansa Market went down not long after that. It turned out that those two cases were related and were both the result of law enforcement action. Two other marketplaces, Evolution and Agora, both went down for different reasons; which were security concerns, plus a potential exit scam.

Jon Condra: [00:08:17:20] This caused a lot of chaos in a very fast moving paranoid community, who were very much concerned about personal safety and anonymity online. What we've been seeing is a transition away from traditional services for communication, or transactions moving towards alternative ones that are emerging. These are things like Discord, which is a popular chat and voice app, primarily used in the gaming community, as well as decentralized marketplaces that can't easily be taken down.

Dave Bittner: [00:08:49:03] When you look at the threats that are on the horizon here, the things that have shown up in this report, what sorts of recommendations do you have for people in terms of focusing their efforts and their resources?

Jon Condra: [00:09:02:19] One of the things that intelligence professionals do, in general, is try to avoid making broad recommendations; because they're generally not applicable, it's not our expertise and it's not our place to do so. I would say that, one way in which you could use this report is in the healthcare industry. You could look at the chart in the report and say, okay, the two entities that are known to target healthcare, in any regular fashion, would be China and cyber crime.

Jon Condra: [00:09:34:08] Then you can start to think about how you mitigate both of those fundamentally very different threats; in terms of the scale with which they target, the frequency in which they do so and the tools that they use, etc. You can start asking your internal team, as well as whatever threat intelligence providers and vendors you use, more targeted questions; rather than just thinking, you know, I have to defend against a panoply of threats when, in reality, jihadi hackers don't really go after healthcare entities. It's not to say that it cannot happen, it's not to say that it doesn't happen sometimes, but you can use this type of information to help tailor your own strategies internally.

Dave Bittner: [00:10:15:23] That's Jon Condra from Flashpoint. You can review the complete report on their website.

Dave Bittner: [00:10:22:04] Amid dark warnings of the United Kingdom's vulnerability to massive infrastructure hacking, Her Majesty's Government is also seeking to address the problem of hostile nations' influence operations. The Government intends to form a new organization whose mission will be to combat disinformation. Britain's new National Security Communications Unit will operate from the Cabinet Office.

Dave Bittner: [00:10:46:03] Researchers at Checkmarx have taken a look at widely used dating app Tinder and they don't particularly like what they see. The app doesn't encrypt photos, for one thing and it also leaves swipes and matches open to inspection. This would be good news for stalkers but bad news for ordinary lonely hearts looking for whatever it is they're looking for. Checkmarx warns that it's able to simulate exactly what the user sees on his or her screen. You know everything. Everything includes what Tinder users are doing and what their intimate preferences might be; stuff that attracts voyeurs, stalkers and blackmailers.

Dave Bittner: [00:11:25:14] Here's another reason to get your stuff from actual legitimate stores, as opposed to torrents of pirates and so forth. Fire and Fury, the sketchily sourced but by most accounts lurid and yugely entertaining tell-all by a journalist, who somehow received access to the Trump White House, is circulating in a pirated PDF form that contains, of course, malware.

Dave Bittner: [00:11:48:04] The PDF contains a Windows executable that quietly installs a back door in the reader's device. The bad version is being circulated mostly through social media channels. There was a downloadable edition in a Google Drive and WikiLeaks tweeted a link out; but that drive has been taken down because of a violation of Google's terms of service.

Dave Bittner: [00:12:08:05] HackRead cautiously says "experts believe that it is difficult to assess whether the pirated edition is safe or unsafe" - we think we'll go with "unsafe." The sort-of-silvery lining is that the malware, discovered by a researcher at Kaspersky Lab, which adds a certain flavor to the story, seems readily detectable by most anti-virus products. But don't download it; buy it from Amazon or Apple instead if you're interested. I mean, come on, spend a buck; it won't kill you.

Dave Bittner: [00:12:38:12] Badness does creep into the walled garden of big stores from time to time, but less often than it disports itself in the digital equivalent of the car trunk of some guy selling knockoff NBA jerseys on a side street. Besides, the pirated version is said to be about 230 pages long; the original runs to 328 pages and is, therefore, 98 pages better. You get what you pay for, my friend. How do you know those 98 pages weren't where all the good stuff was?

Dave Bittner: [00:13:10:16] Now a few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzzwords; they're real technologies, and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools.

Dave Bittner: [00:13:42:11] Remember, the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning; a technology that's here today. See what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at Follow the behavior, find the threat. That's E8. We thank E8 Security for sponsoring our show.

Dave Bittner: [00:14:15:09] Joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it is no secret that we have a cyber skill shortage and you wanted to go through some of the ways that perhaps people can address that.

Justin Harvey: [00:14:30:07] Yes. Like you said, we have a very large cyber skill shortage ahead of us and we, as an industry, need to do a lot better at bringing diversity into the workforce. I think, first and foremost, there needs to be a cultural and a mindset shift around women and technology. Working at Accenture, we have a very big commitment to diversity and we participate in a lot of forums. Being able to draw more women into the workforce and, from my perspective, very selfishly, more into cybersecurity.

Justin Harvey: [00:15:09:17] One way to do that is to promote the science and technology, mathematics and engineering and all that in the younger generation. Therefore, number one is bringing in diversity and number two would be getting into earlier processes in schools. Perhaps it's not just high school anymore, perhaps in middle school or even in elementary teaching, it's bringing in the basics and the fundamentals around computer programming.

Dave Bittner: [00:15:38:01] You know, one of the things I've heard many times with people I've spoken to is that, even when we get women into the field, we have a hard time keeping them; retaining them is a real problem.

Justin Harvey: [00:15:48:16] I do acknowledge that the retention around that may be problematic in some organizations. I think that, speaking as a male, I could be part of the problem. I would also say that, part of the cultural shift needs to be in being more accepting of diversity and being more accepting of people who want to excel in their field. I do think that, in technology and cybersecurity, there are some less than favorable behaviors and voices that are made and I think that it is up to us as professionals to, firstly, not stand for it and, secondly, educate others in this field to prevent that from happening.

Dave Bittner: [00:16:32:19] Those of us who are advocating for increased diversity, we need to stand up and have our voices heard.

Justin Harvey: [00:16:39:06] Exactly.

Dave Bittner: [00:16:40:09] Justin Harvey, thank you for joining us.

Dave Bittner: [00:16:45:02] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible; especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit Thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:17:07:05] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe; where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with Editor John Petrik; Social Media Editor Jennifer Eiben; Technical Editor Chris Russell; Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.