The CyberWire Daily Podcast 1.26.18
Ep 523 | 1.26.18

Lebal's layered approach to infection. Crytominers are becoming a big problem. Tracking influence ops. Dutch intelligence spotted Cozy Bear early. Exploiting password recovery.


Dave Bittner: [00:00:03:23] Lebal malware steps its way through layered defenses. Cryptocurrency mining campaigns go after Monero with XMRig, WannaMine, and other toolkits. It's not a victimless crime, either—CPUs can be rendered effectively unusable. Influence operations are tracked in Twitter and Facebook. Dutch intelligence services penetrated Cozy Bear and shared warnings with allied services. Russia demanded, and got, source code access as a condition of doing business. Stacey Higginbotham, from the Internet of Things Podcast, shares her views on IoT security and a creepy exploit of password recovery utilities.

Dave Bittner: [00:00:45:11] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They are the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their cyber daily. They do some of the heavy-lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the cyber daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:52:06] Major funding of the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, January 26th, 2018.

Dave Bittner: [00:02:02:08] Layered, defenses in depth that involve a complementary mix of automated tools, user awareness, and human analysts and watchstanders, have for some time been the default best practice in enterprise security. But of course, as is always the case in conflict, defenders are up against adversaries who observe, orient, decide and act, tuning their attack to the defenders vulnerabilities. Researchers at Comodo Threat Research Labs are reporting an interesting campaign that constitutes a kind of layered attack designed to get around layered defenses. Comodo calls it a "complicated chain to bypass technical security means and deceive human intelligence."

Dave Bittner: [00:02:43:09] The malware involved is called "Lebal," and as so often happens, infection begins with a phishing email. The phishbait presents itself as a message from FedEx telling the victim that a package couldn't be delivered because it exceeded a non-existent "free-deliver limit." If you want your package, the email explains, you must go pick it up from a nearby outlet. To do so you must click a link to download a label you'll need to present in order to get your parcel. The link of course is malicious, and it's disguised as a Google Drive link.

Dave Bittner: [00:03:15:21] The hackers have presented plenty of reassuring markers in the address bar, like "secure," and "https," and "" And the label itself appears to be an Adobe Acrobat document, but the malware payload it carries scans the infected machine and steals all manner of information: cookies and credentials, email, instant messenger clients. And, in a big payoff, it looks for cryptocurrency wallets it can rifle. The researchers say the campaign is targeting some thirty email servers. It's connected to an IP address and domain in Sao Paulo, Brazil.

Dave Bittner: [00:03:52:06] Cryptocurrency mining shows no signs of slacking off. Right now the criminal world seems to have shifted its attention from Bitcoin to Monero. The XMRig campaign, being followed by Palo Alto and others, has now infected more than fifteen-million users with unwanted mining software. XMRig misuses URL-shortener Bitly to hide red flags from users it seeks to induce to click malicious ads.

Dave Bittner: [00:04:18:10] Other mining campaigns are in full swing. Security company Dr. Web reports that Windows systems running some versions of the Cleverance Mobile SMARTS Server, a legitimate Russian product that automates various industrial and logistical processes, are being infected with malicious DLL files that mine Monero. Trend Micro is following a similar campaign against Apache Struts and DotNetNuke servers. And Palo Alto Networks is tracking a mass effort to infect individual users through file-sharing sites: retail rather than wholesale infestations. PandaSecurity describes WannaMine, which is fileless malware used in what are being characterized as smash-and-grab attacks. As its name suggests, WannaMine makes use of the same exploits as WannaCry, but instead of encrypting files, it worms its way into systems to install a miner.

Dave Bittner: [00:05:12:10] Perhaps you're tempted to ask, well, what's the big deal? Sure, I'd rather not be running some random guy's program on my device, but after all I'm not always using that CPU power. And they're not stealing anything from me, anyway. No harm no foul, right?

Dave Bittner: [00:05:27:05] Well, no, generous, live-and-let-live soul. These miners and others like them aren't a relatively harmless nuisance. They burn power, of course, and they also hog more CPU resources than you might imagine. CrowdStrike warns that mining is so computationally intensive that it routinely renders affected CPUs unusable.

Dave Bittner: [00:05:47:12] Turning to news of information operations, the British Parliament is dissatisfied with what many MPs take to be Twitter's evasiveness over how its platform may have been used to influence the UK's Brexit vote. Facebook reports its introspective conclusion that Russian "agents" were found behind one-hundred-twenty-nine promoted events during the election cycle.

Dave Bittner: [00:06:10:01] Dutch intelligence services are reported to have penetrated Cozy Bear before the FSB threat actor hit the US Democratic National Committee. They shared warnings with their American colleagues.

Dave Bittner: [00:06:22:10] Symantec, SAP, and McAfee are reported to have submitted source code for inspection by Russian security organs. Such inspection was apparently a precondition for doing business in Russia. This has disturbed observers because of the possibility that such inspection might reveal exploitable vulnerabilities.

Dave Bittner: [00:06:42:10] Finally, in news of crime and punishment, one Mr. Jonathan Powell, of Phoenix, Arizona, has received a prison sentence after his conviction in a case involving his intrusion into university students' email and social media accounts. He gained access to a utility IT staffs use to help students when the students forget their passwords. And why? He was looking for explicit pictures female students might have cached in their accounts. Creepy, yeah, and well-deserving of a sabbatical in the Big House. It's also bizarre—with all the free adult content on the Internet, it seems the stalking had to be part of the thrill Mr. Powell was after, because it seems unlikely this represented a market failure.

Dave Bittner: [00:07:30:20] Now a message from our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector and you might be forgiven if you've decided that maybe they're just the latest buzz words. Well, no thinking person believes in panaceas but AI and machine learning are a lot more than just empty talk. Machine learning for one thing is crucial to behavioral analytics. You can't recognize the anomalies until you know what the normal is, and machines are great at that kind of base lining. For a guide to the reality, and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that are both future promise and present pay off in terms of security. When you need to scale scarce human talent, AI and machine learning are your go to technologies. Find out more at E8 Security. Follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:08:38:23] And joining me once again is Dale Drew. He's the Chief Security Strategist at CenturyLink. Dale, welcome back. Happy New Year.

Dale Drew: [00:08:45:13] Happy New Year. Thank you very much for having me.

Dave Bittner: [00:08:47:16] Yes, good to have you back. What are we in for this year, Dale? What are your thoughts? What do we need to batten down the hatches and be ready for?

Dale Drew: [00:08:55:22] I think 2018 is going to be a very interesting year from a cybersecurity perspective. I would call 2017 the tipping point with regards to security. We saw a migration from bad guys mostly focusing on obtaining a reputation - getting a name for themselves - to their community finding a way to make revenue from attacks. Not just the professionals but pretty much anybody. We saw a lot more people focusing on the revenue side of collecting from victims than we have ever seen before.

Dale Drew: [00:09:33:18] Another thing is we saw, with regards to the level of sophistication in attacks that were previously reserved for nation states, we're seeing a much more commodity of sophistication being available to the bad guys. So, things like the Mirai botnet. That botnet has been modified so many times to be able to take advantage of that sort of ecosystem and that infrastructure but then be able to tailor it to specific attacks and specific campaigns for the more commodity attacker.

Dale Drew: [00:10:06:09] We're also seeing victims who just - I want to say this politely - victims are paying to reduce the nuisance factor. They are not necessarily interested in solving the overall solution for the ecosystem, they just want the problem to go away so when they get hit with a ransomware attack, they are not interested in participating in the global extrusion of how to stop ransomware. They just want the ransomware off their system so they can get back to business. So we saw a pretty large explosion in people paying for DDoS extortion, people paying for ransomware extortion and then typically coming to us after the second or third time that the bad guy goes back to the till to get more money.

Dave Bittner: [00:10:49:09] Now much of that do you think is looking to minimize reputational damage?

Dale Drew: [00:10:55:08] I think it's almost exclusively dedicated to protecting that company's brand in making sure that they can get back to the business of doing business. When desktops are encrypted and your end users, your employees, cannot connect business, that's going to get noticed very, very quickly by your customers and by your investors and by the outside public and so they want that to be reduced or eliminated as quickly as possible to get back to the business of doing business.

Dave Bittner: [00:11:25:11] So this idealized notion, that the good guys always say don't pay the bad guys, when it comes down to it from a practical point of view, sometimes people still choose to pay the bad guys?

Dale Drew: [00:11:36:03] Absolutely. We are seeing a very sharp increase in that which means that there's much more motivation for the bad guys to increase ransomware. If you remember, in 2017, we saw one of the first spam-based ransomware attacks where instead of targeting specific companies and specific industries, we saw bad guys essentially flash-mob ransomware out to as many victims as they possibly could, expecting only a small percentage of people to pay, but getting a pretty large pay out in the end. They were surprised just as we were that it was a fairly large number of people who ended up paying for those ransomware attacks. We now expect to see a lot more ransomware spam-based botnet-driven attacks to occur in 2018.

Dave Bittner: [00:12:20:14] Do you suppose this is a year we're going to gain any ground?

Dale Drew: [00:12:22:24] Well I do think that we are sharing more information across the community better and faster than we ever have. We have seen a step function of evolution from the bad guys, from 2016 to 2017, and not a step evolution in response from the good guys. So the good guys are scrambling to be able to collaborate together, to find that step function to get ahead of this whereas we were a step either ahead or a step behind the bad guy, we're now several steps behind the bad guy and we have to catch up.

Dave Bittner: [00:12:59:06] All right. Dale Drew, thank you for joining us.

Dale Drew: [00:13:01:15] Thank you for having me.

Dave Bittner: [00:13:02:16] And don't forget to check out our special edition covering what you might expect in 2018 from cybersecurity. It's on our website. You can also find it in your podcast feed.

Dave Bittner: [00:13:16:14] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on you system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention and we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:12:22] My guest today is Stacey Higginbotham. She's a journalist and producer and host of the Internet of Things podcast. A weekly exploration of all things IoT. She's got a weekly IoT newsletter as well which you can sign up for on her website Why don't you start with the origin story there? What brought you to start the podcast?

Stacey Higginbotham: [00:14:35:15] I was forced to. Many, many years ago at Gigaom, one of our colleagues was, like, "Hey, you know what, you should start a podcast." I was, like, "Oh, no" but I did it and we decided to do the Internet of Things - this was probably back in, oh, goodness, 2013 so a long time ago. I started doing it and he was, like, "You are terrible all by yourself, you need a co-host" and, so, my colleague at the time was Kevin Toful and he was, like, "I'll do it." That's how it started. It's not very glamorous and then when Gigaom went under, Kevin and I were having so much fun, plus we were traumatized by the loss of our livelihoods, so we were, like, "You know what, let's keep the podcast going" so we started it up again. And even when I was working at Fortune, I was still doing the podcast on the side because it was super fun. I then decided to really focus on the Internet of Things and Fortune was, like, "Yeah, we're not that into it" so I was, like, let's do the podcast full time and so far it's worked.

Dave Bittner: [00:15:33:06] One of the things I like about your show is that there is something for everyone. You have stuff for consumers and you have stuff for enterprise folks and you even dig into how IoT works in your own life with your family.

Stacey Higginbotham: [00:15:46:05] It's true. I am really a technical person although I am not a computer scientist. I love learning how things work, so I think that that is the spirit Kevin and I both approached the show with and we really believed, and have since the very beginning, that you have to try this stuff because marketers are going to market and lord knows that, in the real world, tech products often behave badly.

Dave Bittner: [00:16:11:23] And from a security point of view, what sorts of things are on your radar? What are some of the things you think we need to pay attention to?

Stacey Higginbotham: [00:16:19:07] I am still searching for a good security model for the Internet of Things. I've been in this space for two decades - this space being just technology. I have covered chips and cloud and data and all kinds of other stuff. I feel like we came up with some decent models with the cloud, but we don't have something for IoT for edge-based devices that are low in resources, so very tiny sensors. We don't have a way to scale out security programs to the masses. The Internet of Things is bringing in a lot of companies that have never worried about cybersecurity or IT security before into this world. We have to make it easier for them so we have to have set standards and we don't. I really actually am one of the people who believe that the government should set some standards here because absent those, you don't know what goal you're working for. UL will say something is secure or another lab will say something is secure but, really, you don't, as a consumer or even as an enterprise software device buyer, you don't actually know what matters there and right now the burden is all on the consumers and it's not cool.

Dave Bittner: [00:17:38:02] What sort of policy framework would you like to see?

Stacey Higginbotham: [00:17:41:09] Oh, that is the killer question because I still don't think we have a security model and that's where I'd like to start so I don't know how we actually go about doing this. Is there a security API that you can just put on a device? There's so many companies offering an agent. There is a really interesting start up I just talked to called Vidu. They're trying to attack the problem from everywhere at once so it's difficult, but they're trying to tier devices and then they're trying to build a list of known vulnerabilities and best practices for each class of device. And they're pulling in your device firmware and then data on what it's supposed to do to categorize it and then send you that information. The end goal is to have an agent running on your device from them in a test QA environment and that agent is just going to keep reporting back as things change in threat detection, vulnerabilities, the software of the device. So something like that seems really interesting but it also seems really hard coming from a start up, right?

Dave Bittner: [00:18:52:11] Yes.

Stacey Higginbotham: [00:18:53:13] That and blockchain. So there are some really interesting blockchain models but I am still not convinced that it's closer because it is decentralized and authenticated. Does that make sense? I'm not trying to just throw buzz words out there.

Dave Bittner: [00:19:08:05] I understand. So, looking ahead towards this coming year, what are the things that excite you? What are you looking forward to?

Stacey Higginbotham: [00:19:15:07] I am looking forward to hopefully things becoming more automated, more context coming into my smart home stuff. I am looking forward to better data privacy practices brought about in part by companies trying to comply with GDPR. I am looking forward to seeing the next crazy level of devices that people are coming up with, like computer vision has come so far so I'm, like, "Oh, what are we going to be able to do with that?"

Dave Bittner: [00:19:43:01] In addition to consumer facing things, you focus on the industrial side of things. What has got your attention on that side?

Stacey Higginbotham: [00:19:50:12] I think the biggest thing is applying that security model I talked about earlier, figuring out something for that side because those guys, they don't have an IT staff that does security and their cybersecurity efforts are geared in a slightly different direction so I actually think both sides could learn from each other on the industrial side. I think they could learn more about agility and their updates and things like that. On the IT side, I actually think there's a lot of really good best practices that the industrial side already does so they actually do a lot of training with their employees aimed at cybersecurity. So talking about the information they post online, telling them not to plug in USB drives that they find in the parking lot. A lot of those kind of things, they actually spend time with all of their employees talking to them and training them on that - which I think is really valuable and probably should happen everywhere. That is one. The other thing I would say for the industrial side and the enterprise side is, we need to figure out a way to put security in on the manufacturing side of devices. We need to get some accountability among people in the supply chain to actually say, "Hey, wait, I just saw that you did this and that is not a great implementation." We need to get more communication along the supply chain and push back between manufacturers building up to a connected product there.

Dave Bittner: [00:21:26:14] That is Stacey Higginbotham. She's a journalist and producer and host of the Internet of Things podcast. You can find her show on iTunes and also at Check it out.

Dave Bittner: [00:21:38:22] And we'll have an extended version of this interview on our Patreon page, that's at Our supporters get first access to it and then, in a few days, everyone can check it out. We hope you will.

Dave Bittner: [00:21:53:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:22:15:04] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with Editor, John Petrik. Social Media Editor, Jennifer Eiben. Technical Editor, Chris Russell. Executive Editor Peter Kilpe and I'm Dave Bittner. Thank you for listening.