The CyberWire Daily Podcast 2.6.18
Ep 530 | 2.6.18

More Eternal exploits found more troublesome. Cryptominer updates. NIST SP 800-171. Paycard skimmers. Tsunami false alarm.


Dave Bittner: [00:00:00:20] Would you like to help us out? Of course you would. So head on over to iTunes and leave a review for the CyberWire podcast. It is one of the best ways you can help people find the show and we do appreciate it. Thanks.

Dave Bittner: [00:00:14:20] Shadow Broker exploits are now found more exploitable. Cryptocurrency miners are recognized as a problem: MacUpdate sustained a brief infestation last week, and a new Android mining campaign takes a page from Mirai's playbook. The Smominru botnet rakes in $3.6 million. T-Mobile warns of SIM-hijacking. The comment period's been extended for a NIST Special Publication. A new paycard skimmer's been found in Pennsylvania stores. And there's been a tsunami false alarm on the US East Coast.

Dave Bittner: [00:00:49:22] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container, where the malware's rendered useless. With Comodo's patented auto containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to to learn more and get a free demo of their platform. That's And we thank Comodo for sponsoring our show.

Dave Bittner: [00:02:05:21] Major funding of the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, February 6th, 2018.

Dave Bittner: [00:02:15:14] EternalSynergy, EternalRomance, and EternalChampion, all leaked last year by the Shadow Brokers and used in the NotPetya pseudoransomware attacks, have since taken a back seat in terms of public awareness to EternalBlue. But researchers at security firm RiskSense have found that these three exploits work against all unpatched versions of Windows from Windows 2000 on. The exploits, which the Shadow Brokers claimed to have obtained from the US National Security Agency's Equation Group, may be just as easy for attackers to use as the hitherto more popular EternalBlue bug. This discovery should spur laggards, and there are many who have yet to apply patches Microsoft issued last March. All of the Eternals are in the Metasploit framework, and, again, they've all been patched.

Dave Bittner: [00:03:04:02] Cryptocurrency mining continues its unpleasant run through victims' systems. People are saying that miners have become malware, but they've always seemed like malware to us. What else would you call a program you didn't intend to install, that uses your system's resources, and that does you no good? We call it "malware." Yes, you may call it a "potentially unwanted program," a PUP if you must, but whatever you call it, it still stinks. Here are some of the latest notes on this problem. On February 1st and 2nd, the MacUpdate site was briefly infested with a cryptomining malware. MacUpdate has apologized and expelled the malicious software, but users who downloaded updates at the beginning of the month should check their systems. Security company SentinelOne reports that criminals seem to have gotten into the site and installed a dropper based on the Platypus development tool to download a cryptominer from Adobe Creative Cloud services. The malicious apps were crafted to affect OnyX, Firefox, and Deeper users. They're gone now, but if you were in MacUpdate at the beginning of the month, take a look at your system.

Dave Bittner: [00:04:09:09] Security researchers at Qihoo 360 NetLab warn that a new Monero cryptomining botnet is hitting Android devices in the wild. It infects them through port 5555, which is used by the legitimate debugging tool Android Debug Bridge. The worm is interesting, and 360 NetLab is calling it a worm, because it seems to be using some of the same scanning code found in the Mirai botnet. Most of the infected devices so far are found in China and South Korea.

Dave Bittner: [00:04:40:00] Proofpoint researchers have an update on the Smominru cryptomining botnet. By the estimates the security firm has compiled, the hoods behind the botnet have now amassed more than three-and-a-half-million dollars in Monero cryptocurrency.

Dave Bittner: [00:04:54:14] T-Mobile has issued a warning of an active SIM-hijacking campaign. The warning takes the unusual form of a mass text message. In the "phone number port out scam," the crook either calls a phone provider or visits the store to request a new SIM card for their victim's phone number. Once they have it, they can further exploit the victim. Most carriers will give their customers a phone passcode or a PIN to help protect them against this fraud.

Dave Bittner: [00:05:21:08] We hear regular reports of Amazon S3 data buckets being inadvertently left open to the world. Woody Shea is Chief Technology Officer at Covata, a data security firm and he provides some background on why this problem is more common than it should be.

Woody Shea: [00:05:36:23] Yes, I guess it's the law of averages, right. So you have these admins putting information into, into these S3 buckets. It's really just a single layer of security at that point. You know, they are in charge of granting access or not to the S3 bucket. The law of averages says that, you know, eventually somebody's going to slip up and we're seeing that happen quite a bit, you know, just because so much information is in, in these buckets.

Dave Bittner: [00:06:02:10] And is this a matter of people not properly setting the access restrictions and, and I guess the other question is, why wouldn't they be set to be more restrictive by default?

Woody Shea: [00:06:13:19] I believe they are set to be fairly restrictive by default. It's, it's more that humans are imperfect. You know, it's very similar to, in my mind anyway, to a Freudian slip or, you know, that time that you drive home and don't really remember driving home after work. You know, at some point, somebody's going to need access to that information and you're just going to go on autopilot, or make a mistake and open it up to the world. And I mean there is just so many people using this and so much data in there, it, it just has to happen. You know, there's, there's no other alternative. Just law of averages, right.

Dave Bittner: [00:06:54:13] And so are there folks out there actively searching out for these open buckets so that the notion of security by obscurity doesn't really apply anymore?

Woody Shea: [00:07:03:14] Yes, yeah, and that was sort of where we started. The VP of security here at Covata and I were talking and, you know, he ended up posing a writing prompt to me. He said there's so much stuff on the Internet here, you know, how are people finding these S3 buckets that are open? And the answer is there are a number of tools starting to come out that, you know, specifically for scanning S3 buckets, but the bucket naming convention is, is very similar to, possibly identical to subdomain naming, and there are definitely many tools out there for scanning for subdomains. You know, that's actually where I started, was okay, let me collect these tools and see how easy it is to find exposed data, and it turned out to be way easier than I thought.

Dave Bittner: [00:07:50:17] So if you're someone who's using one of these S3 buckets, is there an easy way to activate an additional layer of protection for yourself, to protect yourself against yourself?

Woody Shea: [00:07:59:08] Yes and no. So that's, that's a really complex question, I think. So what you really want, and what we saw, you know, in previous years if you will, is layers of protection. You know, on premises, you had the firewall, then you had system permissions, and then maybe you had permissions within the application that the, the system was, and those might be mutually exclusive, depending on how the application's set up. But you had at least two layers. So if you accidentally opened things up on one of those layers, the other one would be there, and, and traditionally, it would be two different people controlling those two layers, right. You had your, your network admin managing the firewall, and then you had your data owner, or system admin managing the access controls on the applications.

Woody Shea: [00:08:45:24] In the cloud, we're, we're really not seeing that second layer. Now the S3 buckets, you can, but it's not very intuitive and everyone just sort of by default, has access to the multiple layers. And I would say cloud services, as a whole, are moving towards this, but they're not there yet. But you really do need those separation of duties. You need, you know, one person sort of providing swim lanes, if you will, right here is a group of people that you might want to share with, or you're allowed to share with, and then the data owner within that, okay how this file will actually go to that person, and yes that's within the swim lanes, so that's allowed. And it's just not quite there yet. So what happens is, if you have access to AWS systems, you also have access to the AWS firewall. So it's hard to maintain those separations of duties.

Dave Bittner: [00:09:42:18] That's Woody Shea from Covata.

Dave Bittner: [00:09:46:10] Apple and Cisco have partnered with insurance giant Allianz in an arrangement that will give Allianz customers lower cyber insurance rates if they use certain Apple and Cisco products.

Dave Bittner: [00:09:58:21] US Federal agencies and their contractors prepare to implement NIST information-sharing guidelines. NIST’s Special Publication 800-171 was intended to take effect on January 1st of this year, but the deadline for figuring out how to comply has been extended. NIST is now taking comments from the public on SP 800-171 until June of this year.

Dave Bittner: [00:10:23:16] Attention Pennsylvania shoppers. Take a look at that paycard terminal before you swipe, especially if you're using a debit card. Police are looking for two hoods who've been caught on surveillance cameras installing overlay skimmers on customer-facing scanners of the kind you see in checkout lines everywhere. The two crooks were seen putting them in place at a few Aldi's supermarkets. The card skimmers are thin, convincing, and snap on in seconds. They steal debit card PINs. Retailers should remind their people to keep their eyes open.

Dave Bittner: [00:10:55:02] And finally, a couple of weeks ago fumbled tests of emergency alert systems in Hawaii and Japan resulted in false alarms of a missile launch, presumably from North Korea, that set off brief, fortunately minor panics. They weren't the results of cyberattacks, but they did expose problems with the systems. There was a similar oops this morning on the US Eastern Seaboard, when a National Weather Service test of a tsunami warning system found its way into Accuweather and other outlets. Parents and children in the Middle Atlantic states who were checking for advance word of school closings, in response to tonight's expected ice storms, were instead surprised to get an alert telling them to high-tail it for high ground. It was all a mistake, and quickly retracted and corrected. We've looked out the window and can report that there's no tsunami surge up the Chesapeake...not yet. Sorry, kids, you'll have to wait for that promised ice storm if you're hoping for a day off.

Dave Bittner: [00:11:55:04] And now a few words about our sponsor, DataTribe, the successful and growing cybersecurity start up studio. They're doing something different to bring onboard some of the freshest talent to the sector. They're launching the DataTribe cyber competition. A competition to identify high technology startups who've got a vision to disrupt cybersecurity and data science. The three finalists will split $20,000 in prize money, but that's just the beginning. Finalists will be considered by DataTribe for up to two million dollars in seed funding. Startups with less than 1.2 million dollars in seed financing are eligible to apply, and contestants have until March 23rd to apply at And if you've got questions, DataTribe has answers. Email inquiries to Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos, which recently made headlines over CrashOverride and Trisis. So check it out. It's And we thank DataTribe for sponsoring our show.

Dave Bittner: [00:13:07:11] And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back.

Emily Wilson: [00:13:13:15] Good to be back. Thank you for having me. I'm enjoying the new office space.

Dave Bittner: [00:13:16:17] Oh, well thank you very much. It's radio, so we don't get to talk about it very much, but yes we're enjoying our time here at DataTribe as well. So a new year is upon us and that is usually a time for predictions but you wanted to make the point that, when the new year kicks off, that is when we start seeing people rev up their efforts at tax fraud.

Emily Wilson: [00:13:38:00] Yes, it is one of the most wonderful times of the year on the Dark Web. Everyone still loves Black Friday, but yes, I mean when you think about it, this is everything the Dark Web fraud community loves, right? You get to steal other people's money and you get to steal it from the government. It's a cause everyone can get behind.

Dave Bittner: [00:13:56:06] So how does that play out? What do you see on the Dark Web when it comes to people going at this?

Emily Wilson: [00:14:02:14] Sure, so we see a couple of things. Uh, one, there's the information that's available all year round, that gets remarketed for tax season. This is your, your fullz, your full identities, your tax fraud guides, helpfully walking you through step by step. Other personal information, socials and what have you. And then a couple of things that become more particularly relevant around tax fraud season. This is your W2s, your EINs, that sort of thing.

Dave Bittner: [00:14:29:19] I see. Now you mentioned there was something you saw called Infant Fulls. Describe that for us.

Emily Wilson: [00:14:37:05] Sure. So this is one of the few times, really one of the only times that we see the information of children being brought into play on some of these markets. As I've mentioned before, a lot of the material you tend to think of for children on the Dark Web, child exploitation, is really kept separate. These communities are really, really discrete from one another. But we do see, we saw a couple of years ago, and again this year, information of children being sold for tax fraud purposes. So in this case, what we saw were Infant Fulls being marketed, and this is a baby right, so they can't have so much information, but you're talking about a name, social, date of birth, some information about the mother. A couple of years ago we saw children's socials being sold. So the socials of a child and both parents, you could get a nice little family pack, and these are marketed explicitly for tax fraud. That's really the only time of year we see them.

Dave Bittner: [00:15:30:10] And is there anything you're expecting that's going to be new this year? Is it more of the same? Do we expect it to ramp up? Is this one that people are getting a better handle on?

Emily Wilson: [00:15:38:14] I think this is one that we're going to kind of see progress steadily, but I think every year, you know, the IRS makes just a couple of tweaks and there are guides there ready to kind of handle those tweaks and really there's not a lot that can be done about it. That's the hard thing. The only thing you can really do is try and get your return in before the criminals get to you, and even then it's luck of the draw whether or not it's your information they have on hand.

Dave Bittner: [00:16:03:00] Wow. Alright, good advice. Be careful, as always. Emily Wilson, thanks for joining us.

Dave Bittner: [00:16:10:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:16:32:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.