The CyberWire Daily Podcast 2.8.18
Ep 532 | 2.8.18

Operation Shadow Web rolls up carding gang. Fancy Bear sightings. DPRK buying zero-days? Cryptojacking ICS. Huawei, ZTE get Congressional razzing. Jita scams.


Jack Bittner: [00:00:01:00] Dad, stop lying about the CyberWire. I already got glasses and they're very beautiful and they make me look handsome, and I thought your New Year's resolution was to stop lying about me on your podcast. But anyway, go to or

Dave Bittner: [00:00:30:04] Operation Shadow Web takes down the Infraud criminal carding gang. We've got two more Fancy Bear sightings, one in voter databases, one in Defense contractor emails. North Korea may have purchased its Flash Player zero-day from a third-party. Cryptojacking hits a European water utility. The US Senate considers banning Huawei and ZTE from Federal use. And no, Mr. McAfee and Musk aren't Nigerian princes, and they're not giving away Bitcoin either.

Dave Bittner: [00:01:02:13] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news, there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99%, you're still a target for 1.2 million pieces of malware. If you do that math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container, where the malware's rendered useless. With Comodo's patented auto containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to to learn more and get a free demo of their platform. That's, and we thank Comodo for sponsoring our show.

Dave Bittner: [00:02:18:11] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, February 8th, 2018.

Dave Bittner: [00:02:28:11] A US-led international effort has taken down the long-running "Infraud" carding gang, thought responsible for more than $530 million in losses to consumers over the last seven years. Thirty-six alleged hoods have been indicted; 13 of them are in custody, the rest are on the lam. Infraud, known for its motto "In fraud we trust," began as a run-of-the-mill carding forum, moved into the sale of fullz, and eventually became a large and influential full-service criminal market where hoods traded and refined their attack techniques. It was hierarchical and cellular, with participants often not known to one another.

Dave Bittner: [00:03:08:21] Allegedly run by one Svyatoslav Bondarenko, also known as "Obnon," "Rector," and "Helkern," of Ukraine. The other people charged come from Pakistan, France, Serbia, Egypt, Kosovo, Macedonia, Bangladesh, Russia, Moldova, Italy, Australia, the Ivory Coast, Canada, the United Kingdom, and the United States. They range from kingpins to moderators to low-level stiffs. The takedown is called Operation Shadow Web. Police in Australia, France, Italy, Kosovo, Serbia, the UK, and the US all made arrests. Authorities in Albania and Luxembourg were there for the assist.

Dave Bittner: [00:03:48:02] Three quick updates on investigations into apparent state-sponsored cyber operations. The US Department of Homeland Security's cybersecurity lead Jeanette Manfra said that Russia's GRU, that's Fancy Bear, targeted voter registration data in 21 states, and succeeded in "a few" cases. She said data were not manipulated during the incidents, which have been discussed on-and-off since late 2016. That there were intrusions into state voting records has been strongly suspected for a long time. The latest statement, which DHS declined on security grounds to discuss further, revives a long-standing concern. An AP report describes another Fancy Bear campaign, this one a phishing expedition against mostly US Defense contractors for technical intelligence. The technical areas Fancy Bear pawed at include aircraft stealth, rocket and missile systems, and interestingly, cloud computing platforms.

Dave Bittner: [00:04:44:10] And the third is an update on North Korea's exploitation of a Flash Player zero-day against South Korean targets. Investigators believe Pyongyang purchased the zero-day from some so far unidentified third-party. It might be criminals, it might be another state, it might be a zero-day broker.

Dave Bittner: [00:05:03:05] Researchers at Radiflow report finding a cryptominer infestation in a European water utility, marking cryptojacking's long-expected approach to the industrial Internet-of-things.

Dave Bittner: [00:05:15:24] Researchers at AlienVault recently took a look at an application compiled in late December 2017, an installer to mine Monero cryptocurrency. Christoper Doman is a security researcher at AlienVault, and he joins us to share their findings.

Christopher Doman: [00:05:31:07] So it's pretty obvious the way that we found it. It was a piece of software that was talking to a University in Pyongyang. So we could see from the domain that ended dot KP, for North Korean, it might be something worth looking at, and we see a lot of, well a fair amount of North Korean software, but this stood out being potentially malicious.

Dave Bittner: [00:05:46:15] So take us through what was going on here. What was it doing?

Christopher Doman: [00:05:50:09] It's really simple actually. It installed the Monero miner. So Monero's a bit like Bitcoin, but a bit more anonymous. And it installs it on a computer, and then the funds are then sent off to a server at the University in Pyongyang.

Dave Bittner: [00:06:01:04] And in terms of it installing itself on the computer, is it doing this surreptitiously? It is a piece of malware where it tries to hide itself?

Christopher Doman: [00:06:09:01] So it puts itself into the Windows folder, so that's not normally where you get a legitimate piece of software installed. And there's some somewhat related malware that seems to be by the same people that is even more cunning. It hides itself as a scheduled task.

Dave Bittner: [00:06:22:11] Can you tell us about that?

Christopher Doman: [00:06:23:16] Yes, after we released this report on this Monero miner sending off funds to that university in Pyongyang, a friend at Palo Alto found another piece of malware talking to the same Monero wallet, so presumably it's the same people. That's a bit more cunning. It comes in through as an archive that's password protected, that comes built in with the password. So it's got a couple of more methods in there, a bit more involved to try and avoid anti virus.

Dave Bittner: [00:06:45:15] In your research you say that it was looking for a particular host name, which doesn't resolve. Can you describe what's going on there?

Christopher Doman: [00:06:52:12] Yeah, so the host name is the server at the University of Pyongyang. I think it's called Kim II-sung University, if I got that right. And yeah, it doesn't resolve for us. We don't see any records of it ever resolving, but the way the DNS and that kind of stuff works is that if you're within North Korea within a university, perhaps it would work. So one theory about where this has come from is maybe this is running within North Korea itself.

Dave Bittner: [00:07:14:09] Another one of the theories is that it might just be a prank to fool security researchers?

Christopher Doman: [00:07:19:21] Yes, there's definitely some info put in there in case that happened and we had egg on our face. Obviously it is quite blatant, the fact it's got that North Korean domain in there. It's not exactly subtle about that. I think the prank hypothesis we have is a bit less likely, now we've found that related malware, which we're seeing installed on machines in South Korea, a number of machines and it has made about $40,000. So, if it is a prank, it's quite an elaborate one. But yeah that's possible, and that's also because we saw some, again, slightly related malware that probably isn't linked to this, but it shares some codes. So we weren't really sure how to interpret that.

Dave Bittner: [00:07:51:07] And this sort of Monero mining, this is something that you see linked to North Korean people quite often, yes?

Christopher Doman: [00:07:57:15] Yes, I mean two other reports. One was with Kaspersky. They found Lazarus, quite an infamous group of North Korean hackers. The installed some Monero mining on a bank that they'd hacked into, so they were trying to steal, you know, millions of dollars worth of cash from the bank and they risked it all, and partly got caught by installing a Monero miner. And there's also a report by the South Korean government last month, where they found a very related group of attackers installing Monero miners on South Korean networks.

Dave Bittner: [00:08:21:16] What are the takeaways here? What are the conclusions from what you found?

Christopher Doman: [00:08:25:09] Well, I guess this isn't the biggest threat for people to worry about, but given that it's something involving North Korea, it's kind of topical, it's kind of interesting. And if it's into the wider kind of economic situation, where obviously they're growing other sanctions, they need money to fund all their programs, and this is just one more piece of evidence that North Korea's investing resources in cryptocurrencies.

Dave Bittner: [00:08:44:11] And so if people want to protect themselves against this, what are your suggestions?

Christopher Doman: [00:08:48:01] Well antivirus picks this up pretty well. Monero miners are well known, and you can detect it from a network quite easily too. Again, it just uses standard Monero mining, Monero protocols. So, for most people this isn't a threat they've got to worry about. Perhaps more of a threat is, again, the later groups doing things like WannaCry to get cryptocurrency cash. That's got a far longer set of recommendations.

Dave Bittner: [00:09:07:19] That's Christopher Doman from AlienVault. You can read their full report on the North Korean cryptocurrency miner on their website.

Dave Bittner: [00:09:15:22] Two US Senators, Republicans Tom Cotton of Arkansas and Marco Rubio of Florida, have introduced a bill that would ban Huawei and ZTE devices from US Government use. The measure is similar to one recently introduced in the House. Senator Cotton said “Huawei is effectively an arm of the Chinese government, and it’s more than capable of stealing information from U.S. officials by hacking its devices. There are plenty of other companies that can meet our technology needs, and we shouldn’t make it any easier for China to spy on us."

Dave Bittner: [00:09:49:03] Finally, we've been wondering if there actually are Nigerian princes, so we consulted our Africa Desk and found out that yes, yes there are. They're traditional rulers of old constituent states that form modern Nigeria, which itself is, of course, a republic. We can call them "princes" for short; there are naturally other titles in the 521 languages native to Nigeria. Socially important as a mediating institution, Nigerian royalty is roughly equivalent to European nobility: Italian counts, German princes, Scottish lairds, things like that. We're thinking about them because of the way their names have been exploited in advance fee cons. Nigerian prince scams, we've come to call them. No actual Nigerian princes, of course, are involved.

Dave Bittner: [00:10:35:10] So maybe you thought the Nigerian prince scam was exposed and just totally over? So Nineties, right? You roll your eyes and think back about playing Los Del Rio doing the Macarena on your Walkman, am I right? Well, techno-sophisticates, think again. A variant using Twitter is out and about. And to add insult to injury, this one goes after alt-coin, that's right, the cryptocurrencies that are so hard to understand that only true crypto hipsters like our Technical Director or those guys over at Johns Hopkins can be really said to grok them.

Dave Bittner: [00:11:06:19] In fairness to the hundreds who've fallen for the con, the fraudsters aren't tweeting that they're actual widows of Nigerian princes. Instead, they're...wait for it, Bitcoin billionaires, Monero millionaires. And they're using names you know, posing as verified Tweeps. Here's a sample: "By the way, I'm giving away 20 Bitcoins to my followers. Just send 0.2 Bitcoins to the address below and I'll send you 0.2 Bitcoins back, through the same address you used in the transaction. This is my way of thanking all my friends and followers. Thank you!" And who's that from? Well who else but John McAfee, naturally. Of course it's a spoof. It's not the real Mr. McAfee. But admit it, I had you going there for a second.

Dave Bittner: [00:11:50:05] Another one looks as though it came from Elon Musk for sure, doesn't it? Well read this one and weep, rocketeers. "To celebrate the event, I'm giving away 100 Ethereum and 20 Bitcoin to my followers. Send 0.2 Ethereum or 0.1 Bitcoin to the address below and receive 2 Ethereum or 1 Bitcoin." Sounds good, right? I mean, Mr. Musk just did send a Tesla roadster into space aboard his first Falcon Heavy, so maybe that's the event he's celebrating? According to Mr. Musk, who's of course not the real Elon Musk at all, adds, "FIRST 20 only!" So hey, hop to it, Twitterati!

Dave Bittner: [00:12:25:13] There are other tech celebrity impersonators, too. What the cons have in common is that they're tweets. In fact they're replies to other tweets, and that the imposture is accomplished by typo-spoofing. So no tech celebrity, not even the famously out-of-the-box Mr. Musk or Mr. McAfee, is going to ask you to deposit cryptocurrency so he, or she, can send you more in return. Mark Twain would have recognized the bogus offer at once. He even put a royalty scam into Huckleberry Finn. We'll update it for the 21st Century. "If that don't fetch 'em, I don't know hashtag Arkansaw." Don't get fooled again.

Dave Bittner: [00:13:07:20] And now a few words about our sponsor DataTribe. The successful and growing cybersecurity startup studio. They're doing something different to bring on board some of the freshest talent to the sector. They're launching the DataTribe cyber competition. A competition to identify high technology start-ups who've got a vision to disrupt cybersecurity and data science. The three finalists will split $20,000 in prize money, but that's just the beginning. Finalists will be considered by DataTribe for up to two million dollars in seed funding. Start-ups with less than 1.2 million dollars in seed financing are eligible to apply, and contestants have until March 23rd to apply at And if you've got questions, DataTribe has answers. Email inquiries to Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos, which recently made headlines over CrashOverride and TRISIS. So check it out. It's And we thank DataTribe for sponsoring our show.

Dave Bittner: [00:14:20:11] And I'm pleased to be joined once again by Johannes Ullrich. He's from the Sans Technology Institute and he's also the host of the ISC StormCast podcast. Johannes, welcome back. We've been seeing a lot in the news about the theft of cryptocoins. What sort of advice can you offer us here?

Johannes Ullrich: [00:14:37:14] Yes, probably the first thing to realize is if you are owning crypto coins and if you're keeping them in a wallet, this wallet isn't your traditional wallet that holds currency, whether it's electronic or not. It's really just a private key. So it's not that you need a bigger wallet if you own more coins. It's still the same private key that authenticates you to these blockchains that you are the owner of these coins. So you really have to safeguard this private key very carefully. First of all from theft, so you may want to keep it not online. One option actually I have is you can create a paper copy of this private key, either as a QR code, or there is even software that allows you to turn it into an English word passphrase kind of. So, what you can do then is if there are some crypto coins that you're just holding onto, that you're not sort of using on a day to day basis to buy your burgers or whatever. In that case, you can just transfer them into this paper wallet and keep them safe, of course. You definitely want to make sure that you keep a couple of copies in safe places of this piece of paper, because if you ever lose this particular paper, well with that you also lose whatever crypto coins are associated with it.

Dave Bittner: [00:16:01:07] Yes, so this is the kind of thing you store in your safe deposit box, I suppose. What is the level of security with these hardware wallets? Does it vary from device to device, or are they all pretty secure?

Johannes Ullrich: [00:16:15:09] It certainly varies from device to device and I had seen some of these hardware wallets that you stored a private key on like a little micro SD card. While this is not necessarily insecure, from my own personal experience, I had a lot of them fail over the year, and if, you know, this device fails, then well, again, you're losing your, your cryptocurrency. So you definitely want to make sure, again, that you do keep back ups of the private key, so that you actually can get that key in some archivable format out of these hardware wallets. Now with mobile wallets. There are a lot of mobile applications that implement wallets. They actually go beyond the bare bones wallet functionality. What's sometimes called a wallet is not just the part that holds your crypto coins, but also software that's sort of synchronized with the blockchains, so you can look it up to see how many coins you actually have in, in your account.

Johannes Ullrich: [00:17:15:13] Now they often are vulnerable to just the same vulnerabilities that all software's vulnerable to. So, again, be careful. Check the reputation of some of the software that you're using and make sure that you definitely keep back ups of everything. And I would actually recommend to write down any passwords that you're using, because the password should be complex, definitely, but there is no password recovery for these systems. So, if you lose it, it's gone. There's nobody really to complain to and ask for your money back if you lose your crypto coins.

Dave Bittner: [00:17:50:04] Right. Alright, good advice as always. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:17:56:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more. The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.