The CyberWire Daily Podcast 2.15.18
Ep 537 | 2.15.18

Olympic Destroyer took its time, compromised the IT supply chain. NotPetya attribution. Coin scams. Coin miners. Botnets old and new.


Dave Bittner: [00:00:00:06] Don't forget to sign up for our daily email news brief delivered to your inbox every day. You can find out more about that on our website

Dave Bittner: [00:00:12:06] Olympic Destroyer may have started with a supply chain compromise back in December. The British Foreign Office blames Russia for NotPetya pseudo ransomware, and the Russian foreign ministry says they didn't do anything. Trend Micro researchers find a new Monero cryptomining campaign underway. CoinHerder fishes in alt-coin wallets. The Satori Botnet has expanded its target list. A new IoT Botnet, DoubleDoor, gets into routers with a one-two punch. And the LoopX ICO vanishes into thin air.

Dave Bittner: [00:00:48:20] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. They're patented technology continuously analyses the entire web, to give InfoSec analysts unmatched insight into emerging threats.

Dave Bittner: [00:01:03:18] We subscribe to and read their Cyber daily. They do some of the heavy lifting and collection and analysis that freeze you, to make the best informed decisions possible for your organization. Sign up for the cyber daily email and every day you'll receive the tough results for trending technical indicators that are crossing the web. Cyber news targeted industries, straight actors exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:55:17] Major funding of the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, February 15th, 2018.

Dave Bittner: [00:02:05:03] The hacking of the winter Olympics appears to have been under preparation at least since December. Investigations suggest that the games cloud provider, Atos may have been compromised two months before the Olympics opened. Atos has brought in McAfee to help with it's investigation. There appears to have been a reconnaissance phase late last year in which Atos credentials were illicitly obtained and used to prepare for this month's attacks. This is consistent with Cisco's Talos units findings. Malware used in the Olympic Destroyer campaign has turned up in VirusTotal, uploaded by unnamed users in France and Romania. Atos is headquartered in France and has significant offices in Romania.

Dave Bittner: [00:02:46:01] The company has confirmed with McAfee's help that some of it's credentials were hard coded into the Olympic Destroyer malware. The campaign is now generally regarded as an IT supply chain attack.

Dave Bittner: [00:02:57:09] It's worth noting that the disruption does not seem to have extended to the management of the games themselves. Events have gone off as planned, and scoring and timing systems show no signs of tampering. There is no unambiguous evidence that would support attribution, but speculation continues to point toward Russia on grounds of motive and opportunity.

Dave Bittner: [00:03:19:03] The British Foreign Office has directly attributed last year's Not Petya Pseudo Ransomware Campaign to Russia. Officials have also warned the Russian Government that the UK will not tolerate another disruptive attack. Russian representatives dismissed the attribution as Russophobia. The UK has been deliberate in it's attribution. Ukraine was, unsurprisingly, first out of the gate to blame Moscow. And US official opinion has tracked Ukraine's since last summer at least.

Dave Bittner: [00:03:48:13] The 5G Mobile Network is being prep tested and rolled out. And it promises speed and convenience. But, what about security? We checked in with Scott Register, Vice President of Product Management for Cloud and Security Products at IXIA, a key side business to learn more.

Scott Register: [00:04:04:15] The ultimate goal of 5G is to basically converge all of the networks that you think about today. Mobile, Wire Line, Wireless, WIFI, and you know, what we think of as 4G or LTE. All of those different ways that you access the network today in different environments and four different purposes. 5G should ultimately and sort of subsume all of those, so, that there is one very high speed access mechanism that's available, sort of any time anywhere. That's the goal. You have all these different things that are available on top of a different infrastructure. On of the nice things about 5G is that, at least to get started, the providers can re-use a lot of the basic 4G infrastructure that they've built out now, and especially the service providers who have started to invest in, especially in FD and SDN's, and have them scale and automate, those move more quickly but I think even late 18, early 19 you'll start to see kind of initial things at least billed as 5G, although I think in reality it will take multiple years, much like the transition from 3G to 4G/LTE.

Scott Register: [00:05:37:09] There were lots of kind of marketing claims around that. "Oh, we've got the first network". Well, it wasn't really full, you know LTE even though it claimed 4G. So, you'll see a couple of years involved in the roll out, but I think we'll start things at least marketed that way even late 18.

Dave Bittner: [00:05:57:03] And so from a security point of view I would imagine as we've gone through the various subversions of wireless data technology, security has become more and more front and center. Are there any specific technologies in 5G that improve the security posture of it?

Scott Register: [00:06:15:04] Yes and No. There are some technologies being applied but because of the scale, right if you think about replacing all these different networks, the network in the coffee shop, the network in your house, the network in your office. If you replace all of those with kind of one big network management becomes difficult, just because of the sheer scale. So, automation, becomes very, very, important and so you'll have an automation layer that sits on top of your virtual devices, NFE devices because those you can provision and tear down very rapidly, as well as SDN you know for flexible kind of plumbing between those.

Scott Register: [00:06:56:22] So, with that you will indeed have the ability to say things like when this kind of device, well say a medical device or a car or whatever comes on line, I want to provide end to end encryption and provision that through my network from that device. Maybe it's just to the egress of the network or maybe it's all the way back to the auto manufacturers site, or into their service cloud. Maybe certain types of devices I want to do device authentication. I want to do some very strong authentication and make sure that this particular, I don't know, Pacemaker is exactly the one that I think it is.

Scott Register: [00:07:39:16] And so, it's not so much a new technology, it's just more kind of wide spread and standardized adoption of a lot of the technologies that we have today. But, in a standardized way and spread across the network.

Scott Register: [00:07:55:07] Now, the kind of counter to that is getting that security right, becomes really, really, important because of the two things we've talked about. One is the sheer scale, the number of devices that are on the network. And, two is that shared infrastructure concept.

Scott Register: [00:08:14:04] If you think about the biggest IOT denial service attack that we know of recently, like the Dyn attack. They used DNS coming from vulnerable webcams like IOT devices. That was a massive attack and it took down major DNS services on the East Coast. It brought lots of companies off line. It was a big deal. And, it kind of leveraged this year's scale of IOT devices.

Scott Register: [00:08:40:10] Now, think about that device count which was maybe in the tens of thousands, and then multiply it out normal, so maybe it's in the millions or it's in a hundred of millions. Think about the scale of what that kind of attack could look like coupled with the fact that the network is not isolated, meaning the Internet is big and it's important to us, but you could maybe still talk to people inside your building, even if the Internet is down, you can still make phone calls from your phone even if DNS is down for major parts of the country.

Scott Register: [00:09:16:13] But, if a denial of service attack, maybe a denial service attack but not exactly looking the way that we think of one today. If that is able to impact not just the slice of the network that you're on, but the actual infrastructure that's providing services for all of these different slices, that's a really bad thing. Because someone launches a denial service based on some car network over here and suddenly people's health care devices go offline. Or they can't unlock their doors, or they can't get into their buildings, or they can't read email or whatever. That becomes a really big deal. So, how we apply that security and how we make sure that it protects the infrastructure that underpins all of these different provision networks, as well as provides security for the end devices, provide things like end to end encryption, that becomes even more important than it is today.

Dave Bittner: [00:10:17:08] That's Scott Register from IXIA. We have an extended version of our interview on our Patreon page. Our Patreon supporters get first access to it and then in a few days it will be available for everyone. That's at

Dave Bittner: [00:10:31:22] Researchers at security firm Trend Micro report that their sensors have detected vulnerabilities in ApacheCouchDB that are being exploited in the wild by Monero cryptomining malware. Cryptojacking is currently drawing the most attention from cyber criminals, probably because it's relatively easy to pull off, even if the payout seems, reports are to be believed, relatively small.

Dave Bittner: [00:10:55:24] The big money seems to be in straight forward scams. In one such campaign Coinherder is now under investigation by the Ukrainian police with an assist from Cisco. Coinherder is a complex fishing operation that uses Google ad words to poison search results in ways that induce victims to give up access to their wallets which the criminals then proceed to loot. Losses from Coinherder are said to run to some $50 million.

Dave Bittner: [00:11:22:07] Botnets continue to be used for various criminal purposes, the Satori Botnet is evolving according to security firm Netlab 360, and now affects routers made my South Korea's Dasan networks. This development is regarded as serious by observers, if only because it's unlikely that the routers will ever be patched. The secure team vulnerability disclosure service, part of the firm Beyond Security told ArsTechnica they tried without success to contact Dasan in October. Dasan has so far not commented, but about forty thousand routers could be susceptible to Satori. Satori you'll recall is a variant of Marai.

Dave Bittner: [00:12:01:05] And researchers at NewSky Security say that their honeypots have detected the formation of a new IoT Botnet. This one is being called DoubleDoor because it changed two exploits to bypass a firewall and compromise a router.

Dave Bittner: [00:12:15:16] The first backdoor, which is CVE-2015-7755, affects the firewall—Juniper Networks NetScreen. The second, CVE-2016-10401 enables privilege escalation to obtain a superuser account on ZyXEL PK5001Z devices. Both vulnerabilities are, of course, known, and have been addressed by the vendors, but a large number of susceptible devices remain unpatched.

Dave Bittner: [00:12:43:06] And finally, we all like transparency, right? There has been another initial coin offering scam reported and people have thought for a while that the start up involved lacked transparency. LoopX which may have been a crypto currency exchange had promised a proprietary algorithm yielding great profits continually every month. What that algorithm which they call the Loop Algorithm actually did was unclear. So, LoopX lacked transparency. But, over the weekend it achieved a different kind of a transparency by vanishing into thin air, and everybody now sees right through it. Investors in the ICO are left sadder but wiser to the tune of some four and a half million dollars.

Dave Bittner: [00:13:30:04] Time for a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too. Especially when it comes to machine learning and artificial intelligence.

Dave Bittner: [00:13:42:05] You can get a free white paper that explains these new but proven technologies at We all know the human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats.

Dave Bittner: [00:14:02:19] They'll help you understand your choices too. Did you know that while we might assume supervised machine learning where a human teaches the machine, might seem the best approach. In fact unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding.

Dave Bittner: [00:14:21:10] Check out and find out more. Follow the behavior, find the threat. That's E8 Security and we thank E8 for sponsoring our show.

Dave Bittner: [00:14:38:00] And joining me once again is Ben Yelin who's the Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We have a story come by via the hill. And this is about the New Jersey governor signing some net neutrality orders. Now, of course, we've seen the FCC back off of net neutrality so are the States taking matters into their own hands?

Ben Yelin: [00:15:00:11] So they're trying. There's a limit to what the States can do. So, of course, President Obama instituted regulations establishing net neutrality. The FCC overturned those regulations a couple of months ago. And, that sort of left the void for proponents of that neutrality to kind of filter down to the States.

Ben Yelin: [00:15:19:19] New Jersey just elected a new governor, Phil Murphy, who signed an executive order prohibiting all ISPs that do business within the state from blocking throttling or favoring web contents. Now, this could potentially be legally problematic. Within the regulations laid out by the FCC are what are called preemption elements. And what preemption means is that there's something in the regulation that says, States cannot regulate that neutrality beyond the scope of what's been regulated by the federal government. And Congress and Federal agencies have the right to do that under that constitutional system. If they write in that Federal law preempts, then Federal will preempts. Where we sometimes see exceptions to that is when the State acts not as a regulator but as a purchaser.

Ben Yelin: [00:16:09:00] So, New Jersey in the course of it's business has to purchase services from Internet Service providers. So, for instance, they have to have Internet access at the State house. They have to have Internet access at the DMV. So, somebody is sending a check to Comcast or to AT&T. And, what this executive order does is it says you are not eligible for these contracts if you throttle Internet Services. If you block web content.

Dave Bittner: [00:16:38:11] And not just to us, to anybody in the State?

Ben Yelin: [00:16:40:21] So, it's not anybody in the State. It's just as it applies to companies doing business with the Government and that's really the only power the State of New Jersey has here. If they were to pass some sort of law banning that neutrality, the FCC would step in and say that preemption applies, this is a national issue. Congress has the right and through the federal agencies to regulate interstate commerce. This certainly falls into interstate commerce. They've chosen to preempt State action on this. But where the States do have a little leeway is in their own purchasing practices. And, I think that's what the Governor of New Jersey is trying to leverage here.

Ben Yelin: [00:17:22:00] Now, a separate issue is that a bunch of states, state attorneys general, I always get that term incorrectly, are suing the FCC on the basis of overturning net neutrality and that's a whole separate question. But, until that's resolved States can try to enact regulations. I think they're gonna be subject, probably to strict preemption, lawsuits from the FCC and the federal government. So they have to sort of use creative maneuvers to get around that preemption and using their power as a consumer in the market as a purchaser I think is a really strong way to do that.

Dave Bittner: [00:17:58:19] Interesting stuff. Ben Yelin thanks for joining us.

Ben Yelin: [00:18:01:02] Thank you.

Dave Bittner: [00:18:03:20] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit

Dave Bittner: [00:18:16:24] And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:18:35:16] Our show is produced by Pratt Street Media with editor John Petrik. Social Media Editor, Jennifer Eiben. Technical Editor, Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.