The CyberWire Daily Podcast 2.21.18
Ep 540 | 2.21.18

SWIFT phishbait. DPRK hacking gets better; GRU hacking looks east. Coldroot RAT. Cryptojacking. Election cybersecurity.


Dave Bittner: [00:00:00:21] Thanks again to all of our Patreon supporters. You can find out how you can become a supporter at

Dave Bittner: [00:00:11:08] SWIFT phishbait hits inboxes. North Korean hackers show fresh sophistication and new ambitions. Fancy Bear seems to be snuffling east. There are Monero miners in Word, and why cryptojacking for Bitcoin is harder than it is for other currencies. The Coldroot RAT hides in plain sight. The US Departments of Justice and Homeland Security undertake new approaches to election security, and Facebook has a new verification mode: send in a postcard.

Dave Bittner: [00:00:44:11] And now a moment to tell you about our sponsor ThreatConnect. They've teamed up with Domain Tools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it and, in order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data. The combination of the ThreatConnect threat intelligence platform and Domain Tools Iris Investigative platform empowers security professionals to hunt APTs efficiently and effectively. Watch Director of Product Integrations at Domain Tools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, as they explain how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and Domain Tools work together to enable thorough domain actor and IP investigations. You can check it out today at That's, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:00:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, February 21st, 2018.

Dave Bittner: [00:02:09:24] If you want to spot the coming trends in phishbait, just follow the news. Over the weekend, news of a series of bogus SWIFT fund transfers affecting an Indian bank hit the wires. Since then, the hoods have jumped on their main chance, and so fraudulent transfers executed over the SWIFT network have prompted a new category of spam. From their perch at the foot of Garrett Mountain, researchers at Comodo Threat Research Labs report that criminals are using spam to distribute an attachment whose payload is the Adwind Trojan. The email's subject and text declare it to be a notice that there's been a SWIFT transfer to the recipient's account, and then refers the victim to the attachment for details.

Dave Bittner: [00:02:51:22] This version of Adwind, once it's in a system, does a variety of things: registry modification, antivirus and other security software tool installation checks, and possible AV software kills, and then connection with the Tor network. It also seeks to disable the Windows restore option, and it will, if possible, turn off User Account Control which would, when enabled, prevent software from being installed without the user's knowledge.

Dave Bittner: [00:03:18:24] Comodo thinks the campaign is reconnaissance and preparation for further, more damaging attacks. Recipients have this going for them, however: while the choice of subject may be clever, the approach is not. The spam is a throwback to the days of nonstandard English grammar and eccentric idiomatic control. Be alert, and use all your critical literary skills when you read your email.

Dave Bittner: [00:03:43:03] Slowly but surely, researchers are making headway with quantum computers. The promise is one of a whole new class of computational capabilities, but with those capabilities comes a threat to the encryption we rely on today. Scott Totzke is CEO at Isara Corporation, a company specializing in creating what they describe as quantum safe cryptography, and he brings us up to speed.

Scott Totzke: [00:04:06:09] We're very much in kind of the early days, even though we've been doing research for a couple of decades into quantum computing, but we're starting to see real early applications and progress. I mean, if you look at CES a couple of weeks ago we had Intel announcing their 49-qubit chip, so we're starting to see some milestones from major technology vendors that are working on building quantum computers, even small ones that will solve problems that we can't solve on the world's largest supercomputers today.

Scott Totzke: [00:04:37:09] Everybody gets really excited about that, because we can start to see a future where you can see quantum information science impacting all kinds of innovation cycles around the world in different areas. We can look at pharmaceutical research, where we can start to do drug design much more efficiently. We can look at quantum chemistry, where we can take the one to three percent of the world's energy that we use to produce fertilizer so we can feed the planet, and we can reduce that because we can more efficiently produce fertilizer in the future. We can build superconducting materials that will let us be more efficient at transporting power over the electricity grid, where we lose ten to 12% of the electricity today. You know, we can make that a much more efficient transaction in the future, so we have less loss of electrical power as we send it over the grid.

Scott Totzke: [00:05:28:11] So, all of those kind of speak to a new era of computing where we'll be able to solve problems that are far beyond the grasp of what we can do today. I think that's where people get really excited, because they see the innovation cycle that happened, starting in the '70s in Silicon Valley, and all of that technology and wealth creation and intellectual property and prosperity that happened because of those investments and that focus in building a technology industry. Now we're onto the next phase of what's next in the computing industry, and it's quantum computing and, again, we're just on the cusp of being able to move into new areas of research and design that people get really excited about.

Dave Bittner: [00:06:09:05] And, of course, the concern is that quantum computing will be a threat to our traditional encryption algorithms.

Scott Totzke: [00:06:15:13] Yes, that's correct. So a quantum computer solves certain classes of hard problems really efficiently, and I talked about a few of them, but one of the classes of hard problems is the math that is the underlying component that protects us on the internet today. And when you look at the technology industry in general, we have been really effective and efficient at building encryption into everything that we do on a day to day basis. So, when you think about it, it's probably the biggest success story of the technology industry over the last 30 or 40 years. We've taken something that is really complicated and difficult in the use of strong encryption, and we've made it kind of ubiquitous and transparent and, even if you're a non-technical user you're going to use this type of technology a thousand times a day and not even know about it.

Scott Totzke: [00:07:00:21] So, as we think about quantum computing becoming a threat to this, we also look at how we've embedded strong encryption into just about everything we use on a day to day basis, and all of that needs to be updated to something that is going to be resistant to an attack from a quantum computer, or the integrity of everything, from the data that we use to manage the environment within an office, where we've got all kinds of sensors for managing temperature and controlling the environment there, to signing on and checking your bank balance. All of that's going to be challenged by quantum computers, so we need to focus on how we shift the security model to something that's going to be more resilient and safe to an attack from a quantum computer.

Dave Bittner: [00:07:41:24] I'm intrigued by this notion that some people may be harvesting encrypted data, storing it, looking toward the future for when we pass this quantum threshold, that they might be able to break that data they can get their hands on today.

Scott Totzke: [00:07:56:15] Yes, and that's very much a driving theme that we hear when we talk to government customers, or at every level, it depends who your adversary is. But when you're thinking about this at a state level, there's a lot of concern that whoever your adversary is, if you're US or you're a Five Eyes country you're very concerned that, say, Russia or China or North Korea is harvesting all this data and storing it in a data center someplace and then when they do have a quantum computer they'll be able to go back and undo all of the secrecy and encryption that we're using to protect sensitive communications today.

Scott Totzke: [00:08:30:17] So, if you're a government agency, you might have a 20 year, 25 year secrecy obligation on electronic communications that you are sending out on a day to day basis. When we look at the timeline for when we see quantum computers being a threat, you know, this could be as early as 2026, and so today you can't meet that 20 year or 25 year secrecy obligation with state of the art encryption technology that we use today to protect all of our transactions. In some sense, you're already creating an exposure where the information that you need to protect is already exposed to an adversary, but it's maybe sometime in the next seven or eight years before that becomes actionable on their part, but every day you continue to leak more information that can't be protected in accordance with whatever your secrecy obligations are.

Dave Bittner: [00:09:21:04] That's Scott Totzke from Isara.

Dave Bittner: [00:09:25:06] The Olympics are in their final week, and the DPRK's Reaper operators are in contention for hacking gold. They weren't involved, it seems, in the disruption that hit the Games' opening ceremonies (the usual suspect in that escapade remains Russia), but they've shown a considerable increase in capability. FireEye researchers report "with high confidence" that North Korean government cyber operators are showing a new sophistication and ambition. Studies of the threat group variously known as Reaper, APT37, Group123 - that's Cisco's Talos unit's name for them - and ScarCruft, as Kaspersky called it, suggest that it's aggressively targeting international corporations.

Dave Bittner: [00:10:07:20] According to FireEye, most of Reaper's attacks are initiated with sophisticated social engineering. CrowdStrike, which tracks the group as "Labyrinth Chollima", says they've shown the ability to bridge air gaps by unspecified means.

Dave Bittner: [00:10:22:10] Reaper is known for pursuing government, defense industry and media targets, but it's recently added the chemical, electronic, aerospace, healthcare, automotive and manufacturing verticals to its target list.

Dave Bittner: [00:10:36:06] Taking a look at the Bears, Kaspersky Lab says that Sofacy, the threat group linked with Russian military intelligence, also known as APT28, Pawn Storm, Sednit, Strontium and, of course, our favorite, Fancy Bear, has begun to shift its focus eastward from NATO targets. It's now taking a closer interest in Ukrainian and Central Asian networks.

Dave Bittner: [00:11:00:11] Researchers at Israeli cybersecurity firm Votiro warn that they've determined it's possible to embed Monero-mining script in Microsoft Word documents. Why, one might ask, has Monero grown in popularity among cryptojackers? After all, Bitcoin is still the most valuable cryptocurrency, even though it's fallen off from its December highs, and Bitcoin's transaction fees, which had become high enough to put criminals off the currency, have fallen from $34 to less than a buck. The answer seems to be, according to what researchers at security firms Imperva and Check Point told ZDNet, that mining Bitcoin requires a custom application-specific integrated circuit, an ASIC. No ASIC, no mining. But that's not an obstacle in the case of Monero and some other cryptocurrencies.

Dave Bittner: [00:11:49:08] Cybersecurity firm Digita Security is warning about a remote access trojan, a RAT, called Coldroot. Coldroot is a cross-platform RAT that installs a keylogger to steal banking credentials. What's curious about Coldroot is that it's been around for about a year, and has been traded in Dark Web markets. Its code has been on GitHub for roughly a year, too. Yet Coldroot still escapes detection by signature-based antivirus tools, indicating how easy it can be to hide in plain sight.

Dave Bittner: [00:12:21:14] And finally, as midterm elections approach in the United States, the US Department of Homeland Security is increasing its cybersecurity aid to state election officials as they prepare for midterm voting. The assistance includes classified threat briefings. The Department of Justice has also organized an anti-election-hacking task force, and the private sector is thinking about what it might do to help. Facebook has introduced a new low-tech method of verifying that people who purchase political ads are who they say they are and not, say, employees of, oh, we don't know, the Internet Research Agency, or the Voppercoin impresarios operating from the Arbat. They'll verify their bona fides by returning a physical postcard. As Facebook says, that won't solve everything, but they think it's a simple step in the right direction.

Dave Bittner: [00:13:14:20] Time for a message at our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the humans something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. Follow the behavior, find the threat. That's E8 Security, and we thank E8 for sponsoring our show.

Dave Bittner: [00:14:23:04] And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.

Dave Bittner: [00:14:28:22] You know, Justin, I've been hearing lately about data-centric security, and I was hoping you could shed some light on how exactly people go about implementing this, and how the architecture differs from what we've done traditionally.

Justin Harvey: [00:14:41:11] Data-centric security is really about identifying your high value assets, maybe your data, maybe your business processes, and building up your defenses from the inside out. For the last decade, the focus has really been on how high can you build your walls? How high can you build your perimeter to create resistance or friction for adversaries so that, if you're able to repel them, they won't get into your organization and steal your data? But what we're finding is it's getting easier or, at least, it is easy for adversaries to bypass the perimeter, and it's happening over and over.

Justin Harvey: [00:15:17:19] In fact, I've even told a lot of my clients, "Build your cyber defense program in such a way that you are surrendering the perimeter." Now, don't get me wrong, I'm not saying, "Go out and divest all of your perimeter controls," but what we're seeing is a race within the industry, how high can you build your wall, and it's a race condition. But what's happening every time is the adversary is leaping over the wall, and then you're in this softer center. You're in your intranet or the inside of your organization, and it's very easy for them to move laterally and steal data.

Justin Harvey: [00:15:53:18] So, data-centric security is first identifying what your high value assets are and, of course, if you can't identify them how can you protect them? Secondly, building from the inside out, so having all the necessary encryption or having all the necessary privilege access monitoring, and even going as far as to create an enclave, so a hardened center within your organization with your crown jewels, and increasing the focus and the scrutiny on those assets and then being able to monitor that effectively in a continuous response model.

Justin Harvey: [00:16:31:16] Data-centric security is not that different from the approaches that many organizations are taking today, it's just really focusing on what is important to your organization and being able to secure from the inside out.

Dave Bittner: [00:16:45:14] So, having concentric circles of walls and moats and protections all the way around, with the most valuable stuff in the middle?

Justin Harvey: [00:16:53:17] Yes, but I wouldn't say that more walls is the answer per se, but let me give you an example. Let's say data-centric security really comes into focus when we consider some of the latest vulnerabilities that organizations have been hit with. Let's consider the Struts vulnerability with Apache. Apache was hit, and an adversary perhaps is scanning your perimeter, finds an Apache server that's vulnerable, exploits that and then moves through the system in order to achieve their objective by grabbing the data and leaving.

Justin Harvey: [00:17:11:11] What is different in a data-centric security approach is a few things. Number one is being able to know where your high value assets are, just like I said before, so in this case you would already know that you have some sensitive data on your perimeter. The next would be being able to have a threat intelligence team that's examining the wire or the press or Twitter, up to date, so that when this vulnerability is exposed or hits the wire, within the first 30 minutes, an hour or two, your team knows, "Hey, this is now a vulnerability." And because you have a good vulnerability and patch management system that's reactive, now you know exactly, "Well, there's 13 Apache websites in the perimeter," and, by the way, we also have privileged access monitoring, and we have a security operations team that is essentially orchestrating the mitigation of this risk, either through installing new web app firewall rules, or maybe even taking the Apache system down. So, by being able to take more of a data-centric approach, that leads to a better response capability.

Dave Bittner: [00:18:37:12] Good advice as always. Justin Harvey, thanks for joining us.

Justin Harvey: [00:18:40:05] Thank you.

Dave Bittner: [00:18:43:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:19:05:07] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.