The CyberWire Daily Podcast 2.28.18
Ep 545 | 2.28.18

Memcrash and amplification attacks. SAML vulnerabilities. Thanatos ransomware. Petya returns (so does Marcher). Deterrence and election security.


Dave Bittner: [00:00:00:21] Hey, quick request, when you're done listening to today's show, please head on over to iTunes and leave us a review, it is one of the best ways you can help people find our show, thanks.

Dave Bittner: [00:00:13:01] Memcrash threatens big DDoS events. There are problems with single-sign-on solutions. Thanatos ransomware looks like its masters botched it, but that's not necessarily good news. The Marcher banking Trojan is back and bigger than ever. A new variant of Petya ransomware may be in circulation. What's the point of a false flag if no one's fooled? And the US Senate asks, "How do you solve a problem like Vladimir?"

Dave Bittner: [00:00:43:00] Time for a few words from our sponsor, Cylance. You've probably heard of next generation anti-malware protection and we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer because Cylance has published a guide for the perplexed, they call it, Next Generation Anti-Malware Testing for Dummies, but it's the same principle, clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques and the advantages of artificial intelligence and why you should test for yourself, how to do the testing and what to do with whatever you find. That's right up my alley, and it should be right up yours too. So check it out at Take a look at Next Generation Anti-malware Testing for Dummies. That's Cylance and we thank them for sponsoring our show.

Dave Bittner: [00:01:43:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, February 28th, 2018.

Dave Bittner: [00:01:53:12] A few new exploitable vulnerabilities are being reported, some of them being used in the wild.

Dave Bittner: [00:01:58:22] Cloudflare and Arbor Networks warned yesterday that the Memcached open source memory caching protocol can be abused to amplify distributed denial-of-service attacks. The vulnerability, which Cloudflare calls "Memcrashed," probably inevitably, affects Memcached servers where UDP, that is, the User Datagram Protocol, is enabled. US-CERT is taking the threat seriously. It's updated the UDP-based Amplification Attacks advisory to include Memcached as a potential attack vector.

Dave Bittner: [00:02:30:06] US-CERT explains how UDP amplification works as follows: "By design, UDP is a connectionless protocol that does not validate source Internet Protocol addresses. Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram, a basic transfer unit associated with a packet-switched network, to include an arbitrary source IP address. When many UDP packets have their source IP address forged to the victim IP address, the destination server, or amplifier, responds to the victim, instead of the attacker, creating a reflected denial-of-service (DoS) attack."

Dave Bittner: [00:03:12:18] According to US-CERT, a useful way of measuring the effect of an amplification attack is by BAF, or Bandwidth Amplification Factor. US-CERT offers a helpful comparison of different attack vectors by BAF. Other than a memcached attack, a Network Time Protocol, that is, NTP, attack is the most severe in its effect, returning 556 payload bytes to answer a request for every byte in that request. Other kinds of attacks have a BAF of between 2 and 358. But a memcached attack puts them all far, far to shame, clocking in with a BAF of between 10,000 and 58,000.

Dave Bittner: [00:03:52:08] Arbor Networks thinks the exploit will soon be available in commodity booter services. That is, Arbor says, the typical pattern. New exploits are hand-managed by skilled threat actors, then relatively swiftly turned into commodities that spread through the criminal-to-criminal black markets.

Dave Bittner: [00:04:09:22] Cloudflare urges everyone to disable UDP if they can possibly do so. Note that memcached, by design, has no access controls, and so shouldn't be exposed to the Internet. The SANS Institute's Internet Storm Center also suggests blocking traffic from port 11211.

Dave Bittner: [00:04:29:13] We'll have more from the Internet Storm Center's Johannes Ullrich on tomorrow's episode of the CyberWire, covering memcached.

Dave Bittner: [00:04:36:13] Duo Security has found a new class of vulnerability affecting single-sign-on systems that use the SAML, that's the Security Assertion Markup Language. Exploitation could enable users with authenticated access to induce the system to authenticate as different users without needing to know the victims' passwords. This would afford attackers a ready way of pivoting from one compromised user to other accounts on a network. Remediation is possible but complicated because there are so many different single-sign-on solutions in use, not all of which are equally vulnerable. Duo observes that what you should do about the SAML vulnerability, and you should certainly do something, would depend upon your relationship with your vendor and then sensibly recommends contacting said vendors for the right patch or mitigation. There are patches out there: disclosure was coordinated with vendors.

Dave Bittner: [00:05:31:03] There's a newish strain of ransomware in circulation, too. According to MalwareHunterTeam, Thanatos ransomware makes it effectively impossible to recover files. Thanatos' masters generate a unique encryption key for each file, but save none of them, which means victims pay ransom in vain. Researchers regard this as a botched process rather than an intentionally added layer of nastiness. Some believe there may be effective, if time-consuming, ways of brute-forcing decryption.

Dave Bittner: [00:06:01:11] Some of the current threats are resurgent varieties of familiar ones. Researchers at security firm Lookout warn that Marcher, also known as BancaMarStealer, a banking Trojan discovered almost five years ago, is back and bigger than ever. This month Lookout has observed 7,700 samples in the wild, almost four times the number seen back in Marcher's 2016 heyday.

Dave Bittner: [00:06:26:24] And of course, you'll remember Petya, the ransomware that spawned notorious pseudoransomware imitators like NotPetya. A new variant of Petya, called Petwrap, is rumored to be circulating in Europe and India. F-Secure told Safe Gmail that it spreads through the EternalBlue exploit published by the Shadow Brokers.

Dave Bittner: [00:06:46:23] Given that you're a listener of this podcast, I'm going to go out on a limb here and guess that there's a good chance you spend a good bit of time doing tech support for your friends and family, helping to make sure they're as safe as possible online. Doctor Eric Cole is founder and CEO of Secure Anchor Consulting and the author of several books on cybersecurity. His latest work is titled Online Danger.

Dr Eric Cole: [00:07:09:10] I've been working in security for 30 years and have written a lot of technical books, and what I find is, when companies are getting breached and having problems, it's not because the technical people don't know what to do. They usually are doing a great job, have big budgets; it's everyone else in the company who is making mistakes. You have executives, you have managers, even when you look at large data breaches, you often have doctors, lawyers, parents and teachers who have no clue what to do when it comes to cyber security. I started looking for a book that I could recommend, and recognized that not one single book existed that was easy to read for that audience. So I took it as a mission to write a book to help make cyberspace safe for families, for parents, for teachers and doctors, to help raise their awareness and, most importantly, help them recognize that they are a target and there are actual things they can do to be protected online.

Dave Bittner: [00:08:10:23] I have to say your book, Online Danger, is a book that those of us in the business could buy and give to our friends and family, and it's a nice overview of the things that they could do to make themselves safer. From your perspective, for those of us who are in the business, what are some of the things that we should be doing to better protect our families?

Dr Eric Cole: [00:08:35:06] Most important is to have the conversation, make them aware that they are a target, because it amazes me how many people I talk to and they go, "Eric, I'm not important enough. I don't have enough money. No-one's going to target me. No-one's going to come after me," and they don't understand that this adversary, it's all about the numbers. They don't care who you are, they need to steal 10,000 identities a month, and if you have weak security, you're one of 10,000. The second most important thing is to help them understand that most of our devices, our applications, the systems we use, have security built in - that's the good news. The bad news is, it's often turned off by default. So you have to take action to turn on the security, properly lock down, properly protect, and then finally the third thing is, get rid of anything you're not using.

Dr Eric Cole: [00:09:33:05] With my kids, I look at their phones, and they have 100 to 150 apps that they just download randomly. Kids collect these things like they're the coolest thing out there, but when you go in and look under your privacy settings, my children had no idea that many of these apps were tracking their location, had access to their camera, had access to their microphone. So I helped them raise their awareness and then get rid of all those unnecessary apps that could create exposure points.

Dave Bittner: [00:10:02:05] That's author, Eric Cole, his most recent book is Online Danger.

Dave Bittner: [00:10:07:24] The US Intelligence Community is telling Congress that deterrence has failed with respect to Russian operations in cyberspace. There's just no disputing that old Vlad Putin has been one busy bear. So how do you deter the Bears? Classically, you come up with a counter-value strategy: you hold something the opposition values at risk. Finding that value is challenging. Perhaps that value is wealth, perhaps prestige. It's doubtful it's human life or suffering, as the recent experiences of Russia's green men, deniable mercenaries, on the receiving end of American air strikes and artillery in Syria would seem to indicate.

Dave Bittner: [00:10:45:19] The US Senate has been asking Admiral Rogers what NSA and Cyber Command are doing about Russian election interference. Admiral Rogers's answer, in brief, is that his organizations lack the authorities to do much, that he can openly discuss, that is. And countering disinformation would be something new for NSA. This seems unsurprising: the Department of Homeland Security would have general responsibility for election security, with the Department of Justice responsible for the sort of naming-and-shaming that so far has figured prominently in US deterrent efforts.

Dave Bittner: [00:11:19:10] Looking back at the Olympics, it's striking how quickly suspicion of responsibility for the hacks during the opening ceremonies turned to Russia. Right, sure, security experts tended to say, there are some North Korean IP addresses, some code reuse, some Korean language clues, but come on: straight up, it's the Russians, and we're summarizing here. So, one might ask, why bother with a false flag operation when the imposture is so easily seen through? A piece this week in WIRED suggests that one reason for attacking under a false flag is to induce doubt about future attributions, which is probably part of the point in Moscow's Olympic hacking maskirovka.

Dave Bittner: [00:12:04:12] Now a moment to tell you about our sponsor ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore, they're too difficult to deploy, too time consuming to maintain, and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult, even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at We thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:10:18] Joining me once again is Dale Drew, he's the Chief Security Strategist at CenturyLink. Dale, good to have you back. I know you have been a real proponent of collaboration throughout the industry and you've got some stuff you want to share about that today.

Dale Drew: [00:13:25:06] I'm in the business of cybersecurity, which means I'm in the business of giving bad news. I think this is a great, good story with regards to the industry and the impact that we're having together in a very collaborative way. I'd say the second half of 2018, after the bot wave of Mirai and the impact that it had on the cybersecurity industry, and the implications it could have as that challenge evolved in the future. You know, a botnet that was over 1.2 million nodes large, that was being rented out to a wide variety of people to launch revenue-based extortion attacks on the industry, was a really big wake-up call for the security research community to start collaborating. And let me be very clear, the research community collaborates very well within their own layers, so the malware people talk to the malware people, the network people talk to the network people.

Dale Drew: [00:14:31:13] But we really discovered with attacks like this that we have to be cross-ecosystem in order to effectively stop these attacks. In the second half of 2017, you know, I can point to a couple of examples where we really got together as a community and stopped attacks within, one within hours, most within days, but no longer the weeks or even months of collaboration thresholds that we were dealing with before. There was a recent report from Kenna Labs that said that there were 18 million new malware samples captured in 2016. So the amount of development that's happening from the bad guy perspective is not stopping, and it's dramatically increasing because they are discovering a way to commoditize revenue from these attacks. And so the time has never been more important for the industry to collaborate, and I'm really glad to see that a number of us are getting together. It does take a village to protect the Internet, and that village is coming together.

Dave Bittner: [00:15:39:21] I think there's no shortage of forums out there, where people can share information like this, so what sets this apart from those sorts of things?

Dale Drew: [00:15:49:16] You are right, there are a number of forums available today that address different layers, and even some cross-layer, that are intended to share information within the industry. I think the issue is that the entrance criteria for a lot of those forums are set very, very high. They are intended to identify serious players, and so they have serious entrance criteria in the form of a pay-for-play sort of criteria. There's a fair amount of fee-based entrance to get access to those cross-industry sharing collaboration forums.

Dale Drew: [00:16:25:10] And we're really encouraging the community to get together and government itself, than the community get together and share information for the purposes of stopping threats before they become industry threats. I'm a huge fan of any information sharing on any forum, so I'm not saying that any of those other forums should stop or should be represented as a bad example, but we definitely want to encourage more cooperation and collaboration and action from the community to stop threats before they emerge as actual threats.

Dave Bittner: [00:17:04:00] I see. Dale Drew, thanks for joining us.

Dale Drew: [00:17:07:05] Thank you for having me.

Dave Bittner: [00:17:10:24] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit, to learn more.

Dave Bittner: [00:17:31:23] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:17:42:00] Our show is produced by Pratt Street Media, with editor, John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe; and I'm Dave Bittner. Thanks for listening.