The CyberWire Daily Podcast 3.27.18
Ep 564 | 3.27.18

Phishing from the library. Facebook and Cambridge Analytica updates. Bots as propaganda readers. SamSam still plagues Atlanta. Aadhaar leaky? Many nations expel Russian diplomats.


Dave Bittner: [00:00:00:20] Thanks again to all of our supporters on Patreon. You can help us out by visiting CyberWire and checking out all of the offers we have there. We do appreciate it, thanks.

Dave Bittner: [00:00:15:02] The Mabna Institute was pretty good at phishing. Facebook's Mark Zuckerberg sends regrets to Westminster. Facebook is under FTC investigation. Cambridge Analytica is in hot water with the FEC. Kaspersky says outing Slingshot was just part of the job. The City of Atlanta is finding it surprisingly hard to recover from SamSam ransomware. Aadhaar may be leaky, again. Bots as Lord Haw-Haws. More than twenty countries expel Russian diplomats and a Russian cyber reprisal is expected.

Dave Bittner: [00:00:50:22] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you, by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to, to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:01:09] Major funding for the CyberWire podcast is provided by Cylance from the CyberWire studios at DataTribe. I'm Dave Bittner, with your CyberWire summary for Tuesday, March 27th, 2018.

Dave Bittner: [00:02:13:03] Those Iranians the US indicted last week for a variety of cybercrimes were apparently pretty good at phishing. They got their university victims to swallow phishbait constructed to resemble an anodyne but worrisome message from their university library. Your account has expired, the message said, and you need to reactivate it. The message changed little over the four years of the campaign. Why tinker with success? It was working nicely, thank you very much.

Dave Bittner: [00:02:41:15] Troubles for Facebook and Cambridge Analytica continue amid a growing awareness of the activities of data brokers, firms that collect, aggregate, and sell data about those of us who use the Internet. Facebook CEO Zuckerberg has declined a request that he appear before the UK's Parliament to explain what his company has been about. Instead he will send what sections of the British press describe as "underlings" to do the explaining. Yesterday the Federal Trade Commission confirmed what had been widely reported last week: it's investigating Facebook for possible misuse of users' data. The advocacy group Common Cause has filed a complaint with the Federal Election Commission alleging that Cambridge Analytica, its corporate parent SCL Group Limited, and several named individuals (including whistleblower Christopher Wylie) violated Federal election laws that prohibit foreigners from participating in US political campaigns.

Dave Bittner: [00:03:39:09] Kaspersky defends its decision to blow the anti-ISIS Slingshot cyber campaign. It's their job to "take the fish from the water." They don't care what language said fish speaks; they "have to catch it." Critics say the report on Slingshot not only compromised a useful US Joint Special Operations Command collection effort against ISIS terrorist cells, but it may also have put lives at risk.

Dave Bittner: [00:03:54:00] Atlanta's SamSam ransomware infestation seems unusually resistant to remediation. Estimates now suggest it will take the city months to recover, but Atlanta's city mothers and fathers are being tight-lipped about the details. The criminals have taken down their "contact portal," as they've received increased scrutiny (and gotten tired, evidently, of answering questions).

Dave Bittner: [00:04:29:16] Assurances by responsible authorities to the contrary, India's Aadhaar national identification database may have been compromised again. ZDNet reports that security researchers are telling the news service that the database is leaking personal information. The ruling Janata party calls such reports "fake news," but ZDNet and others say no, there's really still a problem here.

Dave Bittner: [00:04:54:19] British Defence Secretary Gavin Williamson calls Russian bots "the Lord Haw-Haws" of the Twenty-first Century. He's alluding to William Joyce, the British traitor who broadcast for Nazi Germany during the Second World War. Joyce was captured soon after V-E Day and hanged for treason in 1946. If Secretary Williamson is right, then okay, Lord Haw-Haw had about the same level of influence in Britain that Tokyo Rose had in the US. But in other respects the comparison may be wayward. Lord Haw-Haw always began his broadcasts by saying:

Lord Haw Haw (Archive): [00:05:30:05] "Germany calling, Germany calling, Germany calling."

Dave Bittner: [00:05:34:23] The Russian trolls are less overt. But Williamson's shot may have hit home anyway. Russia Today is outraged by the comparison.

Dave Bittner: [00:05:46:08] Security firm CyberEdge Group recently published the fifth edition of their annual Cyber Threat Defense Report, setting out to take a vendor-agnostic look at cyber security challenges. Steve Piper is CEO and co-founder of CyberEdge Group and he joins us with the highlights.

Steve Piper: [00:06:01:22] This was a web based survey conducted in November 2017. A 27-question survey, to be specific. And we surveyed 1200 security professionals and each security professional worked for an organization with a minimum of 500 employees. We have respondents from smaller organizations like that, up to multinational Fortune 100 enterprises and everything in-between. These respondents came from 17 countries and 19 industries, so it's very much a geographically dispersed survey.

Dave Bittner: [00:06:36:15] Take us through some of the key findings of the report.

Steve Piper: [00:06:39:14] Let me give you the top three takeaways from this year and again, this is our fifth annual report. I'm gonna start out with some good news, I'm an optimistic guy, glass is half full type of guy. So the good news that I wanna share is for the first time in our report history, we saw a decline in successful cyber attacks. So we asked, you know, the respondents, was your organization successfully attacked by a cyber threat last year? And last year, 79.2% said yes; this year that dropped two points to 77.2%. The last four years, it's risen every year, so I know a 2% drop, I'm not dancing in the streets, but a drop is better than an increase. So I'm gonna take what I can get.

Steve Piper: [00:07:27:24] Ransomware obviously, is still very much in the news and what we've learned is only half of those ransomware victims, that actually paid the ransom, only half of them got their data back, got it unencrypted. So that's kind of a discouraging statistic. Overall, 55% of organizations that participate in our survey were victimized by ransomware last year. So it's kind of like flipping a coin twice. Flip the coin once to see if you're likely to be victimized by ransomware and then if you decide to pay the ransom, pony up the bucks for some Bitcoin, well, then flip the coin again to see if you're likely to get your data back.

Steve Piper: [00:08:09:13] And then the third takeaway from this year's study is the growing concern about the shortage of skilled IT security personnel. This has been a problem for years. Each year, we ask a question, this is my favorite question from the survey, on a scale of one to five, with five being highest, rate how each of the following inhibits your organization from adequately defending itself. So in other words, what's standing in the way of cyber security professionals succeeding in defending their networks from attacks? Well, the number one response for the past few years has been low security awareness among employees, lack of investment in the human firewall, as I put it. But this year, for the first time, we have a new inhibitor, lack of skilled personnel. And so this is on a lot of organizations' minds. When we asked this question five years ago, lack of skilled personnel was in fifth place, then the next year in fourth place, then third, then second and this year, in first. So it's a growing problem affecting all organizations.

Dave Bittner: [00:09:14:18] That's Steve Piper from CyberEdge, you can find their 2018 Cyber Threat Defense Report on their website.

Dave Bittner: [00:09:22:21] The British anti-doping organization sustained a cyberattack over the weekend, and suspicion turns to Fancy Bear (that is, if you're just joining us, of course, Russia's GRU). UK Anti-Doping confirmed yesterday that it had stopped an attack by "unknown hackers" over the weekend. The attackers were evidently after test and personal information about athletes. While Fancy Bear is the animal-of-interest in this matter, this seems more likely to be just Fancy's normal business, another manifestation of Russia's long-standing grudge against clean athletes, than blowback for Her Majesty's Government's ongoing work to rally the civilized world against the Salisbury incident. Such blowback is widely expected. 22 countries have now taken action against Russia in solidarity with the UK over the nerve agent attack in Salisbury. 182 Russian nationals are affected, most of them diplomats declared persona non grata. (Lithuania is the outlier here. In addition to expelling diplomats, they told 21 other Russian nationals to get out and banned a further 23 from entering the country.) The 60 the US has told to leave include 48 from the Russian embassy in Washington and 18 from Russia's UN delegation in New York. The US says they're all engaged in espionage.

Dave Bittner: [00:10:44:21] Washington has also ordered the Russian consulate in Seattle closed. Officials describe that closure as based on Seattle's proximity to the major US Navy submarine base on the Kitsap Peninsula, and the big Boeing facilities around Puget Sound. This is the second consulate the US has ordered shuttered in less than a year. In August the administration told Russia to close its San Francisco consulate; that move was in response to Russia's order that the US cut its own diplomatic staff in Russia. As is being widely noted, Russian retaliation in the form of a cyberattack is generally expected. Attacks on electrical power grids are particular matters of concern, but for now Russia's response is likely to be a tit-for-tat expulsion of diplomats. Moscow is crowd-sourcing its response, asking people to recommend which consulates and missions it should shut down.

Dave Bittner: [00:11:42:13] And now a word from our sponsor, LookingGlass Cyber Solutions. An open letter from the malicious botnet on your network.

Male Voiceover: [00:11:52:16] So, here we are, it's just you and me at this Godforsaken hour, you're looking right at me too, I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week, I'll be on Cabo by then, working on my tan. I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kickbutt technology that thins off cyber threats like me, data breaches, ransomware and stolen credentials, in real time. Be a hero, with the LookingGlass scout shield threat intelligence gateway. See the video at

Dave Bittner: [00:12:59:20] And joining me once again is Justin Harvey, he's the global incident response leader at Accenture. Justin, welcome back. Obviously, hot in the news these days is cryptocurrency mining, and you want to make the point that this is a big deal and it's something we need to take seriously.

Justin Harvey: [00:13:16:00] Yes, from a cyber defense perspective, this is a new type of threat, well, I guess it's not a new type of threat, there are still cryptocurrency mining malware variants that we're seeing out there. They're not doing anything new, what we're seeing is, the usage of, or the end goal of this cryptocurrency mining malware is what's startling and that is with the proliferation of cryptocurrency, it seems like it's a gold rush. There are multiple types of cryptocurrencies out there, there's Bitcoin, there's Ethereum, there is Monero and everyone wants to cash in on this. What you're finding though, is that for the average home user or the hobbyist, or the person who feels like, oh, I'm going to devote my computing power to this, my two or three machines, is that it is not enough. Because the cryptographic algorithms are getting harder and harder to crunch, so you need more and more CPU and more power.

Justin Harvey: [00:14:16:17] The more enterprising people are thinking, okay, well, I could get that CPU power, in order to essentially print my cryptocurrency. I could go to the Cloud, I go to rent servers, but what's happening is, that still requires electricity and hardware costs, so it's really being transitioned to cyber criminals, who are thinking, well, let's see, we have malware, we have the means to distribute it and we have, the total addressable market is every machine out there. So let's write malware, get it onto people's machines and start to, without their knowledge, let's start mining this cryptocurrency. And that way, they're able to get the scale and to get the money they need, without actually paying for any of the CPU or for the electricity.

Dave Bittner: [00:15:07:08] And you know, I think you and I have talked about this before, you know, from an IOT point of view, when we were talking about DDoS, with things like video cameras, using excess computing power and something like a connected video camera. I suppose some people could say, if my video camera's still doing its video camera job, why should I care if it's using its extra processor cycles to mine Bitcoin for someone, it's still doing what I need it to do.

Justin Harvey: [00:15:31:20] Great point. And in fact, we were just part of a large scale investigation, where there was a cryptocurrency mining malware that was also self propagating, meaning it would infect its neighbors, and on top of that, it was fileless and PowerShell based. So it was very difficult to detect and to stop. Everyone should be concerned for two reasons. Number one is, it's taking CPU and power away from the device and therefore, away from you. So if in your example, your camera is still doing its work, it's still driving up the CPU and the fan and costing you more money. And there's also a possibility that due to the CPU limitations of that IOT device or your laptop, or your notebook, or your server, for instance, it could actually be denying you services or denying you service by not allowing you to complete things on time, or even completing them at all, because your CPU's 100% busy.

Justin Harvey: [00:16:34:08] The second reason that people should pay notice to this is that you have to wonder how it actually got on there. And what cyber criminals are doing here, is that they are essentially sourcing their total addressable market, by looking at Shodan. Shodan gives them a list of millions of IP addresses and services that are available out there, they're writing their own code, to go scan all those IP addresses, that looks for vulnerabilities. And then they're implanting, instead of malware to spy on you, or malware to steal data, they're essentially putting in their cryptocurrency mining. So, as I always say, where there's smoke, there's fire, which means, if your organization is cryptocurrency mining, you might not think it's a big deal, but it is a big deal, because they're stealing from you, your CPU and your power, and there's a way it got in there. So, maybe if cryptocurrency mining cyber criminals can find that hole, maybe other adversaries can find that hole, or they've found it already.

Dave Bittner: [00:17:34:07] Justin Harvey, thanks for joining us.

Justin Harvey: [00:17:35:23] Thank you.

Dave Bittner: [00:17:40:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:18:02:18] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe and I'm Dave Bittner, thanks for listening.