The CyberWire Daily Podcast 5.7.18
Ep 593 | 5.7.18

Winnti Umbrella covers multiple threat actors. DPRK off-shores cyber ops. ZooPark is in its fourth generation. GPON router bugs exploited in the wild. Russian Twitterbots. Block the EU?


Dave Bittner: [00:00:00:21] A quick reminder that there are several ways you can help support the CyberWire podcast. You can visit our Patreon page at and find out how you can make a monthly contribution to our show. You can also visit iTunes and leave a review and a rating for the CyberWire podcast - that's one of the best ways you can help new people find out show. Thanks so much.

Dave Bittner: [00:00:21:14] Chinese intelligence services are seen beneath the Winnti Umbrella. North Korea's off-shoring cyber operations. ZooPark Android spyware is now in its fourth generation, and still active in the Middle East and North Africa. Vulnerabilities in Dasan GPON routers are exploited in the wild. Russian Twitterbots are suspected of tweeting death threats in the UK. And how do you solve a problem like GDPR?

Dave Bittner: [00:00:55:21] And now a word from our sponsor LookingGlass Cyber Solutions, an open letter from the malicious botnet on your network.

Male Voice: [00:01:04:03] So here we are, it's just you and me at this Godforsaken hour, you're looking right at me too, I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week, I'll be in Cabo by then working on my tan. I love getting to know your company, by the way, your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kick-butt technology that finds off cyber threats like me, data breaches, ransomware and stolen credentials in real time. Be a hero with the LookingGlass Scout Shield Threat Intelligence Gateway. See the video at

Dave Bittner: [00:02:14:08] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 7th, 2018.

Dave Bittner: [00:02:25:22] ProtectWise's threat research shop, 401TRG, has identified a common actor behind a number of disparate threat groups that have been active since at least 2009, and perhaps as early as 2007. ProtectWise concludes the group, "Winnti Umbrella," is, run by "the Chinese state intelligence apparatus." The groups that fall under the Umbrella include EAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti.

Dave Bittner: [00:02:58:09] Security firms have tracked these groups for years; ProtectWise argues that they're a single operation. Researchers base attribution on common infrastructure, overlapping tactics, techniques and procedures, and above all operational security lapses that reveal attackers' locations. The operation's initial targets are gaming studios and tech companies, where they seek to steal code-signing certificates. There's some collateral criminal bycatch but the ultimate target appears to be political intelligence. Tibetan, Uyghur, and other domestic dissidents or groups of suspect loyalty have long been prime collection targets of Beijing's surveillance apparatus.

Dave Bittner: [00:03:38:23] Recorded Future's report last week that North Korean elites are changing their online behavior also notes that North Korean espionage services stage much of their cyber operations through other countries. Readily accessible gaming services, BitTorrent, and video streaming make a country attractive. So does hosting North Korean diplomatic and cultural missions. There's a chain of North Korean state-owned restaurants abroad, for example, that appears to afford operators with good staging opportunities.

Dave Bittner: [00:04:11:18] These would appear to account for the strange and surprising list of countries that seem to have become presumably unwitting launch points for Pyongyang's cyber attacks: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, Indonesia, and China. The typical goal of the attacks is theft, or fraud, with overseas operators returning their take as a kind of government-directed remittance. Defectors say they might, individually, earn around $100,000 a year, with $80,000 of it returned to the Kim regime's accounts.

Dave Bittner: [00:04:44:10] Kaspersky warns of ZooPark (now in its fourth generation), an Android malware campaign active mostly in the Middle East and North Africa since 2015. One of its vectors is Telegram, the secure chat app. Telegram has for some time been in disfavor with the more repressive regimes in Eurasia -Russia and Iran prominently among them - and this will no doubt lend some urgency and a color of law enforcement legitimacy to their efforts to block the chat app. Consistent with their usual practice, Kaspersky doesn't speculate about attribution, but their report does note that surveillance tools are popular among regional governments.

Dave Bittner: [00:05:24:17] Vulnerabilities in Dasan Gigabit Passive Optical Network, or GPON, routers, disclosed last week, are now under active exploitation by botnet herders. Researchers at Netlab, a division of cybersecurity vendor Qihoo 360, think over a million routers are vulnerable. Mexico, Kazakhstan, and Vietnam appear most affected. ISPs in those countries are thought to have built much of their infrastructure on top of South Korean manufacturer Dasan's devices.

Dave Bittner: [00:05:55:20] Amid continuing concerns that the US and China are increasingly engaged in a security-themed trade conflict, ZTE is appealing the US sanctions levied against it to the US Commerce Department.

Dave Bittner: [00:06:10:13] Russian Twitterbots are again in the news, this time in the UK, where police are investigating what appears to be a wave of Russian-bot-driven tweets of death threats and other unpleasantness. In this case the occasion appears to be the internal Labour Party dissatisfaction with party leader Jeremy Corbyn. Corbyn has in recent weeks faced criticism of perceived softness with respect to Russian activities, like the Salisbury nerve agent attack, and of alleged blindness with respect to antisemitism on the part of some of his associates. He's also been criticized for Labour's disappointing performance in recent local elections where Labour was widely expected to romp. In any case, the troll farms seem to have been up and at 'em, although in this case, as elsewhere, it's worth remembering that information operations are difficult to assess.

Dave Bittner: [00:07:01:11] Finally, concerned about GDPR? Well, who isn't nowadays, with full implementation less than three weeks away? Taking a good luck at your data? Purging all that unnecessary stuff? Making good and sure that Google and Facebook haven't quietly offloaded their liability onto you behind a dense smoke screen of terms of service and end user license agreements? Lawyering up? Done all you can do to avoid being hit by one of those €20 million fines - that's $24 million in Yankee greenbacks, chum - or a fine of 4% of your company's annual, worldwide revenue, if that happens to be greater than £20 million? Are you good-to-go with the 72-hour deadline for revealing breaches? Hired yourself that Data Protection Officer you've been meaning to get around to?

Dave Bittner: [00:07:48:22] Or is this maybe all too much for you? Thinking of going off the grid entirely? Probably not, but a number of companies are saying so long, farewell, auf wiedersehen, goodbye to European business. Steel Root, the Boston-based cybersecurity company, early Saturday tweeted out, "We were blocking before GDPR. We have no customers outside of the US. Minimizes scans and junk traffic to our site. Minimizing EU collection is a nice benefit for us, obviously not a self-contained GDPR strategy."

Dave Bittner: [00:08:22:09] But maybe you're not ready or able to do the same. If you're not, here's an alternative we read about in Bleeping Computer. There's this product, GDPR Shield, whose makers say it will keep you out of trouble by blocking all traffic from the EU. GDPR Shield is JavaScript you can embed in your website to keep any EU visitors out. No data, no problem, or so the proprietors say.

Dave Bittner: [00:08:48:01] But hold on, Nord Americanos. Maybe it won't shield you as much as you thought. GDPR covers data about European citizens wherever they might be. It wouldn't appear to lend itself to geofencing. Consider this hypothetical. A dodgy, pre-Brexit English expatriate, let's say from Birmingham or Durham, mooching around Los Angeles and dividing his time between let us say UCLA and various divey San Fernando Valley snooker parlors, is seized with a powerful hunger and orders one sandwich, animal style, from a nearby In-and-Out Burger. To save time, he does so online. I mean, he's maybe still GDPRed up, even if he's on his phone from the corner of Pico and Alvarado, right? Weird, huh?

Dave Bittner: [00:09:38:04] Anyhoo, eighteen more days until GDPR. We're looking out for you.

Dave Bittner: [00:09:48:11] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore; they're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach, with ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at That's, and we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:57:22] And joining me once again is David Dufour. He is the Senior Director of Engineering and Cyber Security at Webroot. David, welcome back. We wanted to touch today on anti-malware testing. What can you share with us about that?

David Dufour: [00:11:09:18] Well, you know, I think everyone is aware, you see publications always rating anti-malware software, how well it does in tests and things of that nature, and I think it's probably a good time to just highlight how that testing works, how it's maybe not changed over the last ten years or so, and talk about the bigger things you need to be looking for in anti-malware solutions.

Dave Bittner: [00:11:33:20] Yes. Well, take us through, what can you share?

David Dufour: [00:11:36:05] Well, so back in the day a lot of times the testing, the way it worked was you would go out, you would find malware if you were a tester, you would draw up that malware on machines that were not connected to the internet but they would have the latest updates about anti-malware files, and you would see how well it detected that malware on the machine. So, basically, install some malware on a machine, run the anti-malware, make sure it's up to date and then see how well it detects, and that's kind of how you rated it. Frankly, we haven't moved too terrible far beyond that in this day and age. You know, some folks in testing labs do try to spend time using some polymorphic malware, trying to see if they can elicit some behaviors which is good; it's a better way of testing than just strictly looking at signatures. The problem is a lot of next generation malware solutions, anti-malware solutions, they're doing much more than just trying to detect a malware file.

Dave Bittner: [00:12:36:23] Yes. You know, I saw actually recently on Twitter someone was making the point that we all sort of talk about, we refer to it as "traditional anti-virus" and this person was making the point that that's sort of a straw man at this point, that traditional anti-virus is not really a thing so much anymore.

David Dufour: [00:12:53:10] That is absolutely true. And so my point in all of this is testing anti-virus in the traditional way probably isn't giving us the best understanding of the efficacy that we're seeing. For example, there are solutions now that do the meat and potato scan for files, look for behaviors, things of that nature. But before that they're warning you about malicious websites, or they're scanning sites you may browse to or email, to detect if you're trying to be phished. So they do some things up front and, in addition, after a piece of malware lands on a machine not only is it trying to detect it but, let's say it misses that malware, it might actually be looking for exploits that run in a machine to try and determine, "Hey is this piece of software exploiting my machine?" So there's a lot going on before and after that traditional antivirus that we always think of.

Dave Bittner: [00:13:53:18] And what is your advice for folks who are shopping around? Is this a case where necessarily more is better? Should I load up on different products to make sure that I have a belt and a pair of suspenders?

David Dufour: [00:14:05:06] That's a good question. You know, a belt and a pair of suspenders as long as it's not slowing your computer down too much doesn't hurt but, I guess, what I would highly recommend is don't just look at test results that say how fast something found a piece of malware or did it detect all the files that were loading. What you want to do is look at something that has more of a holistic approach, that prevents things from getting on your machine, or looks at things other than just malware by looking for those exploits and things like that. So, I guess, it's a great place to start, making that determination, "Is this file good, is it bad?" and look at those reviews. But you want to take it a step further to ensure the solution you get is preventing things from actually getting on your machine. That's really the advice I can give.

Dave Bittner: [00:14:59:06] All right, David Dufour, thank you for joining us.

David Dufour: [00:15:01:21] Thank you for having me, David.

Dave Bittner: [00:15:07:17] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you using artificial intelligence visit And we're not just fans of Cylance we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:15:26:09] And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:16:03:14] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:16:13:11] Our show is produced by Pratt Street Media, with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.