The CyberWire Daily Podcast 5.18.18
Ep 602 | 5.18.18

Something Wicked this way comes. Automating wallet pilferage. Office 365 phsihing scams. DPRK hackers remain active. Recognizing alt-coin investment frauds.


Dave Bittner: [00:00:03:16] A new Mirai variant is out and about. They call it "Wicked". MEWkit automates coin theft. LocationSmart was buggy and leaky. The US Senate has confirmed Gina Haspel as Director of Central Intelligence. Relaxed tensions along the 38th Parallel aside, North Korea remains active against South Korea in cyberspace. There's a lot of fraud in cryptocurrency investing, and the SEC would like to help you recognize it. Plus, my conversation with futurist, and author, Heather Vescent.

Dave Bittner: [00:00:40:09] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eye-balling the Internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:23] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 18th, 2018.

Dave Bittner: [00:02:03:15] Researchers at security company Fortinet have found a new variant of the Mirai Internet-of-things botnet in the wild. They call it "Wicked" and say that it uses three modules, "Scanner," "Attack" and "Killer." Unlike the original Mirai, which brute-forced its way into vulnerable connected devices, Wicked makes use of known exploits to establish access. It scans ports to establish a connection with its targets and uses an exploit appropriate to that connection. Wicked seems to be the work of the same coder who produced the Sora, Owari, and Omni botnets.

Dave Bittner: [00:02:42:13] Security firm RiskIQ has a report out on MEWkit and the Russian mob behind it. MEWkit is an Ethereum phishing tool that makes novel use of automation in its attacks. MEWkit is interesting in the way it uses automation in the service of theft. It begins with a phishing email that's designed to induce the victims to go to a phony MyEtherWallet. The landing page harvests credentials in the old familiar way. Where MEWkit represents an advance comes next. It has a module that automatically uses the credentials to drain the victims' real Ether wallets into the hoods' accounts. As RiskIQ explains, MEWkit combines traditional phishing with an automated transfer service to take advantage of what RiskIQ calls the relatively loose security of MyEtherWallet. The specific gang behind MEWkit is still unknown, but the IP addresses in use and certain linguistic quirks in the scam suggest that it's a Russian group, or at least a Russian-speaking group.

Dave Bittner: [00:03:46:02] KrebsOnSecurity says that LocationSmart, a US company that aggregates cell phone location data, has been leaking that data through a buggy demo page on its website. The flaw granted access without requiring authentication. LocationSmart took down the relevant portions of its site yesterday afternoon upon being informed of the problem. AT&T, Sprint, T-Mobile and Verizon customers could have had location data exposed.

Dave Bittner: [00:04:15:10] Office 365 is proving increasingly popular as phishbait. The scam usually takes the form of an email purporting to be from the service, telling the recipient that their access to Office 365 will be suspended if they don't reset a password, or simply click a link to verify their account. It's all bogus, of course. Microsoft no more sends out that sort of email than it has a boiler room call you at home to say that they have detected malware in your Windows machine, but the emails are reassuringly boring, and they're perhaps the kind of thing the unwary and the unfamiliar might fall for.

Dave Bittner: [00:04:52:18] The US Senate yesterday confirmed Gina Haspel as Director of Central Intelligence. She succeeds Mike Pompeo, now serving as Secretary of State. Haspel is a career CIA officer with a background in operations.

Dave Bittner: [00:05:08:05] Representatives Langevin and Lieu, Democrats from respectively Rhode Island and California, introduced legislation in the House that would require the White House to reinstate the recently disestablished post of Cybersecurity Advisor. No-one really expects the bill to go anywhere, but it does register discontent with the Administration's move. White House cyber coordination responsibilities will devolve upon National Security Advisor Bolton.

Dave Bittner: [00:05:36:10] Hopes that reduced nuclear tensions on the Korean peninsula would moderate North Korean hacking seem to be on their way to being dashed. South Korean sources say that DPRK cyberattacks have continued essentially unabated. The Straits Times reports an interview with Choi Sang Myung, director of software firm Hauri Inc and advisor to South Korea's police and National Intelligence Service. Choi notes that Pyongyang is interested in capacity building. He says that DPRK hackers have been sent to both China and India for advanced training. Much of their recent activity is directed toward espionage, information-gathering, but we're roughly at the one-year anniversary of WannaCry, and Choi says, he wouldn't rule out a repeat performance.

Dave Bittner: [00:06:23:21] In what amounts to a dog-bites-man story, the Wall Street Journal says, a lot of cryptocoin investment offers are scams. You think? Yeah, we thought so too. Anyhoo, the Journal is on the side of the angels with respect to this one. They combed their way through 1,450 coin offerings. 271 of those offerings raised clear red flags, like plagiarized investor documents, promises of guaranteed returns, always a problem, as connoisseurs of the pink sheets can tell you, and executive teams that, when they're not missing altogether, are often simply fake.

Dave Bittner: [00:07:01:16] The US Securities and Exchange Commission is trying to help educate investors to the risks the alt-coin investment mania presents. They've set up a bogus coin offering site to show the public what the hokum and bunkum in the market look like. Their coin offering they call "HoweyCoin", a travel-focused coin, and, wow, does it sound like a good deal. Here, give it a listen. Quote, "HoweyCoins utilize the latest crypto-technology to allow travelers to purchase all segments without these limitations, allowing HoweyCoin users to buy, sell, and trade in a frictionless environment where they use HoweyCoins to purchase travel, or as a government-backed, freely tradable investment, or both!" Well, sign me up! Where do I go to surrender? You can check it out at That's h-o-w-e-y-c-o-i-n-s. We especially liked the celebrity endorsements near the bottom of the page. So read the whole thing, and expect the SEC to come to an open-mic night at a Chuckle Hut near you. Nicely done, SEC.

Dave Bittner: [00:08:11:05] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies, and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security, And we thank VMware for sponsoring our show.

Dave Bittner: [00:09:09:11] And I'm pleased to be joined once again by David Dufour. He's the senior director of engineering and cyber security at Webroot. David, welcome back. We wanted to go through some of the threat trends that you all have been tracking there at Webroot. You've got some stats to share with us. What do you have?

David Dufour: [00:09:26:16] You know, our annual threat report comes out this time of year, and we're always following and looking at what the trends are. Some of them are new and exciting, and some are just the old basics that you know how we say sometimes, David, the more mundane it is, the more important it probably is to look for. It's just some fun stats. 74% of the companies that we see impersonated out there are financial institutes. So that doesn't probably surprise anyone, but if you're getting emails from your financial institutional, or some financial organization like the IRS, or things like that, you want to be doubly sure where those emails or that communication is coming from, and just be aware because, you know, that's where we see a lot of that impersonating people trying to steal information, et cetera.

Dave Bittner: [00:10:11:17] Now, speaking of impersonations, it was interesting to me that you saw one name popped up particularly often when it came to impersonations.

David Dufour: [00:10:20:16] UPS and we saw that 52% of the time as well. I guess that has to do with trying to track packages, things like that, but I can't exactly tell you why that's happening, but we do see UPS quite a bit, and probably because they're more involved with shipping and things with Amazon, you know, exploding like they are with online purchasing. UPS helps people to get information about being able to track packages and things of that nature. That's just a guess on my part.

Dave Bittner: [00:10:48:15] It was interesting to me also, you saw a really significantly high percentage of the malware was unique. Take us through what are the implications of that?

David Dufour: [00:10:56:24] Well, so that's back to, you know, the-- our good friend polymorphism where it's, it's become-- you know, it's almost table-stakes anymore if you've writing malware, to make sure that that malware is polymorphic. Polymorphic malware is where every time a file lands on a new computer, it changes itself so the signature looks different. So that, that older methodology of looking up signatures just doesn't work anymore. We're seeing, you know, 93 to 95% of malicious malware on one machine only because of the nature of that polymorphism. You have to have something that does more than just check signatures. It needs to look for behaviors, and hopefully you're not letting it get on the machine in the first place.

Dave Bittner: [00:11:41:02] I saw another interesting stat you sent over was that a whole lot of the phishing attacks came from a limited number of domains.

David Dufour: [00:11:48:24] Yes. So 62 domains in our report handled 90% of the phishing attacks that we saw in 2017. That denotes, you know, hacked domains, or a lot of, you know, free or social domains that are out there where it's easier to create phishing websites that are easy to get on and drive people to. So, you know, if you're aware of these domains, and you block those domains, it's, it's a pretty good method of preventing attacks but one thing I would say is, it's the long tail that's the real threat. It's, yes, we see 90% of phishing attacks, you know, came from those domains, but those other 10% are coming from very small domains that we still have to be able to protect against.

Dave Bittner: [00:12:36:20] So in terms of what you are seeing in terms of overall trends and how that should inform how people manage their resources, what would your advice be?

David Dufour: [00:12:48:04] Well, you know, again, you've always got to have the basics in terms of an anti-virus that does file scanning and analysis, but a lot of effort needs to be put into protecting your users when they're online, using, you know, threat intelligence to block people from going to malicious websites, using phishing tools that help identify phishing websites to prevent those types of attacks from occurring and then one big thing we're seeing arising that we do encourage is getting training for your employees and try to get that training as close to the actual event as possible so that it becomes contextual in nature rather than, you know, having training once a year on PII or PCI, try to get that training a little, you know, delivered at the time that maybe a phishing attack happens because then people tend to remember, "Oh, oh, yeah, now we need to be paying attention".

Dave Bittner: [00:13:38:19] David Dufour, thanks for joining us.

David Dufour: [00:13:40:20] Alright, thanks for having me, David. It's always great.

Dave Bittner: [00:13:47:14] Now, some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spearphishing, those can never be discounted, but here's the twist, Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phishnet could catch, don't you think? Go to and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:14:51:16] My guest today is author and futurist, Heather Vescent. Her research on cyber security, cyber economics and cryptocurrency have been featured in the New York Times, on CNN, CNBC and Fox, and she's spoken at conferences including South by Southwest, TEDx, and The Future of Money. I kicked off our conversation by asking her to explain what exactly is a futurist?

Heather Vescent: [00:15:15:20] A lot of people think the future is like the past and the present. There's one past, there's one present so there's one future which is one of the reasons why we love predictions because predictions set forth one future, but the medium of the future is really different. The medium of the future is all possibilities. And so what I do as a futurist is I study the changes that are occurring in our present time. These can be trends. These can be technology trends. These can be all kinds of different, you know, what's happening in politics, cultural, social, economic stuff. So I study all the changes that are happening in our world today and then I extrapolate them out to various timelines in the future. From that, I will create a base-line future which is kind of like if nothing changes and we push it out, you know, however many years, five, 15, 50 years. This is what the future could be like, but nobody has 100% control over all of the variables of the future. So there's a lot of different other futures that could occur and so then I identify what those variables are, you know, twiddle the knobs on them and then come up with alternate futures or other futures.

Dave Bittner: [00:16:27:00] So it sounds like it's more like being a meteorologist than say, a psychic?

Heather Vescent: [00:16:31:18] Oh, my god, it's so not a psychic at all. [LAUGHS] It's-- I have a Masters of Science and Foresight.

Dave Bittner: [00:16:37:22] Right, didn't mean to trigger you there, Heather. [LAUGHS]

Heather Vescent: [00:16:41:09] Actually, a lot of people can get confused about it. I am a scienc-- I know it. A scientist of the future, what does that mean?

Dave Bittner: [00:16:48:22] Do you get a lot of eye-rolls at cocktail parties when you say the word, futurist?

Heather Vescent: [00:16:52:20] Well...

Dave Bittner: [00:16:53:16] ...or people are more polite than me, I guess. [LAUGHS]

Heather Vescent: [00:16:56:00] Well, no, actually I get two kind of different responses. One is people are fascinated and they ask me questions and the next thing I know, you know, we're in, like, a multiple hour-long conversation.

Dave Bittner: [00:17:05:24] Right.

Heather Vescent: [00:17:06:09] Or people are just not that interested and I think I also preemptively, like, I'm like, I'm a futurist, not a psychic. [LAUGHS].

Dave Bittner: [00:17:14:18] Right. Right.

Heather Vescent: [00:17:15:07] I don't tell the future. I don't make predictions.

Dave Bittner: [00:17:18:04] What led you to your specific interest in cyber security?

Heather Vescent: [00:17:22:00] Well, in the last couple of years I've had three projects that have really led me into the cyber security space. So I co-wrote the Cyber Attack Survival Manual, and it's really a guidebook for normal people to, you know, be safe and secure online. At the same time, I was doing a project for the US Army. I was looking at the future of military learning. The point of that project was to look at new technology like AR, VR, distributed learning tablets, that kind of stuff could be used to do military training, and this is kind of like the training that everyone would get when they enlist in the military when they're learning military leadership skills as well as the core competencies that they need to do their job. Cyber war is the newest domain for the military. And so the whole scenario I put together to show the future of military learning was training for a cyber security war game which then led me to wanting to kick off some research on the future of security and I ended up being invited to write this paper that I just finished for the new security paradigm's workshop and co-wrote the paper with Bob Blakeley, who does security at City Bank, and the title of the paper is Shifting Paradigms: Using Strategic Foresight To Plan For Security Evolution.

Heather Vescent: [00:18:46:01] He brought his security background. I brought my foresight futurist background, and kind of, like, mashed it up to really look at what are some real legit scenarios of the future and I was blown away by what we found out. As a futurist, I have lots of different methods available to me, and for this particular research I decided to utilize what I call is a foresight interview protocol and so there's a way that I like to interview people that focuses on current trends and then where it could go in the future. I also like to use a method called appreciative inquiry and that focuses on what's positive and already working in the industry to see where things might grow versus focusing on the problems that we have. I also use a method, it's one of the best methods in US methods in, in foresight studies called causal layer analysis or CLA. I use a light version of it. It helps you dig into kind of some of the underlying themes and cultural aspects in an industry that you might not otherwise find. And so I used these methods in conjunction with one-on-one interviews and a standard survey.

Heather Vescent: [00:20:05:24] And one of the things that was the most interesting to me that came up from the research was this idea that the reason we have so much-- so many black-hat hackers these days is because we don't have full employment for everyone who has these skills. It arises in countries that have really good education, but poor economic markets or work markets. For example, in the former Eastern Bloc or Brazil, you have very smart people that have very good education, but they're not able to get jobs. And so instead what they're doing is they're using their skills for evil because they're trying to make a living.

Heather Vescent: [00:20:45:13] And so one of the new paradigms that I discovered was this idea that we have attackers and defenders adversarial experience and so when I wanted to flip that paradigm and think, well, what if there was no more adversaries? Like, how could we have no more black-hat hackers? And I thought, well, what if everyone who has the skills is fully employed? Then they don't need to go out and find a way to monetize their skills. They don't have so much time and no money and thus the motivation to be able to, like, break these things. That changes the world dramatically. And then we kicked that up even more and thought, well, then who would be hiring, like, the actual hackers to hack into things? Well, then maybe it's only going to be nation-states that are going to be hiring these super high skilled people to do, you know, cyber warfare at the hacker level, and we really came up with this whole idea of a cold war 2.0. So, you know, that's just kind of an example of one of the more kind of far out there things we came to.

Dave Bittner: [00:22:01:10] And I suppose it's challenging for some people to imagine what the possibilities might be, either good or bad.

Heather Vescent: [00:22:08:24] Absolutely. As a futurist, it's a lot easier for people to think about the negative consequences of technology, but that actually doesn't ever really happen because if it did we'd stop building technology. Technology and all of the new things that we come up with inevitably make our lives better and more interesting, and they also give us a whole new set of problems to solve. We're going to solve our old problems, and we're going to create new problems, and that's just kind of what we do as humans.

Dave Bittner: [00:22:38:07] That's author and futurist, Heather Vescent. You can learn more about her work on her website,

Dave Bittner: [00:22:49:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:23:08:01] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:23:26:07] Our show is produced by Pratt Street Media with editor, John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.