The CyberWire Daily Podcast 6.4.18
Ep 612 | 6.4.18

Microsoft buys GitHub for $7.5 billion. VPNFilter tries to reconstitute itself. Ransomware and DDoS notes. USA Really seems to be latest in Russian disinformation.


Dave Bittner: [00:00:03:18] Microsoft buys GitHub for $7.5 billion. VPNFilter seeks to re-establish itself. Financial Trojans are up and ransomware is down, but don't count the ransomware out, not yet. There's a get-decrypted-for-free card to Russian ransomware victims. The children of Mirai trouble an unhappy world. USA Really may be the latest incarnation of the Internet Research Agency, complete with rabid Florida squirrels, Wisconsin blood-suckers, and advice on Louisiana's secession.

Dave Bittner: [00:00:40:14] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news: there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless, that's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So, even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel-level container, where the malware's rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo you can say with confidence, "I got 99 problems, but malware ain't one." Go to to learn more and get a free demo of their platform. We thank Comodo for sponsoring our show.

Dave Bittner: [00:01:56:17] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I am Dave Bittner with your CyberWire summary for Monday, June 4th 2018.

Dave Bittner: [00:02:08:00] We begin with some major industry acquisition news. Weekend rumors that Microsoft was in talks to buy open-source code repository GitHub were borne out this morning. Speculation about price ran to around $5 billion. This morning, Redmond announced that Microsoft had indeed made that acquisition, but not for $5 billion. Rather, GitHub went for a cool $7.5 billion in stock - about $2.5 billion more than already overheated rumor had predicted. Some observers see the move as representing for Microsoft a kind of return to its developers roots. Developers in general have shown a mixed reaction, with many predictably responding to the news in a Martians-have-landed-and-the-man-is-out-to-get-you mood. Rival platform GitLab saw a considerable immigration of projects on Sunday as rumors of the deal spread. Microsoft itself expects a good bit of churn as it integrates this acquisition.

Dave Bittner: [00:03:07:03] The VPNFilter botmasters may be attempting to reconstitute their botnet. Researchers at security companies JASK and GreyNoise reported late Friday that the threat actors behind the first round of infestations are working to herd another set of routers. In an attempt to work around the US FBI's sink-holing of the 'ToKnowAll' domain, they're actively scanning MikroTik routers with port 2000 exposed online, and they're looking only for routers in Ukrainian networks. The focus is unsurprising, given that the threat actor in question is widely believed, on compelling if circumstantial evidence, to be Fancy Bear, also known as APT28, also known as Russia's GRU. The interest in Ukrainian targets is significant, but no-one in any country should be blasé about the possibility of router infection.

Dave Bittner: [00:03:58:01] The FBI's advice remains good and the bureau regards this episode as a teachable moment. As Symantec's Vikram Thakur told Dark Reading, the bureau is, "Trying to get the word out that people should reboot their routers and set up regular routines for doing firmware upgrades." So cycle power on your SOHO router and update your firmware.

Dave Bittner: [00:04:21:09] The seesaw of criminal practice currently seems to be tilting financial Trojans up and ransomware down. Ransomware is, of course, still significant. AlienVault notes that the Satan ransomware family has adopted new approaches to spreading itself, some of them involving the Shadow Brokers' EternalBlue exploit. Where are the Shadow Brokers these days? It's been a while since they've been heard from.

Dave Bittner: [00:04:47:02] In another ransomware development that affords some insight into the complex relationship between ransomware extortionists, and either national pride or relationships with national security services, the authors of the Sigrun ransomware are offering free decryption to Russian users. They try to avoid infecting Russian users by the rough-and-ready method of detecting a Russian keyboard, but sometimes things happen. So, what would cost an American user about $2500 in Bitcoin or Dash, a Russian user can get for free. BleepingComputer consulted the Malwarebytes security researcher who noticed the discount. He told them that the Sigrun hoods are also willing to help out Ukrainian users. The Ukrainian Cyrillic keyboard layout is sufficiently different from the Russian to permit a normal infection rate in Ukraine.

Dave Bittner: [00:05:37:12] Best not to get infected in the first place, so click with caution and treat email attachments with due suspicion. Should you wind up infected with Sigrun or any other ransomware variant, your best assurance of resiliency and ability to recover is regular, secure back-up.

Dave Bittner: [00:05:55:18] Netscout Arbor reports that criminals continue to make extensive use of evolved forms of Mirai, for denial-of-service attack flavors Satori, JenX, OMG, and Wicked. Satori added remote-code injection exploits, JenX relies on external scanning and exploitation tools, OMG added HTTP and SOCKS proxies, and Wicked, the latest evolution, has moved from credential-scanning to RCE vulnerability scanning.

Dave Bittner: [00:06:25:21] FireEye says a news site that popped up last month, USA Really, is in fact a Russian information operation run out of the same building in St. Petersburg that housed the famous Internet Research Agency troll farm. As FireEye's iSIGHT Manager of Information Operations Analyst puts it to McClatchy, "We're not saying it is the Internet Research Agency, but there are a number of indicators that suggest it is."

Dave Bittner: [00:06:52:20] Some of the features are charmingly bizarre. For example, blood-sucking monsters invade Wisconsin - the denizens of Milwaukee will recognize this as a reference to what are normally called mosquitoes. Louisiana ought to secede again on account of, if it were a country it would have the 45th largest economy. Rabid squirrels are infesting Florida, possibly an homage to Peter Singer's famous ruminations about the squirrel threat to the power grid, and so on. But the intent is thought to be malign erosion of such civic trust that Americans may still enjoy, or so we hear.

Dave Bittner: [00:07:31:20] USA Really popped up on May 17th. It had a Facebook page until reporters asked Facebook Friday, "Hey, how about it?" At which point Facebook took them down. They've still got their Twitter feed, at least the last time we checked. Their come-on is mistrust: don't get your news from the mainstream media or their puppets in the political classes. If you want the skinny on the rabid squirrels, the Deep State's not going to come clean with you, but while the boys and girls on Savushkina Street talk Russian among themselves, they'll talk straight to you, or so they say.

Dave Bittner: [00:08:11:01] Now a moment to tell you about our sponsor, ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain, and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach.

Dave Bittner: [00:08:29:14] With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization, that's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at We thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:20:08] Joining me once again is Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture. She's also a New America Cybersecurity fellow. Malek, welcome back. You have some interesting research that you wanted to share about using behavioral biometrics for detecting mental disorders. What's going on here?

Malek Ben Salem: [00:09:39:08] Thanks, Dave. As you know, behavioral biometrics have been proposed as an approach to authenticate users continuously as they interact with a digital system or a mobile device, complementing the way we regularly authenticate those systems using passwords. It turns out that those same behavioral biometrics can be used for other purposes and this is really, really exciting. It's exciting to see how cybersecurity research can be applicable to other fields, and improve people's lives.

Malek Ben Salem: [00:10:14:22] One example of a behavioral biometric that can be used for authentication is the way we type - our typing behavior. Our research has indicated that typing behavior is unique by person, by user, and it can constitute a digital fingerprint. Because of that uniqueness of that consistency in typing behavior, some researchers within the medical field have looked at using that to see if it can detect mental disorders. The way we type basically becomes a habit - it becomes hard-wired into our brains. If our brains get attacked by mental disease, that wiring gets affected.

Dave Bittner: [00:10:58:20] Are we talking about a change in the way that we type over time, where we're detecting that you used to type something one way and now it's different?

Malek Ben Salem: [00:11:06:13] It's a change in the way we type. How fast do we type? Which combinations do we use? How long does it take us to move from one key to another? It's those types of behaviors that are typically consistent for people during the day, during the week, but if our brains get attacked they tend to change.

Malek Ben Salem: [00:11:29:08] If you think about it, the way mental disorders get diagnosed today is very expensive. Doctors have to do brain scans, or they may have to run expensive time-consuming cognitive tests, or they may have to rely on their subjective analysis. Offering them a way to monitor typing behavior, monitor inactivity that everybody does almost every time as a mundane activity, can be very useful for early diagnostics.

Malek Ben Salem: [00:12:09:00] A start-up company called NeuraMetrix, based in San Francisco, is using and harnessing typing cadence to assess a patient's mental health. They reported some encouraging results, but it was based on an internal study about Parkinson's Disease that distinguished patients from healthy people, with 99.9% accuracy.

Dave Bittner: [00:12:34:21] That's interesting. I can certainly see the advantages of this. If I knew I had trouble with something like depression and I could have an app monitoring me, to give me some indications, maybe even before I was self-aware of it, that I was heading into a bad place, I could see the usefulness of that. On the other hand, I would imagine this wouldn't be something that I would want installed on my computer at work - I might not necessarily want my boss to know these sorts of things.

Malek Ben Salem: [00:13:01:19] Absolutely. Actually, the company is offering a consumer app that provides such an evaluation, as a feature for consumers, to look at how consistent their typing behavior is. It reports their consistency score, but it also shares the typical score range for a healthy person. It does not draw any conclusion about their mental health, because the app might get the company into trouble with government regulators. But at least it gives the consumers a heads-up about how consistent they are, and it may indicate some issue that may let them decide to go see a doctor.

Dave Bittner: [00:13:43:19] It's an interesting story for sure. Like you said, an example of some technology used for security that could help people in other ways. Malek Ben Salem, as always, thanks for joining us.

Dave Bittner: [00:13:59:03] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:14:27:07] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:14:37:03] Our show is produced by Pratt Street Media, with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.