The CyberWire Daily Podcast 6.13.18
Ep 619 | 6.13.18

Cable-tapping for a new century. Lazarus Group update. BabaYaga's cannibalistic malware. Patch Tuesday notes. Cryptojacking. World Cup surveillance. Beware of strangers bearing gifts with USB connections.


Dave Bittner: [00:00:00] Hey, everybody, just a quick reminder you can show your support for the CyberWire by visiting our Patreon page - that's At the $10-per-month level, you get a version of our show without any ads. It's the same show you know and love - just without the commercials. Thanks.

Dave Bittner: [00:00:20] Old news is new news when it comes to undersea cables. The Lazarus group is still at it - against South Korean targets. BabaYaga eats other malware, so it can stage WordPress spam. We've got some Patch Tuesday notes, including some products that Redmond will no longer support. Cryptojackers are still busy. There's one new strain of coin-mining malware that uses the Eternal Romance exploit to spread. World Cup surveillance threatens visiting fans. And don't plug gifts from strangers into your USB port.

Dave Bittner: [00:00:57] Time to take a moment to tell you about our sponsor Recorded Future - Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. So sign up for the Cyber Daily email where every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:15] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 13, 2018.

Dave Bittner: [00:02:27] Monday's action against several firms the U.S. Treasury Department regards as FSB's cat's paws has prompted discussion over the security - or lack thereof - surrounding undersea cables. They are indeed susceptible to both tapping and intentional damage. But this is not a new problem. Undersea cables were both tapped and cut a century ago. And such activity has continued through today. So for all the current interest, this is not a new issue.

Dave Bittner: [00:02:56] Cable hacking goes back at least 100 years to the First World War. The Royal Navy cut German cables at the outset of the war, forcing the Wilhelmstrasse to rely on the good offices of neutrals to pass its diplomatic messages. GCHQ ancestor Room 40 was reading and decrypting neutral cable traffic with a particular interest in American cables. That's how they got the text of the Zimmermann Telegram - the Kaiser's offer to help Mexico regain her lost provinces of Texas and California if she'd keep the U.S. too militarily occupied to join the Allies in Europe. The telegram wasn't decisive, but it certainly helped push the U.S. towards belligerency.

Dave Bittner: [00:03:40] Room 40, by the way, discreetly declined to point out to their American friends that they only read the German traffic because, well, they were reading all that American traffic too - but, you know, bygones. And it's no excuse for you, FSB - just because Admiral Hall did it 100 years ago doesn't make it right for you. The U.S.-North Korean summit is now in the record books, but the Lazarus group is still out there slugging. AlienVault reports that North Korea's Lazarus group is actively exploiting an ActiveX zero day found on a site belonging to a South Korean security think tank.

Dave Bittner: [00:04:18] Researchers at Defiant are tracking BabaYaga malware, which generates spam links and redirections. It's also cannibalistic, like its namesake. It removes competing malware from the devices it infects - effectively maintaining the WordPress site it infects. The goal of BabaYaga is generating spam content. Defiant studied one particular campaign that had a commonly used theme and set of targets - essay writing services. That's right, kids. The essay writing ads you respond to are dodgy. So even if you're indifferent to the moral degradation of plagiarism, be advised you might not want to go there anyway no matter how attractive that offer of a term paper about the phenomenology of decolonization might look.

Dave Bittner: [00:05:04] The spam content BabaYaga generates is keyword heavy. Defiant calls it meaningless word salad designed to attract search engine traffic based on those keywords. The crooks get paid through affiliate marketing. They redirect site visitors to other sites selling stuff you probably don't need in the first place - herbal enhancement potions, commemorative figurines, Pink Sheets stock tips, term papers on the hermeneutics of glaciation - obvious things like that. You might think people wouldn't buy such stuff, but there are enough buyers born every minute to make it worth the hoods' while. So add BabaYaga to your list of petty online crime.

Dave Bittner: [00:05:44] BAE Systems is hosting a one-day cybersecurity conference in London tomorrow, June 14. They're calling it RESET. And it's gained attention not just for the impressive lineup of speakers and panelists but also because every one of those speakers and panelists are women. Kirsten Ward and Saher Naumaan are both intelligence analysts from BAE Systems, and they spearheaded the efforts. We hear from Kirsten Ward first.

Kirsten Ward: [00:06:11] So there are a number of reasons that we decided to organize this conference. I suppose one of the main reasons is that me and Saher had both been to a large range of web security conferences around the world. And at each of them, we've been disappointed with the lack of diversity in not just the speakers but also the attendees. A lot of conference organizers complain about the lack of women speakers that they're able to get for their conferences. So actually, we know so many brilliant women, and all we had to do was reach out to them.

Saher Naumaan: [00:06:44] So we actually compiled a list of over a hundred speakers to reach out to to present at our conference. And we ended up getting just over 15 women who will be individual speakers and panelists. I think we really want it to come across that if you are proactive at pointing (unintelligible) organizers, fight a little harder and actively reach out to women they know in the industry or perhaps their colleagues know, in fact, it's actually not that difficult. And we want to really normalize the presence of women experts in the field. So one of the reasons that we had an all-female speaker lineup but an open audience is so that women can attend, men can attend. Junior and senior professionals in the industry want to show everyone that women experts is the norm and should be the norm. But really, if men want to be contributing, what they should do is, again, actively promote these women, give them exposure, give them the opportunity to show their work and recognition for their research.

Dave Bittner: [00:07:47] That's Kirsten Ward and Saher Naumaan from BAE Systems. The one-day RESET cybersecurity conference is in London, June 14.

Dave Bittner: [00:07:58] Yesterday was Patch Tuesday, and Microsoft addressed some 50 issues with its software. The products receiving upgrades include the Windows OS, Internet Explorer, Microsoft Edge, the ChakraCore JavaScript Engine and Microsoft Office with its Microsoft Office Services and web apps. No zero days this month, but the update did toggle Meltdown and Spectre mitigations to new default settings. Microsoft has also announced that several products would no longer receive tech support. If you're a user of Windows 7, Windows 8.1, Windows 8.1 RT, Microsoft Security Essentials, Internet Explorer 10, Office 2010 and Office 2013, you are on your own - you and the others in what we've learned to call your user community.

Dave Bittner: [00:08:45] Bitcoin and other cryptocurrencies took a hit after the weekend disclosure of theft at the Coinrail ICO exchange. Cryptojacking continues to make a nuisance of itself. A study by Palo Alto Networks concludes that about 5 percent of the Monero out there was mined by malware and that 2 percent of the daily hash rate comes from cryptojacked machines.

Dave Bittner: [00:09:08] A couple of dispatches from the captain obvious desk. Well, obvious, but if people didn't fall for these things, captain obvious would be out of his very useful job. The first one concerns the World Cup. If you, football fan, bring your phone, tablet or laptop with you to the matches in Russia, along with your vuvuzela and the other impedimenta of football fandom, please don't connect to the local free Wi-Fi. You're asking for trouble. Don't just believe us. Take it from the FBI or, more specifically, from the U.S. National Counterintelligence and Security Center. You might think you're too insignificant to be targeted by an espionage service, but you can bet your vuvuzela the espionage services don't see it that way.

Dave Bittner: [00:09:51] The other one comes from Singapore. And it concerns trade show swag or, in this case, stuff coming from a commemorative summit. Journalists covering the summit have been given a nice little fan - welcome in the 91-degree heat. That's about 33 centigrade for any football fans out thataways, but said fan plugs into your USB drive. Again, just don't. We leave it as an exercise to determine why plugging stuff strangers give you into your device is a bad idea.

Dave Bittner: [00:10:24] And finally, in other cryptojacking news, Fortinet reports the recent emergence of PyRoMineIoT cryptomining malware that propagates through the EternalRomance exploit. EternalRomance, of course, is one of the Equation Group items dumped by the Shadow Brokers. And where have those guys been lately anyway? We don't really want them back, but they're like fruitcake around the holidays. Nobody actually likes it, but somehow you feel like you'd miss it if it weren't around.

Dave Bittner: [00:11:01] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:11:59] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. We have seen plenty of stories lately about cyberattacks coming from the supply chain. Fill us in here. What should companies be doing right now to protect themselves?

Justin Harvey: [00:12:15] Well, as you know, there have been some of the larger breaches in the last decade stemming from an organization's supply chain. Think about Target. Think about the now infamous NotPetya attack that came through an ERP system being used by a company inside of the Ukraine. And they came in that way. These supply chains that organizations and enterprises are relying upon for all of their digital goods and physical goods and applications and software and even hardware - there's a propensity by enterprises to automatically trust or automatically assume that their suppliers are taking all the necessary cyberdefense and cybersecurity precautions. Unfortunately, that's not true. It's very difficult to extend that level of trust in this day and age. So like the Russian proverb that Ronald Reagan coined, which is trust but verify, I think that applies very directly to supply chains.

Dave Bittner: [00:13:23] But how do you approach that from a practical point of view? If you have - I can imagine folks have lots of suppliers. How do you come at this problem?

Justin Harvey: [00:13:33] Well, what we've done with some of our larger clients is that we've actually built cybersecurity programs for their procurement and for their supply chain organizations. These sort of programs prioritize based upon the value or the volume that the supplier is giving to the enterprise. And there's also a risk calculation that can be made based upon where the supplier is. What types of goods and services are they supplying? What is the history around those companies - those suppliers? What are the risks associated with those types of services? For instance, think about the United States and their banning of goods and services from companies like Huawei.

Justin Harvey: [00:14:24] Well, that was based upon Congress and other U.S. government organizations receiving these goods from Huawei. And they already had malware and espionage and surveillance types of entries into their code that allowed, possibly, state-sponsored actors to abuse those. So that's just one example of how thinking through - creating a risk-based profile for your suppliers and then, on top of that, going to your suppliers and actually challenging them to demonstrate their proficiency across security awareness, across their ability to respond to incidents. Are they doing threat hunts? And even, in some cases, how are your suppliers managing their own supply chain? That might seem a little bit tinfoil hat. But I got to tell you - for some of the larger aerospace, defense industrial base organizations and even financial services institutions that have no tolerance for risk, we're starting to see more and more and more emphasis on the supply chain.

Dave Bittner: [00:15:30] All right, good advice as always. Justin Harvey, thanks for joining us. And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:15:58] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.