The CyberWire Daily Podcast 6.18.18
Ep 622 | 6.18.18

Date extortion attempt against Liberty Life. Rex Mundi, Black Hand arrests. Hidden Cobra's back. Clipboard hijacking hits cryptocurrency wallets. ZTE, Huawei security fears. Pulp fiction.


Dave Bittner: [00:00:03:22] Liberty Life sustains an attempt at data extortion. In separate operations, international police agencies cooperate against Rex Mundi, Black Hand and the remnants of Silk Road. We've got some Cyber espionage notes. North Korean hacking resumes. More clipboard hijacking affects cryptocurrency wallets. Security concerns tighten around ZTE and Huawei. And pulp fiction: from Russia with, if not quite love, then at least intense activity, and also from the Clinton Library.

Dave Bittner: [00:00:41:07] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper, entitled More is Not More: Busting the myth that more threat intel feeds lead to better security. It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account, visit That's, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:01:09] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 18th, 2018.

Dave Bittner: [00:02:13:06] South Africa-based insurer, Liberty Life, reported Saturday that it had sustained a breach by "unauthorized parties". It's an extortion play under a veneer of freelance penetration testing. Liberty, which says it regained control of its systems by Sunday, said of the attack: "An external party claims to have seized data from us, has alerted us to potential vulnerabilities in our systems and has requested compensation for this." Reports say the hackers claim to have obtained "sensitive data" about "top clients" which they intend to release if their extortion demands aren't met.

Dave Bittner: [00:02:51:11] Liberty denies early reports that it was negotiating payment with the attackers. Note that this isn't a ransomware case. Liberty's data haven't been encrypted and rendered unavailable. Instead, the hackers are threatening to release the data publicly if they're not paid. Liberty now also faces the risk of being fined for breaching the Protection of Personal Information Act, which is administered by that country's Information Regulator. Thus, regulatory risk accompanies financial and reputational risk.

Dave Bittner: [00:03:23:11] The Liberty incident is reminiscent of one last year that's just been rolled up with arrests by a multinational law enforcement effort. Europol has arrested five alleged members of the Rex Mundi cybercrime gang. The operation was an international one, with participation by the French National Police, the UK Metropolitan Police, and the Royal Thai Police. Rex Mundi overreached itself last year with a data extortion attempt during the hack of an unnamed British company. A francophone member of Rex Mundi tugged on Superman's cape by calling Europol to demand a €580,000 ransom in Bitcoin for non-disclosure of the customer data stolen or, alternatively, more than €825,000 for information on how Rex Mundi compromised the firm's systems.

Dave Bittner: [00:04:14:11] Researchers at security firms F5 and Loryka report substantial cyber espionage activity targeting last week's Trump-Kim summit, most of it from Russia, which obviously has an intelligence interest in the negotiations.

Dave Bittner: [00:04:29:20] The New York Times reports that US Cyber Command has received, and is using, authorities to conduct offensive cyber operations. The operational template is thought to be drawn from that used against the Islamic State.

Dave Bittner: [00:04:43:15] But Pyongyang, as many have had occasion to note, hasn't been idle either. US-CERT warns that DPRK hackers are back, with the Hidden Cobra threat group deploying Typeframe malware in its distribution of remote-access Trojans. There are some steps an enterprise can take to protect itself from Typeframe. As Plixer's Director of Audit and Compliance, Justin Jett, pointed out to us in an email, Typeframe uses a set of known IP addresses. These are identified in the US-CERT report, and blacklisting those IP addresses is not a bad place to start.

Dave Bittner: [00:05:20:02] Bitcoin and Ethereum investors have been hit with another round of wallet looting. According to Qihoo 360, the technique if the familiar one of clipboard hijacking. They get your clipboard, and from that they get your wallet's address. These addresses being too complicated to be conveniently typed afresh each time they're used.

Dave Bittner: [00:05:41:15] French authorities have taken down the Black Hand dark web market. Black Hand specialized in selling both contraband like drugs and weapons, but also stolen databases, banking data and bogus documents. The main administrator and "several other people" are now in custody.

Dave Bittner: [00:06:00:02] Alleged Silk Road collaborator, "Variety Jones", whose actual name is Roger Thomas Clark, has been extradited to the US from Thailand to face charges related to the now defunct dark web market once run by the Dread Pirate Roberts, AKA Ross Ulbricht. Mr. Clark, who had famously boasted that the authorities had nothing on him, will now have an opportunity to try that confident assessment in an American court.

Dave Bittner: [00:06:27:22] The US Senate is expected to take up ZTE's lifeline this week, deliberating whether to withdraw it on security grounds. Congress is believed interested in taking on Huawei next. There appears to be considerable bipartisan support building for a ban on both companies' products.

Dave Bittner: [00:06:46:09] Huawei is also facing security worries in Australia, where the company may find itself excluded by the government from participation in that country's impending 5G build-out. Huawei is the world's third largest manufacturer of smartphones, trailing only Samsung and Apple, and a leader in 5G technology. The Australian Broadcasting Company has an account of why Australia is so skittish about Huawei. Their concerns seem to derive from the difficult experience another of the Five-Eyes, the United Kingdom, had when British Telecom concluded a major deal with Huawei in 2005. The experience is believed to have been an unhappy one from the point of view of infrastructure security. ABC, reading between the heavily redacted lines of a GCHQ report on Chinese exploitation of the BT-Huawei connection, thinks Australia has received sufficient warning from its British partners to fight shy of any major engagement with Huawei.

Dave Bittner: [00:07:47:05] The impresario who's serving as the public face of the Russian online service, USA Really, Alexander Malkevich, is busily disporting himself in Washington. He showed up outside the White House on Flag Day last week intending to lead some sort of demonstration for which few, alas, showed up, but he seems undeterred. He's come to "test the limits of American freedom", doing so by, among other measures, sporting a variety of legible t-shirts - one had the Russian language equivalent of "effing morons" displayed below a picture of the Russian Foreign Minister wearing a disdainful expression - and renting a co-working space near the Executive Mansion. The co-working space didn't work out. WeWork gave Mr. Malkevich the heave-ho just two hours after he entered the building, which is probably some sort of record.

Dave Bittner: [00:08:41:06] Foreign Policy suggests that Mr. Malkevich is either a troll or a bumbling self-promoter. Some of his outlet's offerings are from a sub-tabloid level of journalism. One in particular, "Man Served His Friends Tacos Made From His Severed Limb", has drawn particular comment. He's not without some credentials: he is, for one thing, a member of the Civic Chamber of the Russian Federation, a group that advises the Duma on media policy and other matters. His USA Really venture is backed by funds from the Federal News Agency, a Russian outfit connected to the Internet Research Agency, the now notorious St. Petersburg troll farm. Whether Mr. Malkevich is a forward deployed troll, a hyperactive hambone or, perhaps most likely a mix of the two, well, welcome to the Beltway, sir. Hyperactive hambones often enjoy a good run thereabouts.

Dave Bittner: [00:09:38:21] And finally, people are reviewing the latest thriller, out just in time for beach reading. This one is a big summer novel co-authored by James Patterson and former president Bill Clinton. It's called "The President is Missing", and it's all about international cyberattacks and so forth. We haven't read it yet, because we haven't gone on vacation yet, but our editor swears that if the suits hire him an assistant he'll schlep a copy with him the next time he goes to North Point State Park in Edgemere, his favorite relaxation spot, and then he'll tell us all about it.

Dave Bittner: [00:09:54:05] As far as we can tell from reviews in Ars Technica, the Atlantic and Errata Security, the book deals with the harum scarum adventures of a US president, former governor of a southern state, Jon Duncan by name but Mary Sue by inspiration, who disappears to fight Bosnian terrorists who've installed a wiper malware called "Dark Age" in every computer in the US. Dark Age is President Mary Sue's McGuffin. Anyhoo, apparently, after a lot of freelancing gun-play organized from the prexy's unacknowledged and off-the-books safe house somewhere in Virginia, the President defeats the terrorists and then delivers a speech to a joint session of Congress to celebrate the nation's deliverance and also offer his thoughts on gun control and the minimum wage. So we'll let you know what we think, but if that ain't policy, we don't know Arkansas.

Dave Bittner: [00:11:08:06] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security at, and we thank VMware for sponsoring our show.

Dave Bittner: [00:12:08:23] And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs, and she's also a New America Cybersecurity Fellow. Malek, welcome back. You know, I have a lot of interest in my voice, it's how I make a living, and you're going to share some research today about people using the forgery of voices and the security implications that might come with that.

Malek Ben Salem: [00:12:33:12] It's really concerning. With the wide use of digital assistants, we are relying on our voice to interact with digital systems like Apple's Siri, Microsoft's Cortana and Amazon's Alexa and, with that voice, a lot of companies now are considering offering their own services through those digital assistants. For instance, a bank may offer a service where you can access your banking account by talking to Alexa, which can then talk to your banking account. So what that means is that they have to build in voice authentication using those digital assistants. The problem is, because our voices are now out there, especially your voice - anybody can get access to it, right?. With some new development by start-ups like Voice RE and Lyrebird, which have developed some software to actually synthesize your own voice by giving it a sample of your voice - like a one minute sample of your recording and some sample text - they're able to synthesize and create an audio file reading that text with your own voice.

Malek Ben Salem: [00:13:37:07] So that creates several security problems, right? If we're relying on our voice to authenticate, to access certain accounts, and now that voice can be forged, then there is a huge risk to accessing those services. The risk is even bigger if we know that companies like Apple, Google and Microsoft are recording voices from hundreds of millions of people and they're storing them for one year, 18 months, et cetera. So any breach to that type of data would give the attackers an opportunity to impersonate hundreds of millions of people.

Malek Ben Salem: [00:14:42:16] Obviously, there are other attacks that would result from this type of software that can forge voices and, by the way, the companies that created this software had the best intentions in mind. They created the software so that they can help people who have lost their voice recover it; create software for those people that can let them interact with their environment. But this type of software can be misused.

Malek Ben Salem: [00:15:09:03] Another type of attack is exactly spear phishing. We're used to spear phishing through email, but now this would make spear phishing through voicemail very believable and people may fall for it. Another attack is disinformation and blackmail. Malicious actors could also fool a large group of people with this technology by generating fake audio or video that can be used as blackmail for famous people, celebrities or world leaders.

Malek Ben Salem: [00:15:42:23] One could think of solutions where honest audio or video creators could embed a digital watermark into the media that they create, but that's no guarantee that everyone will follow the same rules. Also, it's hard to independently tell whether a video or audio recording has been falsified. So, we'll have to basically rely on user awareness to counter this type of attack, especially because it takes a long time to detect forgery, and fabricating statements by world leaders, for example, or publishing fake videos would create problems much, much faster than those audios or videos could be debunked. So, again, we'll have to rely on user awareness to counter this type of attack.

Dave Bittner: [00:16:34:23] It's an interesting thing - who becomes our trusted sources? It seems like that could be an ongoing challenge as we head forward. Malek Ben Salem, thank you for joining us.

Malek Ben Salem: [00:16:44:17] Thank you, Dave.

Dave Bittner: [00:16:46:24] Just for fun, I spent about five minutes training one of the systems that Malek described, give it an idea of what my voice sounds like it. Here's what it spit out for me:

Digital Dave Bittner: [00:16:56:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 30th, 2018.

Dave Bittner: [00:17:04:09] So I guess that kind of sounds like me. I'm not going to be updating my resume anytime soon. Still, if there's one thing we can count on, this stuff is going to get better.

Dave Bittner: [00:17:19:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:17:38:14] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:17:48:03] Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called "Security Ha!" I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:18:16:17] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.