The CyberWire Daily Podcast 6.25.18
Ep 627 | 6.25.18

Nation-state cyberespionage and cybercrime. Cryptocurrency fraud and theft give alt-coins a rocky ride. Sino-US trade conflict update. GDPR data extortion. Spammy protection racket.


Dave Bittner: [0:00:00] Just the other day, my 11-year-old son came to me and said, Daddy, it's summer vacation, and I would really like to be able to go to the neighborhood pool. Do you suppose you could buy me some sunscreen, so I won't burn in the hot summer sun? And I said, son, if enough people sign up to support the CyberWire at, we'll be able to buy you that sunscreen. I'm kidding, of course. I don't let him go to the neighborhood pool. We've got a hose -

Dave Bittner: [0:00:38] Taiwan receives the PLA's cyber attentions. A look at what the Lazarus group is up to. Cryptocurrency fraudsters are arrested as altcoin values have a rocky ride. Continuing U.S. hotwater for ZTE and Huawei. GDPR-themed data extortion. Business email compromise is up - so are ransomware attacks against U.S. city governments. And when is a ransomware attack not a ransomware attack? When it's just a protection racket.

Dave Bittner: [0:01:13] I've got a few notes to share from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the U.K., North America and elsewhere. Did you ever wonder how they get in? Sure, there's phishing and spearphishing - those can never be discounted. But here's a twist - Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear, commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fishnet could catch. Go to and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. I'm sure you'll find it interesting. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [0:02:14] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 25, 2018. An increase in cyber operations directed against Taiwan is observed as China's policy toward what it regards as a breakaway province hardens. Cyber operations from the mainland against the island nation haven't really abated ever. But the Financial Times is reporting an increase in their tempo, which it correlates with a starchier and more assertive regional policy from Beijing.

Dave Bittner: [0:02:51] AlienVault examines malicious documents used by North Korea's Lazarus group against South Korean targets. The documents are crafted as Hangul word processor files. Some of those AlienVault researchers have looked through are directed against participants in recent G-20 meetings. Others are connected with recent lootings of South Korean cryptocurrency exchanges.

Dave Bittner: [0:03:16] Police in Ukraine have arrested four young men on charges of running a fraudulent cryptocurrency exchange. Cryptocurrency mining and other forms of fraud exact a toll on altcoin values as the cryptocurrency markets continue to react to the recent wave of raids on exchanges.

Dave Bittner: [0:03:35] The extent to which the U.S. is offering ZTE any sort of lifeline seems likely to be much attenuated. Congress is on the warpath. Agencies are quietly advising companies to stop doing business with ZTE and Huawei. And the administration is working on a broad range of trade sanctions against Chinese tech firms and investment generally. The U.S. secretary of commerce, while pointing out dutifully that his department isn't really responsible for counterespionage, has agreed to a congressional request that commerce evaluate the espionage risk ZTE poses. He'll get back to Capitol Hill with a full report. And the administration seems to be taking China's ambitions for technological dominance as a serious competitive threat.

Dave Bittner: [0:04:20] The Treasury Department is working on a set of sanctions and restrictions designed to stem the outflow of usable U.S. technology to China. ZTE itself obviously doesn't think it's out of the woods. And like the panda bear, some of its employees will have to go to the woods to do their business. Gizmodo reports that the Chinese device manufacturer has suspended planned repairs to some of the urinals in its facilities because management is unsure of their access to U.S.-made plumbing fixtures. We think this must be in some fashion related to a brain drain. Flush your caches elsewhere, folks - or so the suits appear to be saying.

Dave Bittner: [0:05:01] GDPR implementation has inspired a wave of data extortion scams. The TAD group warns that one such crime wave is hitting companies in Bulgaria. The extortionists threaten not encryption but rather public release of personal data. The risk is exposure to potentially very heavy GDPR penalties. Business email compromise attacks appear to be rising - so too are ransomware attacks, especially against U.S. municipal governments. These enterprises are often poorly secured. And the lasting damage done to the city of Atlanta has put the fear of hackers into them.

Dave Bittner: [0:05:41] And finally everyone has seen some old-school scareware pop-ups, right? We hear from some friends that they used to encounter scareware when they visited adult-themed sites in the course of their research. The pop-up usually said something like, attention, attention, this is the Federal Bureau of the FBI. And we have detected you visiting illegal content on your computer. Pay your fine to us online, and your family need never know of your shame - plus also too you're infected with the virus or something as well - well, something like that. Or so we hear - never actually having visited a sleazy adult site ourselves.

Dave Bittner: [0:06:20] The important thing to understand about old-school scareware is that it's all bark and no bite. It wasn't really the FBI. No one was going to shame you in front of your family. And, no, your computer had not been infected by a virus or something else bad as if you'd caught some sort of virtual STD. Well, this latest scam is a little like that except there's no veneer of law enforcement. Instead, it's like an old-school protection racket right out of a movie about the mob. You know the scene - the poor but honest immigrant shopkeepers of a big city mom and pop, usually in New York or New Jersey. Well, they get a visit from the local mobsters. Mama and papa are told - usually in these words exactly - nice store you got here, shame if something happened to it.

Dave Bittner: [0:07:07] In this case, a collection of skids calling themselves the WannaCry hack team is spamming people with the subject line, Warning - WannaCrypt. For emphasis, they've equipped their subject line with an escort of exclamation points - three to the left and three to the right - as they march into your inbox. They haven't done anything to your data yet, they point out. But they could. And they will, too, if you don't pay them upfront. Why, why, they'll infect you with that WannaCry thing, mama - that thing you've been reading about, papa - unless you pay up. The choice is yours. Well, fortunately it's an easy choice, mom and pop. These clowns are no more involved with WannaCry than your Uncle Louie. So just mark the email as spam and delete it.

Dave Bittner: [0:07:55] The spammers haven't got any more malware than they've got game. So kids, if you're listening - and we know you are - here's a good deed you can do. When grandma or grandpa or both or even all four of them tell you in horror that they've been hit with that WannaCry thingamajig they read about in the paper, tell them you know all about it and that they can just delete the email and forget about it. They'd love you even more, if that were humanly possible, which, of course, it isn't.

Dave Bittner: [0:08:27] Now a few words about our sponsor Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company headquartered in Northern Virginia boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled veteran-owned small business, over 60 percent of Invictus' workforce is comprised of veterans.

Dave Bittner: [0:09:04] And it's not just in the government space. It delivers for commercial clients, too. An award-winning company recently named to 2018 Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus has also won the Most Valuable Industry Partner Award at the (ISC)2 15th annual Information Security Leadership Awards. So check them out at That's And we thank Invictus for sponsoring our show.

Dave Bittner: [0:09:47] And joining me once again is Johannes Ullrich. He is from the Internet Storm Center's "StormCast," the daily podcast from the SANS Institute. Johannes, welcome back. Cryptocoin miners are still out there doing their thing. And you make the point that they're starting to be more evasive.

Johannes Ullrich: [0:10:04] Yes. Cryptocoin miners, certainly, is of the No. 1 malware that's been seen out there and that's been installed on servers or cloud. Pretty much any vulnerability we are seeing these days is predominately being exploited to install cryptocoin miners. But the hackers have gotten better in hiding those cryptocoin miners. The first cryptocoin miners were very easy to spot. In some cases, they used so much CPU resources that it crashed some of the legitimate software that was running on the system. They also used connections to some very-easy-to-enumerate mining pools. Now, what you have seen more recently is that attackers take advantage of cryptocoin mining's parameters that allow them to limit how much CPU is being used. So they're just trying to use enough that it's still worthwhile cryptocoin mining but that it's less likely that the cryptocoin miner is being discovered.

Johannes Ullrich: [0:10:59] Secondly, the backhaul - they're actually sending data back to the mining pool - uses less and less the standard mining pools. But what these attackers do is they're essentially setting up (unintelligible) a proxy where the miner does connect to this proxy that's run by the attacker. So that's, you know, a little bit more difficult to enumerate because they keep changing all the time. They're not publicly advertised like standard mining pools. Also, now it's easier for the attacker to use things like TLS to encrypt the data. So this makes it a bit more difficult to really identify these infected systems.

Dave Bittner: [0:11:38] Now, other than, you know, listening for the fans to spin up on your computer, what can you do to detect these?

Johannes Ullrich: [0:11:45] Well, anti-malware, actually, still works pretty well. We always discount anti-malware as sort of, you know, catching yesterday's exploits. But the cryptocoin miners I've seen so far are pretty well-recognized. They're not going to be changing the code there much, so that certainly helps. And, you know, of course, good old software white listing, that will help because hopefully, you don't have any cryptocoin miners white listed in your network.

Dave Bittner: [0:12:11] Yeah. I've also seen a number of plug-ins available to look out for this - you know, Chrome plug-ins and things like that. Are those effective?

Johannes Ullrich: [0:12:18] They're effective. They sort of take a little bit of signature approach where you're looking for, like, the standard coin hive miners and the like. They work pretty well at this point. Now, there's some approaches that sort of just generically detect the use of crypto functions. Javascript has a very elaborate crypto library in its recent versions. But, of course, those crypto functions, they're sometimes used legitimately, too. So I wouldn't really go overboard here and just block all crypto in your browser.

Dave Bittner: [0:12:53] Good advice as always. Johannes Ullrich, thanks for joining us. And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at

Dave Bittner: [0:13:29] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [0:13:58] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.