Ukraine accuses Russia of preparing a cyber campaign. China eyes Tibetan diaspora. A decryptor for Thanatos ransomware. Nudging away from privacy. Dark web undercover.
Dave Bittner: [00:00:03] Ukraine warns that Russia is preparing a coordinated attack against Ukrainian financial and energy infrastructure. China appears to be stepping up surveillance of the Tibetan diaspora. Cisco's Talos unit has a free decryptor for Thanatos Ransomware. Facebook's self-audit of data usage proves both more difficult and more skeleton-rattling than hoped. Norwegian consumer watchdogs find that Facebook and Google nudge users away from privacy, and an altcoin sting against drug dealers.
Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:40] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 28, 2018.
Dave Bittner: [00:01:52] The head of Ukraine's national cyber police has warned that Russian operators are staging malware in Ukrainian enterprises presumably for a coordinated campaign at some later date. Ukrainian authorities have told Reuters and others that they've detected evidence that battlespace preparation is in progress against financial institutions and energy infrastructure. The operation, as it's understood so far, has proceeded in the following familiar stages. First, compromise of legitimate Ukrainian government email accounts. Second, phishing campaigns mounted against infrastructure targets using those compromised accounts. Third, installation of malicious payloads carried by the emails. The malware is believed to have established backdoors in banking and energy enterprises where it will presumably be held in reserve until the attackers decide to execute.
Dave Bittner: [00:02:46] The threat, should it materialize, is unlikely to be confined to Ukraine. NotPetya began with attacks on Ukrainian targets in June of last year and quickly spread worldwide. A number of Western companies were hit hard. FedEx, affected to a considerable extent through a recently acquired European subsidiary, recently pegged the costs of NotPetya at roughly $400 million.
Dave Bittner: [00:03:12] Today is Ukraine's Constitution Day, often mentioned as attractive to attackers wishing to draw maximal attention to their political point. Nothing, however, has been reported so far today. August 24, the country's independence day, is another date mentioned for potential attack timing. Russian authorities have issued routine denials of involvement in cyberattacks on Ukrainian targets. To be sure, the Ukrainian government is disposed for many reasons to think the worst of Russia and her intentions. But the Ukrainian government is by no means alone in this respect. Much of the rest of the world regards Ukraine as a kind of proving ground for Russian cyberattack tools.
Dave Bittner: [00:03:53] The Russian record of hitting portions of the Ukrainian power grid to induce electrical outages is particularly worrisome, especially given the interest Russian operators have shown in other countries' power grids. So, as we said, Moscow says they didn't do nothing. And Ukraine says, well, you're about to. If nothing pops today, put a circle on your calendar around August 24. But when you do so, remember that public holidays are nothing more than convenient indicators. More to the point, keep an eye out for phishing.
Dave Bittner: [00:04:29] Open-source software is a valuable resource for software developers and security professionals, and the recent purchase of GitHub by Microsoft raised a few eyebrows and brought attention to the open-source community. Jaime Blasco is chief scientist at AlienVault, and he offers his perspective on open-source software for security.
Jaime Blasco: [00:04:48] I think it's a double-edged sword, right? I mean, on one hand, you need to be careful, you know, which tools you are using, especially if they are open-source and whether or not those tools are properly, you know, secured, audited and, you know, people are putting enough resources into securing and auditing the source code.
Jaime Blasco: [00:05:10] When it comes to, you know, the most popular open-source projects, that's usually not an issue. And actually, it's an advantage, you know, that the source code is publicly available because you have all these developers, all these security researchers looking at the code and, you know, submitting bugs and improvements whenever they find them.
Dave Bittner: [00:05:31] Now, when it comes to using open-source tools, do you find - are there some misperceptions out there? Do some people resist using them maybe for the wrong reasons?
Jaime Blasco: [00:05:41] I think it used to be an issue. I don't see this being an issue anymore. And I think, you know, like, last week or a couple of weeks ago when Microsoft bought GitHub, I think that was the confirmation that, you know, open-source is the future. And we are seeing these, you know, companies such as Microsoft - and 10, 15 years ago, it was unbelievable that they will contribute to open-source communities. They're actually one of the biggest contributors right now to some of the biggest open-source projects out there.
Jaime Blasco: [00:06:13] So I think people are not as scared of these tools anymore. They have become an instrumental part of any organization nowadays.
Dave Bittner: [00:06:21] Can you - describe to us the security advantages. You touched on it earlier about having so many eyes on the code. Can you describe to us so why - what's the advantage there?
Jaime Blasco: [00:06:31] So yeah, besides having many people being able to audit and find vulnerabilities in those tools, the other advantage is also how fast, you know, patches can be created and released compared to some traditional, you know, enterprise vendors. Like, sometimes, you will have to wait weeks or months until your vendor will make patches available. With open-source tools, if there is a high critical vulnerability, many times, you have many people creating patches for those vulnerabilities even before the official patch is available. So you have an option to, you know, make that piece of software more secure even before, you know, you can use the official packaging system or whatever method to patch your systems you are using.
Jaime Blasco: [00:07:19] I think cybersecurity is actually one of the big examples in terms of using open-source tools. Many times, enterprises, they have this dilemma where, you know, it's buy versus build. And, you know, I think open source is helping sometimes in terms of, you know, filling those gaps where you don't have to spend millions of dollars anymore in one specific tool. But you can go to the open-source community and find something that can satisfy your needs. And I think, you know, in cybersecurity, it has been one of the first industries to adopt, like, open-source tools in a broader context. Like, you know, I remember 10 years ago, you would have projects such as Snort and OSSIM and Suricata, OpenBAS, even Nessus before it became proprietary. But, you know, there were many, many tools that people were actively using on an enterprise context.
Dave Bittner: [00:08:13] So what are your recommendations for people who want to start using open-source tools, want to integrate them into how they approach security?
Jaime Blasco: [00:08:24] I would recommend, you know, go talk to your peers and, you know, talk to other companies that are in a similar situation that maybe they have already, you know, implemented some of these tools. Nowadays there are forums, even GitHub or, you know, Slack channels where you can go and talk to other users and try to get, you know, a perspective of, you know, how difficult the implementation is going to be and if there is any, you know, tricks and things you can use before you decide to implement that - or even replace some of the enterprise tools that you may have.
Dave Bittner: [00:08:57] That's Jaime Blasco from AlienVault. Cyber espionage campaigns apparently staged by and from China have been targeting Tibetans resident in India. The campaign seems connected with longstanding Chinese domestic surveillance of ethnic populations whose loyalty and adherence to Beijing have been suspect. Bravo, Talos. Cisco's research unit has released a free decryptor for Thanatos ransomware. Thanatos gained itself a degree of notice by its acceptance of ransom payments in a range of cryptocurrencies and not just in the extortionists' favorite, Bitcoin. The crooks will take payment in Bitcoin cash, Zcash, Ethereum and a few others as well. To add insult to injury, the Thanatos masters have shown themselves to be either incapable of or, more probably, just not interested in actually decrypting their victims' files upon payment of ransom.
Dave Bittner: [00:09:55] But Cisco's Talos Group has exploited what they call weaknesses in the design of the file encryption methodology to build their own decryptor, which they say can recover a decryption key in 14 minutes or less. The Norwegian Consumer Council, sounding a bit like a Freakonomics type interested in getting the right kind of nudges out there, complains that Facebook and, for that matter, Google are nudging toward all the wrong places privacy-wise. The NCC says their services exhibit dark patterns, default anti-privacy settings, confusing layouts, the illusion of choice and various design choices that offer positioning, visual cues and so forth tending to push people into more self-revelation than is probably good for them.
Dave Bittner: [00:10:42] As they put it in their study, quote, "Facebook and Google have privacy-intrusive defaults where users who want the privacy-friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy-intrusive option was pre-selected," end quote. So the moral for users would appear to be the usual one - take the trouble to be an informed consumer, especially when you're consuming a free service offered by a company that realizes a significant fraction of its revenue from marketing.
Dave Bittner: [00:11:15] Finally, a multi-agency law enforcement operation in the U.S. has taken down a number of alleged dark web contraband dealers - for the most part, drug traffickers. The action involved the Department of Justice, Homeland Security Investigations, the U.S. Secret Service, the U.S. Postal Inspection Service and the Drug Enforcement Administration. Authorities are tight-lipped about details. But apparently, government agents posed as cryptocurrency money launderers to roll up the suspects. Turning cryptocurrencies into more conventional and more easily negotiable government fiat money is a bottleneck for dark web black marketeers.
Dave Bittner: [00:11:53] Agents of Immigration and Customs Enforcement's Homeland Security Investigations posed in the dark web as brokers willing and able to do just that. And many drug dealers were ensnared. If you're trying to launder money or convert altcoins to euros, dollars, shekels or pezuzas (ph), well, think twice. Those helpful bankers may not be what they appear to be. It's a sad day when you can't trust the people you meet through a Tor node.
Dave Bittner: [00:12:25] Now a few words about our sponsor Invictus. We've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company headquartered in Northern Virginia boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled, veteran-owned small business, over 60 percent of Invictus' workforce is comprised of veterans. And it's not just in the government space. It delivers for commercial clients, too. An award-winning company recently named to the 2018 Cybersecurity 500 list as one of the world's hottest and most innovative cybersecurity companies, Invictus has also won the most valuable industry partner award at the (ISC)2 15th annual Information Security Leadership Awards. So check them out at invictusic.com. That's invictusic.com. And we thank Invictus for sponsoring our show.
Dave Bittner: [00:13:44] And I'm pleased to welcome to the show Mike Benjamin. He's the senior director of threat research at CenturyLink. Michael, welcome to the show. You know, I have certainly heard of malware, and I've certainly heard of spam. But you brought something to my attention called Malspam. Is this the best of both worlds? Is this the worst of both worlds? Fill us in. What are we talking about here?
Mike Benjamin: [00:14:05] Well, I'd say it's the best and the worst depending on how you look at it. So you know, Malspam is not a new topic or concept. But we have found, as we've been working on the topic lately, that when we say, we're working on spam to the broader security community, we actually get a lot of folks just assuming we're filtering pharmaceutical ads or dating ads. And what we're really trying to look at is the malicious email people are getting. And so we call - you know, describe it as Malspam. And we would describe it ultimately as email you're going to get that aims to do something malicious. Now, in some cases, dating spam is Malspam because ultimately they want to steal your credit card number at the end of it. And in other cases, pump-and-dump scams are pumped through these things with, again, trying to ultimately steal money from people. But at its core, we're looking for the malware delivery. And so Malspam is one of the primary vehicles of infection these days.
Mike Benjamin: [00:15:03] We saw a couple years ago the exploit kit being popular with criminal actors. And there were enough browser exploits - enough Java bugs, enough Flash bugs - that that was a great delivery mechanism for them. They could get you to click on a URL. They could inject malice into advertising and ultimately infect people through that method. Fast-forward a few years - a lot of browsers have cleaned up their problems. A lot of people have patched. There's less volume of bugs coming out. And we've put ourselves back into the position where opening a file in an email is a really effective way to infect someone. And so the old tried-and-true zip file - the file that is not what it claims to be. It claims to be a text file. It's really an executable - things like that are of course popular. But we've also seen the macro still be a popular way to infect people - so an office document with macros that dropped some sort of lightweight dropper into the operating system and then download the final payload. And so that dropper is relatively light and small. It's not a full binary executable. And then whatever it is that their final outcome that they're looking to achieve is downloaded into the machine.
Dave Bittner: [00:16:16] Now, in terms of the distribution of these things and tracking these botnets, what are you seeing?
Mike Benjamin: [00:16:22] The criminal space around Malspam is reasonably sophisticated. If you think back to the spam problems that arose in the late '90s and then became really rampant in the early 2000s, they were forced to evolve. And so the security world - the internet world, for that matter - did a relatively good job hunting down and shutting down spammers in that era. People were successfully prosecuted in courts. Laws were passed. And those are things that helped the world mature around how to deal with spam. And so as you might expect, the successful criminal actors that remain, they've evolved since then. And so you see sort of a marketplace around what they're doing. The folks who are running the spam botnets are very rarely - at least at any size and scale - the folks who are actually trying to infect you. They are being hired by the people who are trying to infect you. And the folks who are after bank account information or installing crypto miners, they're paying the botnet operators for successful installs or volume of delivery or whatever the mechanism is.
Mike Benjamin: [00:17:29] So it is very interesting to watch. And as such, what you see from the botnets is a similar level of sophistication. They're not a single command and control in a single place that's easy to remove and take down. They've evolved. They've seen law enforcement take their botnets in the past. And so now of course, they evolved to the domain generation algorithm, or DGA, where an algorithm tells it what the next DNS hostname to resolve is. That's one of the more simple items that they've implemented. But there's a lot of redundancy - a lot of levels to the command and control. In many cases, we see peer-to-peer being used in conjunction with it. And in almost all cases, the larger and more successful Malspam botnets are in a position where they're using three or four of these types of techniques in order to stay up and avoid being broken by - whether it be law enforcement or the security community.
Dave Bittner: [00:18:24] All right. Mike Benjamin, thanks for joining us.
Dave Bittner: [00:18:31] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:18:50] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:59] Don't forget to check out "The Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.