The CyberWire Daily Podcast 7.18.18
Ep 643 | 7.18.18

Magnibur ransomware spreads. LabCorp discloses suspicious incident on its networks. Spectre, Meltdown notes. Oracle patches. Helsinki summit backing and filling and backing.


Dave Bittner: [00:00:00] Hey, everybody, before we start today's show, I've got a special bit of information to share. You've heard me talk about our Women in Cyber Security event coming up this fall at the new Spy Museum in Washington, D.C. For that event, we partner with Maryland Art Place to commission a custom work of art for the event from a female visual artist in the greater Baltimore area. You can find out more about this opportunity by visiting the Maryland Art Place website at and look in the opportunities section. Our call for entry is titled "Creating Connections." Check it out. That's And thanks.

Dave Bittner: [00:00:41] Magnibur ransomware spreads. Labcorp discloses suspicious activity on its networks. The Pentagon will add cybersecurity checks to its test and evaluation process. Siemens updates customers on Spectre and Meltdown. Oracle's quarterly patch bulletin is out. There's fallout clarifications and more fallout from the Helsinki summit. And U.S. agencies continue preparations to secure elections and infrastructure.

Dave Bittner: [00:01:15] And now a word from our sponsor ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks, and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron, or Egon from "Ghostbusters," you're a pretty righteous dude. Visit and take that quiz today. That's And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 18, 2018. Magnibur ransomware, which has for some time been endemic in South Korea, has spread in new variants to other East Asian linguistic communities. Chinese-speaking users in Macau, Singapore and Malaysia are held to be newly targeted by the criminal campaign.

Dave Bittner: [00:03:06] U.S. medical diagnostics provider LabCorp has sustained a potential data breach that could expose the medical records of millions of patients. LabCorp, the largest company of its kind in the United States, disclosed the breach to the Securities and Exchange Commission in a Form 8-K dated this Monday. The company said in its filing that it detected suspicious activity on its network over this past weekend, responded by taking some systems offline in accordance with its comprehensive response. They do warn that some customers may experience brief delays in receiving their results while LabCorp completes remediation. The company said that, quote, "at this time there is no evidence of unauthorized transfer or misuse of data," end quote. The concern obviously is that sensitive records may have been lost. LabCorp subsidiary Coverage Drug Development (ph) was unaffected by the incident.

Dave Bittner: [00:04:02] When these kinds of breaches occur, the data often ends up on the dark web. But what does that really mean, and how do you protect your organization against it? Jonathan Couch is senior vice president of strategy at Threat Quotient, and he helps bring us up to speed.

Jonathan Couch: [00:04:17] I think there's a lot of misperceptions about what it really is. Out there on the internet you have the regular internet that most people interact with, and those are the sites that - you can go to Google, you can do searches, and it'll point you to Wikipedia or news sites or whatever it happens to be. Then there are those websites that are unindexed. And by unindexed, what I mean is that Google will not crawl those sites to find out information. So corporate intranets are an example of that or private companies or subscription services, things that are behind some sort of authentication that - Google will not scrape those sites, and you won't be able to find them through regular web searches. And that's what's called typically the deep web. The dark web is kind of its own special little place. That not only is unindexed, but typically you require special software in order to access those websites.

Jonathan Couch: [00:05:11] So, you know, The Onion Router, what's known as Tor, is the most popular way to get into those websites. And what that does is it provides you an encryption mechanism to provide anonymous web browsing so that using a Tor client I can go out and I can visit websites, but those websites don't know who I am. They don't know where I came from or where I'm making the requests. And so, you know, this whole concept of the dark web was really to provide anonymity around web surfing. And it has grown to really be a haven for cybercrime and cybercriminals. And so what you find on the dark web are a lot of websites that are selling wares that are illegal to be sold elsewhere because they have this anonymity. It's very difficult to figure out, you know, where these websites are actually located, who's hosting them, the people behind it and the infrastructure that surrounds it.

Dave Bittner: [00:06:08] So why should it be important to people looking to defend their organizations? What's the concern there?

Jonathan Couch: [00:06:16] So the concern is really being able to find out what the threats do. You know, if you want to know what your adversary knows, if you want - as an organization, if I'm holding a lot of information - if I have a lot of credit card numbers that my organization relies on in order to protect and make money off of, I want to be able to see, do criminals have my credit card numbers? Are they reselling them on the underground? If I am operating a certain kind of database, if there are tools that kind of - that exploit that database, that can break in and steal information from that database, I want to know about the existence of those tools and how they're being utilized.

Jonathan Couch: [00:06:54] And the dark web is kind of that marketplace. It's that black market that people can go and be able to sell those kinds of capabilities but also sell that information and data. It's not a kind of place where you just want to go and interact and that your organization may want to have direct contact with. A lot of times you want to interact more with third-party organizations, experts that live and operate within the dark web day in and day out so that you can now leverage their expertise and their knowledge to provide you that intelligence, to provide you that information of here is what we found. And you as an organization can then focus in - rather than putting your resources and your people and technology toward going out there and trying to set up this infrastructure and collect and monitor the dark web, you can now just take the information coming from these third-party providers and be able to take a look at it and say, all right, what applies to me? What am I interested in? And so it really saves you time, efficiency and resources from being able - to have to go out there and do it yourself.

Dave Bittner: [00:07:54] That's Jonathan Couch from Threat Quotient.

Dave Bittner: [00:07:58] The U.S. Department of Defense intends to add cybersecurity checks to the test and evaluation phases of its acquisition cycle. It intends to conduct more of its own testing and will not rely upon contractor certification that their systems are secure against cyberattack.

Dave Bittner: [00:08:15] Siemens has updated its security guidance on the Spectre and Meltdown chipset vulnerabilities, warning of new variants and promising software and firmware updates to address them. Users of Siemens products have been asked to stay alert for coming fixes and to apply them promptly.

Dave Bittner: [00:08:32] Oracle's quarterly patch update was released yesterday. It addresses 334 vulnerabilities, which the SANS Institute calls a record. Vulnerabilities in WebLogic, Oracle Spatial and Oracle Fusion Middleware MapViewer are rated as particularly significant. Attacks on WebLogic servers have figured in cryptojacking campaigns over the past year, and such attacks are expected to continue against unprotected systems.

Dave Bittner: [00:09:01] At a midafternoon press conference yesterday, U.S. President Trump walked back remarks he made at the conclusion of his summit with Russian President Putin which gave the impression that he accepted Mr. Putin's word over that of U.S. intelligence services, apparently agreeing that Russia had not attempted to influence U.S. elections. Mr. Trump's remarks in Helsinki were roundly criticized from all political sides. The president said that he either misspoke or was misheard, and that he believes what the U.S. intelligence community has concluded about Russian influence operations. The U.S. intelligence community, including its current leadership appointed under this president, has reiterated that it stands by its assessment.

Dave Bittner: [00:09:44] Mr. Putin did a bit of woofing about conducting a joint Russo-American investigation into the Russian influence operations he insists didn't happen. Again, essentially nobody thinks this is a particularly promising idea. It's a familiar gambit in Russian information operations - deny involvement, offer to cooperate in a joint investigation and then use the veneer of legitimacy the joint investigation confers to cover over what would otherwise be a bald and unconvincing denial.

Dave Bittner: [00:10:15] Similar misdirection has been seen recently in Russian insistence on participating in an international investigation of the nerve agent attacks in the United Kingdom. There is or was a 1999 treaty under which the U.S. and Russian Federation agreed to joint investigation of certain crimes, but observers have called that agreement a dead letter. And Sean Sullivan of security firm F-Secure told The Register, quote, "that sort of thing halted years ago after the FBI found that the Russians were recruiting rather than arresting and investigating the criminal leads forwarded to the FSB," quote. So while there's undoubtedly some scope for international cooperation in cyberspace, this wouldn't appear to be one of them. Consensus is that the U.S. would have much to lose and nothing to gain.

Dave Bittner: [00:11:05] Many investigators and media outlets are reviewing the course the Russian information operations took during the last election. Spear-phishing against poorly protected networks is generally thought to have been the principal means by which discreditable emails were obtained and made public. The public leaks were generally achieved through various false personae and distributed through trolling social media accounts and similar channels. There will certainly be additional U.S. measures taken to protect elections and infrastructure from cyberattack. NSA and U.S. Cyber Command were last week directed by their head, Gen. Paul Nakasone, to coordinate actions to counter Russian attempts to interfere with midterm elections, this lying within the organizations' authorities.

Dave Bittner: [00:11:49] Other agencies, including the CIA, the Department of Homeland Security and the FBI are, according to The Washington Post, taking similar steps. A National Security Council spokesman told the Post under conditions of anonymity that, quote, "the NSC has regular and continuous meetings to coordinate a whole-of-government approach to foreign malign influence and election security. There continue to be briefings with the president, engagements at all levels of government and coordination with state and local governments," end quote.

Dave Bittner: [00:12:22] There will no doubt be more backing and filling, clarification and so on in the days to come. For example, President Trump earlier this afternoon was asked by a pool reporter at a Cabinet meeting whether Russia was still targeting the U.S. Trump's response was no. It's been widely and promptly noted that Director of National Intelligence Coats said as recently as Friday that the warning lights were flashing red with respect to the threat of Russian cyberattack.

Dave Bittner: [00:12:52] Finally, in another clarification, Slate retracts a story about a Verizon data breach the online publication ran early this week. Their report mistook an old story for a new one, mistaking a disputed account of a third-party breach from July 2017 for a newly breaking incident. Well, Slate said, we goofed. And, no, Verizon wasn't breached.

Dave Bittner: [00:13:20] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on “A Comprehensive Approach to Security Across the Digital Workspace” will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:21] Joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You all recently published some information about Electrum. Take us through what you all found.

Robert M Lee: [00:14:31] Yeah, absolutely. So Electrum is the activity group - the threat associated with the CrashOverride malware that was deployed against the Ukrainian - Kiev substation in 2016. So it was the first piece of malware specifically designed to disrupt electric power. And what was interesting to me about this case besides, you know, sort of the significance of it and diving into the capability and understanding all the things that it did - but what was interesting is the group is so active. So this activity group, if you will, is still going out and targeting other locations. We haven't seen any attacks to follow. We haven't seen, you know, sort of prepositioning of CrashOverride-like capability. But we've seen them absolutely target and breach other providers, other electric providers outside of Ukraine, including some water sites as well.

Robert M Lee: [00:15:23] And I think this is, you know, a reoccurring, continuing lesson in the community that it is a natural tendency of defenders to think about a big report getting disclosed or a big attack happening. And the intel report comes out, and we sort of have this idea that and we're done. Well, we know now. You know, the report's published. We're finished. And that's not the case. And these adversaries still obviously stay active, find that report publishing is not necessarily even deterring to them of course. But it's just the start of getting the message out to people to take a look for this.

Robert M Lee: [00:15:58] And what I really like about industrial control, specifically in these type of threats that we track here, is it highlights that just focusing on things like technical indicators are not going to be sufficient. The Electrum targeting of one power site versus another and the capability they ultimately deploy for the specific industrial controls in that site are going to be pretty specific to the sites. There's going to be a lot of changes. And if we're just tracking IP addresses and hashes and things like that, it's not going to be sufficient.

Robert M Lee: [00:16:30] But when we track this higher-level analysis, like Electrum as this activity group, we instead track their behaviors and their tradecraft, their methods and the styles and patterns of infrastructure choices and styles and patterns of (unintelligible). And we move from the technical to the tradecraft. That's where we can absolutely make this scalable in terms of detection and focus and insight. And that's pretty empowering as a defender.

Dave Bittner: [00:16:57] Now, is it that tradecraft or that - is that one of the elements that allows you to track them to know that you're dealing with the same group?

Robert M Lee: [00:17:04] Absolutely. So every time an adversary does something, they generally leave kind of a human fingerprint behind - you know, the way they do it, the way they configure their malware, the way they develop capabilities, the way they choose infrastructure. You know, it's like if I were to go through and make a persona and start registering domains. Maybe the way that I register the domains or the type of WHOIS information that I put in it - maybe that would have a pattern. And I would position that it likely does 'cause humans are creatures of patterns. And effectively, you do try to follow those patterns in tradecraft and look for largely those methods versus just technical components that are much easier to change.

Dave Bittner: [00:17:49] Now, in terms of misdirection when folks are intentionally trying to throw you off the path, have we reached a point where misdirection can usually be spotted? Is it obvious, or is it still a tricky thing?

Robert M Lee: [00:18:06] Yeah. So misdirection and then sort of its sister discussion of, like, false flags, they're absolutely a tricky thing. But they're a much more tricky thing for attribution than they are defense. If I really want to know who did the attack, then I very much have to factor in the idea that there might be some misdirection or even a false-flag nature to this.

Robert M Lee: [00:18:26] If I'm trying to defend against the attack, if they use a hundred percent overlap with tradecraft and a hundred percent overlap with methods, you know, do everything that would really make it seem like it's misdirection or a false flag, it still doesn't matter 'cause they still did the attack. And they're still using the methods and tradecraft I'm tracking. And I'm still doing defense. So the how versus the who changes the difficulty of the questions we're asking. In this case, false flag operations from a defense perspective are no different. It is only in the who that that begins to really matter.

Dave Bittner: [00:19:01] Robert M. Lee, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:19:16] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:43] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.