The CyberWire Daily Podcast 8.9.18
Ep 659 | 8.9.18

State-sponsored ransomware campaigns coming? DarkHydrus and Phishery. Hitting ATMs for alt-coin. US sanctions Russia. IBM looks at artificially intelligent malware. Black Hat notes.


Dave Bittner: [00:00:03] Tehran seems ready to follow Pyongyang into state-sponsored theft to redress financial shortfalls. DarkHydrus uses commodity tool Phishery in a Middle Eastern campaign. Jackpotting cryptocurrency ATMs. The U.S. imposes sanctions on Russia. Reality Winner's sentencing date's been announced. IBM looks at artificially intelligent malware. The mob's role in the cyber black market according to Oxford. And what's the bigger gaming threat, sideloading apps or the Fortnite dance? We're asking for a friend.

Dave Bittner: [00:00:41] Time for a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you will save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk, and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyberthreat defense and the confidence to make strategic business decisions. And if you're in Vegas for Black Hat this week, stop by ThreatConnect's booth, No. 1414, to get a demo and see the platform in action. And you can always learn more and get a free ThreatConnect account at And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:51] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:55] From the Black Hat conference in sunny Las Vegas, where if you can't stand the heat, get out of the desert, I'm Dave Bittner with your CyberWire summary for Thursday, Aug. 9, 2018. As sanctions reimposed in response to its nuclear program begin to bite, Iran seems poised to follow the trail North Korea blazed in cyberspace - state-directed hacking that aims at direct theft to redress economic pain. Accenture researchers have been tracking ransomware strains, many of them requiring payment in bitcoin or other cryptocurrencies, and they've concluded that they represent an incipient Iranian campaign against targets of opportunity that offer the prospect of quick financial gain. Tehran's state-directed hackers have a reputation as being relatively less sophisticated than those run by Russia and China and, indeed, those run by major Western powers, the Five Eyes and their closest friends, but they also have a reputation as determined fast learners.

Dave Bittner: [00:02:55] Palo Alto Networks' Unit 42 describes a phishing campaign by unattributed threat actor DarkHydrus that's prospecting Middle Eastern governments. Unit 42 has observed them using the open-source tool Phishery in a credential-harvesting campaign directed against a university.

Dave Bittner: [00:03:14] A ZDNet report on one aspect of the criminal-to-criminal market suggests that one particular commodity is especially lucrative - malware designed to steal cryptocurrency from ATMs that deal in the altcoins is pricey. It commands fees as high as $25,000 a pop, which suggests that the black market is betting on a continuing growth in popularity for cryptocurrencies.

Dave Bittner: [00:03:40] In a move applauded in the U.K., the U.S. has announced imposition of very heavy sanctions against Russia over Moscow's nerve agent attack in Salisbury, England. Other sanctions for Russian misbehavior in cyberspace have also been imposed. The Washington Post sniffs that these cyberattack sanctions are toothless, but the measures the U.S. is taking in response to the Novichok attack appear to be severe and have been recognized as such by the Russian government. The Kremlin swiftly denounced the Novichok sanctions as not only illegal, but unfriendly.

Dave Bittner: [00:04:15] Reality Winner, the ex-U.S. Air Force, ex-NSA ex-contractor, who pled guilty to charges connected with leaking classified information to The Intercept, will be sentenced on August 2013. Ms. Winner was caught when the outlet she offered the document - the Intercept - sought to confirm its authenticity with the U.S. government. U.S. counterintelligence officers were able to use dots on the printed copy to identify the specific printer on which the document had been run. From there, it was possible to narrow the list of potential suspects to a small number of users of that particular printer, and then the access and printing were swiftly traced to Ms. Winner's account.

Dave Bittner: [00:04:56] IBM is describing their work on DeepLocker and what it has to say about potential exploitation of artificial intelligence by criminals and other threat actors. Among the more interesting implications of their work are conclusions about AI's utility in attack. It shows considerable promise in making malware more evasive. As so often happens with evasive malware, this approach lets the attack remain quiet until it confirms it's in the right environment, not just outside a sandbox, but in the enterprise it was intended to target. Not only does it make attack code better at detecting and evading such useful security techniques as sandboxing, but according to IBM, it can make reverse-engineering malware impossible.

Dave Bittner: [00:05:40] A presentation of results obtained by the University of Oxford's Human Cybercriminal Project took a look at the place of the mafia in the cybercriminal ecosystem. The mob is there, but it's not dominant. What the mob does know and what it contributes to the cyber underworld is expertise in money laundering.

Dave Bittner: [00:05:59] Black Hat, DEF CON and BSides aren't the only games in town this week in Las Vegas. There's a tower suite at Caesars Palace that's filled to capacity with a diverse group of people who've come together to celebrate an event they call The Diana Initiative. Cheryl Biswas is one of the co-founders of The Diana Initiative, and she shares their story.

Cheryl Biswas: [00:06:20] We started out of an event that was before this. Last year, we reformed as The Diana Initiative, and our mandate was to support and encourage diversity and women in security and technology. The name Diana Initiative came because we had all seen the "Wonder Woman" movie, and we were really mobilized. We loved the concept of a kick-ass heroine because that is how we felt trying to pull this together, and we realized there were a lot of other famous Dianas who represented strength, creativity, all of the things that we embody here, that sense of empowerment.

Dave Bittner: [00:07:01] So give me a sense of what's going on here. You've got multiple rooms. You've got multiple events and speakers. So what's the program here?

Cheryl Biswas: [00:07:09] So the program is about, first and foremost, giving people the opportunity to connect and have conversations and get to know each other, to nurture and grow relationships where they can hopefully build their careers off of. We're offering two speaking tracks this year. Last year, we had one. There was such a demand. People wanted to show what they know. We brought on a technical track. So we're featuring technical as well as nontechnical tracks, and we have got an amazing roster of speakers. These are people who have spoken at Black Hat, at DEF CON, at BSides. And as well, we're encouraging first-timers because it's a smaller, more intimate gathering, so they feel safer. They get the opportunity to present.

Cheryl Biswas: [00:07:53] In addition to that, we had a huge success with our lockpick workshop from last year, so we're featuring that again. And it's another chill space where people learn really cool things. And they have offered a lock-repinning workshop this year, which is just in - it was a sign-up event, but it's a very cool thing to learn. We're featuring a resume and careers workshop for both days where you can actually sit down and talk to somebody about what you'd like to do, to do a mock interview, perhaps, to get your resume assessed and reviewed. And we want people to have the opportunity to go into a career that they love, that they may have not even realized - but to give them that leg up.

Cheryl Biswas: [00:08:37] And in addition to that, we're going to have a couple of social events. On Thursday night, tonight, we're going to have a mixer, and it's going to be our quiet party - games, trivia contests. It's a lot of fun, and, again, it brings people together in a quieter, safe, welcoming space. Tomorrow night's Friday. That's our loud party. So that pretty much sums it up there.

Dave Bittner: [00:08:59] Now, you've mentioned a couple of times the importance of having a safe space. Something I hear, particularly when I talk to women, about the conventions is that they're not always safe; they're not always welcoming. So can you describe to me the importance of providing this place off to the side where people can be themselves and ask questions, learn things?

Cheryl Biswas: [00:09:18] Yeah. Definitely. For us, we wanted to offer an oasis. That's how it felt to us. That's how it has felt to our attendees. You can come here. You can hear yourself think. You know that people are going to be respectful. You're recognized. You're welcomed - because it is overwhelming to have 20,000 people circulating. I mean, I love it, but even I can find that overwhelming. So up here, you are in a space where you get to have the benefit of a learning environment and a con feel without an overwhelming number of people to contend with. And we really are about our code of conduct. It's about respect, and it's about safety. If we understand the rules of play here, all of us benefit. And we have been very careful to communicate that and make that available to all of our congoers.

Dave Bittner: [00:10:12] And what's the reaction been from the larger community as a whole - the infosec community, the cybersecurity community? Are they supporting your efforts?

Cheryl Biswas: [00:10:20] We are so overwhelmed and grateful. Yes, the support has been amazing. People really want us to be here. They love what we're offering. They're showing their support in all manner of ways. We've had people come and give everything that you could think of. We have manpower and womenpower (ph) and supplies and the - just contributing to the cost of running an event. We couldn't do it without them. Yes. We are so grateful. The support's overwhelming.

Cheryl Biswas: [00:10:49] We are an incredible and an extraordinary community. We are focused on learning, so mentoring each other, nurturing each other and growing each other up is a big part of why we get together at these kinds of events. Any opportunity we have to support each other at this level is going to pay massive dividends. We all benefit from it. And I just really want to say thank you to everybody who's made this possible.

Dave Bittner: [00:11:12] That's Cheryl Biswas from The Diana Initiative.

Dave Bittner: [00:11:17] We were with Cisco's Talos group yesterday, enjoying a midday recording of their "Beers With Talos Podcast." The recording from that session will be available shortly, but we'll share one observation from the Talos panel of experts. One of them deplored the move of the popular game Fortnite to Android on the grounds that it was inculcating poor security habits in the children at whom it's pitched, habituating them to downloading apps impulsively and in an insecure fashion. He asked if it wouldn't be possible to do better - a call for security acculturation by design.

Dave Bittner: [00:11:51] Two quick preliminary comments - we're not entirely sure Fortnite is pitched entirely at the children, although the middle school demographic appears to be an important one for Epic Games. The fact that variations of the Fortnite dance were so popular during World Cup scoring celebrations suggests that people old enough to know better are spending a lot of quality time with the soldiers, outlanders, ninjas, constructors and commandos. And second, what about the possibility of aesthetic offense offered by that nutcracker skin? We mean, what self-respecting character would want to be dressed like that, right, Jonesy? You hear me, Banshee?

Dave Bittner: [00:12:33] And now an open letter from your dedicated SOC analyst. Our team works around the clock, yet we're being flanked on all sides and can't get in front of threats fast enough. If we had a theme song, it would be "The Roof Is On Fire." Speaking of fire, each attack is more sophisticated than the last, and our current operations aren't advanced enough to keep up. Our team is already stretched thin, and companies keep poaching our talent pool, affecting our level of tradecraft. We need help, and fast. On the metro, I heard an ad from a company called LookingGlass Cyber Solutions. They have, as a service, security solutions built upon 20 years of experience, proper security chops and the infrastructure to support security teams like ours. It's time the good guys scored a point. Learn more at

Dave Bittner: [00:13:33] And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, welcome back. We wanted to touch today on software warranties. So what do you have to share with us today?

Awais Rashid: [00:13:45] Well, software is all around us. It has a lot of good uses, but we are also aware of the potential vulnerabilities that exist in software and we often - fairly regularly - hear about different types of vulnerabilities. And one question that is often raised is that, perhaps, liability will change the game, and vendors and developers need to be held more to account. And the thing that I want to discuss was whether, actually, warranties are a way for developers to limit the consequences they may have to deal with. Are the ways we currently use warranties really always aligned with the goal of secure software?

Dave Bittner: [00:14:27] That's an interesting notion - so a warrantee, for example, outlining what is and isn't precisely covered.

Awais Rashid: [00:14:34] Yes. And I think, you know, that starts where the question is, that - you know, where do you draw the line? Because normally, warranties are intended to protect consumers. They often then end up indirectly opening up consumers to a wide variety of issues because they're often used as a way to limit the developer - its liability (ph). So there is this kind of really complicated balance that needs to be drawn as to, how do you punish the bad without, for example, stifling creativity and stimulating the good?

Awais Rashid: [00:15:07] And I'll use one particular example that - you know, with the rise of app stores and actually even internet of things, you know, people are being encouraged and people do write their own applications for mobile phones or IOT, and they deploy them to potentially millions of people around the world, certainly, through some of the major app stores. So the question is, you know, to what extent does liability apply to those developers? What kind of warranties should they be providing with their software? Are they, for example, leaving themselves open to liability? Do consumers actually get any real protection by specifying particular types of warranties in this context?

Dave Bittner: [00:15:46] Do you suppose - I mean, I - when I think about something, for example, like Apple's App Store, is there an implied warranty there that that app has been through a certain level of rigorous review before it's allowed to be distributed?

Awais Rashid: [00:15:59] So it's an interesting question, that, yes, there might be an implied warranty. I'm, of course, not a lawyer, so I have to be careful as to what I state here.

Dave Bittner: [00:16:08] Sure.

Awais Rashid: [00:16:08] But I think the question, then, is to, where do you draw the line? So, for example, if your game app crashes and you lose a lot of credits that you have built in the game, including some for which you may have paid a lot of money, OK, is - should it be covered by the warranty or does the warranty only apply when an app is used in a critical setting? And I'm sure if you went and looked at some of the license clauses that come with some of the apps, they would very specifically leave out any kind of liability arising from any loss of data or loss of economic value in that sense.

Awais Rashid: [00:16:50] And we also see all sorts of other license clauses, and that's not specifically about the Apple App Store, you know, where - which, for example, prohibit benchmarking - so, you know, you can't really see how well an application performs against other applications - or, you know, complicated uninstall procedures, which make it very, very hard for the users to uninstall applications in themselves.

Awais Rashid: [00:17:14] So it's a really complicated landscape, and I think that's where the question lies. As increasingly, software plays a central role in the fabric of our digital society, it's not a question that we are going to completely ever get away from because every time there is a major breach, the question it does come up as to what should be the responsibility of the vendor and the developer, who is liable, what kind of warranties should be provided, and what is reasonable expectation on the part of the user? And I think it is something that requires a longer and more detailed debate and consideration.

Dave Bittner: [00:17:52] All right. Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:17:59] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:18:07] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:18:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.