The CyberWire Daily Podcast 9.17.18
Ep 685 | 9.17.18

Ransomware and cryptojacking are all the rage. Iran seeks IP, North Korea seeks a quick buck. More on EU content moderation. Alleged Russian hacking of WADA, Spiez Laboratory. Propaganda overreach?

Transcript

Dave Bittner: [00:00:03] Ransomware clogs systems at a U.K. airport. New variants of ransomware are out and about in the wild. EternalBlue continues to be used to install cryptojackers in vulnerable systems. The campaign is being called Wannamine. The EU considers short deadlines and sharp penalties for failure to remove extremist content from the internet. Russia is suspected in WADA and Spiez Lab hacking. And did Moscow overreach with its latest Novichok disinformation effort?

Dave Bittner: [00:00:40] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:37] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 17, 2018.

Dave Bittner: [00:01:45] A ransomware attack took departure board screens offline for two days at Bristol Airport in the U.K. Airport authorities are hedging it, calling it an attack similar to ransomware. The screens were disabled as part of a general response to detection of the attack. The airport believes the attack was speculative rather than specifically targeted, thus the airport believes it was simply a target of opportunity caught up as the attackers swept for systems they could reach. The affected systems appear to have been business systems. As the airport recovered, flight information was manually written on white boards placed around the terminal. The airport is being cautious, which is why they were quick to disconnect where they could and why remediation has been deliberate. Work is returning to normal now. The incident began to affect operations Friday.

Dave Bittner: [00:02:41] A number of evolved ransomware strains are circulating in the wild. A new variant of Dharma is out, for one. It's being called Dharma .brrr not because it's particularly chilly or chilling, but because it appends a .brrr extension to the files it encrypts. According to reports in Bleeping Computer, Dharma .brrr is manually installed by hacking into remote desktop services that are directly connected to the internet. The hackers scan for systems running Remote Desktop Protocol, typically on TCP port 3389, and once they've found such systems, brute force the password and have at it. Dharma .brrr encrypts mapped network devices, unmapped network shares and shared virtual machine host drives. It's therefore a good idea to check permissions, restrict access to network shares to users who actually need it. It's also a good idea to put computers running remote desktop services behind VPNs.

Dave Bittner: [00:03:44] There's a related development in the criminal underworld. Flashpoint reported today that they're seeing a brisk trade in Remote Desktop Protocol access being done in dark web markets. The markets are mostly Russian-speaking with various Russian cyber gangs doing much of the buying and the selling.

Dave Bittner: [00:04:04] And elsewhere, Ryuk ransomware is not only encrypting files, but disabling endpoint protection on infected devices. The ransomware strain, which has been in active use since the middle of last month, is said by SentinelOne in a Security Boulevard piece to show signs of linkage to North Korea's Lazarus Group and some evidence of descent from the Hermes ransomware. It had pulled in more than $640,000 by this past weekend.

Dave Bittner: [00:04:31] The attackers take a high-minded approach in their ransom note. It goes something like this, quote, "your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people, not some stupid schoolboys or dangerous punks," end quote. That last line may seem like a non sequitur, but what the attackers appear to mean is that they're not vandals like the schoolboys and punks, but rather conscientious criminals who will take care of your data and deliver it back to you whole if you cough up the ransom.

Dave Bittner: [00:05:10] Researchers at security company Kaspersky Lab are following SynAck ransomware, not to be confused with the legitimate security company with a similar name. SynAck evades detection with Process Doppelganging.

Dave Bittner: [00:05:24] And to round out the ransomware roundup, MalwareHunterTeam reports that Kraken Decryptor is out in a new form. It masquerades as the legitimate security tool SUPERAntiSpyware. The malicious file's name is close to the legitimate name, but it makes it a plural - SUPERAntiSpywares with an S at the end.

Dave Bittner: [00:05:46] The best advice against all these forms of ransomware is familiar - regular secure backup. And since most of these malicious payloads are delivered by some form of phishing, suspicion of emailed links and attachments as well as a little bit of close reading of preferred filenames can also help keep users a bit safer.

Dave Bittner: [00:06:05] Several universities in the U.K., Cambridge and Oxford among them, sustained cyber espionage incidents in which sensitive technical material was taken on behalf of Iran. This is another in a long series of attempts at IP theft by Iran as the country labors under partially reimposed international sanctions levied in response to its nuclear research and development programs.

Dave Bittner: [00:06:29] North Korea is turning in a different direction as it too seeks to evade economic sanctions. In this case, the efforts are directed at shorter term cash flow. Pyongyang has worked up false identities that use online services to provide commodity-level IT services. They're using, according to reports in The Wall Street Journal, such familiar channels as Upwork, Freelancer, GitHub, Slack, LinkedIn, PayPal and Facebook to facilitate sale of services and products, including mobile games, apps, bots and other things. Much of the North Korean activity is based in the Chinese city of Shenyang, and they've succeeded in selling to Western outfits interested in saving money by buying code services from East Asia. The customers don't know the people they're dealing with are from the DPRK. And The Wall Street Journal notes, the North Korean operations have become notorious for stiffing their subcontractors, so buyer beware.

Dave Bittner: [00:07:29] The EternalBlue exploits widely believed to have been stolen from the U.S. NSA continue to turn up in infestations around the world. A great many of the infections involve cryptojacking. Security firm Cybereason has been tracking the ransomware version that's being called Wannamine. It propagates rapidly across vulnerable networks, thereby yielding a higher return than the customary pittance more conventional cryptocurrency miners now return to their controllers. The scale makes the difference, and a lot of servers remain vulnerable to exploitation through EternalBlue. A Shodan search suggests that EternalBlue can still have its way on almost a million servers worldwide. This is a vulnerability that can be and should be patched. The fix is available, it's just a matter of applying it.

Dave Bittner: [00:08:19] The EU advances consideration of its next major internet regulation. Hosts will, if the measure passes, have one hour to remove extremist content from their services. The clock begins when authorities notify providers. Fines would be in the GDPR range.

Dave Bittner: [00:08:38] Prosecutors in Switzerland are investigating a possible attempt to hack not only the World Anti-Doping Agency, but also the Spiez laboratory, which has done work for the Organization for Prohibition of Chemical Weapons, an international body that's looking into the Salisbury Novichok attacks. On Friday, the Swiss government summoned the Russian ambassador and requested an explanation.

Dave Bittner: [00:09:02] The Washington Post reports that Russian disinformation over the Novichok attack seems to be backfiring. While ridicule and dismissive irony seemed to have some initial small effect on public opinion, putting the two GRU hoods on TV really hasn't worked outright. We should say for the sake of propriety - alleged GRU hoods, since Russia claims they're just a couple of regular tourists who wanted to take a quick holiday in Salisbury. One comment the Post quotes from the comments on RT's YouTube Russian version of the interviews is evocative. Quote, "until today, I perceived this Skripal story as Britain's provocation," wrote the viewer. "Once I saw these two idiots, my view has been shaken." Shaken indeed.

Dave Bittner: [00:09:52] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. That's thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:10:53] And joining me once again is Malek Ben Salem. She's a senior R&D manager for security at Accenture Labs. She's also a New America cybersecurity fellow. Malek, welcome back. We wanted to talk today about encryption, but specifically about encryption using DNA. What can you share with us?

Malek Ben Salem: [00:11:11] Yeah, so as you know, Dave, we're dealing with increasing volumes of digital data. It's growing at unprecedented rates, and storage is taking a lot of space. The classical method of using tape to store that data can no longer keep up with the amounts of data that we're producing every year. In fact, global data is expected to reach the size of 45 zettabytes by 2020. If the audience is wondering what a zettabyte is, that's 10 to the power of 21 bytes.

Malek Ben Salem: [00:11:44] So we need to come up with new paradigms for data storage, for data retrieval and for data processing. And one of those possible solutions, perhaps the most promising as of today, is DNA. And that's for several reasons. No. 1 is the density of DNA storage. As a matter of comparison, if we use tape to store data, eight terabytes of data is equivalent to 8 million books, which can be stored in 57 miles of bookshelves. In comparison to that, if you stored data in DNA, you're able to store 2.2 petabytes in one gram of DNA. And that's the equivalent of 200 times the printed material in the Library of Congress. So already you can see that the classical methods cannot compare with DNA-based storage.

Dave Bittner: [00:12:45] And so what gives DNA that data density? Is it because it's nonbinary? What's the trick there?

Malek Ben Salem: [00:12:52] It's nonbinary. Obviously, that's one reason. The other reason is the way it folds, so it takes less space. So there are inherent properties in the way it can encrypt data. Remember, we - there are four types of DNA components, and so that provides more capability to encrypt more information. But also the way it folds in space also provides additional capability to reduce the amount of space it uses.

Dave Bittner: [00:13:28] Now, is this something that's practical for use today or are we still talking about something that's in the lab?

Malek Ben Salem: [00:13:34] So it's certainly still in the lab. It's practical for storing data. It's not as practical for retrieving data and processing because it takes more time to, basically, decrypt the data or turn it back from a DNA format into our known digital format, so that's less practical. But taking data from a binary format the way we store it in bits today and turning it into DNA, that's very practical today, which basically limits the use cases for the use of DNA for encrypting data. But it's certainly very useful for archiving data.

Malek Ben Salem: [00:14:22] And that's one of the things we're looking into in Accenture in our labs is, what are the best use cases for DNA-based encryption? And one of those is obviously data archiving. But also, you know, if you think about tracing certain components - and in particular, I'm thinking about chips that are manufactured and that take so many steps to come to the final format.

Malek Ben Salem: [00:14:53] And we know that we have issues with counterfeit hardware, with counterfeit chips that carry trojans, perhaps, into them. It's been hard to detect those types of counterfeit chips. So if we can use DNA to trace, basically, all the steps that a wafer or a chip goes through as they get manufactured and store that data into a piece of DNA that gets attached to the chip, then that could provide a way of verifying the origin of that chip and all the information of the manufacturing process for that chip. And it's attached to it, so it goes with it regardless where it goes. So that could be another use case for the use of storing data into DNA.

Dave Bittner: [00:15:43] Now, how about resilience? Does it hold up in storage? Is it sensitive to temperature or, you know, magnetic fields, all those sorts of things?

Malek Ben Salem: [00:15:52] Yeah, that's another great property of DNA, namely, its lifetime. We know that while tape and disc-based data storage degrades over time and can become obsolete, requiring rewriting every so much time. We know, for instance, that cloud infrastructure requires - or uses a lot of energy because of the amount of electricity that's required to prevent the data from degrading. DNA or readable DNA was extracted from the remains of a horse that's about 600,000 years old, so it basically survives for a very, very long time without requiring the amount of energy that's required for storing data into a binary format.

Dave Bittner: [00:16:48] All right. Well, it's certainly interesting research. Malek Ben Salem, as always, thanks for joining us.

Dave Bittner: [00:16:56] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:17:04] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:17:23] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:17:31] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.

Dave Bittner: [00:17:46] And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:18:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.