The CyberWire Daily Podcast 11.15.18
Ep 726 | 11.15.18

RATs and the long game. New ransomware. Learning from other espionage services. Advance-fee scams continue to infest Twitter. Fancy Bear says it can’t be sued.


Dave Bittner: [00:00:03] TRat indicates a criminal shift to a longer game. Chinese industrial espionage copies Russian services' tricks. Dharma ransomware evolves. Bitcoin's price may be tanking, but Bitcoin-based advance-fee scams are still all over Twitter with bogus big brands, blue checks all over them. Nigeria plans to go after cyber gangs. Fancy Bear says it can't be sued, even if it did anything. And why a password manager is better than an infernal machine.

Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out the report "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:35] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, November 15, 2018.

Dave Bittner: [00:01:48] Researchers at the security firm Proofpoint have described a new modular remote access Trojan, tRat. This RAT arrives with social engineering, phishing emails with malicious Microsoft Word documents attached. TRat is distributed by the criminal group familiar from its involvement with the notorious Dridex campaigns in 2014, the Locky crime spree in 2016 and '17 and many other attacks, as well. That group Proofpoint tracks as TA505. It's criminal, of course, and its motive is financial - no reasons of state here. Proofpoint describes the group's activities as structured in an informative way - one that can help defenders recognize similar campaigns. First is the actor itself - most interesting because recognizing the human motivations of the attacker can inform defense. Then there's the vector, the delivery mechanism. In the case of TA505, that mechanism has been a spam-serving botnet sometimes owned by TA505 and sometimes leased.

Dave Bittner: [00:02:55] The third element is the hoster, usually a macro-enabled document that pulls its malicious payload from a host server. The payload itself is the fourth element. It's the malware that enables the attackers to work their will on the victim machines. And finally, there's command and control - the link between the malware and the attackers. TA505 and other capable actors use a range of command-and-control servers, which renders them resilient in the face of sinkholing, takedowns and other enforcement actions. TA505 has tended to be a ransomware specialist, but its turn toward remote access Trojans suggests that it's now playing a longer game. As Proofpoint puts it, this represents, quote, "a broader shift towards loaders, stealers and other malware designed to reside on devices and provide long-term returns on investment to threat actors," end quote.

Dave Bittner: [00:03:50] There's another new ransomware threat out there, a refreshed and evolved version of the Dharma strain. Researchers at Heimdal Security have been tracking new strains of the familiar ransomware. The latest version successfully evades detection by most antivirus software. Nation-state threat actors are also currently active. A cyberespionage campaign against engineering and maritime targets in the U.K. has been traced by the cybersecurity company Recorded Future to a Chinese threat actor known variously as TEMP.Periscope and Leviathan. We'll say Leviathan for now and note that it seems to be engaged in the now-very-familiar Chinese practice of industrial espionage. Leviathan's case is interesting because of the way it points out the extent to which different nation-states' intelligence services sometimes share and more often simply copy the methods of their competitors in espionage. Leviathan makes interesting use of techniques apparently repurposed from the Russian threat actors Dragonfly and APT28 - that is Fancy Bear - the GRU with its restored R. If you relied solely on style, you might conclude this activity originated in Moscow, as opposed to Shanghai.

Dave Bittner: [00:05:06] The threat of nation-state attacks on private companies leads to a certain amount of understandable anxiety among security professionals. We checked in with ObserveIT CEO Mike McKee for his take on how serious a threat nation-state actors really are and how much of an uptick they're really seeing.

Mike McKee: [00:05:23] I think the short answer is increasingly often. Fortunately, it's nowhere near the majority. More and more, there's risk there in terms of competitive trade secrets and intellectual property leaving. And this is more larger companies. It's something we're hearing more and more of as being on the radar of security folks at large companies.

Dave Bittner: [00:05:45] So how do you dial in what would be a reasonable, practical, proportional response?

Mike McKee: [00:05:52] Yeah. It's almost a little bit by vertical. You know, manufacturing and pharmaceuticals - yeah, I would say a third of the time we're hearing that as a threat. That's probably up from, you know, around 10 percent of the time before as something that's on their radar that they're looking out for.

Dave Bittner: [00:06:07] I guess what I'm getting at is I hear a lot of people say that attribution isn't necessarily so important. Does it matter if the attacks coming in are from a nation-state or from just your run-of-the-mill criminals, who are trying to get something to either steal or sell?

Mike McKee: [00:06:25] Well, I would say yes because I think more often when it's at the nation-state level it's a direct competitor. I'm heading down to D.C. tomorrow to see a bunch of folks that we work with that, you know, get a lot of this information firsthand. But the particular individual we partner with was at one of the larger pharmaceutical companies. You know, they would regularly see employees planted in the organization whose job it was to get intellectual property back to China. I do think that the difference between just selling it on the web, and the different areas of, you know, the dark web, and actual countries or nation-states is it gets into the hands of better well-funded competitors faster.

Dave Bittner: [00:07:07] And are there any specific indicators that point to a nation-state actor specifically?

Mike McKee: [00:07:13] We literally - so we work with a partner down in D.C. And most of the folks there come out of the CIA. I mean, they have literal websites that people go back to. They have organization names who they will communicate back to. They know, from their investigative work, what sites are set up and what information repositories are set up - where they're trying to get it to. They have the addresses and the URLs. And that's what they look for. And that's what we look for with them as we build that information into the alerting capability of our product.

Dave Bittner: [00:07:42] Do you suppose that this notion of being attacked by nation-states has, in some way, become kind of a Get Out of Jail Free card for people who've been breached? I mean, it's one thing to say that some crooks got in. But it's another thing to say, well, a nation-state got us. And what could we have done with an attack that sophisticated?

Mike McKee: [00:08:02] I don't think so - meaning people are always trying to know the why or where it came from. And, you know, the mean time to remediate is always on people's mind. It's no better if it's a data breach from some kid in the basement of the U.S. than it is nation-state if customer information has gotten out or intellectual property has gotten out. Whether, like I said, it's to an individual trying to sell on the dark web or a competitor across the street or a competitor in China, I don't think there's any less concern on that. I don't think people are like, oh, well, you know, you can get the guy next door. You can get the guy in the basement.

Mike McKee: [00:08:39] But I understand that you can't get China or Russia because their job is to make sure that, you know, as little information goes out as possible. You know, one of our new board members Dave DeWalt - I was actually just looking up the quote - but he was saying that 29 countries have declared cyber commands including - you know, basically said they're going to use offensive cybersecurity methods to get information. These are more nation-states as opposed to companies in those countries. But often there's a pretty blurry line between those two things.

Dave Bittner: [00:09:05] Right.

Mike McKee: [00:09:06] So 29 have actually declared they're doing it. Sixty other countries say they've got the ability to do it. And that's just a completely different level than it was five years ago. So it's almost - I mean, exaggerating a little bit - but Army, Navy, Air Force, Marines. As we know, there's a sort of Army, Navy, Air Force, Marines' cybersecurity. And it's an arm that nation-states have to get information, which is becoming increasingly accepted.

Dave Bittner: [00:09:32] That's Mike McKee from ObserveIT.

Dave Bittner: [00:09:36] The implausible but depressingly effective bitcoin-based advance-fee scam - as in send us bitcoin, and we'll send you 10 more bitcoin in return - has assumed new forms with major brands' Twitter accounts being hijacked or spoofed to convince the unwary. Target and Google are among those major brands whose blue-checked names are being fraudulently used to bubble people out of their cash. And a lot of observers are impatiently grumbling that it seems Twitter ought to do something. Bitcoin itself, we note, has seen its price crash below $6,000 on trading markets this week, as speculators apparently fear a coming fork in the blockchain.

Dave Bittner: [00:10:17] Nigeria's new cyber command, staffed by technically proficient military officers, is expected to help with counterterrorism. The government also hopes the young organization will take a toll on the country's organized cybercriminals. That will be a challenge. The gangs are a deeply rooted subculture. It's no accident that the classic advance-fee scam is the email from the widow of a fictional Nigerian prince. That scam is so iconic it's even known as a 419 scam, after Section 419 of the Nigerian criminal code that makes such stuff illegal. Good luck to the young cyber command.

Dave Bittner: [00:10:57] Fancy Bear says the DNC can't sue them, according to ABC News and other outlets. Fancy Bear and Cozy Bear got their pals over in the Ministry of Justice to say that. Even if they did hack the Democratic National Committee, the DNC can't sue them. And they're not saying they did. It's more that they're speaking hypothetically on behalf of a friend. That's the claim the Russian Ministry of Justice made in a 10-page statement of immunity it delivered to the U.S. State Department. If such alleged hacking happened at all - which, understand, they're not saying it did - but if it did, they say that such alleged hypothetical hacking would have been a military action and as such shielded by the Foreign Sovereign Immunities Act of 1976, a U.S. law that affords foreign governments a degree of immunity for some actions they take inside the U.S. - if, that is, they took any such alleged action at all.

Dave Bittner: [00:11:53] Finally, in a story that's far less funny than bald retelling suggests, a Swedish man has received 6 1/2 years in prison for mailing a letter bomb to what he thought was the address of a bitcoin exchange that wouldn't change his password. Jermu Michael Salonen of Gullspang, Sweden, was a customer of London-based Cryptopay, a site that enables altcoin enthusiasts to indulge their passion for trading this now rapidly depreciating currency. Mr. Salonen sent the device, which was real and potentially lethal, to what he thought was Cryptopay's address but that, in fact, was the address of an accounting firm Cryptopay had once used. The London Met's bomb squad rendered the device safe, but it could have been lethal. And it sat in the mailroom unopened for five months. There are a few lessons to be drawn from this incident. First, don't gamble with more than you can afford to lose. Second, don't expect your accountants to open mail you send them promptly. And third, for heaven's sake, Mr. Salonen, invest in a password manager. Heck, even writing your password on a sticky note tacked to the underside of your keyboard would be suboptimal but better than sending someone a letter bomb.

Dave Bittner: [00:13:12] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data-loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:12] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. We had a story come by from ScienceDaily. And this was about some researchers at Georgia Tech who had discovered some side-channel vulnerabilities with some encryption in smartphones. Fill us in. What do we - what's going on here?

Jonathan Katz: [00:14:36] This was an attack that the researchers found on a version of OpenSSL that was being used on these smartphones. And like you said, it was a side-channel attack, which means that they were kind of using information that was being leaked from the device itself - physical information that was being leaked in order to figure something out about the encryption key being used on the device.

Dave Bittner: [00:14:56] So is this, like, RF energy leaking from the device?

Jonathan Katz: [00:14:59] Right. That would be an example. And what's interesting about these side-channel attacks in general is that typically, when we think about security of an encryption scheme and when we analyze security of an encryption scheme, we think only in terms of the plain text messages going in and the encrypted messages going out. And then we argue that the attacker won't be able to figure out anything about the message from the encryption that it seized. But we typically don't think about all this other information that might be coming out of the device, like you just mentioned. But it turns out that those can be a pretty powerful attack vector that can allow an attacker to figure out more about the encryption than they should be able to.

Dave Bittner: [00:15:35] So help me understand. Is this - the information within the device itself is traveling around in an unencrypted state, and they were able to sort of suss out what the keys would be in this case. Is that what was going on?

Jonathan Katz: [00:15:49] That's the basic idea. It's a little more complicated than that. But basically, by looking at emanations from the device, they were able to figure out in particular when some operation was being done and when it wasn't being done. And that information could then be correlated with the bits of the key. And gradually, you know, by repeating this enough times, they were able to figure out the entire key from the device.

Dave Bittner: [00:16:11] I see. So I suppose part of this is they had to be in fairly close proximity to the device in this case.

Jonathan Katz: [00:16:17] They did. In their experiments, they actually had a measuring device that was not touching the phone, but it was right up next to it. But they claim that in principle, an attacker might be able to do it from further away or might be able to have a recording device nearby the phone with the owner of the phone not suspecting anything.

Dave Bittner: [00:16:34] And what's your take on ways to prevent this sort of thing?

Jonathan Katz: [00:16:37] Well, researchers have been looking, actually, for a while at these attacks and then also how to prevent them. What, you know, may be especially interesting here is that the OpenSSL libraries were designed, in part, to prevent these kinds of attacks. But nevertheless, the researchers were able to carry out the attack anyway. So I guess it just shows they'll have to go back to the drawing board and figure out how to make the - either the physical device not leak this information anymore or to make sure that the algorithm that they're using for the encryption is kind of leaking things that are independent of the key. But it's definitely something that's quite difficult to do.

Dave Bittner: [00:17:11] Yeah. All right. Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:17:15] Thank you.

Dave Bittner: [00:17:20] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:17:39] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:17:48] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.