The CyberWire Daily Podcast 2.20.19
Ep 784 | 2.20.19

Fancy Bear phishes in think tanks. Lazarus Group takes a swipe at Russian organizations. New decryptor for GandCrab. Citizen Lab and Novalpina discuss NSO Group. Ryuk’s lousy help desk.


Jack:[00:00:01] Dad, why do you keep telling all these lies? I have a snow shovel. There is no little old lady that lives next door. And mom won't let me leave the house without my gloves, but I could use a new sled. So head on over to and sign up today.

Dave Bittner:[00:00:23] Microsoft discloses a Fancy Bear sighting, snuffling around Atlanticist think tanks in Europe. Ukraine says, in effect, see? We told you so. Speaking of bears, it seems that North Korea's Hidden Cobra may be striking at the biggest bear of them all, going after Russian targets. There's a new decryptor available for GandCrab ransomware. Citizen Lab and NSO Group's new partial owner exchange notes, and a look at a ransomware help desk.

Dave Bittner:[00:00:57] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are login credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day, but without complete visibility inside your network, your investigation could take hours or even weeks. And that's assuming you are able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of the complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Look for ExtraHop at RSA, or be the blue team in the interactive demo at That's And we thank ExtraHop for sponsoring our show. The CyberWire podcast is made possible, in part, by RSA Conference, taking place March 4th through the 8th at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at

Dave Bittner:[00:02:18] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 20th, 2019. Microsoft this morning said it had discovered another Russian cyber operation targeting think tanks critical of Moscow. The attacks occurred between this past September and December. Microsoft says it warned the affected institutions and the appropriate governments and that it also took unspecified technical measures to put a stop to the attacks. The institutions Redmond says were hit include the German Council on Foreign Relations, European branches of the Aspen Institute and the German Marshall Fund. So there's a clear Atlanticist flavor to the target list.

Dave Bittner:[00:03:01] The method of attacks was spearphishing, and the hook was a link to a malicious website. The spearphishers are said to have been from APT28 or Strontium, as Microsoft prefers to call them. We'll continue to call them Fancy Bear. But whatever the name, it's Russia's GRU military intelligence service. It's not clear from Microsoft's blog exactly what measures it took against the spearphishing. In an early wave of Fancy Bear attacks prior to the U.S. midterm elections, Redmond had obtained appropriate legal authority to take down the offending domains used in the campaign.

Dave Bittner:[00:03:36] In what the company at the time called a novel legal move, Microsoft had successfully argued that spoofing of the kind observed was a violation of its intellectual property rights, got a court order to transfer the domain names to its own servers and then shut the sites down. As The Washington Post points out, Redmond doesn't seem to have done that for the present wave of spearphishing, and the company declined to say why not. In any case, Microsoft has extended its AccountGuard security system into 12 new European markets.

Dave Bittner:[00:04:09] Fancy Bear's goal appears to be influencing European elections, both upcoming national elections and the EU elections scheduled for May. Microsoft notes that its findings would seem to confirm alarms raised in many European governments. Ukraine has been particularly explicit in its concerns. That country's national security and defense council announced yesterday that it will undertake joint cyber defense exercises with EU partners in the near future. The announcement was accompanied by charges that Russian hacking and influence operations have risen unabated as Ukraine's March 31st presidential election approaches.

Dave Bittner:[00:04:48] Moscow may sometimes be a victim, too. Security firm Check Point says - with appropriate exclamation and question marks in the heading of its announcement - that it's detected signs that North Korea's Lazarus Group, also known by its animal name Hidden Cobra, is turning its attentions to Russia. Check Point's researchers point out that there are two apparent subgroups to Lazarus - Andariel, which attends closely to South Korean government agencies and other South Korean organizations, and then which focuses primarily on attacking the South Korean government and organizations, and the second, Bluenoroff, which works against other cyberespionage targets and, most importantly, against targets where attacks can be monetized. Cybercrime has long been one of Pyongyang's approaches to redressing the chronic financial pain it feels as a pariah state laboring under extensive international sanctions.

Dave Bittner:[00:05:42] Check Point found a familiar and versatile Lazarus backdoor - KEYMARBLE, to use the name US-CERT gave it, carried by malicious PDFs or Microsoft Office files crafted for a Russian intelligence. Cyrillic-looking characters were used in images to bait recipients into enabling content, thereby triggering the malicious code. On balance, the campaign is unusual because it doesn't appear to reflect a geopolitical tensions, which have usually accompanied even North Korean financially-motivated campaigns.

Dave Bittner:[00:06:13] To be sure, North Korea has plenty of tension with just about everyone and is no longer anyone's client state, but it's got fewer such tensions with Russia than it does with most others. Perhaps there are tensions present that aren't obvious to outsiders.

Dave Bittner:[00:06:29] There are a growing number of ISACs, which stands for information sharing and analysis center, serving organizations in a variety of sectors. Tommy McDowell is vice president at the Retail Cyber Intelligence Sharing Center, or R-CISC, a member organization serving the retail and hospitality industries.

Tommy McDowell:[00:06:49] We provide the technical and community so that our members can share information about cybersecurity, threat intelligence, breach information, best practices. A lot of our members come from gaming organizations, as well as in hospitality, consumer product manufacturers, hotels, restaurants, and we also have other cybersecurity partners around the world.

Dave Bittner:[00:07:11] So what are some of the specific vulnerabilities that folks in your vertical have to deal with?

Tommy McDowell:[00:07:17] You know, we really deal with a top three threat vector and top three threats to our industry. And most of these are all through email, everything from ransomware to account takeover to credential harvesting, also any threats facing point of sale systems or the e-commerce ecosystem, all the way from the credit card readers all the way back to the e-commerce system as well. Most of our members, when they experience breaches, at some stage of that notification and investigation process, they will let our community know of the breach and of the techniques, you know, employed by the actors.

Tommy McDowell:[00:07:57] In most cases - in many cases, there are legal restrictions as to what can and cannot be released. Luckily, because you participate with a community such as ours, they may not acknowledge the breach. They may not give details as far as the amount of loss or exactly what was lost. But they're more than willing to let us know what the techniques are so that they can protect other companies and other systems all in this sector.

Dave Bittner:[00:08:20] So you sort of serve as this central clearinghouse and repository to gather these things but then also distribute them out to folks to help alert everyone and help keep them safe.

Tommy McDowell:[00:08:34] Not only just keep them safe and knowledge of the breach but also what are the best practices? What techniques are working? A large number of vendors have similar type systems, but there's always variation. And where you may have a vendor coming out with a patch or a workaround, what we get from our community is the experience of on-the-ground implementation of those patches and the configuration issues that come up and what remediation steps have to take place.

Tommy McDowell:[00:08:59] So you have this instant community of people involved in one or two key incidences and be able to give really good, lively feedback, you know, based on their availability, which for the most part we have a large number available at any given time, even if they're not a member.

Tommy McDowell:[00:09:14] You know, in many cases, we'll reach out to that agency. Or if we learn of an attack or a vulnerability or even if we see something on the Dark Web being sold that, you know, addresses a retailer, even if they're not a member, in many cases, we reach out and let them know.

Tommy McDowell:[00:09:30] So we have a lot of relationships with various other threat intelligence companies as well as other agencies that just aren't members. And yet we do try to keep them abreast of the latest attacks and threats as they're evolving. One of the things we've learned over the last year or two is to be able to stand up a fully fledged threat intelligence program is pretty challenging.

Tommy McDowell:[00:09:53] So what we've been able to do is to identify two or three key behaviors that a small company could do that would be activities a threat intelligence group would perform but you don't have to have the full program to get the benefit of that. So it is a community, and it is one that shares openly.

Tommy McDowell:[00:10:11] Our level of engagement has increased tremendously over the last couple years. I think that's largely because the amount of trust we build and emphasize inside of this group. I mean, sharing vulnerability information and information that you've been breached with a community - and by the way, these are retailers that often compete with each other. So there has to be this level of trust created. And I have to say, I've seen a lot of really good people step forward.

Dave Bittner:[00:10:37] That's Tommy McDowell from the Retail Cyber Intelligence Sharing Center, the R-CISC.

Dave Bittner:[00:10:44] A decryptor is now available for GandCrab Ransomware's version 5.1, Bleeping Computer reports. The fix by Bitdefender, Romanian police, Europol and other law enforcement partners is also effective against some earlier versions. There are, however, already signs that GandCrab version 5.2 is beginning to circulate in the wild. But in the meantime, bravo Bitdefender and colleagues.

Dave Bittner:[00:11:10] An exchange of letters between Citizen Lab and Novalpina outline the suspicions that persist around NSO Group. Novalpina Capital, the private equity firm that backed the recent reacquisition of NSO Group by its founders, said in their letter to Citizen Lab that they and the new owners were committed to greater transparency and that they welcome dialogue with those with concerns about the company's business. Novalpina alluded to the safeguards that were now in place and that were, it said, sufficient to make Novalpina comfortable with owning a stake in NSO Group.

Dave Bittner:[00:11:44] Citizen Lab, after expressing its appreciation for Novalpina's gesture of transparency, offered a long list of questions, answers to which it said would go a long way toward producing such transparency. They come down to two sets of concerns. Citizen Lab would like to know more about the extensive due diligence Novalpina undertook before its purchase of NSO Group and what criteria were employed to determine that NSO Group operates with integrity and caution.

Dave Bittner:[00:12:13] The other concern centered around Citizen Lab's study of how various repressive regimes have used NSO Group's intercept products in less than lawful ways and in ways that Citizen Lab says put NSO Groups on the wrong side of the U.N. Guiding Principles on Business and Human Rights.

Dave Bittner:[00:12:31] Among other things, Citizen Lab would like to know what remediation has been undertaken for past issues and what grievance procedure NSO Group has in place to address other issues that may arise. Amnesty International and six partners also weighed in, thanking Novalpina for the opportunity to discuss transparency and calling upon the investors to commit to eight specific undertakings. That letter specifically called out the misuse of NSO products by the government of Mexico earlier Citizen Lab research reported. Amnesty and its partners also showed particular concern for the use of intercept technology against reporters.

Dave Bittner:[00:13:12] And finally, pop quiz, hotshot - what criminal sector provides its own help desk? The mob? Nope. The Chicago Outfit? Nope and nope. Cyber gangs? There you go. Especially the ransomware hoods, they offer a help desk whose help is to help the victim pay the extortionists. Ryuk Ransomware, for example, according to No More Ransom initiative partner Coveware, does just that. But when it comes to the help you get, some victims are more equal than others. There are two notes Ryuk victims might get. One of them is blunt, unpolished and crude. That help note comes with a lower ransom demand - still a hefty 15 to 35 bitcoin, which at the high end comes to around $224,000, but lower than the demand associated with the longer, friendlier, better-written note that asks you for around 50 bitcoin and change somewhere around $320,000.

Dave Bittner:[00:14:10] Help Net Security speculates that either the help desk was having a bad day when it used the curt text or that the subtext under the niceness of the more polished note was that the crooks were reasonable and willing to negotiate. In either case, the help, as the kids say, sucks. The decryptor is buggy and just about as likely to destroy your files as recover them. Better to back up early and often and offline so that you don't have to deal with Ryuk help.

Dave Bittner:[00:14:42] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? Akamai's Edge Security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the north hall, booth 6153 to take a part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai - intelligence security starts at the edge. Learn more at Akamai - that's That's And we thank Akamai for sponsoring our show.

Dave Bittner:[00:15:52] And I'm pleased to be joined once again by Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, it's great to have you back. We wanted to dig into another one of the botnets that you all have been tracking there, and that is Necurs. What do you have to update us with here today?

Mike Benjamin:[00:16:08] Yeah. Thanks, Dave. So Necurs, for those that aren't familiar with it - it's actually quite a few years old, and it's a spam botnet. It has sent just about every type of spam you can imagine during its lifetime. And I was on the show a few months ago and mentioned one of the unique attributes that we were seeing about Necurs was that it was shutting itself off on a periodic interval. And what I meant by that was that the command and control host of certain aspects of the botnet - and so this botnet has about three different chunks, which are DGA seeds.

Mike Benjamin:[00:16:39] And so we track them as individual entities, and sometimes they're actually - deliver different payloads or a different attack commands. But each DGA seed shuts itself off at the C2 level. And so what we've been seeing over the last few weeks is that it is shutting itself off against all DGA seeds for eight days at the time; coming back on for less than a day; delivering all its spam, all its junk, whatever the focus was for that particular campaign; and then shutting itself off again.

Mike Benjamin:[00:17:11] And so from a defender perspective, this is particularly interesting because it calls back to DGA when it can't reach its C2s. It's a lot louder during the periods that it can't find the C2s than when it can. And so this is a great way to detect it within an environment. The campaigns that we've seen recently - two of them are very common with what we've seen Necurs do in the past. They've been deploying secondary payloads of - provided families of remote access trojans so that - RATs - as well as ransomware - nothing new there.

Mike Benjamin:[00:17:41] But one of the things that we saw a couple months ago - a lot of us all unfortunately saw in our inboxes what - people deemed these extortion emails where they were claiming to have dirt on the individual and asking for, you know, upwards of - in some cases, of a couple hundred dollars' worth of bitcoin to be delivered to the cryptocurrency wallet.

Dave Bittner:[00:18:01] Right.

Mike Benjamin:[00:18:02] And this was pretty rampant, got a lot of press. And if you look back now at the wallets that were being utilized during that time period, they made some money. You know, tens of thousands of dollars were successfully gleaned from this.

Dave Bittner:[00:18:13] Yeah.

Mike Benjamin:[00:18:13] And we were able to track that, in many cases, being delivered through Necurs - certainly not Necurs alone was the vector utilized.

Dave Bittner:[00:18:20] Oh, interesting. Now, do you have any insights on - to this pattern that it shows - this, you know, going dark for days at a time? Any guesses on what the strategy there is?

Mike Benjamin:[00:18:31] Well, in some cases, this, from an infection perspective, means that it changes, that the infrastructure is not alive at the moment, that they're not using it. And we've seen this in different malware families where the actors believe that by shutting off their own control infrastructure, they may be able to evade takedowns, as well as evade certain detection techniques. And, you know, I'd argue from a network perspective, that's not effective. But maybe in some corners of the world and in some defense cases, that is effective.

Mike Benjamin:[00:19:03] One of the other things that we see that's interesting about the behavior - I find this interesting - is we see a lot of actors out there sending their spam in one language or, you know, maybe if they've got a ransomware landing page, they've translated it to a couple languages. But we've actually seen through Necurs - they're beginning to be more and more effective with language localization where they are targeting a part of the world in the native tongue over that part of the world to be more effective in the campaign that they're delivering malware from. And so, you know, there's always the conversation in our team that maybe they need that extra few days just to be more targeted and translate some campaign language. That's why they're shutting their stuff down.

Dave Bittner:[00:19:44] Interesting. All right. Well, thanks for sharing the update with us. Mike Benjamin, thanks for joining us.

Dave Bittner:[00:19:55] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner:[00:20:07] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.