The CyberWire Daily Podcast 5.8.19
Ep 839 | 5.8.19

Turla’s new backdoor. Verizon’s 2019 Data Breach Investigations Report. Bad actors seek to influence the EU. US CYBERCOM preps for 2020. Baltimore’s ransomware. Monolingual content moderation.


Dave Bittner: [00:00:03] Turla is back and with a clever backdoor called LightNeuron. Verizon's Data Breach Investigations Report shows that the C-Suite remains a big target of social engineers, that crooks are following companies into the cloud, that ransomware remains popular and that people seem warier of phishing. Bad actors peddle influence in the EU. Binance gets looted. And Baltimore gets hacked.

Dave Bittner: [00:00:33] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:41] From the CyberWire studios at DatatTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 8, 2019. Microsoft Exchange has received a good bit of hacking attention recently, and ESET has a partial explanation. Turla, also known as Snake or Uroburos, a Trojan long used by Russian intelligence services, is back and using what ZDNet calls one hell of a clever backdoor. The backdoor is called LightNeuron, and it functions as a mail transfer service, which is thought to be a first. It's been active since 2014. And it's hit targets in Brazil, Eastern Europe and the Middle East. It's an espionage tool - not a conventionally criminal one. And the organizations it's known to have affected include diplomatic organizations. Kaspersky discussed the tool briefly in early 2018. But LightNeuron's unusual mode of operation and powerful functionality have only recently been understood.

Dave Bittner: [00:02:40] LightNeuron is directly integrated into the Microsoft Exchange workflow. And it's said to gain complete control over whatever passes through an infected mail server. ESET says it can intercept or redirect email, and it can alter the content of both inbound and outbound messages. It can even create and send new emails. There's really no software patch for this. LightNeuron lives off the land, abusing sound, legitimate systems. Its control mechanism is also unusual. Once installed, LightNeuron's masters don't connect with it directly. Instead, they send commands steganographically hidden in emails through the infected servers, where LightNeuron reads and executes them.

Dave Bittner: [00:03:24] Verizon's always-interesting Data Breach Investigations Report is out. This 2019 edition offers some interesting takeaways. The C-suite is far more likely now than in years past to be socially engineered over social media. And an uncomfortably large number of such attempts are proving successful. Criminals are following companies into the cloud and are devoting a lot of effort to stealing cloud service credentials. And the hoods are also looking hard for any configuration mistakes. Ransomware is still going strong, now accounting for almost a quarter of malware incidents. Paycard web application compromises are fast catching up with compromises of physical payment terminals.

Dave Bittner: [00:04:05] There's some good news here. Part of the change is accounted for chip and PIN systems' wider adoption and the success those systems are having in slowing down card-present fraud. And there's more good news. Targeting of human resources departments seems to be on the decline. And general users are showing a lot less readiness to click links in phishing emails. They're most gullible, for some reason, while using mobile devices. The phish now seem to be more mobile than otherwise. And cryptojacking - still around but a lot less prevalent.

Dave Bittner: [00:04:38] We'll have an interview with one of the authors of Verizon's data breach investigations report on this coming Friday's CyberWire podcast.

Dave Bittner: [00:04:46] There's no shortage of abbreviations and acronyms in the security space. And it's no wonder some of us find ourselves wandering around in the wilderness chanting, SIEMs and SOCs and SOARs - oh my. Well, don't surrender, Dorothy, because we've got Meny Har from Siemplify on the line to help make sense of some of the lingo.

Meny Har: [00:05:07] I think we're in this spot where, I think, we're slowly recognizing - maybe a few years now - that our focal point has now become the ability to actually respond to all these alerts. So if you think about the last 15 years, 10 years, five years, we spend a lot of effort on a lot of different tools. We have a lot of different datasets that we now - in place. Vulnerability management's very intelligent. There's a huge list of those. There's a huge list of tools that you're using from cloud to endpoint to network. There's a list of them. It goes on and on. And we've built all of these. But we haven't thought through about, what are the analysts actually looking at all this data supposed to do with it? And I think this is where the SOCs are these days - trying to figure out anything using all the different security breach centers pretty much across the country, looking at, how can they now bring it all together, be better, make sure they look at everything?

Dave Bittner: [00:05:52] Well, let's run through some terms together because things that are tossed around when it comes to SOCs are SIEMs and SOARs. Can you describe to us what those are and what the difference is?

Meny Har: [00:06:02] Definitely. SIEM - security information event management - is actually a tool set built to be able to centralize all the log sources or logged information that the organization has. For example, 15 years ago, you could have an antivirus, like a Symantec or a Norton antivirus. You could have a firewall, like a Check Point firewall. That would be two interfaces. So at that point, you also have - only have two log sources - two alert sources you can look at. Now there's 50 different tools. And the log sources - the level of information you have is just tremendous. There's no way to now leave all these different logs of information in separate tools. There's now a need to centralize all these logs to a central depository. And that's what the SIEM is here to do, which is, by the way, a very big undertaking - a lot of different log sources, a lot of different formats, how do they come together.

Meny Har: [00:06:45] And I think up until maybe a few years ago, they were also being used as an interface on the SOC. Once we have all those logs together and I'm an operating analyst sitting in the operation center of the organization - since all the logs are there and since I can define correlations to actually help me highlight the alerts I want to look at, that become the interface the analysts are working with. And it worked for a time until the attacker - until the level of attacks, the level of tools became a bit too much. And now there came a need for a toolset that is really focused on the operation side - right? - the SOAR itself, which is basically security orchestration, automation and response, right? That's kind of the acronym here.

Meny Har: [00:07:19] So once we have come to this point where there needs to be a focus on more of the operational side, how do we take all this information, all the different tools that we have - how do we operationalize to a way where now we can actually respond and be effective in our SOC? That's where the SOAR comes in, right? It comes to help you understand what is important, help you automate the things that you might not want to look at because there might be noise or false positive, which is a big problem these days, and also helps you create a process around how you should respond - or best practices around how you should respond to different alerts and actually help manage the operational side of security and not just the law collection or correlation of those.

Dave Bittner: [00:07:54] And is there a life cycle that most organizations go through? Do they start with one and grow into another, or do they dial it in depending on what their individual needs are?

Meny Har: [00:08:03] So as people - as organization look to adopt a SOAR today, especially media organization or large enterprises, they are in the place where they typically already have a SIEM in place because, A, they needed something before SOAR. There was still SOC. So it's typically in place. Another option is, a lot of the times, organization put in a SIEM for compliance purposes. They must maintain logs of X time or seven years for a specific audit they were doing. So a lot - SIEM, a lot of time, is mandatory for the business just to be able to maintain compliance.

Meny Har: [00:08:33] The second option we're seeing today - if I'm an organization building a SOC right now, then I might be looking at both at the same time, right? If I want to build a SOC end to end, I might take my SIEM. I might get a SOAR and have the whole thing together as I initially look at building a SOC.

Meny Har: [00:08:46] But there's also a lot to be done. And once all that information is collected, what should the analyst do with it? What decision should he make? What should he base his decision on? And that's where SOAR can help you, A, bring all this together in a very easy-to-use way, but also help guide your decision-making in a process that spans both man and machine.

Dave Bittner: [00:09:03] That's Meny Har from Siemplify.

Dave Bittner: [00:09:07] SafeGuard Cyber says the bad actors never left the European elections' fields of influence. They've been tracking bots, trolls and hybrids, all of which have been active against the electorates of Germany, Italy, France, Spain, Poland and the United Kingdom. A lot of the bots make pests of themselves by following the social media accounts of prominent European Union figures. A full 13% of Julian King's followers, for example, are bogus bad actors. Sir Julian is the European commissioner for the security union.

Dave Bittner: [00:09:39] In the U.S., outlines of Cyber Command's preparations to help secure the 2020 elections grow clearer. The command seems likely to take a more active approach, hunting for cyber operators and influence campaigns in foreign networks, The Washington Post reports. Bot herders and troll masters can, at the very least, expect some stern talking-tos by direct message.

Dave Bittner: [00:10:02] Another large cryptocurrency exchange has been looted. Binance, the world's leading alt-coin trading system by volume, lost some $41 million to hackers, Reuters reports. Binance, founded in China but now operating out of Japan and Taiwan, has suspended trading until it gets a handle on security.

Dave Bittner: [00:10:23] Closer to home, Baltimore's city government was hit yesterday by ransomware. It's not been a good couple of weeks around Charm City. The new mayor - and he's new because the old mayor resigned over some creative marketing of a children's book she'd written. The new mayor, His Honor Jack Young, took wearily to Twitter to let all of us here in the Land of Pleasant Living know that emergency services were unaffected and that the city would work to recover as quickly as possible. The precise strain of ransomware involved seems to be, so far, unknown, or at least undisclosed.

Dave Bittner: [00:10:56] In fairness to Baltimore, we must note that the city was hit in early 2018 about the same time Atlanta got clobbered, and Baltimore actually came out pretty well. It didn't take a financial bath. It switched quickly to manual backups, and it restored systems to essentially full capacity within 17 hours. We'll see how recovery proceeds this time. Maybe there's even a children's book in it - Hacker Holly, Ransomware Randy. Maybe not.

Dave Bittner: [00:11:25] Hey, we got a joke for y'all. You say that someone who speaks several languages is polylingual, and you call someone who speaks two languages bilingual, right? Well, what do you call someone who speaks one language? You call them American.

Sound Effect: [00:11:39] (SOUNDBITE OF RIMSHOT)

Dave Bittner: [00:11:40] That kills us every time we hear it. And, hey, we're Americans around here, so happy self-deprecation runs through our veins. Anywho, why are we sharing this particular witz, this bon mot with you today? We're prompted to do so by an article in Foreign Policy, which points out that for all the woofing about multiculturalism around Silicon Valley, greater Mountain View tends to be about as American as, say, Bugtussle, Okla., or Rabbit Hash, Ky. And this, they argue with some reason, might well induce people to cool their optimistic jets about how easy it will be to realize the ardor for content moderation forming along the San Francisco-Washington axis.

Dave Bittner: [00:12:20] We're fortunate at the CyberWire to have a linguistics desk that hips us to the nuances to be found in various foreign tongues. Like, for example, they've schooled us at great length about bad words and other lingos. Did you know, for example, that one swears quite differently in French depending upon whether one is Douai or Chicoutimi? We keep telling the desk that we're a family show and don't need to know this kind of thing. But they keep letting us know that, for example, in some Slavic languages, the names of certain diseases have the perlocutionary force of a good, old American f-bomb, but not in Russian. A Muscovite f-bomb's just like a New Yorker, except, strictly speaking, as the desk pedantically tells us, in Moscow, it's really more of a ye-bomb (ph). Go figure.

Dave Bittner: [00:13:08] Anyway, kids, study STEM, but don't blow off the languages either. And don't forget, for all you algorithms listening out there, content moderation ain't beanbag. Interpret that one, you decision procedure, you.

Dave Bittner: [00:13:25] And now a few words from our sponsor KnowBe4. Everyone knows that multifactor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, unhackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist, in an on-demand webinar where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:30] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.

Dave Bittner: [00:14:37] Ben, it's great to have you back. Interesting article came by from The Verge. And this is about folks using emojis in their communications and people in courts of law having to deal with that. What do we need to know here?

Ben Yelin: [00:14:51] So I got a big kick out of reading about this case. The case referenced comes from California. And a person under investigation of soliciting - or basically being a pimp, hiring prostitutes and the subject of a prostitutions sting had texted somebody using a crown emoji, high heels and a dollar sign. And that accompanied the message, teamwork makes the dream work. Prosecutors claim that the message implied a working relationship between a potential prostitute and this individual. The individual's defense was that he was simply trying to strike up a romantic relationship.

Ben Yelin: [00:15:32] But the fact that these emojis were used in the prosecution, I think, is both extraordinary and also becoming more common. You know, in terms of the reliability of emoji use, when we're talking about a criminal case, it seems rather unreliable. I don't know about you, but in my casual conversations, I will frequently use the wrong emoji.

Dave Bittner: [00:15:52] (Laughter).

Ben Yelin: [00:15:52] Or I'll use an emoji that might indicate something to me but indicate, you know, something else to a third-party observer, or even the person I'm speaking to.

Dave Bittner: [00:16:03] Right.

Ben Yelin: [00:16:04] They use an example in this article. One of the smiley faces that's used in the iOS emoji catalog looks a little bit different and less smiley when it makes its way into an Android user's device. And that could mean different things to the person who sent the emoji than to the person receiving them.

Ben Yelin: [00:16:24] When you think about the real-world analogue to this, you can probably glean some evidence from people's facial expressions or emotional reactions. Certainly, an excited utterance, which, you know, is somebody's instant reaction to an event that they see, is admissible in court. But emojis are vague enough and subject to such conflicting interpretations that I don't see how they could consistently be used as reliable evidence.

Dave Bittner: [00:16:52] I can't help wondering if we're going to end up with, you know, experts in emoji interpretation as - you know, hired for it by the prosecution or the defense.

Ben Yelin: [00:17:03] Yeah. I mean, maybe I have a future profession here, as someone quite familiar...

Unknown: [00:17:08] (LAUGHTER)

Ben Yelin: [00:17:08] ...With using emojis. But, you know, I'm trying to think of the most extreme examples possible. Not to make something too R-rated for this podcast, but if I was legitimately interested in cooking eggplant (laughter)...

Dave Bittner: [00:17:20] Right, right.

Ben Yelin: [00:17:21] ...And I sent that emoji and I had no idea that it was used in very different connotations...

Dave Bittner: [00:17:27] Right.

Ben Yelin: [00:17:27] ...And that ended up being used in evidence for my criminal prosecution, I mean, that would be fundamentally unfair to me. And also, it would be impossible to deduce my intention of sending that particular image. It would be up to a jury to decide whether - you know, a jury, as the finder of facts, decide whether I meant that as the literal vegetable or as the symbol that it's become in the emoji world.

Dave Bittner: [00:17:52] Yeah.

Ben Yelin: [00:17:52] So because of that unreliability, and because, you know, emojis mean different things to different people, I just don't see how it can be a reliable source of evidence.

Ben Yelin: [00:18:03] The other thing is that people make mistakes in which emojis they use all the time. Some emojis that might implicate somebody in criminal activity might be next to something that's completely innocent and innocuous, and somebody could've pressed it by accident. You'd hate to see somebody being sent to prison (laughter) because they pressed the wrong button on their mobile device. You know, I just don't see how emojis could ever be reliable evidence.

Ben Yelin: [00:18:31] You started to see emoticons show up in cases starting in the early 2000s. Those, to me - this may be a distinction without a difference, but it takes somewhat of a purposeful action to draft an emoticon, you know, although, most of the ones I use I copy and paste from the internet, like that shrugging emoticon. But making a - you know, a smiley face is a conscious action on the part of the person sending it, whereas selecting an emoji that may be subject to different interpretations isn't something that necessarily is conscious or purposeful. So I think there really is, possibly, a distinction between the two.

Dave Bittner: [00:19:16] How interesting for the judges and juries who have to contend with this stuff. And when your co-workers send around that text that asks, what's everybody in the mood for for lunch, no matter how much you want to have eggplant, don't send it out.

Ben Yelin: [00:19:30] Don't put the eggplant, yeah.

Dave Bittner: [00:19:31] (Laughter).

Ben Yelin: [00:19:31] Don't use the eggplant emoji.

Dave Bittner: [00:19:33] (Laughter) Right, right. Ben Yelin, thanks for joining us.

Ben Yelin: [00:19:35] Have a good one.

Dave Bittner: [00:19:40] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:41] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.