The CyberWire Daily Podcast 7.16.19
Ep 885 | 7.16.19

GandCrab hoods may be back with new ransomware. Video-on issues. Broadcom-Symantec talks are off, for now. Treason or just business? Robo-calls. A decryptor for Ims0rry ransomware.


Dave Bittner: [00:00:03] The retirement of GandCrab's hoods may have been exaggerated. Video conferencing tools RingCentral and Zhumu may have picked up Zoom's issues in the tech they licensed. Broadcom's projected acquisition of Symantec is on hold, at least for now. One Silicon Valley executive calls another company treasonous. The U.S. FCC wants to rein in robocalls. And there's a free decryptor out there for Ims0rry ransomware. 

Dave Bittner: [00:00:36]  It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:42]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at 

Dave Bittner: [00:01:57]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 16, 2019. The gang behind GandCrab ransomware may have said it folded its tent after making plenty of money and deciding that people had learned their security lessons and could now be left unmolested. But their retirement may have proven as exaggerated as their altruism, which no thinking person ever took particularly seriously. KrebsOnSecurity offers some reason to think they might have pitched their tent on fresh criminal ground. This time, they seem to be involved with the REvil strain of ransomware, also known as Sodin and Sodinokibi. Expect to hear about more infestations in the future. In general, the hot targets for ransomware these days seem to be municipal governments and school districts. They depend upon their data being available, but they're often poorly protected. 

Dave Bittner: [00:02:53]  Two other video conferencing services appear to be vulnerable to the same security issues that Zoom confronted last week. The video-on problem also afflicts RingCentral and Zhumu, BuzzFeed reports. It's not surprising, as both companies license Zoom technology, and their white-badged versions are susceptible to the same problems. 

Dave Bittner: [00:03:15]  Broadcom's proposed acquisition of Symantec is on indefinite, perhaps permanent hold. The two companies suspended talks when Symantec balked at going below its asking price of $28 per share, thinking that anything less would amount to an unacceptable undervaluation. The news drove down Symantec stock yesterday. The company's stock price closed at $22.84 Monday for a drop of 10.7%. Broadcom's stock closed up a bit, rising 1% to $288.34. The deal might not be off entirely, however. CRN reports that Broadcom hasn't yet given up on the deal and that talks could resume at some future point. 

Dave Bittner: [00:03:58]  Peter Thiel, Palantir chairman and co-founder, on Sunday, called for an investigation of Google for treasonous behavior with respect to China. He suggested that the company had been thoroughly penetrated by Chinese intelligence agents and that its willingness to work on a search engine for Chinese use that would be managed and closely censored by Beijing, while at the same time declining work on U.S. defense projects, raised questions about Mountain View's trustworthiness. He's not saying Google and Huawei are toss-ups as far as security is concerned, but his remarks tend in that direction. BGR's take on the story points out the possible hypocrisy, observing that, to be sure, Google hasn't covered itself in privacy and free speech glory lately, but then neither has Facebook. And then it goes on to note that Thiel serves on Facebook's board. Well, privacy shenanigans surely fall short of treason, which the Constitution primly restricts to levying war against the United States or in adhering to their enemies, giving them aid and comfort. And besides, you'd need either two witnesses or a confession in open court. In fairness to Mr. Thiel, he's probably speaking metaphorically, but perhaps there's also a bit of glass in that house from which the stone is being cast. 

Dave Bittner: [00:05:15]  Independently of Thiel's remarks, the Intercept has published a report noting Google's cooperation with Chinese spyware vendor Semptian. Semptian's products are widely used in China, and they found a ready market in repressive regimes across the Middle East and North Africa. 

Dave Bittner: [00:05:32]  Oracle recently released a report titled "Security in the Age of AI," the result of research on how c-suite executives, policymakers, and the general public view cybersecurity and technology. Wim Coekaerts is senior vice president of software development at Oracle. 

Wim Coekaerts: [00:05:49]  So if you look at it at the high level today, I guess it's a two-part answer to this. One is, on premises, of course, you know, security is important. However, security software using AI and ML is not quite incorporated yet. There's very little use of AI or machine learning on premises by the industry in general. When it comes to cloud computing, the major cloud vendors have been working on incorporating machine learning and visual intelligence across different areas of cloud, whether it's security or basically looking at availability of systems and optimizations from a performance point of view. 

Wim Coekaerts: [00:06:23]  From a security point of view, it's certainly been the most important one. What I mean by that is, we often talk about robots, and it's harder for humans to react very quickly to huge incoming threats, such as a denial of service attack or swiftly responding to being able to take systems offline or disable network ports or so. And we've seen that be a very important part for artificial intelligence and machine learning to play a huge role. And it is detecting and looking at different access patterns, you know. Whether it's daytime access, then suddenly something happens at night, machine learning algorithms can be trained on that and swiftly respond to it. And that's different from humans that are looking at a screen and don't actually know what's going on or don't have the history to respond to that. So it's a - but in cloud computing, security is definitely - certainly, at Oracle security, is a No. 1 priority. It's absolutely critical for us and our customers that we protect our data. 

Wim Coekaerts: [00:07:19]  And one of the things that I believe is probably important to mention is that cloud providers can scale. We have a lot of security experts that are well-trained. One advantage of cloud computing, also, is sort of the cookie-cutter model. There is a lot of homogenous deployments of environment. We know exactly what's deployed in data centers. Every single server is accounted for, you know, every VM. That also helps machine learning. The only way machine learning algorithms get really good is by providing it huge amounts of data. At cloud scale, we provide massive amounts of log files and action patterns to these algorithms, to get them more tuned and optimized for having no or very few false positives so that we're very efficient here. And that's really only possible when you have a cloud scale model, and it makes it much more difficult for on-premises customers that want to be in charge of their own security to do the same thing, basically. 

Dave Bittner: [00:08:12]  Yeah, it's interesting because I wonder myself if there's been, over the past - oh, I don't know - year or so, sort of a recalibration, particularly at the C-level, when it comes to how people are thinking about artificial intelligence and machine learning. You know, a few years ago, certainly from the vendor side, AI and ML was a huge focus. There was just a huge push on it. Partly, like what your report bears out here, is that people seem to be recognizing that it has a part to play but not at the expense of the human side of things. 

Wim Coekaerts: [00:08:42]  Again, it's interesting in the context of on-premises and the move towards cloud. And it's a certain segment of customers that are still not quite cloud-ready, so to speak, or they're seeing this move to go into a cloud vendor in the next few years. And when that's the case, they likely will focus more on the human aspect because, like I mentioned before, a lot of these machine learning techniques apply at scale, and it's not as efficient or necessarily as effective when deployed within the smaller data center, right? And so if companies that are looking at moving to the cloud will likely see local security experts hiring people, trying to get their existing deployment sort of cleaned up - you know, know what's installed and so forth - they'll probably focus more on the human aspect. And then companies that take that step towards cloud computing sooner rather than later, they automatically get the benefits from the machine learning as provided by the cloud vendor. 

Wim Coekaerts: [00:09:37]  And one thing to keep in mind is that retrofitting existing data centers from a security point of view is very difficult. And it really starts with doing an inventory of the systems you have. And when you look at somebody's security breaches - right? - one example there, you know, 99% percent of the real estate was known and was patched; 0.1% was just one server running one application server that, by action, it wasn't patched. And that's how they got in. Is that a security software issue? Well, on the front end it is, but on the back end, it's basically a system administration issue where all these existing homegrown data centers have so many servers with different operating systems, with different server models, different architectures, different vendors that are all interconnected, and it's just near impossible for existing data centers to purely secure it just because of its heterogeneous nature. And so that just requires humans to just basically go on the data center floor and say, what's this server? Have we identified this and what software is running on it? Part of what makes customers nervous is the unknown of, where do we start, where do you stop? So that's certainly an important aspect of educating how cloud security is beneficial but also how that works. 

Dave Bittner: [00:10:56]  That's Wim Coekaerts from Oracle. The report is titled "Security in the Age of AI." 

Dave Bittner: [00:11:03]  Tired of robocalls? Our favorite is a call one of our stringers got years ago while living in Oklahoma - good evening, said the robot, off to a good start. Although I am a recording, I hope you will have the courtesy not to hang up on me. Hah. Yeah, right, 3PO. Our stringer says he courteously heard the recording out but can’t recall exactly what it was selling, although whatever it was could probably have been for the cheaper at the Lawton Mall. The mid-1980s were crazy like that, but those proto-robots were winsome - at least the Okie versions were. But that was the early paleorompotic (ph) era. Now the calls have evolved beyond the entertaining and the naive, and the current versions are a lot more intrusive. They’ve been for some time a pervasive nuisance. And now they seem to make up the same fraction of inbound calls as junk mail takes up in the local letter carrier’s mail bag. 

Dave Bittner: [00:11:53]  Telcos have been discussing controlling robocalls for some time, with a few having announced the pending availability of tools designed to let customers block the robots. The U.S. Federal Communications Commission is unimpressed by their efforts. Commissioner Geoffrey Starks last Thursday released the responses the FCC received from the phone companies to its request for information about what they were doing about robocalls. Commissioner Starks wrote, quote, "Reviewing the substance of these responses, by and large, carriers’ plans for these services are far from clear. In our action last month, the commission committed to studying this issue and delivering a progress report within a year. If we find that carriers are acting contrary to our expectations, we will commence a rule-making. To that end, as I noted in my letters, I expect to be updated by carriers as progress is made on offering free call blocking services and recommend that carriers not stop until the job is finished. The sooner, the better," end quote. Note the emphasis on free, as some of the robo-killers on offer have been paid options you could add to your phone service. 

Dave Bittner: [00:12:58]  And finally, with all the problems people have been having lately with ransomware, especially local governments, it's nice to close with some good news. Emsisoft has released a free decryptor for the Ims0rry strain of ransomware. So bravo, Emsisoft. 

Dave Bittner: [00:13:18]  And now a word from our sponsor, KnowBe4, the experts in new-school approaches to defeating social engineering. You ever wonder how hackers and con artists know so much about their targets? Basically, there's more information out there on everyone than you'd like to believe. There's even a name for it - open-source intelligence, OSINT. Kevin Mitnick, KnowBe4's chief hacking officer, can show you what the bad guys can find out about you. Go to and register for a free webinar with people who know a thing or two about mind-blowing, underground OSINT secrets that you need to know. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:12]  And joining me once again is Emily Wilson. She is the VP of research at Terbium Labs. Emily, it's great to have you back. You and your team over at Terbium recently published some reports on fraud and transnational crime. This is called "The Next Generation of Criminal Financing." What do we need to know about this? 

Emily Wilson: [00:14:30]  So I've been hearing anecdotally for a few years from law enforcement here in the U.S. and international law enforcement that they've seen more and more stolen payment cards showing up in organized crime groups and street gangs. Of course, we've seen this play out in the cybercrime realm as well. But hearing from people that this is an issue on the ground, we wanted to look into it and see what the problem actually looked like because, a little surprisingly, there isn't really data available on the scale of stolen payment cards being used by organized crime groups out of Eastern Europe. That seems like the kind of thing we would know already, but we don't. 

Emily Wilson: [00:15:08]  So we set out to look into this, looking at criminal cases in North America and the U.S. and Canada and from a variety of countries in Europe to see where we could find links between payment card fraud and these major sort of international, pernicious crimes - like organized crime groups, like terrorist financing, things like human trafficking and drug trafficking - just to see where that shows up and see if we can get a better sense of the problem. And that's what we turned into this report that you're referencing here - looking at sort of the distribution of these crimes across North America and across Europe to see how and where stolen data is being used for this and sort of tip of the iceberg of how big the problem actually is. 

Dave Bittner: [00:15:49]  So let's dig in then. Can you give us a couple examples of what you found? 

Emily Wilson: [00:15:53]  One of the cases studies that really stands out to me is a Sri Lankan organized crime group based in Canada, running international carding operations, in this case, out of Australia, out of a grocery store in Australia. And they effectively found a grocer who was willing to let them install a compromised point-of-sale system. They sent over an agent to help install it and recruited someone locally to sort of take the fall for it, someone who would be a shop boy who would sort of show up for a few weeks and work there and then disappear once they'd finished their skimming ring. They sent over parts of this point-of-sale system, this compromised point-of-sale system, from Canada and from the U.S. And in the end, it turns out the whole operation was being financed by some unknown individual out of the U.K. who had commissioned a certain number of cards to be skimmed. 

Emily Wilson: [00:16:40]  And, you know, this is one of those examples where you have four or five different countries at play here. You have people being, you know, sent around the world and promised different locations they're going to be moved to afterwards to, you know, hide out and wait for the heat to die down. And in conversations that law enforcement recorded between a few different operatives in this organized crime group, they were bragging about how they really got this operation down to a science - you just move people around. We send them here; we send them there. And it seems like they were willing to take sort of commissioned efforts from anywhere around the world. That's just one example of the sort of physical skimming ring that we would come to expect. 

Emily Wilson: [00:17:17]  We also saw instances where stolen payment data was used to buy plane tickets for human trafficking victims, to move them out of Turkey to some other location and then to purchase the hotel rooms they were actually going to hold these victims in while they got new identities created for them, right? We see sort of these purchasing patterns for all of the operational costs of these groups might experience, which makes sense. If you're an organized crime group, why would you tie your own name to these purchases you're making, and why on earth would you spend your own money on it when you could just use someone's stolen credit card and the bank is going to just write off the charges? 

Dave Bittner: [00:17:53]  The sophistication and the complexity here is primarily to try to evade law enforcement? 

Emily Wilson: [00:18:01]  I think it's partially to try and evade law enforcement; I think also just the pure financial costs involved here, right? There are times when we see sort of law enforcement evasion, as with the human trafficking ring or perhaps with this carding ring that I mentioned. There were other examples - I'm thinking here in particular about some of the material support to terrorism cases that we saw, where you have someone who is working on creating terrorist propaganda for ISIS and then is using stolen payment cards to sort of just fund their lifestyle choices - to buy clothes and buy food. And that's a little bit less to evade law enforcement and a little bit more, you know, I just don't want to spend my own money on this. You know, fraud isn't really a crime, in this guy's eyes, so I'm going to just use someone else's cards to buy all of my expensive clothing. 

Dave Bittner: [00:18:46]  Well, it's an interesting report. It's "The Next Generation of Criminal Financing." Emily Wilson, thanks for joining us. 

Emily Wilson: [00:18:53]  Thank you. 

Dave Bittner: [00:18:58]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:11]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.