The CyberWire Daily Podcast 10.2.19
Ep 940 | 10.2.19

RATs, ransomware, payloads, and unsecured data: a look at the cybercriminal underground.


Dave Bittner: [00:00:03] Sodinokibi ransomware looks more like the child of GandCrab. And McAfee has some thoughts on how ransomware-as-a-service operates. FakeUpdates are back, and they're installing ransomware, too. The Adwind RAT is back and infesting a new set of targets. It's moved on from hospitality and retail and into the oil industry. Maliciously crafted ODT files are appearing in the wild. And a big database about Russian taxpayers has appeared in an unsecured Elasticsearch cluster. 

Dave Bittner: [00:00:39]  And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at That's And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at 

Dave Bittner: [00:01:56]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 2, 2019. 

Dave Bittner: [00:02:04]  Today's news is, for the most part, from private sector researchers, those who are watching the criminal underworld. Researchers at the security firm McAfee, for one, have been keeping an eye on the Sodinokibi ransomware strain - the one that's also known as REvil - since this past April. They've just published an update of their studies. 

Dave Bittner: [00:02:25]  Their blog begins with some foreshadowing. They note darkly that Sodinokibi turned up at about the same time the GandCrab hoods announced their retirement, saying they'd made enough money and proved to their satisfaction that anyone could easily find a profitable career doing evil. This prompts a reversal of the traditional question, why do bad things happen to good people? The really interesting question, if you follow GandCrab, is, why do good things happen to bad people? 

Dave Bittner: [00:02:54]  At any rate, GandCrab announces their retirement, and Sodinokibi turns up. So McAfee asks, coincidence, or is there more to the story? You see where this is going. McAfee unpacked Sodinokibi and found that it had a 40% code overlap with GandCrab version 5.03. So they think there's a better-than-decent chance that this is just the return of the GandCrab gang, back from a quick retirement, rested, refreshed and ready to make money while serving evil. 

Dave Bittner: [00:03:23]  Sodinokibi is sold in the criminal-to-criminal market as an affiliate scheme. In its ransomware-as-a-service model, one group maintains the code, which it licenses to the other criminals, who use it against their victims. Both sides realize certain advantages from the arrangement. From the developers' point of view, they get a cut of the ransom, and they even get to set targets for their affiliates. The affiliates run a great deal more risk than the developers, especially if those developers work from one of several countries that don't really regard developing malware as a crime worth punishing, provided you leave targets in that country alone. The list of languages Sodinokibi checks for and blacklists is instructive. They're spoken in Russia and the near abroad, plus Iran and Syria. 

Dave Bittner: [00:04:09]  The affiliate gets a good deal, too. They don't need to write the malware themselves. That learn-to-code stuff is for suckers, as long as you've got someone coding for you. There are low barriers to entry. If you're willing to be a criminal and if you can be accepted as such in the right dark web markets, then Bob's your uncle, and you can get down to shaking down hospitals, schools, small towns, anyone who needs their data but may not have thought through how to protect that data. When the affiliates do well, so do the developers. That's why GandCrab used to kick the nonperformers out of its affiliate network. And it seems to be no accident that some of its top affiliates have moved over to Sodinokibi. 

Dave Bittner: [00:04:48]  McAfee's researchers say that Sodinokibi is generally well-prepared malware, quality albeit criminal work. It's a serious threat. The evidence linking it to GandCrab is circumstantial but interesting. And the main point is this. Ransomware is a criminal business being run like a business, and it has the characteristic vulnerabilities of its business model. Want to see an affiliate model fail? Make the top affiliates unprofitable, or outcompete them with free decrypters. These are private sector solutions. If you carry a badge and a gun, then we hope you'll make good collars. 

Dave Bittner: [00:05:24]  Ransomware is clearly more than a nuisance, and it's very far from being victimless. Computing reports, for example, that hospitals in both the U.S. and Australia have been forced to delay elective surgery and otherwise turn patients away because of infestations in their systems. They are working hard to deliver urgent care, but it's difficult when you're working through the resistant medium of maliciously encrypted files. The U.S. health care facilities being hit this week belong to the DCH health system in Alabama. The Australian victims are in Gippsland and southwest Victoria. 

Dave Bittner: [00:05:59]  If you've ever been sued or have had the occasion to sue someone, you know that part of the legal process is discovery. These days, much of that process is e-discovery, dealing with all things electronic and online. Daniel Garrie is co-founder of Law & Forensics, a global legal engineering firm, and he's editor-in-chief of the Journal of Law & Cyber Warfare. He shares his insights on e-discovery. 

Daniel Garrie: [00:06:23]  Litigation often ensues around a breach or around all sorts of things - right? - firing employees, (unintelligible). There's all sorts of complicated issues that come up that involve lawyers. It's about the discovery of the responsive information relevant to that incident. Now, sometimes, discovery can also involve third parties, so a lot of vendors that collect logs or have cloud-based services or whatever will get third-party subpoenas in connection with discovery involving another case. Like, for example, they may want the endpoint log files that are hosted by a third party. The part involved in a data breach - one of the lawyers will - may have to subpoena that company, and there'll be discovery. So it's the process of getting information as it's connected to a dispute. 

Daniel Garrie: [00:07:07]  Now, there's also discovery in arbitration. There's also discovery in government investigations, and certainly in criminal cases as well. Those tend to be a little more draconian and arcane sometimes, or one-way, or, you know, better or worse, depending on the regulator. 

Daniel Garrie: [00:07:24]  And then you have state court lit. And I was just referring to federal court litigation earlier. State court litigation with state court judges is sort of - I don't want to say the Wild West, but it varies based on the knowledge and understanding of the judge. It's about going before a court and saying, look; we need this information to argue our case. It gets inherently more complicated because judges are generalists, and they're not, you know, the wise years (ph) of ones and zeros, so to speak. They hear murder cases, divorce cases, criminal cases, white-collar crime, contract disputes and everything else. When people come before them and say, oh, we want all of the email server, you know, it could be virtualized in the cloud, and the judge will be like, I don't know what any of that means. And so articulating what's reasonable to get that information back-and-forth is sort of discovery. 

Dave Bittner: [00:08:13]  So when things go wrong when it comes to discovery, what are the things that you typically find yourself up against? 

Daniel Garrie: [00:08:22]  It ranges, but usually, it can be very - you know, from helping the parties - you know, for example, there's a case involving Amazon and several different cloud-based service technology providers - a case called CDS v. Rapid Systems in New York in the southern district - where I was tasked with basically creating a set of protocols and constructs so parties could have coequal access to a cloud-based platform. As they proceeded to litigation - fairly complicated because of a virtualized private cloud, and the court had no idea what the parties were fighting about or how to grant - so this type of thing. So I got appointed by the courts in federal court to create - as a technical special master to resolve all the issues and create a set of protocols so the parties could functionally operate and update the product and release the product. They had different customers and different, you know, instances of the cloud but the same source code base. So stuff like that. 

Daniel Garrie: [00:09:20]  And then we have, like, Small v. UMC, where the core, you know, point to me was a sort of mandate of resolving, you know, a wide range of e-discovery issues. And as I said at the beginning, it's about finding the right information. And it ranges from parties and lawyers don't know how to properly extract or collect the information to the vendors they hire don't do the right work to, you know, just outright perjury and lying by parties about what they did or didn't do. I often tell people, you know, I'm very fortunate because ones and zeros frequently don't lie. You know, there's inevitably issues. 

Dave Bittner: [00:09:57]  That's attorney Daniel Garrie. He's one of the featured speakers at the upcoming Sixth Annual Cyber Warfare Symposium. That's October 17 in New York City. It's sponsored by the Journal of Law & Cyber Warfare. 

Dave Bittner: [00:10:12]  Netskope has been following the spread of the Adwind RAT and warns that the remote access Trojan is now being used against a different sector. Adwind has hitherto been observed in use mostly against retail and hospitality targets. It's now in active use against the U.S. oil industry. The RAT's functionality includes capturing webcam images, scanning for files based on specific extensions, performing injection into known legitimate Windows processes, monitoring system status and exfiltrating data to its command-and-control server. The current versions of Adwind seem to be showing improved obfuscation capabilities as well. 

Dave Bittner: [00:10:51]  Cisco's Talos group finds that criminals are looking into the possibility of using maliciously crafted ODT files in an attempt to bypass detection by commonly used security programs. The current campaign is still small, but it's used ODT files to distribute RevengeRAT and njRAT payloads. OpenOffice and LibreOffice users, take note. 

Dave Bittner: [00:11:14]  And finally, Comparitech reports finding personal information on some 20 million Russian taxpayers exposed online in an unprotected Elasticsearch cluster hosted on an Amazon cloud. The exposed data include basically the whole shebang - names, addresses, passports, tax IDs and so on. Here's a question for the tax man. In a country whose internet policy is as self-sufficient as Russia's has become, what are income tax data doing on Amazon? Maybe the owner of the data could shed some light on this. Unfortunately, Comparitech hasn't been able to find that person or organization, but they seem to be somewhere in Ukraine, so maybe this owner owns the data kind of on the side. 

Dave Bittner: [00:12:01]  And now a word from our sponsor Edwards Performance Solutions. It's commonly accepted that cybersecurity is a business risk, not an IT problem. What may not be as commonly accepted is that cybersecurity needs to be an integral part of every business strategy and that cybersecurity can actually be an asset to your business. Achieving this outcome is a journey. The journey starts with an understanding of what information is important to the business, what business processes generate, use, store or transmit that information, and what are the rules and regulations impacting the information? The next part of the journey is understanding the risks to the business and those information assets, followed closely by establishing a governance structure to manage those business risks. This includes managing the risk to your supply chain. The journey is not an easy one and is fraught with roadblocks and obstacles. You may need a guide. Edwards Performance Solutions is ready to be your guide in this journey. Please visit their website,, to learn more. That's And we thank Edwards Performance Solutions for sponsoring our show. 

Dave Bittner: [00:13:21]  And I'm pleased to be joined once again by Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. We had word come by that the city of Huntington Park in California has a new addition to their police force. What's going on here? 

Ben Yelin: [00:13:42]  So the Huntington Park Police Department announced this past June the addition of a robot police officer, or as they call it, a HP RoboCop. This is a 400-pound security robot. It roams through the streets of the city of Huntington Park. And to just to try and create an image for people, to me, it looks like a - the offspring of EVE from the "WALL-E" movie, R2-D2 and maybe a little bit of the coneheads in there - just the shape of the head.

Dave Bittner: [00:14:16]  (Laughter) Yeah. 

Ben Yelin: [00:14:16]  It looks rather silly, something that seems like it would be in a really bad science fiction movie. 

Dave Bittner: [00:14:22]  It's not intimidating. That's for sure. 

Ben Yelin: [00:14:24]  It does not seem intimidating. 

Dave Bittner: [00:14:25]  Maybe it's not supposed to be. 

Ben Yelin: [00:14:27]  I feel like I would just laugh if I saw a RoboCop. 

Dave Bittner: [00:14:30]  OK. 

Ben Yelin: [00:14:30]  But then when you dig into the details, it becomes not as much of a laughing matter. Part of it is based on these surveillance capabilities of this robot. So the company that produced it says that this robot is, quote, "a fully autonomous security data machine," meaning they basically observe everything around them, take real-time photos and videos and are just constantly collecting data on what they see. 

Ben Yelin: [00:15:00]  And the purpose of that, from the city's perspective, is to fill in blind spots. So if you can't have law enforcement at all locations at all times and you can't have traditional surveillance techniques, like plain, old security cameras, you can have these robots going around corners and into alleyways where there might not be persistent surveillance. 

Ben Yelin: [00:15:21]  What was particularly disturbing to me is the company trying to describe why this particular robot wouldn't generate false positives - in other words, identify people as security threats when they are not actually security threats. And the answer was something like, well, RoboCop has the power to distinguish between the good guys and the bad guys. They'll know, you know, what makes a criminal. And... 

Dave Bittner: [00:15:46]  I know it when I see it. 

Ben Yelin: [00:15:47]  I know it when I see it. 

Dave Bittner: [00:15:48]  (Laughter). 

Ben Yelin: [00:15:49]  And they can place - you know, once they determine that someone's a bad guy, they can put the - that person's face through their facial recognition software. They can red-flag that person. And they can collect IP addresses. They can identify that person's smartphone if it's in a particular geographical range. So this is, you know, pretty disturbing in that oftentimes, AI is extremely biased, as we've seen in all sorts of previous studies. 

Ben Yelin: [00:16:19]  In terms of legal recourse, I mean, we have this public view doctrine, which means if you are out in public and a member of law enforcement observes you doing something, you have no reasonable expectation of privacy. That's fair game for a prosecutor to use in a criminal court case. 

Dave Bittner: [00:16:40]  Right. 

Ben Yelin: [00:16:41]  We've talked a lot on this podcast, Dave, about applying that doctrine to all sorts of modern technology, so license plate readers, aerial surveillance. When you start to talk about, you know, these RoboCops, it's so far beyond the traditional understanding of the public view doctrine because we're just expanding the universe of what can be seen in public view to such an absurd degree. I don't think a court, at this point, would accept the argument that the public view doctrine shouldn't apply when we're dealing with these RoboCops or other extremely persistent forms of surveillance, but I think it's something in the long term they're going to have to consider. 

Dave Bittner: [00:17:23]  Well, how is this different from, say, a security camera on a telephone pole up in the corner of the public park versus this being that can just move around? It's a camera that can move from place to place, and its very presence improves the security because it's an active reminder to folks that safety is a priority here in our public space. 

Ben Yelin: [00:17:50]  RoboCop is on the beat. 

Dave Bittner: [00:17:52]  (Laughter). 

Ben Yelin: [00:17:52]  Yeah, control yourself, people. 

Dave Bittner: [00:17:53]  Right. 

Ben Yelin: [00:17:54]  Yeah. I mean, you know, with a security camera, there's generally a level of notice. So people can see the cameras. They'll realize that they're under surveillance. I assume if you see one of these guys, these RoboCops going through the park, perhaps you'll adjust your behavior as well. 

Ben Yelin: [00:18:10]  But, you know, I think that the other big difference is the area that can be covered. You can put up a million different security cameras, and there are going to be little nooks and crannies within a jurisdiction that aren't going to be subject to their coverage. And when you have RoboCops on wheels, they're going to be able to go into back alleys and obscure areas of public parks where security cameras will not be able to reach. So the surveillance is more persistent. 

Ben Yelin: [00:18:39]  And then also, the smart elements of this particular surveillance tool. So the ability to take in more information than simply a video or a photo, to do real-time analysis, to do profiling - those are also types of things that don't exist in traditional video surveillance. 

Dave Bittner: [00:19:02]  Well, and for anybody who is familiar with the original "RoboCop" movie, please put down your weapon. You have five seconds to comply. 

Ben Yelin: [00:19:10]  Yeah, exactly. Exactly. I never thought "RoboCop" would come to life in this capacity, although "RoboCop" the movie would've been far less interesting if the RoboCop looked like this little guy, who... 

Dave Bittner: [00:19:20]  Right. 

Ben Yelin: [00:19:22]  ...Just does not seem super intimidating to me. 

Dave Bittner: [00:19:24]  Yeah, yeah. All right, well, we'll see how this one plays out. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:30]  Thank you. 

Dave Bittner: [00:19:36]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:48]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.