The CyberWire Daily Podcast 5.10.16
Ep 96 | 5.10.16

Ransomware evolves (and gets brutal). Dataminr blocks IC--bad Gov-industry blood?

Transcript

Dave Bittner: [00:00:02:24] The Bangladesh Bank hack investigation is looking at insiders and technical issues. ImageMagick continues to be exploited in the wild. A Viking Horde turns up in the Google Play Store. CryptXXX ransomware evolves beyond decryption tools. Triumfant updates us on Locky. Ambivalence about information sharing turns up in industry. Accenture's Malek Ben Salem talks big data security frameworks, and the Panama Papers database seems unlikely to bring down any more governments.

Dave Bittner: [00:00:34:09] This CyberWire podcast is brought to you by Recorded Future, the real time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at recordedfuture.com/intel.

Dave Bittner: [00:00:58:22] I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, May 10th, 2016.

Dave Bittner: [00:01:04:16] There are some recent developments in the Bangladesh Bank hack story. Investigation appears to be following two lines. One of those lines leads toward insiders. The Wall Street Journal says the US FBI has evidence that at least one bank employee was involved in the diversion of funds into a bogus account. Anonymous sources have also told the Journal there are reasons to think that individual may have had several accomplices.

Dave Bittner: [00:01:28:14] The other line of inquiry runs toward alleged vulnerabilities in the SWIFT system used to manage international funds transfers. Authorities in Bangladesh claim they see signs of poor technical practices, including questionable password management, that rendered the bank open to hacking. They want to interview SWIFT technicians, a police official told Reuters, "to determine whether their actions were intentional or negligent." SWIFT, for its part, dismisses the Bangladesh police allegations as "false, inaccurate, and misleading."

Dave Bittner: [00:01:58:10] Representatives of SWIFT, the Bangladesh Bank and the New York Federal Reserve Bank are meeting today in Switzerland to discuss the incident.

Dave Bittner: [00:02:07:06] On the malware and exploitation fronts, ImageMagick vulnerabilities continue to be exploited in the wild. Newer versions of the popular software aren’t vulnerable, but older instances remain in widespread use. Policy-based mitigations are available for those older versions.

Dave Bittner: [00:02:23:06] Check Point warns that another serpent is frolicking in the Google Play Store’s walled garden. They’re calling it “Viking Horde,” and while its principal purpose seems to be ad fraud, it could easily be adapted to herding bots for spam and DDoS campaigns.

Dave Bittner: [00:02:38:23] CryptXXX is that nasty strain of ransomware for which Kaspersky recently developed and released a decryption tool. Well, CryptXXX has evolved. Proofpoint says the ransomware is now able to evade that decryption tool. The CryptXXX authors are also thought to be responsible for the long-familiar Reveton malware, and have been closely tied to the Angler exploit kit. They’re also distributing it through new vectors. The Register reports that the Hollywood gossip site perezhilton.com has been compromised to serve up CryptXXX.

Dave Bittner: [00:03:11:06] Bucbi ransomware, little seen since its discovery in 2014, appears to be making a comeback. Palo Alto Networks researchers have found it brute-forcing its way into servers via vulnerable remote-desktop protocol connections. This mode of attack, unusual for ransomware, seems connected to a wave of RDP capers against corporate networks, which Fox-IT reported last week. Palo Alto says the criminals behind Bucbi claim to represent the "Ukrainian Right Sector", a political organization opposed to Russian involvement in Ukraine. But this could well be a false-flag, or provocation, especially since, as Palo Alto points out, the use of the GOST algorithm suggests a Russian provenance for the exploit. As usual, attribution is murky.

Dave Bittner: [00:03:57:18] Other strains of ransomware remain a threat. We spoke to Triumfant’s CEO, John Prisco. His company recently completed a study of Locky, and here’s what he had to tell us.

John Prisco: [00:04:07:21] We came across it as a result of finding it at a customer's site, and then we were asked to build signatures, or filters, to identify it when it was seen again. We set about to prove that signatures would be useless in detecting Locky, and we did prove that, because the malware attack mechanism morphed five times within a 24-hour period. So, if I write a signature to catch it, it's going to morph into something else so that my signature is useless.

Dave Bittner: [00:04:46:24] Prisco says their approach at Triumfant is to monitor the user's system, to establish what normal use looks like.

John Prisco: [00:04:54:14] When processes begin to deviate from the norm, we see that deviation and we record it as an anomaly. Locky is like any other process - it has to run on your computer for it to be able to begin doing its damage. When we see a rogue process running, we find it, we identify it as malicious, and we shut it down.

Dave Bittner: [00:05:20:00] It's a combination of proactive techniques, trying to identify Locky before it takes hold, and reactive ones, acting quickly when the system detects the intrusion.

John Prisco: [00:05:29:04] Any virus which is effective in about 20% of all attacks shuts processes down in a hurry. But it only shuts the ones down that it has a signature for. So, the best of both worlds is to be able to identify something without a signature, and to shut it down quickly, and that's a tall order. So that's why Locky, and other ransomware has been so successful. We are working on speeding up the process. We've got the accuracy down pat, now we have to speed it up so that we can shut these processes off in milliseconds.

Dave Bittner: [00:06:08:09] That's John Prisco, from Triumfant. Their website is triumfant.com, spelled with an F instead of a PH.

Dave Bittner: [00:06:17:11] The security industry is showing some understandable ambivalence about information-sharing. Zero-day vendors are feeling the heat. Their alleged unwillingness to tell defenders about the exploits they’ve discovered is seen as weakening security generally.

Dave Bittner: [00:06:31:01] Some security start-ups dislike the decision by Google, and its partners, to restrict VirusTotal access to just those who contribute to it. VirusTotal administrators explain the new policy this way: "All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API service. Additionally, new scanners joining the community will need to prove certification and/or independent reviews from security testers, according to best practices of Anti-Malware Testing Standards Organization."

Dave Bittner: [00:07:09:05] And Twitter’s move to block Dataminr from feeding the US Intelligence Community is called, by eWeek, the foreseeable fruit of a bad relationship government has allowed to develop between itself and the IT industry.

Dave Bittner: [00:07:21:11] Finally, the world, including us, has been waiting for access to the Panama Papers searchable database. But, since the data hit the Internet yesterday, the results have been disappointingly unsurprising, and don’t seem to contain anything likely to bring down any more governments.

Dave Bittner: [00:07:37:24] Canadian tax enforcement authorities are taking an interest in the database, as are transparency advocates in New Zealand.

Dave Bittner: [00:07:44:05] There are a few more than 30 US citizens who appear mentioned in dispatches, but they seem, for the most part, people who’ve been involved in quite public investigations of various forms of allegedly dodgy behavior over the last couple of decades. We searched, because we knew you’d ask, for all three currently active major party US Presidential candidates - no joy, kids. Also no Satoshi Nakamoto, but we admit it was a casual search - no spouses, known aliases, etcetera.

Dave Bittner: [00:08:13:09] So, while we won’t say there’s nothing to see here, move on, we ourselves will move on. Everyone else, feel free to gawk.

Dave Bittner: [00:08:51:15] Joining me is Malek Ben Salem. She's the R&D Manager for Security at Accenture Technology Labs, one of our academic and research partners.

Dave Bittner: [00:08:59:04] Malek, I know one of your areas of research is big data, and I'm curious, what are the challenges, when it comes to security, when dealing with big data?

Malek Ben Salem: [00:09:07:08] Security and privacy challenges are magnified by the velocity and the volume, as well as the variety of big data. Organizations have to understand how sensitive the data they capture is, in order to be able to apply the right security controls to it. They have to understand how they're using that data, so that they can manage it and store it properly. If it's used frequently, it has to be stored in datalinks that are easily accessible with the right security controls. If it's not used frequently, they have to think about how long they need to keep it. They need to think about who gets access to the data, especially if it's in a big data platform where it's stored in a distributed fashion. And they have to, obviously, have a data recovery plan in place for it.

Malek Ben Salem: [00:10:10:00] Based on those challenges, in terms of volume, variety is mostly, as well as the velocity, that that data is captured. We need real time mechanisms to be able to label the data as sensitive or not, analyze it in real time, and apply the access control mechanisms in a real time manner, as well.

Dave Bittner: [00:10:33:01] What exactly does that mean, when you're talking about the real time analysis of that data?

Malek Ben Salem: [00:10:38:01] So what I mean is, the ability to look into the data in real time, and identify how to classify it. Is this sensitive data? Is this extremely confidential, highly confidential data? Or, is this data that can be open for access to all employees in a company, for example, in order to encourage innovation and sharing? Those decisions have to be made quickly, as the data is being gathered, as otherwise companies will be behind in terms of applying the right security controls on that data.

Dave Bittner: [00:11:19:20] Alright, interesting stuff. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:11:25:23] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your product, service or solution in front of people who want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors to find out how to sponsor our podcast or daily news brief.

Dave Bittner: [00:11:49:09] The CyberWire is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.