The CyberWire Daily Podcast 11.14.19
Ep 970 | 11.14.19

PureLocker ransomware. APT33 update. Hong Kong and information war, in the courts and on PornHub. Facebook content takedowns. Alleged criminals prepare to face the court.


Dave Bittner: [00:00:03] PureLocker is a new ransomware strain available in the black market. APT33 is showing a surge of activity; lawfare and information operations in and around Hong Kong. Facebook takes down content for violating its community standards. And two alleged cyber criminals are facing charges. One is allegedly the former proprietor of Cardplanet. The other was selling a remote administrative tool the RCMP says was really a different kind of RAT. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:54]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 14, 2019. Researchers at security company Intezer and IBM's X-Force warn of a new ransomware strain, PureLocker, which attacks enterprise production servers. PureLocker, the researchers believe, is associated with the criminal groups Cobalt Gang and FIN6, who are thought to have obtained it on the black market from a malware-as-a-service provider. PureLocker is stealthy. If it detects itself running in a debugger environment, for example, it exits. It also deletes its payload after its work is done. It has cross-platform capabilities. The ransomware is written in PureBasic, which makes it relatively easy to use against Windows, Linux and Mac OS machines. PureLocker is also selective. It avoids encrypting executables, concentrating on data files. Once it's infected a machine, it leaves its ransom note on the desktop written in the now-traditional non-native speakers' English. 

Dave Bittner: [00:03:01]  Researchers at the security firm Trend Micro describe renewed activity by APT33, the suspected Iranian threat group active against oil, gas and defense targets. The targeting is said to be narrow. The group uses commercial VPNs for reconnaissance and staging. Most of APT33's interests lie in the oil industry supply chain, but it's also focused on other targets of interest, including a European politician's private website - used to spear phish oil industry companies - and a potable water facility used by the United States Army. Much of the activity Trend Micro describes appears to be reconnaissance and staging, but Trend Micro warns even those indicate a major risk given APT33's record of using destructive malware. 

Dave Bittner: [00:03:52]  Unrest in Hong Kong continues, as do lawfare and information operations waged from Beijing. The Internet Society has protested a ruling by the Hong Kong High Court that effectively criminalizes using the internet for communications not in the government's interest. The proscribed communications are ones that nominally promote violence. But the ruling seems more expansive than that. It's also likely, the Internet Society believes, to exert a chilling effect on online communications with attendant pressure on platforms to air on Beijing's side when they perform content moderation. The Internet Society has filed a petition with the High Court to overturn the ruling. 

Dave Bittner: [00:04:36]  And in the face of widespread takedowns of coordinated inauthenticity, Quartz reports that Beijing's line on Hong Kong is being circulated through an unlikely channel - Pornhub, which is exactly what its name suggests. Much of this activity seems the work of centrally inspired but independently operating patriotic actors. One imagines that Pornhub visitors who expected to find saucy videos were disappointed to find themselves offered edification on the bad faith of Hong Kong protesters, or cockroaches as the Beijing line calls them. It's as if one were to walk into what one had taken for a gentlemen's club and instead found that one had actually wandered into a Legion hall. Some of the videos have highlighted violence to represent the protesters as right-wing thugs. One incident in particular - tragic, repellent and utterly discreditable - showed a man disagreeing with the protesters being murdered by incineration. 

Dave Bittner: [00:05:37]  CrowdStrike recently published their 2019 mid-year review from their Falcon OverWatch team titled "Observations From the Front Lines of Threat Hunting." Jennifer Ayers is vice president of OverWatch and security response at CrowdStrike. 

Jennifer Ayers: [00:05:52]  One of the reasons why this type of information is important is because what we're talking about is what we call tactical intelligence. So at the end of the day, you know, when you kind of look at global threat intelligence, regardless of whether it's coming from CrowdStrike new (ph) or another provider, that often looks at much more of the strategic, you know, threat landscape view. You know, what is the plan from China? What is the, you know, theory on, you know, Russia? What is the geopolitical status of the Ukraine? That level of intelligence, you know, is very, very broad and very high level. What we report on at the tactical level is the execution of that. So what we're talking about, you know, are real, live intrusions that we have seen across the Falcon telemetry that we have the privilege of being able to work with. And this is a dynamic landscape, right? This is constantly changing. So one thing that we might identify in the first half of the year might not exactly be the same in the second half of the year. You know, adversaries are real. They're constantly working, and they definitely have their agendas. 

Jennifer Ayers: [00:06:52]  So the first half of this year, you know, a major observation was actually the uptick in e-crime. One of the key points around highlighting that is, you know, e-crime is a much, much bigger, much more diverse group than what your typical nation state adversaries are. To look at the statistics and see that in the first half of 2019, you know, a 61% increase in terms of e-crime attack compared to our full 2018 is pretty significant. Now, that's not to say that this doesn't mean that nation states have stopped and e-crime has taken over. What this is simply showing you is from a volume perspective we are seeing a lot more e-crime activity on the rise. 

Jennifer Ayers: [00:07:34]  This is where you get into areas like we've talked about at CrowdStrike, you know, big-game hunting, for example, where these criminal organizations band together and begin to leverage what we would call living off the land or previously known, you know, nation state techniques to focus on larger assets than the typical spray and pray, right? I'm going to send a spam email to a thousand people. Maybe your parents, you know, pick it up and get encrypted by ransomware, right? You're going that broad, you're going to get maybe 10 out of 100 for lack of a better term. The big-game hunting purely focuses on enterprise, and they are purely focusing on what the key assets of those enterprise are. So watching that continue to rise is more of an awareness concern for people in the industry as a whole. This is not necessarily targeting that is driven by what the traditional nation states do, whether it's geopolitical or intellectual property. This is targeting based off of how much money you're going to be able to pay in that ransom. 

Jennifer Ayers: [00:08:33]  So what we're seeing, you know, across the board is the more mature your security program is, the less of a target that you'll be. So there are some fundamentals that we continue to see not happening in practice, you know, fundamentals that we've all been talking about for years and years. And don't get me wrong. I've been on the commercial side. I understand how hard it is to implement things. I understand how hard it is to get business buy-in to do updates. I understand, you know, how very, very difficult it is to get the business to agree to let one system go down so you can properly patch it. But it is those fundamentals that continue to allow these adversaries, whether they're e-crime or whether they're a nation state, to do their job. Two-factor authentication - something that we're starting to see much more of, you know, especially in online presence. You know, it is necessity. 

Jennifer Ayers: [00:09:19]  If you have a VPN, it should have two-factor. If you have the capability, two-factor enabling on any administrative account, you know, domain administrator, you know, always a benefit, multifactor type of methodologies. You know, those types of things help disrupt this actor type of activity. They can still dump creds today, and they can still get in by using a simple username and password from whatever they've cracked from the creds that they've dumped. Other simple things, you know, passing passwords in plain text - very active in a number of enterprises today. 

Jennifer Ayers: [00:09:46]  As the security practitioner for the last 20 years, we've been talking about this for more than 15, right? It's those type of little practices that are continuing to allow these adversaries to be as successful, right? There's no need for them to change their tactics and techniques because things still work. And it's up to us in the security industry to make sure that we're making it much more difficult. They'll never go away. 

Jennifer Ayers: [00:10:09]  It is our job to make it much more difficult as a security person or a CISO or, you know, a security analyst within an enterprise company, it's your job to make it so you're not as much of a target. And the way you do that is by making it so that you're not interesting to them because it's too hard to do their job. Adversaries are humans just like we are, right? All of us, humans by nature, will take the least path of resistance; more resistance you put in place, the less likely they're going to play in your space and they're going to go find somebody else who doesn't have those types of security practices in place. 

Dave Bittner: [00:10:40]  That's Jennifer Ayers from CrowdStrike. The report is "Observations From the Front Lines of Threat Hunting: A 2019 Mid-Year Review From the CrowdStrike Falcon OverWatch Team."

Dave Bittner: [00:10:53]  Facebook's Community Standards Enforcement Report says the social network took down tens of millions of pages whose contents violated its community standards. Those standards proscribe content that falls into categories that cover adult erotic material - with certain artistic and scientific or educational exceptions - bullying and harassment, child exploitation, bank accounts, hate speech, contraband - notably drugs and weapons - spam, terrorist propaganda, violent and graphic content and finally suicide and self-injury. The categories for Instagram are presently a subset of these, and they exclude terrorist propaganda, suicide and self-injury, child exploitation and contraband. 

Dave Bittner: [00:11:38]  Facebook also offered examples of how it draws the line on impermissible content, recognizing that such lines can be difficult to draw. In the second and third quarters of this year, Facebook removed 54 million pieces of violent and graphic content, 18.5 million items determined to involve child abuse or exploitation, 11.4 million posts that broke Facebook's hate speech rules and 5.7 million uploads that violated policies against bullying and harassment. As we've mentioned, Facebook has also brought its Instagram unit under the same monitoring and reporting system, taking down 3.2 million images that violated its community standards. 

Dave Bittner: [00:12:21]  And finally, two long-running criminal investigations seem to be arriving at their endgame. One Mr. Aleksei Burkov, age 29 of Tyumen and St. Petersburg, Russia, arrived at Dulles International Airport outside of Washington Monday courtesy of extradition from Israel where Mr. Burkov had been ensconced. He's now in U.S. federal custody held on suspicion of operating a large and lucrative carding shop. His charges include wire fraud and access device fraud, as well as conspiracy to commit those offenses and identity theft and money laundering. The charges together carry a maximum of 80 years in prison and prosecutors would also like to see Mr. Burkov forfeit his $21 million in allegedly ill-gotten gains. 

Dave Bittner: [00:13:10]  Cardplanet was one of those black markets that mimicked legitimate business practices. It advertised itself as the only service that would refund the price of invalid card data. It's also said to have offered a fee-based service, Checker, that would allow downstream criminals to verify whether the cards they were considering buying were still valid. Meanwhile in Canada, the Royal Canadian Mounted Police have charged Toronto resident John "Armada" Revesz with operating an international malware distribution scheme doing business as Orcus Technologies. Mr. Revesz says that Orcus is a legitimate remote access tool. The Mounties say, nope, it's a RAT, OK, but the remote access Trojan kind. 

Dave Bittner: [00:14:00]  Now a word from our sponsor, KnowBe4. Email is still the No. 1 attack vector the bad guys use with a whopping 91% of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents, establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:15:18]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. We've been seeing a lot of stories come by about biometrics and how it is taking a larger and larger part of cybersecurity operations. What sort of insights can you share with us? 

Justin Harvey: [00:15:37]  I think we can all agree that logging in to websites is not fun, either through multifactor or through the SMS text backs or through remembering all of these passwords. And it does seem that biometrics is one of the cornerstones to authentication and to identity. But I don't think it's the panacea that people make it out to be. I am a big advocate of having multifactor passwords and at least two of the three types of authentication mechanisms. And those three are, one, what you know - so it's your password - two, what you are - which is, of course, your DNA, your eyes, your fingerprints - and three, what you have - so whether that be a device, your phone, a fob or something else in your physical possession, that makes it a lot more secure when you implement two or all three of those against an authentication target. 

Justin Harvey: [00:16:35]  What really worries me about this, Dave, is our reliance on biometrics particularly here in North America. Biometrics - your fingerprint, your eye, your face - is all data that is then sent and stored in various places. If you and I were living in Europe under the GDPR, our own biometric digital information is considered to be part of us. It is our identity. And in fact, we own it. So if Google or Microsoft or Facebook have our biometric information, we have the right under EU law to force those companies to destroy it and not use it anymore. But here in North America and in other countries where we lack national data privacy regulations, it makes it a little bit fuzzy. And I'm not sure today particularly outside of EU if there is a generalized social construct or social understanding on who owns our biometric data. 

Dave Bittner: [00:17:38]  And I suppose - I mean, the other concern I've heard about biometrics is that they're hard to change. My fingerprints are my fingerprints, and it's not like I can change my fingerprints the way I can change a password. 

Justin Harvey: [00:17:50]  Exactly. Our fingerprints are all digitized when we get our driver's licenses. And they're digitized when we pair them with our phone; same with our faces. And those zeros and ones can be copied. They can be reconstructed, and they can be altered. And in fact, they can be breached, and they can be lost and - or even worst-case scenario, they can be leaked, and they can become public. It's only a matter of time before some organization that collects these biometrics goes through an incident or a breach and a lot of our biometric data is out there in the public. So that really enforces why it is so important to have at least two, if not three, of these identity cornerstones to be considered for authentication. 

Dave Bittner: [00:18:41]  Don't put all your eggs in one basket. 

Justin Harvey: [00:18:43]  Don't put all your fingerprints in one basket either. 


Dave Bittner: [00:18:45]  That's right. That's right. All right. Well, Justin Harvey, thanks for joining us. 

Justin Harvey: [00:18:49]  Thank you. 

Dave Bittner: [00:18:55]  And that's the CyberWire. 

Dave Bittner: [00:18:56]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:07]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.