The CyberWire Daily Podcast 11.22.19
Ep 976 | 11.22.19

Sandworm in Google Play. Internet sovereignty. Bogus accounts on LInkedIn. Pupil becomes teacher. Six-year sentence for DDoS. Big bug bounty at Google. Ransomware updates. Pegasus inquest.


Dave Bittner: [00:00:03] Google researchers provide a Sandworm update. Internet sovereignty is considered - an aid to law enforcement or a means of social control. LinkedIn reports on the 21 million bogus accounts it closed over the past year. Teacher becomes pupil as marketing learns from information operators. An Ohio man gets six years in an Akron DDoS case. Ransomware case updates. A Parliamentary inquiry into India will look into the deployment of Pegasus against WhatsApp users. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:01:32]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:54]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 22, 2019. Google security researchers revealed that the Russian threat actor Sandworm uploaded malicious apps to the Google Play store in an attempt to infect Android devices with malware, WIRED reports. Google discovered malicious versions of legitimate Korean-language apps in the Play Store in December of 2017, which were apparently part of Russia's efforts to disrupt the 2018 Winter Olympics. That discovery led the researchers to another malicious app that had been in the Play Store for two months, this one targeting Ukrainians. Sandworm also launched phishing attacks against Ukrainian Android application developers in an attempt to compromise their apps. The Sandworm team is probably best known for its deployment of BlackEnergy malware against sections of the Ukrainian power grid in 2015. If you're like us, and you prefer that threat actors' names be more ursine than vermiform, call them Voodoo Bear. It's the same fine crew, probably. 

Dave Bittner: [00:03:03]  As the UN continues its protracted deliberation over the internet sovereignty measures advanced by Russia and some like-minded states, Decipher points out that internet sovereignty will actually do little to suppress cybercrime. But, of course, online gang-busting isn't really the point, and you don't have to be Eliot Ness to figure that one out. What's of interest to the authors of the proposed international regime seems pretty clearly to be social control, not crooks spreading ransomware or engaging in carding. 

Dave Bittner: [00:03:33]  To see a sovereign internet in action, read WIRED's account of how sovereignty is being realized in Iran. As it happens, Tehran was not one of Russia's co-sponsors, but this week it clamped down hard on internet access as it seeks to tamp out domestic unrest that flared up over economic issues. The immediate flashpoint was an increase in gas prices, but this has simply accelerated some long-guttering discontent. As WIRED points out, Iranian American families are among those feeling the effects of Tehran's controls. It's proving difficult to the point of impossibility for them to reach and check in with relatives back in Iran. 

Dave Bittner: [00:04:12]  LinkedIn's first Moderation Report, issued yesterday, says that the business-focused social network booted some 21 million fake accounts over the past year, and the Telegraph wonders if the sock puppets, catphish and people with nonexistent job offers at companies no one's ever heard of were the work of spies. If many or most of those accounts weren't, then all we have to say is the world's intelligence services have really been asleep at the switch. 

Dave Bittner: [00:04:40]  So if information operations are really marketing in battledress, what happens when a commercial entity decides it looks good in camouflage? State-style information operations can find, and now have found, their way into clickbait commercial marketing, as a Nisos inquiry into a U.S. news startup and its employment of writers based in Macedonia suggests. Far left or far right, as long as concocted, inflammatory news stories drive traffic, it seems to be a win, The New York Times reports. 

Dave Bittner: [00:05:12]  The company involved is LaCorte Media, which aspires, its co-founder, Ken LaCorte, says, to find a middle ground and restore faith in media. Such aspirations are in tension with the profit that can be realized from clickbait. As Mr. LaCorte told The New York Times, quote, "I wanted to try to find middle ground. Unfortunately the thing that works best right now are hyperactive politics. On one hand, that's at odds with what I want to do. But you can be more successful by playing the edgy clickbait game," end quote. The New York Times observes that the spreading of politically divisive content or even blatant disinformation and conspiracy theories by Americans is protected free speech. 

Dave Bittner: [00:05:55]  The Macedonians who crank out the clickbait would appear to be hired guns. There's some evidence they were also contractors for Russian disinformation operators during the run-up to the U.S. 2016 elections. 

Dave Bittner: [00:06:09]  A 33-year-old man from Ohio, James Robinson, was sentenced to six years in prison for launching DDoS attacks against the websites of the city of Akron, Ohio, and the Akron Police Department, according to ZDNet. Mr. Robinson, who claimed membership in Anonymous, said he launched the attacks because he held a grudge against Akron's police force. 

Dave Bittner: [00:06:31]  Google will pay a $1 million bug bounty to anyone who can fully compromise the Titan M chip used in Pixel devices, Ars Technica says. Additionally, the company is offering $500,000 for an exploit that allows data exfiltration from a Pixel device. 

Dave Bittner: [00:06:49]  Following up on two high-profile ransomware attacks, we see that the BBC reports that Rouen University's Hospital Charles Nicolle has refused to pay the ransom, and that the hospital has reverted to manual backups. We hope they succeed in keeping their patients safe. The other attack is the ransomware infestation Louisiana suffered earlier this week. The strain of ransomware involved has been identified as Ryuk. The state continues its recovery, and the National Guard has been playing a role in that response. This will probably be the emerging model of state cyber response plans. 

Dave Bittner: [00:07:25]  In India, the Parliamentary Standing Committee on Information Technology has opened an inquiry into the affair of the Pegasus infestation found in WhatsApp, the Business Standard reports. At issue is whether elements within India's government deployed the spyware against journalists, activists and other potential domestic political malcontents. Meanwhile, India Today reporters, with real gusto and tschim-tshara-bim (ph) tracked down some NSO Group reps who were going about their business in Paris. NSO's people, the outlets said, we're not particularly forthcoming on camera, which is really no surprise. What is surprising is the way India Today somehow makes it seem that a trip to Paris represents some kind of hardship. 

Dave Bittner: [00:08:13]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today, and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:09:15]  And joining me once again is Craig Williams. He's the head of Talos outreach at Cisco. Craig, it's always great to have you back. You and your team recently published a blog post - it's "Cryptocurrency miners aren't dead yet: Documenting the voracious but simple 'Panda.'" Take us through - what are you guys tracking here?

Craig Williams: [00:09:33]  Well, basically, Panda is the name we're giving the actor behind this particular campaign. Now, like a lot of actors we've seen over the last - I don't know - let's call it 18 months, this one's decided that the way that they're going to monetize their malicious behavior is through cryptomining. Now, you know, some people may not be super familiar with cryptomining if they've lived under a rock for the last year... 

Dave Bittner: [00:09:58]  (Laughter). 

Craig Williams: [00:09:58]  ...So in the event you've escaped from a cave or some sort of government facility, the reason malware authors turn towards cryptomining is because, unlike ransomware or other profitable means, it's relatively easy to get away with, right? Most people are never going to know if a cryptominer has been installed in their network. 

Dave Bittner: [00:10:19]  Right. 

Craig Williams: [00:10:20]  And because there's no damages, law enforcement is not going to put it anywhere near the top of their priority list. I mean, if you think about it - right? - what's the actual damage caused to most networks from cryptomining? Well, it's going to be processor usage, some - I guess you could argue power consumption. 

Dave Bittner: [00:10:39]  Right. 

Craig Williams: [00:10:39]  That's really hard to assign a number to. And without that number, law enforcements are really going to turn a blind eye to it. So from an adversary's perspective, cryptomining - basically significantly less risk, no damages, so not really furious victims coming after you, and it's going to be a slow, steady and consistent payout. And because no one knows that they're infected, well, it's going to keep paying out for the foreseeable future. 

Dave Bittner: [00:11:06]  What are some of the specifics of Panda? What's unique about it? 

Craig Williams: [00:11:09]  Well, you know, there's not a ton that's unique here. It's another cryptomining malware that basically looks for cryptomining malware so that it can be the only one, which I, of course, always enjoy the bad guys when they close the door after them and kick everybody out. 

Craig Williams: [00:11:23]  (Laughter). 

Craig Williams: [00:11:24]  The OPSEC around Panda is not amazing - you know, similar TTPs throughout their campaign, and some of the infrastructure was even reused. But it's important to realize that even though this seems, you know, relatively low sophistication-wise and benign, it is using relatively sophisticated means to spread, right? It's using Mimikatz and things like that. And so it kind of goes back to some of the good, old-fashioned ways to secure your Windows systems. Don't have SMB1 exposed, right? If you don't need it, don't have it on. Definitely don't have it exposed to the internet. And make sure that you're patching, right? I mean, a lot of the issues that it's taking advantage of, you really shouldn't be vulnerable anymore, particularly with modern defensive software. 

Dave Bittner: [00:12:11]  Now the fact that you all have named this Panda, is that a little tip of the hat to where you might think it be originating? 

Craig Williams: [00:12:20]  We would never do that. That's so silly. 

Dave Bittner: [00:12:23]  I see. Of course, right. How silly of me to even suggest it. 

Craig Williams: [00:12:26]  (Laughter). 

Dave Bittner: [00:12:28]  Let's move on then. What sort of prevention methods should should folks have beyond the basics that you just outlined? I mean, is this an easy one to detect? Or how stealthy is it? 

Craig Williams: [00:12:40]  Well, you know, in the past, we saw this use open-source frameworks that were really popular in China of all places. And so it's that kind of software. It's Windows. Basically if there are known vulnerabilities and public exploits, it's potentially going to be a vector. Combine that with, you know, traditional brute-forcing through things like Mimikatz, and it becomes very effective. And so, you know, I would make sure that people look at work boxes are talking to what, right? You know, potentially one of your boxes shouldn't be logging into all the others as administrator. Hopefully you have NetFlow or some other tool to look at. And make sure you turn on automatic patching, even in your open-source software if it's available. 

Dave Bittner: [00:13:25]  All right, well, the blog post is titled, "Cryptocurrency miners aren't dead yet: Documenting the voracious but simple 'Panda.'" Craig Williams, thanks for joining us.

Dave Bittner: [00:13:39]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25, in Baltimore, Md. on the Johns Hopkins Homewood Campus. You can find out more at and click on Sixth Annual Cybersecurity Conference for Executives. Learn about the dos and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at Click on the Sixth Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:14:28]  My guest today is Keenan Skelly. She's vice president of global partnerships at Circadence. Earlier in her career, Keenan Skelly served in the U.S. Army as an explosive ordnance disposal technician and went on to work for the Department of Homeland Security, where she served as chief for comprehensive reviews in the Office for Infrastructure Protection. Our conversation centered on the need to get a broad range of young people excited about potential careers in cybersecurity. It's not just about getting kids interested in tech; there are social and cultural issues at play as well. 

Keenan Skelly: [00:15:01]  I actually had a young CyberPatriot student not too long ago who was absolutely phenomenal. She could code in 16 languages, and she was so smart. And when it came time for her to pick, you know, what her major was going to be, she said, well, I think I'm going to be a doctor (laughter). And I was like, why? Why would you want to do that? You're so good at this, and you obviously love it. You've been in all of the clubs for, you know, four or five years. And her response was, actually, I just don't see myself as a black hoodie kind of girl. 

Dave Bittner: [00:15:34]  Wow. 

Keenan Skelly: [00:15:34]  And that was really eye-opening for me about how we are doing as, you know, a cybersecurity industry really reaching out to those more diverse groups and helping them realize that cybersecurity is everything. It's everywhere. There's so many jobs that take cybersecurity into play. And coding is one of those things that is going to help you no matter what career you have. So tech has sort of been something that young men or young boys seem to get involved in much earlier than young girls do. Now over the last decade or so, as, you know, the community has been making a concerted push to try to identify, you know, how we can meet this cyber skills gap that we have right now, which is, you know, 3.5 million in the next five years - that's a really big number. 

Keenan Skelly: [00:16:21]  So when we start thinking about how to get at that number, it's really important that we look outside the sort of standard demographic and try to really get more diverse and inclusive hiring practices in place, programs in place for young, diverse students who are interested in cybersecurity and interested in moving forward. Now one of the challenges that we've actually faced is young women in particular are very excited about STEM. They're very excited about coding. And in my personal experience, they tend to do things like Girls Who Code, do things like CyberPatriot or these other programs where they can really get into the process. 

Keenan Skelly: [00:16:59]  But then when it comes time to make decisions about where they want to go in a career, a lot of times they just don't see themselves in this career. And one of my biggest pet peeves is the fact that we as an industry have not been very good about marketing to those folks. We always tend to, you know, put up that black hoodie guy who is, you know, with his Mountain Dew and working through a problem. We have some work to do still. 

Dave Bittner: [00:17:25]  Yeah, clearly. Well, how - from a practical point of view, I mean, how do you propose that we do a better job of getting that message out there and being welcoming? 

Craig Williams: [00:17:35]  So I think part of it is providing really good mentors and really good, accessible people who are doing cybersecurity as a part of their everyday job but don't necessarily fit into that title that people are looking at. Like, they don't have a hacker title, right? But they might be the chief marketing officer at a very large company who uses cyber skills and coding and really pushes cybersecurity within their firm, those types of things, or having the CISOs and the CIOs come out and talk to young people and really get them interested in all of the different facets of what cyber and cybersecurity means today. 

Craig Williams: [00:18:14]  If we just look at health care, for example, there's a lot of cybersecurity initiatives going on in health care right now. And it's really fascinating to me to see all of the jobs that are kind of coming out of that specific sector that are very focused on cyber, but not jobs that you would think. So you could be a doctor and have a lot of coding experience and security experience, helping your organization protect the data of your patients in a much more fun way and a much more sort of realistic way. 

Dave Bittner: [00:18:44]  So do you suppose that part of this is for those folks who are already in the industry to get out there and be ambassadors to that sort of message? 

Keenan Skelly: [00:18:53]  One-hundred percent. I find that it's not always easy - if you're trying to break into the field, it's not really easy to find somebody who necessarily fits the idea of cyber that you're trying to get into. So having mentor groups, I think, is a huge thing. You know, I'm a big fan of Women's Society of Cyberjutsu, who really brings together local communities of women who are interested in cyber and kind of helps them identify who that right mentor, who that right person might be for them. I think that's something that really has to be done by a lot more people. I would love to see some organizations, you know, some big tech companies, really driving this initiative forward a lot more and putting out some of their greatest assets in terms of cybersecurity folks and really allowing them to be a little bit more active in the mentoring side. 

Dave Bittner: [00:19:48]  At Circadence, you have a new gaming platform. Can you describe to us what's going on with that? 

Keenan Skelly: [00:19:53]  Previously we had been focused on one of our products, which was Project Ares, which is great for bringing somebody in who's maybe new to cybersecurity, sort of intern or somebody who's interested in learning the basics and moving forward. But one of the things that we started thinking about was, you know, that security awareness piece really is the first step. If you're looking at a - let's say a global enterprise organization, they're probably doing something with PhishMe or KnowBe4 to really get at that general cybersecurity awareness. 

Keenan Skelly: [00:20:27]  And that's really - those things are working very well for phishing attacks right now. But what we kind of looked at is, what about all of the other things that are out there that people need to be aware of, like ransomware or, you know, connecting to the Wi-Fi at your local coffee shop, or things like that. But we wanted to present it in a way that it could also help identify maybe cybersecurity talent that's kind of latent right now. So we really wanted them to understand advanced concepts like the cyber kill chain and what it takes for a hacker to get your data and, you know, really use that to some benefit. 

Keenan Skelly: [00:21:05]  So we created a game called Insight, which is just super fun, first of all (laughter). It can be played on a mobile device. It can be played on a desktop application. And what it does is it gives you a set of your own hackables (ph) that you have to protect and defend against other hackers. They also will get that set of hackables. And you kind of learn how to go through the same process that a hacker would to gather your data, and then use that in a nefarious way by weaponizing it and then, you know really creating an event that's meant to install malware on your device or install some other nefarious means, but all of this in a very fun, kind of lighthearted way. 

Keenan Skelly: [00:21:47]  Gamification is a huge, huge win for something like cybersecurity games, something like this. And I kind of always akin it to Angry Birds, right? Most people I know have Angry Birds on their phone. And it teaches you physics, but it teaches you those types of things in a very abstract way that you don't even understand that you're learning. So if you're thinking about Insight, for example, we're teaching you very complex ideas about how hackers are trying to get to you personally, how they're trying to get to you at an enterprise level in your job, you know, all of these things that you should be looking out for every day to really protect yourself and your organization against some of these ideas. 

Keenan Skelly: [00:22:34]  You have cool things within the platform. Like, you can earn cryptocurrency that you can upgrade your defenses and upgrade sort of the things that you want to be able to do in the game. But every single section of the game, as you start to learn more and more types of - sort of events within the cyber kill chain, you also get teaching moments regularly. And the more teaching moments that you take out of this, the more points you can earn or more, you know, sort of cryptocurrency you can earn. And with those things, you can continue to upgrade and really, you know, protect what you have. 

Keenan Skelly: [00:23:09]  In this case, what we're really looking to do is provide them with an area of expertise that is so fluid and easy to use that they continue to grow throughout the process. Now on the back end of that, with the metrics that we collect, we're able to identify by individual or organization kind of how their learning curve is progressing. So you may have had someone in the accounting department start out with very low-level skills - maybe they keep getting hacked in the game, but they're not really using currency. They're not really upgrading. They're not really doing other things. That's an easy, teachable moment to go back and say, actually, did you know you could do this? And this will kind of change your outlook. 

Keenan Skelly: [00:23:53]  Or as they're continuing to move through on the opposite side of the spectrum, what we often find are sort of cyber gems within an organization who actually have a remarkable proclivity for cybersecurity and then - can then be transitioned into sort of the next step of the training or learning pathway, where they get to get more access to more technical information and see if they're a fit for cybersecurity. So this has been really good with some larger organizations who are interested in taking people they already have and upskilling them or cross-scaling them to do cybersecurity activities as well. 

Dave Bittner: [00:24:27]  So you can really find those folks who you may not have otherwise known had a skill for this sort of thing within your organization. 

Keenan Skelly: [00:24:37]  Absolutely. 

Dave Bittner: [00:24:38]  It's like "The Last Starfighter." 

Keenan Skelly: [00:24:39]  It kind of is (laughter). It kind of is, yes - but cooler, but way cooler and much... 

Dave Bittner: [00:24:45]  (Laughter) Oh, don't know, Keenan, "The Last Starfighter" is pretty cool (laughter). 

Keenan Skelly: [00:24:50]  It was. It was pretty cool. 

Dave Bittner: [00:24:50]  That's Keenan Skelly from Circadence. 

Dave Bittner: [00:24:58]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:25:11]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.