The CyberWire Daily Podcast 12.11.19
Ep 987 | 12.11.19

Hacking in Iran? The Lazarus Group hires Trickbot. Election influence ops. Cryptowars updata. Ransomware in municipal and tribal governments. Patch Tuesday notes. Do it for State.


Dave Bittner: [00:00:03] Iran says it stopped a cyberattack and that an insider was responsible for a major pay card exposure. TrickBot is now working for the Lazarus Group. Influence operations both foreign and domestic concern British voters on the eve of the general election. The crypto wars are heating up again as the U.S. Senate opens hearings on encryption. Pensacola's cyberattack was ransomware, and so, too, apparently, was the one that hit the Cherokee Nation. And do it for state. 

Dave Bittner: [00:00:38]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at, and click on Sixth Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at Click on the Sixth Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:01:22]  Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:01:47]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 11, 2019. 

Dave Bittner: [00:01:55]  Iranian officials say they stopped a very big cyberattack, U.S. News reports, but Tehran didn't call out the nation responsible or say what attack they were referring to. 

Dave Bittner: [00:02:06]  The New York Times independently reports that the breach and exposure of some 15 million Iranian bank debit cards followed last month's unrest in that country. The number of accounts involved amounts to a fifth of the country's population. Iran's information and telecommunications minister denied that the nation's banking system's computers had been breached and said that the incident was the result of an insider threat, what he described as a disgruntled contractor who had used his access to the accounts to expose them in an extortion caper. 

Dave Bittner: [00:02:38]  The Times notes speculation that an unnamed nation-state adversary was behind the data theft. The presumed goal of a nation-state would be to induce more instability into an Iranian society already under stress induced by international sanctions. 

Dave Bittner: [00:02:54]  Messages that represented themselves as being from the attackers were distributed over Telegram, with the initial communique reading, we will burn the reputation of their banks the same way we torched their banks. The burning is an allusion to the damage done to some 730 banks during last month's rioting. So the stolen pay card data remains, for now, under investigation. 

Dave Bittner: [00:03:18]  Security firm Cybereason today outlined a new use for TrickBot - spreading Anchor malware against a select set of targets. Sentinel Labs, which has been tracking related activity, reported yesterday afternoon that the TrickBot criminal enterprise is now supplying North Korea's Lazarus Group. Criminal groups have worked with state intelligence and security agencies before, but this transnational collaboration is relatively unusual. The more common pattern is the one observed in Russia, where gangs operate at the sufferance of the state under the tacit understanding that they'll leave certain potential, usually domestic, victims alone and that they'll undertake occasional tasks as the organs direct. The TrickBot cooperation seems closer to a conventional business arrangement than it does to a protection racket. 

Dave Bittner: [00:04:08]  TrickBot has been adept at both code injection and quiet harvesting of desktop credentials. Threatpost warns that banks especially should look to their defenses. The Lazarus Group has long been involved in financial crime as it meets taskings to redress North Korea's chronic, sanctions-induced shortfalls, and TrickBot began its career as financially focused malware. 

Dave Bittner: [00:04:32]  As the United Kingdom prepares for tomorrow's election, Business Insider cites experts who see disinformation circulated via WhatsApp as a problem for voters. Concern about the potential for foreign meddling remains high, but not all mendacity comes from abroad. The New York Times notes that supporters of the two largest political parties, Labour and the Conservatives, have themselves apparently learned from the Russian disinformation playbook, operating misleading sites, trading in leaked documents and fomenting malicious rumors. What's new, of course, is that this is being done over the internet, as opposed to the coffeehouses and newspapers that would've been its vehicles in, say, the late 18th century. 

Dave Bittner: [00:05:14]  The U.S. Senate Judiciary Committee's hearings on encryption policy open today. Observers see the balance in the crypto wars tilting against end-to-end encryption. Facebook is hanging tough for the pro-encryption side, but The Telegraph thinks the social network is now in a fight it will find it difficult to win. That fight is proceeding on both sides of the Atlantic, and those in favor of limiting the reach and effectiveness of encryption - typically law enforcement agencies who see their work as a contribution to what former FBI Director James Comey called ordered liberty - have gained momentum by arguing that while privacy is all well and good, encryption has too often played a role in enabling child abuse and human trafficking. 

Dave Bittner: [00:05:57]  Back in 2015, the OPM breach captured the attention of the security community and the public at large for both its size and the scope of information taken. In the years since, the OPM breach served as a case study for those monitoring the information gathered from the victims. Kevin Lancaster is general manager of security solutions at Kaseya and CEO of ID Agent. He was among those who were brought in to remediate the breach from the outset. 

Kevin Lancaster: [00:06:25]  So when you have an incident, a breach, the first focus, the first goal is always, you know, identify what happened, what was extracted, and then, you know, normalize and secure, right? So you want to, you know, really respond quickly and understand what happened. It's always chaotic when you're dealing with an incident, but something of that magnitude, it's polarized. It's compounded by, you know, the, you know, fact it's the U.S. federal government. And it's going to make the news just about every corner of the globe. 

Kevin Lancaster: [00:06:53]  So there's always that period where it's just - it's really intense. And then you get into program launch, and you often - you do - you reserve 800 numbers and notifications for those that were impacted by the incident. But again, because of the enormity and how much speculation there was, the government, OPM and others decided to release the call center 800 numbers. And so we went from really strong response times - maybe two, three, four minutes in the call center - to something like three hours, four hours. 

Dave Bittner: [00:07:23]  You know, as we're recording this, we're coming up on 2020. And the OPM breach happened back in 2015. So I think it's sort of unique in that we have the ability to have that distance in the rearview mirror between now and when it happened. What are some of the take-homes for you now that you've had time to take it all in, to analyze what has happened in your own mind? When you look back on it, what are some of the lessons you take away from it? 

Kevin Lancaster: [00:07:51]  Most of the large salacious (ph) breaches that you have out there, unless you're dealing with a very persistent, well-funded adversary, most of them could've been mitigated with layers - right? - adding in multifactor to access your O365. So I think part of the takeaway is that, you know, maybe it's a - maybe it was a funding challenge for OPM and the fed gov in particular. There were bare minimums that they could've been doing five years ago. There are bare minimums that organizations could be doing today to mitigate 70%, 80% of the attacks that they see on a daily basis. 

Kevin Lancaster: [00:08:27]  And so one of the disconcerting things in all this is that you still see statistics out there about, you know, 75%, 80% of people still use the same or derivation of the same password, right? And the broader population - 4% or 5% of the broader population are using a password manager or some type of multifactor on every single - in anything they sign in to. So just tells you that we've still got a long way to go to, you know, make these bare minimums standards. 

Kevin Lancaster: [00:08:58]  That is, I think, part of the positive byproducts out of some of these incidents. You know, looking at what NIST is coming out with, these frameworks and their statements on passwords and password usage and complexities. I think looking back, it's like, wow, that was five years ago. A lot of things have changed, and a lot of things haven't changed. And so there's good and bad, I guess, in hindsight. 

Dave Bittner: [00:09:21]  That's Kevin Lancaster. He's general manager of security solutions at Kaseya and CEO of ID Agent. 

Dave Bittner: [00:09:29]  The city of Pensacola confirmed yesterday that the cyberattack it sustained was, indeed, a ransomware incident, WEAR TV reports. That's what it looked like at first, and in the U.S., at any rate, state and local governments have become favorite targets of ransomware. 

Dave Bittner: [00:09:45]  Nor should tribal governments be forgotten, either. The Eastern Band of the Cherokee Nation also sustained a ransomware attack, according to the Charlotte Observer, one that hit sometime Monday. Tribal authorities say they've contained the infestation but that they've also powered down their servers pending a full recovery. Services are being restored as soon as that becomes possible. 

Dave Bittner: [00:10:07]  Cherokee police have one suspect in custody. In a speech posted on Facebook, Principal Chief Richard Sneed said that a member of the tribe employed by the tribal government is believed to have carried out the attack. Chief Sneed declared a state of emergency for the Eastern Band, which is also working with the FBI and other federal agencies. They're treating the incident as an act of domestic terrorism. 

Dave Bittner: [00:10:32]  Yesterday was Patch Tuesday, and Microsoft issued 16 security updates, three of which closed remote code execution vulnerabilities. It's also the end, for real and forever, of support for Windows 7, and Microsoft says it's going to display a big, full-screen message to the dead-enders on January 15 - your Windows 7 PC is out of support. Read and heed, dead-enders. Adobe also patched, fixing 17 issues in Photoshop, Reader and Brackets. And Google updated Chrome, as it begins rolling out a feature that will warn users if they've got an exposed password. 

Dave Bittner: [00:11:11]  And finally, remember the case last year of the guy who attempted to seize control of the domain name doitforstate at gunpoint and was thwarted when he, himself, was shot in the bungled attempt to make the legitimate owner transfer the rights to a different GoDaddy account? Mr. Sherman Hopkins Jr., of Cedar Rapids, Iowa, pistol-whipped and then wounded the domain owner. But in the ensuing tussle, the victim, Ethan Deyo, got the gun away from Mr. Hopkins and, in turn, shot him. Both men have recovered, and Mr. Hopkins is now a guest of the correctional system. 

Dave Bittner: [00:11:45]  As you might imagine, Mr. Hopkins was not the mastermind behind the idea. No, that would've been his cousin, Mr. Rossi Lorathio Adams II, known as Polo. Mr. Adams, an Iowa State alumnus and proprietor of an influencer site devoted to kegger culture around the university, felt his own enterprise would be more successful if only it had the slogan Do It For State embedded in its domain. Anyhoo, the U.S. attorney for the Northern District of Iowa on Monday announced that Mr. Adams would serve 14 years on one count of conspiracy to interfere with commerce by force, threats and violence. Well, if you've got to do time, do it for state. 

Dave Bittner: [00:12:33]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:13:35]  And I'm pleased to be joined once again by Emily Wilson. She's the VP of research at Terbium Labs. Emily, it's always great to have you back. We are heading into the holiday season here. It is upon us. And you had some things you wanted to remind listeners about when it comes to connected gifts. 

Emily Wilson: [00:13:52]  I do. You know, I think anyone who's spoken to me in the last few years has heard me express some of my concerns about the amount of child data that's showing up in some of these criminal marketplaces and that we need to be thinking critically about the way that children are having their information captured or exploited by criminals. And I think it's a good time to remind people that while you should be cautious about gifting any kind of connected device - and I think my colleagues in the cybersecurity space would agree - you should be particularly careful when you think about connected devices for children. 

Emily Wilson: [00:14:29]  And by connected devices, I mean anything that is going to be able to collect data on your child or the child you're gifting it to that might require some sort of account creation. These devices may seem harmless, and they may go entirely uncorrupted by cybercriminals. But the more opportunities that we have to collect data on children, the more viable a consumer class they become effectively. 

Emily Wilson: [00:14:55]  And if we're kind of collecting data on them from a very early age, that's more data that can be exposed eventually. It's more data available to cybercriminals. It's more data available to marketing firms. And children aren't in a position to make informed, consensual decisions about their data collection and their data usage. And so we need to be careful in the ways that we do that for them. 

Dave Bittner: [00:15:18]  So in general, when it comes to collecting data about children, are they in a more protected category than adults are? 

Emily Wilson: [00:15:25]  They should be, and in theory, they are, right? We have disclaimers on websites or on applications requiring that if you are under the age of 13, for example, you need to have a parent's consent to use a website or to use an app. That's great in theory. In practice, there are ways to get around that, of course, whether from older children who are going to simply say, yes, I have parental consent and this is all fine, I'm allowed to use this. 

Emily Wilson: [00:15:55]  Or it may be that parents do consent and that parents don't understand the implications of consenting to a child using, say, a tablet that's specifically designed for children or a smartwatch that's supposed to encourage physical activity - really great ideas, really great things to encourage learning, to encourage fitness and health. These are good ideas. But we have to stop and think critically about what information is being collected. 

Emily Wilson: [00:16:24]  Is that information associated with a child or a parent? How is that information being used by the company that has developed this technology or this tool or this toy? Who are they sharing that information with? When they're sharing that information with third parties, is that information associated with a parent or child? 

Emily Wilson: [00:16:42]  There are a lot of questions here that we need to be asking ourselves critically about the things that we, as informed consenting adults, are using with the technology that we rely on every day. But we need to be thinking that way about children as well because we don't always know what we're going to be opting our kids into. And we also don't know if the companies that are receiving this data are using it or limiting it in the way that they're supposed to do. 

Dave Bittner: [00:17:07]  Yeah. That's a really interesting insight. I mean, it strikes me that this is - this generation coming up is perhaps the first that that has this - puts them at risk of having their data collected from the very beginning of their lives. 

Emily Wilson: [00:17:21]  From the very beginning, whether collected by some of these devices, as we're describing, or it may be that parents are opting them into that collection. When you think about - of course, you have a child, you're very excited about that. You want to share that with people. And so you share photos. You share names and information. You share the time that they were born and the day that they were born. You track how much they love a certain toy or how much they enjoy a certain food. 

Emily Wilson: [00:17:48]  And all of that information being shared, particularly on open social media networks, for example, that information can be tracked. You know, you have to think about the fact that you're not just sharing information with your friends or with your family. You're also opting your children into what is, quite frankly, a broader surveillance network. And when we think about how that might develop over the next 10, 15, 20 years as those children come of age, we should be cautious, to say the least. 

Dave Bittner: [00:18:18]  Yeah. I can really see that being a tough situation for parents, where the functionality of that hot toy at Christmas time, you know, may rely on its connectivity. It's connecting with other kids or being able to share information online. You know, if you disable that, then I could see there being a lot of peer pressure. That's the whole point of the device. 

Emily Wilson: [00:18:40]  There are - I think there are a couple of things to address there. One is that it is understandable and reasonable to want to get children toys or devices that are going to allow them to enjoy all of the benefits of technology. It's very exciting to read a book about a dinosaur and then go watch a YouTube clip of what scientists have imagined that dinosaur might have looked like and moved like, right? It's really exciting to be able to connect those kinds of resources. 

Emily Wilson: [00:19:09]  And for children who are growing up in a device-reliant world and a technology-reliant world, it's important to develop those skills, just as we develop language skills or writing skills. The flip side of that is that there are ways that parents can encourage these children to enjoy some of those devices, maybe with a little bit more protection. Maybe don't use your child's real name. If you need to create an account for a device, for example, use an account generator. Use something that is not affiliated with your child or your family in any way, which is also a fantastic opportunity to teach children about how to be safe online. 

Dave Bittner: [00:19:50]  Yeah. All right. Well, Emily Wilson, thanks for joining us. 

Dave Bittner: [00:19:58]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:11]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.