The CyberWire Daily Podcast 12.20.19
Ep 994 | 12.20.19

Pegasus and Pakistan. What’s in Legion Loader. Threats to financial markets. Seasonal scams. What would Clippy do?


Dave Bittner: [00:00:00] Hey, everybody. Dave here with some exciting news. We are pleased to announce our new subscription program, CyberWire Pro. It's launching early in 2020. For cybersecurity professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. You can learn more and sign up to get launch updates at That's Do check it out. Thanks. 

Dave Bittner: [00:00:33]  Pegasus may have appeared in Pakistan. Legion Loader packs in six bits of malware in one Hornets' Nest campaign. Someone may have hacked Bank of England press releases to give them a few seconds advantage in high-speed trading. Frankfurt, in the German land of Hessen, is clearing its networks of an Emotet infection. Some seasonal, topical scams are circulating. And what would Clippy do? 

Dave Bittner: [00:01:03]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25, in Baltimore, Md. on the Johns Hopkins Homewood campus. You can find out more at, and click on 6th Annual Cybersecurity Conference for Executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:01:50]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:13]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 20, 2019. 

Dave Bittner: [00:02:20]  The Guardian reports that Pegasus spyware, the intercept tool produced and sold by NSO Group, has been found in the phones of several senior officials in Pakistan's defense and intelligence services. The infestation apparently took advantage of the same weaknesses in WhatsApp that enabled Pegasus to be installed in devices belonging to journalists and activists in India. The Indian cases appear to have been potentially instances of domestic surveillance. Their discovery prompted a public scandal and parliamentary inquiries in India. The Pakistani case seems, the Guardian says, to represent state-on-state espionage. Pakistani diplomatic missions the Guardian contacted had no comment on the reports. 

Dave Bittner: [00:03:03]  Deep Instinct's dissection of a Legion Loader, which we saw yesterday, displays an impressive mix of bad things. ZDNet calls Legion Loader a grab bag, including, as it does, information-stealing Trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer. In all, Legion Loader packs at least six - count them, six - varieties of badness in that grab bag. The three information-stealing Trojans are Vidar, which specializes in culling personal information, including screenshots and data that may be stored in two-factor authentication software. The second Trojan is Predator the Thief, which not only steals data, but can pull images from the infected machine's camera. And the third Trojan is the new, powerful and customizable Raccoon Stealer. 

Dave Bittner: [00:03:51]  In addition to these three Trojans, Legion Loader installs a remote desktop protocol-based backdoor to give the hoods running the campaign the ability to return, re-attack and stage new malware. The last two malicious programs bundled both have an interest in cryptocurrency. One is a PowerShell-based cryptocurrency stealer that prospects and loots any altcoin wallets it finds. The second is a cryptojacker, a cryptocurrency miner that uses the victim machine to mine for its own coin. 

Dave Bittner: [00:04:21]  It's also being used in a high-volume campaign, which Deep Instinct calls Hornets' Nest in view of the swarm of malicious code that arrives with Legion Loader. That said, it's still unclear how the malware is being spread and what infection vectors are being used. None of the hornets in this particular nest are particularly sophisticated or novel. Indeed, they can be found traded in various dark web markets and represent commodity malware. It looks very much like a dropper-for-higher campaign, and Deep Instinct thinks Legion Loader is under active development as its masters improve their wares. 

Dave Bittner: [00:04:59]  Signs in the code, Deep Instinct says in their report, point to the author or authors of Legion Loader as being Russian-speaking coders. These are in all likelihood criminals as opposed to intelligence or security services. And while Hornets' Nest is a swarm of commodities, it should nevertheless not be underestimated. Sometimes quantity has a quality all its own, and Legion Loader delivers quantity. 

Dave Bittner: [00:05:24]  Britain's Financial Conduct Authority is investigating a possible case of eavesdropping on Bank of England press conferences. High-speed traders are thought to have hacked access to the press conferences slightly before they became publicly available. And this would have given them material information a few seconds early, which can be, as Law360 points out, a considerable advantage in trading. 

Dave Bittner: [00:05:48]  The city of Frankfurt, a German and European financial hub, shut down its municipal networks after they were infected with Emotet, ZDNet reports. The city is in the process of recovery. Emotet can be used to deliver a variety of other infections. And recently, it's been associated with ransomware attacks. 

Dave Bittner: [00:06:07]  There are a number of topical, pop-culture and current-events-themed spam campaigns in progress, as you'd expected at this time of year. OK, first of all, as Ms. Swift would probably say, ZDNet reports that Taylor Swift images have been found to conceal cryptojackers. Oh, barf. Since its Swiftmas (ph), we should have seen that one coming - totes. 

Dave Bittner: [00:06:28]  There are a lot of dodgy holiday e-cards in circulation, including hokey invites to office parties. There are also bogus seasons greetings purporting to be from climate activist Greta Thunberg, which are no doubt intended to appeal to the naive, people thrilled to click before they reflect that Ms. Thunberg is unlikely to have actually emailed them. Proofpoint warns that these particular greetings have been serving up Emotet piping hot. 

Dave Bittner: [00:06:55]  And of course, there's the new "Star Wars" movie, "Rise Of Skywalker." Have you seen it? Anywho, PCMag and lots of other media outlets are saying that phony "Rise Of Skywalker" files are carrying malware. That's not only the obvious come-on offers of pirated copies, which anyone should, of course, steer clear of, but also some innocent-appearing trailers. Reach out with your feelings, and discern the stuff that's no good for you. Otherwise, the malware will be with you always. 

Dave Bittner: [00:07:24]  And finally, the question of what operating system Russian President Putin really has on his personal machine remains very much up in the air. Could it really be Windows XP, or is this some elaborate disinformation campaign? It's tough for Americans to tell - in matters Russian, we feel like a nation of poker players up against a nation of chess players. Both have their strengths, but you're not playing the same game. On the one hand, you have quick estimation odds and willingness to take a risk and trust your luck. On the other, you are negotiating a complex but deterministic system where luck never plays a part. 

Dave Bittner: [00:08:00]  But over in the U.K., Naked Security is asking the really important question - if Mr. Putin is really using XP, is he also using an older version of Office, complete with Clippy, the helpful anthropomorphic paperclip? Naked Security asks, is Clippy telling the Kremlin, it looks like you're trying to destabilize another country's democratic process using an army of fake social media accounts. Would you like help? 

Dave Bittner: [00:08:30]  And now a word from our sponsor, McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years of research, the sheer human effort of it all, the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off, and it's perfect - your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture and not just react to threats but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to That's And we thank McAfee for sponsoring our show. 

Dave Bittner: [00:09:42]  And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's always great to have you back. We wanted to take a chance to take a look back. You all recently published your Talos Vulnerability Discovery Year in Review looking back at 2019. Take us through. What are some of the highlights here? 

Craig Williams: [00:10:00]  Well, so every year, our vulnerability research team decides that they're going to target certain things, right? And their overall goal is to find vulnerabilities in software that we use every day, right? And so that can include desktop software, office software and everything in between - right? - anything from your thermostat to your laptop to your 3D printer, potentially. 

Craig Williams: [00:10:23]  We did have a really interesting finding this year, and that this was the first year where we had more vulnerabilities discovered in ICS platforms than non-ICS platforms. And so what that means is basically, you know, when we started looking at IoT devices, we found lots of issues. I know there's the pessimists out there (laughter) so... 

Dave Bittner: [00:10:46]  One or two, yeah. 

Craig Williams: [00:10:47]  Yeah. You know how the internet is. Everybody's mostly positive. 

Dave Bittner: [00:10:49]  (Laughter). 

Craig Williams: [00:10:50]  But there might be people out there who would think that, hey, well, that means IoT devices aren't secure. You know, I saw that newspaper article about the Ring doorbell getting hacked. And therefore, I don't want one. You know the whole song and dance. 

Dave Bittner: [00:11:04]  Sure. 

Craig Williams: [00:11:04]  But I think this is actually a positive thing, right? When I look at this and I think about the way that software works, you know, and the fact that all software has bugs - right? - it's the nature of the beast, basically what it means is that, you know, IoT companies are taking software more seriously. They're looking for issues. Of course they're finding issues, right? If you look at any piece of software, you're going to find issues. 

Craig Williams: [00:11:29]  What we can say here is that we found issues, we worked with the vendors to address them, their maturity model is improving. And I think what we're seeing are definite steps in the right direction. So we were surprised, and we were very pleased with how it turned out. 

Dave Bittner: [00:11:45]  So really reflecting, I don't know, a maturation of the ecosystem overall? 

Craig Williams: [00:11:52]  I think so. I think that's a great way to think about it. You know, one of the jokes we used to tell was that IoT was stuck in the '80s, or maybe if you wanted to be generous, early '90s. 

Dave Bittner: [00:12:02]  Yeah. 

Craig Williams: [00:12:03]  And, you know, and the reason we say that - you know, it's tongue in cheek. But the reason we would say that is because you would see vendors when you would report a security issue deny that it was an issue, or they would say, well, that's not, you know, feasible. No one's going to connect that to the internet. And it's like, bro, have you seen the internet? (Laughter). 

Dave Bittner: [00:12:20]  (Laughter). 

Craig Williams: [00:12:23]  And so I think those realities, those denials that used to come in to try and, like, basically not fix things have gone out the window. People are realizing that, yes, you know what? Local devices can be targeted. Even if it's not accessible to the internet, it's still a serious issue because someone could be compromised behind it. Think about it, right? Like, you don't want to have a refrigerator that you can get remote code execution on through, say, you know, some sort of Linux overflow vulnerability inside of a Starbucks because somebody could walk into the Starbucks, scan the network. They don't know it's a refrigerator. They see - you know, it looks like potentially a low-end Linux box. It's very old. It's unpatched. It gets exploited. And then all of a sudden, they control the refrigeration unit for that store, and, you know, all kinds of nefarious things can happen. 

Craig Williams: [00:13:10]  And so I think things like that, stories like devices and things being held for ransom, are what's helped push this along, right? And I think with any industry, we certainly saw growing pains, right? We certainly had our share. I think the record holder for VolDev (ph) time to patch is held by a certain IoT vendor. Now, I'm happy to say that the issue was fixed, but I think what we're seeing here has taken it from that original vulnerability we found years ago to a place now where not only are IoT and ICS vulnerabilities something we find, but we routinely find and we routinely work with vendors to get them fixed. 

Craig Williams: [00:13:52]  So I think overall, it's a very positive message. It's saying that the vendors are working with us. They understand security. They're not perfect, right? Nobody ever is. But they're taking great steps, and they're on the right path. And I think it's a - it's an awesome outlook for 2020. Give me some insights here. In your publication here, you group together IoT and ICS. And obviously, IoT is Internet of Things. ICS is industrial control systems. I guess in my mind - my initial reaction when I hear IoT, I tend to think toward consumer devices. And I don't think of ICS stuff as being consumer devices. What's the rationale here for lumping them together? 

Craig Williams: [00:14:33]  It's a little bit like debating politics, right? 

Dave Bittner: [00:14:35]  (Laughter) OK. 

Craig Williams: [00:14:37]  There's definitely valid views on both sides. 

Dave Bittner: [00:14:40]  OK. 

Craig Williams: [00:14:41]  Now the reason we lump it together is because when you look at it from a device perspective, from a hardware perspective, from a software perspective, there are almost always the same, right? The equipment in my TV is going to be the equipment in any potential industrial display, or at least very similar to it. The software stack is going to be very similar to it. The open source libraries used are going to be the same. You know, it's almost always going to be Linux BusyBox-based install, running probably the exact same protocols or very similar protocols. And so just for simplicity's sake, we tend to lump them together. 

Dave Bittner: [00:15:13]  All right. Well, the report is Talos Vulnerability Discovery Year in Review for 2019. Craig Williams, thanks for joining us. 

Craig Williams: [00:15:20]  Thank you. 

Dave Bittner: [00:15:26]  And now a word from our sponsor, OpenVPN. OpenVPN Access Server is a flexible VPN solution that secures data communications from remote access to IoT to networking cloud data centers. While private networks have the security advantage of isolating critical IT services, it can be costly to extend to different sites, devices and users. Enter OpenVPN Access Server, a full-featured and cost-effective VPN solution. Access Server has an economical licensing model based on the number of concurrent VPN connections rather than the number of users. OpenVPN Access Server can be deployed on premises or on the cloud and allows load balancing, failover and fine-grained access controls, making it the best solution for small to medium-sized enterprises. You can testdrive OpenVPN Access Server for free. It comes with two VPN connections. Get started today at That's And we thank OpenVPN for sponsoring our show. 

Dave Bittner: [00:16:38]  My guest today is Bob Ackerman. He's managing director and founder of AllegisCyber Capital, an early-stage venture capital firm. Prior to starting AllegisCyber Capital, Bob was the president and CEO of Unisoft Systems, a global leading Unix systems house and founder and chairman of Infogear Technology Corp., a pioneer in the original integration of web and telephony technology. Full disclosure, he is also among the leadership team at DataTribe, which is an investor in the CyberWire. 

Dave Bittner: [00:17:09]  Our conversation focuses on his insights on where VC funding for cyber is heading in the coming year. 

Bob Ackerman: [00:17:16]  Well, I think there's a growing appreciation for a number of aspects of the cyber environment from an investor's perspective. I think, No. 1, you know, we've all witnessed sort of a massive influx of capital into the cyber innovation ecosystem. I think there is concern today that the sector may be overcapitalized, overinvested in. I think that's probably a legitimate concern. So I think investors are becoming more discerning as they look at the cybersecurity marketplace. 

Dave Bittner: [00:17:49]  So looking forward to the year ahead, would areas within cyber have your attention? What has your gaze? 

Bob Ackerman: [00:17:56]  Well, I think one of the things that I'm spending a fair amount of attention on is, how do we get better at managing? You know, so much of what we do today is basically a knee-jerk reaction. You know, we do the best we can. We deploy as many tools and technologies as we can to secure our infrastructure, to secure our data. But sometimes, it reminds me a bit of whack-a-mole - you know, just trying to stay ahead of the evolving threat landscape. 

Bob Ackerman: [00:18:25]  And I think we've taken that approach out of necessity as we try to catch up with the various threat vectors, but I think we need to transition to a more holistic view of cyber risk. And we need to manage cyber as a risk type, and we need to get better tools and better technologies to understand our exposure. 

Dave Bittner: [00:18:50]  With all of the pitches that you see, and you see a lot of pitches, some - is there a pattern? Are there things that make people stand out from the crowd, things that draw your attention and make you want to dig in and take a closer look? 

Bob Ackerman: [00:18:59]  Cyber is not something that you can pick up along the way. You know, cyber is something where you have to have a solid foundation upon which to build if you're really going to do innovative things. You know, if you look at our playbook, that reflects itself in our bias towards engineers coming out of the intelligence community - either deep data science engineers coming out of the intelligence community or former offensive engineers coming out of the intelligence community. 

Bob Ackerman: [00:19:27]  So if I go back to your question about when we're being pitched by entrepreneurs, we parse very, very quickly based on folks that have got a career of domain expertise and those that don't. And so we select for entrepreneurs that have spent their careers in cybersecurity. 

Dave Bittner: [00:19:44]  That's Bob Ackerman from AllegisCyber Capital. 

Dave Bittner: [00:19:52]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:05]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

Dave Bittner: [00:20:19]  Before we sign off, this being our last daily CyberWire podcast of the year, a heartfelt thanks to everyone who has helped make our show possible. We've had a great year here at the CyberWire - doubled the size of our team, launched new products and shows, and have started laying the groundwork for exciting things to come in the New Year. We truly are an amazing team of writers, producers, developers, salespeople and hosts, and we all feel privileged to do the work we do and that so many of you find it valuable enough to make it a part of your day. Thanks to our partners and sponsors for making the show possible. And of course, thanks to all of you for listening. Have a relaxing, safe and joyous Christmas, holiday break and New Year. We'll be running extended interviews throughout the break, and we'll be back with new shows January 2. On behalf of everyone here at the CyberWire, thanks for listening.