The CyberWire Daily Podcast 6.22.16
Ep 126 | 6.22.16

Android malware circulating in the wild. Did bears find Clinton Foundation servers just right? Help me, ObiWan.


Dave Bittner: [00:00:04:11] Android badness in the wild. Crimeware-as-a-service, courtesy of the Brazilian and Russian mobs. The challenges of third-party apps. The DNC hack still looks like the work of Russian intelligence and those two bears, Cozy and Fancy, are now said to have taken up residence in the Clinton Foundation. Critical infrastructure attack surfaces and threats, from ICS to the grid to transportation.

Dave Bittner: [00:00:31:09] Before we get to today's news, I want to take some time to thank our sponsor, E8 Security, and ask you to visit to check out their free white paper, “Detect, Hunt, Respond.” It's gonna give you the information you need to deal with the unknown threats in your network, the threats no one has ever seen before. E8 is going beyond legacy signature matching and human watch standing, and they're hunting these unknown threats with machine learning and big data analytics. See what E8 has to say. Download the free white paper at E8 security dot com slash dhr. We appreciate E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:14:06] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 22, 2016. We’ll be following up on the DNC hack and related incidents later in the show but first a review of what’s currently happening in the wild, where criminals are currently wild about Android exploits. Malwarebytes is tracking “Pawost”. This is a bit of an odd one. It makes calls to numbers in area code 259. That’s unassigned in the US, but if you use China’s country code (+85) and try the numbers with that area code, you get a busy signal. This leads Malwarebytes to think that infected phones are calling China. Since, as Malwarebytes researchers put it, with Android malware motives usually answer the question, “Will this make me money?” the suspicion is that the calls are to premium numbers. Pawost masquerades, by the way, as a stopwatch app. Download with care.

Dave Bittner: [00:02:04:10] Other Android capers are being tracked by Trend Micro. Malware they’re calling “Godless” is rooting smartphones for the most part in India and Southeast Asia, although a few infections have been reported as far afield as Iran and the United States. Godless affects Android 5.1 - that is Lollipop - and has been found in a wide variety of apps, from utilities like flashlights to copies of popular games. You’re always best advised to download Android apps only from Google Play, but Godless has found its way even into that walled garden. Third-party apps always pose their particular set of security challenges. We spoke with Ayse Kaya Firat from CloudLock about their recently published report, "The explosion of apps: 27% are risky."

Ayse Kaya Firat: [00:02:50:19] Two years ago when we looked into this domain, we found about 5,500 apps. This year at the same time, we found more than 150,000 applications that are connecting to corporate cloud environments, so this is a number that has increased by 30x in the last two years alone.

Dave Bittner: [00:03:11:22] It's not just the increase in the number of apps that's cause for concern.

Ayse Kaya Firat: [00:03:15:19] The apps that you are talking about, they are touching the corporate back points and employees are authorizing these applications using their corporate credentials. They give these applications, and obviously by extension their vendors, programmatic access to their corporate data. These applications usually have very extensive permission scopes, exit scopes. They ask for permission to read documents, read all of your documents, externalize your documents, tell them those contacts. So they introduce millions of back doors into corporate environments. All of these back doors can easily be exploited as potential gateways for cyber crime.

Dave Bittner: [00:03:58:24] Third-party apps can be notoriously difficult for IT to track, and the problem grows even more dangerous when they're being used by highly privileged employees.

Ayse Kaya Firat: [00:04:10:05] And the employee might be the CEO of the company or they might be a super admin or super privileged account that sees all documents in an environment. Who can see passwords for everybody in that environment. So a super privileged admin giving credentials to an application, it changes the entire dynamic. It's not just about the application itself, but it's also about the dynamics. You know, how is this being used? Who is using those applications, et cetera?

Dave Bittner: [00:04:39:00] The sheer number of dangerous apps outlined in CloudLock's report makes it daunting for IT departments to try to deal with them on an individual basis. Based on their research, Ayse Kaya Firat has some suggestions.

Ayse Kaya Firat: [00:04:49:08] What organizations need is to develop a very high-level strategy and they also need a tactical, very specific application acceptable use policy to decide having a whitelist of those applications going forward. You know, a set of criteria. And these cannot be secret. It needs to be shared as a vision with the end users, because ultimately the end users are responsible. They're the ones doing this. And automating what flows after this, so how they are going to identify applications, how are they going to ban and rework applications, in real time, has become more important than ever.

Dave Bittner: [00:05:27:21] That's Ayse Kaya Firat from CloudLock. You can check out the report on their website.

Dave Bittner: [00:05:35:24] Another exploit Trend Micro’s following is “Mangit,” a commodity banking Trojan being served up by the Brazilian mob. We note that Brazilian organized cyber crime may soon be giving the Russian mob a run for its money. Mangit does the sorts of things you’d expect from a banking Trojan, basically getting into accounts and making illegal transactions. It’s noteworthy that this is being sold in the form of malware-as-a-service, and so is accessible to criminals who have limited (or no) technical capabilities.

Dave Bittner: [00:06:04:23] Ransomware is also still with us, and it, too, is being offered as a service. Cerber in particular is now on offer by Russian organized crime, and Check Point says that two distinct waves of evolved Cerber have hit the UK and the US over the past month. A survey of businesses suggests that most are no longer willing to consider paying ransom. What effect if any this shift in attitude will have on the criminal market remains to be seen.

Dave Bittner: [00:06:29:22] The big story this week, of course, continues to be the hack of the U.S. Democratic National Committee. Despite the best efforts of Guccifer 2.0, including his brief and somewhat high-flown interview with Motherboard, the smart money is increasingly on Cozy Bear and Fancy Bear, as CrowdStrike affectionately calls the responsible teams at Russia’s FSB and GRU. Fidelis and Mandiant are in substantial agreement with CrowdStrike on this attribution. The spoor the attackers left behind is “too sophisticated for script kiddies,” as Fidelis put it.

Dave Bittner: [00:07:01:23] So what of Guccifer 2.0, the lone hacker who claimed responsibility? There are several possibilities. First, he may be simply hoaxing, claiming responsibility for an attack he had nothing to do with. Or, second, he may be a false flag, a disinformation operation designed to afford the actual hackers with plausible deniability. Or, finally, he may be a third hacker, having romped in coincidentally with the Bears. This is entirely possible. Some high-profile cyber attacks take on the qualities of a riot, with several independent actors striking the same target set. CrowdStrike has been darkly suggesting the second, middle option - disinformation - and, since we’re after all dealing with bears, it seems appropriate to remark that this one would be just right.

Dave Bittner: [00:07:48:14] More interestingly, especially for those waiting for more documents to drop, Bloomberg reported yesterday that unnamed sources tell them that the DNC hackers, presumably Cozy and Fancy, also gained access to the Clinton Foundation’s systems. Observers expect more files to leak over the coming weeks.

Dave Bittner: [00:08:06:21] We heard a presentation from a senior NSA official this morning at the Cyber 7.0 conference. Renee Tarun, Special Assistant to the Director, NSA, for Cyber, and Deputy Chief of the NSA’s Cyber Task Force, spoke at length about the threat nation states pose to critical infrastructure. She specifically discussed Russia, China, Iran, and North Korea (and she wasn't telling tales out of school, since these are the same threat actors US Director of National Intelligence Clapper has singled out in recent Congressional testimony). Her two sample cases were the now famous Bowman Street dam hack in Rye, New York, and December’s take down of a portion of Ukraine’s power grid.

Dave Bittner: [00:08:43:21] Industry observers note increasing worry about industrial control system security across many sectors, with the power industry particularly concerned about a repetition of the Ukraine hack, this time in North America. Consensus on that likelihood is a soft, well, maybe, probably, or at least maybe, but the concerns are widespread. Other forms of infrastructure present their own distinctive attack surfaces. We spoke about those in the transportation sector with Charles Clancy, Director of Virginia Tech's Hume Center. We'll hear from him after the break.

Dave Bittner: [00:09:16:13] In industry news, analysts assess the needs of the cyber insurance market. Traders are looking at the prospects of bellwether publicly-traded security companies, especially those who, like Cisco and Symantec, have recently made acquisitions, and those who, like FireEye, have recently declined to be acquired. Venture capital is also active, as behavioral analytics shop LightCyber gets $20 million in Series B funding.

Dave Bittner: [00:09:42:08] Finally, let’s return to the problem of attribution for a moment. It strikes us that this is often done the way Obi-Wan Kenobi would do it. It’s a small step from “this code, too sophisticated for mere script kiddies; only nation-states are so capable” to “these blast points, too accurate for Sand People; only Imperial Storm Troopers are so precise.” Now if you could only see if they hacked in single file to hide their numbers... then we’d really have something.

Dave Bittner: [00:10:19:01] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:10:45:10] And I'm joined once again by Dr Charles Clancy, he's the Director of the Hume Center for National Security and Technology. They're part of Virginia Tech. Dr Clancy, I know one of your areas of research is dealing with some of the cyber challenges regarding transportation.

Dr Charles Clancy: [00:10:59:07] Indeed. As we see the growth of autonomous vehicles and certainly connected vehicles right now, there's a growing risk of cyber threat to those vehicles principally due to the interconnectedness of them. Previously, your car was not connected to the cloud, and now it is. And once that connection's in place, it creates a threat factor.

Dave Bittner: [00:11:19:17] So what are some of the specific dangers involved with vehicles?

Dr Charles Clancy: [00:11:23:01] Well I think most people probably saw the report a couple of months ago about the group that hacked a Jeep, and Wired had an article on it showing that they could hack in via the cellular interface and cause the Jeep to drive off the side of the road. Obviously concerns like that are significant, but there's also a wide range of privacy concerns if hackers are able to access the microphones in the cabin of your vehicle, for example, and be able to listen in on conversations. There are significant privacy concerns as well.

Dave Bittner: [00:11:56:02] And it's not just with autos, there are concerns with aviation as well.

Dr Charles Clancy: [00:12:00:16] Indeed, there have been a number of well-publicized reports recently about people proposing that they can hack into different segments of, in particular, the civil aviation ecosystem, whether it's air traffic control systems or individual aircraft. So we have a research portfolio at Virginia Tech looking specifically at things like air traffic control and how we might make the next generation air traffic control systems more secure against such attacks. That ecosystem is being complicated significantly by the growth of UAVs and the intersection between the civil aviation and the UAV ecosystem. Obviously many of these UAVs are relatively unsophisticated devices and have cyber threats of their own that need to be contended with.

Dave Bittner: [00:12:43:12] Alright, Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:12:46:07] And that's the CyberWire, thanks to all of our sponsors for supporting the show. We hope you will check them out. That really does help us. The CyberWire's produced by Pratt Street Media. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.