The CyberWire Daily Podcast 6.30.16
Ep 132 | 6.30.16

Hacktivism or denial-&-deception? (Smart money's on D&D.) LizardStresser herds CCTV bots.


Dave Bittner: [00:00:03:16] Is the DarkOverlord playing the media about stolen health care data? Guccifer 2.0's story gets more complicated, but the details aren't lending verisimilitude to what remains a bold and unconvincing narrative. The World-Check database leak seems to have been contained. Oculus' Twitter account was hijacked, briefly. Point-of-sale breaches put the onus for protection on the customer, and some governments seem to advance their ability to control the Internet.

Dave Bittner: [00:00:34:09] It's time to tell you about one of our sponsors - E8 Security. You know, once an attacker's in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like: newly-visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully-qualified domain name, or a distinct IP address, or the association of a website with a limited number of user agents. It's tough for a busy security team, but it's easy for E8's behavioral intelligence platform. For more on this, and other use cases, visit and download their free white paper. “E8 Security - Detect, Hunt, Respond.” We thank E8 for sponsoring The CyberWire.

Dave Bittner: [00:01:30:06] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 30th, 2016.

Dave Bittner: [00:01:36:07] The dark web still has the purported millions of health care records for sale, but the purported hacker DarkOverlord has changed his barking in ways that lead Motherboard, for one, to conclude that he’s “gaming the media,” and really interested in profiting by extortion as opposed to wholesale data sale: “I have a reputation with this handle now,” says the DarkOverlord. “Another step accomplished. Every time I put a new listing up it gets reported without hesitation now.” There are suggestions that Mr. Overlord is posturing before the media in the hopes of inducing victimized organizations to pay for the return of their data. And, of course, the quality and provenance of the data being offered in the Real Deal market remain largely a matter of conjecture.

Dave Bittner: [00:02:20:05] After several days of silence, Guccifer 2.0 has resurfaced with a blog entry deriding the many people who’ve attributed the DNC hack to Russian intelligence services. He’s even included an FAQ page. In brief, he - and Guccifer 2.0 specifically identifies himself as a man - he calls the DNC hack a “personal project,” and dismisses CrowdStrike as an outfit that would finger anyone as a Russian hacker.

Dave Bittner: [00:02:45:07] Few seem to be buying this story, however. Its details are hazy, and the romantic chatter about self-preservation and the need for anonymity strike most as unconvincing misdirection. And, of course, CrowdStrike isn’t the only one who regards Guccifer 2.0 as a Russian sock-puppet. SecureWorks presents evidence that the DNC hack was one aspect of a comprehensive espionage campaign against US targets known to be of close interest to the Russian government. ThreatConnect lays out the evidence available to its researchers and concludes that Guccifer 2.0 is a denial-and-deception operation, most probably mounted by Russian intelligence services. Their evidence is admittedly circumstantial, but ThreatConnect’s reasoning is interesting and worth a look. You’ll find a link to their treatment in today’s CyberWire Daily News Brief.

Dave Bittner: [00:03:32:12] And, by the way, CrowdStrike isn’t the only company Guccifer 2.0 names in dispatches. He also rags Kaspersky, which he claims has deliberately created “the myth about the almighty Russian hackers” because it’s good for business. Kaspersky, of course, is Eugene Kaspersky’s eponymous and very Russian security company. But as we say, what Guccifer 2.0 is selling, few are buying.

Dave Bittner: [00:03:55:03] Researcher Chris Vickery reports that a 2014 version of Thomson Reuters’ widely used World-Check database of terrorist actors has leaked online. Thomson Reuters says it’s “secured” the third-party source of the leak. We hear from Andrew Komarov, Chief Intelligence Officer at InfoArmor, who told us "Upon review, the data appears likely to have been stolen from one of World Check’s partners or customers, who was likely using it in their own operations." World-Check, used for watchlisting and other purposes by private and governmental organizations, including banks and police forces, is controversial for some of the people and organizations it includes as connected with terror.

Dave Bittner: [00:04:35:17] Such watchlisting clearly has its uses in flagging potentially illicit transactions. We’ve heard this week about another round of fraudulent SWIFT-related money transfers affecting banks in Ukraine and Russia. Today we hear from Cytegic expert Dan Pastor on how criminals can accomplish such fraud.

Dan Pastor: [00:04:53:11] We've seen a rising trend, not only in specific attacks on SWIFT, but specific, dedicated, financially-driven attacks on monetary value assets, such as bank accounts, and specifically on financial transactions. Basically, what we were able to see is that this has basically been a trend that's been rising since the beginning of January 2015. While a lot of the industry might have been surprised about the quick rise in attacks on SWIFT, and particularly on banks, we can actually show that it's been in the making for quite a while now. If you use this trend analysis, and look at a wider perspective, you can actually forecast these types of attacks, and be better prepared for that in the future.

Dave Bittner: [00:05:44:10] Pastor says these attacks coincide with a shift in availability of sophisticated attack tools.

Dan Pastor: [00:05:50:16] Less capable attackers, that in the past were not able to use highly sophisticated or advanced attack methods, have now been able to get much more into it, due to what we call the trend of proliferation of advanced attack methods. There has been much more dedicated, and focused, and sophisticated attacks, or attack methods, that have been used, which in the past were only used by nation states, or truly advanced attackers. You don't need to be a once-in-a-generation attacker, or hacker, in order to perform these advanced attacks. What you need to do is have sufficient funds, and sufficient CPU, I guess, and you need to know what your targets are. So that's a very, very alarming and interesting trend we've been able to see, and you can see that actually coinciding with the attacks on SWIFT.

Dave Bittner: [00:06:48:22] That's Dan Pastor from Cytegic.

Dave Bittner: [00:06:52:23] Oculus, the California-based virtual reality company, hasn't appointed a new CEO. If you follow them on Twitter, you may have heard that news, but it's a hoax. Instead, Oculus has become the latest high-profile tech company to sustain a social media hijacking. Their Twitter account is now back under company control.

Dave Bittner: [00:07:11:13] The Internet-of-things’ potential to be exploited in distributed denial-of-service attacks has been realized this week in the form of a large botnet of Internet-connected security cameras. LizardSquad’s LizardStresser tool has been implicated in forming the botnet and herding the bots. Observers think this augurs more use of LizardStresser in DDoS attacks involving the IoT. The fig leaf of security testing LizardSquad had once draped over LizardStresser has by now largely withered and dropped. Its uses are by now pretty clearly criminal. There's not even a plausibly gray-hat claim to be made about it.

Dave Bittner: [00:07:47:07] The Hard Rock Hotel and Casino Las Vegas and the fast-dining chain Noodles and Company both confirm they’ve suffered data breaches that affect customer pay card information. Brad Bussie, of STEALTHbits Technologies, tells us that this is a sign of the inability of legacy anti-malware approaches to keep pace with emerging threats. He notes that it’s always a good idea to minimize your attack surface, and isolate inherently vulnerable point-of-sale systems. “When you cut off the traditional methods of malware propagation, the number of breaches will fall significantly.”

Dave Bittner: [00:08:19:01] And Lastline’s Craig Kensek gives Noodles props for being relatively transparent about the breach they suffered. He does note that the duration of the breach at Noodles and Company - about six months - makes it difficult to notify all affected customers, and that so far Noodles has advised everyone to look over their card statements for anomalous charges. Since doing so is universally regarded as common-sense good practice whether or not a breach has been disclosed, this strikes Kensek as placing too much of the onus on the customers. "Target offered customers whose credit card/debit card info was compromised a free credit watch service for a year,” Kensek said. “Noodles and Company may want to consider this for affected customers."

Dave Bittner: [00:08:58:14] Turning to policy news, one of the concerns surrounding the Brexit referendum in the UK is that anti-Brexit hacktivism will surge. Hacktivism in particular, but other kinds of cyber attacks also, do seem to be keyed to events in the physical world, including anniversaries, historically significant dates, holidays, seasons, and so on. We spoke with Level 3's Dale Drew about the seasonal nature of cyber attacks. We'll hear from him after the break.

Dave Bittner: [00:09:24:19] Finally, to end on an unfortunately downbeat note, information may well want to be free, but in some places it’s being put pretty firmly in chains, or at least under house arrest. Russia is about to require, in a formal and legal way, that software vendors backdoor their products and give keys to the government. And observers note the retirement of Lu Wei, head of China’s Central Leading Group for Cyberspace Affairs, the country’s Internet control authority. Back in 2000, US President Clinton ironically wished the Chinese government good luck in its efforts to control the Web, saying they might as well try to nail Jello to the wall. Lu Wei seems to have succeeded in advancing what he would probably call “Internet sovereignty” more than anyone expected. Jello, meet wall.

Dave Bittner: [00:10:15:14] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:10:38:11] Joining me once again is Dale Drew - he's the Chief Security Officer at Level 3 Communications. We're leading into summertime here, at least in the northern hemisphere, and I'm curious: do we see any shifts in the types of attacks that we see on a seasonal basis?

Dale Drew: [00:10:52:17] Yeah. We really do see shifts in seasonal activity. I would say at the end of the summer, there's a very large, very sharp increase in ransomware and classic computer attacks. Usually what happens is that college kids enjoy their summer, and when they come back, they want to show the botnet that they've amassed, and so we see a very large uptick in ransomware attacks at the end of the summer. Same thing with the end of the winter - round the end of December, beginning of January time-frame, that same uptick with the same activity occurs as well, so those attacks are very seasonal.

Dave Bittner: [00:11:32:13] And so you're crediting that to college-age kids heading back to school?

Dave Bittner: [00:11:37:12] I would say, for the most part, it's a bit of an assumption on our part, and also based on some of the [PHONETIC: originating] traffic that we've seen, but yeah, I'd say for the most part, at least the uptick, we are attributing mostly to college kids coming back from school.

Dave Bittner: [00:11:54:15] All right. Summer time, and the hacking is easy. Dale Drew, thanks for joining us.

Dave Bittner: [00:12:01:05] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor and principal suit is Peter Kilpe. I'm Dave Bittner. Thanks for listening.