The CyberWire Daily Podcast 7.12.16
Ep 139 | 7.12.16

Medical device, record hacks. (Un)welcome new ransomware: Alfa, Ranscam. ISIS online decline?


Dave Bittner: [00:00:03:10] ISIS may be shrinking in social media country even as it shrinks in the Levant. NATO will increase cyber cooperation. A newly described malware dropper is tailored to work against European energy companies. Patient records are breached in the US, and medical devices become increasingly attractive to hackers. There's a decryptor out for Jigsaw ransomware, but not for the newly introduced "Alfa" or "Ranscam" (and Ranscam doesn't even bother to decrypt in the first place). Google and Niantic deal with Pokémon Go security issues, and don't enter some strangers' home, even if you see Reshirom EX on their sofa.

Dave Bittner: [00:00:44:17] Time to take a moment and tell you about our sponsor Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve but your costs will drop, and that's a good deal in anybody's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pentesting or securing your enterprise online, you'll find what you need at You can try it out for free with no strings attached. Go to for a 30 day fully functional version of Netsparker Desktop, and by fully functional Netsparker means yes; really fully functional. Scan those websites with no obligation. Check it out at, and we thank Netsparker for sponsoring the CyberWire.

Dave Bittner: [00:01:48:12] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 12th 2016.

Dave Bittner: [00:01:55:00] ISIS may be declining in cyberspace even as its territory in physical space shrinks under military pressure. The AP has reported a 45% decline in the jihadist group's Twitter traffic over the last two years. Such trends tend to be ambiguous, and quantification is seldom as straightforward as a simple number might lead one to conclude, but there does appear to be some shrinkage of the Caliphate's on-line presence. Erik Knight, industry veteran and president of cloud security shop, SimpleWan, tells us that in his view government efforts against ISIS are one part of the story, "Hacktivist groups have contributed to the Islamic State's weakening on-line presence. What the U.S. government is doing is helping, but you also have groups like Anonymous actively going after Twitter accounts controlled by these groups. It's becoming a war with diminishing returns for ISIS. It's taking a lot more work for ISIS to get messages out." So, it seems information operations can be self-organizing on both sides of a conflict.

Dave Bittner: [00:02:52:00] The recently concluded NATO summit featured agreements for increased cooperation in cyberspace. Some of this is against trans- or sub-national groups like ISIS, and other aspects of it are directed toward threats from nation-states. And the nation-state in question, when it comes to NATO vigilance, is typically Russia.

Dave Bittner: [00:03:10:04] SentinelOne reports finding a malware dropper built to target specific European energy companies. It looks like a battlespace preparation tool, a precursor to the previously observed “Furtim” campaign. This inevitably reminds people of last December’s attack on Ukraine’s grid. While neither SentinelOne nor observers are exactly saying “iz Moscvi” signs do seem to point generally toward the Kremlin.

Dave Bittner: [00:03:35:03] Kaspersky Labs has looked into industrial control system hosts and finds more than 90% of them vulnerable to remote exploitation. That’s not exactly what legal experts would call “an admission against interest” coming as it does from a security company, but it’s not an implausible figure, and it does suggest that SCADA systems remain unpleasantly exposed to the ministrations of determined attackers.

Dave Bittner: [00:03:57:08] InfoArmor has published a report, “Healthcare under Attack” that describes a wave of patient record theft the company discovered and disclosed to the National Healthcare and Public Health Information Sharing and Analysis Center (the NH-ISAC) back in May. Some 600,000 records are thought to have been affected. More than three terabytes of data are for sale in Dark Web markets. InfoArmor’s Chief Intelligence Officer Andrew Komarov, who supervised preparation of the report, told us that unfortunately there’s little individual patients can do to protect themselves against this sort of incident. Komarov said, “On the traditional anti-fraud level it is highly recommended to be subscribed on credit monitoring services”, but even so the risk of PII details being disclosed remains high, and with it the attendant risk of fraud and on-line bank theft.

Dave Bittner: [00:04:48:00] STEALTHbits’ Adam Laub called the episode, “Another perfect example of the fact that attackers are after two things, and in this order: credentials and data.” He urges enterprises to look to poorly secured credentials and unchecked data to better protect their patients’ information. The breaches appear to have been accomplished through exploitation of remote desktop services. Balabit co-founder and CTO Balázs Scheidler notes that remote access to data is commonplace. "In the case of healthcare firms in question, attackers initially used a normal user account and then acquired superuser privileges using Local Privilege Escalation.” He advocates closer monitoring of remote access to identify such misuse.

Dave Bittner: [00:05:30:16] It’s not only patient records, but medical devices themselves that are increasingly of interest to hackers. It’s not so much that they’re interested in directly attacking someone’s health by hitting, say, a dialysis device, although that too is a risk. Rather, medical devices are attractive because they often afford a poorly protected way into medical records, which themselves are easily sold on the black market. TrapX and Cyber Risk Management tell Threatpost that the typical goals are either data compromise or that other evergreen motive for IoT hacks: botnet wrangling.

Dave Bittner: [00:06:02:09] There’s mixed news on ransomware today. Check Point Software has produced a decryptor for Jigsaw, to which we say, bravo Check Point. The bad news comes in two parts. The criminals behind Cerber ransomware have produced a successor, “Alfa” for which there’s so far no remedy. The newly observed, "Ranscam" is also out in the wild. Ranscam should give everyone who’s considering paying the ransom pause, because, as its name suggests, Ranscam is a scam. The hoods behind it won’t decrypt your files because they can’t. They were too lazy to write code that would’ve encrypted the data in the first place. Instead, Ranscam simply deletes your files upon infection. It’s just telling you they’ve been encrypted. So, save your Bitcoin and do remember to regularly and securely back up your files.

Dave Bittner: [00:06:49:04] Another word of advice, coming in from multiple sources: use Pokémon Go with caution. Google and Niantic--, Niantic being, of course, Pokémon’s corporate parent--, are working on a fix to a problem arising for many users of the wildly popular game. Demand has outstripped Niantic’s ability to sign on new trainers, so many of you are using your Google account to get into the game. If you do that, you’re giving the game full access to your Google account. That’s a lot of permissions, more than are needed, and more than you should prudently give. Think: do you want Jessie to be able to read your Gmail? Delete stuff from your Google drive? Do you want everyone to know exactly where you are, even Meowth?

Dave Bittner: [00:07:28:00] Finally, Pokémon trainers, take a good look around you as you pursue the Pokémon in augmented reality. Some map glitches are directing people to places better left unvisited. So, even if you see Charmander and Reshirom EX in some random strangers’ living room four blocks away, don’t go there. That's the kind of thing Team Rocket would do.

Dave Bittner: [00:07:51:11] Time to take a moment to tell you about our sponsor E8 Security, putting your data together with E8's Analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system? Listening, or running programs, on a rare or never seen before open port is one of them. It's easy to say that but, could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs? If you had time to review your logs, and by the time the logs reached you, the news would be old. E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get their free white paper at and get started. E8 Security, your trusted partner. We thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:08:43:00] And I'm joined again by Markus Rauschecker, he's from the University of Maryland Center for Health and Homeland Security. Markus, I saw an article in the Wall Street Journal recently. The article was called "Should companies be required to share information about cyber attacks?". First of all, give us an overview. What are they talking about here in this article?

Markus Rauschecker: [00:08:59:14] Yeah this is an issue of sharing information about cyber attacks that a company, an organization has suffered, I mean, this idea has been around for a while now. The basic idea is that, if we're sharing information of companies that are seeing cyber attacks, that have experienced a cyber attack, if these companies are sharing information with other companies or with the government about that attack, then other companies and the government can learn from the attack and then use that information to better protect other companies or the government. So that's the basic concept behind information sharing when it comes to cyber attacks: cyber breaches.

Markus Rauschecker: [00:09:38:13] There is some controversy about the cyber information sharing because, on the one hand, yes, everyone kind of agrees that information sharing is a good idea, situational awareness is a good idea. The more we know about what the threats are, what's out there, what's coming our way, the better everyone will be prepared, but it's a lot easier to talk about this than to implement it. There's some serious concerns about implementation of actual cyber information sharing. We've seen that when Congress has been trying to pass cyber security information sharing legislation. It took them a while to actually pass a law that creates a framework for sharing this kind of information. Privacy groups and civil liberties groups are very much opposed to cyber security information sharing legislation because they argue that personally identifiable information could be shared. Government could get information about individuals without actually going through the proper warrant procedures or other privacy protections that are out there.

Dave Bittner: [00:10:44:05] And back in December, Congress passed the Cyber Security Act. What was that designed to cover?

Markus Rauschecker: [00:10:49:10] This creates a voluntary framework for companies and other organizations to share information with each other, or with the government. And also thereby gain some liability protection for sharing that information. It's really supposed to encourage this information sharing and information sharing on the technical aspects of the breaches, so that other organizations and government can really learn about what the threats are that are out there, and then in real time be able to protect others from the same threat. It's important to note though that this is a voluntary framework. No company is being compelled to actually share this information, and companies can choose not to share information if they don't want to.

Dave Bittner: [00:11:32:13] Alright, time will tell. We'll keep an eye on it as always, Markus, thanks for joining us...

Dave Bittner: [00:11:39:00] ...and that's the CyberWire. For links to all of today's stories along with the interviews, our glossary, and more visit If you enjoy our daily look at cybersecurity news, we hope you'll help spread the word by telling your friends and co-workers about our show, or leaving a review on I Tunes.Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, our technical editor is Chris Russell. Our executive editor is Peter Kilpe., and I'm Dave Bittner. Thanks for listening.