The CyberWire Daily Podcast 7.19.16
Ep 144 | 7.19.16

Influence online, from jihad to kawaii. Cybercrime. Industry updates.


Dave Bittner: [00:00:02:21] ISIS gets doxed. Comparative studies of malign and benign inspiration. Did coup plotters overlook the Internet? DDoS against governments, companies, and games. Turning two-factor authentication toward fraud. Malicious Excel macros. The story of the Cknife web shell. Enfal malware stays relevant after all these years. And some trends in security investment.

Dave Bittner: [00:00:31:07] Time to take a moment to tell you about our sponsor, Netsparker. Web applications can have a lot of vulnerabilities have you heard? Sure you have, you're listening to this podcast. And, of course, every enterprise wants to protect its websites. But if you have a security team, you know how easy it is for them to waste time calling out false positives. Check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily; you can use it to automatically scan thousands of websites in just a few hours. But don't take their word for it, go to for a free 30 day fully functional trial of the Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. And we thank Netsparker for sponsoring the CyberWire.

Dave Bittner: [00:01:28:02] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 19th, 2016.

Dave Bittner: [00:01:34:05] A prominent ISIS web forum administrator has had his online correspondence hacked and two years of it dumped on Pastebin, Motherboard reports. The content includes recruitment information and communication with forum members. A Flashpoint researcher observes that, “The myth of a highly secure jihadi underground, is exactly that: it's a myth." The material that’s been released is thought to be sufficiently interesting to the intelligence services of the civilized world, that the forum participants have some grounds to worry. Some of the correspondence was encrypted with ISIS’s homebrew version of PGP. The forum went down shortly after the doxing - “under repair.”

Dave Bittner: [00:02:12:20] The relative lack of security found in jihadist online operations should be unsurprising. ISIS, whatever its larger, long term aspirations and woofing about its technical chops, has long concentrated on the Internet as a place for information operations, specifically for the sort of inspiration that would draw recruits and prompt independent attacks. The pack leaders, essentially, are howling at the lone wolves. More sad indications of the success such inspiration appears to be having may be seen in the case of the Afghan teenager who attacked train passengers near Wurzburg, Germany, with an axe. And in evidence French authorities say they have, that man who murdered Bastille Day holiday makers' in Nice was much taken up with searching online for information about the Orlando massacre. German police officials caution against jumping to conclusions about the Wurzburg attacks. On the other hand, an ISIS flag was found in the attacker’s apartment and ISIS itself hasn't been shy about claiming the boy as one of its soldiers.

Dave Bittner: [00:03:12:10] Post mortems on whatever it was that happened last weekend in Turkey conclude that the coup plotters’ central error was failure to take down the Internet. How they might actually have done so analysts tend to leave as an exercise for their readers, apart from some hand-waving in the direction of DDoS. Shutting down the Internet is easier said than done. And again, ironically, Turkish citizens during the Erdoğan era have grown fairly adept at circumventing blocks to their access to social media. It would seem to be particularly difficult to do this under the time pressure of a coup d’état. Ars Technica reports that one of the plotters is alleged to have been a Turkish Army Colonel regarded as an expert in cyber-operations.

Dave Bittner: [00:03:51:16] Considering distributed denial-of-service attacks, compare one suffered this week by Philippine government websites. The attacks are widely held to be the work of Chinese security services acting against their country’s rival for control of territorial or international waters in the South China Sea.

Dave Bittner: [00:04:08:24] Symantec has reported banking malware concealed in Excel macros, a new wrinkle on distribution of malicious code.

Dave Bittner: [00:04:17:02] There’s also some fresh news on a long used family of espionage tools popular in China. Recorded Future has been looking at a dangerous web shell they’re calling “Cknife.” We spoke with Recorded Future expert, Levi Gundert, about the threat.

Levi Gundert: [00:04:30:13] In this case we actually alerted on some of the technologies that were mentioned in a Chinese forum post, and because we do natural image processing in Chinese and Russian and a lot of other foreign languages, we're able to detect these sorts of events. So this event for Cknife came through because of references to thinks like ASPX and PHP and so forth and so on. It was very interesting when we dug into it because the first reference we had to it was actually in December of 2015. We hadn't internally caught it until this alert fired in March, that was about the same time that Cknife had been posted to get github, but it was all done in Chinese so the only chatter about this particular web shell was in Chinese speaking forums.

Dave Bittner: [00:05:15:09] The Cknife exploit uses a programming technique called a web shell. I asked Gundert to explain the technology.

Levi Gundert: [00:05:21:22] The term web shell is probably a little bit more confusing than what it is. It's really just a file that's giving an adversary access to the underlying operating system or shell. It doesn't have to be malicious. It could be something that's benign or helpful. But essentially what it is is just a file that sits on a web server, and that file is some sort of code. So, generally speaking, these files that get placed on web servers are only used by actors and adversaries with malicious intent. What they're doing is they're remotely calling these files on the web server to do things like access a database, upload additional tool sets - just maintain persistence in the web server while they map other parts of the network. There are so many different ways to leverage a web shell, limited by the creativity of the individual using it.

Dave Bittner: [00:06:12:06] There's a well known Chinese exploit called China Chopper, and the creators of Cknife describe it with nationalistic pride as a cross platform evolution of China Chopper.

Levi Gundert: [00:06:22:12] China Chopper was built for Windows only. So, if you were going to install the controller - the controller connects to that file on the web server - that controller was only built for Windows. It's portable executable verses Cknife which is built in Java, so I've run it on Linux and it runs on Windows, it runs on Mac so it's completely cross platform compatible.

Dave Bittner: [00:06:44:24] Levi Gundert says they haven't spotted Cknife in the wild yet, and he offers some advice for protecting yourself from web shell exploits.

Levi Gundert: [00:06:53:02] If you're going to prevent web shells you actually have to understand your web servers and their environments. You have to do the basic things like upgrade a patch where you run content management systems like Joomla or Wordpress or have plug-ins for those things. If you're in an enterprise and you have hundreds of servers or even double digits, it becomes fairly complex to understand whether a particular file should actually be on that web server or not. Further, because it's not particularly malicious in and of itself, it becomes very difficult to detect these things. So it really comes back to doing a better job of hunting in your own traffic, in your own servers, and also just really doing some good due diligence on the basics, for those web servers, because, over and over again, we see that some of the really impactful campaigns tend to start with a web server - that's where they initially gain a foothold.

Dave Bittner: [00:07:47:03] That's Levi Gundert from Recorded Future. You can read the entire Cknife report on their website.

Dave Bittner: [00:07:53:19] Another espionage tool, Enfal, was first spotted in 2004 but continues to circulate in appropriately updated forms. Verint has been tracking Enfal, and notes that its targets tend to be diplomatic missions and non-governmental organizations in East Asia, with some attention recently to Brazil and Ethiopia. Enfal offers a striking example of the way venerable malware persists in evolved forms.

Dave Bittner: [00:08:18:00] In industry news, experts warn about the importance of addressing cyber security during mergers and acquisition in all sectors. We heard last week at SINET’s Innovation Summit that venture capital’s interest in cybersecurity startups is growing more sophisticated and selective, but that it’s far from over. Other observers see a trend toward a somewhat smaller number of somewhat larger investments. This morning, Skycure announced that it’s received $16.5 million in Series B funds. Foundation Capital led this round, which brings Skycure’s total funding to $27.5 million.

Dave Bittner: [00:08:52:08] Finally, we return to the topic of online inspiration. If inspiration is a form of information operations, and if information operations are largely marketing in battledress consider the marketing phenomenon of Pokémon Go. A piece in Foreign Policy sees this as the culmination of a Japanese government soft power campaign, spread through the cult of the cute, or kawaii. This seems like a big stretch, although we’re too close both physically and temporally to the recently concluded Bronycon to underestimate the power of the cute. And to compare the Shinto matrix of Pokémon to jihad would do an injustice to both Shinto and Islam. But information operators might study the Pokémon Go phenomenon with profit if they seek a benign case study of viral inspiration.

Dave Bittner: [00:09:43:19] I want to take a moment to tell you about our sponsor, E8 Security. You know to handle the unknown unknown threats, you need the right analytics to see them coming. Consider the insider threat, and remember that an insider threat isn't necessarily a malicious actor. Sometimes, it's a well intentioned person who's careless, compromised, or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the free White Paper at and get started. Detect, hunt, respond. E8 Security. We thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:10:32:06] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we've been seeing all these breaches with passwords and people getting into people's accounts. People using common passwords on multiple accounts. One of the ways that we can fight this is by using two-factor authentication right?

Joe Carrigan: [00:10:50:13] Right, yes. There are three parts to identify somebody or to authenticate them and that's who they are, what they know, or what they have. So, if you look at that from your perspective, who you are could be a biometric, like your iris scan, fingerprint, facial recognition, something you know - could be your user name and password - and something you have usually winds up being your cell phone. So a lot of sites, such as Gmail, and many banking sites will have an optional setting where you can go in and enable a two-factor authentication process where you enter your user name and password, and then they send a text to your phone with a code, and then they prompt you for that code, you enter the code, if it matches you get authenticated because, presumably, you have your phone. So now what happens is, if my password's out there in one of these hash leaks, or plaintext, god forbid, and it gets compromised and guessed or brute forced or whatever, now somebody has to identify me personally, find out where I am physically, steal my phone then go log in and enter the code.

Dave Bittner: [00:11:58:23] So obviously making it a lot harder than just being able to have the password on its own, and some of these services allow you to dial in when they hit you with the multi factor.

Joe Carrigan: [00:12:08:20] Yes. Gmail says every time you log in from an unrecognized computer, it will send you one of these codes. There's a financial institution that I use that has the setting that I can be prompted every single time I log in for it. Now, every time I enter my user name and password, I get the code and I enter the code and I log in. Yes, it takes a little more time but now it's going to be a lot harder for someone to break into my account.

Dave Bittner: [00:12:37:24] And I think that's part of it, is getting over that hump because it is, when you're trying to log into something and you have to wait for that text to come, it's a little bit of a road block and that can be an annoyance but really, in the big picture, probably worth it.

Joe Carrigan: [00:12:54:08] Right. It's like a work factor. So now, in order to get into my account, not only do I need a username and password but I also need a little bit of time. Well, to me, a little bit of time is not much but to somebody who might be trying to brute force it, it's going to be significant.

Dave Bittner: [00:13:08:16] And, again, it's one of those things where we might not be able to make our accounts completely secure but if the other accounts are less secure than ours, then the hackers are going to spend their time on those other accounts instead of ours.

Joe Carrigan: [00:13:21:15] Correct, and nothing is ever going to be completely secure.

Dave Bittner: [00:13:24:17] Right, so we do the best we can.

Joe Carrigan: [00:13:26:05] Right.

Dave Bittner: [00:13:26:17] Alright Joe, thank you once again for joining us.

Joe Carrigan: [00:13:28:17] My pleasure.

Dave Bittner: [00:13:30:22] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit If you enjoy our daily look at cyber security news, we hope you'll help spread the word by telling your friends and co-workers about our show, or leaving a review on i-Tunes. And thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:13:49:16] The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thank you for listening.