The CyberWire Daily Podcast 11.15.16
Ep 226 | 11.15.16

It walks, it talks, it reports to Shanghai. Locky takes a run at US Army Cyber Command. CrySis decrypted. SpamTorte 2.0 is out. Adults should be warned off by "adult."


Dave Bittner: [00:00:03:20] It walks, it talks, it reports to Shanghai. Kryptowire finds a backdoor in some Android phones. Locky ransomware takes a run at US Army Cyber Command. CrySis ransomware is decrypted. SpamTorte 2.0 is out, and it's thinking big. A Trojan may be implicated in the Tesco fraud campaign, and it may have more banks in its crosshairs. And watch out for the AdultFriendFinder-themed spam that will follow in the breach's wake.

Dave Bittner: [00:00:35:13] Time for a message from our sponsor, E8 Security. You know, once an attacker's in your network there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like. Newly visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address, or the association of a website with a limited number of user agents. Tough for a busy security team, easy for E8's behavioral intelligence platform. For more on this and other use cases, visit and download their free White Paper. That's E8 Security - detect, hunt, respond. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:37:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 15th, 2016.

Dave Bittner: [00:01:43:02] We've heard a lot in recent months, more than anyone in a better world would like to hear, about Russian cyber operations. Today we'll hear about another nation's threat actors, whether commercial, criminal or state intelligence service is so far unclear. Security company Kryptowire has discovered a significant vulnerability that affects many Android devices, especially prepaid or burner phones. Essentially, preinstalled Adups software amounts to a backdoor that collects text messages and ships them every 72 hours to an address in China.

Dave Bittner: [00:02:15:17] Adups software enables phone manufacturers to provide remote firmware updates. And, according to Kryptowire, this isn't a bug inadvertently introduced into the software, but rather a deliberate installation. Shanghai Adups Technology Company, which according to the New York Times claims its product is in some 700,000,000 devices, says Adups enables them to monitor user behavior for a Chinese phone manufacturer. Two of its larger clients are Huawei and ZTE. The software wasn't intended to have that functionality in US-built devices. One US manufacturer, BLU Products, says it's updated its software to eliminate the backdoor from the 120,000 BLU phones affected.

Dave Bittner: [00:02:59:21] Whether the backdoor is a data scraping tool intended for commercial marketing or a state-directed espionage is unclear. Adups attorneys characterize it as the former, and tell the New York Times that, quote, "This is a private company that made a mistake," end quote, and not a business that's affiliated or colluding with the Chinese government. We spoke with Ryan Johnson, the Kryptowire researcher who discovered the vulnerability.

Ryan Johnson: [00:03:24:09] So I usually like to take a look at what comes installed on the system image and I noticed there were essentially two applications. One is com.adups.fota and the other is com.adups.fota.sysoper and those two were communicating so I noticed in one of the content providers it would provide access to the call log as well as the text messages so I thought that was a little strange so, essentially, like a wrapper. So usually you would provide your own content, but this was-- once you had queried it, it would query the phone calls and the text messages and also allow you to write files and read files and it was open to any app on the phone. Once I saw that it was providing that, I looked to see what other applications were accessing it, because it seems strange just to have that there out in the open.

Ryan Johnson: [00:04:20:11] I noticed it was when you plug in the phone or when there is a connectivity change broadcast intent, so, like, when you leave a wifi network or come on a wifi network, it would send this out and the data was eligible to be sent out every three days. So I-- and then, once I saw that, looked at the URL, looked at the-- did a nslookup for it, saw that it was a service in Shanghai, China. It was pretty concerning once I saw that and it was sent out in an HTTP post where the-- it was actually, like, a zip file in the form data, so it could just extract that. And then-- and that was over HTTPS. And then also, at least for the text messages, there was further encryption being used to conceal the actual content of the text message which the key was hard coded and-- as well as the IV so that that was extracted and then from there, you can see the actual body of the text message and it also has the number so they can see essentially who you are texting and who you are calling.

Dave Bittner: [00:05:26:05] That's Ryan Johnson from Kryptowire. We'll be sure to have more on this story as it develops.

Dave Bittner: [00:05:32:14] State espionage services are of course active in many ways, as electronic capabilities and the lives of people online are assimilated to traditional espionage tradecraft. Motherboard reports that intelligence agencies, their lead example comes from Brazil, are making foreseeable (and, as Motherboard puts it, "creepy") use of various social media platforms for traditional ends of infiltration, compromise and recruitment.

Dave Bittner: [00:05:58:02] Ransomware continues to circulate. This week US Army Cyber Command reports that some of its personnel have been receiving phishing emails carrying Locky ransomware payloads. There's some good news, however, on the ransomware front. Over the weekend Kaspersky released decryption codes for the CrySis ransomware family. Bravo Kaspersky.

Dave Bittner: [00:06:19:02] Verint has seen a new variant of SpamTorte, an advanced, multilayered spambot, circulating in the wild since 2014. SpamTorte 2.0, as it's inevitably being called, operates with several command-and-control servers compromised through vulnerable WordPress and Joomla extensions. It's using several thousand spam mailers, compromised websites, and incorporates features that enable spam campaigns to be more efficiently conducted.

Dave Bittner: [00:06:45:23] Observers continue to harrumph about how Tesco ought to have known better, that it should have done more to prevent it. Maybe so, but even if you think your security is pretty solid, bankers, well, don't get cocky, kid!

Dave Bittner: [00:06:57:16] ESET says that the Retefe Trojan was involved in Tesco bank fraud. Retefe, usually spread via malicious email, configures a proxy server for man-in-the-middle access to traffic between customers and their online account. It also installs a bogus root certificate to fend off warnings of interaction with a spoofed site and it has a mobile component that intercepts passcodes to subvert two-factor authentication. ESET believes other banks are being actively targeted with Retefe.

Dave Bittner: [00:07:28:03] Security vendors have begun their holiday season warnings for online shoppers. Black Friday, the traditional start of the door-buster shopping season, is less than two weeks away. We'll have occasion to share some of that advice in upcoming podcasts. In the meantime you can read the advice on offer in today's issue of the CyberWire.

Dave Bittner: [00:07:47:16] There's that old saying about the only constant in this world being change. For many in the security biz, part of that change is deciding how much, if any, of your data and services to move to the cloud and how to make it possible for your users to access what they need on an expanding array of devices.

Dave Bittner: [00:08:04:09] We checked in with Pamela Dingle, Senior Technical Architect at Ping Identity for her take on how companies are handling these challenges. They call it the digital transformation journey.

Pamela Dingle: [00:08:14:17] The idea is to not just move your business into new technology paradigms, but to embrace those paradigms and to change the ways that you do business to actually leverage these new capabilities of new technologies. So digital transformation is not new. Anyone who has been in the business for a long time has seen initiatives to, you know, take advantage of mobile, to take advantage of, you know, this new web 2.0 thing that came out a while back. But what's happened right now, of course, is that, because we have these incredible stable elastic platforms and we also have these changing user paradigms of tablets and mobile phones and all of these amazing things, the juxtaposition of those two things has meant that everybody is thinking about what it means to move their infrastructure to the cloud and transform it at the same time to leverage the abilities of the cloud.

Pamela Dingle: [00:09:15:23] That's half of it. And then the other half is the front end pieces, the user experience pieces. Those are moving to a device, an anywhere device type of paradigm.

Dave Bittner: [00:09:24:24] So when we're talking about a digital transformation, what part does security play in that?

Pamela Dingle: [00:09:31:06] It plays a massive part. I don't believe that this kind of digital transformation would even be possible or advisable except that there is a heightened security awareness today. So if you can imagine people trying to do what we're doing now, even a decade ago, you would end up with silos of information and you wouldn't be able to talk to anything and you wouldn't have any visibility into what's going on. But because we have really good security infrastructure around how to manage the front door of a lot of corporate infrastructures or customer facing infrastructures, we, we have the ability to execute, or at least maintain, some control over how people are using resources that might now be splayed across various platforms and using various paradigms on the Internet.

Pamela Dingle: [00:10:22:15] I'm excited about the fact that it doesn't matter how so much anymore, it only matters that what you do is well audited, that you're watching it properly and that you've got a decent risk profile as to why you are doing things the way you're doing them.

Dave Bittner: [00:10:38:20] That's Pamela Dingle from Ping Identity. The digital transformation survey report is available on their website.

Dave Bittner: [00:10:47:00] In industry news, Nehemiah Software acquires Siege Technologies, specialists in forecasting attacker capabilities.

Dave Bittner: [00:10:55:04] Finally, a UK court has approved Lauri Love's extradition to the US where he'll face hacking charges. And, if Ash Carter has his druthers, there'll be no eleventh-hour pardon for Edward Snowden as President Obama prepares to leave office. It's safe to say that Mr. Snowden isn't exactly flavor of the month with the US Defense Secretary.

Dave Bittner: [00:11:16:17] Predictably, AdultFriendFinder-themed spam has begun to appear. Warn those 339,000,000 friends of yours who were incautious enough to avail themselves of that service that they'll have other worries soon enough. We note with regret that some 78,000 of the compromised accounts are US military addresses. We've said it before and, sadly, we have to say it again. Straighten up and fly right.

Dave Bittner: [00:11:46:24] Time to take a moment to tell you about our sponsor, AlienVault. Do you know the typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack. It's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for complete threat detection in one easy-to-use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Labs Security Research Team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit today and download your free 30-day trial of AlienVault Unified Security Management. That's And we thank AlienVault for sponsoring our show.

Dave Bittner: [00:12:52:11] And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You all have a new report out called The Truth About the Dark Web: Separating Fact from Fiction. Take us through the report. What kind of stuff did you find?

Emily Wilson: [00:13:06:16] So, yeah, we, we've been working on this report for the last few months and kind of basic overview of the report. We did a, a random sample of Tor hidden services and kind of took a look at the proportion of different content types on the dark web and kind of the most interesting thing to come out of that, contrary to popular opinion, is that the dark web is mostly legal to the tune of 55%, we saw. Of that 55%, that is made up of both kind of normal legal content and then what we called explicit content, so perfectly legal porn. And that's just not something you hear about very often. People are quick to talk about how the dark web is a place full of danger and crime and drugs and that's definitely true, it's just only half of the story.

Dave Bittner: [00:13:52:04] Just because something on there is legal, that doesn't mean that it is not problematic.

Emily Wilson: [00:13:57:13] Potentially definitely. I think that's one of the, you know, one of the struggles that we have as analysts is looking at material and trying to determine whether or not it's, it's potentially damaging and, you know, that can come in many forms, right? So is it, is it slander that's technically legal or do you have someone who's discussing proprietary information that they either shouldn't have access to or that they shouldn't be discussing. You know, that's one of the reasons that we kind of try to remove a lot of the human analysis from the work that we do and focus on being a data company is to avoid situations where we may overlook something that may actually be important because, unless you're the organization involved, you really don't know what, what can be sensitive.

Dave Bittner: [00:14:38:19] And is, is that driven by the fact that a lot of people are on here anonymously?

Emily Wilson: [00:14:44:01] Absolutely. You know, the kind of Tor hidden services by their nature are anonymous and people, by and large, will choose not to identify themselves. There is really no benefit in providing information about your identity. You might say, "I work in healthcare," or you might say, "I work in technology," but those are very broad definitions. Healthcare can be manufacturing, it can be retail, it can be pharma. If you work in technology, you could be doing everything from, you know, working at kind of a technology retailer up to working on very sensitive kind of technological advancements at, you know, an intelligence institution. And people are quick to build their own reputation, but there is a fine line between establishing yourself as an authority in a space and avoiding giving too much away about yourself. I think a good rule of thumb here is that anyone who wants to go on the dark web and announce that they have a secret probably doesn't unless they are-- you know, you're dealing with people who are more, more prolific in this space, people who have built up a reputation over time. Someone who says, you know, "Take a look at this space at 11 o'clock tomorrow morning," you're probably going to listen to them.

Dave Bittner: [00:15:52:17] So it's more subtle than that.

Emily Wilson: [00:15:53:19] It's more subtle. You know, if you need to say that you have a secret, do you really have one?

Dave Bittner: [00:15:59:15] Yeah. Emily Wilson, thanks for joining us.

Dave Bittner: [00:16:01:23] The report, The Truth About the Dark Web: Separating Fact from Fiction can be found on the Terbium Labs' website.

Dave Bittner: [00:16:10:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:16:20:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.