The CyberWire Daily Podcast 11.28.16
Ep 233 | 11.28.16

Military, law enforcement cooperation take a toll of ISIS operators. DDoS investigations. Mirai botnet can be rented on the black market. Beware ATM skimmers. Ransomware hits San Francisco light rail. Bogus news of cable show hacking.


Dave Bittner: [00:00:03:18] Military and law enforcement cooperation are taking a toll on ISIS cyber operators. US election hacking retrospective. DDoS in Brussels and Ireland under investigation. A Mirai botnet is available for rent on the cyber black market. ATM skimmers threaten holiday users, and the skimmers are tough to detect. Ransomware hits San Francisco light rail. And no, Anthony Bourdain's foodie show wasn't hacked to get banned in Boston.

Dave Bittner: [00:00:35:08] Time for a message from our sponsor, Netsparker. You know, web applications can have a lot of vulnerabilities. I'm sure you know that, you're listening to this podcast. And, of course, every enterprise wants to protect its websites, but if you have a security team you know how easy it is for them to waste time culling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too and even presents a proof of exploit. Netsparker cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at but don't take their word for it, go to for a free 30-day fully functional trial of Netsparker desktop or cloud. Scan your websites with Netsparker for a month, no strings attached. That's, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:39:01] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, November 28th, 2016. It's good to be back.

Dave Bittner: [00:01:46:02] The New York Times has an account of how cooperation between law enforcement agencies, notably the FBI, and US and UK military forces has enabled the arrest or, in many cases, the battlefield killing of ISIS social media operators. The Times notes that, in a number of cases, the social media operators appear not to have been replaced, which seems surprising, given that plausible candidates are apparently out there and available. Perhaps the drone strikes are deterring volunteers although, at least publicly, ISIS adherents seem to court rather than avoid martyrdom, so the lack of succession seems curious.

Dave Bittner: [00:02:21:23] In separate actions, French security services have rolled up an alleged ISIS terror ring through, in part, evidence derived from online sources. Some of those arrested were implicated in planning for a series of terror attacks, at least one of which was to have targeted Euro Disney. French authorities view the alleged plots as part of a concerted effort to disrupt and undermine upcoming elections, widely believed to favor right and center-right parties hostile to what ISIS considers its political, religious, and demographic interests.

Dave Bittner: [00:02:52:13] In the US, as major and minor political parties allege, in a low-grade way, vote hacking and other forms of election fraud, President Obama officially pooh-poohs the notion that the election was somehow tampered with by anyone. This dismissal seems unlikely to affect litigation over recounts.

Dave Bittner: [00:03:10:11] There's no word yet on how last week's denial-of-service attack on the European Commission was accomplished. Radio Free Europe/Radio Liberty notes that the attack coincided with a meeting in Brussels between Ukraine's president and EU officials, but this may have been coincidental. The European Commission has emphasized in its public statements that the attack was quickly contained. It's worth noting that denial-of-service incidents often serve as misdirection for other attacks. This appears to have happened during last December's takedown of a significant section of Ukraine's power grid. Booz Allen Hamilton recently published a walkthrough of that attack, in a paper titled, "When the lights went out." We spoke with Booz Allen's Brad Medairy.

Brad Medairy: [00:03:51:16] From an attack perspective, it really occurred over the period of a year through a series of phishing attacks. It started with reconnaissance, identifying potential targets and launching a phishing campaign that was the entry point into several organizations. From the phishing attack, malware and a series of remote access Trojans were installed. The adversaries then established a command and control connection and began to harvest credentials.

Brad Medairy: [00:04:21:00] Once they had the credentials, they were able to basically laterally move across the corporate network, perform some additional reconnaissance and then basically move laterally again into the industrial control system network. At that point, the typical security mechanisms that are in place in an enterprise don't necessarily exist in the OT environment. The adversary develops some malicious firmware and they delivered malware to the environment. And then basically they just scheduled the UPS to be shut down. They shut the breakers and at that point then they turned the lights off, and that set off a series of events that were difficult to recover from.

Dave Bittner: [00:05:02:01] Was there anything unusual about the Ukrainian system itself? Were they particularly vulnerable compared to other facilities of their type?

Brad Medairy: [00:05:10:23] My opinion is that it's fairly similar to a lot of environments that we see and, at the end of the day, people are the weak link. I talk to a lot of folks even outside of utilities and manufacturing, and I was talking to a client and we were talking about one of their European manufacturing facilities. I said "Think about how easy it would be to go onto something like LinkedIn to find your employees in your facility and to craft a fairly basic phishing attack, and an operator on a machine to click on the phishing email and either inject a piece of malware or a remote access tool kit or even something like ransomware that would potentially bring down a controller or an HMI." So, I think that these environments are all fairly fragile. I think that, in many cases, there's a big connect between the IT and the OT environment and basic hygiene and some street practices that we see in the enterprise aren't in place on OT network and I think that they're really exploitable.

Dave Bittner: [00:06:12:14] That's Brad Medairy from Booz Allen Hamilton. The name of the report is "When the lights went out. Ukraine cyber security threat briefing" and it's available on the Booz Allen website.

Dave Bittner: [00:06:24:08] In other DDoS news, router vulnerabilities were exploited last week to disrupt service to some 400,000 webmail users in Ireland.

Dave Bittner: [00:06:32:20] And two hoods using the noms-de-hack "Popopret" and "BestBuy" are renting a Mirai botnet said to contain 400,000 devices. BestBuy, we note, is, of course, quite unconnected with the well-known big-box electronics retailer. This BestBuy is known for his VIP status in underground markets like the notorious Hell Forum.

Dave Bittner: [00:06:53:16] The botnet need not be rented as a whole. The two impresarios are offering a variety of service levels. Here's one representative sample: "price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks." They decline to say too much about their offerings (security, don't you know), but they make the possibly true but quite unsubstantiated claim to have had access to Mirai source code before it was made generally available. Their version is thought by some security researchers to offer evolved IP-address spoofing and some ability to evade DDoS mitigation systems.

Dave Bittner: [00:07:34:19] Popopret and BestBuy are not unknown to threat researchers. They're thought to have been responsible for the GovRAT Trojan which the security company InfoArmor identified in November 2015, and which hit US government and business targets.

Dave Bittner: [00:07:49:12] KrebsOnSecurity offers another glimpse into the criminal underground with sales videos for ATM inset card skimmers. The inset skimmers are quite thin and look as though they'd be difficult to detect, so anyone using an ATM is advised to avoid standalone systems, especially those in poorly lighted areas. You're better off going to an ATM permanently installed in a bank.

Dave Bittner: [00:08:11:07] Today, of course, is Cyber Monday, and all online and brick-and-mortar shoppers are advised to exercise due caution and circumspection as they browse and buy. Cybercriminals are also observing the holidays in their own way, and we'll hear from Terbium Labs' Emily Wilson after the break, who can tell us a thing or two about how they celebrate on the dark web.

Dave Bittner: [00:08:31:19] And we close with two notes about hacks, both real and imaginary. Over the weekend San Francisco's Muni light rail system was hit with HDDCryptor ransomware that infected scheduling and payment. Those responsible caused this message to appear on ticketing terminals: "You Hacked, ALL Data Encrypted, Contact For Key ( ID:601." We predict that "You Hacked" will soon join "All your bases are belong us" as a hacker meme. We also note that Yandex is a Russian multinational offering a range of Internet services. The crooks have asked for a relatively paltry 100 Bitcoin, about $75,000, which so far has not been paid. They issued a follow-up offer to decrypt one machine as a token of capability and good faith, but as far as we know San Francisco hasn't taken them up on that offer. Remediation is presumably in progress, but until it's complete, the Muni is responding to the attack by opening the turnstiles and letting passengers ride for free.

Dave Bittner: [00:09:34:04] Finally, Thanksgiving evening - that's last Thursday, for those of you who may be unfamiliar with the US holiday - it was widely reported, and believed, that Boston-area foodies who thought they were tuning in to watch Anthony Bourdain's eating show, Parts Unknown, were instead served up thirty minutes of graphic adult content. The evidence that this happened was a tweet by one "Rose" but apparently it never happened, or at least no-one else saw it. The cable service RCN, which delivers the CNN feed to Boston, says it's looked into it and found that nothing of the kind occurred. As RCN goes on to say, primly, about Rose, "Only a technical review of the individual’s equipment involved could ascertain how this might have occurred. We’ve confirmed that this one customer account is in proper working order."

Dave Bittner: [00:10:23:03] So come clean, Rose. And advice to all of us - even if it's tweeted, it ain't necessarily so. But you all knew that, right?

Dave Bittner: [00:10:35:04] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:40:07] Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily. We just got over the Thanksgiving holiday weekend and, of course, part of that is Black Friday. And it turns out that Black Friday is actually pretty big on the dark web?

Emily Wilson: [00:11:54:17] It is. So, Halloween tends to be the favorite holiday, Halloween and New Year's Eve incidentally, kind of favorite holidays of the drug vendors, but when it comes to fraud, everyone gets excited for Black Friday, and so people have big Black Friday sales. In the same way that your favorite retailers are out with kind of door busters and dropping prices, you have fraud vendors who are offering major discounts on cards just in time for the holidays.

Dave Bittner: [00:12:21:05] So buying up credit card numbers at "You won't believe these prices"?

Emily Wilson: [00:12:24:19] Absolutely. And it's funny, I remember last year there were actually kind of comments and forums saying "Hey are you going to do a big sale for Black Friday? I want to make sure that I'm here in time, you know, while supplies last."

Dave Bittner: [00:12:37:11] So the fraudsters on the dark web, are they taking advantage of the massive amount of traffic that happens on Black Friday online for their own, you know, ill-gotten goods?

Emily Wilson: [00:12:48:16] Absolutely and so, I think, that's both online, you know, plenty of online transactions and also kind of physical corrupted points of sale. You know, you have a massive amount of spending going on and a large number of transactions going on, kicking off right around Thanksgiving and all the way through kind of the end of the year and even the first part of the New Year. And so Black Friday is a great chance for people to empty their current stock and get ready for all of the new cards they're going to add over the next month or two.

Dave Bittner: [00:13:15:06] I see so they're clearing them out and planning that they're going to get new ones over the holidays as well?

Emily Wilson: [00:13:20:10] Yes, absolutely and, you know, when you're buying something at a pretty steep discount you can't complain too much if the validity rates are pretty low.

Dave Bittner: [00:13:28:02] You were mentioning that there's sort of a sense of community, that people are actually, you know, decorating for the holidays.

Emily Wilson: [00:13:34:09] It's funny they do. You know, I remember last year kind of looking forward to seeing what people come up with this year but you know one of the big Russian fraud forums had snow over their logo and a Santa Claus in the corner and people will post with images or kind of red and green colors. You know, people do celebrate the holidays.

Dave Bittner: [00:13:53:06] Emily Wilson, thanks for joining us.

Dave Bittner: [00:13:57:24] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit While you're there, be sure to subscribe to our CyberWire daily news brief, delivered daily to your email. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.