The CyberWire Daily Podcast 12.1.16
Ep 236 | 12.1.16

Shamoon and Fancy Bear are back. Mirai never left. San Francisco Muni saved by good backups. New Android Trojan found. Firefox patches threat to Tor anonymity. Surveillance policy, ISIS investigations in Germany. 


Dave Bittner: [00:00:03:17] Shamoon is back, and again probably from Iran, and again hitting Saudi targets. Mirai infestations are turning up in the UK; observers see a criminal race to round up the biggest bot herd. Fancy Bear is also back, and still pawing at WADA. Good backup practices enabled San Francisco's Muni light rail to recover from ransomware. Palo Alto warns of a new Android Trojan. Facebook says there's no way ransomware was hidden in Messenger images. Firefox patches the zero-day that threatens Tor anonymity. Germany mulls going for more surveillance, less privacy, as investigations of ISIS operations continue.

Dave Bittner: [00:00:43:17] Time for a message from our sponsor Netsparker. Are you still scanning with labor-intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money, and improve security with their automated solutions. How many sites do you visit, and therefore scan, that are password protected? With most other security products, you've got to record a login macro, but not with Netsparker. Just specify the username, the password and the URL of the login page, and the scanner will figure out everything else.

Dave Bittner: [00:01:12:04] Visit to learn more, and if you want to try it for yourself, you can do that too. Go to for a free 30-day, fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:42:22] This is Dave Bittner in Baltimore with your CyberWire summary for Thursday, December 1st, 2016.

Dave Bittner: [00:01:48:04] Shamoon, the drive-wiping malware that hit Saudi Aramco and other energy firms hard in 2012, is back, with infections reported in Saudi government systems. Saudi investigators say their forensic investigation leads them to attribute the attack to an Iranian source. Shamoon, also called Disttrack, appears to be purely disruptive in operation, with no reports of data exfiltration.

Dave Bittner: [00:02:11:21] That was the case with the former appearance of Shamoon. In 2012 it destroyed data on Saudi Aramco devices, forcing hasty disconnection and costly replacement of the oil company's systems. That attack was attributed by most to an Iranian actor as well; a group calling itself "Cutting Sword of Justice" claimed responsibility.

Dave Bittner: [00:02:32:07] Even as Deutsche Telekom recovers from its Sunday distributed denial-of-service attack, there are reports today of further Mirai infestations affecting Internet routers outside Germany. In the UK, both TalkTalk and Post Office broadband services have been disrupted by an evolved version of the Mirai botnet-herding malware.

Dave Bittner: [00:02:50:14] The security firm Plixer has been keeping us informed about the progress of Mirai. Thomas Pore, Director of IT and Services at Plixer, told the CyberWire he sees these latest episodes as amounting to a continuation of "the Mirai arms race" – hoods are competing to develop a leading position in the numbers of bots that can be marshaled for an attack. Exploiting routers distributed by TalkTalk and the Post Office greatly increases the volumetric capacity of the attack tool. "Customers knocked off-line during the infection growth expansion already feel the pain, which may be marginal compared to an attack against some of the largest ISPs down the road."

Dave Bittner: [00:03:27:13] So in this view there's more Mirai coming. Estimates place the number of exploitable devices at greater than forty million, which, Pore says, means that, if even a fraction of those devices are compromised, "the power behind this Mirai variant could be unprecedented."

Dave Bittner: [00:03:43:13] Fancy Bear is also back. The World Anti-Doping Agency has again come under cyber attack, and the responsible parties are either Fancy Bear or someone masquerading as Fancy Bear. The evident goal of the attack is to discredit the World Anti-Doping Agency as corrupt. You will recall that the Agency had sanctioned a number of Russian Olympians during the Rio games this past summer.

Dave Bittner: [00:04:06:04] San Francisco's Muni light rail has recovered from the ransomware attack it sustained this past weekend. It didn't pay the ransom, and so far none of the data releases the extortionists threatened have occurred. The Muni says that's because the attackers didn't get any data in the first place. The recovery, observers note with general approval, was made possible by Muni's sound backup practices.

Dave Bittner: [00:04:29:14] The notion of an ATM spitting out all of its money seems like something out of a heist movie, or maybe a bad sitcom, but as we reported, a cyber gang – likely Russian organized crime – has come up with a way to make the machines do just that, in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the United Kingdom and Malaysia. Group-IB is a cybersecurity firm that's taken a lead role in investigating the caper and has named it Cobalt. We spoke with Dmitry Volkov, who joined us from their offices in Moscow.

Dmitry Volkov: [00:05:04:04] We’re observing targeted attacks against the financial institutions, like banks, payment systems, since 2013. This specific group, we detected it just in the middle of this year. The first attack happened in Russia, so one Russian bank was robbed. And when we started to detect a spearphishing campaign, targeting different countries, in Asia and Europe, in Soviet Union countries as well. We started to receive a request from different banks and from European countries. We see malicious activity inside their corporate network and it was clear that [UNSURE OF WORD] was going to attack banking systems and ATM.

Dave Bittner: [00:05:45:05] How does it work? How are they getting these ATMs to spit out their cash?

Dmitry Volkov: [00:05:49:00] Well, they have special [UNSURE OF WORD] malware tools. It's not malicious programs in the traditional understanding. So they do not infect the system with this malware, we do not use some persistent techniques to make this program last forever on the infected system. But this tool allows the use of traditional API functions to make calls to financial software to make the ATM spit out cash.

Dave Bittner: [00:06:19:18] Yeah, it struck me that it seems like if I were a manufacturer of an ATM, the one thing I would not want it to ever be able to do is spit out all of its cash, right?

Dmitry Volkov: [00:06:29:15] But you have to provide visibility to legitimate software because you need to operate the ATM machine, you need to separate.

Dave Bittner: [00:06:36:14] So basically, once they had access to the network that connected to these ATMs, they could use these standard tools to then manipulate them into doing what they wanted?

Dmitry Volkov: [00:06:49:01] Actually, the tools are not standard. So they develop their own tools for these purposes. But their interface communicates with the ATM, yes, it's standard.

Dave Bittner: [00:06:59:00] How are the banks preparing to protect themselves from this?

Dmitry Volkov: [00:07:02:09] Well, first of all we need to protect all the corporate infrastructure. These cyber criminals used a very simple technique to get inside the corporate network. They sent spearphishing emails.

Dave Bittner: [00:07:14:11] For banks who haven't been affected, can they do anything to preemptively protect themselves, now that we know that this attack is occurring? Are there any fingerprints that they can look for?

Dmitry Volkov: [00:07:26:16] Yes, of course, in our effort we have a pretty long list of indicators that could be used to detect any suspicious activity. But I mean, banks anyway should think of cybersecurity in a more complex way. So first of all, of course we need to protect against phishing attacks. It's almost impossible because banks have thousands of employees. But it's possible to detect it in the early stages. We need to segment and do proper segmentation of the network and restrict access between different segments, and detect anomalous connection attempts from a non-critical segment to a critical segment.

Dave Bittner: [00:08:09:02] That's Dmitry Volkov from Group-IB. Their full report on the Cobalt ATM hacks is available on their website.

Dave Bittner: [00:08:18:03] Palo Alto Networks' Unit 42 reports on a new Google Android Trojan, PluginPhantom, that abuses the DroidPlugin framework. PluginPhantom, which includes a keylogger, extracts a wide range of user and device information. It can take screenshots, intercept texts, reveal your location, and more.

Dave Bittner: [00:08:38:18] Facebook is calling hogwash on Check Point Software's report of Locky ransomware being spread by images in Facebook Messenger. The social media giant says there's no Locky in the images it delivers, and suggests Check Point is misinterpreting vulnerable Chrome extensions (which Facebook says it's blocked for some time) as betraying a vulnerability in Facebook Messenger.

Dave Bittner: [00:09:01:07] Firefox has patched a zero-day that could be exploited to de-anonymize Tor users.

Dave Bittner: [00:09:07:13] Germany's Interior Ministry has proposed legislation that would limit the transparency of online surveillance. Such surveillance has been instrumental in collaring ISIS terror suspects in particular. Interception of communications from jailed ISIS adherents implicated in a plot to bomb a Sikh temple in the Ruhr city of Essen suggests that they continued planning for unusually repellent attacks targeting children with, among other things, poison.

Dave Bittner: [00:09:34:21] Investigation into the alleged ISIS mole in the BfV continues, and eyebrows from RT to the Washington Post are being raised by revelations that the alleged mole had a pre-BfV career in producing adult material. The media outlet's surprisingly retro assumption seems to be that this fact ought to have led a security agency to think twice before hiring him. It's also seen as surprising that the gentleman in question converted to Islam and sought out ISIS on the strength of phone conversations with a religious guy in Austria whose last name escapes the gentleman in question.

Dave Bittner: [00:10:08:10] Inspiration works in funny ways. Or, to quote another famous (and late-blooming) German, "of the crooked timber of humanity, no straight thing may be made."

Dave Bittner: [00:10:23:14] Time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from RecordedFuture. It's timely, it's solid, it's on the money. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:22:07] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland, and head of the Maryland Cybersecurity Center. Jonathan, a fun article came by at InfoWorld recently, and the headline was "Stupid Encryption Mistakes Criminals Make". Sometimes these malware authors don't end up being the sharpest knives in the drawer when it comes to choosing how to implement their cryptography.

Jonathan Katz: [00:11:47:09] Well, that's true but I wouldn't blame them too much actually. I think what this demonstrates is that cryptography is hard. And just to set the context here, right, this was in the context of ransomware, where criminals are writing a malware that will go into your machine and then encrypt the files on your machine, and then you'll have to pay the criminal some ransom in order to get access to your files back. So what you can see here is that, number one, that crypto is actually not that easy, and so even the criminals are making mistakes. But it's interesting still to see what kind of mistakes they're making in their code.

Dave Bittner: [00:12:18:18] And what kind of mistakes do we see them making?

Jonathan Katz: [00:12:20:24] Well, a lot of them are mistakes that we see also honest people making when they implement crypto. For example, one of the problems that the researchers found was being made very often was that criminals were using bad sources of randomness to generate keys for encryption, and if you don't generate your keys uniformly at random, then it can become easier to guess the key being used. So they just mention one example where the ransomware authors were using essentially something based on the current time in order to generate an encryption key. But of course, the current time is not all that difficult to guess. There's only a limited number of possibilities, only a limited number of seconds in a day, as it were. And so it wasn't that hard, actually, for the engineers to figure out the key and then decrypt the file on their own without paying the ransom.

Dave Bittner: [00:13:04:04] So we do see from time to time after these ransomware schemes have been out for a while that some research group will come up with a crack for the ransomware. So this is a matter of being able to reverse engineer it and find out where the weaknesses are?

Jonathan Katz: [00:13:19:01] Yeah, exactly. So I guess it's spy versus spy. You have the ransomware people who are writing this code and trying to encrypt files and get people to pay a ransom. And then on the other end you have people trying to attack the encryption scheme being written by the ransomware writers. I think the other comment I wanted to make actually, it's not only demonstrating that encryption is hard but you have to keep in mind the incentives of the ransomware writers. They don't care whether the encryption is secure or not. What they care about is that it's secure enough to convince the person at the other end to pay the ransom. And so if it's any significant amount of effort to reverse engineer it and undo the encryption or if they have to pay a consultant a large fee in order to do it, then they may just as well end up paying the ransom in the first place, and from that point of view, the ransomware writers have already won.

Dave Bittner: [00:14:04:16] Good point. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:09:17] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. And if you consider the CyberWire podcast a valuable part of your day, we hope you'll take the time to write a review on iTunes; it really does help people find the show.

Dave Bittner: [00:14:27:20] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.