The CyberWire Daily Podcast 12.8.16
Ep 241 | 12.8.16

IP theft in Germany. "Sledgehammer" looks like DDoS by Turkish patriotic hacktivists. Floki Bot and Dridex in the wild. Competition for cyber talent in a tight labor market.


Dave Bittner: [00:00:03:13] Industrial espionage is back and it's poking into the Ruhr. Turkish hacktivists use a sledgehammer to install back doors. The Floki Bot Trojan is a cheap and evasive addition to the Zeus family. Dridex is back. GPS gets a cybersecurity upgrade. Too many people are still using Windows XP and NSA is said to be struggling to compete with the private sector for cyber talent.

Dave Bittner: [00:00:31:07] Time for a message from our sponsor Netsparker. Are you still scanning with labor intensive tools that generate more false positives that real alerts? Let Netsparker show you how you can save time and money and improve security with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products you've got to record a log in macro, but not with Netsparker. Just specify the user name, the password and the URL of the log in page and the scanner will figure out everything else. Visit to learn more. And if you want to try it for yourself, you can do that too. Go to for a free 30 day fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it., and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:30:10] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, December 8th, 2016.

Dave Bittner: [00:01:36:19] ThyssenKrupp discloses that it lost steel production intellectual property to a cyberattack early this year. The IP theft is said to have been discovered in April. The culprits are unknown, but some reports suggest that they were based in Southeast Asia. ThyssenKrupp has filed a criminal complaint and an investigation is well underway.

Dave Bittner: [00:01:56:16] According to security company Forcepoint, a distributed denial-of-service attack, "Sledgehammer," originated in Turkey and is affecting organizations the attackers evidently regard as unsympathetic to Turkish government policy. This appears to be a patriotic hacktivist operation, but one never really knows what degree of organized criminality or state-directed is at work in cases like this. The victims include political parties, like the ruling center-right German Christian Democratic Party, the CDU, opposition and dissident parties in Turkey such as the People’s Democratic Party of Turkey and the Kurdistan Workers Party, the PKK, and that perennial burr under the Turkish government's saddle of amour propre, anything devoted to memorializing the World War One era massacres in Armenia, like the Armenian Genocide Archive.

Dave Bittner: [00:02:45:18] The "Sledgehammer" campaign is unusual, Forcepoint says, in the way it's gamified DDoS. The hackers run a DDoS collaboration platform called "Surface Defense." Our linguistic staff warns us against attempting to pronounce the original Turkish, so we won't. Anyone who signs up for the platform is asked to attack a specified set of political targets and, in return, they earn points they can trade in for rewards, like their own copy of the DDoS tool or a swell click-fraud bot. It's as if the cyber underground has discovered the marketing value of giving away Green Stamps, or a set of steak knives, or some other promotional goodies. Play with caution if play you must. Of course, we say, don't play. Not only would it be wrong, and you'd be a bad person, but Surface Defense will also surreptitiously back door your own system to turn it to Sledgehammer's own ends. There's no more a free lunch than there is honor among botmasters.

Dave Bittner: [00:03:40:12] Cisco's Talos Group and Flashpoint together report on Floki Bot, essentially an evolved Zeus Trojan. It's for sale in dark web markets and poses a threat to point-of-sale systems as well as banks and insurance companies. It's more evasive than its Zeus ancestors and it's also active across three language communities: Portuguese, in Brazil, English and Russian. Floki Bot is widely available on the black market, where it sells for just $1000. This is discount attack code. Its famous GameOver Zeus predecessor was sold only inside restricted groups and in its prime fetched $15,000.

Dave Bittner: [00:04:18:23] The banking Trojan Dridex is back, and circulating among Scottish systems. The most recent come-on, Fujitsu-CTI reports, is an email purporting to be from and for Scottish football supporters. That's soccer fans, for our American listeners. The email of course carries a malicious payload.

Dave Bittner: [00:04:37:22] Ransomware continues to be a threat and one strain widely available is known as Stampado. Deepen Desai is Director of Security Research at Zscaler and he brings us up to date on Stampado.

Deepen Desai: [00:04:50:19] Well, "Stampado" is yet another ransomware stream. There have been more than a dozen ransomware streams in 2016. The strain has been around since July of 2016, that's when we first saw it being advertised on the underground forum by the author. The author goes by the moniker "The Rainmaker" and he was offering a lifetime, full lifetime support for just $39. Some of the unique things about their payload, it's written in AutoIt, which is a scripting language. So it was pretty easy for us to reverse engineer. The second thing, it had capabilities to encrypt more than 1,200 different file types. This was pretty unique, because they were also targeting files that were already encrypted by other popular ransomwares like Cerber, Locky, [INAUDIBLE], other prevalent ransomware variants out there right now. So what essentially they are doing is they are double dipping on systems with weak security posture and the end user will end up paying a double ransom, right, for each of those infections, in order to retrieve their file.

Deepen Desai: [00:06:06:16] The other interesting feature we found this variant was, it had features to spread. So from the infected system, if there are shared network drives or there are connected removable drives, that's where it will make a copy of itself and the way it copies itself is it will look for existing files and hide those existing files rename all the existing files and then it will make a copy of itself using the same icons as the original file, and those are essentially shortcut files which point to the Stampado binary, which is also copied on the removable drive. So, it had the ability to spread over the network, as well as through the removable drives to different users.

Dave Bittner: [00:06:56:12] And if the user pays the ransom, will they get their files back?

Dave Bittner: [00:07:00:15] If the pays the ransom, yes they will get a decrypter from the author. But in this case, it is very easy for the user to retrieve the file through one of the publicly available tools as well. Emsisoft has published a tool. Also, we are planning to push out a tool as well, which will be able to generate the decryptor using the binary itself. Because it's not a public private keyboard encryption, asymmetric encryption, in other words, it is possible to retrieve your file, so we would recommend not paying any kind of ransom.

Dave Bittner: [00:07:36:10] That's Deepen Desai from Zscaler. They have more information about the Stampado ransomware on their website.

Dave Bittner: [00:07:43:19] An upgrade to the Global Positioning System, GPS, provides a timely reminder of the way in which cyberspace is important to operating in outer space. Lockheed Martin has completed what it describes as a "major upgrade" to the ground stations that control the orbiting constellation of GPS satellites. Prominent in that upgrade is a set of measures put in place to improve the cybersecurity of GPS.

Dave Bittner: [00:08:06:20] Other upgrades include a beta release of AirDroid that addresses vulnerabilities discovered by Zimperium and Locus Energy's patch of issues in its solar power home electrical meters.

Dave Bittner: [00:08:18:16] Here's something that won't be patched. Windows XP, which reached the end of its support life back in April of 2014. Yet a study just released shows that nine out of ten National Health Service Trusts in the UK are still using Windows XP.

Dave Bittner: [00:08:34:17] US Congressional Democrats and others continue to advocate bipartisan investigation of Russian attempts to interfere with recent US elections.

Dave Bittner: [00:08:43:21] And finally, competition for cyber labor remains intense. The Daily Caller rather breathlessly says that, "The private market is demolishing America's premiere spying agency," by which they mean NSA. Sorry, CIA and DIA, NRO, NGA, for that matter. Former Director at NSA Keith Alexander told a conference at the University of Maryland that the problem was the Government's inability to compete with private industry on pay and low morale brought on by what he characterized as negative and unfair media coverage of the agency. Some signs of that competition may be seen in a job opening at Facebook, which is looking for an "Offensive security engineer." We read that as a honcho-kind-of call for a vulnerability researcher or penetration tester. But the Register has a different take on it. Their headline and deck suggest that Facebook's looking for a sysadmin who'll tell help desk callers, "Here's your new password, champ. Now go **** yourself." Well, we're a family show. But we really don't think the House of Zuckerberg is looking for someone who would recommend monogenesis. On the other hand, if they are, we hear Tay might be available.

Dave Bittner: [00:09:57:19] Time to take a moment to tell you about our sponsor Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cybersecurity analysts unmatched insights into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. They watch the web, so you have time to think and make the best decisions possible for your enterprise's security. Go to Recorded Future dot com slash intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, it's on the money. That's Recorded Future dot com slash intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:56:11] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you recently attended the Grace Hopper Conference, so give us some background here. What is the Grace Hopper Conference and what were you doing there?

Joe Carrigan: [00:11:09:12] Grace Hopper is the celebration of women in computing. It's a gathering of about 12,000 women from all over the world, who come to, this time, Houston, Texas and I was there primarily representing the Johns Hopkins University Information Security Institute, trying to recruit women into our program, our cybersecurity program. There are a lot of undergraduate women at this conference. In fact, next year I'd like to have my daughter go. She's a computer engineering major right now.

Dave Bittner: [00:11:37:08] Oh, nice.

Joe Carrigan: [00:11:38:23] It would be great to have her go there to network and to meet other women in computing.

Dave Bittner: [00:11:43:07] You know, we have conferences like this. We have the Grace Hopper Celebration. I'm familiar with the Women In Cybersecurity.

Joe Carrigan: [00:11:49:07] Women in Cybersecurity is coming up in April, right?

Dave Bittner: [00:11:51:04] Yes. The last day of March, first day of April.

Joe Carrigan: [00:11:54:15] Last day of March, first day of April.

Dave Bittner: [00:11:55:09] You and I were both there last year.

Joe Carrigan: [00:11:57:23] Last year.

Dave Bittner: [00:11:58:02] That conference is another one that's good.

Joe Carrigan: [00:11:59:03] And that's also a great conference for women to meet and network.

Dave Bittner: [00:12:02:24] I think we have this issue in the field, certainly within cybersecurity, but I think in tech in general, of women being underrepresented. We're not getting enough women into the field and when we get them in, they're not staying.

Joe Carrigan: [00:12:15:00] Right. Back in the '80s, before the dawn of the personal computer-- you and I were discussing this earlier-- that women represented a much higher share of computer science graduates. The statistics I've heard are around 30 percent and now it's down around 12 percent, so it's moved in the wrong direction actually.

Dave Bittner: [00:12:34:03] So, I think, you know, the bottom line is, I think those of us who think this is important, the diversity both with women and minorities, I think there's a real truth here that when you have a diversity of thought, that leads to better solutions and better answers...

Joe Carrigan: [00:12:50:18] It does.

Dave Bittner: [00:12:51:09] ...and I think those of us who believe that, who are behind that notion, we have a role to play of supporting these types of conferences, these types of efforts.

Joe Carrigan: [00:13:00:08] We do, absolutely. My opinion and my observations are that the steering of people towards these fields, it happens very early in life. It happens very early where these people start having the inclination towards engineering.

Dave Bittner: [00:13:16:04] So, having those opportunities even as a child?

Joe Carrigan: [00:13:18:20] Even as a child, getting the right toys. Making sure that your kid, whether they're a boy or a girl, has Lego to play with. Just things they can get the spatial relationships up. Give them toys that teach programming, if you will. Yes, we got our kids Mindstorms. Now, that being said, I pushed both my kids towards the engineering field and my son just has no desire to pursue it. He is completely uninterested, but he is very much interested in the field of business and accounting and that's where he's decided he's going to go. But, my daughter has taken to it and taken to it very well.

Dave Bittner: [00:13:57:01] Right. Alright, Joe Carrigan, good talking to you.

Joe Carrigan: [00:13:59:05] My pleasure.

Dave Bittner: [00:14:02:11] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. And if you consider the CyberWire podcast a valuable part of your day, we hope you'll take the time to write a review on iTunes. It really does help people find the show. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.