The CyberWire Daily Podcast 12.12.16
Ep 243 | 12.12.16

Stressor, booter shoppers arrested. Small DDoS against Russian banks. Botnets and home routers. Popcorn Time ransomware. US investigates Russian influence operations.

Transcript

Dave Bittner: [00:00:03:17] Shopping for DDoS tools, kids? The cops have got their eye on you. Russian banks sustain a mild, easily parried DDoS attack. Mirai gets trickier. US-CERT warns against vulnerabilities in home routers. Popcorn Time ransomware says it's doing good by doing bad, but few will be deceived. The US opens an investigation after the intelligence community concludes that Russian services tried to throw the US election away from Clinton and toward Trump. And North Korea says they didn't do it, you tantrum-throwing conservative puppet regime, you.

Dave Bittner: [00:00:39:24] Time for a message from our sponsor Netsparker. You know, web applications can have a lot of vulnerabilities, I'm sure you know that - you're listening to this podcast. And of course, every enterprise wants to protect its websites. But if you have a security team, you know how easy it is for them to waste time calling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker cloud scales easily, you can use it to automatically scan thousands of websites in just a few hours. Learn more at Netsparker.com. But don't take their word for it. Go to Netsparker.com/Cyberwire for a free 30 day fully functional trial of Netsparker desktop or cloud. Scan your websites with Netsparker for a month, no strings attached. That's Netsparker.com/CyberWire and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:44:06] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, December 12th, 2016.

Dave Bittner: [00:01:49:19] We begin the week with a quick round-up of news and notes on cybercrime.

Dave Bittner: [00:01:53:12] Last week an international police sweep rounded up people suspected of using distributed denial-of-service tools. Authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States, cooperating with Europol, collared 34 and cautioned another 101 users of hacking tools. Most of the suspects were young adults. In fact, a lot of them hadn't yet turned 20. The persons of interest were flagged by their purchases of stressor and booter services in various black and gray markets. The purveyors of such DDoS tools had attempted to position them as legitimate items, or at least legitimate enough to avoid the attention of law enforcement. That marketing placement would appear to have decisively failed with last week's arrests.

Dave Bittner: [00:02:43:15] Russian banks did after all sustain the DDoS Russian authorities pointed to with foreboding a week ago. It hit last Monday, but any of you who were looking for it may be forgiven for having missed it, because the campaign wasn't very large. Rostelecom, the state-owned telecommunications service, reported Friday on how it parried the campaign. The attacks peaked at only 3.2 million packets per second, with the longest attack lasting a bit more than two hours. 3.2 million packets per second is well within the range of what DDoS mitigation services handle easily. By way of comparison, back in September KrebsOnSecurity sustained an attack that peaked at 143 million packets per second, two orders of magnitude larger than the poke at the Russian banks.

Dave Bittner: [00:03:28:00] The attacks were mounted by botnets herded from among home routers that used a vulnerable implementation of the TR-069 protocol. This is the same exploit implicated in DDoS attacks last month against Eircom, TalkTalk, and Deutsche Telekom.

Dave Bittner: [00:03:43:17] US-CERT warned against using the Nighthawk line of Netgear home routers. The flaw could be exploited to bring routers into a botnet that could serve as a DDoS attack tool. Netgear has acknowledged the problem and says it's working hard to come up with a fix.

Dave Bittner: [00:03:58:11] The Mirai IoT botnet malware has been upgraded. It now sports a domain-generation algorithm. As SANS recommends, alert your intrusion detection and DNS sensors.

Dave Bittner: [00:04:10:06] Turning to ransomware, there's an unusually repellent campaign in progress that offers free decryption in exchange for your willingness to infect your neighbors. "Popcorn Time" (not to be confused with the video content app that uses the name) displays the following warning upon infection: “We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way you can restore your computer and all of your files. Send the link below to other people. If two or more people will install the file and pay, we will decrypt your files for free.” So it's like a chain letter with a payload. This is repellent enough, but the criminals (who ask for 1 Bitcoin—roughly $800) claim to be "Syrian computer students" engaged in collecting money on behalf of impoverished Syrians victimized by the ongoing multi-party fighting among the Assad regime, rebels of various stripes, and, of course, ISIS.

Dave Bittner: [00:05:03:24] The Assad regime has long been in the market for lawful intercept tools, which too many have been willing to sell it. ISIS, of course, concentrates on its online brand in what continues to be an effective branding campaign.

Dave Bittner: [00:05:16:23] In other news of international cyber conflict, the US Intelligence Community reported "with high confidence" late Friday that Russian intelligence services had been acting against the candidacy of Democratic nominee Clinton during the US Presidential election. The evidence of intent to influence the election in favor of the Republican nominee consists largely of the dog that didn't bark; no Republican National Committee documents were leaked, even as WikiLeaks, Guccifer 2.0, and DCLeaks vigorously doxed the Democratic National Committee.

Dave Bittner: [00:05:47:18] While some insiders say the Republican National Committee wasn't hacked – only routine communications among individual Republicans were exposed during the run-up to voting – the general opinion is that they probably were, and that the take was withheld to influence the election. President Obama has directed an investigation, but doesn't believe the election results were called into question. President-elect Trump dismissed claims that he benefited from Russian support. One interesting sidelight: the Russians appear to have been as surprised as anyone by President-elect Trump's success.

Dave Bittner: [00:06:21:04] The State of Georgia's request that the Department of Homeland Security explain apparent attempts to penetrate the firewall around the state's election systems spawns an investigation. There are several possibilities: nefarious DHS attempts on the system; benign vulnerability scans; attack by a rogue employee; or nothing at all. Benign vulnerability scans seems likeliest, although there were some reports of a rogue employee. But investigation remains in its earliest stages.

Dave Bittner: [00:06:51:11] And, finally, North Korea has issued its customary denial of responsibility for malware found in South Korean military networks. The charges, Pyongyang says, are "beyond the realm of common sense," and represent the kind of "tantrum" the "puppet conservative party" in South Korea throws during times of stress. Pyongyang's denial shows a new reach for hipster freshness, however; the headline was "North Korea hacking?! Even a stone image of the Buddha would laugh." Well, okay, maybe not enough for open mic night at the Chuckle Hut, but north of the 38th Parallel that's socko stuff.

Dave Bittner: [00:07:32:01] Time for a message from our sponsor, RecordedFuture. If you haven't already done so, take a look at RecordedFuture's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. RecordedFuture does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators.

Dave Bittner: [00:08:03:19] Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to RecordedFuture.com/Intel to subscribe for free threat intelligence updates from RecordedFuture. That's RecordedFuture.com/Intel and we thank RecordedFuture for sponsoring our show.

Dave Bittner: [00:08:36:15] And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, we've been sort of making our way through your recent report, which was called Separating Fact from Fiction: The Truth About The Dark Web, and one of the things you dug into here was drugs versus pharmaceuticals. Tell us, what did you find when it comes to that?

Emily Wilson: [00:08:56:13] We took a look at legal versus illegal content on the Dark Web and we thought those proportions were interesting, but then we wanted to dig into just the illicit content, the things people tend to talk about. And of that we found that drugs make up about 45 percent. Which is a fair amount of that, right?

Dave Bittner: [00:09:14:05] And when we're talking about drugs, what are we talking about?

Emily Wilson: [00:09:16:04] We're talking about things that are primarily going to be used recreationally. So for our purposes, you know, definitions matter, we separated pharma out as kind of anything you would typically go to a physician to get a prescription for. And so in that case we included anti-anxiety medications or ADHD treatments or kind of other medications you would think of.

Dave Bittner: [00:09:38:08] So in this case, pharma is a subset of drugs, yes?

Emily Wilson: [00:09:42:06] We broke them out differently in this case because one of the things that we see, and it's difficult to measure intent here when people are buying things that look like pharmaceuticals. But one of the things that we see for pharmaceuticals is that they're branded and sold very differently than drugs. So when you have drugs – and here I'm thinking recreationally – you don't particularly care where your LSD is coming from, you care about the reputation of a vendor. You maybe don't care too much about your cocaine, you trust the reputation of the vendor. But when you're dealing with pharmaceuticals, brand matters and big pharma brands matter. You want to trust the reputation of the manufacturer and less so of the vendor. So when you're dealing with pharmaceuticals, especially for things like steroids or human growth hormones, you are seeing kind of very clinical packaging. And people are invoking brand names and dosing information. And you don't so much see that with recreational drugs.

Emily Wilson: [00:10:37:09] We thought pharma was a really interesting use case to break out because it's the kind of thing that really makes for interesting discussion when you're thinking about privacy or anonymity on the Dark Web. These are things that you may want to buy privately because you have a sense of embarrassment or a stigma about it, whether that's medication for dealing with erectile dysfunction or some anti-anxiety medications, or other drugs that can be used to treat mental health issues. And then you have other things where it may be an access issue. Someone will show up looking for a medication to induce abortions. Something that, it may be because of the state you live in, it may be because of the stigma in your home life, or it may be a cost issue.

Dave Bittner: [00:11:26:04] A drug that's expensive here in the United States may be available from another country, and I could access that on the Dark Web?

Emily Wilson: [00:11:33:10] Absolutely. And that's something where if you are willing to take that risk into your own hands, something that may not be FDA approved or you're trusting the vendor has what they claim to have. You know, that is adventurous to some people.

Dave Bittner: [00:11:46:23] And what about reputations? Are there vendors who become known for actually providing the real goods?

Emily Wilson: [00:11:53:06] Absolutely. Reputation building is everything on the Dark Web. You have a market that exists entirely based on reputation because it has to be anonymous by nature. And so you have nothing if you don't have your reputation. And I think the Dark Web community does a really good job in building up that institutional knowledge. And it's really almost a self-policing community. If someone is providing something that isn't pure or isn't safe, people are quick to comment on that and they're quick to jump on it and warn other people off.

Dave Bittner: [00:12:29:18] Alright, interesting stuff. Emily Wilson, thanks for joining us.

Dave Bittner: [00:12:34:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. While you're there, be sure to subscribe to our CyberWire Daily News Brief, delivered daily to your email. Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:12:49:13] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.