The CyberWire Daily Podcast 1.24.17
Ep 271 | 1.24.17

Shamoon and Greenbug. HummingWhale purged from Play Store. Apple patches across its product line. Leadership changes at CIA, GCHQ. Lloyds Bank incident update. Honor among thieves? Nope.

Transcript

Dave Bittner: [00:00:03:14] Shamoon may be connected to Greenbug. Google's purging HummingWhale malware from the Play Store. Apple issues a major set of patches; the CIA has a new director; GCHQ's still looking for one. Yahoo's deal with Verizon is delayed until April at least. Other industry M&A and venture funding notes. Lloyds Bank targeted with cyber extortion, and there's no honor among thieves; if you don't believe us, just ask the thieves.

Dave Bittner: [00:00:35:22] It's time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check out cybersecjobs.com and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. To learn more, visit cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:31:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday January 25th 2017.

Dave Bittner: [00:01:41:10] Researchers who've been tracking the re-emergence of Shamoon believe they may have discerned a connection between the group behind it and the threat actors known as "Greenbug." Greenbug's modus operandi has been to phish victims with the goal of installing a data-stealing remote access Trojan, or RAT. The one favored by Greenbug is Trojan.lsmdoor. It comes packaged, according to Symantec security researchers, with a set of ordinary credential-stealing tools.

Dave Bittner: [00:02:09:02] Greenbug's target set bears some similarities to Shamoon's: Middle Eastern aerospace, investment, government, and education organizations. We'll continue to follow developments as research proceeds and is reported.

Dave Bittner: [00:02:22:19] Security firm Check Point's disclosure to Google that a new HummingBad variant was infesting the Google Play Store has prompted a purge of compromised apps from that store. It's called HummingWhale because that's a bigger deal, the way a whale is a bigger deal compared to a hummingbird, and probably to a HummingBad, so. Get it?

Dave Bittner: [00:02:42:19] At any rate, HummingWhale essentially serves a fake referral scam. It represents an advance in stealth over its predecessors; it also relies on bogus reviews and testimonials to goose its acceptance, and its controllers' ill-gotten revenue.

Dave Bittner: [00:02:57:19] Late yesterday afternoon Apple released new versions of iOS and macOS Sierra that close significant code execution vulnerabilities the operating systems share. In addition to these major releases, Cupertino also released a set of significant patches for Safari, iCloud for Windows and watchOS. Users are being encouraged to update quickly.

Dave Bittner: [00:03:20:15] The new US Director of Central Intelligence, former member of Congress Mike Pompeo, has, as expected, received Senate confirmation. There's still a high-level vacancy at British signal intelligence service GCHQ, which is looking for a new director in the wake of Robert Hannigan's resignation late last week.

Dave Bittner: [00:03:39:03] In industry news, Yahoo! says that it will delay Verizon's planned acquisition of Yahoo!'s core assets until the second quarter of 2017. The future of the deal, says Yahoo!, still "looks bright," but bright or not it won't happen before April of this year. The SEC has undertaken fresh investigations of Yahoo!'s two major breaches.

Dave Bittner: [00:04:00:10] Elsewhere, IBM is buying the cyber security start-up, Agile 3 Solutions, for an undisclosed sum. Landesk and Heat Software, having merged, will henceforth do business under their new name of "Ivanti". Microsoft Ventures backs Illusive Networks with a funding round that brings the total the company's raised to somewhere north of $30m. Illusive, based in Israel, specializes in security through deception. And the quantum cybersecurity experts at Quintessence Labs also get an infusion of cash, this from Westpac Group. Westpac's investment raises its stake in Quintessence from, roughly, 11 to 16%.

Dave Bittner: [00:04:39:16] The Lloyds Bank DDoS attack disclosed this week was accompanied by extortion attempts. Bleeping Computer has been on the story, and they identify the attackers as, simply, Hacker 1 and Hacker 2. The hackers frame their demand for ransom as a "consultancy fee," and state their willingness, in somewhat hesitant but threatening English, to reveal the vulnerabilities they discovered and restore service in exchange for £75,000 Sterling, payable in Bitcoin.

Dave Bittner: [00:05:07:04] "We have identified severe security issues related to onlinebusiness.lloydsbank.co.uk and onlines.lloydsbank.co.uk. As an effect, both these services will be put offline starting from the 11th January 2017 at .01 GMT until they are fixed". And they close with a promise and a threat: "Once paid, the services will be back online, you will get a list of flaws related to both services, along with our disappearance. Feel free to test our capabilities and patience. Good luck." Lloyds says it's restored service; there's no suggestion they did so by paying the consulting extortion.

Dave Bittner: [00:05:50:14] There are some good reasons to resist paying extortion that have little to do with the many other good reasons we're familiar with: the direct financial loss, the unreliability of criminals, the possibility of escalating demands and the folly of contributing to the growth of a criminal market. This new reason is that the ransomware may itself be bogus, a bluff, a pure scam. Citrix surveyed UK ransomware victims and concluded that nearly 40% of them had sustained a ransomware attack that was pure social engineering, with no data encrypted or otherwise held at risk. So, again, back up your files and hang tough.

Interviewer: [00:06:27:22] And, finally, since there's proverbially no honor among thieves, thieves are themselves on guard against their own kind. A new service has appeared in the hacker market that claims to enable criminals to gauge the reliability of their co-conspirators: Ripper.cc, which Motherboard characterizes as "the Yelp for cybercrime". Hoods are invited to share information on rippers, that is, criminals who fail to deliver the goods they promise. Motherboard has a sample review. We won't quote the review verbatim, because we're a family show and the language is more appropriate to an Army barracks or a Quentin Tarantino movie, but the reviewer begins as follows: "This Lier" - we're pretty sure the reviewer means Liar - "is a shame for our community". Community spirit aside, what bothers this particular reviewer is that the person he did business with bilked him of $250 and wouldn't return emails. So there's no justice, darn it. But we're surprised that contributors to Ripper.cc would think that a bad thing.

Dave Bittner: [00:07:34:23] Time for a message from our sponsor, E8 Security. Let me ask you that question. Do you fear the unknown? Lots of people do, of course: the Wax Phantom, the Spooky Space Kook, stuff like that. But we're not talking about those, we're talking about real threats, unknown unknowns lurking in your networks. The good people at E8 have a White Paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to e8security.com/dhr and download their free White Paper, Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no-one's ever seen before. The unknown unknowns, like phantom shadows or the headless specter, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Go to e8security.com/dhr and check out that White Paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:08:38:09] Joining me once again is Yisroel Mirsky. He's a researcher and project manager at the Cyber Security Research Center at Ben-Gurion University. Yisroel, I know you want to share with us today some of the work you've all been doing with 3D printers.

Yisroel Mirsky: [00:08:52:00] Yes. As you know, 3D printing, also known as Additive Manufacturing, is a process where layer on top of layered material is placed to make some sort of object or tool. Recently we've seen many companies use this technology for prototyping to try and come up with a future product. The research firm, Gartner, predicts that soon 3D printers will be used to make actual products, not just prototypes. Like any computerized device, it can be hacked, and hacking it can cause certain damages.

Yisroel Mirsky: [00:09:23:18] A team in our labs actually, in cooperation with the University of South Alabama and Singapore University of Technology and Design, thought it would be less likely that an attacker would go and try and infect the printer itself, but rather try and infect the 3D models. I'll give you an example of what I mean. Instead of an attacker trying to infect Adobe Reader and have it be distributed to all the different clients, they would rather infect the PDF itself and have that perform malicious activity as it's read by Adobe Reader.

Yisroel Mirsky: [00:09:59:05] To demonstrate this kind of feasibility and the potential damage of the attack, what they did is they modified a 3D model file of a drone, specifically for the propeller of the drone. What they did is, they hid inside the propeller kind of a gap of air, and they did it in a way so that, when you visually inspect it in the AutoCAD program and once it's printed, you don't see anything wrong with the propeller.

Yisroel Mirsky: [00:10:26:05] The scenario looks something like this. Somebody at home or a company prints out a propeller for their DJI drone, and they replace the propeller. After a visual inspection they see nothing's wrong with it, they send their drone up in the air, and about two minutes later the propeller snaps off and the drone comes tumbling down; $1,000 worth of equipment hits the ground.

Yisroel Mirsky: [00:10:48:12] We've done a demo of this attack as well, we've printed out the propeller with the cavity and we showed that after two minutes of flying, which you can assume the drone's going to be way up high in the sky, it just snaps right off and falls to the ground.

Yisroel Mirsky: [00:11:02:07] Like any new technology, security needs to be considered from every kind of angle, and perhaps some sort of trusted method of sharing 3D model files should be proposed or considered.

Dave Bittner: [00:11:13:01] Interesting stuff. Yisroel Mirsky, thanks for joining us.

Dave Bittner: [00:11:18:05] And that's The CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make The CyberWire possible and special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyber attacks at cylance.com.

Dave Bittner: [00:11:35:11] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.