The CyberWire Daily Podcast 1.25.17
Ep 272 | 1.25.17

Cleaning ransomware out of the Play Store (but snakes still get into the walled garden, so watch your apps). Vigilantes, vulnerabilities, and industry news.


Dave Bittner: [00:00:03:17] Russia charges a cyber threat researcher with treason. Charger ransomware detected and ejected from the Play Store. Watch your apps - too many snakes are still getting into the walled gardens. RATs evolve and return to the wild. Shamoon 2 expands its target set. A database vigilante may be out there. Cyber fraud rises in the United Kingdom - it's safer for the crooks than stickups. We've got some M&A and venture funding news, and that Verizon-Yahoo! deal remains up in the air.

Dave Bittner: [00:00:38:06] It's time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check out and find your future. CyberSecJobs is a veteran-owned, career site and job fair company for information security professionals and students.

Dave Bittner: [00:00:57:16] Jobseekers can create a profile, upload their resume, and search and apply for 1000s of jobs, and it's great for recruiters, too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. To learn more, visit We thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:33:08] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore, with your CyberWire summary for Wednesday, January 25th, 2017.

Dave Bittner: [00:01:43:07] In news that broke early this morning, we hear that Russian authorities have arrested a senior threat researcher with Kaspersky Lab. Ruslan Stoyanov has been arrested on charges of treason. Kaspersky Lab told CNBC that the investigation and arrest are unrelated to the company, that Stoyanov is under investigation for the period when he worked for the FSB prior to joining Kaspersky. Details are sketchy and may not be forthcoming. Stoyanov was charged under a statute that permits secret trials. We'll be following the story as it develops.

Dave Bittner: [00:02:16:17] Check Point warns of "Charger," a newly discovered ransomware strain found in the EnergyRescue app in the Google Play Store. Google's Android security team has managed to interdict the malware before it reached the point of mass infection. In the case of Charger, the extortionists' threat is release, sale, or other abuse of stolen data, mostly contacts and SMS messages. "All your data is already stored on our servers!" crow the hoods, who demand $180 in protection money.

Dave Bittner: [00:02:45:19] If you've been missing the implausibly fractured English of Guccifer 2.0 and the Shadow Brokers - and who among us hasn't been missing those boys and girls? - the lingo behind Charger will make you nostalgic for the old days: "You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. We give 100% guarantee that all files will restore after we receive payment. We will unlock the mobile device and delete all your data from our server! Turning off your phone is meaningless, all your data is already stored on our servers! We still can selling it form spam, fake, bank crime, et cetera."

Dave Bittner: [00:03:22:02] So there you go. And no friends and family discount mentioned. Charger also asked for admin permissions, and of course, were those granted, would lock the infected phone. The malware was available for about four days before being taken down, and Checkpoint thinks relatively few devices were affected, perhaps because the criminals were engaged in a test run.

Dave Bittner: [00:03:43:18] Zscaler and Malwarebytes are warning that two newly evolved remote access Trojans, or RATs, are circulating in the wild. Zscaler reports that SpyNote is flying the false flag of a Netflix app. Malwarebytes says that the well-known AndroRAT has become more stable, added new functionality, and increased its obfuscation.

Dave Bittner: [00:04:05:00] Saudi Arabia's government is concerned about the latest rounds of Shamoon 2 attacks, which this week were disclosed to have hit chemical industry targets, as well as the Labor Ministry. The incidents may indicate a shift in Shamoon 2's target set: November's attacks involving the malware most prominently focused on aviation operations. The original Shamoon attacks of 2012 hit Saudi Aramco.

Dave Bittner: [00:04:29:00] In the wake of widely reported attacks on Hadoop and MongoDB instances, it appears that a database "vigilante" (that's what Motherboard is calling him, or her, or them, anyway) is on the mean streets of cyberspace, finding poorly secured databases warning their admins. The warning may be too subtle for most admins to pick up on: the vigilante is inserting an empty folder into the vulnerable database and naming it "your-db-is-not-secure." We're ambivalent about vigilantes and other gray hats, but the chairman of the not-for-profit GDI Foundation tells Motherboard that, quote, “It looks like a friendly warning.” Which is one way of looking at it. Database admins, look to your defenses.

Dave Bittner: [00:05:13:03] The Anthem data breach remains one of the most significant we've seen, with over 80 million customer records stolen from the healthcare company back in February 2015. The story was back on the news recently when California's attorney general announced that state actors, most likely China, were responsible for the breach. Not everyone is comfortable with that attribution - Mike Lipinski is CISO at Securonix.

Mike Lipinski: [00:05:36:19] I think we're starting as an industry to start using the state actor concept - it happened with Yahoo!; it's happening now with Anthem. It's happened with OPM. A lot of them are blaming the state actor concept, and I just think that we're getting a little too careless with using that as a get out of jail free card. Regardless of whether it's me attacking your system or a state actor attacking your system, I think we have to make sure that we're providing the same protections to eliminate that from happening.

Mike Lipinski: [00:06:05:01] I understand that the logic behind using the state actor excuse is that they're well-funded, they have a lot of tools, they have a lot of money, we can't possibly stop them from getting in if they want to. I guess my argument to that is, if you look at all the current reports that are out after the fact, just like this Anthem one, or if you even look at the reports that the NSA released, and their review of all of the breaches over the last three years, these companies aren't exploiting any new vulnerabilities in these attacks - they're attacking things that we've known about for many, many years. So there's really not an excuse, if we're doing our jobs well, to allow these breaches to keep happening if we get a little bit more diligent about taking care of our environments.

Dave Bittner: [00:06:49:09] What's the takeaway here? What's a better way for Anthem to have handled the situation?

Mike Lipinski: [00:06:55:07] From a breach standpoint, I think all organizations, and I won't just pick on Anthem, because it's really every organization you've read about, or heard reported on in the last couple of years. The data that they needed to identify the attack quickly has been in their environment. We've always been able to go in after the fact, from a forensic standpoint, and determine who did what when, and how. We're just not using that data well, in a proactive fashion, on the whole.

Mike Lipinski: [00:07:24:18] You've got your prevent, detect, respond components of security. Prevent, you have to agree, is going to fail. I think that's what we're saying with the whole state actor breach. If people want to get in bad enough they can. So, okay, if we're going to subscribe to that concept then that brings us to our detect and respond component of our security infrastructures. I think that's where we need to get better. I think we need to get better at finding that breach when it happens, so we don't allow people to stay in our networks 200 or 300 days and exfiltrate data, and leave. The breach is inevitable, but the exposure doesn't have to be.

Dave Bittner: [00:08:00:04] That's Mike Lipinski from Securonix.

Dave Bittner: [00:08:04:19] Cisco is patching its WebEx Chrome Plugin. Users are advised to update: the vulnerabilities addressed are potentially serious.

Dave Bittner: [00:08:13:15] KPMG reports that cyber fraud cost the United Kingdom some £124 million in 2016, and that's a lot. KPMG tracked fraud cases in British courts to arrive at its figures. And who's behind the rise in cybercrime? Skids, to a significant extent. Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told us that, quote, What is particularly alarming is the rise of small online fraud committed by teenagers and people with almost no technical skills. End quote. Cybercrime is seen by many hardscrabble crooks as a relatively low-risk, high-payoff proposition, especially when compared to stickups and muggings.

Dave Bittner: [00:08:54:16] In industry news, RiskIQ buys Maccabim for its brand threat project management capability. Cisco is acquiring AppDynamics for a reported $3.7 billion. Reuters floats the rumor that Keysight Technologies is considering buying Ixia. Venture capital hasn't been idle, either, as SentinelOne closes a $70 million Series C round, and Secret Double Octopus - specialists in multi-factor authentication - gets $6 million in Series A funding from Jerusalem Venture Partners.

Dave Bittner: [00:09:28:04] Finally, what does Verizon have to say about the new SEC investigation of Yahoo!'s breach disclosure, and Yahoo!'s announcement that its deal with Verizon will be delayed at least until April? Well, nothing. As far as we can tell, Verizon is keeping its counsel and holding its corporate tongue.

Dave Bittner: [00:09:49:18] Now let me mention one of our sponsors - E8 Security. Let me you that question: do you fear the unknown? Lots of people do, of course: The Gator Ghoul, Phantom Racer, stuff like that. But we're not talking about those. We're talking about real threats - unknown unknowns lurking in your networks. The good people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old-school legacy signature matching and human watch standing.

Dave Bittner: [00:10:14:24] Go to and download their free white paper, “Detect, Hunt, Respond.” It describes a fresh approach to the old problem of recognizing and containing a threat no-one's ever seen before. The known unknowns, like the Mantis, or the Beast of Bottomless Lake, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. That's, and check out that white paper. We thank E8 for sponsoring our show.

Dave Bittner: [00:10:51:04] I'm pleased to be joined once again by Professor Awais Rashid. He heads the Academic Center of Excellence in Cyber Security Research at Lancaster University. Professor Rashid, certainly the IoT is top of mind these days with the major hacks that we've seen - the botnets and so forth. Today, though, you wanted to talk about IoT when it affects the healthcare industry.

Professor Awais Rashid: [00:11:14:06] Yes. We've recently seen, as you know, that IoT devices have been used in large-scale attacks. Let me start by saying the Internet-of-Things is a very promising development, where we can use a high level of connectivity in really a number of key applications, such as digital health, whereby implantable medical devices, or body area networks can help us. But one of the things we need to bear in mind is that one of the things we must not do, as we design these devices, is to ignore security, because in due course, as we have seen in other domains such as industrial control system and critical and national infrastructure, once these devices are connected to other networks, that opens them up to various potential vulnerabilities and attacks, and we've already seen this in high-profile attacks.

Professor Awais Rashid: [00:12:02:08] So there are a number of threats that we need to think about. First of all, there is what you would call the telemetry interface in these devices, where potential attackers can eavesdrop, or replay forged commands. For instance, to make the device do something that it shouldn't be doing. We've already seen the use of these devices in malware. Can you imagine somebody's pacemaker, for instance, being used as part of a botnet?

Professor Awais Rashid: [00:12:29:23] But there are also more subtle ways in which these things can be compromised, so you don't necessarily need to, for example, make the device do something - you can just do enough to the device to cause sensor actuator failure, thereby compromising trust in the device. Or you can maliciously inject some data that no longer allows you to trust the information that you're getting from the device, and in which case, it is absolutely useless.

Dave Bittner: [00:12:58:17] How can organizations protect themselves from that kind of thing?

Professor Awais Rashid: [00:13:01:19] I think the fundamental principle that we need to use with regards to health IoT is - if it is not secure, it is not safe. And that's the fundamental thing. We have a very good understanding of safety within the health environment, and I think we need to extend that towards security, and ask the question: if this device is not secure from a cyber security perspective, is it really safe to utilize in a health setting? We are increasingly seeing regulators actually get much more aware of these issues.

Professor Awais Rashid: [00:13:36:23] The other thing that we really need to think about is that these devices don't operate on their own. They will come into contact with a range of other systems, simply because they are networked, and it is not just about securing what's on the device, but also the environment in which these devices are placed, and actually understanding their interactions with that environment, and how we may secure those interactions so that the device and the data it is utilizing is protected in an effective fashion.

Dave Bittner: [00:14:08:20] Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:14:13:12] That's The CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit Thanks to all of our sponsors, who make The CyberWire possible, and special thanks to our sustaining sponsor, Cylance. To find out more about how Cylance can help protect you, visit

Dave Bittner: [00:14:30:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.