The CyberWire Daily Podcast 2.8.17
Ep 282 | 2.8.17

Islamist hackers hit websites in Britain and Austria. Mac malware linked to Iran. Criminals follow the money into the cloud. M&A notes. Dendroid RAT author gets probation.


Dave Bittner: [00:00:03:15] ISIS-affiliated hackers deface UK National Health Service's sites with propaganda. Turkish Islamists DDoS Austria's parliament. Poorly crafted, but troubling, Mac malware seems linked to Iran. Criminals follow the money into the cloud. Malwarebytes picks up Saferbytes and Sophos buys Invincea and the author and purveyor of the Dendroid RAT gets probation.

Dave Bittner: [00:00:32:12] Time to take a moment to tell you about our sponsors CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resumé and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs. WakeMed is looking for an information systems security officer to help safeguard sensitive information. You'll find this and other great opportunities at We thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:36:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 8th, 2017.

Dave Bittner: [00:01:46:18] The Independent has reported that a number of National Health Service's sites in the UK have for the last three weeks been targeted by ISIS-adhering hackers belonging to the Tunisian Fallaga Team. The most visible aspect of the attack involved website defacements with images of violence in Syria and a demand for an end to Western aggression. Patient information may have been exposed in the course of the hacks, but so far, at least, such information seems not to have been compromised.

Dave Bittner: [00:02:15:13] The Cabinet Office believes the coordinated attack is a serious one, more serious than earlier defacement campaigns. In part, this is due to the choice of target: the National Health Service, after all, affects essentially everyone in the UK. Various NHS trusts have sustained a number of successful attacks over the past year, many of them criminal ransomware incidents, but this coordinated defacement campaign suggests a more disturbing class of threat. Still, NHS has proven a relatively soft target in the past, and the most recent attacks have little about them to suggest a significant increase in ISIS cyber capability. Note, for example, the continuing emphasis on information operations as opposed to, say, data theft or destruction. The Tunisian Fallaga Team is believed to be working in concert with two other ISIS-affiliated groups: Global Islamic Caliphate and Team System DZ.

Dave Bittner: [00:03:09:19] In other ISIS news, captured files suggest the Caliphate is having difficulty keeping its foreign fighters motivated and on-task. Iraqi forces seized documents in Mosul last month belonging to ISIS's Tariq Bin Ziyad battalion. Of interest are the effect anti-ISIS military operations seem to be having on foreign fighters in particular, an expressed desire to return home, mostly to France and Belgium, and the apparent requirement ISIS has that fighters claiming to be too sick or injured to fight submit a doctor's note.

Dave Bittner: [00:03:43:15] A different Islamist hacking group, this one of a Turkish nationalist as opposed to an ISIS bent, briefly disrupted access to the Austrian Parliament's website over the weekend. The distributed denial-of-service attack was mounted by the Lion Soldiers Team, known by its Turkish acronym ANT, for Aslan Neferler Team. ANT was reacting to Austria's move to block Turkish accession to the EU in the wake of President Erdogan's crackdown on dissent in Turkey after an abortive Kemalist coup d'etat last year.

Dave Bittner: [00:04:16:15] A quick rundown of some upcoming events. Of course, if you're planning to be at our RSA next week, visit our event sponsor E8 Security. They're having a book signing and a cocktail party with author Gary Hayslip. And be sure to drop by event sponsor Deep Instinct's booth as well. They're in the north hall at 4805 and see what they can do for you. In Fulton, Maryland on February 26th, the joint event sponsored DataTribe in the start up crucible for their Hacking The Home Contest, and on the 1st March check out the Cybersecurity Summit in Denver, as they offer their Senior Executive Security Conference. We've got a full listing of events on our website:

Dave Bittner: [00:04:54:06] We've been following Fancy Bear and Cozy Bear for a long time now. It's time to note the appearance of a new bad animal in the menagerie, and this one's not even Russian, still less a bear. Think of it as a Persian cat. It's being called "Charming Kitten," and it's a threat group thought to be connected to Iranian security companies. Charming Kitten is unusual in that it appears to be focusing on Mac malware. Early reports suggest the malware, called MacDownloader and designed to steal passwords from a Mac keychain, is poorly crafted. It poses, sort of, as a malware removal tool but its come-on is poorly written and badly proofread, and thus unlikely to be plausible. Its more recent appearances have been in devices used by critics of Iran's human rights record, such critics in Iran tend to favor Macs for their presumed security advantages, but it's also appeared in phishing and watering hole incidents involving a bogus United Technologies website that offers equally bogus professional development courses to employees of Lockheed Martin, Boeing, and Raytheon.

Dave Bittner: [00:05:59:06] So, inept as the initial come-on may have been, Charming Kitten will bear watching. Reports suggest that Charming Kitten and Flying Kitten, another Persian cat, may have their claws out as much for US defense and aerospace companies as they do for Iranian dissidents.

Dave Bittner: [00:06:16:22] An unknown state-sponsored group, possibly though not certainly Russian, used Word macros to distribute a maliciously doctored version of a Carnegie Endowment report on the implications of US President Trump's election.

Dave Bittner: [00:06:30:05] PhishLabs has taken a look at last year's phishing schemes and noticed a trend. Criminals are increasingly going after data held in cloud services. We heard from Tim Erlin, Tripwire's Senior Director of IT Security and Risk Strategy, who thinks we shouldn't be surprised. Thieves go for value, as we've known since Willie Sutton explained why he robs banks. As Erlin says, "Storing your data in the cloud doesn't magically protect it." We can expect criminals to subvert whatever protections are in place, whether those are in a traditional enterprise set-up or in a modern cloud.

Dave Bittner: [00:07:05:04] There's some news on mergers and acquisitions. Salient CRGT has announced its acquisition of Information Innovators, Inc., commonly known as Triple I. Salient, which includes security among its offerings, sees Triple I's expertise in the Federal mission space, particularly the healthcare space, as complementary to its existing capabilities.

Dave Bittner: [00:07:28:01] Malwarebytes has also made an acquisition, Italian firm Saferbytes, specialists in anti-malware, anti-exploit, anti-rootkit, cloud AV, and sandboxing. Malwarebytes sees the acquisition as enhancing its threat feed and enterprise remediation offerings.

Dave Bittner: [00:07:44:12] In the largest bit of M&A news, Sophos has announced its agreement to buy Invincea for a $100 million cash consideration with a $20 million earn-out. Sophos intends to integrate Invincea's machine learning and malware detection technology into its endpoint protection offerings.

Dave Bittner: [00:08:03:04] Finally, returning to crime and punishment, Pittsburgher Morgan C. Culbertson, now 21, arrested in July 2015 during the FBI's takedown of the Darkode hacking forum, has been sentenced after his guilty plea in charges related to his authorship of the Dendroid remote access Trojan. Culbertson, who seems destined to be known forever as a former FireEye intern, which seems really unfair to FireEye, who after all did nothing worse than offer a kid a break, got off very lightly. 3 years' probation and 300 community service. He could have faced 10 years in Club Fed. Not all youths are so lucky. Get scared straight, kids. This really is a permanent record, even if you get the no-jail-time Mr. Culbertson received. There are teenagers doing time for cybercrime and they serve that time in a real prison, not something constructed in Minecraft.

Dave Bittner: [00:09:03:22] Time for a message from the good folks at E8 Security - putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system - listening or running programs on a rare or never seen before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before, or would that information jump out at you as you reviewed logs? If you had time to review your logs and, you know, by the time the logs reached you, that news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get the white paper at and get started. E8 Security, your trusted partner. We thank E8 for sponsoring our show.

Dave Bittner: [00:10:01:03] Joining me once again is Rick Howard. He's the CSO at Palo Alto Networks. He also heads up their Unit 42 Threat Intel Team. Rick, welcome back. I know today you wanted to talk about something called adversary play books. That's new to me. What are we talking about here?

Rick Howard: [00:10:18:06] Let's talk about adversary play books - kind of a new idea that we're pushing. When cyber adversaries attack their victims' networks they leave clues behind in their wake, sort of tell-tale signs that they have been there. We all know what these are - they're called indicators of compromise. Network defenders, our community have been sharing these things for years but that really hasn't worked that well. We share them by the gazillions, but the bad guys still seem to get in. What we have found more useful to share is entire adversary play books. Now, to understand what an adversary play book is, let me throw a sports analogy at you.

Rick Howard: [00:11:02:01] So, in American Football both teams come to the game with an offensive and defensive play book - plays that they have practiced to get ready for the game on both sides of the football. It's the same in our community in cyberspace. We're used to hearing about how network defenders, guys like us, we have play books within our own organization, that describe how an infosec team responds to an ongoing incident. We reach for the play book and we know what to do. But on the other side of the football, so to speak, the adversary has a play book too. We know that cyber adversaries don't freelance their attacks on the fly for every new victim. They don't come out, "oh, how am I going to do it today? Let me try something completely different." They re-run the same tools over and over again, down the cyber kill chain from delivery to compromise, to establishing a command and control channel, to moving laterally into ultimately exfiltrating data or destroying it.

Rick Howard: [00:11:58:21] Everything that adversary does down the cyber kill chain is their play book. The idea is for network defenders to share everything we know about a specific play book, so that we can deploy prevention and detection controls at every stage of the cyber kill chain. So, when we're just blocking just one indicator of compromise, you have a chance to stop the bad guy, but if you were blocking it at every stage of the kill chain, you exponentially increase your chances for stopping the bad guy, because even if the adversaries find their way around one of your blocks, they will immediately run into another one at the next stage. Are you buying any of that?

Dave Bittner: [00:12:35:18] Yes, absolutely. I imagine we're looking for patterns in the play books, looking for pieces of play books that might be passed around, that sort of thing?

Rick Howard: [00:12:42:24] Yes, we might know like, three pieces of a play book and we share it with another security vendor. They might know the same three, but might know two others. So now, together, we have a better, more mature, more robust idea of the complete play book. The idea then is to share it among everybody, so we have the most complete play book there is, so that we can get it to everybody so they can deploy those prevention controls.

Dave Bittner: [00:13:05:21] So is there a mechanism for sharing?

Rick Howard: [00:13:08:07] Well, that's what everybody is playing with right now in - how do we do that efficiently? And, there is a couple of models out there. There is the platform play, which is what all firewall vendors do. There is a third party vendor play, which is some third party does it for you. I've talked to you before about the Cyber Threat Alliance, a group of cybersecurity vendors who have decided to share play books amongst themselves, so we can help our collective customers be better protected. We are moving in that direction. The play book idea is a relatively new idea though.

Dave Bittner: [00:13:43:12] Good information as always. Rick Howard, thanks for joining us.

Dave Bittner: [00:13:48:12] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all our sponsors for making our show possible, especially to our sustaining sponsor Cylance. For more information about how they can help you visit

Dave Bittner: [00:14:04:02] Thanks for sharing our show and helping to spread the word. One of the best ways you can do that is to leave us a review on iTunes. It really does help people find the show.

Dave Bittner: [00:14:12:11] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.