The CyberWire Daily Podcast 2.4.16
Ep 29 | 2.4.16

John Petrik: [00:00:01:18] The Emissary Trojan evolves apparently in response to being tracked by threat intelligent shops. An active campaign is hitting WordPress sites with the Nuclear exploit kit. Comodo's working on a patch for Chromodo. A former Norse insider disputes negative accounts of the company's business. Analysts offer their sense of the trends in cyber conflict, with particular attention to the US, Russia, and China. Google makes tentative moves against online radicalization. And we look at the state of card skimmers and malware-serving email invoices.

Dave Bittner: [00:00:38:17] This CyberWire Podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance, and privacy. Learn more online at

John Petrik: [00:01:01:07] This is John Petrik, the CyberWire's editor, in Baltimore, filling in for Dave Bittner, with your CyberWire daily podcast for Thursday, February 4th, 2016.

John Petrik: [00:01:11:12] Palo Alto Networks has been keeping an eye on Operation Lotus Blossom, an attack campaign using the Emissary Trojan. Since publishing a report on Lotus Blossom late last year, Palo Alto has noticed that Emissary is morphing, apparently in an attempt to avoid detection and analysis, and it's doing so at a faster clip than before. Used almost entirely against targets in Taiwan and Hong Kong, the evolution of this remote access Trojan suggests strongly that the authors of sophisticated malware are tracking threat intelligence, the better to evade defenses.

John Petrik: [00:01:43:00] A large and active campaign to install the Nuclear exploit kit's Backdoor.Andromeda payload is afflicting WordPress sites this week. Sucuri detected the uptick in infections. Apparently the attack code redirects traffic initially to domains that seem to host ads, then, after this initial misdirection, on to the Nuclear kit itself. Backdoor.Andromeda, known since 2014, has been used to steal data or to execute code on victim machines. WordPress issued a security update earlier this week, and while it's not yet clear the patch would fend off the Neutrino campaign, users would be wise to apply the update in any case.

John Petrik: [00:02:20:23] In other patch news, Comodo says it's working on a fix for problems recently disclosed in its Chromodo browser, and an update is expected from them next week.

John Petrik: [00:02:30:13] In industry news, Skybox Security and eSentire both raise significant amounts of new funding. Cisco is buying the IoT shop Jasper Technologies for a reported $1.4 billion. Apple hires, or at least acquires (it's not entirely clear which), the LegbaCore researchers, who found the OS X Thunderstrike vulnerability last year.

John Petrik: [00:02:52:11] And we continue to follow the fate of Norse Corporation. Its recently departed CEO, Sam Glines, has a long letter out, published in CSO's Salted Hash blog, in which he defends Norse's integrity and challenges much of the speculation that's surrounded the company and its products this week.

John Petrik: [00:03:09:09] Threat trend watchers will doubtless read with interest Crowdstrike's Global Threat Report, just released. The report sees an increase in nation-state cyber conflict, more criminal resort to extortion, in its various forms, and an increase in hacktivism matched by greater censorship and response. This last trend, Crowdstrike suggests, will be most pronounced in the Middle East.

John Petrik: [00:03:32:01] National intelligence budgets and strategy documents are also out, for the US, Russia, and China. The US Department of Defense has asked for some seven billion, to support cyber capabilities in 2017. Russia, which correctly sees itself as not exactly in American cyber good graces, responds with plans to spend the equivalent of 250 million on cyber offense alone. Moscow also takes time to point out to the world that it has some of the best hackers going. And scrutiny of China's Five Year Plan suggests to analysts that agriculture and alternative energy will be the two economic sectors of particular interest to the PLA over the next few years.

John Petrik: [00:04:10:20] The big issue for many security and diplomatic services, of course, is what to do about ISIS messaging. That ISIS messaging continues to inspire recruits is evident in arrests from Kansas to Dortmund, but what to do about that inspiration, in terms of information operations, remains very much up in the air. Saudi Arabia is standing up an effort to monitor radicalization in social media. Israel offers intelligence cooperation to other nations who are seriously interested in opposing ISIS, and the US Secretary of State makes a controversial foray into lay theology, denouncing the Caliphate as a bunch of apostates. From Silicon Valley, however, we see some stirring of contributions from the private sector. Google is said to be planning to display anti-radicalization and counter-terrorism messages, along with search results whose terms suggest an interest in joining ISIS.

John Petrik: [00:05:01:15] Privacy Shield is replacing the former US-EU Safe Harbor agreement, but the EU says businesses should realize that full details won't be worked out until April.

Dave Bittner: [00:05:14:05] This CyberWire Podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

John Petrik: [00:05:33:13] BlackEnergy continues to prompt concerns about the security of utilities. And we hear from a policy expert on what's involved in securing critical infrastructure.

Dave Bittner: [00:05:41:16] I'm joined by Markus Rauschecker. He's a cybersecurity program manager at the University of Maryland Center for Homeland Security. They're one of our academic and research partners. We've had a lot of stories on the CyberWire lately about the cyber threat to critical infrastructure, particularly with the recent attack on the power systems in Ukraine. In your view, how serious is this threat, and what makes critical infrastructure an attractive target for attackers?

Markus Rauschecker: [00:06:05:14] Certainly a very serious issue. The events in Ukraine are significant because it marked the first time that a cyber attack was successful in shutting down power on a power grid. Here, in the United States, we're obviously very concerned about a successful cyber attack against critical infrastructure. But the good news is that, according to experts in the field, it seems that the likelihood of a successful cyber attack against their critical infrastructure sector, especially a power grid, is low in this country. That doesn't mean that we don't have to be concerned. Critical infrastructures are an attractive target to hackers simply because of the consequences that could result from a successful attack. There are national security implications. There are severe economic implications, and there are basic public safety and health implications, should a cyber attack on the critical infrastructure be successful. All these issues are so important and so critical to deal with that we can't take our eye off the ball here.

Dave Bittner: [00:07:27:22] Markus Rauschecker, from the University of Maryland Center for Health and Homeland Security, thanks for joining us.

John Petrik: [00:07:35:04] To return to cyber crime, you've heard, of course, of card skimmers - those devices attached for the most part to self-service point-of-sale terminals, like gas pumps or supermarket express checkout lines. Criminals use the skimmers to harvest payment card information. You may have wondered what they look like, and you may have imagined that they'd be easy to recognize. Well, as to what they look like, KrebsOnSecurity has a photo up that shows a skimmer removed from, Krebs says, a Safeway store in Maryland. It's pretty plausible looking to our eyes. As far as gas pump skimmers are concerned, they're even more insidious - harder to detect because they're usually mounted internally to the pump.

John Petrik: [00:08:11:10] How do the crooks get into the pump, you may ask? With a gas pump universal key. These are readily available online. They don't cost much, and they're easy to purchase legitimately. If you run a gas station, a smart deputy sheriff gave us this advice about an easy way to protect your customers: use a padlock on your pumps.

John Petrik: [00:08:30:05] Finally, in what is surely in the running for the title of least convincing malware-bearing spam ever, someone is sending marks in the UK an invoice bearing the Dridex banking Trojan. So far, so familiar. But the invoice itself? It's a bill for hiring a toilet. While this isn't perhaps as obviously off the mark as other questions or come-ons we've heard, like "Are you sure you didn't get married?" or "Really, are you certain you've never visited Antarctica?" or even "The Prince of Poyais has been moved by the spirits to leave his considerable fortune to you, if you act now," we do think you'd be likely to remember if you'd rented a toilet. So please don't open this sort of thing, even out of curiosity. Happy emailing, and stay safe.

John Petrik: [00:09:15:06] That's the CyberWire for Thursday, February 4th, 2016. For links to all of today's stories, along with interviews, our glossary and more, visit the The CyberWire Podcast is produced by CyberPoint International, and this is the editor, John Petrik. Our regular host, Dave Bittner, will be back from his travels on the 16th. Until then I'll be filling in. Thanks for listening.