The CyberWire Daily Podcast 3.7.17
Ep 300 | 3.7.17

StoneDrill succeeds Shamoon. Trojanized Android Facebook Lite. Progressive groups threatened with doxing, blackmail. WikiLeaks' Vault 7. Hacking back? Wiretapping?


Dave Bittner: [00:00:03:12] StoneDrill succeeds Shamoon - it's more evasive and at least as destructive. Russian hackers are blackmailing US progressive political groups. Congress considers a bill to allow companies to hack back. WikiLeaks' Vault Seven mostly unsurprising and Washington wiretapping allegations prompt recriminations.

Dave Bittner: [00:00:29:13] Time to take a moment to tell you about our sponsor, the good folks over at CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out and find your future. CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload the resume and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. You'll find this and other great opportunities at That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:25:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, March 7th, 2017.

Dave Bittner: [00:01:35:15] Kaspersky Lab reports finding a new version of Shamoon, which it's calling "StoneDrill." Like its progenitor, StoneDrill is destructive, deploying a wiper across infected machines to destroy data. Kaspersky discovered StoneDrill in the course of investigating the three waves of Shamoon 2.0 attacks that began in November 2016.

Dave Bittner: [00:01:56:16] StoneDrill is more evasive than Shamoon (it avoids execution in sandboxes) and includes "mostly Persian resource language sections." (Shamoon 2.0 featured Yemen's version of Arabic; Kaspersky notes that both language cues could easily be false flags.) Another difference between StoneDrill and Shamoon is StoneDrill's reliance on memory injection of the wiper into the victim's "preferred browser" - the new malware forgoes Shamoon's use of drivers during deployment.

Dave Bittner: [00:02:25:23] It's begun to turn up in Europe, in what Kaspersky calls "a large corporation with a wide area of activity in the petrochemical sector," but with no apparent interest in or connection to Saudi Arabia. This finding suggests that the StoneDrill operators are expanding their target set beyond its original Saudi range.

Dave Bittner: [00:02:45:15] Shamoon itself has gone by a number of names. "Shamoon" has been used to designate the campaign that was first identified by the IT security company Seculert in August of 2016, when it hit Saudi Aramco machines in a destructive attack. The name "Shamoon" has also, somewhat more loosely, been used to designate the malware itself. Palo Alto, Cylance and others have called the wiper malware "Disttrack."

Dave Bittner: [00:03:11:03] For background, recall that the original Shamoon campaign of 2012 was claimed by a group calling itself the "Cutting Sword of Justice," widely believed to be acting on Iran's behalf in that country's contest for regional superiority with Saudi Arabia. The threat group associated with Shamoon, and probably with StoneDrill, has been called Charming Kitten, Newscaster and NewsBeEF by security researchers.

Dave Bittner: [00:03:37:11] Malwarebytes warns that a Trojanized version of Facebook Lite for Android targets Chinese users with Spy FakePlay. The users are downloading it from third-party app stores because of China's restricted access to Google Play. Malwarebytes advises that you stick to Google's Play Store to avoid this particular nasty. If, that is, you've got access to Google Play. If not, well, then buyer beware.

Dave Bittner: [00:04:03:09] In the US, center-left and progressive advocacy groups are subjected to online blackmail: Russian hackers threaten to release embarrassing emails and shared documents. The FBI is investigating. The blackmail demands so far appear to range from $30,000 to $150,000. It's not clear what, if any, documents have been doxed. The blackmailers are said to be using some techniques reminiscent of Cozy Bear - that's Fancy Bear's quieter, more patient sibling, generally held to be Russia's FSB, but in this case the hackers are thought to be criminals and not intelligence services. It's worth repeating Bloomberg's observation that, in Russian operations, this distinction can be a difficult one to draw. But Russian intelligence services' tools have shown up in criminal gangs' hands, and vice versa.

Dave Bittner: [00:04:54:06] WordPress sites were recently hit with a slew of defacements and remote code execution attempts, abusing a vulnerability in the WordPress REST API. For more on this vulnerability, we spoke with Neill Feather, President of website security company, SiteLock.

Neill Feather: [00:05:10:04] So this one was a vulnerability that was in WordPress itself. What it essentially allowed an attacker to do was if a site was making use of the REST API, it was allowing attackers to insert their own content or overwrite website content with what they chose to put on the site. So you didn't have to be logged into your WordPress in order to make changes and it was allowing unauthenticated access to WordPress administration pages. The way it was done was there was an input field that was not being properly handled in the code and because those types of requests weren't being filtered properly and cleaned properly, they were able to perform unintended actions with the WordPress environment.

Dave Bittner: [00:06:04:17] And so has this been patched?

Neill Feather: [00:06:06:04] Yes. For a lot of folks it was able to be patched before it was publicly known. Folks like us in the security community and folks on the WordPress side were patching this before the public disclosure of the information. So for a lot of WordPress users they never had any kind of negative impact of this. But, you know, certainly WordPress is such a large and widely deployed platform that it did impact millions of websites.

Neill Feather: [00:06:32:10] WordPress is so popular so that tends to give some folks the perception that it's an insecure platform and that's not true. So it's as secure as any other type of open source CMS that's out there. I think the big difference is it's so popular that cyber criminals tend to target it. The cyber crime business is no different from any other business, they're going to phish where the fish are, so to speak. WordPress happens to be a popular platform and so it gets targeted a lot more and the incidents tend to be a lot bigger because there are so many folks using the platform.

Neill Feather: [00:07:07:17] We recommend that folks who are using open source CMS and using plug-ins and themes and other great functionality, that you use a product like a web application firewall. Something that's going to help you virtually patch these issues. If you're not going to be the type of website owner who's constantly going to stay on top of updates and stay on top of vulnerabilities and things like that, this gives you a little bit of cover for those types of vulnerabilities that get disclosed before you have a chance to patch it yourself.

Dave Bittner: [00:07:38:16] That's Neill Feather from SiteLock.

Dave Bittner: [00:07:42:18] In M&A news, CA buys Veracode for $614 million. Edwards acquires Evolved Cyber Solutions, Inabox buys Logic Communications, and Okta acquires Stormpath. The Veracode buy is the largest of these by some margin, and has attracted the most interest among analysts, some of whom see it as a bellwether.

Dave Bittner: [00:08:05:22] In the US, Congress considers legislation that would permit hacking victims to access their attackers' non-cooperating systems to determine attribution. The proposed bill seems less about reprisal than it does an incentive to do some aggressive private sleuthing. Observers are divided as to whether this is a good idea.

Dave Bittner: [00:08:25:02] WikiLeaks has released some of its long-promised "Vault Seven" documents, which contrary to expectations have little to do with former Secretary of State Clinton and instead mostly express RT- and TASS-like shock that the Central Intelligence Agency collects foreign intelligence, and that the Agency has seen its share of controversy.

Dave Bittner: [00:08:44:23] And finally, you may have noticed a lot of yelling and tweeting since Saturday over the Obama-Trump wiretapping dust-up, as partisans of the current residents of Kalorama and Pennsylvania Avenue woof at each other on talk shows and on the Internet. Present and former leaders of the Intelligence Community seem particularly riled, and ill-at-ease with some of the current Administration's Tweets. We await the settling of dust. In the meantime, you're invited to read your favorite papers, and your unfavorite papers, too, for their take on that matter.

Dave Bittner: [00:09:20:24] Time for a message from our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, there's something for everyone at Want to try it out free with no strings attached? Go to for a 30 day fully functional version of Netsparker Desktop. And by fully functional Netsparker means, yes, really truly actually yes, fully functional. Scan those websites with no obligation. Check it out at And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:10:27:13] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland, Center for Health and Homeland Security. Ben, interesting story came by, from Vice News, about a court case where Amazon's Alexa is involved in a murder case. People trying to get information from Alexa. Bring us up-to-date, what's going on?

Ben Yelin: [00:10:46:02] We've lived to see the day where Alexa herself can be the subject of a lawsuit. So what happened was there was an incident in Arkansas, back in November 2015. There's a man named James Bates, who was a former Walmart employee. He had friends over at his house, the next morning Bates himself called 911, reported that one of the guests was dead in the hot tub outside. Bates was accused of the crime of homicide, and one of the ways the government was trying to obtain evidence was trying to subpoena information from Amazon, gleaned through their Alexa device.

Ben Yelin: [00:11:25:08] So, as you know, the device is activated when somebody says, "Hey Alexa." What I didn't know until I read this article is that it actually picks up some of the conversation that happens before the trigger, before the, "Hey Alexa" and after that trigger. In this case, law enforcement thinks that there might be some evidence of this crime, either in the conversation that occurred after the trigger or immediately before and immediately after.

Ben Yelin: [00:11:52:08] Amazon is seeking to quash the subpoena. They, just like Apple in previous cases and just like all of the technology companies, want to protect the privacy of their users. So they are fighting the subpoena hard. They're saying that the allegation that this information would be somehow useful to the investigation isn't supported by compelling evidence. And they're also arguing that potentially there's a First Amendment violation. When people are using their Alexa devices, frequently they're asking it to shop for them, it's an Amazon device. So if I say, "I want to read a Noam Chomsky book" or "I want to read Das Kapital by Karl Marx," this is something that implicates freedom of speech and freedom of association, and to infringe on those rights you'd have to have a compelling interest.

Ben Yelin: [00:12:44:03] And what Amazon are saying is law enforcement doesn't have a compelling interest, because they can't prove to any reasonable extent that any information they'd gain from this device would actually be useful in the investigation.

Dave Bittner: [00:12:57:18] But how is this more of a fishing expedition than say just a warrant to search my house? They're suspicious of something, they convince a judge that maybe there's something to this and they search my home. How would searching Amazon's records be any different from that?

Ben Yelin: [00:13:14:17] Well, a couple of things. One are those freedom of association implications. There is private information in the home, but what Amazon has said in its motion to quash the subpoena, is that there's a particular relationship between a user and this Alexa device. And part of that is personal information that's gleaned simply from some of the conversations. The other thing is the particularity requirement. So most times when you have a warrant to search a house, it's because you have probable cause that there's some evidence there that a crime has been committed.

Ben Yelin: [00:13:48:09] Here there's no real confirmable evidence. The reason this seems like a fishing expedition, at least to me, is that they just want all the audio they can obtain to see if there's something there that might implicate this criminal defendant. And that's too generalized. We have this particularity requirement, under the Fourth Amendment that you have to have probable cause that a piece of evidence is really going to be useful in solving the crime.

Dave Bittner: [00:14:13:05] Interesting stuff. We'll have to keep an eye on it as it develops. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:19:22] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to

Dave Bittner: [00:14:31:24] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.