The CyberWire Daily Podcast 3.23.17
Ep 312 | 3.23.17

Newly disclosed threats and vulnerabilities, mostly criminal. Catphishing peer review. The US may indict North Korea for the Bangladesh Bank heist.


Dave Bittner: [00:00:03:09] We got a rundown of recently announced threats and vulnerabilities in stores and documents: Play Store, App Store, and MS Office. Some crooks move to the cloud. GoDaddy buys Sucuri. The US is rumored to be preparing a North Korean indictment for the Bangladesh Bank heist. Social media look for bad bots. And some dodgy scientific journals seem to use catphish for peer review.

Dave Bittner: [00:00:31:07] Time for a message from our sponsor, Dragos. There are SOCs for this and SOCs for that. Our sponsor, Dragos, would leave you out of that SOCs box, because not all SOCs are good for your SOCs. And ICS won’t fit into IT SOCs. Well that’s how Dr Seuss might have put it, but Dragos can explain it in a manner fit for adults. They've got a new white paper out that can help any organization that operates industrial control systems work through the challenges of establishing a security operation center that meets its distinctive needs. Most SOCs are modeled on the ones that have been built for IT systems, and they’re just not made to fit industrial control systems. Go to and download the white paper now and you’ll build yourself a capability that grows with your ICS needs. Again, that’s Dragos, for ICS insight. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:32:11] Major funding for the CyberWire podcast is provided by Cylance. I’m Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 23rd, 2017.

Dave Bittner: [00:01:42:24] Some recently discovered threats and vulnerabilities lead today's news. Researchers at the security firm Zscaler have found some unusually nasty bits of adware lurking in the Google Play Store. They're unusual in at least two ways. First, they're able to add themselves as a device administrator, and second, they play possum for six hours after installation, exhibiting only good behavior. That second feature seems to have been put there to evade detection and ejection by Google Bouncer, Mountain View's security feature that executes an app, evaluates its behavior, and kicks it out of the store if it shows itself to be up to no good. Zscaler found 12 bad apps. Four of them have a lot of downloads, between 10,000 and 50,000, by Zscaler's count, so it's putting those on the BOLO list. So be on the lookout for Eighth Note Jump - Talk2Me; Photo Editor: Cut, Crop, Paste; QR & Barcode Scanner, and, finally, Smart Compass.

Dave Bittner: [00:02:40:08] Google is neither careless nor negligent about security, but the Android ecosystem is big, open, and complex, and it's difficult to purge all the bad things out there, especially when criminals are devoting a great deal of time, talent and attention to circumventing security. In another report about Android malware, Palo Alto Networks' Unit 42 has found that new, aggressive adware is abusing the popular open-source Android plug-in frameworks, DroidPlugin and VirtualApp. Users' private data are at risk if they operate in these environments, so again, be wary.

Dave Bittner: [00:03:16:24] Apple's App Store, by reputation more tightly controlled than its relatively more open Google counterpart, also draws the attention of crooks and scammers. Trend Micro has a report on how some criminals, apparently in China - at least their code is in Mandarin - have insinuated their own third-party app store into Apple's App Store. The third-party store got in cloaked in a legitimate application. ICS security shop Dragos reports finding malware disguised as Siemens firmware infecting some ten industrial plants. The infestation has been quietly active for about four years.

Dave Bittner: [00:03:54:06] According to security researchers at Netskope, a new strain of macro-based malware affecting Microsoft Office is now cloud-based. Default Office installations disable macros, so the malware purveyors are seeking to induce their targets to enable macros in the documents they use as vectors. The malware uses either VBScript or PowerShellScript, and its signatures are known. Of course, users fall victim to known threats all the time. What's interesting about this macro-based malware is its use of a cloud service, 1Fichier, a service based in France, or perhaps one-feeshyay if you're an Anglophone reading news stories. It's not a criminal organization, but it is being used by criminals. Netskope Threat Research Labs don’t think too highly of 1Fichier as far as security is concerned, rating them an 11 out of 100 on enterprise readiness. The payloads being distributed by the malicious macros are often ransomware. The extortion notes are in English, Polish, Russian, Dutch, Italian, and Mongolian.

Dave Bittner: [00:04:58:08] Most malicious Word files have been crafted to affect either Windows machines or Macs, but analysts at Fortinet have found one that can swing from either side of the plate. The malicious code takes different routes depending on the operating system it detects on the victim's device.

Dave Bittner: [00:05:15:06] Another new potential threat is an attack technique that hasn't so far been observed in the wild. Security firm Cybellum's researchers have described an escapade they're calling "Double Agent." Double Agent uses Microsoft's Application Verifier, loading its own verifier DLL in place of the one provided by Microsoft. Double Agent, as demonstrated by Cybellum, can subvert anti-virus software and either silence them or turn them into attack mechanisms. Potentially affected AV vendors have either verified that their products aren't vulnerable, patched them, or are at work on fixes, so with some work and some luck, if Double Agent shows up in the wild, it will do so with limited effect.

Dave Bittner: [00:05:57:11] In the Fall of 2016, Facebook launched Marketplace, what they describe as a convenient destination to discover, buy and sell items with people in your community. Facebook has clearly got eBay and Craigslist in their sights as they enter this space. There’s also a security angle. Eric Olson is Vice President of Intelligence Operations at LookingGlass Cyber Solutions, where one of the services they provide is keeping an eye out for customers for unauthorized or gray market goods in online marketplaces. Reviewing data gathered from LookingGlass customers, Eric Olson offers us some insights.

Eric Olson: [00:06:32:17] The traditional big three were Alibaba, Craigslist in its many hundreds or thousands of city-specific sites, but collectively Craigslist, Alibaba, and eBay have for many years been the big three, and in less than a hundred and eighty days, Facebook has moved to the two or three slot, depending on the type of products. So I’d say that’s going pretty well. They've gone from zero to sometimes as much as eight or nine or ten percent of the total, out of thousands of findings, in less than six month.

Dave Bittner: [00:07:03:07] From a Cyber security point of view, what are the concerns?

Eric Olson: [00:07:06:21] Well I think there are a couple of things to consider from a security standpoint. On the one hand, this is in some ways potentially beneficial. Facebook is a, if you will, a monolithic source. Facebook is developing the same kind of abuse reporting or response program that you see at eBay, in place for many for years. And so by being another large monolithic source that draws in large numbers of buyers and sellers, from a security standpoint it is nice in some sense to have one place to go to ask for assistance. For example, in removal or take down or investigation. So that’s helpful. On the flip side, the problem is that it is a system so easy to use, for the non-technical seller and buyer, that it may actually grow the pie, not just change where things are being distributed within it. So I think that is certainly one concern.

Eric Olson: [00:08:05:14] The second is that, as you may know, it is very simple to set up a Facebook account and I think the proliferation of accounts will be even greater on Facebook than they might be on a site like eBay.

Eric Olson: [00:08:23:03] The third and final thing that comes to mind is, unlike eBay or Craigslist where companies have long had programs, or vendors, or a process in place to monitor, you've now added hundreds of Facebook city markets similar to what Craigslist does. They are city-specific markets. You now have hundreds of new markets you have to keep on, and from an operation standpoint, unless you work with a vendor who specializes in such things, I think it adds one more thing for a security professional to have to keep an eye on, and that may mean new processes or procedures or services.

Dave Bittner: [00:09:00:05] That's Eric Olson from LookingGlass.

Dave Bittner: [00:09:04:08] In industry news, GoDaddy acquires security firm Sucuri. GoDaddy's cloud platform caters mostly to small, independent businesses. It appears that they believe Sucuri's website security products and services will be just the thing their users want.

Dave Bittner: [00:09:20:00] The US considers indicting North Korean hackers in the Bangladesh Bank SWIFT fraud case. The Department of Justice, the New York Fed, and SWIFT aren't commenting, but the word on the street is that it was the North Korean government, aided and abetted by Chinese middlemen.

Dave Bittner: [00:09:36:02] Finally, have you heard of fake news? Sure you have, and all sorts of people are grappling with the old problem of telling truth from lies, and from their epistemic cousins, error and BS. The issue is complicated by the challenge of telling the humans from the bots, a difficulty that's troubling Twitter's business these days as bots are now thought to compromise some 15% of Twitter accounts. Other social media platforms are believed to suffer similar infestations. So we should call in science to find the fix, right? Alas, science has its own problems. Hand in hand with the replication crisis researchers are talking about quietly comes another problem: scam journals. Why are they scams? Well, good science is peer-reviewed. So are the scam journals. It's just that the reviewers are, wait for it, bots, catphish, and other online riff-raff. It's enough to make any scientist, well, a mad scientist.

Dave Bittner: [00:10:40:11] Time for a message from our sponsor, Palo Alto Networks. You know it's tough to find an enterprise that's not at least partially in the cloud. Our sponsor, Palo Alto Networks, can keep your cloud secure and happy no matter what type it is, because, as they'll tell you, a secure cloud is a happy cloud. You can visit them at Far more than just some convenient place somewhere out there to store stuff, the cloud's become an integral part of all enterprise level organizations. Palo Alto Networks understands that your data and applications are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in between. They'll ensure your data and apps stay secure and protected wherever they are. Palo Alto Networks delivers the broadest, most comprehensive cyber security for a private cloud, public cloud, and SAS environments. Learn more at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:11:46:03] And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, we want to touch base today about I guess what you could call some evolution in the Mirai botnet?

Dale Drew: [00:11:58:02] Yeah, we're actually very excited to talk about this. We're actually seeing, and I'm going to knock on wood here, but we're actually seeing part of the wind coming out of the sails of Mirai. When we first started tracking Mirai during its sort of bubble period, you know, we were tracking 500,000 to 600,000 compromised end devices being controlled by, you know, some 100 different botnet operators. We're now seeing what we're calling controllable Mirai nodes at around the 100,000 mark. And what we mean by that, a controllable node, is there's still about 500,000 to 600,000 compromised Mirai end nodes out there, but the command and control systems can no longer connect to those devices. Those devices are now stranded. So the devices that the bad guys are still able to operate is around 100,000, and so we're definitely seeing a significant reduction in that footprint. We're seeing a lot of frantic activity from some of the operators trying to increase the amount of devices they have by looking for new exposures. I do believe in the next few months we're going to see some pretty significant exposure with regards to the number of new IOT vulnerabilities that are going to be out in the industry, 'cause these bad guys are definitely looking for new ways of breaking into these devices.

Dave Bittner: [00:13:18:13] Now when you say stranded, what do you mean by that in terms of an endpoint device?

Eric Olson: [00:13:22:18] Well, so what's happening is that when a bad guy breaks into, say, a home DVR or a home camera or a router, and he loads his own sort of botnet code to be able to control it, moments later another bad guy will also break into that device and try to upload his own code. So we saw a lot of infighting between botnet operators. And so what was happening is the consumer had no idea this fighting was happening on their home device, but one bad guy would actually patch or fix the exposure so the other bad guy couldn't break in. In a lot of cases, we've seen botnet operators essentially hard code the command and control system that that compromised end point would talk to. So when internet service providers or security researchers are taking down those C2s, like us, then that C2 can no longer talk to those compromised devices. When the bad guy finds a new C2, he can't re-break into those devices 'cause those devices have been hard coded to the previous command and control system.

Dave Bittner: [00:14:23:09] All right, so there's no honor among thieves, and, Dale Drew, thanks for joining us.

Dale Drew: [00:14:28:24] Thank you for having me.

Dave Bittner: [00:14:32:04] And that's the CyberWire. Thanks to all of our sponsors who made the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance uses artificial intelligence to protect you from cyber attacks. Visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.