The CyberWire Daily Podcast 4.4.17
Ep 320 | 4.4.17

Pegasus version now affects Android. UK on alert for ISIS infrastructure cyberattack. DPRK tied, again, to Bangladesh Bank heist. Fancy Bear and Turla updates. Samsung Tizen 0-day. Tax season security.


Dave Bittner: [00:00:03:14] Pegasus alights daintily in the Android ecosystem. British authorities warn of possible IRIS cyber attacks on infrastructure. Russia investigates the St. Petersburg metro bombing. New evidence connects North Korea with the Lazarus group. Fancy Bear continues to romp unabated and Turla seems to have remained quietly active for about 20 years. Apple issues an emergency iOS patch. Plus some industry notes and tax season security advice.

Dave Bittner: [00:00:35:10] Time to thank our sponsor, Palo Alto Networks. You can visit them at Software as a service applications are changing the way organizations do business as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete SaaS protection, providing detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks offers the most comprehensive cyber security for all cloud and software as a service environments because secure clouds are happy clouds. Get started securing yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:39:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 4th, 2017.

Dave Bittner: [00:01:49:01] There's some nasty attack code out there affecting Android devices, a version of the Pegasus malware that Lookout found infesting iOS last autumn. Now Lookout's Security Intelligence Team, working with Google, has found the long-expected Android variant which you can call either "Pegasus for Android" or "Chrysaor." It's a sophisticated bit of malware. Lookout says it has the same sort of spying functionality as its iOS counterpart including screenshot and audio capture, email and browser compromise and data exfiltration. If it senses that it's been detected, it will delete itself. The good news is that Pegasus attacks seem to be very narrowly targeted. If you however find your device infected, Lookout Security asks you to contact them.

Dave Bittner: [00:02:36:12] The British government is again warning infrastructure operators, especially those concerned with nuclear power plants and airports, to be on alert for ICS cyber attacks mounted by ISIS. We heard from Edgard Capdevielle, CEO of Nozomi Networks, who notes that these warnings began in February and he thinks they're unlikely to have been ignored. Nonetheless it wouldn't do to become complacent. Much infrastructure continues to be controlled by older systems which have, given their long life cycles, only relatively recently been connected. He sees one silver lining, control system traffic tends to be predictable which provides a background against which anomalies stand out.

Dave Bittner: [00:03:18:10] Should these concerns prove a real threat, they would indicate a considerable increase in ISIS cyber capabilities which have hitherto been largely confined to information operations.

Dave Bittner: [00:03:30:00] Russian authorities are investigating suspected jihadist links to yesterday's suicide bombing in the St. Petersburg metro. A Russian citizen is thought to have been the bomber.

Dave Bittner: [00:03:41:03] Kaspersky offers more evidence connecting the Bangladesh Bank fraudulent funds transfers to the North Korean government. The Lazarus Group is now generally suspected of being a DPRK asset. As US pressure on the DPRK over recent missile launches increases, including efforts to work with China on a bilateral response, and as the Chinese coal embargo bites Pyongyang harder, observers expect a corresponding rise in cyber activity both from and against North Korea.

Dave Bittner: [00:04:12:20] More warnings, this time from Secureworks, of continued espionage from Fancy Bear, which they're calling Iron Twilight but it's the same familiar GRU crew. A recent victim, the IAAF, apologizes for the loss of athletes' medical records to the Russian espionage services. Secureworks predicts that 2017 will see no let-up in Fancy Bear's operations which have grown increasingly brazen since the spring of 2016.

Dave Bittner: [00:04:40:24] Another Russian espionage group has been connected to 1998's Midnight Maze operation against the US Department of Defense. Exactly where this one would appear in a state-cum-criminal organization chart is unclear but it's the familiar Turla APT. Turla is also known as Snake, Uroburos, Venomous Bear or Krypton. The group is still using, and apparently with success, versions of the venerable LOKI back door.

Dave Bittner: [00:05:09:18] Continuing our coverage of last week's Women in Cybersecurity conference, I sat down with Amanda Rousseau, malware researcher at Endgame, to learn about her work and the path she took to get there.

Amanda Rousseau: [00:05:20:16] I'm always looking at security news because I'm following the current threats and trends as they come along. And then what I'll do is I'll look at those independently and try to reverse engineer it or recreate it so that I can create a new detection for it. And it can be either ransomware one day or it can be APT malware another, or even, like, kernel level stuff. It all depends on what's the hot new thing at the time, kind of like following fashion trends. [LAUGHS]

Dave Bittner: [00:05:52:23] What is the pathway that took you to malware engineering? Like, how did that become the thing you were interested in?

Amanda Rousseau: [00:05:58:11] Well, okay, so I'll start back when I got into computer science and everything. So I really didn't think I would be doing this field at all. I started out in graphic design which is why all of my slides and presentations are all pretty. [LAUGHS]. And then once I took a computer science class, I couldn't look back. And then I heard about what reverse engineers do because my Dad was in the Air Force and he kind of knew about that hacking world and he would kind of, you know, drill me in conversations on security and protection and all that. And then that's how I learned what a reverse engineer did.

Amanda Rousseau: [00:06:35:07] So I worked my way up through the DOD, at the Cyber Crime Center and incident response to get to malware reverse engineering research and development.

Dave Bittner: [00:06:48:02] When you're looking ahead, sort of looking over the horizon at what the challenges are facing people in your field, what are those things?

Amanda Rousseau: [00:06:55:20] I think it's just plain knowledge of it. A lot of people don't know about the hacking world and when they see it on the news, they think it's some type of magic or, you know, it's evil. But a lot of people out there, they want to protect other people and that's how I feel about it. Like, I want to protect the normal person. I want to protect a nuclear power plant. I want to protect the critical infrastructures. But to do that, you know, I need to look at threats and trends and build something that's actually useful.

Dave Bittner: [00:07:28:09] Coming at this field as a woman, has there been any specific challenges from that point of view, you know, for you to be able to get where you are today?

Amanda Rousseau: [00:07:35:09] Oh, yes. A lot of imposture syndrome, all the time. When I started, you know, you're in the computer science class and you're, like, one of-- one of the only girls in the class or one of five in the whole department and you have-- you, you feel, am I on par with everyone else, like, what am I doing wrong? But I really-- I was actually average. I didn't-- I wasn't bad, I wasn't too good. I would understand it and get it, and it was the same in my career. You know, I was young, I was a girl, I didn't know how to act in a corporate environment, you know, trying to deal with social situations that you grew that over time and eventually, you know, you start to gain confidence in what you do, and then that's when you can focus on just your work and not what's going on socially.

Dave Bittner: [00:08:26:00] That's Amanda Rousseau from Endgame. You can hear more from her in our upcoming CyberWire Women in Cybersecurity Conference special edition. She's on Twitter @malwareunicorn and it's a feed worth following.

Dave Bittner: [00:08:39:12] Israeli security researcher, Amihai Neiderman, reports finding 40 zero-day vulnerabilities in Samsung's Tizen OS. Tizen runs on Smart TVs, Smart watches and on some Samsung phones. If exploited they would give an attacker control over the device.

Dave Bittner: [00:08:56:22] Apple issues an emergency iOS patch to close a Wi-Fi drive-by vulnerability. This is in addition to last week's regular patches.

Dave Bittner: [00:09:05:18] In industry news, Verizon will combine its AOL and Yahoo acquisitions into a unit called Oath and Intel Security has now spun out and become McAfee once more.

Dave Bittner: [00:09:18:07] And finally we're just two weeks away from tax filing day in the US. Fraudulent returns have, according to experts, resulted in tens of millions of dollars lost. We'd like to pass on some advice from the encryption company Alertsec. They recommend that businesses protect themselves by using a VPN tunnel with encrypted communications, full disk encryption, multi-factor authentication and a good firewall. It's familiar advice but good advice. It's also good to remember that your personal information, always a target for criminals, will receive particular attention this month. So be prudent, stay safe and happy filing. Taxes are the price we pay for civilization, or so we hear.

Dave Bittner: [00:10:04:23] Time to take a moment to tell you about our sponsor, Control Risks. If you own cybersecurity in your organization, let's be honest, you might not sleep easily. If you lie awake thinking about new threats over the horizon or how to allocate your limited resources, Control Risks can help. It's often impossible to separate threats to your data from geopolitical swings, local regulatory shifts and competitors' maneuvering. Without a risk-led approach, how can you be sure all your shiny tools are working? Talk to Control Risks. They treat information security as a business risk, not just a technical problem. For over 40 years they've helped clients proactively identify and mitigate risk, respond to and recover from disruption and capitalize on opportunities. In short they bring order to chaos and reassurance to anxiety. Let Control Risks help you spend money where it really counts, protecting what really matters. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:17:07] Joining me once again is Doctor Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Doctor Clancy, we are certainly familiar with denial of service attacks here on the CyberWire but today you wanted to touch base about denial of service when it comes to our telephone system.

Dr. Charles Clancy: [00:11:35:04] Yeah, there's an interesting new set of control plane attacks that are happening within the landline and cellular telephony infrastructure. Your listeners may be familiar with many of the control plane protocols on the Internet. There are similar but different control plane protocols within our telecommunications infrastructure with the legacy protocols being SS7 and some of the newer ones with voice over IP all being based around SIP.

Dr. Charles Clancy: [00:12:01:22] So in the same way that you can launch a distributed denial of service attack against an IP network, you can do the same thing against a phone number, right? It's a unique identifier just like an IP address. So there have been a number of cases with an increasing rate of such cases where bad actors have essentially gotten a whole bunch of devices to simultaneously call 911. And what happens is essentially the trunking line from the local landline phone operator into the public safety answering point where there are operators who answer these 911 calls, becomes overwhelmed with calls and there aren't enough channels in the trunk in order to have additional calls terminated within the PSAP or the public safety answering point.

Dr. Charles Clancy: [00:12:47:09] But I guess there is some light at the end of the tunnel. There are some standardization efforts underway right now within the Internet engineering task force that are looking at adding authentication to some of the newer SIP protocols associated with the caller ID which would give telecommunication companies the ability to start blocking calls rather than having to sort of manually trace them back to the originator.

Dave Bittner: [00:13:11:10] And in terms of overwhelming a 911 system, are the people who are doing this, at this stage are they simply pranking and testing out their abilities or is there any sort of ransom component or what's their motivation?

Dr. Charles Clancy: [00:13:24:05] Right now there doesn't appear to be any kind of criminal component associated with it. One of the more recent examples was essentially someone who walked into a cellphone store in Texas and walked around each one of the display phones in the store and dialed 911 on each of them and since cellphones are required to place outbound emergency calls regardless of whether or not they have a SIM card active within them, all of these calls went through despite the fact that these phones didn't have valid SIM cards. So far there have not been any examples that are associated as far as we can tell with a ransomware type attack or an effort to prevent other people from calling 911 as part of some sort of criminal activity. But many believe that it's only a matter of time before that sort of behavior begins to show up in the landscape.

Dave Bittner: [00:14:16:21] Alright, Doctor Charles Clancy, thanks for joining us.

Dave Bittner: [00:14:21:13] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to

Dave Bittner: [00:14:33:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. Our technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.