The CyberWire Daily Podcast 4.13.17
Ep 327 | 4.13.17

Ewind adware infesting Android third-party app stores. Influence operations. Russian state use of organized crime. Finspy a payload in Word zero-day exploits.


Dave Bittner: [00:00:00:00] Ewind adware infests cloned apps in the Android ecosystem. Influence operations rise to prominence amid increased Russian and Islamist activity against Western targets. An accused Russian traitor makes a jailhouse denunciation of Russia's coziness with cyber organized crime. Finspy is found distributed via a Word zero-day. And suppose you're doing time in the big house, how do you stay connected?

Dave Bittner: [00:00:29:22] We would like to thank our sponsor, Palo Alto Networks, you can visit them at With the adoption of software as a service applications, data now lives beyond the traditional network perimeter, exposing your organization to more malware and threats. Palo Alto Networks helps your organization achieve complete SaaS protection with detailed SaaS visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and software as a service environments. They know that secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:29:11] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, April 13th, 2017.

Dave Bittner: [00:01:39:09] Palo Alto Networks researchers warn that an aggressive strain of Ewind adware is afflicting Android users. As much Trojan as conventional adware, Ewind clones popular apps, installs malicious code and inserts them into third-party stores. Some of the noteworthy apps so cloned include Grand Theft Auto Vice City, AVG cleaner, Minecraft (Pocket Edition), Avast! Ransomware Removal and Opera Mobile. This is one more reason, should anyone need still another, to restrict your app purchases to authorized and reputable stores, in this case, Google Play. Those too can be, and have been, wrangled into hosting malicious apps, but on the whole they're a far safer bet than the freelancing alternatives.

Dave Bittner: [00:02:25:20] If you were wondering about the emergency siren hack in Dallas over the weekend, it turns out that it wasn't a network intrusion at all. Dallas public safety authorities are understandably tight-lipped but they're saying the sirens were turned on by a spoofed RF signal. Exactly how, they're not saying, but it's worth noting that warning sirens are typically controlled by tone combinations received over UHF radio.

Dave Bittner: [00:02:51:12] In industry news, the Mach 37 cyber accelerator has announced its new class of start-ups. They include: Automated DL, BroadBridge Networks, Ekran Systems, neoEYED, SecureHome and Trovolone. Good luck to all of them.

Dave Bittner: [00:03:09:16] Operational technology, or OT, refers to the use of computers to control things in the real world, things like power plant control systems or the switching systems in a railroad.

Dave Bittner: [00:03:19:21] Fred Wilmot is CEO and CTO at PacketSled and he warns that the ongoing convergence of OT, IT and IoT requires special attention from security professionals.

Fred Wilmot: [00:03:32:11] Well I think there's a couple of dimensions here where IT and OT are converging in what we refer to as IoT and the relation of the technologies being put out into the environments today of wearables and things as devices in your home. Your Alexa, your Siri, all of these components all become operational technology at some level but we will refer to those as IoT devices. And the OT devices, what we know as operational technology that runs for things like planes, trains, automobiles, are really also entering the same fray with a slightly different challenge. But nonetheless, they are converging in a sense that the requirement for us to protect our intellectual property or the keys to the kingdom are all sort of the weakest link being the supportable problem space that we're trying to avoid or mitigate the risk of.

Fred Wilmot: [00:04:28:11] And so that's where those pieces do seem to come together. More of the challenges we've had historically in the security industry is collaboration. And the first thing that I advocate for here in this particular case is, with your vendors and with your organizations, spend time going to the source of where those conflicts begin, and that is, if you have not been out to an airplane and that's what you're looking to defend, go to an airplane, sit down, figure out all the potential parameters around that and then characterize that in a way that your vendors can understand and operate on and action, and look to help influence legislation that's associated with that. That's obviously for very large organizations.

Fred Wilmot: [00:05:07:20] For smaller organizations you've got to look at, first of all, getting an understanding of what that problem looks like. I think getting visibility on what happens in those OT environments, where you can't put endpoint deterrent technology, things like that, is critical. It's also again looking at responsible evaluation and disclosure with your partners in the business that manufacture your technology, holding them accountable and allowing them to have the room to navigate to continue to make you successful, and transparency around that.

Fred Wilmot: [00:05:40:07] And I would say the final piece is, so we've done some iteration around the technology itself and how it works and the process of evaluating it, continue to iterate on it. Now I've also implemented that, and how do I test and validate the assertions I'm making around whether or not that is or is not safe and secure, or that is or is not something that will affect a larger risk profile for the business? You've got to table top those exercises. You've got to spend time looking at causing some of the scenarios you expect to have happen, with purple teams that do a little bit of assessment and testing work, and allow your operational team to try to find and/or mitigate what's happening on their infrastructure, and it's a cyclical process that everyone needs to continue to go through. As we all know, this is no different than what we've done in IT for years, but the types of attacks that OT environments are vulnerable to are much lower quality and/or complexity.

Fred Wilmot: [00:06:37:10] So we want to make sure that we can capably understand what the implications are when they do happen and take action as a result of them.

Dave Bittner: [00:06:44:19] That's Fred Wilmot from PacketSled.

Dave Bittner: [00:06:49:02] Russo-US relations continue to be chilly, with information operations believed to continue unabated even amid high-level talks between Washington and Moscow. The new information operations center being established in Helsinki, Finland, is a sign of the more tough-minded allies' resolution to do something about Russian influence operations against elections. That concern isn't confined to the partners who are establishing the Helsinki center, either: German authorities advocate widespread control over on-line media to combat fake news and Berlin hopes that all of Europe will follow. Essentially the plan is to impose heavy fines on social media providers, in particular, who fail to satisfactorily police "hate speech". Addressed as much to concerns about terrorism as they are to influence operations, the German plans are being met with a predictable degree of skepticism. There are few signs that policy or technical fixes offer much prospect of short-term success.

Dave Bittner: [00:07:50:08] Ruslan Stoyanov, the Kaspersky researcher and former FSB officer, whom Russian authorities have charged with treason, has condemned the Russian state practice of co-opting and using cybercriminals. In a statement he dictated to his lawyers, who released it to independent television station Dozhd, Stoyanov says "patriot-thieves" are given immunity from prosecution to attack foreign targets, and this practice is unsustainable, the protected hoods will eventually unleash a wave of crime against Russia itself. Observers have long commented on close ties between Russian security services and organized crime.

Dave Bittner: [00:08:30:02] The biter may have already been bitten with one of the Word zero-days patched this week. According to FireEye, CVE-2017-0199 appears to have been exploited to deliver FinSpy to Russian-speaking targets. FinSpy is a controversial lawful intercept product developed by the Gamma Group. The vector was a weaponized document, a military manual from the Ukrainian pro-Moscow separatist group "Donetsk People's Republic". The same vulnerability has also been used to spread the more obviously criminal Latenbot and Terdot payloads.

Dave Bittner: [00:09:06:06] American criminals enjoy a rather different relationship with law enforcement. Suppose you've done something kind of bad in, for example, Athens, Ohio, to pick a town at random, maybe a Wildcat party gets too frisky, and, well your honor, one thing just led to another and before you know it you're invited to a medium-security sabbatical in Marion, courtesy of the Governor. Naturally, you want your Internet, I mean who wouldn't? Well, here's some news you can use from Motherboard, which has looked into exactly how some gentlemen of fortune stayed connected in the joint. Essentially they pieced the machines together bit by bit, using parts they pilfered from a computer disassembly program they'd been working in, as an alternative, we suppose, to lifting weights and working in the license plate shop.

Dave Bittner: [00:09:52:13] We'll let one of the inmates speak for himself. As Motherboard quotes his statement to investigators, it went something like this: "I imagined the drive with Acronis, all you gotta do is take that drive, plug it into any computer and it will boot up. I took a network card out of another computer and put it in the illegal computer, plugged it into the inmate switch. Remote desktop into the computer. And then, bam. I'm on the network." So there you go. Bam.

Dave Bittner: [00:10:24:12] Time to take a moment to tell you about our sponsor Control Risks. For 41 years across over 130 countries, Control Risks has partnered with the world's leading companies to help them succeed in complex, physical, political and virtual risk environments. They've been with their clients as risks have evolved from kidnapping in the jungles of Colombia to extortion by cyber attack. In an increasingly interconnected world cyber risks are everywhere you operate. Control Risks has a comprehensive view of cybersecurity as a business risk within a context of geopolitical, reputational, regulatory and competitive complexity and, thanks to their unique heritage, they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings order to chaos. Let them show you what over 40 years in the risk business has taught them. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:32:10] And joining me, once again, is David Dufour, he's the Senior Director of Engineering in cybersecurity at Webroot. David, welcome back. You know tax season is upon us, you had some points you wanted to make about being wary of phishing emails and sort of how to know what to expect, what's normal from the IRS.

David Dufour: [00:11:49:11] Well David it's great to be back and, yes, with tax season upon us, we are seeing a huge growth in the phishing scams around the IRS and taxes in general. The IRS is never going to send you an email or call you, that's not something cybersecurity-related, it's just that they don't do it. They're going to send you something via paper, mail, that's how they communicate. So if you're getting emails saying that you owe money or getting phone calls saying that the IRS is going to put a lien on you, you probably want to just ignore those because you're going to get something in the mail from the IRS directly.

Dave Bittner: [00:12:30:01] Yes, you know I have a friend who recently went through this, where someone was just absolutely pestering them and hammering them with fake calls from the IRS, just really ratcheting up the threats that they didn't pay and pay right now or the world was going to end.

David Dufour: [00:12:45:15] Yes, that's exactly right and again you're going to want to block those, probably report them. Also you need to be very aware that third parties may try to contact you as well saying that they've actually analyzed your taxes and you're going to get this amount returned, or they need to speak with you about your tax situation because they're working with the IRS. The IRS is not going to work with third parties and this, again, isn't necessarily cybersecurity related, it's more scam focused. So just be aware the IRS will contact you with good old US mail. They're not going to email you, they're not going to call you and they're not going to use third party agents to communicate with you.

Dave Bittner: [00:13:29:19] So the IRS is old school when it comes to communication.

David Dufour: [00:13:32:13] They are.

Dave Bittner: [00:13:33:17] All right. David Dufour, thanks again for joining us.

Dave Bittner: [00:13:39:00] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance uses artificial intelligence to help protect you, visit A quick reminder that we're partnering with our friends at Recorded Future to produce a new podcast focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future or visit The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.