The CyberWire Daily Podcast 4.25.17
Ep 335 | 4.25.17

Fancy Bear spotted in France, Denmark, and maybe Bulgaria. Tensions mount around North Korean weapon programs. Power grid fragility. MilkyDoor in the Play Store. AV misunderstanding. Kelihos indictment. Ashley Madison blackmail.


Dave Bittner: [00:00:01:15] Fancy Bear is spotted snuffling around the French Presidential election. Denmark and Bulgaria also report bearish activity. Sino-US pressure on North Korea foreshadows an uptick in the cyber op-tempo. Power failures prompt worries about the grid's fragility. MilkyDoor's Trojanized Android apps pose a BYOD threat to businesses. Webroot is fixing its AV misunderstandings with Windows. And another Ashley Madison extortion caper surfaces.

Dave Bittner: [00:00:38:02] Time to thank our sponsor Palo Alto Networks. You can visit them at Software as a Service applications are changing the way organizations do business, as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete SaaS protection. Providing detailed Software as a Service visibility and granular control, data governance, automated risk remediation, and malware prevention. Palo Alto Networks offers the most comprehensive cybersecurity for all cloud and Software as a Service environments. Because secure clouds are happy clouds. Get started securing yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:41:14] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, April 25th, 2017.

Dave Bittner: [00:01:51:00] As expected, reports of Russian intelligence services working to influence French elections have surfaced. Security company Trend Micro reports that the threat actor it calls "Pawn Storm" also known as APT28 and Fancy Bear, and generally identified as an operation of Russia's military intelligence service, the GRU, has been phishing the campaign of Emmanuel Macron. Trend Micro says the tactics, techniques and procedures in play are essentially those successfully used against the US Democratic National Committee during 2016's US presidential election.

Dave Bittner: [00:02:27:04] The French security agency ANSSI has confirmed that the attempts occurred, and that "it's the classic operation procedure of Pawn Storm." Mindful of the difficulties of attribution and the possibility of false flags, however, ANSSI declined to attribute the operation to any particular nation-state.

Dave Bittner: [00:02:45:00] What the phishing accomplished is so far unknown, but Fancy Bear is known to hang onto stolen emails for long periods of time, waiting for the right moment to release them for maximum effect. The campaign against centrist popular outsider Macron is thought to be intended to benefit rightist populist insurgent Marine Le Pen, but that speculation is at this point circumstantial.

Dave Bittner: [00:03:08:00] Fancy Bear has been busy elsewhere too. Denmark's Minister of Defense says the Russian service has been "aggressively" pawing at his ministry's networks for the past two years. Bulgaria's President Rosen Plevneliev has also gone public with accusations that an unnamed threat actor based in Russia sought to interfere with Bulgaria's 2015 local elections.

Dave Bittner: [00:03:30:14] Tensions continue to rise over North Korean nuclear and long-range missile programs, with China and the US assuming the roles, respectively, of good cop and bad cop. The good cop seems to be losing his temper with the perp, however. Chinese economic sanctions appear to be biting with effect, and, while public statements by the President and others continue to call for US restraint, there's an unmistakable tone of impatience in communications directed at Pyongyang. An increased cyber op-tempo can be expected in this dispute.

Dave Bittner: [00:04:02:21] Last week's brief power outages in New York, Los Angeles, and San Francisco, while apparently not caused by any cyberattacks, have nonetheless raised concerns about the electrical grid's vulnerability to disruption by cyberattack. ICS security expert Joe Weiss points out that, "One breaker failed in PG&E's Larkin Street Substation. This one breaker in one substation brought the city of San Francisco to its knees." Thus he warns that the North American grid remains too susceptible to takedowns, with single points of failure capable of producing large cascading effects.

Dave Bittner: [00:04:41:09] The CyberWire is proud to be a media partner for the upcoming Borderless Cyber Conference in New York this June. Eric Burger is a Research Professor of Computer Science at Georgetown University, and we spoke to him about the event.

Eric Burger: [00:04:54:01] The goal is to bring together people from both sides, private sector, public sector, and as importantly policy makers. And the goal here is to evaluate and debate and collaborate on cyber threat intelligence information sharing. So what the technology is, but more important, especially given our target, what are the best practices and the sort of things that you can actually take away and use.

Dave Bittner: [00:05:23:20] So, this is a two-day event. Can you take us through some of the highlights? Some of the keynotes?

Eric Burger: [00:05:29:14] Sure so, you know, the goal and the overarching theme for this year's edition of Borderless Cyber is what we call changing the economics for computer network defense. Historically, it's been pretty inexpensive for the bad guys to attack systems, and it's been pretty expensive to defend them. And so the industry, and researchers, have been looking at how can we change those economics to make it more economical to defend, as well as raise the costs of attacks for the attackers. So, kind of, with that theme, we'll be talking about and hearing about how people are actually deploying sort of proactive and reactive threat intelligence and automation. So, kind of figuring out the attacks before they come, but especially with the focus on information sharing. What else is out there, and what do I need to be concerned about?

Eric Burger: [00:06:31:10] Looking at different strategies for changing those cyber economics. You know, how do we decrease the cost of defending, increase the cost of the attacks? And really, you know, a bit practical as well. The lessons from the trenches. How are other people in the industry protecting themselves? Now, one part of our target audience, it's mostly looking at the C-level executives. The CSOs, and even CIOs and CFOs. So, we have a lot of focus on not just, here's this particular tool that implements TAXII and STIX, but this is what it means for the corporation, this is what it means to the business. And why, as a business owner, or an owner of a significant part of the risk portfolio, you need to be aware of what other people are doing in this sector.

Dave Bittner: [00:07:30:06] That's Eric Burger. The Borderless Cyber event takes place in New York, the 21st and 22nd of June, 2017.

Dave Bittner: [00:07:38:01] Trend Micro researchers have also announced discovery of an Android backdoor, they're calling it MilkyDoor, designed to use vulnerable Android devices as a point of entrance into corporate networks. About 200 Trojanized apps infected with MilkyDoor have been found in Google's Play Store. They appear to be originally legitimate apps, mostly of a recreational kind, that have been repackaged and republished by criminals.

Dave Bittner: [00:08:03:21] Security firm Webroot is in the process of fixing its widely used antivirus solution. Its automated features are misidentifying benign Windows files as malicious, and it's also stopping legitimate apps that ride atop those files. Bad definitions of dangerous files were, according to Webroot, live for about 13 minutes yesterday before being taken down. The company is working on a remediation for its user community.

Dave Bittner: [00:08:30:16] The alleged mastermind behind the Kelihos botnet was indicted by US authorities last Friday. Pyotr Levashov is being charged with eight crimes. Mr Levashov is currently being held by Spanish police and the US is seeking extradition.

Dave Bittner: [00:08:46:06] And finally, Ashley Madison is back in the news. A group of extortionists is sending emails promising to expose users of the adultery-facilitating site unless they pay hush money. As the criminals say, "On May 1st, 2017 we are launching a new site, Cheaters Gallery, exposing those who cheat and destroy families. We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if you do not pay to opting out." If you get such an email, remember that paying up will probably do you no good.

Dave Bittner: [00:09:30:03] And now a moment to tell you about our sponsor Control Risks. As your company grows and the global business environment becomes more complex, it gets harder to identify your blind spots and figure out how to see into them. It's now more important than ever to understand how protecting your systems and data requires visibility beyond your network. Control Risks supports its clients by increasing their situational awareness and proactively securing their operational environment, no matter where it is. Using their global reach and local risk expertise, they have a unique approach to identifying and mitigating their clients' information security risks. From cyber due diligence assessments of third parties around the world to multi-jurisdictional cybersecurity regulatory reviews, to cyber threat assessments that account for socio-political and economic risk indicators and more.

Dave Bittner: [00:10:20:12] There is uncertainty on the journey towards your business goals. Control Risks brings order to the chaos, and reassurance to the anxiety. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:10:44:18] And I'm pleased to be joined once again by David Dufour, he's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. I know a hot topic for you, something that you are particularly interested in, is this whole notion of the Internet of Things, and trust when it comes to the supply chain.

David Dufour: [00:11:03:03] Yes, David. Once again thanks for having me back. And you know I could really talk your ear off on this supply chain of trust, it's a big deal to me. And I think it's one of the biggest gaps we're seeing in the security market related to IoT devices.

Dave Bittner: [00:11:17:23] Well, let's dig in. Where do things break down?

David Dufour: [00:11:19:20] So, we see a lot of velocity and new ideas in both software and hardware coming out. You know, people are manufacturing things, prototyping solutions, and where there's a lot of times a security breakdown is, not necessarily just in the design side that they didn't build security in, but also where they're obtaining their solutions from. So, let's say I'm making a widget and I want that widget to be WiFi enabled. Well, I'm going to go out and I'm not going to build a WiFi radio, I'm going to go buy one off the shelf from a manufacturer who's already made it. And if I've not taken the time to understand where that chip's coming from, the firmware required to run that chip, and the susceptibility of the chip to be able to be hacked, then I'm actually building into my prototype, or even my go-to-market solution, some very insecure technology that is susceptible to hacking.

Dave Bittner: [00:12:16:10] You know, it's a real challenge with IoT devices and knowing, like you say, what's deep down inside on that circuit board. I've heard people mention that perhaps what we need is something along the lines of Underwriters Laboratories, where there's someone who's certifying these devices, you know, digging in and making sure they have a certain level of security. Do you have a take on that?

David Dufour: [00:12:37:08] So, I absolutely think that's where we need to go. I think we're a long way from that. It's the wild west right now. I don't necessarily want to wait for the government or some organization to come around and form that. But I will not disagree long term that's the solution we need to take a look at.

Dave Bittner: [00:12:54:22] So, how should we approach this? I mean, obviously, I've heard people say, you know, "Well, don't just buy that no-name web cam off of Amazon." But, you know, we've had situations where even well-known name brands have these sorts of problems as well.

David Dufour: [00:13:07:10] Well, that's true. And so there's two sides to this. If you're the consumer who's buying these products, you want to take the time, do some research. You're not going to know what's built into the device, but try to buy from reputable companies that have a good track record. And if you're the manufacturer, a really good example of someone I talked to before about how they handle this, kind of a fun company called Taser, they make those things that, you know, shock you. They have actually put together a team internally of hardware folks, their software folks and their security folks, and they have this team vet all of the products they're bringing in to take a look at how they're going to integrate those, ensure the security exists. And they're very diligent about putting a team together and reviewing this.

David Dufour: [00:13:59:02] I think until we have those organizations that can tell us what products are good or bad, as a manufacturer, you really have to take the time to get those security guys together with the software guys, together with the hardware folks.

Dave Bittner: [00:14:13:16] Good information as always. David Dufour, thanks for helping us.

Dave Bittner: [00:14:19:03] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially to our sustaining sponsor Cylance. They are the company keeping your data safe with artificial intelligence. You can check them out at

Dave Bittner: [00:14:33:04] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Social editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.