The CyberWire Daily Podcast 5.3.17
Ep 341 | 5.3.17

Shamoon update. Sabre discloses possible breach to SEC. Mobile device and VPN threats and vulnerabilities. Information operations and cyberespionage.


Dave Bittner: [00:00:03:12] Shamoon's Trojan servant gets a new comms channel. Sabre discloses a possible breach: hospitality and travel sectors are affected. Some more things to worry about: ultrasonic beaconing, SIM card fraud, VPN privilege escalation, and another bad app in the Play Store, but you can fix all these. Governments look to social media restrictions to control hate speech and fake news; social media providers look to human curation and the blockchain for help. Cyberespionage and influence updates, from Washington to Seoul.

Dave Bittner: [00:00:38:14] We'd like to take a moment to thank our sponsor, Palo Alto Networks. You can find them at The use of software-as-a-service applications takes data security beyond traditional network perimeters. SaaS environments can create gaps in security visibility, and pose new risks for threat propagation, data leakage, and regulatory non-compliance. With Palo Alto Networks integrated platform, you get detailed software-as-a-service visibility and granular control, data governance, automatic risk remediation, and malware prevention, so your organization can achieve complete SaaS protection.

Dave Bittner: [00:01:17:09] With Palo Alto Networks, you get the broadest, most comprehensive cybersecurity, for all cloud and SaaS environments. Make sure your apps and data stay secure and protected. Remember, secure clouds are happy clouds. Find out how to secure yours, at We thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:49:09] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 3rd, 2017.

Dave Bittner: [00:01:59:09] There's some follow-up this week on the Shamoon campaign, the destructive malware attack whose successive waves have hit Saudi enterprises since 2012, most recently in late 2016. The campaign is generally believed to have been run by Saudi Arabia's regional rival, Iran. The specific threat actor is called "Greenbug." Researchers at Arbor Networks have been looking at Greenbug's tradecraft. In early phases of its attacks, Greenbug installs a remote access Trojan, a RAT called "Ismdoor' to harvest credentials from its targets. Controllers have established bi-directional communications with their RAT using HTTP-based channels, but that's now changed. Greenbug now cloaks its command-and-control chatter in DNS TXT record queries and responses, a stealthier and more evasive method of communication.

Dave Bittner: [00:02:52:07] Sabre, the Texas-based travel and hospitality company, disclosed a possible breach in its 10-Q report filed yesterday with the US Securities and Exchange Commission. The report, which covers the quarter ending March 31st, 2017, said that Sabre was investigating possible unauthorized access to payment systems.

Dave Bittner: [00:03:12:15] The investigation, which KrebsOnSecurity says Sabre has entrusted to FireEye's Mandiant unit, concerns potential exposure of personally identifiable and paycard information. Sabre SynXis is used by some 32,000 properties, which themselves must now deal with the possibility of a major third-party breach - the third party in this case would be Sabre.

Dave Bittner: [00:03:36:13] The Vault7 documents released by WikiLeaks included a hack of Samsung TVs, codenamed "Weeping Angel," which reportedly turned the smart TV into a listening device. Craig Young is a Principal Security Researcher at Tripwire, and he shares his own research into smart TV vulnerabilities.

Craig Young: [00:03:55:13] In research that I conducted late in 2015, just looking at a small selection of smart TVs - three brands, which I'm not going to name, because we're still going through the disclosure process with these companies - basically I found that on one of the TVs, within just a few minutes, I was able to get a root shell through some local access things. Another issue where if somebody had a remote control, they could punch in some commands and take control over the TV, or if they had access to a USB port on the powered-up TV, they could plug that in, and it would simulate the remote control commands to get code execution on the TV.

Craig Young: [00:04:37:21] Another problem that I found on a separate model of television was actually that the services involved with doing control from your phone to your television, like, for example, if you want to send up YouTube, or Netflix to the TV, there is a misimplementation within that, such that you could actually force the television to load any arbitrary web page. Directly this has some implications of if this television is within some sensitive area, like a conference room, and somebody's giving a presentation, you could certainly cause some embarrassment by flashing up some inappropriate content on the screen at the wrong time.

Craig Young: [00:05:18:08] The risks are actually a lot more severe than that. The web browser technologies that are implemented into smart TVs, they do not get updated very often. You might get an update once a year - it might not include security fixes. So once you get the ability to force a smart TV, to load an arbitrary web page, you then have a pretty good chance of being able to get it to run arbitrary code, and to take over controls to that TV, whether it has a camera on it, or a microphone on the remote for being able to do voice-activated commands.

Craig Young: [00:05:57:04] This is quite a serious problem because it's not just limited to that case where I have my phone or my laptop, and I'm on the same network as your TV, and I can directly talk to the TV and tell it to do bad things, but also because of the nature of these technologies, it's possible that a malicious website that you browse to while on the same network as that television, can relay commands over to the television and take control over it. That is a real-world possibility, of a completely remote television - smart TV hack.

Dave Bittner: [00:06:31:01] That's Craig Young, from Tripwire.

Dave Bittner: [00:06:35:05] Research presented at the IEEE European Symposium on Security and Privacy found that ultrasonic beaconing, a marketing tool with privacy implications, is becoming increasingly common in Android applications - some 234 current apps use it. Many of those apps are quite mainstream, used to track users and their habits, but the potential for abuse raised eyebrows at the IEEE symposium. Users are typically quite unaware that this functionality is part of the package they installed. So, restrict apps' access to your device's microphone if you don't want to be tracked.

Dave Bittner: [00:07:11:22] A researcher claims to have demonstrated a privilege-escalation vulnerability in demotically-named VPN service HideMyAss. But, holy fundament, kids, the service is thought unlikely to patch the flaw, so CYA with care.

Dave Bittner: [00:07:28:21] And be careful around SIM cards, those things you can change out when you upgrade your phone or move to another carrier. Fraudulent SIM swaps are enabling criminals to take over a phone's identity, and kill the phone you own. Good security hygiene is your first defense, according to Naked Security: be alert for phishing and waterholing, don't use obvious security questions, and consider using a password manager. Keep your on-access anti-virus running and up-to-date, and consider switching your two-factor authentication away from SMS to an authenticator app. How do you know you've become a victim? If your phone suddenly drops to emergency-only status, be very suspicious.

Dave Bittner: [00:08:09:17] Another quick note: don't use the Super Free Music Player app from Google's Play Store - it's malware.

Dave Bittner: [00:08:17:09] Concerns over fake news has spooked service providers and emboldened various national authorities to seek ways of controlling it. China plans to establish its own state-vetted Wikipedia alternative inside the Great Firewall, UK MPs want a new legal review of hate speech, and Malaysia threatens WhatsApp admins with jail for spreading rumors. Facebook plans to hire 3,000 analysts to review its users' content. A start-up called Userfeeds is working on a technical solution - it thinks it can apply the blockchain to news discovery in social content. The future here is murky, but some are disturbed that restriction as opposed to "counter-messaging" seems to be, as they say in social media, "trending."

Dave Bittner: [00:09:02:21] Commenting on espionage in cyberspace, security expert and entrepreneur, Eugene Kaspersky observes that "everyone hacks everyone." US Intelligence Community officials, including the Directors of the FBI and NSA, are testifying about Russian influence operations before Congress this week.

Dave Bittner: [00:09:22:11] In Seoul they're not in much doubt as to who hacked South Korea's military cyber command in 2016. After nine months of investigation, prosecutors concluded that the evidence points north, toward Pyongyang and the DPRK. Some 26 individuals, including the cyber command head, are expected to face disciplinary action for failing to prevent or contain the incursion.

Dave Bittner: [00:09:51:07] And now a moment to tell you about our sponsor, Control Risks. Control Risks thinks like your adversaries, and knows that they attack as a means to an end. Whether you're worried about malicious insiders stealing intellectual property, state-supported foreign competitors targeting M&A data, or hacktivists looking to smear your reputation, one thing is clear - a standard technical approach to incident response is not enough to address the entirety of your problem, and protect your business' future growth, profit, and brand.

Dave Bittner: [00:10:21:11] Control Risks has conducted more than 5500 complex investigations in nearly 150 countries. Their 360° response framework pulls together their expertise in investigations, crisis management, network and host forensics, data analytics, and legal compliance support. Effective response often requires more than standard incident response, and how you respond can mean the difference between an isolated incident and an enduring crisis. Let Control Risks navigate you through it. Find out more at We thank Control Risks for sponsoring our show.

Dave Bittner: [00:11:09:11] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. We certainly see a lot of news about botnets - of course, the famous Mirai botnet, and other ones that are growing and blooming, but you wanted to make the point that you're seeing some evolution when it comes to botnets.

Dale Drew: [00:11:26:06] And quick evolution as well. I mean, we used to see evolution of botnets every couple of years or so. When I say "evolution," I mean a very significant change in behavior, sophistication, or capability. And now, between botnets like Bashlite - and now there's a new botnet called Hajime.

Dave Bittner: [00:11:51:13] That one tripped me up, too. I got corrected by someone I work with who happens to know Japanese. No, it's Hajime.

Dale Drew: [00:11:59:07] Hajime. Excellent. Well, I mean, that botnet represents what we think a pretty significant shift in botnet behavior, and botnet capability. Not only is it extremely sophisticated in its code - this botnet has got assembly language built into it, as an example. It's also peer-to-peer, so it's changing the sort of dynamics about how a botnet operates, where botnets for the most part were operating where you have a sort of command-and-control infrastructure, managing a set of robot nodes - botnets - and having it do their bidding.

Dale Drew: [00:12:40:21] These new botnets, they're using BitTorrent as the communication protocol, where every node is now a botnet node, and every node is a command-and-control infrastructure. So it's very, very difficult to be able to cut the head off of a botnet these days, when that botnet is now sort of a flat, peer-to-peer network.

Dave Bittner: [00:13:03:03] And what are you seeing in terms of the amount of traffic that these botnets are generating?

Dale Drew: [00:13:07:09] We've seen studies that show about 29% of all Internet traffic is bad botnet traffic. There was a report that showed about half of Internet traffic is either a good botnet or a bad botnet - meaning some sort of automated system that is either inventorying the Internet, reaching out to end-users, doing machine-to-machine communication, but about 30% of all Internet traffic is bad botnet traffic. 

Dale Drew: [00:13:35:14] We're also seeing the cost of botnets get a lot more routine-based. You can rent a 65,000 node botnet for around $6,000 a month. We've also seen as low as $5 an hour, where someone can rent 50,000 nodes for about $5 an hour. So these new trends in being able to commoditize the botnet environment are putting significant motivation in the ability to make them much more sophisticated, and much more difficult to take down.

Dave Bittner: [00:14:10:01] Dale Drew, thanks for joining us.

Dave Bittner: [00:14:14:06] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance helps protect you using artificial intelligence, visit

Dave Bittner: [00:14:27:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.