The CyberWire Daily Podcast 5.8.17
Ep 344 | 5.8.17

Election cyber-influence campaign in France. (Will UK and Germany follow?) AMT bug to be fixed. HandBrake compromised. Kazuar upgrade for Snake. Ransomware black market.


Dave Bittner: [00:00:01:00] Hi everybody. Dave here. Before we start the show, we've got some special news. Thanks to podcast listeners like you, the CyberWire has grown to be one of the top cyber security podcasts in the world. We couldn't have done it without you and we're truly grateful that you value what we do and choose to make the CyberWire part of your day. We want to continue to produce the news you've come to rely on and with your help, we're looking to develop more programs and launch new initiatives that tell the critically important stories taking place in our industry today. And so we've launched a Patreon page for the CyberWire and we hope you'll check it out. Go to, sign up and become a CyberWire patron today. That's Thanks. Now here's our show.

Dave Bittner: [00:00:47:07] Emmanuel Macron wins election to France's presidency despite last-minute hacking. The hacked emails seem not scandalous as the story develops. Germany and the UK brace for cyberespionage in their own upcoming elections. The Intel AMT flaw is more serious than expected and will get fixes this week. The HandBrake download server was RAT-infested. And the ransomware market features FrozrLock and Fatboy.

Dave Bittner: [00:01:17:12] Time to take a moment to tell you about our sponsor Recorded Future. You've heard of Recorded Future. They are the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:21:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 8th, 2017.

Dave Bittner: [00:02:31:23] France's Presidential elections are over and Emmanuel Macron has won office against the National Front's Marine Le Pen, despite 11th hour leaks of hacked emails. French election law prohibits distribution of late-breaking materials within 40 hours of voting. The law is best understood as mandating a news blackout with a view to avoiding the sort of last-minute surprise a campaign would have difficulty responding to. Macron's En Marche! movement disclosed that it had been breached shortly before the legally mandated blackout began. A variety of social and alternative media did push the material, including several based in the US, 4chan prominently among them. WikiLeaks was apparently not among the hosts, as had been widely reported, but Julian Assange's site did offer some magnet linking that kept the archive accessible after some of the original sites had been taken down.

Dave Bittner: [00:03:25:07] En Marche! says most of the material in the dump is genuine, but that the archive has been salted with fabricated content aimed at disinformation. Some of the fake content, En Marche! suggests, was put there itself, both protectively to discredit the leakers and possibly as a kind of canary trap. The dump is very large and will take time to sort out, but preliminary looks suggest most of the materials is anodyne, routine and not particularly scandalous. Thus it's much more like the low-grade penetration of Republican sites during the last US election than it is the more incendiary hacking of the Democratic National Committee. The Republican leaks consisted mostly of thank-yous to donors, notes about fundraising dinners and so forth. The En Marche! leaks seem to be largely that sort of thing.

Dave Bittner: [00:04:13:20] French authorities, of course, are investigating and early speculation about attribution looks toward Russia, since the incident resembles influence operations Russian intelligence services are generally, and officially, regarded as having conducted during the last US campaign cycle. Both Trend Micro and Flashpoint have reported circumstantial evidence that Russia's GRU military intelligence service was behind the incident. And remember GRU operations are also commonly known as APT28, Pawn Storm, and, of course, Fancy Bear.

Dave Bittner: [00:04:46:09] Before the last-minute tranche of leaks, President-elect Macron had called for closer ties between French and US intelligence services. He envisioned a comprehensive overhaul of France's defense policy and some of his senior advisors have indicated a desire to approximate the sort of relationship currently enjoyed by the intelligence services of the Five Eyes, the US, the UK, Australia, Canada and New Zealand. So we shall see if current concerns about cyberespionage drive a transformation of the Five Eyes into the Six Yeux.

Dave Bittner: [00:05:19:22] British and German officials prepare for cyberattacks and influence operations against their own upcoming elections. German officials engage in public musing about hacking back at offending servers. Predictable "Germany attacks" alarmism ensues among many who really ought to know better. The British general election has been called for June 8th, exactly a month from today. German Federal elections are farther out. Germans will go to the polls on September 24th.

Dave Bittner: [00:05:48:04] Not all the news at the beginning of the week is so obviously political and cloak-and-keyboard. Last week researchers disclosed a long-standing authentication bypass flaw in several generations of Intel chips. That flaw, discovered by security firm Embedi, is expected to be fixed later this week. In the meantime, researchers warn that the vulnerability is worse than initially thought, with more Active Management Technology users exposed to more dangerous remote code execution than initial estimates reported. Intel has published, as an interim measure, both a vulnerability detection tool and a mitigation guide. They're available at

Dave Bittner: [00:06:30:05] There's also a problem reported with the popular video conversion app HandBrake. A mirror download server for the software was compromised by hackers who replaced the Mac version with its own version that comes preloaded with the Proton remote-access Trojan. HandBrake has issued removal instructions.

Dave Bittner: [00:06:49:14] Researchers continue to follow the twists-and-turns of Snake in the dark web. It's spyware that's confirmed to exist for Windows and Mac and there are reasons to suspect that it also has a Linux version as well. "Snake," properly speaking, refers to the Mac version being tracked by the researchers at Fox-IT. The Windows version has been named Kazuar by Palo Alto Networks after a word found in the malware's source code. "Kazuar" is "cassowary" in various Slavic languages, so a big bird. Palo Alto believes it's found signs in Kazuar code that a Linux version is also out there. Kazuar seems to represent an upgrade over the Uroburos spyware used by Turla, a threat actor believed by Kaspersky and others to be operating out of Russia, perhaps as early as 1995. Among the novelties seen in Kazuar is an API that enables the malware's masters to reverse command-and-control traffic as needed. Turla and its works seem to represent the sort of hybrid state-criminal operation often observed in Eastern Europe.

Dave Bittner: [00:07:55:07] And elsewhere in the dark web, the cyber black market sees the continuing popularity of ransomware. Both of the recent entries we're hearing about hail from Russia. The first, "FrozrLock," is offered to criminal customers at the low, low price of $220. It comes with a slick presentation and a tagline touting it as "a great security tool that encrypts most of your files in several minutes," which on reflection hardly sounds like a recommendation.

Dave Bittner: [00:08:23:03] And Recorded Future's look at the Fatboy ransomware-as-a-service offering discloses an interesting pricing structure. Fatboy uses the Economist's Big Mac Index to peg pricing to the victim's regional cost-of-living. Thus a Londoner or a Manhattanite should expect to pay more than a resident of Sheffield or Indianapolis. So, from each according to their abilities to each according to their needs, we guess. Big Mac, by the way, is a tool that explains exchange rates and has nothing to do with the 563-calorie confection offered at McDonald's restaurants. So any connection to Fatboy is purely coincidental.

Dave Bittner: [00:09:05:20] Time for a word from our sponsor, E8 Security. They'd like to invite you to take a joyride with them but it's not the kind of bad behavior that you'd find in the joyrides in say Rebel without a Cause or Ferris Bueller's Day Off. It's a joy ride into behavioral analytics, the indispensable tool for being able to tell good behavior from bad behavior. You'll know the bad actors by what they do, how they behave and not by who they say they are. The experts at E8 are offering you a first hand look on a small scale with no obligation at what behavioral analytics can do for you. Go to and hop on in. Seeing is believing. and let E8 show you what they can do. And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:58:14] Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Now, Emily, we covered the fact that OpIsrael happened recently. Every April 7th, it comes around. And you all saw some interesting observations when it came to OpIsrael this year.

Emily Wilson: [00:10:15:06] We did. You know, every April 7th, we, you know, kind of keep an eye out, expect this to happen and I think it's interesting that we have these kind of anticipated events in cyber security, right. We expect data to be leaked. We know roughly what it will be and how it will appear and what people will say about it. But what we didn't expect this year was that we saw actually a bunch of OpIslam posts, information being dumped, kind of in the week leading up to it and then definitely kind of in bulk on April 7th. Normally we see those in kind of the days following, right, these kind of retaliatory posts in exchange for the OpIsrael data on April 7th. But this year it was the other way around.

Dave Bittner: [00:10:52:17] So just to clarify, explain to me what is OpIslam posts. What is that?

Emily Wilson: [00:10:56:11] Yeah, in this case, so these OpIslam posts, you know, OpIslam is a broader operation, kind or attacking any kind of Islamic targets. What we saw here were-- we're still in that same vein, right, so whether these are kind of Muslim targets or companies that have ties in the Muslim world, what we saw were these same kinds of posts but with active and open pro-Israeli kind of manifestos at the beginning.

Dave Bittner: [00:11:22:19] And we reported that OpIsrael really has historically not been much more than a nuisance to the Israelis.

Emily Wilson: [00:11:30:23] I think that's a fair assessment, you know. I think certainly probably the first year of this, everyone was a little surprised and, you know, 2014 then, I suppose, the second year, you know, kind of people watching this space but now we know to expect it. We know largely how the information's going to appear and I think, in this case, it's people looking for any outliers. What's new, what's different or is this going to be same old, same old.

Dave Bittner: [00:11:53:22] So is it more a matter of a group getting attention rather than actually, you know, thinking that they're going to really have any effect on Israeli security?

Emily Wilson: [00:12:03:19] Yeah, I think, at least from the data that I saw this year, I didn't see anything that went as far as really getting into kind of true Israeli state security. I think you have here a couple of groups of people who are looking to kind of make a nationalistic or a religious statement. And they're kind of picking sites that are moderately interesting but not, not overly impactful at a state level.

Dave Bittner: [00:12:29:16] Alright, Emily Wilson, thanks for joining us.

Dave Bittner: [00:12:34:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit If you enjoy the CyberWire every day, we hope you'll consider leaving a review for us on iTunes. It is one of the best ways that you can help other people find our show. And of course, you can show your support for the CyberWire by supporting us on Patreon. Visit to find out about how to become a contributor and all of the benefits we put together for those who give. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.