The CyberWire Daily Podcast 5.9.17
Ep 345 | 5.9.17

Metadata signs point to St. Petersburg in l'affaire Macron. UK, Germany, US expect more Russian election influence ops. New IoT botnet appears. US FCC sustains DDoS. Microsoft fixes MsMpEngine. SS7 weakness and 2FA.


Dave Bittner: [00:00:00:00] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:12:20] Haste may make for brazen but ineffectual influence operations. Metadata evidence of Fancy Bear's paws in En Marche! emails. North Korea is thought to be paying for its advanced weapons programs with cyber bank heists. Persirai joins Mirai in the IoT botnet world. Should you be on the lookout for Pegasus on your Android device? Microsoft patches an RCE flaw in its malware protection engine. And SS7 protocol weaknesses defeat two-factor authentication.

Dave Bittner: [00:00:46:08] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:54:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 9th, 2017.

Dave Bittner: [00:02:04:07] France's presidential election is over and Emmanuel Macron is preparing to take office but postmortems continue on the influence operations that released a large number of hacked emails and some apparent fabrications just before French media entered their legally mandated pre-voting blackout period. The leaked material has yet to turn up anything observers find particularly scurrilous or discreditable and the influence operations seem to have amounted to little more than tendentious jeering memes on social media. Thus the campaign seems to have been ineffectual. Security firm, Flashpoint has told the press that the whole hack-and-release effort was both brazen and hasty and the haste manifested itself in comparatively poor preparation and output. Macron emerged as a serious contender quite late in the campaign cycle, his candidacy gaining traction as the principal center-right alternative to Marine Le Pen and the National Front was effectively side-lined by scandal. Thus, whoever got into the emails of Monsieur Macron and his EnMarche! movement had only weeks to run their operation. Consider the many months in which threat actors were present in the US Democratic Party's networks and contrast the results of the Macron hack with the damaging enforced transparency Miss Clinton's campaign suffered.

Dave Bittner: [00:03:23:06] While Moscow indignantly denies any involvement in the incident, circumstantial evidence still points toward Russia. Attribution to Russian services are being denounced from the Kremlin as slander and false flags. Research firm, Trend Micro, has maintained for some time that the operation against Macron's campaign is circumstantially but significantly similar to the one Pawn Storm, Fancy Bear, that is, the GRU, conducted against the US Democratic National Committee last year and it's been publicly joined in that assessment by Flashpoint.

Dave Bittner: [00:03:55:08] False flags planted in the leaks are of course possibilities, if not probabilities, but German and British authorities are taking the threat of Russian information operations to their own elections very seriously. Recently retired US DNI Clapper agrees and says the US should expect more of the same. He also says that he and the Intelligence Community whose activities he wants coordinated, remain convinced that Russia did attempt to disrupt US elections. Congressional investigations into those activities continues.

Dave Bittner: [00:04:27:14] For its own part, WikiLeaks, unchastened by l'affaire Macron, continues its Vault7 dumps Friday releasing Archimedes, said to be a CIA tool used to compromise devices operating within a single LAN.

Dave Bittner: [00:04:41:09] Two other instances of political action in cyberspace merit mention. First, ISIS is back and has reverted to its distinctively repellent propaganda of the deed, posting video it claims shows the beheading of a captured Russian officer. Russia has reacted with outrage as has most of the rest of the civilized world and is investigating the clips authenticity. Second, people are wondering where North Korea is getting the money it needs to fund its nuclear and missile programs. Since it can't sell coal to China anymore, or at least not very much coal, it appears that Pyongyang is now mainly reliant on cyber theft from banks to pay for its strike ambitions.

Dave Bittner: [00:05:22:05] The Pegasus lawful intercept tool made the news last summer when it was discovered exploiting three zero-day vulnerabilities in Apple's IOS mobile operating system. Pegasus could access all sorts of data on a compromised phone including messages, calls, emails and logs. Apple quickly patched the zero-days that made Pegasus possible but researchers at Lookout have discovered a new version of Pegasus, this time on Android. Andrew Blaich is a security researcher at Lookout.

Andrew Blaich: [00:05:49:23] Remember the time when we were investigating the IOS app in August. We started to then take a look at, you know, a variety of different identifiers, devices that were infected with Pegasus, where they were coming from, account behavior and looking at kind of apps that were on these devices that we believed that were infected with Pegasus. And from that, you know, we were able to correlate or look through our data and noticed a bunch of anomalous findings that we didn't see anywhere else on devices in the world. And from that, you know, we highlighted a couple of interesting apps and then from that we basically opened up a joint investigation with Google where we said, "Hey, we believe these apps may be the Android side of the product. What do you guys think? Let's continue collaborating and look at this data, and see if we can go any further with it."

Dave Bittner: [00:06:32:23] So, in terms of, you know, regular users, because this is a lawful intercept tool, right, that means that it's really a targeted tool. Does that mean that , you know, day-to-day people, you know, going about their business, this isn't something that they should really be worried about? Should it be on the radar? Can other people take the technology from Pegasus and apply it to, you know, regular run-of-the-mill malware?

Andrew Blaich: [00:06:54:05] Yeah, that's a great point and question actually. So, with Pegasus, this type of lawful intercept technology is used in kind of very targeted cases, right? So, this is not something that the general population necessarily has to worry about or will encounter in their day-to-day lives. However, like, some of the similar techniques in terms of how they can grab data and stuff, definitely those can be borrowed into kind of the commodities as software that you see out there, right? So, there's kind of different pockets of software that was there where Pegasus will be like the high-end user, very targeted specific cases where there's actually commodity malware where anyone can actually go online and buy it and there's-- if you just do some Google searching, you can actually find many, many different products that use some similar techniques, not as advanced as the Pegasus sample, but they still try to go after the device and get the data off it that any user can buy basically. And those you'll probably find more commonly, but things like Pegasus are used only strictly in, you know, highly targeted cases.

Dave Bittner: [00:07:47:12] That's Andrew Blaich from Lookout.

Dave Bittner: [00:07:51:08] A new Internet-of-Things botnet, "Persirai", has been discovered by security firm, Trend Micro. It affects Internet connected cameras exploiting a known password stealing bug about 1,000 models of camera share. Trend Micro says they've run a Shodan search that found about 120,000 cameras vulnerable to Persirai. Many of the camera users, Trend Micro says, are probably unaware that their systems are even connected, let alone exposed. It's thought that Persirai will be used in much the same way Mirai was for distributed denial-of-service attacks.

Dave Bittner: [00:08:27:19] Today is Patch Tuesday but one problem couldn't wait. Microsoft late yesterday fixed a remote code execution vulnerability that Google's Project Zero found in Windows malware protection engine, commonly known as MsMpEngine. Google called the bug, "crazy-bad". The malware protection engine is enabled by default in most versions of Windows. The vector that enables attackers to get into MsMpEngine can be an email, an instant message or a visit to a link. Remote code execution becomes possible if MsMpEngine scans a maliciously crafted file. With its fix, Microsoft warned that, quote, "An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the local system account and take control of the system," end quote. The patch is also part of today's regular security update.

Dave Bittner: [00:09:20:08] Banks and their customers, mostly in Germany, have been hit by criminals who exploit a weakness in the Signaling System Number Seven messaging protocol, also known as SS7, to bypass two-factor authentication. The crooks have enjoyed some success so watch your SMS messaging. It's worth noting that this isn't an exploit that gains a hacker initial access. Rather, it bypasses the final line of defense. To get that far, the criminals first need to get the banking customer's username, password and telephone number but those, alas, are often gettable so when the SS7 exploit enters, it's Katie bar the door.

Dave Bittner: [00:10:02:13] As our sponsors at E8 Security will tell you, bliss is not only knowing what's going on in your networks but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics and they're willing to show you too. So, go to for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack life cycle across your network, users and end-points, even those often overlooked little things in the Internet-of-Things. The bad actors can spoof an identity, they can steal a credential but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at Don't let the data trees get in the way of seeing the risk forest and enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:01:03] And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, I was speaking to a security researcher recently who was talking about people's ability to hack into TVs and one of the things he brought up was this notion of within your home network basically segmenting it, having a separate Wi-Fi network for your IoT devices versus, you know, your regular brow-- your laptops, your phones, your regular web browsing. What's your take on that?

Joe Carrigan: [00:11:29:04] I think it's a great idea. The only issue I see with it is it's not something every layman is going to have, going to have the ability to do. It's going to-- you know, might be out of the-- out of reach of guys or girls like my parents for example. They're probably not going to be able to do this and my parents actually do have a smart TV in their house. It would be nice to be able to segment it. So it would be simple enough to do. You could either have a piece of equipment that can handle the V-LAN or perhaps have a guest network segmentation or you could actually buy two pieces of hardware and have one piece of hardware handle the Internet-of-Things products in your house, like your TVs, your thermostat or whatever and have the other piece of hardware that you control handle your Wi-Fi network for, you know, your family's devices.

Dave Bittner: [00:12:15:15] Yeah, you know, this is something we did in our house for a while just sort of to control access for the kids, you know, to keep them from being on the network at all hours of the day and night. We had a separate network set up for them that had time restrictions on it and then one for my wife and I that was unrestricted that was actually hidden. It didn't broadcast its name so they didn't even know it was there and that's great, because if they knew it was there, sure, they would certainly crowdsource a solution to hack into it.

Joe Carrigan: [00:12:43:14] Right. Absolutely. So I've been thinking about doing this as well. Simply because, you know, my, my ISP is Verizon and I think last time we were talking and, and you asked if I had any IoT devices in my house and my immediate response was, "Oh, no, I don't have any of those," and then you asked, "Well, what about your cable boxes?" and I went, "Oh, yeah, those are essentially just little Linux boxes that sit on my network."

Dave Bittner: [00:13:06:14] They creep in.

Joe Carrigan: [00:13:07:03] Exactly, and so, you know, these things, you don't even think about, about what you have as an IoT device.

Dave Bittner: [00:13:12:23] Right. We have a television that can run Netflix, can run, you know, Spotify. It can run apps, so it-- and it's on the Wi-Fi network.

Joe Carrigan: [00:13:21:18] That's right and, you know, we-- my daughter has one of those as well that she uses as a streaming device and a computer monitor.

Dave Bittner: [00:13:29:06] So, again, as it come-- as we talk about-- you know, you and I talk about over and over again is attack surface.

Joe Carrigan: [00:13:33:00] Exactly.

Dave Bittner: [00:13:33:14] And so if you can separate the attack surface of all these IoT devices--

Joe Carrigan: [00:13:37:18] Right, and now if somebody compromises one of your IoT devices, and these things never get updated, right, and that's the problem with them, so if now, now if I compromise-- if somebody compromises my IoT device it's isolated on a network and the only thing it's going to have access to is other IoT devices, things that I might not consider to be critical. I'm certainly not going to store my data on that part of the network.

Dave Bittner: [00:13:59:24] Right. All right. Good advice as always. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:03:16] My pleasure.

Dave Bittner: [00:14:06:21] And that's the CyberWire Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit If you enjoy the CyberWire every day, we hope you'll consider leaving a review for us iTunes. It is one of the best ways that you can help other people find our show. And of course you can show your support for the CyberWire by supporting us on Patreon. Visit to find out about how to become a contributor and all of the benefits we put together for those who give.

Dave Bittner: [00:14:39:21] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.