The CyberWire Daily Podcast 8.31.17
Ep 425 | 8.31.17

Turla's Gazer backdoor. OurMine vs. WikiLeaks; WikiLeaks vs. CIA. Reality Winner trial. House of Cards material leaks. Patching notes. Insecure APIs.


Dave Bittner's Son: [00:00:01:02] Dad, stop using me to get subscribers to your Patreon. Go to Okay dad, where's my $20?

Dave Bittner: [00:00:20:09] Turla is using some sophisticated code against diplomatic and defense industry targets. OurMine hackers use DNS poisoning against WikiLeaks, but WikiLeaks opens up Vault7 anyway: this week it's "Angelfire." Accused US Intelligence Community leaker Reality Winner wants her initial statements to investigators suppressed at trial. House of Cards leaks stories and other material related to the TV show. A quick patching update. Insecure APIs take a toll on Instagram and the FCC. And what's up with Rick and Morty?

Dave Bittner: [00:00:55:18] Time for a message from our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At The CyberWire, we subscribe to and profit from Recorded Future Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for The Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two again of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:10:02] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, August 31st, 2017.

Dave Bittner: [00:02:20:04] Turla, the Russian espionage group that's known to have been active for the better part of two decades, has continued its cyber collection efforts this summer.

Dave Bittner: [00:02:29:21] ESET researchers have more on the group's technique, publishing an assessment of a second backdoor they've discovered in its toolkit. They call it "Gazer," and it's a second-stage backdoor installed once the first-stage, called "Skipper" is in and open. Kaspersky Lab has also been tracking Turla; they've referred to the attacks involving Gazer as "WhiteBear," so don't let the differences in nomenclature confuse you.

Dave Bittner: [00:02:54:21] Gazer's been around for awhile, making its appearance, it seems, in 2016. ESET thinks it likely that Turla will develop a successor backdoor now that Gazer has been detected and linked back to the espionage group. Turla doesn't use much re-purposed commodity malware. Gazer, like most of the other tools in Turla's kit, was designed with care and sophistication by a well-resourced team.

Dave Bittner: [00:03:18:07] The backdoor's command-and-control mechanisms are interesting. As ESET says in their report, "Gazer can receive encrypted tasks from a C&C server, which can be executed either by the infected machine or by another machine on the network." It also uses an encrypted container to store its components. Its list of command-and-control servers is embedded. They're all legitimate but compromised websites, most of them based on WordPress, that serve as a first layer proxy.

Dave Bittner: [00:03:46:19] Turla has tended to concentrate on the Middle East, Eastern Europe, and what Russia calls the "Near Abroad," former Soviet Republics in Russia's backyard. Its latest operations have tended to follow this pattern, although some South American targets appear to have been serviced as well. Diplomatic missions in its reasons of interest have long received Turla's ministrations, but it's recently shown an increased interest in the defense and aerospace sector.

Dave Bittner: [00:04:14:09] WikiLeaks' site was attacked and defaced early this morning by OurMine, the Saudi-based hackers whose public stance is that they're gray hat pentesters, freelancing into vulnerable sites for the general good. This time, however, the defacement indicates it's personal, an instance of long festering bad blood between OurMine and WikiLeaks. OurMine has gone after WikiLeaks at least twice before, and the text of the defacement page also alludes to a longstanding beef OurMine has had with Anonymous.

Dave Bittner: [00:04:44:19] It appears that WikiLeaks' servers themselves weren't compromised, which has led Silicon Republic and others to sniff that this wasn't a "real hack" at all. Instead, they accomplished their work through DNS poisoning.

Dave Bittner: [00:04:57:11] It's Thursday, and that's the day WikiLeaks has tended to choose for its now regular, weekly, publication of the contents from Vault7. RT, the news organization formerly known as Russia Today, has reported that Vault7 opened on schedule. This time the documents purport, as usual, to be descriptions of CIA hacking tools. Today's are said to describe "Angelfire," a framework for loading and executing implants onto Windows XP or Windows 7 machines. This also continues a trend, many of the recent documents WikiLeaks has released are represented as affecting older machines running software which is beyond its end of life.

Dave Bittner: [00:05:36:24] How WikiLeaks gets its material remains publicly unknown. There have been some recent moves in the US Congress to express its sense of what WikiLeaks is up to. The text of the resolution is: "It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States."

Dave Bittner: [00:06:01:17] This, like sense-of-the-Congress resolutions generally, is expressive, not prescriptive. Congress is upset with WikiLeaks and wants people, especially people working in the Intelligence Community, to know it.

Dave Bittner: [00:06:16:15] Protecting your organization's reputation online is, of course, important, but it can be challenging to predict when an online misstep or squabble can turn into a full blown PR disaster, and of course online things can happen really fast.

Dave Bittner: [00:06:30:08] The folks at Deloitte recently announced the acquisition of assets from a company called Blab. Specifically, their predictive social intelligence platform. Mike Kerney is a partner in Deloitte's Risk and Financial Advisory Group.

Mike Kerney: [00:06:42:17] While organizations do a very good job managing risk, they often look at brand and reputation risk as more of an outcome, so something that is really dependent on their existing risk management programs. So, we believe that it is a risk and I think if you look at what CEOs and other executives talk about as being their most significant risk, they often times focus on an event that could potentially impair the reputation. So, with this Blab acquisition, we're excited about it because it allows us to begin to anticipate potential issues, reputational events that may occur. This could be anything from a regulatory issue, competitive threat, a financial reputational impact. It could be innovation from our competitors. It could be a reputational damaging event from our employees, third parties, government. It really goes across the spectrum.

Dave Bittner: [00:07:42:24] So give us an idea, how does this predictive technology work.

Mike Kerney: [00:07:48:10] The tool, like many other risk sensing tools, ingests 50,000 different data sources, 100 million pieces of data a day. What really interested us and was different about the tools that we were already using within our firm and other vendors that we'd worked on, the Blab team had developed an algorithm and had patented it which allows them to predict low signal noise, which could be potentially be a reputational event. That could be something that is extremely positive, something you want to amplify as an organization. It also could be potential reputational event that would be something that you'd like to mitigate. The algorithms getting smarter because it's continuously looking at how well it did to protect an event. So, now they're hovering around 80% likelihood that when they predict something, and it's always within a 72 hour period of time, it's always improving the way it looks at those event. It's learning from itself so that it can improve predictability in the future.

Dave Bittner: [00:08:54:08] That's Mike Kerney, from Deloitte.

Dave Bittner: [00:08:57:18] In one of the ongoing cases against alleged US Intelligence Community leakers, former NSA contractor Reality Winner has asked that the courts suppress the initial statements she made to investigators when they first came knocking. Those statements amounted to a confession, which she takes back, arguing that it was a confusing time and she lacked proper counsel. Reality Winner was apprehended after her alleged cover was inadvertently blown by her communications with the Intercept, the magazine that received the material she's said to have improperly removed from a secure facility.

Dave Bittner: [00:09:30:17] The Chinese and Cuban governments have little compunction about locking public discourse down fairly tightly and foreign companies doing business in China are puzzling over how to navigate Beijing's latest round of Internet controls. But in most other places there's been a tension between dissuading people from extremism and safeguarding rights of free speech and expression. The discussion about how to do so has tended to concentrate on how best to manage censorship, with those concerned about radicalization either opting for censorship cheerfully and enthusiastically, or embracing some modified, limited hangout form as the lesser of two pretty bad evils.

Dave Bittner: [00:10:11:12] Consider, however, the role bots have come to play in information operations. Brian Krebs has noticed that when he Tweets something about Russian President Putin, he gets a lot of not really relevant Twitter traffic about US President Trump. Social media are infested with bots, and information operators find them useful in magnifying opinion, pushing memes, and either influencing or intimidating those who don't share their views.

Dave Bittner: [00:10:37:00] Here's an interesting suggestion we've heard former US Homeland Security Secretary Chertoff express: research into quick identification of bots could provide an opportunity to control at least this aspect of information operations. And, bots not being natural persons wouldn't seem to enjoy the natural rights persons do.

Dave Bittner: [00:10:57:01] In patching news, a cross-site scripting flaw in the Woocommerce WordPress plugin has been fixed. Siemens patches LOGO, and patients with St. Jude pacemakers are advised to see their doctor for a firmware update.

Dave Bittner: [00:11:11:08] You can add House of Cards to the list of television hacks, alongside Game of Thrones. Some of the show's scripts and other production information have been compromised, but this appears to be inadvertent exposure as opposed to focused criminal attack.

Dave Bittner: [00:11:25:23] Insecure APIs trouble Instagram, with some high-profile accounts being compromised, and the US Federal Communications Commission, where jokers probably dissatisfied with how net neutrality regulations are playing out have installed Rick and Morty GIFs.

Dave Bittner: [00:11:42:10] We consulted our Middle School desk about Rick and Morty. We're informed that the cartoon is "Okay," but that you have to have played Call of Duty to get the jokes. Words for all of us to live by, at least until school begins in Maryland next week.

Dave Bittner: [00:12:01:13] As our sponsors at E8 can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you, so go to and see what AI and machine learning can do for your organization's security. In brief, they offer now a penicillin, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale you security capability, AI and machine learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today. We thank E8 for sponsoring our show.

Dave Bittner: [00:12:56:05] Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, we have not spoken about the AlphaBay situation. You were making a running commentary while it was going down. You were one of the folks who did not think that the people running AlphaBay were running off with the money, and ultimately you were proven right. So, fill us in. What do we need to know about this situation?

Emily Wilson: [00:13:18:21] The first reaction from users is that a market is exit scammed because people are worried about their money. I didn't think it was an exit scam. AlphaBay was a fairly sophisticated organization, despite what we know now about one of the admin’s OPSEC, and I figured if they were going to close down and run off with money they would do it a little bit less sloppily. I didn't know, I don't think any of us knew for sure what had happened, but I didn't think it was an exit scam. Now it turns out that not only was it a coordinated international take down but the Dutch police had been running Hansa for a month and I don't think any of us saw that coming.

Dave Bittner: [00:13:56:21] What is Hansa?

Emily Wilson: [00:13:58:08] Hansa was one of the other main dark web markets. Actually the interesting thing for me on Hansa is that after AlphaBay first went down, Hansa ended up locking new user registration, claiming that it was putting too much of a strain on their systems and it was causing technical difficulties. So, an interesting way to run a honey-pot and I'm sure we'll see the reasons for that shake out at some point, publicly or privately.

Dave Bittner: [00:14:20:09] Is the popular working hypothesis now that the take-over of Hansa was done in preparation for the shutting down of AlphaBay, that everyone would shift over there and it would be a honey-pot?

Emily Wilson: [00:14:31:10] Absolutely. Hansa and Dream, Dream is still up, those were the two markets that people began to flock to really and those were two of the larger remaining markets. Dream is still up. You have a few others that are floating in that top space and a few others that are growing as people are starting to diversify.

Dave Bittner: [00:14:52:11] What's the reaction of the people who use the dark web as part of their day-to-day lives?

Emily Wilson: [00:14:57:23] I can give you a more narrow answer than people who are using the dark web as part of their day-to-day lives. I can speak to people who are operating on these markets. There are plenty of people who use Tor hidden services for a variety of other reasons that aren't impacted by the AlphaBay take down. As you can imagine, at least for the drug community, a bunch of people find out that law enforcement has been operating a market they've been spending money on. People were scared. People were panicky and after a few minutes wanted to know when their orders would arrive. People are beginning to move on to new markets. Vendors are setting up shop on new markets. The community is still reeling a little bit but I describe this as a hiccup. The dark web markets continue to go on but people are definitely keeping a wary eye out to the side and there is even some talk of whether or not any of the remaining markets are also being controlled by law enforcement.

Dave Bittner: [00:15:51:02] Does this take down have the effect that I suspect law enforcement would want it to have, which would be to make people hesitant to use these markets at all?

Emily Wilson: [00:16:02:09] A little bit and certainly by taking away two of the larger sources. AlphaBay was so much larger than any of the markets we've ever seen before. Taking away that source certainly disrupted the trade. We'll see now how other markets react to selling things like heroin or fentanyl, which really got a lot of attention, certainly in the statement that Jeff Sessions came out and made about it. People are moving on and markets are recruiting and vendors are moving. A lot of the conversion, at least in that part of the community, is about how to avoid being exposed if this happens in the future and let's clean house and take a hard look at our personal security measures. So not necessarily the reaction they were hoping for, I think.

Dave Bittner: [00:16:44:20] Emily Wilson, thanks for joining us.

Dave Bittner: [00:16:49:00] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:17:07:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben. Our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.