The CyberWire Daily Podcast 1.10.18
Ep 512 | 1.10.18

Turla returns. Moscow interested in Mexican elections? FakeBank mobile Trojan hits Russian banks. Phishing the Olympics. Patch Tuesday. Bad flashlights, nice doggie.


Dave Bittner: [00:00:00:17] One of the best ways you can help spread the word about the CyberWire podcast is to leave a review for us on iTunes. We do appreciate you taking the time. Thanks.

Dave Bittner: [00:00:12:05] Turla's back, with a depressingly nifty man-in-the-middle campaign. The US thinks it sees Russia trying to influence Mexico's national elections. Russian banks are hit with a new mobile Trojan. Iran continues its Internet crackdown, and conducts more domestic surveillance and hacking. Winter Olympics-themed cyberattacks rely on well-crafted social engineering. Patch Tuesday addressed Spectre, Meltdown, Flash, and an Office zero-day. And stay away from those flashlight apps. Take a look at your dog-walker's app too while you're at it.

Dave Bittner: [00:00:47:03] Time for a few words from our sponsor, Cylance. You've probably heard of next-generation anti-malware protection, and we hope you know that Cylance provides it. But, what exactly is this next generation, and why should you care? If you're perplexed, be perplexed no longer, because Cylance has published a guide for the perplexed. They call it "Next Generation Anti-Malware Testing for Dummies," but it's the same principle: clear, useful, and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques, and the advantages of artificial intelligence. And why you should test for yourself how to do the testing and what to do with whatever you find. That's right up my alley, and it should be right up yours, too. So, check it out at Take a look at Next Generation Anti-Malware Testing for Dummies. Again, that's Cylance. And we thank them for sponsoring our show.

Dave Bittner: [00:01:48:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, January 10th, 2018.

Dave Bittner: [00:01:57:17] Remember Turla, the tail-clutching ouroboros of cyberspace? It's back, or more accurately, it's returned to notice, since Turla never really left. The cyber espionage group, one of the organs of Russian intelligence, is active for the most part against the Near Abroad, that is against former Soviet Republics, and also against former Warsaw Pact countries. Turla has also ventured further afield to spy on other targets, typically consulates, embassies, and other diplomatic missions.

Dave Bittner: [00:02:27:10] This time it's returned with more sophisticated and elusive exploits. Turla has been observed using a Flash installer to infect targets. The downloads appear to come from legitimate Adobe domains and IP addresses. In fact, they do not. It's a man-in-the-middle attack.

Dave Bittner: [00:02:43:20] ESET, which has just released a report on Turla's latest activities, said they've found the threat group to be using a web app hosted on Google Apps Script as their command-and-control for malware dropped by a bogus Flash Installer. ESET is positive that the threat group hasn't compromised Adobe's servers. Instead, they switch files in transit during the Flash Player installation process and install a backdoor that ESET is calling "Mosquito."

Dave Bittner: [00:03:12:02] How Turla is substituting its malicious code remains a mystery, but ESET's report outlines four possibilities. They might be using a local man-in-the-middle attack, relying on a machine in the victim's network they've already compromised. Or they might be using a compromised gateway. They might be using BGP hijacking. Or, finally, they might be executing a man-in-the-middle attack at the ISP level. ESET speculates that the likeliest of those would be exploitation of a compromised gateway.

Dave Bittner: [00:03:43:15] As noted, Turla's usual targets are diplomatic ones; its typical interests are thought to involve political intelligence. There have been companies affected by Turla, but ESET regards these as being of incidental or at most secondary interest to Turla's masters.

Dave Bittner: [00:04:01:10] There's other news of Russian operations in cyberspace, but these involve allegations of influence operations in Latin America. The US has accused Russia of undertaking a large information campaign aimed at influencing Mexico's 2018 national elections. National Security Advisor H.R. McMaster said there were already signs that Moscow has begun a coordinated attempt to nudge opinion in the direction of Lopez Obrador, leftist former mayor of Mexico City, who is running on an anti-corruption platform. Kremlin news outlets RT and Sputnik have given Obrador noticeably positive coverage. But, of course, positive coverage is no crime, and neither the US Administration, nor Mexico's foreign ministry have provided comment on or amplification of McMaster's observation. Propaganda is nothing new, nor are attempts to influence elections.

Dave Bittner: [00:04:56:06] Russian targets have also been victims of hacking. In this case, it's a fresh wave of cybercrime. A new mobile banking Trojan, FakeBank, has appeared in Russia. The criminals behind it are afflicting customers of Sberbank, Leto Bank, and VTB 24. FakeBank is distinguished by its sophisticated use of multiple layers of obfuscation.

Dave Bittner: [00:05:18:21] Iran's Internet crackdown continues. It's not just the blocking and censorship of the filternet, but online control extends to active surveillance and offensive cyber operations against Iranian citizens. These extended to phishing campaigns, again, domestically focused. The Islamic Revolutionary Guard Corps, that branch of the armed services specifically charged with the mission of protecting the Islamic character of the state, is reported to have successfully intruded into individuals online communications, and made arrests on the basis of the content found in their systems. Much un-Islamic content is illegal under Iranian law, hence the name "halal Internet" that was initially used to describe the country's autarkic corner of cyberspace when the regime began to fence it off in 2011, during the administration of former President Mahmoud Ahmadinejad. Ahmadinejad, himself, out of office for several years, is now under house arrest, charged with fomenting dissent.

Dave Bittner: [00:06:19:01] The still-unattributed cyber offensive targeting South Korean companies during the run-up to the Pyeongchang Winter Olympics appears to depend upon effective timing and compelling phishbait, that is, on good social engineering as opposed to technically sweet hacking.

Dave Bittner: [00:06:34:22] Patch Tuesday saw Microsoft fix 56 security issues. Redmond addressed not only Spectre and Meltdown, but also a zero-day in the Office Equation Editor. The general round of patching for Spectre and Meltdown has continued, with most major vendors taking some steps to offer mitigations. Microsoft has pulled the fixes it offered for AMD chips, those appeared to brick machines, so AMD remediations remain a work in progress.

Dave Bittner: [00:07:03:05] If you're thinking of downloading a flashlight app for your Android phone, don't. Too many of them are malicious, and it's not worth the risk. Get a cheap LED light for your physical keychain instead.

Dave Bittner: [00:07:15:05] And, finally, if you're the kind of person who engages a dog-walking service, which strikes us in this BYO dog shop as a little like sending your kids off to boarding school, maybe even a military boarding school, be advised that there are reports in the Wall Street Journal that Wag, the Uber of the dog-walking gig economy, may have accidentally exposed more than 50 customers addresses and, worse yet, codes to the lock boxes in which they left their keys. Wag says it's notified affected customers and taken steps to better secure the data. It's worth noting that this is a report of an exposure and not an actual theft of information, so it's not known if any bad actors obtained and used the lock box codes. So, grr. But if security's now better at Wag, then, good dog. Good boy. Good doggie. Who's a good boy?

Dave Bittner: [00:08:09:13] Now, a moment to tell you about our sponsor, ThreatConnect. On Tuesday, January 23rd, at 10:00 AM Pacific and 1:00 PM Eastern Time, they're teaming up with DomainTools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. And in order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data.

Dave Bittner: [00:08:35:07] The combination of the ThreatConnect threat intelligence platform and DomainTools' Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:08:47:02] Join Director of Product Integrations at DomainTools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, to learn how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain actor and IP investigations. Sign up today at That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:28:10] And joining me once again is Dr. Yossi Oren. He's a Senior Lecturer at the Department of Software and Information Systems Engineering at Ben-Gurion University. He's also a member of BGU's Cyber Security Research Center. Yossi, welcome back. You all did some interesting research about replacement touch screens on phones, and how that could be a vulnerability.

Dr. Yossi Oren: [00:09:50:12] Yes. So, I just want to give credit to my excellent students, Omer Schwartz and Amir Cohen, and Dr. Asaf Shabtai, who was my collaborator on this. We have our phones with us, we take them everywhere, and we trust them with everything. Of course, the companies who make these phones, it could be Google, or Apple, or Samsung, and so on, they really do a lot of hard work protecting our phones from all sorts of attacks. So, they check the software very carefully, and they have app stores, and all sorts of protections. And they also check all sorts of hardware, which is coming into their phone very carefully. Obviously, they don't build all the phone themselves, they buy components from all sorts of vendors. But they are very careful about stuff that goes into our phones, so they are secure.

Dr. Yossi Oren: [00:10:32:00] But in our lab, we started thinking, what happens if we drop our phone? Or we dunk it in the toilet, or whatever unfortunate thing happens to our phone, and we don't go to the repair store, the official Apple store and so on. We just go to the corner shop and get our phone repaired there for cheap.

Dr. Yossi Oren: [00:10:49:11] So, what kind of risks are we exposing ourselves when we do this thing? We actually found out that there's something called an attack envelope, or a trust boundary, when you talk about security. And you think about things outside this boundary as very, very dangerous. For example, if somebody sends you an attachment by email, it's going to be very, very risky, so you have to check all sorts of things about it. But there are things inside this trust boundary which you would trust without asking anything. And we found out that the hardware which we place on your phone, for example, a replacement touch screen, is actually inside the trust boundary of the phone. And the phone trusts everything this component does blindly, without doing any sort of checking.

Dr. Yossi Oren: [00:11:32:03] We made an attack, we called it Shattered Trust, so shattered because you shatter your screen, and trust is because you abuse this trust boundary. And we started thinking of what sort of damage can you do if your phone is completely protected, and you have antivirus and everything is up to date, but the phone screen hardware is malicious?

Dr. Yossi Oren: [00:11:52:12] We have very, very short videos on YouTube, about 30 seconds, showing all sorts of very, very crafty stuff you can do if your touch screen is corrupted. For example, if I'm only controlling your touch screen, I can wake up the phone in the middle of the night, take a picture of whatever is going on outside the phone, and then make an instant message or an email, and send this picture to the adversary, to the enemy. And obviously, the phone doesn't have to turn on the screen when this is happening. It could be completely in the dark.

Dr. Yossi Oren: [00:12:23:17] Another thing you can do, for example, is wait for the user to type in an URL, and then very, very quickly replace this URL with a phishing URL. So, you're trying to log into your bank, so you type in, and you're very sure that this is the right address. But I can very, very quickly replace this URL with a malicious URL, and then I can get all your credentials from the bank. And it's going to happen so quickly that you won't notice.

Dr. Yossi Oren: [00:12:50:21] And another thing I can do, which is actually more advanced, is we can do something which is called the buffer overflow. So, we can take the data which is coming from this touch screen into the smartphone, and we can send this data in a corrupted way, which actually causes the phone to execute code, instead of processing the touches, and then we can actually do whatever we want on the phone. We can disable all of the protection you have on the phone, and then we can actually completely pwn it, as it's said.

Dave Bittner: [00:13:18:06] Yeah. And, so, is this a matter of perhaps the hardware manufacturers need to disallow third-party screens to protect against this sort of thing?

Dr. Yossi Oren: [00:13:27:10] So, this is kind of a legal policy issue. There is a big battle in the, in the US called "the right to repair." And the question is, when I buy a phone, am I also legally entitled to have the tools, and the parts, and the manual, so I can repair the phone myself? It could be a phone, it could be a car, it could be a tractor, it could be a plane, and so on. And my personal opinion is that it's very, very much the fact that you have the right to repair it, and you should have the right to repair. So, I don't want to make a world where you're not allowed to buy your own repair components and repair your phone yourselves.

Dr. Yossi Oren: [00:14:00:08] But what I would like, and this is something we're working on right now, is to have the phone be better protected against these attacks. So, if you, for example, get a third-party replacement for your phone, and you buy it off Amazon or off eBay, you could be a journalist, and you're on a mission in a country, and you want to repair your own camera when it breaks and so on. I want you to be sure that if the replacement hardware you get is questionable, it won't be able to damage your phone. So, we're actually taking technology from the firewall world, and we're bringing into the phone. We're shrinking it in size. And we want to build something we called a peripheral firewall, which is doing the same thing that the firewall does on the network, only inside the phone.

Dave Bittner: [00:14:44:05] Now, it's interesting stuff, and I think an area people don't often think about. Dr. Yossi Oren, thanks for joining us.

Dr. Yossi Oren: [00:14:51:18] Thank you.

Dave Bittner: [00:14:54:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit

Dave Bittner: [00:15:07:16] And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:15:16:16] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:15:26:05] Our show is produced by Pratt Street Media. With Editor John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.