The CyberWire Daily Podcast 1.25.18
Ep 522 | 1.25.18

Patriotic hacktivism. HNS botnet spreads P2P. Electron vulnerabilities found, mitigated. Criminals target ICOs. Ransomware-as-a-service. Cryptowars. Fancy Bear doxes luge.

Transcript

Dave Bittner: [00:00:00:19] Remember, one of the ways you can help support our show is by leaving us a review on iTunes. We appreciate you taking the time, thanks.

Dave Bittner: [00:00:10:19] Patriotic hacktivists talk turkey to high-profile Twitter accounts. The Hide 'N' Seek IoT botnet spreads swiftly through specially crafted peer-to-peer communications. Vulnerabilities are found in the Electron developers framework. ICOs are heavily targeted by criminals. Bell Canada was breached, and the Mounties are on the case. Ontario transit operator, Metrolinx, is asked how it knows North Korea hacked it. British Prime Minister May takes a swing at secure messaging and tech companies generally. Fancy Bear doesn't like Olympic luge. And what's the significance of a value statement?

Dave Bittner: [00:00:50:18] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's cyber daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely - because that's what you want, actionable intelligence. So sign up for the cyber daily email where every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:08:23] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, January 25th 2018.

Dave Bittner: [00:02:19:03] McAfee has continued to track the hacktivist Twitter compromise campaign of Ayyildiz Tim. Their intentions have increasingly turned to the Twitter accounts of high-profile journalists. They continue to be interested in both Tweets and direct messages. The content of their communications over the hijacked accounts generally aligns with the government of Turkey's positions, thus they would be a fair specimen of the patriotic hacktivist variety. A representative message of Ayyildiz Tim would be "We will show you the power of the Turk," and "We love Pakistan."

Dave Bittner: [00:02:51:19] The campaign has some social engineering dimensions to it, since direct messages have been used to induce people to follow malicious links, but the general operation is typically hacktivist: ideological cries and defacements transposed to social media.

Dave Bittner: [00:03:07:14] Security company, Bitdefender, is describing a new Internet-of-things (IoT) botnet, "Hide 'N' Seek" (or simply HNS). HNS is marked by its rapid spread, growing from twenty-seven-hundred to more than twenty-four-thousand devices over the last two days. Its infection mechanism is the same as Reaper's, but researchers discern no other connection between the two botnets.

Dave Bittner: [00:03:30:09] HNS's rapid spread is enabled by a decentralized peer-to-peer mechanism that will complicate any takedowns. Other botnets have used P2P communications, but they've relied upon an existing BitTorrent protocol. HNS uses a custom system. Once installed, HNS's capabilities include code execution, data exfiltration, and interference with device operation. Effectively, every infected device serves as a command-and-control server, a file server, and a jumping-off point for further infection. Bitdefender thinks HNS has the hallmarks of an attack prepared by an unusually sophisticated threat actor.

Dave Bittner: [00:04:10:24] Widely used applications, including Skype and Slack, that were built using the popular developer platform, Electron, are being patched after the Electron framework has been discovered vulnerable to remote code execution. While Electron is used to develop apps for macOS and Linux, this vulnerability affects only Windows applications.

Dave Bittner: [00:04:32:23] Initial coin offerings (ICOs), a trendy approach to funding that's attracted increased interest from legitimate businesses seeking to raise capital, are also attracting a lot of interest from criminals. Security firm Group-IB says that hacking attempts against ICOs increased roughly tenfold during 2017. Group-IB also contributed research to a report issued this week by Ernst and Young. The study found that, of the approximately $3.7 billion raised in ICOs so far, about $400 million of it has been simply stolen. The typical theft involves phishing victims with bait that will induce them to send cryptocurrency to a wallet controlled by the criminals. Once it's there, it's gone, and a lot is going—about ten percent of total investment.

Dave Bittner: [00:05:21:07] Indeed, cryptocurrency seems to attract criminals to its technolibertarian garden the way carrion draws flies. Security researchers with RiskIQ took a look at twenty of the most popular legitimate app stores—you'll recognize most of them; they include Apple App Store, Google Play, SameAPK and APKPlz—and what RiskIQ found was disconcerting. Even in monitored and curated stores, of the over 1800 apps the researchers inspected, 661 of them were "blacklisted Bitcoin apps." Google Play hosted the most: some 272 malicious Bitcoin apps.

Dave Bittner: [00:06:01:03] Cryptocurrency is not only stolen directly, but it's also a popular means of getting ransomware victims to pay the extortion. The SANS Institute has been looking at this section of the criminal-to-criminal market. They've found one ransomware-as-a-service offering that's ridiculously user-friendly and run on a royalty model. All you, the aspiring criminal, need do is specify the Bitcoin address to which you want the ransom delivered, and then select the amount of ransom you wish to demand—between a hundredth Bitcoin and one Bitcoin—and in a matter of seconds you get a malicious PE file you can turn loose on your victims. What do the proprietors of the service get? Ten percent of whatever ransom their customers collect. It appears to be either a proof-of-concept service or, perhaps, one that's still under development. One hopes, of course, that the criminal participants in this market will spend a lot of time and energy busily attempting to defraud one another, but the criminal-to-criminal market continues to display growing sophistication.

Dave Bittner: [00:07:00:11] Bell Canada disclosed a data breach affecting about one-hundred-thousand customers. The data lost were customer names and email addresses. Bell Canada says no credit card numbers or other sensitive information was taken. Nonetheless, the matter has been referred to the Royal Canadian Mounted Police, who are investigating.

Dave Bittner: [00:07:20:01] Earlier this week another Canadian organization, Ontario transit operator Metrolinx, disclosed that it was hacked by North Korean hackers. The disclosure was light on details—beyond saying that customer privacy and safety were not compromised. The transit provider cited security reasons for saying little beyond that. But, sparse as details were, they were very specific in their attribution: whatever was done, it was the North Koreans who done it. This hasn't played particularly well with the security sector: observers would like to see evidence that fingered Pyongyang.

Dave Bittner: [00:07:55:02] The recent discovery of records for sale online from India's Aadhaar database has caught the attention of security researchers. One of those researchers is Malcolm Harkins, Chief Security and Trust Officer at Cylance. He joins us with his take on the breach.

Malcolm Harkins: [00:08:10:17] There is still a lot under investigation, and reports are saying that the police are investigating other agencies within India. However, as far as what's been reported, there was access given to reporters who were apparently able to buy personal information for India's citizens that apparently came from that national ID system for hundreds of rupees, so small dollar amounts, and, therefore, potentially exposing it. The full nature of what exactly occurred still will probably have another several weeks or potentially even months to fully ascertain but, at this point, it is clear to say that information that is contained in that database - people's names, addresses, perhaps phone numbers, emails - was able to be purchased and, therefore, exposed.

Dave Bittner: [00:09:09:15] Is there any idea what the scale is of this? How many people's information is available through that nation?

Malcolm Harkins: [00:09:16:19] As I understand it, that system has been in use now for almost eight years. It started in 2009 as a voluntary system meant to prevent fraud and improve the identification of Indian citizens for a variety of purposes. The last report that I have seen is greater than 1.2 billion citizens of India, give or take a little bit, have their personal data and biometric data in the system.

Dave Bittner: [00:09:52:04] With the part that this database plays in their society for security, how do you see this playing out? What do you suppose the folks there are in for?

Malcolm Harkins: [00:10:02:04] It will be interesting to see how it fully evolves and whether or not biometric data ends up having been potentially compromised versus just other sets of information. I think if it is anything like we've seen with the Equifax breach, or other breaches that we've seen in the US and in Europe, you can expect potential identity theft. You can expect fraud type items. You could expect that that information could be used not necessarily for harming the individual, so let's just say Malcolm's identity was compromised, it could be used in a way that could potentially harm me but it could also be used to represent Malcolm. So if I assume somebody else's identity, I could use that for a variety of purposes. One would be the obvious, credit card fraud, that type of stuff. You could use it for healthcare purposes. I'll pretend to be Malcolm and go get his medicine, go use his doctor's appointment - that type of stuff.

Malcolm Harkins: [00:11:15:10] You can also use it and say who is Malcolm associated with? If I have Malcolm's identity, can I pretend to be Malcolm to go after a different target? To use the potential compromise of my identity to go after somebody else that I might be associated with or close to, that's a higher-value target because Malcolm might be associated with a senior executive in a company. Malcolm might be associated with somebody in a particular research field. It all depends upon what the motivation is and the ways in which you could leverage the identities that you've compromised for whatever means or mechanisms that you might have as an attacker.

Dave Bittner: [00:12:01:12] That's Malcolm Harkins from Cylance.

Dave Bittner: [00:12:06:02] At Davos, British Prime Minister May doubles down on her crypto-skeptic position in the cryptowars. She wants technology companies to, as she put it, live up to their social responsibilities. Human trafficking, child abuse, terrorism and extremism, she said, are being enabled by social media and messaging platforms that give malefactors a safe place to roost. She said, "Companies simply cannot stand by while their platforms are used to facilitate child abuse, modern slavery, or the spreading of terrorist or extremist content." Prime Minister May named secure messaging app Telegram as a principal offender—she'd like to see more cooperation out of them.

Dave Bittner: [00:12:48:19] Olympic-related hacking didn't end with the first doxing wave earlier this month. Fancy Bear has released documents stolen from the International Luge Federation. The hackers claim the documents reveal doping violations. Fancy Bear, generally identified with Russia's GRU military intelligence organization, has been upset over the International Olympic Committee's sanctioning of the Russian team.

Dave Bittner: [00:13:13:06] Finally, the Intercept notes with displeasure that the US National Security Agency has changed the "Mission and Values" statement on its public website. NSA told the publication that they'd simply updated the website, and not made any real changes to their values, but the Intercept isn't buying it. We've taken a look at both the new and old versions, and we have to admit that the changes look mostly verbal to us—the values of honesty and transparency that were in the old version seem to still be there, albeit in a different form. So we're going with "website update" and not nefarious retreat from high ethical standards.

Dave Bittner: [00:13:49:14] But values statements raise interesting questions. What's the value of a value statement? On the one hand, public statements of some sort of code can seem to have good effect—one sees this sometimes in military organizations, for example—but on the other hand they can also be so much marketing argle-bargle. One of the most famously high-minded corporate value statements of the last few decades belonged to Enron. Talk amongst yourselves.

Dave Bittner: [00:14:21:03] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence unless, maybe, it's machine learning. But it's not always easy to know what these could mean for you, so go to e8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, it's not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do that. So visit e8security.com/cyberwire and see how they can help you address your security challenges today. Follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:15:21:05] And I'm pleased to be joined once again by David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. Here we are, a couple of weeks into 2018, what's on your radar for this year?

David Dufour: [00:15:32:21] Cybersecurity, of course. A lot of things are probably going to carry over from last year and we'll see some things we've maybe been talking about for a while actually start to happen this year. Top of mind for me is ransomware. People will have heard you and I talk in the past - everyone knows that is one of my favorite business models for cyber criminals. I see that growing just simply because the business model is a good one. I see lots of new strains coming out. We saw the first variant or instance in 2010 but, by the end of this year, we have well over 500 different strains - not just polymorphed versions but actual strains of ransomware - so I continue to see that grow as it is a great way for cyber criminals to make money.

Dave Bittner: [00:16:23:12] Do you think there are any areas where people are not paying the attention that they should to particular things?

David Dufour: [00:16:29:12] Yes. We just started the year so I am going to look into my crystal ball back into December where I was going to talk about how we will start to see some actual physical plants and facilities be affected by cyber criminals. If you look around mid-December last year there was, in fact, a plant closure - I don't want to give out names or exact locations - but if you Google cyber attack plant closure you will actually see where some cyber criminals are beginning to really affect and find very effective ways to take advantage of infrastructure and shut infrastructure down, physical infrastructure. So, to me, I think we are going to start seeing a lot of that occurring both this year and into the future.

Dave Bittner: [00:17:19:17] For the day to day for those of us who are just trying to protect ourselves, keep our computers safe, any new advice? Just keep at it from last year or do we have to change our tactics?

David Dufour: [00:17:33:11] The advice a lot of times is the same. If anyone's ever heard me talk with you before, back up your data, that is the number one way to protect yourself. However, I would submit to people: assume things are going to get hacked when you get those new electronic devices which track your walking, etc. Just assume that something is going to get hacked and don't enter information into it that you would not be comfortable sharing with the public. That is really the advice. Just be vigilant and aware.

Dave Bittner: [00:18:06:05] Alright. David Dufour, thank you for joining us.

David Dufour: [00:18:08:16] Thank you for having me, David.

Dave Bittner: [00:18:12:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:18:34:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with Editor, John Petrik. Social Media Editor, Jennifer Eiben; Technical Editor, Chris Russell; Executive Editor, Peter Kilpe and I'm Dave Bittner. Thank you for listening.