The CyberWire Daily Podcast 3.10.16
Ep 53 | 3.10.16

ISIS rival in Syria. OnionDog hits Korea. Ransomware and DDoS. Remorse in Manitoba.


Dave Bittner: [00:00:03:11] An ISIS rival in jihad joins the information war in Syria. OnionDog hits Korean infrastructure. The deniable cyber attack on Ukraine's power grid may have been designed to consolidate Russia's hold on the Caucuses.We take a look at ransomware and DDoS incidents and more children's toys and games prove vulnerable to cyber mischief. The Apple-DofJ dispute is proving to have some interesting technical ramifications. And if you were robbed, would you friend the perp on Facebook to inspire remorse? A store owner in rural Manitoba did and it worked.

Dave Bittner: [00:00:37:14] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:00:57:15] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 10th, 2016.

Dave Bittner: [00:01:03:18] Another branch of Al-Qaeda - the Caucasus Emirate - takes the field in Syria and begins posting video in competition with its ISIS rivals in jihad. The US continues to work toward making good on its promise to take the fight to ISIS in cyber space and quiet conversations with tech companies on their potential contributions to information operations continue.

Dave Bittner: [00:01:24:11] 360 SkyEye Labs says a threat actor they're calling OnionDog has been stealing information from the energy transportation and other infrastructure industries of Korean language countries. That would seem to be a circuitous way of saying that the target is South Korea. There's no attribution, but some of the command and control appears to be located in the Republic of Korea itself.

Dave Bittner: [00:01:46:01] Patient zero for cyber warfare waged against infrastructure remains, of course, the power grid in Western Ukraine. Observers see this as the cyber equivalent of the "green man," the plausibly deniable militias that operate in the Russian interest during that country's encroachments into the near abroad. An interesting note in Defense One suggests that the rolling blackouts had a Clausewitzian connection to Russia's larger immediate goal of consolidating its hold on Ukraine's Crimean region. If Crimea gets its power from Russia, as opposed to Ukraine, that advances Russian interests in the region.

Dave Bittner: [00:02:19:17] The Mac ransomware KeRanger has now been analyzed and assessed by Bitdefender and others as a variant of the Linux Encoder malware identified by Dr Web last November.

Dave Bittner: [00:02:30:22] A Ponemon study claims that healthcare organizations are subjected to an average of a hack a month. The most famous recent attacks have been ransomware incidents infecting hospitals in Westphalen and California. The strain of ransomware implications in these attacks, Locky, continues to circulate, steadily increasing its share of this criminal market. We spoke with the University of Maryland's Jonathan Katz about the ransomware incident at Hollywood Presbyterian. The hospital that paid extortionists $17000 to recover access to its systems. We'll hear from him after the break.

Dave Bittner: [00:03:02:03] Children's toys and games continue to be vulnerable points of entry into home networks and families' lives. The Wi-Fi enabled toy LeapFrog appears to be susceptible to attacks that leverage Adobe Flash weaknesses, and the popular on-line game Minecraft is the subject of a BBC story that would strike fear into any parent's heart: not only adware and hijack searches, but what the BBC calls grubby ads for aspiring Russian mail order brides. Download mods or add-ons for Minecraft with extreme caution, especially those offered by third parties.

Dave Bittner: [00:03:35:08] Improperly configured TFTP sites are being used for reflecting DDoS attacks. A team of researchers at Napier Edinburgh University report DDoS remains popular among cyber criminals and hacktivists. We spoke with Corero's Dave Larsen about ways of dealing with denial of service attacks.

Dave Larsen: [00:03:52:11] A distributed denial-of-service implies that the only concern is availability and if the attack traffic is not causing you an outage, many enterprises wrongly assume that their defenses or their posture or whatever is sufficient for the task. The reality of it is some of the DDoS traffic may actually be probing and looking for vulnerability in the environment. It may actually be masking actual breach activity that you don't even realize is taking place. People need to think about this as a security vector, not just an availability problem. If they were to look closely at their environment and see the amount of what looks like innocuous traffic, you know, low level DDoS, ephemeral vectors that are coming in and out of their network periodically, there's no reason that we should be comfortable with a low level background noise of what otherwise is a malicious vector. Just because you're staying up through it, doesn't mean you should tolerate it in your environment, and I think people need to be, you know, a little bit more aware of that, particularly if they have assets that need to be protected in the form of personally identifiable information, health records, banking information, etc.

Dave Bittner: [00:04:59:21] Corero has a white paper for hosting providers on DDoS protection at their website,

Dave Bittner: [00:05:06:10] The case of the jihadists county issued iPhone continues to affect the cyber security sector.

Dave Bittner: [00:05:11:08] Cothority, a project working toward preventing backdoored software updates, has offered to help Apple ensure that any backdoors installed in response to secret Court Orders would become public. The approach Cothority advocates is decentralizing the signing process. Other security experts suggest that the FBI might try to chip off the phone, but this method of hardware attack is delicate, often fails and can result in permanent loss of data. Apple itself continues its public dispute with the Department of Justice as the company's senior vice-president of software engineering warns that knuckling under to the request for Government OS would cause security to lose ground in its arms race with hackers.

Dave Bittner: [00:05:49:14] And finally, a thief's digital remorse results in an arrest. A store owner in Gimli, Manitoba found his window smashed and some watches taken. He posted surveillance footage of the break-in to Facebook, succeeded in identifying the culprit and then sent the burglar a friend request. The humane gesture so touched the crook's heart that he turned himself in, saying in extenuation and mitigation that he was intoxicated at the time. The Mounties warn you, however, that you'd best leave digital law enforcement to the pros. Oh, Canada.

Dave Bittner: [00:06:23:24] This CyberWire podcast is made possible by the generous support of Cylance offering cyber security products and services that are redefining the standard for enterprise end-point security. Learn more at

Dave Bittner: [00:06:43:14] I'm joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also Director of the Maryland Cyber Security Center, one of our academic and research partners. Jonathan, recently in the news we had the situation with Hollywood Presbyterian Hospital. They were hit by ransomware. What's your take on that attack?

Jonathan Katz: [00:07:00:00] I think it's a particularly scary attack, because in this case the people who wrote that malware were able to not exactly shut down, but they were able to seriously affect the operations of a major hospital for about a week, to the point where ultimately the hospital decided it was better off for them to pay the ransom and recover access to their data, rather than try to recover it using some other means.

Dave Bittner: [00:07:24:09] And I think this is particularly chilling because in a case like this you could actually have lives on the line.

Jonathan Katz: [00:07:29:08] Yes, that's right. I mean, you had all kinds of data that was encrypted including patient medical records, and you could have somebody coming in and trying to get access to the records for some operation or procedure that they were doing and being unable to do that. And it also meant that they were unable to communicate with doctors and with nurses the way they had been doing before, and really it threw them back about 30 or 40 years, I guess, in terms of what they were able to do and how efficiently they could do it.

Dave Bittner: [00:07:52:24] How can organizations like this protect themselves against this sort of ransomware attack?

Jonathan Katz: [00:07:57:06] Well, fundamentally there are two things here. The first is being infected in the first place. I don't think we know for sure yet how this hospital was infected, but more likely than not it seems it was the result of some kind of a phishing attempt where a user ultimately was tricked into clicking on some malicious link which caused this malware to be downloaded and then installed and run on their computers. So, as usual, it comes down to education of the end-user and trying to make sure that they know to identify potentially malicious links and not to click on anything like that. Of course, it also calls for maybe better protection of the systems themselves, so that downloading malware like that would perhaps only infect that one user's computer rather than the entire network. Then, on the other side, there's the recovery issue and really what this highlights is the importance of having back-ups of all your data, and if the hospital were regularly backing up their data, say every night, then they may have lost one day of data but they would have been able to recover and perhaps not had to pay the ransom in this case.

Dave Bittner: [00:08:56:12] And, there are people actively working on cracking these ransomware encryption schemes, right?

Jonathan Katz: [00:09:02:15] There are, and there have been cases in the past: they're kind of interesting actually where the people who wrote this ransomware actually did a bad job with the crypto and the crypto could be broken directly without having to pay the ransom. I think that people, the malware writers, have learned from that, and I would only assume that in this particular case the encryption was not crackable and so they had to pay the ransom.

Dave Bittner: [00:09:23:09] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:09:28:10] And that's the CyberWire. Later today, we'll be publishing the last of our RSA special reports: this one covering trade and investment. For links to all of today's stories, visit The CyberWire is a production of CyberPoint International. Our Editor is John Petrik, and I'm Dave Bittner. Thanks for listening.