The CyberWire Daily Podcast 3.18.16
Ep 59 | 3.18.16

Buhtrap raked in the rubles. Dridex is back. So are Stagefright and Rowhammer.


Dave Bittner: [00:00:03:22] More on Buhtrap and its sophisticated spear phishing of Russian banks—they may have failed to snap a billion rubles in one caper, but they did get six hundred million. We'll hear more reasons not to jailbreak your iPhones and iPads, and still more reasons not to download adult apps on your Android. And we hear from the University of Maryland's Ben Yelin, who brings us up to date on the lingering fallout of the Snowden leaks.

This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect the execution of advanced persistent threats and malware. Learn more at

I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 18th, 2016.

The Russian cyber mob that impersonated FinCERT now has a name, "Buhtrap", and a tally sheet: 13 banks hit since August, with their biggest single take being 600 million rubles ($8.65 million). Group-IB has been reporting on the incident. Losses in smaller regional banks were particularly heavy, although the biggest single attempted theft, to the tune of a billion rubles, was foiled when a typographical error in the email aroused suspicions. The exploit proceeded roughly like this: once the mark bit on the emailed phishbait—convincingly spoofed FinCERT communications—the malware payload then exploited the automated bank-customer system that connected to the regulator. Dmitry Volkov, the head of Group-IB's cyberintelligence department, explained that this system is a highly critical one for Russian banks. Drawing a comparison to a comparably important American system, he told Bloomberg, "This is the same as if hackers were to get access to the SWIFT system at Citibank, for example."

Proofpoint's warning earlier this week that Carbanak is back suggests that other segments of the Russian criminal underground remain active against the financial sector. Trend Micro points out that notorious revenant, Dridex, is also active, and bothering banks, despite the many takedowns the criminal botnet has suffered. 

Various outlets say that FireEye has given the Indian government a report detailing extensive cyber espionage campaigns by actors based in Pakistan. It's unclear from media reports so far whether the attacks are state-run (or state-inspired), hacktivist or criminal, or some mix of all of these. The campaign is said to involve distribution of Seedor malware through email attachments. The targets are reported to be Indian military and government personnel as well as Pakistani dissidents. Again, the target set is consistent with the interests of a range of possible threat actors. 

AceDeceiver, the iOS vulnerability Palo Alto Networks described this week, should give users another good reason not to jailbreak their iPhones or iPads, as if sensible ordinary users needed any good reasons to leave well enough alone. There's some evidence that AceDeceiver could affect non-jailbroken iPhones, but you, user, would really have to work at installing a pretty obviously dodgy app to suffer an infection. Wired puts the issue into perspective with a quotation from security researcher Jonathan Zdziarski. "In its current form," Zdziarski says, "this isn't dangerous except to the exceptionally stupid." The real risk, as Palo Alto has pointed out, is that AceDeceiver's clever tricks might be integrated into some future exploits that could draw the normally bright as well as the exceptionally stupid. In the meantime, don't jailbreak your devices.

Speaking of the dodgy Internet stuff and reckless users, Zscaler would like everyone to know that you're shooting dice with malware when you download what appears to be a player for what we, being a family show, will delicately call "adult content." It's a Chinese-named app, but consumers of "adult content" tend to be visually oriented anyway, so pinyin characters aren't likely to put off even those more accustomed to Roman, Greek, Cyrillic, Hebrew, Arabic, etc. Again, just stay away. 

The Stagefright vulnerability may prove to be realistically exploitable after all, according to NorthBit, which describes a proof-of-concept attack that the security company says could readily work in the wild. Google closed Stagefright bugs in response to Zimperium research, but unpatched devices remain vulnerable. Rowhammer, another vulnerability from the past, may also be riskier than long thought. Third I/O research suggests that bitflipping might indeed work against dual in-line memory modules. The black market continues to act like a market, as supply and demand meet opportunity. The ready availability of cheap Steam stealers is driving a long-running uptick in criminal hijacking of Steam gaming accounts. 

Observers think the FBI is more worried about precedent than a single iPhone's contents in the dispute with Apple. The Bureau, say many, is concerned that encryption really will enable criminals and terrorists to go dark. But their arguments still aren't convincing Apple supporters that weakened encryption wouldn't prove to give criminals and terrorists a large net advantage. 

NSA looks back on the last three years of Snowden leaks and, while the agency still feels the pain, that pain's getting duller with time. We had a chance to talk about this with Ben Yelin from the University of Maryland's Center for Health and Homeland Security, considering whether the passage of time has made the Snowden revelations less relevant. We'll hear from him after the break.

And finally, we're still two weeks short of the April 1st H-hour when Anonymous intends to kick off its action against US Presidential candidate Donald Trump, but some of the hacktivists may have crossed the line of departure prematurely. People claiming to be from Anonymous have posted phone numbers and PII they claim belong to Donald Trump, but disappointed Tweeters say their texts to the number seem to have just wound up in a full mailbox, somewhere. Where's the Anonymous help desk when a social media Joe Sixpack or Janie Lunchbucket slacktivist needs one? The disappointed Tweeters were hoping to hear the Donald tell them, "You're fired." Alas, no joy. Maybe later.

This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at

Dave Bittner: [00:06:23:16] I want to welcome to the CyberWire podcast Ben Yelin; he's a senior law and policy analyst for the University of Maryland Center for Health and Homeland Security. Ben, welcome to the show.

Ben Yelin: [00:06:32:09] Thanks so much for having me.

Dave Bittner: [00:06:33:18] I want to talk about the fallout from the Edward Snowden spying revelations. There was an interview on NPR recently with Richard Ledgett, the NSA's Deputy Director, and he said that the fallout from the Snowden leaks isn't over but the information is getting old.

Ben Yelin: [00:06:49:04] I think there's a lot of truth to what Mr. Ledgett is saying there. For one, one of the major programs that Snowden uncovered was the call detail records program under Section 215 of the USA Patriot Act. The act itself actually was about business records; it allowed the FBI to compel companies to turn over business records that were relevant in an ongoing terrorism investigation. What we didn't know until the Snowden disclosures is that that law was being used to justify the bulk collection of phone metadata. So phone metadata includes not the content of the conversation but who made the call, who received the call, the duration, etc. That program has since been repealed as of this past November and replaced with a new program, the USA Freedom Act. So in one sense, one of his two major revelations is a program that is no longer active; that's one aspect of the disclosures maybe going stale a little bit. The other aspect, and for the program that hasn't since been amended, which is the content of communications under Section 702, the FISA Amendments Act, the NSA has been able to switch some of its methods and tactics, I think largely just with the passage of time. It's been three years; I think they've been able to adjust tactics knowing what information has now been released to the public. Three years is a long time, especially when we're talking about signals intelligence, where the technology itself changes so drastically over a short period of time. But the methods, even without the disclosures, are going to necessarily have to change.

Dave Bittner: [00:08:32:04] We'll hear more from Ben Yelin on the Snowden leaks in our Friday weekend review podcast later today. And that's the CyberWire. For links to all of today's stories visit The CyberWire is a production of CyberPoint International. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.