The CyberWire Daily Podcast 8.22.18
Ep 668 | 8.22.18

Facebook takes down "inauthentic" Russian and Iranian fronts. Twitter blocks Iranian false-flags, and FireEye explains why they think it's Tehran. Triout Android spyware described. Hacking back?


Dave Bittner: [00:00:03] Facebook takes down more inauthentic pages; some are Russian, but others are Iranian. Twitter blocks Iranian accounts for being bogus. Russia denies, again, any involvement in information operations against the U.S. U.S. Army Cyber Command's boss wonders if his job isn't more information ops than cyber. Bitdefender describes Triout, an android spyware framework. And some in industry caution the Senate not to expect them to get frisky hacking back.

Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphize incredibly. There's a serious reality under the hype, but it can be difficult to see through to it, as the experts at Cylance will tell you. AI isn't a self-aware Skynet ready to send in the terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out their report, "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 22, 2018. Last week, U.S. National Security Adviser John Bolton said that Iran, China and North Korea were involved in election meddling along with Russia. This week's takedowns suggest that he was right, at least about Iran.

Dave Bittner: [00:02:01] Now two of the familiar four - Russia, sure, but also Iran - seem to have been caught setting up online fronts aimed at the manipulation of public opinion, mostly in the U.S., but in Latin America, the Middle East and the U.K., too.

Dave Bittner: [00:02:16] The day after Microsoft's announcement that it had taken control of six domains used for Russian disinformation operations, Facebook reported that it had taken down 652 pages, accounts and groups which were engaged in inauthentic behavior aimed at influencing U.S. opinion. This is the second round of such takedowns in as many months. Last month, Facebook was reluctant to offer attribution. They're not being so coy this time around. The company said directly that the inauthenticity they squashed emanated from Russia and Iran. There's no evidence of coordination between the two states, however, as both appear to have acted independently. Tehran's front accounts purchased about $6,000 in ads to run on Facebook and Instagram and organized some 25 events. Iranian activity seems directed toward creating a climate of opinion favorable to Tehran, as opposed to influencing elections.

Dave Bittner: [00:03:15] Twitter also took action overnight against 284 accounts engaged in coordinated manipulation - this information staged, in many cases, by Iran. This campaign used a network of front news organizations established for the purpose, and also organized a number of events. The themes were obvious choices for Iran - anti-Saudi, anti-Israeli, anti-Trump and pro-Palestinian. A number of the impersonators posed as progressive supporters of U.S. Senator Sanders, independent from Vermont. The Iranian information campaign was uncovered by researchers at FireEye, which noted that Google Plus and YouTube were also affected. FireEye duly noted in its own blog that attribution, of course, is an inexact science. But the security company did say that it concluded with medium confidence that Tehran was indeed behind the phony accounts they flagged to Facebook and Twitter. They've traced several front media organizations apparently run by the Islamic republic.

Dave Bittner: [00:04:17] In the U.S., the leading organizational identity they assumed was Liberty Front Press, which represents itself as an independent news service devoted to reducing the influence of money in politics and similar goals. Much of its coverage is unremarkable, apart from a persistent animus against Israel and Saudi Arabia. The Liberty Front Press is accompanied by a large number of associated and coordinated social media accounts.

Dave Bittner: [00:04:43] As it lays out its reasons for thinking all of these are Iranian fronts, FireEye usefully proposes a definition of inauthentic. They use the term to, as they say, quote, "describe sites that are not transparent in their origins and affiliations, undertake concerted efforts to mask these origins and often use false social media personas to promote their content," end quote. Their content, FireEye points out, is a mix of original material and news pieces pulled, sometimes with alterations, from other outlets.

Dave Bittner: [00:05:16] To return to the Microsoft takedown, Moscow, through its mouthpieces at the Interfax news agency, dismissed the domain seizure as nothing more than a politically motivated stunt. The Russian government continues to deny having anything to do with the influence operations essentially everybody else thinks they are doing.

Dave Bittner: [00:05:34] Moscow's demands to see the evidence when it's accused of hybrid warfare are reminiscent of nothing so much as the Afghan Taliban's posture of even-handedness when, post-9/11, it told the U.S. to send over any evidence it might have of Osama bin Laden's orchestration of the terror attacks, so that they, the Taliban, might take proper action, all with due process and in due course.

Dave Bittner: [00:05:58] It's perhaps worth noting that such influence operations are likely to be misunderstood if they're regarded as the digital analogue of a Chicago machine ward heeler passing out free turkeys in the 10th ward to get out the vote, or some downstate block captain registering names from tombstones in a local graveyard. The goal is instead fundamental disruption and erosion of confidence in institutions, not necessarily any particular electoral outcome.

Dave Bittner: [00:06:26] It's also noteworthy that Lieutenant General Stephen Fogarty, who leads U.S. Army Cyber Command, thinks his command should get a new name, that, really, we're past the age of cyber and into the age of information warfare. He mentions as possibilities either Army Information Warfare Operations Command or Army Information Warfare Dominance Command, but he's presumably open to suggestions.

Dave Bittner: [00:06:51] There are technical approaches to managing risk and protecting your organization from cyberattacks. But a rapidly growing area of business protection is insurance against cyber events. James Burns is cyber product leader at CFC Underwriting.

James Burns: [00:07:07] Some time now, I'd say for the past three to five years, it's been the fastest growing product line within the global insurance industry. So we're at a stage where we've got more insurers than ever before offering some sort of cyber insurance solution, which is a good thing in many ways because it means there's choice there for clients. But it can have a negative impact in that it's still a very young market. So there are lots of different providers who may not necessarily call their products the same thing, which can sometimes lead to confusion.

Dave Bittner: [00:07:41] And as an industry, how do you all contend with the fact that there aren't really a hundred years of actuarial tables for you all to look back on?

James Burns: [00:07:50] Absolutely right. And I guess that's part of being part of a nascent product line. But what we do is use the data that we have as best we can. We also, obviously, benefit from the fact that a lot of the risk that we're considering is technology-driven. And we benefit from the fact that the technologies at our disposal today are far more advanced than actuaries had when trying to assess other product lines 50, 60, 70 years ago.

Dave Bittner: [00:08:20] Now as people are shopping around for cybersecurity insurance, what are some of the things that they find to be confusing?

James Burns: [00:08:28]: I guess a lot of the terminology can be confusing because, you know - especially, for smaller and mid-sized clients where they, perhaps, don't have in-house security teams, or even in-house IT. A lot of the exposures that we're offering protection against can be quite jargonistic in nature because we're dealing with digital age. And not all insurance buyers are as OK with lots of the terminology as some are. That can be a big struggle. I think explaining what the exposure is to many companies can be quite confusing as well because a lot of companies don't know what the impact of a cyber event might be until they've actually suffered it.

James Burns: [00:09:10] So in some instances, you're talking in hypotheticals. You know, this is potentially what might happen. So trying to bring that to life is a big part of our industry's job. But like I said, we're seeing more and more claims come through every month now. So being able to regale real-life experience in terms of what has happened to certain companies and what impact that's had on their businesses is really helping to clear up that confusion.

Dave Bittner: [00:09:39] Now for the person who's been tasked with going out there to research and purchase cyber insurance for their company, what's your advice? How should they approach it?

James Burns: [00:09:47] I think they've got to start by taking a look at their own business. So they've got to look at what potential exposure they might be open to, and then what the potential impact of that exposure might be. So if you're an organization that collects a large volume of sensitive data, for example, maybe somewhere in the health care industry or the retail industry, then you're going to be exposed to having a data breach and, potentially, all the types of costs and fallout that come associated with that.

James Burns: [00:10:16] If, by contrast, you're working for an organization in a more traditional industry, such as manufacturing or heavy industry, you might not actually collect any data whatsoever, so your data breach exposure's fairly low, but you could have a huge exposure to operational disruption if a cyberattack shut down your systems so you couldn't produce your products.

James Burns: [00:10:36] So I think the most important thing is for a business to look at what they are, who they are. And that's almost the easy part in a way because business owners and execs know what their businesses are inside out. Once they've established that, they can then look at the exposures present and go about selecting an appropriate cyber insurance policy accordingly.

Dave Bittner: [00:10:55] That's James Burns from CFC Underwriting.

Dave Bittner: [00:11:00] While information operations may have temporarily, at least, pushed traditional cyber news to the side today, there's still plenty of old-school hacking to be seen. And how odd it seems to be saying old-school hacking. We'll mention two items. First, Bitdefender reports its discovery of a new Android spyware framework it's calling Triout. Triout can deploy malware onto Android devices, where it gives its controllers extensive surveillance and information-stealing capabilities. Second, hearings of the U.S. Senate Judiciary Committee's subcommittee on cyber yesterday featured, as expected, renewed calls by lawmakers for some sort of hack back legislation, which the salons prefer to call active defense.

Dave Bittner: [00:11:45] At least one industry representative, Thomas Fanning, CEO of Southern Company, the Atlanta-based electric utility holding company, told the subcommittee that he's talked with senior federal government people about hacking back and that he still believes that kind of retaliation belongs in military, and not corporate, hands.

Dave Bittner: [00:12:09] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on “A Comprehensive Approach to Security Across the Digital Workspace” will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:09] And I'm pleased to be joined once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, welcome back. You all recently put out a report talking about MDM, which is mobile device management, and some vulnerabilities there. Why don't we just start with some basic stuff here? Can you describe to us, what are we talking about when we say MDM?

Craig Williams: [00:13:28] So a mobile device manager is just basically a system that's been designed to allow someone to control your mobile device. Traditionally, this would be the company you work for. And I do want to stress this isn't a vulnerability. This is more or less - it's working as designed, and users are just being tricked. But so if you were an employee at Cisco - right? - you would install the mobile device management on your phone. Cisco would then be able to erase your phone remotely.

Craig Williams: [00:13:53] Now, of course, because iOS is designed with security in mind, it doesn't allow you to directly access the data, right? Your data is still protected. But what it does allow the company to do is push down things like company apps. And so attackers have figured out that they can actually use this to push down apps that look like real apps that have been modified using a sideloading technique or by rewriting something that appears to be a different app. And then they can effectively spy on the user.

Craig Williams: [00:14:20] So the threat that we found was basically a campaign targeting people in India. The actor - they made some strategically poor decisions by leaving things like the log directory readable. So we were able to actually look at the log file and verify that there were 13 devices on earth that had been compromised by this server. Which, you know, when you see something like that, it's pretty concerning - right? - because anytime you see a campaign that's that targeted, the hair should stand up on your arm a little bit, and you should wonder, well, what are they doing with this?

Craig Williams: [00:14:52] As we dug into it, we found out that it was basically, you know, they were spying on people. What they were doing with the server was pushing down backdoored WhatsApp and Telegram applications, as well as another application called PrayTime. WhatsApp and Telegram, of course, grabbed our attention. I mean, these are apps designed for secure messaging. These are apps that people want to use if they're, you know, afraid of having their data intercepted. And these are apps that people would send pictures that they were only intended for the specific recipient through. The actor was intentionally modifying those applications so that they appeared to be legitimate. And yet, while they still functioned accordingly, they were also siphoning off all that data to the attackers, you know, including things like contact information, location, chat logs, pictures, SMS, all that good stuff.

Dave Bittner: [00:15:43] Now, in terms of this mobile device management software, was the user of the iPhone intentionally downloading this for legitimate reasons or were they fooled into doing that as well?

Craig Williams: [00:15:55] We believe they were fooled into doing it. We actually have the pictures of someone being infected on our blog post. And it's an ordeal. You have to be tricked to do this. This is not something you can do by accident. You know, the phone basically tells you, are you sure you would like someone to take over your phone? And the user has to click yes. And the phone will tell you this is a bad idea, and the user clicks yes anyway. And then at that point, the attacker has control of the phone. And so they could wipe it. They could steal data off it through apps.

Craig Williams: [00:16:25] And we thought that was the end of the story, but as we dug a little bit further into it, we were able to find a little bit of a deeper rabbit hole. And so what we ended up finding was that this was part of a much broader campaign. We were able to link this to an existing APT group called Bahamut that was reported by Bellingcat and Amnesty International. And effectively what we believe happened was when they did the initial Bahamut research, they only found the Android versions. And so we think that this iOS version was basically an evolution of that threat where they added some additional capabilities.

Craig Williams: [00:17:02] We found some additional MDM servers when we were looking for this. And we actually found another version of this malware that actually added another really interesting twist to the story. They added some additional apps that they were stealing data from, but the one that really caught my attention was they wrote a malicious Safari browser. Weird, right? They actually...

Dave Bittner: [00:17:21] Just, I mean, talk about a foundational app on your phone.

Craig Williams: [00:17:25] Right. And this is not trivial. This isn't something somebody just modifies an existing binary and slaps together. This is - somebody put some effort into this. Somebody spent hours thinking this through and planning this out. But basically, the Safari app targeted very, very specific sites, you know, potentially sensitive sites like ProtonMail, Reddit, Amazon,, Yahoo - right? - sites that people presumably think are relatively private - maybe not Reddit on that one - but, you know, relatively private like ProtonMail. And it sent those credentials to the bad guys. Really, this sounds like it's a terrible situation.

Craig Williams: [00:17:59] The reality is this is MDM working as designed for a device that wasn't secured properly. And so it turns out that in most enterprise applications, you're already going to have an MDM certificate installed. And naturally, the right way to deploy an MDM certificate is to not give the users the password to remove it. So, you know, if you have Cisco Security Connector or any of our competitors' MDM on your phone and it's been locked down by your company with a password you don't have, this isn't a threat to you. You don't need to worry about these. But unfortunately, for a lot of home users and some enterprises that haven't deployed them correctly, this is still an issue.

Dave Bittner: [00:18:39] Well, it's an interesting read for sure. The title of the article is "Advanced Mobile Malware Campaign in India Uses Malicious MDM." As always, Craig Williams, thanks for joining us.

Craig Williams: [00:18:50] Thank you.

Dave Bittner: [00:18:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.