The CyberWire Daily Podcast 3.28.19
Ep 810 | 3.28.19

Gustuff is out and after Android devices. Microsoft takes down Phosphorus. Elfin is working for Tehran. Russian cyber troops come to help Venezuela’s Chavistas. Guilty plea expected in Martin case.


Dave Bittner: [00:00:04:03] A young banking Trojan gains criminal market share in the Android ecosystem. Microsoft lawyers up and seizes sites Iran's Charming Kitten used to stage its attacks. Another Iranian APT, "Elfin," is described. A battalion's worth of Russian special operators and cyber troops are on the ground in Venezuela. Washington wants them out, Moscow says they're in for the duration. And accused NSA leaker Hal Martin is expected to take a guilty plea this week.

Dave Bittner: [00:00:38:24] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts, but built for the entire team, ThreatConnect's intelligence driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team.

Dave Bittner: [00:01:15:24] Want to learn more? Check out their newest ebook, SOAR Platforms. Everything you need to know about security, orchestration, automation and response. The book talks about intelligence driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:50:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday March 28th, 2019.

Dave Bittner: [00:01:59:03] Security firm Group-IB has reported that an Android banking Trojan circulating in criminal marketplaces has been growing in popularity and should now be considered among the top threats of this kind. The Trojan is called "Gustuff" and, after about a year in circulation, it now joins more familiar banking malware like Anubis, Red Alert, Exobot, LokiBot, and BankBot. Gustuff is said to be capable of phishing credentials and automating transactions in and around 100 Android banking apps and some 32 cryptocurrency applications.

Dave Bittner: [00:02:34:13] Both large traditional banks and new wave alt-coin exchanges are among the targets of Gustuff's users. An attack begins with social engineering designed to get users to the Android Accessibility service. That's been a common approach with Android banking Trojans, but Gustuff departs from the norm in its ability to use Automatic Transfer Service to expedite theft. That's old hat for Windows malware, but it's a new wrinkle in the Android world.

Dave Bittner: [00:03:03:10] So Gustuff will be one to watch. So far, according to Group-IB, the malware hasn't appeared in Trojanized apps offered in the Google Play Store, but users should be alert.

Dave Bittner: [00:03:15:03] Iranian cyber threat groups are again in the news. First, in a bit of lawfare observers approvingly call "creative lawyering," Microsoft yesterday announced that it had seized control of 99 websites used by the threat group they call "Phosphorus." A US federal court issued an injunction last week that enabled the takedown.

Dave Bittner: [00:03:36:14] Phosphorus is also called APT35, the Ajax Security Team, and (our favorite) Charming Kitten. The group is known for its use of social engineering, usually tailored spear phishing, or more broadly based phishing that uses a bogus security warning as its phish bait. Traffic from infected victims will now go to a Microsoft sinkhole for analysis, and not to the paws of Charming Kitten.

Dave Bittner: [00:04:03:07] Microsoft observes that this takedown is similar to the one they executed against sites belonging to Strontium, the threat actor better known as APT28, or (again, our favorite) Fancy Bear, which of course belongs to Russia's GRU military intelligence service. For some reason, Microsoft likes to use the Periodic Table of the elements for deriving its names for threat actors. We feel sorry for the poor hoods who eventually get tagged with Thulium, not to mention Boron, which sounds bad, but is still a heck of a lot more useful than Thulium. And what happens when you reach the 119th threat actor? Will Redmond move on to isotopes? Some element names, as it happens, are already taken by the good guys, Terbium comes to mind, and so should be off the table. Anyhoo, for now at least, Phosphorus has taken the hit.

Dave Bittner: [00:04:57:05] The other Iranian APT is one security firm Symantec calls "Elfin." This group has been working most heavily against targets in Saudi Arabia and the US, but other countries have been affected as well. Belgium, Jordan, the United Kingdom, the United Arab Emirates, China, Thailand, Morocco and the Czech Republic have all sustained attacks.

Dave Bittner: [00:05:18:12] Elfin's targets have been drawn largely from the "engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors." Symantec calls the group agile and active, and notes that it operates by scanning for vulnerable websites. It then deploys a range of commodity and custom-built tools. SecurityWeek notes that FireEye tracks the group as APT33. Neither Symantec nor FireEye thinks Elfin is the group responsible for the 2018 wave of Shamoon attacks, although Elfin and Shamoon's targets have shown some overlap.

Dave Bittner: [00:05:54:11] Some of Elfin's recent campaigns against Saudi targets have sought to exploit a known vulnerability in WinRAR, CVE-2018-20250. Successful exploitation would give the attackers control over the victim machine.

Dave Bittner: [00:06:11:10] We're all familiar with the phrase "fight fire with fire." In the ongoing arms race between attackers and defenders in the cyber domain, some say "fight AI with AI." Satish Thiagarajan is VP and Global Head of the Cybersecurity practice at Tata Consultancy Services. He shares these thoughts.

Satish Thiagarajan: [00:06:31:00] Very recently, McAfee Labs published a 2019 threat prediction report that states that hackers will increasingly turn to AI to help them evade detection. This is very significant, because we're already seeing patterns of attack that are very AI driven. So cyber criminals will also use AI to automate the target selection, so therefore in our assessment, over the last few months we have seen a significant increase in cyber attacks which are not necessarily leaving signatures of traditional methods of attack, but a significant influence of AI and ML by the attackers themselves.

Satish Thiagarajan: [00:07:11:09] Cyber attacks have become more adaptive, they've become stealthy, they are very intelligent and the intelligence has increased over the last few years. To defend against these kinds of attacks, organizations probably need to use much more advanced AI machine learning and [PHONETIC: B planning] learning capabilities, to address this particular problem.

Dave Bittner: [00:07:32:09] And what are some of the things that draw attention to an attack as likely being sourced by AI or machine learning?

Satish Thiagarajan: [00:07:39:18] Some patterns that we have seen are that malware is now able to choose its target vectors on the fly, based on the environment and vulnerabilities it perceives, which is very different to the attacks that have happened in the past. There are older forms of malware like TrickBot which are now using AI to intelligently mimic trusted system components, and adapt to the context of the target. So number one, they are getting very stealthy. Number two, they have the ability to adapt based on the target that they're trying to attack.

Dave Bittner: [00:08:14:12] What part do the humans play in all of this? Is this a matter where the AI and ML can handle the high velocity of potential attacks that are coming in and then alert the humans that these are the ones that we believe really need your actual attention?

Satish Thiagarajan: [00:08:29:20] Absolutely. I think you've got it right on the money. One of the key issues that we face, as cyber defense warriors, is this issue of alert fatigue. You get millions of alerts. You don't know which one you have to act on, and you end up acting on a few and you leave the rest, not knowing whether the rest is going to cause disruption. Artificial intelligence, analytics and insights are going to give you the ability to identify the needle in the haystack. The kind of algorithms that we use will identify the rightful pattern that is pointing to a potential attack or a breach in your system based on data.

Satish Thiagarajan: [00:09:11:17] There are also additional use cases where you use AI and ML in the context of our business. We have built what is called a Doomsday Predictor. The Doomsday Predictor actually looks at your WAF, web application firewall, logs. The incoming traffic is analyzed and, based on the incoming traffic, we look at what the attacker is trying to attack in your system, or what vulnerability he is trying to exploit. And within your system you look at whether those vulnerabilities are patched, and we do draw a correlation and, based on algorithms, we predict what is the likelihood that a particular vulnerability, be it on the infrastructure or the application side, is likely to be exploited. And hence that needs to be predicted, so having AI, ML or deep planning capabilities becomes very essential for an enterprise to be successful in defending their crown jewels.

Dave Bittner: [00:10:08:03] That's Satish Thiagarajan from Tata Consultancy Services.

Dave Bittner: [00:10:14:06] A small contingent of Russian troops, two plane loads, has arrived in Venezuela with the avowed purpose of assisting the Chavista regime recover from what Caracas maintains is a wave of cyber attacks and sabotage that have crippled its electrical grid. The US wants the Russians out and the Russians say they're staying. The two aircraft that made the delivery were an Antonov 124 Condor and an Ilyushin 62 Classic. Between them, the two aircraft have a troop capacity of somewhat less than 650, which places an upper limit on the size of any contingent they might have carried.

Dave Bittner: [00:10:52:01] The Russian troops are said to include both special operations forces and cyber operators, and so their presence might be said to constitute a kinetic contribution to an information operation. Few credit the Maduro regime's hacking allegations, but that's their story and they're sticking to it. The Venezuelan power grid continues to suffer periodic issues, even after power was restored after widespread outages earlier this month.

Dave Bittner: [00:11:18:06] European, Canadian and US authorities cooperated this week in rounding up 61 people who'd been actively trading contraband of various kinds, drugs, guns and so forth, in dark web markets. In addition to the arrests, police seized $7 million in cash and virtual currency, as well as about 300 kilograms of drugs and 51 firearms.

Dave Bittner: [00:11:42:11] Coincidentally, or not, Dream Market, now regarded as the world's largest dark web market since the demise of Silk Road, AlphaBay and Hansa Market, announced that it would cease operations at the end of April. There's some speculation that the police took over Dream Market some time ago and have been using it as a honeypot, but most observers think this is unlikely. It's probable that Dream Market's proprietors are feeling the heat and decided to get out while the getting was still good.

Dave Bittner: [00:12:11:21] The Wall Street Journal, CNN, the Baltimore Sun and others are reporting that former NSA contractor Hal Martin is expected today to plead guilty to charges of stealing classified material. His trial had been expected to begin in June.

Dave Bittner: [00:12:26:15] The government says they found some 50 terabytes of secrets in Martin's possession in his home and shed in Glen Burnie, Maryland, a Baltimore suburb near BWI airport and just across Interstate 95 from Fort Meade. Mr. Martin's defense counsel have portrayed him as a pack rat, and in this judgment they're seconded by some of his acquaintances. But defense counsel has suggested that their client's hoarding was obsessive and perhaps pathological, and maybe, in this respect, even exculpatory. "He's no Edward Snowden," they've said, and had no intention of harming the US.

Dave Bittner: [00:13:03:01] The government, it's worth noting, hasn't charged Mr. Martin with espionage, but rather with 20 counts of "unauthorized and willful retention of national defense information." That's bad enough, but it's also not espionage. An interesting question that remains to be answered is this: with all the concern about insider threats, how was a pack rat able to pack so much over the course of more than a decade?

Dave Bittner: [00:13:32:08] And now a word from our sponsor, KnowBe4. Email is still the number one attack vector the bad guys use, with a whopping 91% of cyber attacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on demand webinar by Roger A. Grimes, KnowBe4's data driven defense evangelist. Roger walks you through ten incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick.

Dave Bittner: [00:14:06:15] So check out the Ten Incredible Ways, including how silent malware launch, remote password hash capture and rogue rules work, and why rogue documents establishing fake relationships and compromising a user's ethics are so effective. Details behind clickjacking and web beacons and how to defend against all of these. Go to That's and we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:52:16] And I'm pleased to be joined once again by Daniel Prince, he's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's great to have you back. We wanted to touch today on cyber risk management and some of the aspects related to that. What do you want to share with us?

Daniel Prince: [00:15:09:01] Well, thanks for having me back on. One of the areas that I teach here at Lancaster is around cyber risk management, as part of our master's degree course. And one of the things that I talk to my students about when we're going through this course is the idea that, for a lot of the cybersecurity risk management elements that we're looking at, so all the risks and the threats, they're based on a series of assumptions. Assumptions about who the attacker is, assumptions about the structure of the network. What we're really saying when we're trying to make risk evaluations is that this is the risk level, assuming all the things that we have that go behind that are true.

Daniel Prince: [00:15:48:16] That basically moves us into a different category, because what we need to do is understand all those assumptions behind what we believe to be the known knowns. Because as soon as those assumptions start to fail or start to be proven to be false, then actually a lot of the risk measurements that we've made start to fall away. They start to become invalid.

Dave Bittner: [00:16:12:17] In terms of the known knowns in managing risk, are we dealing with absolutes or probabilities?

Daniel Prince: [00:16:19:05] By and large, when we're doing things like quantitative risk management, we're thinking about the probabilities. We're thinking about the possible outcomes that the system can produce, and in this case the negative outcomes, the negative events. And then we're trying to assign probabilities to those, the likelihood of those events happening. What I'm interested in is trying to help the students and others to understand actually, what are the assumptions that go into making those qualitative or quantitative risk assessment analysis, so that we can understand when those assumptions do fail, we can take appropriate remediation action.

Daniel Prince: [00:16:55:14] That's really important, because time and again we've seen in the technology scene a number of assumptions around how a technology works fail. So for example, the hardware security issues we've seen with Spectre and Meltdown: there's a big assumption here that the actual hardware is secure and doesn't present any problems. But as soon as that assumption is proved to be false, then a lot of the other security assumptions that we make and the security risk assessments that we make then also become false, and we have to start again.

Daniel Prince: [00:17:28:20] So, it's really important to understand the assumptions that we have that sit behind our risk assessment and try to map and understand those. It's also caught up in this idea of inductive risk, so the reasoning process we have behind it, and the risks associated with that, in terms of the biases that we potentially have in place, and then also based on the assumptions around the methodologies we use, to derive the probabilities and so on.

Dave Bittner: [00:17:53:20] Yes, it strikes me that with something like those hardware issues, that's a low probability risk I would imagine. Thinking that these hardware designs that have been around for decades would have a fundamental flaw in them, well there's a low chance of that. But, it's also high impact if something like that turns out to be true.

Daniel Prince: [00:18:14:06] And that's just one of the significant problems I think with cybersecurity and technology more generally. The risks are driven by network effects, so they're highly exponential. As soon as something bad happens, it tends to happen very quickly and at scale. So these things that we would normally not need to worry about in terms of physical processes, physical risks, we do need to worry about, because there is a significant impact potentially from these low probability risks. And I would argue that we need to consider those in a much more considered way, because time and again we've seen within cybersecurity a significant number of black swan events. Things that people didn't think could happen, are happening and causing a significant number of problems for everybody.

Dave Bittner: [00:19:07:04] Daniel Prince, thanks for joining us.

Dave Bittner: [00:19:13:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:19:26:04] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, our staff writer is Tim Nodar, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.