216 episodes

Every Saturday, we sit down with cybersecurity researchers to talk shop about the latest threats, vulnerabilities, and technical discoveries.

Research Saturday CyberWire Inc.

    • Technology
    • 4.9 • 7 Ratings


    Getting in and getting out with SnapMC.


    Guest Christo Butcher of NCC Group's Research and Intelligence Fusion Team discusses their research into a cybercriminal group they dubbed SnapMC. Forget ransomware: too expensive and too much hassle. Instead, get in through a known vulnerability in whatever target happens to be exposed, take a look around, grab the data and leave again, all within half an hour: hit and run. An email is then sent to the affected organization: pay, or the stolen data will be published and/or sold.
    This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. NCC Group has given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data. So far NCC Group has only seen SnapMC's attacks in the Netherlands. The group does not target specific sectors, and NCC Group has not (yet) been able to associate it with known attackers.
    The research can be found here:

    SnapMC: extortion without ransomware

    SnapMC skips ransomware, steals data

    • 18 min
    CyberWire Pro Research Briefing from 11/23/2021


    Enjoy a peek into CyberWire Pro's Research Briefing as the team is off recovering from our Thanksgiving feasts. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: Iranian threat actors target the IT supply chain. North Korean cyberespionage. More information on Emotet's return. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

    • 8 min
    Using bidirectionality override characters to obscure code.


    Guests Nicholas Boucher and Ross Anderson from the University of Cambridge join Dave Bittner to discuss their research, "Trojan Source: Invisible Vulnerabilities." The researchers present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. The attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that human code reviewers cannot perceive directly. 'Trojan Source' attacks, as they call them, pose an immediate threat both to first-party software and, through supply-chain compromise, to software across the industry. They present working examples of Trojan Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. They propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.
    The project website and research can be found here:

    Trojan Source: Invisible Source Code Vulnerabilities project website

    Trojan Source: Invisible Vulnerabilities research paper

    • 26 min
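    The display-versus-logical-order trick described in this episode, as an added example that is not code from the paper, its authors, or the CyberWire page: a small Python scanner for Unicode bidirectional control characters, the kind of repository or build-pipeline check the researchers mention as a stopgap until compilers reject such input. The set of code points treated as dangerous and the SAMPLE snippet are assumptions made here; the snippet is constructed to follow the stretched-string pattern the paper describes, not copied from it.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example, not code from the Trojan Source paper or its authors.
SAMPLE below is constructed here, modelled on the paper's "stretched
string" pattern, to show why such a scanner is needed.
"""
import sys
import unicodedata

# Bidi formatting characters that make rendered order differ from the
# logical order a compiler reads: explicit embeddings/overrides
# (U+202A..U+202E) and isolates (U+2066..U+2069). The marks U+200E/U+200F
# are added as well (assumption: they are treated as suspicious in code).
BIDI_CONTROLS = frozenset(
    [chr(cp) for cp in range(0x202A, 0x202F)]
    + [chr(cp) for cp in range(0x2066, 0x206A)]
    + ["\u200e", "\u200f"]
)


def find_bidi_controls(source: str):
    """Return a list of (line, col, 'U+XXXX', unicode_name) findings.

    Positions are 1-based and counted in logical (stored) order, i.e. the
    order the interpreter or compiler actually processes.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    (line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def make_visible(source: str) -> str:
    """Replace each bidi control with an escaped marker such as <U+202E>, so
    a reviewer sees the logical token order instead of the rendered one."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in source
    )


# Constructed sample. In a bidi-aware editor, line 3 renders roughly as
#     if access_level != 'none': # Check if admin
# but logically the string literal runs on to the closing quote, so the
# comparison is against a long string that never equals 'user'.
SAMPLE = (
    "access_level = 'user'\n"
    "granted = False\n"
    "if access_level != 'none\u202e \u2066# Check if admin\u2069 \u2066' :\n"
    "    granted = True\n"
)


def run_sample() -> bool:
    """Execute SAMPLE in an isolated namespace and report what the
    interpreter actually decided (the value of `granted`)."""
    namespace = {}
    exec(SAMPLE, namespace)  # demo only: runs the constructed snippet above
    return namespace["granted"]


def scan_paths(paths):
    """Pre-commit style check: print findings, return True if any were found."""
    found = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line_no, col, cp, name in find_bidi_controls(fh.read()):
                print(f"{path}:{line_no}:{col}: {cp} {name}")
                found = True
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_paths(sys.argv[1:]) else 0)
    print("interpreter granted access:", run_sample())
    for finding in find_bidi_controls(SAMPLE):
        print(finding)
    print(make_visible(SAMPLE))
```

    Run with file paths to scan them (non-zero exit on a hit, which is what a pre-commit hook or CI step wants); with no arguments it runs the constructed sample, which the interpreter evaluates as granting access even though a bidi-aware renderer shows line 3 as an innocent comparison against 'none'. Scanning in logical order is the point: the check must see what the compiler sees, not what the editor draws.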
    A glimpse into TeamTNT.


    Senior Intelligence Researcher at Anomali, Tara Gould, joins Dave to discuss their team's work on "Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server." Anomali Threat Research discovered a server with an open directory listing that they attribute with high confidence to the German-speaking threat group TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting cloud environments. It also hosts Amazon Web Services (AWS) credentials harvested by TeamTNT's credential stealers.
    This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.
    The research can be found here:
    Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server

    • 16 min
    An incident response reveals itself as GhostShell tool, ShellClient.


    Guest Mor Levi, Vice President of Cyber Practices from Cybereason, joins Dave Bittner to discuss her team's work on "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. 
    The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. To learn more, listen to the episode.
    The research can be found here:
    Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms

    • 19 min
    Malware sometimes changes its behavior.


    Dr. Tudor Dumitras from University of Maryland joins Dave Bittner to share a research study conducted in collaboration with industry partners from Facebook, NortonLifeLock Research Group and EURECOM. The project is called: "When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World." In the study, the team analyzed how malware samples change their behavior when executed on different hosts or at different times. Such “split personalities” may confound the current techniques for malware analysis and detection. Malware execution traces are typically collected by executing the samples in a controlled environment (a “sandbox”), and the techniques created and tested using such traces do not account for the broad range of behaviors observed in the wild. In the paper, the team shows how behavior variability can make those techniques appear more effective than they really are, and they make some recommendations for dealing with the variability.
    The research and executive summary can be found here:

    When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World

    Analysing malware variability in the real world

    • 27 min

Customer Reviews

4.9 out of 5
7 Ratings


Jedi Wannabi,

A fascinating look into the guts of the machine

I love learning about how even the people who deeply know and understand the intricacies of existing data networks are constantly breaking new ground.

GottaRun21,

The go-to for cyber research discussion

Need or want to know more about the leading research in security? You’ve found just the thing. It’s the perfect show to catch up on the latest research over a cup of joe on a Saturday morning.

Frogstar5,

One of my favorites from the CyberWire

I never miss an episode of Research Saturday. These one-on-one interviews with researchers from all over the world, and from a diverse range of companies and institutions helps me keep on top of critical threats and vulnerabilities. I like the concise, down-to-business format too. This podcast is time well spent, thank you!
