skip navigation

More signal. Less noise.

Daily briefing.

Kaspersky finds two APT groups, "Naikon" and "Hellsing," targeting one another. Both have been unusually active in South and East Asia (and as usual Kaspersky is coy about attribution). The conflict is particularly interesting insofar as the mutual targeting appears intentional.

Palo Alto Networks observes a phishing campaign (most targets are Japanese). The "DragonOK" group was active between January and March of this year.

Verizon's Annual Breach Investigation Report, out today, notes among its findings the speed with which successful phishing attacks can compromise a network: about a minute twenty seconds from a user's swallowing the hook until data exfiltration begins.

TeaMp0isoN embarrasses various universities by exposing their network weaknesses.

This week's patches will keep sys admins busy. Microsoft issues eleven updates, Adobe fixes twenty-two Flash bugs, and Oracle addresses fifteen Java flaws. Apple's fixes (out last week) address Safari vulnerabilities.

In industry news, Palo Alto Networks buys Cyvera, Marlin Equity Partners buys Fidelis from General Dynamics, Symantec shops Veritas (the better to position itself in the security space), and — the big M&A story — Nokia buys Alcatel-Lucent for $16.6B.

Government and industry continue to compete for scarce and pricey cyber talent. The US Department of Defense announces that personnel shortages will delay fielding of cyber defense capabilities. In the UK, GCHQ continues to seed the kind of security vendor ecosystem in Gloucestershire that the US's NSA has fostered in Maryland.

The European Union formally charges Google with anti-trust violations, and opens a new inquiry into Android's position in the marketplace.

Notes.

Today's issue includes events affecting Cambodia, Denmark, Estonia, European Union, Finland, France, India, Indonesia, Latvia, Lithuania, Malaysia, Myanmar, Nepal, Norway, Philippines, Singapore, Sweden, United Kingdom, United States, and Vietnam.

The CyberWire will be covering RSA 2015 in San Francisco next week. Look for special issues devoted to the event beginning this Friday.

Cyber Attacks, Threats, and Vulnerabilities

The Chronicles of the Hellsing APT: the Empire Strikes Back (SecureList) One of the most active APT groups in Asia, and especially around the South China Sea area is "Naikon". Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack

Elite cyber crime group strikes back after attack by rival APT gang (Ars Technica) Coming to the Interwebz near you: Spy vs. Spy APT wars

'APT-On-APT' Action (Dark Reading) New spin on the cyber espionage attack: spies hacking other spies for information

Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets (Palo Alto Networks) Palo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against Japanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and other Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known as "DragonOK." These attacks took place between January and March of 2015

US-CERT Warns of Issues with DNS Zone Transfer Requests (Threatpost) The US-CERT is warning administrators and network operators that a misconfiguration issue with some DNS servers that has been known about for more than 15 years and can give attackers detailed information about DNS zones is coming back around thanks to new scans that show a high number of servers vulnerable to the issue

TeaMp0isoN reveals schools' vulnerabilities (Office of Inadequate Security) Reading @_TeaMp0isoN_'s Twitter timeline last night and this morning was somewhat disheartening. Tweet after tweet identified vulnerabilities that would enable hackers access to universities' sites. For each school named, TeaMp0isoN indicated the type of vulnerability they had found and the vulnerable url. In some cases, if the university has a Twitter account, TeaMp0isoN included their Twitter account in the tweet to call their attention to their vulnerability. No data was dumped and many of the subdomains likely do not contain sensitive information, but once you've gotten in a door

U.S. sounds alarm on hacking of passenger jets, air traffic control (IDG via ComputerWorld) Government report says the FAA needs to do more to ensure safety in the skies

Email Phishing Attacks Take Just Minutes to Hook Recipients (Wired) If you work in IT security, you've got one minute and 20 seconds to save your company from being hacked. This is not a drill. It's the median time it takes for an employee to open a phishing email that lands on a company's network and in their inbox, setting in motion a race to prevent data from leaking. That's according to the new Verizon Breach Investigations Report, which is due to be released publicly tomorrow but was previewed to reporters today

Report: Internet of Evil Things is your next nightmare (CSO) A vast majority of enterprises are home to things that have the potential to turn evil at any moment, according to Pwnie Express

Welcome to the Internet of Things. Please check your privacy at the door. (ITWorld) Several things can happen to your IoT data, and most of them are bad. Here are the biggest things you need to worry about

Behind Tax Fraud: A Profile of 3 IRS Scammers (TrendLabs Security Intelligence Blog) Cybercriminals have been taking advantage of tax season for years. While we have seen tax seasons involving countries like Australia and the U.K., it appears that cybercriminals tend to heavily favor the use of Internal Revenue Service (IRS) scams, especially during the US tax season

How the heck did so much Game of Thrones leak in 2015? (Ars Technica) A four-episode leak may spell the death knell for the DVD screener

HSBC Financial Corp. notifies mortgage customers of online breach (Office of Inadequate Security) HSBC Finance Corporation has begun notifying an undisclosed number of consumers whose mortgage account information was inadvertently exposed on the Internet. The firm believes the exposure began sometime towards the end of 2014 and continued until March 27, 2015, when they learned of the breach

Security Patches, Mitigations, and Software Updates

Critical Updates for Windows, Flash, Java (KrebsOnSecurity) Get your patch chops on people, because chances are you're running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication

Apple Fixes Cookie Access Vulnerability in Safari on Billions of Devices (Threatpost) When Apple pushed out its most recent round of patches last week it fixed a cookie vulnerability that existed in all versions of Safari, including those that run on iOS, OS X, and Windows. According to researchers who dug it up, the number of affected devices may total one billion

Microsoft Patches Critical HTTP.SYS Vulnerability (Threatpost) Microsoft has patched a critical vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, which could have devastating consequences once it's inevitably publicly exploited

Microsoft Security Bulletin Summary for April 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for April 2015

Chrome starts pushing Java off the Web by disabling plugins (Ars Technica) The Netscape-era NPAPI is now off by default in Chrome 42

Cyber Trends

Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches (IGD via CSO) Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year

Mobile security mostly a nonissue at the moment, Verizon says (CNET) There's not much of a need to fret about mobile security given that cybercriminals still have plenty of easy marks to hit, according to Verizon's enterprise security group

Health data breaches sow confusion, frustration (ProPublica via USA TODAY) As the privacy officer for The Advisory Board Co., Rebecca Fayed knows a thing or two about privacy and what can happen when it's violated

BYOD employees 'indifferent' to enterprise security (ZDNet) A new study says the next generation of workers is placing the enterprise at risk with a lax attitude to mobile security

Think only big companies get hacked? Wrong (CNBC) Once a month, it seems, we hear about a high-impact breach of a corporate computer system. The latest is Premera Blue Cross, and before that Anthem, Sony, Target, Home Depot: These are big companies, and many would assume they were relatively bulletproof. Yet they couldn't keep the hackers at bay

Cyber Security Show — Critical industry operational technology often 30 years old (IT Security Guru) Assets within energy companies can often be 20-30 years old

In 2015, It's All About the Data (United States Cybersecurity Magazine) 2014 taught us that massive security breaches are the new normal for U.S. companies, government agencies, and universities. Some of the most prominent were Target, Home Depot, Neiman Marcus, Apple's iCloud, Michaels, the U.S. Postal Service, the IRS, Community Health Services, UPS, Staples, the State Department, Sands Casinos, USIS, eBay, PF Chang's, JP Morgan Chase, and, to sum up the year, Sony Pictures. The sobering reality is that it is now no longer a matter of if but when and how often that we're going to be breached. In 2014, we witnessed CEOs being fired, CIOs let go, boards of directors personally sued, and company data stolen or sabotaged on a grand scale. What will the extent of the damage be to our company, shareholders, and customers? What are the bad actors really after?

Marketplace

Palo Alto splashes $200m to strengthen endpoint security offering (Computer Business Review) Company acquires Israeli cybersecurity company Cyvera

Private Equity Firm Marlin to Buy General Dynamics' Fidelis Cyber Business (GovConWire) Los Ageles-based investment firm Marlin Equity Partners has agreed to purchase threat detection services business Fidelis Cybersecurity Solutions from General Dynamics (NYSE: GD) for an undisclosed sum

NSS Labs Raises $7 Million to Grow Cyber Advanced Warning System Solution (NSS Labs) NSS Labs, Inc., the world's leading information security research and advisory company, announced today that it has secured $7 Million in additional equity and debt funding with participation from LiveOak Venture Partners and Chevron Technology Ventures. The financing will support the growth of the NSS Cyber Advanced Warning System™ launched in March 2015

Cybersecurity startups raise big capital (The Hill) Two cybersecurity startups are making headlines for new rounds of financing that signal investors' growing interest in security products

Cyber security start-up draws $100m in BlackRock-led fundraising (Financial Times) Illumio, a cyber security start-up with personal backing from successful technology founders, has raised over $100m in a fundraising round led by BlackRock

With $30M in new funding, Duo Security announces London venture (MichiganLive) After previously raising roughly $18 million in funding, Ann Arbor-based Duo Security announced it has raised $30 million in Series C funding and will be expanding its efforts to London

Symantec: The Veritas Sale A Catalyst For The Rerating Of The Security Business (Seeking Alpha) A sale of the storage business for $5-8bn could highlight the undervaluation of Symantec's security ops. If the security business does not rerate as we expect, it is likely that private equity firms will try to acquire it (rumors have been circulating for months). The sale of the storage business could also enable Symantec to make a major acquisition in the security software space as it needs to reinvent itself

Nokia acquires Alcatel-Lucent for $16.6 billion to create networking giant (Ars Technica) Will strong research divisions be enough to let Nokia compete with Huawei and Ericsson?

Distil Networks Helps Companies Battle Bad Bots (Forbes) "I was working at a cloud security company and customers were asking for a way to identify real people versus bots on their websites. The company that I was with didn't tackle that problem. And so I tried to find something that would for those customers. The more I looked around, the more I realized there was a gap in the market for that service. So that's where things started in 2011," says Rami Essaid, co-founder and CEO of Distil Networks on his company's genesis

Chertoff Group Principal Jim Pflaging Joins the AdaptiveMobile Board of Directors (BusinessWire) Seasoned executive has deep expertise in the security and enterprise markets

Northrop Grumman opens cyber centre in UK (IHS Jane's 360) US headquartered contractor Northrop Grumman has opened a new cybersecurity centre in Gloucestershire, the United Kingdom, the company announced on 14 April. The facility will serve as a hub for cyber offerings to potential clients throughout Europe, the company said

GCHQ Steadily Sparks UK Cyber Industry Rush (Defense News) The cyber industry hub supporting Britain's GCHQ is continuing to grow with Northrop Grumman becoming the latest company to set up development and innovation facilities close by the headquarters of the intelligence center

Security Companies Hire Hackers, Ex-Spies to Fight Cyber Attacks (BloombergBusiness) It's a seller's market for the cyber war's special forces

U.S. Military's Anti-Hacking Force Won’t Be Ready Until 2018 (BloombergBusiness) The Pentagon will miss its own 2016 deadline to create cybersecurity teams to defend critical computer networks from hacking and they won't be fully operational until 2018, a senior Defense Department official said

Joint Cyber Training New Nordic Priority (Defense News) Cyberwarfare technology training has been identified as a new project area within The military-run Nordic Defense Cooperation (NORDEFCO) program

Study: 82% of organisations expect a cyber attack; 35% are unable to fill open jobs (ITWeb) According to a study by ISACA and RSA Conference, 82% of organisations expect to be attacked in 2015, but they are relying on a talent pool viewed as unable to handle complex threats. Thirty-five percent are unable to fill open positions, according to State of Cybersecurity: Implications for 2015, a study conducted by ISACA, a leader in cyber security, and RSA Conference, organisers of cyber security events

Products, Services, and Solutions

Cyber boot camp to churn out security pros in eight weeks (V3) The SANS Institute is opening up a cyber skills academy that will condense a two-year training course into just eight weeks to produce work-ready security warriors

Android Security Apps Continue to Improve in Latest AV-Test Report (PC Magazine) How much room does Android security have left to grow?

Tenable Network Security Announces SecurityCenter 5, Empowering Organizations to Continuously Measure, Analyze and Visualize Overall Network Health (BusinessWire) Industry leader in continuous network monitoring introduces Assurance Report Cards in its flagship product to help customers align security policies with business objectives

FinalCode Redefines Enterprise-Grade File Security for Confidential Collaboration (Nasdaq) Strong file encryption and extensive usage controls protect files wherever they go within and outside the corporate network

ThreatConnect, Inc. and CrowdStrike Partner to Strengthen Threat Intelligence Data Availability and Delivery (MarketWatch) ThreatConnect expands unique marketplace enabling organizations to effectively aggregate, analyze, and act on other threat intelligence sources via ThreatConnect Platform

Promisec Launches 'Freemium' Endpoint Monitoring Service to Minimize Cybersecurity Risk (Virtual Strategy Magazine) Freemium product provides critical MSSP/ OEM support for security service providers in Promisec's Partners Program

Aircrack-ng 1.2 RC 2 - WEP and WPA-PSK keys cracking program (Kitploit) Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is recent version of GPSd now work very well with Airodump-ng

Tailoring Security Info for the C-Suite (eSecurity Planet) SurfWatch Labs' SaaS platform makes security information intelligible to business execs

Technologies, Techniques, and Standards

Threat Intelligence Is a Two-Way Street (Dark Reading) Intelligence analysis should be looked upon as less of a service and more of a partnership

Attention Healthcare IT Teams: Five Simple Ways to Keep Patient Data Safe (Trend Micro: Simply Security) At Trend Micro, we've been trying to draw attention to the growing cyber security threat facing healthcare organizations for some time now. With recent cyber-criminal targeting of healthcare organizations, it seems like a pretty good time to revisit our advice for others in the industry who want to stay secure on their journey to the cloud

Design and Innovation

An App That Hides Secret Messages in Starcraft-Style Games (Wired) China's Internet cafes full of young nerds glued to Starcraft 2 might soon be taking on more than Zerg hordes and Protoss Colossi. One group of anti-censorship researchers wants to turn those games themselves into a weapon in the war for web freedom

Google May Offer New Way to Target Ads (Wall Street Journal) The war for advertising dollars between Google Inc. and Facebook Inc. may add a new front: email addresses

Research and Development

New algorithm could auto-squash trolls (Naked Security) Ah trolls. A species we know well Naked Security those people who bounce around in comments sections flinging language dung all over the intertubes

DARPA Eyes Near-Zero-Power Tech to Extend Sensor Operational Life (ExecutiveGov) The Defense Advanced Research Projects Agency is seeking proposals on near-zero-power sensor technologies as part of the Near Zero Power RF and Sensor Operations program to address current power limitations of remote wireless military sensors

Legislation, Policy, and Regulation

DHS Opens Cyber Dialogue With China (HS Today) Although cyber relations between the United States and China became strained after numerous allegations during the past year of Chinese spying operations targeting the US, the Department of Homeland Security (DHS) and China's Ministry of Public Security (MPS) are now working on reestablishing a cyber dialogue

Deterrence will keep a lid on cyberwar, former spy chief says (ComputerWorld) Ex-national intelligence director Dennis Blair likened the standoff to mutually assured nuclear destruction

New cyberthreat information-sharing bill may be more friendly to privacy (ComputerWorld) The new bill still allows companies to share some unnecessary personal information with government agencies, a critic says

House panel approves cyber bill after adding surveillance restrictions (The Hill) The House Homeland Security Committee on Tuesday approved by unanimous voice vote a bill that gives companies liability protection when sharing cyber threat data with the Department of Homeland Security (DHS)

How To Boost Domestic Intelligence and Privacy To Prevent the Next Terrorist Attack (Defense One) Here are three steps to balance civil liberties with domestic security needs

14 Republicans move to block Internet rules (The Hill) Thirteen Republicans joined Rep. Doug Collins (R-Ga.) in support of a resolution that would block new Internet rules approved by the Federal Communications Commission

Litigation, Investigation, and Law Enforcement

EU Formally Accuses Google of Antitrust Violations (Wired) FIVE YEARS AGO the European Union began an investigation into whether Google violated its antitrust laws. Now it will finally bringing charges against the company as well as open a new investigation into Google's Android operating system

Banks hide cyber crime losses, says City of London Police (ComputerWeekly) Banks are obscuring the true amount of money lost to cyber fraudsters preferring to write off cyber incidents as losses, according to the City of London Police

International Operations Take Down Beebone, Simda Botnets (eSecurity Planet) Both operations required coordination between government agencies and private sector partners

NJ legislator who sponsored anti-swatting bill gets swatted (Ars Technica) "Some sick, evil person thought it would be funny to send the police to my house"

Lawsuit Over Alleged Jihadi Link Dismissed (Courthouse News Service) Offensive Security Limited voluntarily dismissed its lawsuit claiming online education company Udemy was "being used to educate jihadists in the art of hacking"

Baltimore Cops Asked Creators Of 'The Wire' To Keep Cellphone Surveillance Vulnerabilities A Secret (TechDirt) Over the past decade, criminals have apparently gained an insurmountable technology lead over law enforcement. I'm not sure how this is possible, especially considering many criminals don't have access to the same technology cops do, much less access to generous DHS funding, and yet, here we are witnessing police officers (following orders from the FBI) tossing cases and lying to judges in order to "protect" secret tools that aren't all that much of a secret

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

AFCEA Defensive Cyber Operations Symposium (Baltimore, Maryland, USA, May 5 - 7, 2015) The U.S. Defense Information Systems Agency's new operational role in the cyber domain as network defender creates a formal relationship between DISA, U.S. Cyber Command and the command's military service...

Cybergamut Tech Tuesday: An Hour in the Life of a Cyber Analyst (Hanover, Maryland, USA, May 12, 2015) This hands-on workshop will demonstrate how easy it is for a breach to occur by analyzing a virtualized web server environment. Participants will use open source tools such as port scanners and protocol...

CyBit: the Computer Forensics Show (IT Security and Cyber Security) (New York, New York, USA, June 11 - 12, 2015) Cyber Security: The interdependent network of information technology infrastructures, including the internet, telecommunications networks (satellite communications), computer systems, embedded processors...

International Symposium on Forensic Science Error Management (Washington, DC, USA, July 20 - 24, 2015) The symposium will give forensic science practitioners and researchers from around the world the opportunity to discuss best practices for identifying and reducing errors in forensic science laboratories.

USENIX Security (Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and others specialists interested in the latest advances in the security and privacy of computer...

SIN ACM (the International Conference on Security of Information and Networks) (Sochi, Russia, September 8 - 10, 2015) The 8th International Conference on Security of Information and Networks will feature contributions from all types of specialists in the cyber security field, from papers and special sessions to workshops...

NSPW (New Security Paradigms Workshop) (Twente, Netherlands, September 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in...

CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, September 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and...

ASIS International (Anaheim, California, USA, September 28 - October 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections,...

Ruxcon 2015 (Melbourne, Australia, October 24 - 25, 2015) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities...

Upcoming Events

Cyber Security Summit: Industrial Sector & Governments (Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Industrial Sector & Governments brings together cyber security experts who will share their skills and know-how needed to address highly topical issues such as state-sponsored...

Cyber Security Summit: Fnancial Services (Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Financial Services brings together cyber security experts across the financial sector to discuss topical security vulnerabilities as well as bring forward effective...

Cyber Security Summit: Financial Services (Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Financial Services brings together cyber security experts across the financial sector to discuss topical security vulnerabilities as well as bring forward effective...

INTERPOL World 2015 (Singapore, April 14 - 16, 2015) INTERPOL World is a new biennial international security trade event which will bring police and other law enforcement agencies together with security solution providers and security professionals from...

Symantec Government Symposium: Secure Government: Manage, Mitigate, Mobilize (Washington, DC, USA, April 15, 2015) The annual Symantec Government Symposium is a one-day event attracting 1,500 government IT security and management professionals. The event is designed to facilitate peer-to-peer dialogue on the challenges...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.