Kaspersky finds two APT groups, "Naikon" and "Hellsing," targeting one another. Both have been unusually active in South and East Asia (and as usual Kaspersky is coy about attribution). The conflict is particularly interesting insofar as the mutual targeting appears intentional.
Palo Alto Networks observes a phishing campaign (most targets are Japanese). The "DragonOK" group was active between January and March of this year.
Verizon's annual Data Breach Investigations Report, out today, notes among its findings the speed with which successful phishing attacks can compromise a network: about one minute and twenty seconds from a user's swallowing the hook until data exfiltration begins.
TeaMp0isoN embarrasses various universities by exposing their network weaknesses.
This week's patches will keep sys admins busy. Microsoft issues eleven updates, Adobe fixes twenty-two Flash bugs, and Oracle addresses fifteen Java flaws. Apple's fixes (out last week) address Safari vulnerabilities.
In industry news, Palo Alto Networks buys Cyvera, Marlin Equity Partners buys Fidelis from General Dynamics, Symantec shops Veritas (the better to position itself in the security space), and — the big M&A story — Nokia buys Alcatel-Lucent for $16.6B.
Government and industry continue to compete for scarce and pricey cyber talent. The US Department of Defense announces that personnel shortages will delay fielding of cyber defense capabilities. In the UK, GCHQ continues to seed the kind of security vendor ecosystem in Gloucestershire that the US's NSA has fostered in Maryland.
The European Union formally charges Google with anti-trust violations, and opens a new inquiry into Android's position in the marketplace.
Today's issue includes events affecting Cambodia, Denmark, Estonia, European Union, Finland, France, India, Indonesia, Latvia, Lithuania, Malaysia, Myanmar, Nepal, Norway, Philippines, Singapore, Sweden, United Kingdom, United States, and Vietnam.
The CyberWire will be covering RSA 2015 in San Francisco next week. Look for special issues devoted to the event beginning this Friday.
Cyber Attacks, Threats, and Vulnerabilities
The Chronicles of the Hellsing APT: the Empire Strikes Back(SecureList) One of the most active APT groups in Asia, and especially around the South China Sea area is "Naikon". Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack
'APT-On-APT' Action(Dark Reading) New spin on the cyber espionage attack: spies hacking other spies for information
Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets(Palo Alto Networks) Palo Alto Networks Unit 42 used the AutoFocus threat intelligence service to identify a series of phishing attacks against Japanese organizations. Using AutoFocus to quickly search and correlate artifacts across the collective set of WildFire and other Palo Alto Networks threat intelligence, we were able to associate the attacks with the group publicly known as "DragonOK." These attacks took place between January and March of 2015
US-CERT Warns of Issues with DNS Zone Transfer Requests(Threatpost) The US-CERT is warning administrators and network operators that a misconfiguration issue with some DNS servers that has been known about for more than 15 years and can give attackers detailed information about DNS zones is coming back around thanks to new scans that show a high number of servers vulnerable to the issue
TeaMp0isoN reveals schools' vulnerabilities(Office of Inadequate Security) Reading @_TeaMp0isoN_'s Twitter timeline last night and this morning was somewhat disheartening. Tweet after tweet identified vulnerabilities that would enable hackers to access universities' sites. For each school named, TeaMp0isoN indicated the type of vulnerability they had found and the vulnerable URL. In some cases, if the university has a Twitter account, TeaMp0isoN included their Twitter account in the tweet to call their attention to their vulnerability. No data was dumped and many of the subdomains likely do not contain sensitive information, but once you've gotten in a door
Email Phishing Attacks Take Just Minutes to Hook Recipients(Wired) If you work in IT security, you've got one minute and 20 seconds to save your company from being hacked. This is not a drill. It's the median time it takes for an employee to open a phishing email that lands on a company's network and in their inbox, setting in motion a race to prevent data from leaking. That's according to the new Verizon Breach Investigations Report, which is due to be released publicly tomorrow but was previewed to reporters today
Behind Tax Fraud: A Profile of 3 IRS Scammers(TrendLabs Security Intelligence Blog) Cybercriminals have been taking advantage of tax season for years. While we have seen tax seasons involving countries like Australia and the U.K., it appears that cybercriminals tend to heavily favor the use of Internal Revenue Service (IRS) scams, especially during the US tax season
HSBC Financial Corp. notifies mortgage customers of online breach(Office of Inadequate Security) HSBC Finance Corporation has begun notifying an undisclosed number of consumers whose mortgage account information was inadvertently exposed on the Internet. The firm believes the exposure began sometime towards the end of 2014 and continued until March 27, 2015, when they learned of the breach
Security Patches, Mitigations, and Software Updates
Critical Updates for Windows, Flash, Java(KrebsOnSecurity) Get your patch chops on people, because chances are you're running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication
Apple Fixes Cookie Access Vulnerability in Safari on Billions of Devices(Threatpost) When Apple pushed out its most recent round of patches last week it fixed a cookie vulnerability that existed in all versions of Safari, including those that run on iOS, OS X, and Windows. According to researchers who dug it up, the number of affected devices may total one billion
Microsoft Patches Critical HTTP.SYS Vulnerability(Threatpost) Microsoft has patched a critical vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, which could have devastating consequences once it's inevitably publicly exploited
Think only big companies get hacked? Wrong(CNBC) Once a month, it seems, we hear about a high-impact breach of a corporate computer system. The latest is Premera Blue Cross, and before that Anthem, Sony, Target, Home Depot: These are big companies, and many would assume they were relatively bulletproof. Yet they couldn't keep the hackers at bay
In 2015, It's All About the Data(United States Cybersecurity Magazine) 2014 taught us that massive security breaches are the new normal for U.S. companies, government agencies, and universities. Some of the most prominent were Target, Home Depot, Neiman Marcus, Apple's iCloud, Michaels, the U.S. Postal Service, the IRS, Community Health Services, UPS, Staples, the State Department, Sands Casinos, USIS, eBay, PF Chang's, JP Morgan Chase, and, to sum up the year, Sony Pictures. The sobering reality is that it is now no longer a matter of if but when and how often that we're going to be breached. In 2014, we witnessed CEOs being fired, CIOs let go, boards of directors personally sued, and company data stolen or sabotaged on a grand scale. What will the extent of the damage be to our company, shareholders, and customers? What are the bad actors really after?
NSS Labs Raises $7 Million to Grow Cyber Advanced Warning System Solution(NSS Labs) NSS Labs, Inc., the world's leading information security research and advisory company, announced today that it has secured $7 Million in additional equity and debt funding with participation from LiveOak Venture Partners and Chevron Technology Ventures. The financing will support the growth of the NSS Cyber Advanced Warning System™ launched in March 2015
Symantec: The Veritas Sale A Catalyst For The Rerating Of The Security Business(Seeking Alpha) A sale of the storage business for $5-8bn could highlight the undervaluation of Symantec's security ops. If the security business does not rerate as we expect, it is likely that private equity firms will try to acquire it (rumors have been circulating for months). The sale of the storage business could also enable Symantec to make a major acquisition in the security software space as it needs to reinvent itself
Distil Networks Helps Companies Battle Bad Bots(Forbes) "I was working at a cloud security company and customers were asking for a way to identify real people versus bots on their websites. The company that I was with didn't tackle that problem. And so I tried to find something that would for those customers. The more I looked around, the more I realized there was a gap in the market for that service. So that's where things started in 2011," says Rami Essaid, co-founder and CEO of Distil Networks on his company's genesis
Northrop Grumman opens cyber centre in UK(IHS Jane's 360) US headquartered contractor Northrop Grumman has opened a new cybersecurity centre in Gloucestershire, the United Kingdom, the company announced on 14 April. The facility will serve as a hub for cyber offerings to potential clients throughout Europe, the company said
GCHQ Steadily Sparks UK Cyber Industry Rush(Defense News) The cyber industry hub supporting Britain's GCHQ is continuing to grow with Northrop Grumman becoming the latest company to set up development and innovation facilities close by the headquarters of the intelligence center
Study: 82% of organisations expect a cyber attack; 35% are unable to fill open jobs(ITWeb) According to a study by ISACA and RSA Conference, 82% of organisations expect to be attacked in 2015, but they are relying on a talent pool viewed as unable to handle complex threats. Thirty-five percent are unable to fill open positions, according to State of Cybersecurity: Implications for 2015, a study conducted by ISACA, a leader in cyber security, and RSA Conference, organisers of cyber security events
Aircrack-ng 1.2 RC 2 - WEP and WPA-PSK keys cracking program(Kitploit) Here is the second release candidate. Along with a LOT of fixes, it improves the support for the Airodump-ng scan visualizer. Airmon-zc is mature and is now renamed to Airmon-ng. Also, Airtun-ng is now able to encrypt and decrypt WPA on top of WEP. Another big change is recent version of GPSd now work very well with Airodump-ng
Attention Healthcare IT Teams: Five Simple Ways to Keep Patient Data Safe(Trend Micro: Simply Security) At Trend Micro, we've been trying to draw attention to the growing cyber security threat facing healthcare organizations for some time now. With recent cyber-criminal targeting of healthcare organizations, it seems like a pretty good time to revisit our advice for others in the industry who want to stay secure on their journey to the cloud
Design and Innovation
An App That Hides Secret Messages in Starcraft-Style Games(Wired) China's Internet cafes full of young nerds glued to Starcraft 2 might soon be taking on more than Zerg hordes and Protoss Colossi. One group of anti-censorship researchers wants to turn those games themselves into a weapon in the war for web freedom
New algorithm could auto-squash trolls(Naked Security) Ah, trolls. A species we know well at Naked Security: those people who bounce around in comments sections flinging language dung all over the intertubes
DHS Opens Cyber Dialogue With China(HS Today) Although cyber relations between the United States and China became strained after numerous allegations during the past year of Chinese spying operations targeting the US, the Department of Homeland Security (DHS) and China's Ministry of Public Security (MPS) are now working on reestablishing a cyber dialogue
14 Republicans move to block Internet rules(The Hill) Thirteen Republicans joined Rep. Doug Collins (R-Ga.) in support of a resolution that would block new Internet rules approved by the Federal Communications Commission
Litigation, Investigation, and Law Enforcement
EU Formally Accuses Google of Antitrust Violations(Wired) Five years ago the European Union began an investigation into whether Google violated its antitrust laws. Now it will finally bring charges against the company as well as open a new investigation into Google's Android operating system
Lawsuit Over Alleged Jihadi Link Dismissed(Courthouse News Service) Offensive Security Limited voluntarily dismissed its lawsuit claiming online education company Udemy was "being used to educate jihadists in the art of hacking"
Baltimore Cops Asked Creators Of 'The Wire' To Keep Cellphone Surveillance Vulnerabilities A Secret(TechDirt) Over the past decade, criminals have apparently gained an insurmountable technology lead over law enforcement. I'm not sure how this is possible, especially considering many criminals don't have access to the same technology cops do, much less access to generous DHS funding, and yet, here we are witnessing police officers (following orders from the FBI) tossing cases and lying to judges in order to "protect" secret tools that aren't all that much of a secret
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
AFCEA Defensive Cyber Operations Symposium(Baltimore, Maryland, USA, May 5 - 7, 2015) The U.S. Defense Information Systems Agency's new operational role in the cyber domain as network defender creates a formal relationship between DISA, U.S. Cyber Command and the command's military service...
International Symposium on Forensic Science Error Management(Washington, DC, USA, July 20 - 24, 2015) The symposium will give forensic science practitioners and researchers from around the world the opportunity to discuss best practices for identifying and reducing errors in forensic science laboratories.
USENIX Security(Washington, D.C., USA, August 12 - 14, 2015) The USENIX Security Symposium reunites researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer...
NSPW (New Security Paradigms Workshop)(Twente, Netherlands, September 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in...
ASIS International(Anaheim, California, USA, September 28 - October 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections,...
Ruxcon 2015(Melbourne, Australia, October 24 - 25, 2015) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities...
Cyber Security Summit: Industrial Sector & Governments(Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Industrial Sector & Governments brings together cyber security experts who will share their skills and know-how needed to address highly topical issues such as state-sponsored...
Cyber Security Summit: Financial Services(Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Financial Services brings together cyber security experts across the financial sector to discuss topical security vulnerabilities as well as bring forward effective...
INTERPOL World 2015(Singapore, April 14 - 16, 2015) INTERPOL World is a new biennial international security trade event which will bring police and other law enforcement agencies together with security solution providers and security professionals from...