skip navigation

More signal. Less noise.

Daily briefing.

Several sources are reporting that Sweden's infrastructure has been under threat of a cyber—or at least an electronic—attack from Russia since November of last year. A series of outages in Sweden's air traffic control system between 4 and 9 November 2015 are thought to have been caused by deliberate Russian offensive EW tests.

IBM X-Force researchers report that two banking Trojans, Nymaim and Gozi, have combined into a single malware package, "GozNym." Attackers have done this sort of thing before to assemble desired functionality into a single package—in this case they like Nymaim's two-stage dropper and Gozi's malicious dynamic link library injection.

Sucuri reports that CTB-Locker ransomware is using the Bitcoin blockchain to deliver decryption keys to victims (and take victims' payments).

Russia and Ukraine continue to host the world's most active and capable cyber criminal gangs. Notes from LookingGlass and LIFARS offer an overview of Eastern European gangland. Much money comes from direct theft, but sale of products and services is also big business. One trend in cyber gangland, says Team Cymru, is increased use of fast flux networks to make operations more resistant to takedown.

Speaking of gangland, Dmitri Fedetov, a.k.a. "Paunch," the Blackhole exploit kit impresario, was just sentenced to seven years by a Moscow court.

QuickTime for Windows is vulnerable, its support has ended, and it should be uninstalled.

The FBI still hasn't found much of anything on that jihadi's iPhone. It's still unlikely the Bureau will tell Apple how it got in.


Today's issue includes events affecting Canada, China, Denmark, European Union, Germany, India, Iran, Norway, Russia, Sweden, Ukraine, United Arab Emirates, United Kingdom, United States.

We'll be covering the SINET ITSEF conference from Mountain View, California, next Tuesday and Wednesday. Watch for our customary live-Tweets and special issues.

Catch the CyberWire's Podcast later this afternoon, with interviews, educational tips, and more on the stories of the day.


SINET IT Security Entrepreneurs Forum (ITSEF) 2016 (Mountain View, California, USA, April 19 - 20, 2016) ITSEF introduces entrepreneurs to government, business and investment leaders for open collaboration on cybersecurity challenges. Register today.

Georgetown Cybersecurity Law Institute (Washington, DC, USA, May 25 - 26, 2016) Experienced government officials, general counsels, and cybersecurity practitioners offer insight into governance, preparedness, and resilience. Register Today, CyberWire readers receive a $100 DISCOUNT using code WIRE16.

Cyber Attacks, Threats, and Vulnerabilities

Russia blamed for crashing Swedish air traffic control to test electronic warfare capabilities (International Business Times) Sources in the Swedish government have blamed Russian intelligence for causing a major cyberattack on Sweden's air traffic control system that lasted for at least five days in November 2015, allegedly due to Russia testing out its electronic warfare capabilities

Sweden Says its critical infrastructure was under Attack by Russian Hackers (HackRead) Sweden sent a message to NATO and released alert all over claiming that the country was under threat of a serious cyber-attack in November 2015. According to reports, the Swedish government claimed of receiving two separate warnings and passed them to various NATO allies including Denmark and Norway

Special Report: Confirmed cyber attack against air traffic control system (Threat Brief) We have been following reports for the last two days indicating that outages in the Swedish Air Traffic Control System between 4 and 9 November 2015 were actually caused by malicious, sustained cyber attacks from highly trained groups either supported by or under the direction of the Russian government

Banking Trojans Nymaim, Gozi Merge to Steal $4M (Threatpost) Two powerful Trojans, Nymaim and Gozi ISFB, have been combined to create a “double-headed beast” called GozNym

Ransomware authors use the bitcoin blockchain to deliver encryption keys (IDG via CSO) The CTB-Locker ransomware uses a metadata field in bitcoin transactions to store decryption keys

Alert (TA14-017A) UDP-Based Amplification Attacks (US-CERT) Certain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors

Guess what? URL shorteners short-circuit cloud security (Ars Technica) Researchers search for Microsoft, Google short URLs, find exposed personal data

Cisco UCS servers can be hijacked with malicious HTTP request (Help Net Security) A data center server platform running Cisco’s Unified Computing System (UCS) Central Software can be compromised by unauthenticated, remote attackers with a single, malicious HTTP request, security researcher Gregory Draperi has discovered

Why the smart office is highly susceptible to data breaches (Help Net Security) The Edge in Amsterdam is one of the smartest office buildings in the world. The state-of-the-art offices include 28,000 connected sensors for motion, light, temperature, humidity and other conditions, which can all be detected and adjusted to suit workers’ needs

The Global Cyber Crime Underground: Russia and Eastern Europe (Cyveillance) n last week’s blog, LookingGlass Cyber Threat Intelligence Group (CTIG) Senior Threat Analyst Emilio Iasiello and LIFARS Marketing Manager Michal Nemcok* provided a general overview of the global cyber crime underground, as well as a more in-depth look at the Chinese criminal underground. Today, they focus their discussion on the Russian and Eastern European criminal marketplaces

East European Criminal Fastflux Infrastructure (Team Cymru) Fast flux networks allow miscreants to make their network more resistant against takedowns. By updating and changing the A records of a domain rapidly, there is a constant changing list of IPs hosting the domain involved, making it harder to shutdown. The carding site at csh0p[.]cc is hosted on a fast flux network. The servers are largely located in the Ukraine and Russia. Analysis of IPs used by this fastflux networks showed that they were also used by a Teslacrypt ransomware payment site and a TreasureHunter POS controller (friltopyes[.]com) in March 2016

Blizzard Hit By Multiple DDoS Attacks (Kotaku) Players couldn’t log into games like World of Warcraft and Diablo III for several hours last night thanks to a series of DDoS attacks that flooded Blizzard’s servers, the developer said. Blizzard says they’ve since thwarted the problem, though some login issues could linger this morning

Blizzard is fending off a potential Lizard Squad cyberattack that’s affecting (Venture Beat) You may have trouble getting your Hearthstone on

Anonymous Shut Down Dalhousie University Website Against Halifax Rape Case (HackRead) In November 2015, HackRead reported about the hacktivist group Anonymous forcing Halifax Regional Municipality police into reopening the investigation of a sexual assault case involving an 18-year-old girl Jane Doe attacked by a fellow student on Halloween night at a Dalhousie University frat house in Halifax Nova Scotia, Canada

Security Patches, Mitigations, and Software Updates

Urgent Call to Action: Uninstall QuickTime for Windows Today (Trend Micro: Simply Security) We’re putting the word out that everyone should follow Apple’s guidance and uninstall QuickTime for Windows as soon as possible

Alert (TA16-105A) Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced (US-Cert) According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation

Apple stops patching QuickTime for Windows despite 2 active vulnerabilities (Ars Technica) Security firm urges Windows users to uninstall media player

VMSA-2016-0004 (VMware Security Advisories) VMware product updates address a critical security issue in the VMware Client Integration Plugin

Cyber Trends

U.S. government worse than all major industries on cyber security (Reuters via Business Insurance) U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and health care, according to a report released Thursday

Mismatch of HIT and workflow tops list of patient safety concerns (FierceHealthIT) A disconnect between health IT configurations and organizational workflow topped the ECRI Institute's 2016 list of top 10 patient safety concerns

Status Quo Stagnates Healthcare Data Security Performance (Dark Reading) Healthcare organizations still largely driven by compliance and legacy attitudes

Why few US consumers penalize hacked companies? (Help Net Security) About a quarter of American adults reported that they were notified about their personal information being part of a data breach in the previous year, but only 11 percent of those who have ever been notified say they stopped doing business with the hacked company after the event occurred, according to a new study

UK world's most targeted nation for phishing scams and ransomware (Information Age) Why is the UK so high on the list of targets for scammers, and what can we do to protect ourselves?

Hacker Lexicon: What Are White Hat, Gray Hat, and Black Hat Hackers? (Wired) After much speculation over who provided the FBI with the mysterious solution for hacking into the San Bernardino iPhone, the Washington Post reported this week that it was a “gray hat” hacker who came forward to save the day for the feds


10 Things Cyber Insurance Won't Cover (Dark Reading) Cyber insurance policies come with some important caveats to keep in mind

Products, Services, and Solutions

AristotleInsight's New Regulation Roadmap Feature Helps Expand the Cyber Intelligence Cycle (PRNewswire) In response to a need for faster compliance reporting, the engineers at Sergeant Laboratories recently developed the latest addition to their AristotleInsight software, the Regulation Roadmap

Menlo Security integrates malware isolation platform with Check Point firewalls, gateways (FierceITSecurity) Menlo Security, a security startup that emerged from stealth mode last year, is partnering with Check Point to integrate its isolation platform with Check Point's next-generation firewalls and vSEC Virtual Edition gateways, which protect virtualized environments from threats by securing virtual machines and applications

Signs point to Apple abandoning OS X branding in favor of “MacOS” [Updated] (Ars Technica) Change would bring the Mac in line with iDevices, the Apple Watch, and Apple TV

Technologies, Techniques, and Standards

Ransomware, Cyberattacks, and Hacking in the Health Care Industry: Lessons from a Letter to the FBI (Forbes) The last several weeks have brought a host of alarming revelations regarding the vulnerability of some of the most confidential data that corporations and legal entities maintain on their servers

The Risk Room: Building the Right GSOC for Your Business (Security Magazine) A GSOC’s value is now recognized as a necessity to support an enterprise’s global business goals and operations

The Time Has Come to Hack the Planet (Threatpost) Today marks an exciting development in the often monotonous rehashing of vulnerability disclosure. The ISO standard that began about 11 years ago with the emotionally loaded title “Responsible Vulnerability Disclosure,” and was finally published in early 2014 as ISO/IEC 29147 Vulnerability disclosure, is now available for download at no cost

5 Steps to Improve Your Software Supply Chain Security (Dark Reading) Organizations that take control of their software supply chains will see tremendous gains in developer productivity, improved quality, and lower risk

'Threat Hunting' On The Rise (Dark Reading) Rather than wait for the adversary to strike, many enterprises are going out actively looking for them

HTTP Public Key Pinning: How to do it right (Internet Storm Center) One of the underutilized security measures I mentioned recently was "HTTP Public Key Pinning", or HPKP. First again, what is HPKP

BBB urges digital spring cleaning (Barre Montpelier Times-Argus) The Better Business Bureau and the National Cyber Security Alliance, are urging consumers to make digital devices an additional target of their spring cleaning activities

Design and Innovation

A Scheme to Encrypt the Entire Web Is Actually Working (Wired) Apple's move to encrypt your iPhone and WhatsApp’s rollout of end-to-end encrypted messaging have generated plenty of privacy applause and law enforcement controversy. But more quietly, a small non-profit project has enacted a plan to encrypt the entire global web. And it’s working

Google May Have Found a Way to Make the Real-World Web Work (Wired) Remember beacons? Honestly, there’s not much reason you would

Facebook’s working on auto-tagging us in videos (Naked Security) Has anybody ever captured your image as you lunged at them, screaming “STOP THE TAGGING MADNESS!!”?

Legislation, Policy, and Regulation

MEPs back sharing airline data to ‘fight terrorism’ (Euro News) The European Parliament has backed sharing airline passenger data across the EU as part of the fight against terrorism

Top European countries launch tax crackdown (Seeking Alpha) In the wake of the Panama Papers scandal, the EU's five biggest economies have struck a deal to crackdown on tax avoidance, agreeing to exchange information on the beneficial owners of companies and trusts

'Silly old journalist' -- Congress and the encryption debate (FierceITSecurity) To paraphrase Christopher Robin in Winnie-the-Pooh – "Silly old journalist"

FBI stays inside for new CIO (Federal News Radio) The FBI turned to a familiar face for its new chief information officer

Cyber Is Not Always The Answer (SIGNAL: The Cyber Edge) Intrusions into U.S. networks do not necessarily require a cyber return of fire

Texas prisons’ new rules aim to force social media to close inmate accounts (Ars Technica) New rules prohibit friends and family from updating Twitter, Facebook, or Instagram

California Kills Phone Decryption Bill, But Bigger Battles Loom (Threatpost) Civil liberty groups and tech firms are celebrating the defeat of a controversial California bill that would have forced phone makers to decrypt their devices by court order. The proposed legislation, AB 1681, died when lawmakers refused to give the bill a vote

Litigation, Investigation, and Law Enforcement

No links to foreign terrorists found on San Bernardino iPhone so far, officials say (Washington Post) The FBI has found no links to foreign terrorists on the iPhone of a San Bernardino, Calif., terrorist but is still hoping that an ongoing analysis could advance its investigation into the mass shooting in December, U.S. law enforcement officials said

Apple probably won’t find out how the FBI hacked the San Bernardino iPhone (Macworld via CSO) And the iPhone 5c in question hasn’t yielded significant evidence in the crime, according to a report

Microsoft Sues U.S. Over Orders Barring It From Revealing Surveillance (New York Times) Big technology companies have usually played a defensive game with government prosecutors in their legal fight over customer information, fighting or bowing to requests for information one case at a time

A New Lawsuit from Microsoft: No More Gag Orders! (Just Security) Microsoft is once again making headlines via litigation over government’s use of the Stored Communications Act

What's this about Canada reading your BlackBerry texts? (Register) What we knew in 2010, 2012 and 2014 we still know in 2016

‘Blackhole’ Exploit Kit Author Gets 7 Years (KrebsOnSecurity) A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts — including “Paunch,” the nickname used by the author of the infamous “Blackhole” exploit kit

Суд в Москве приговорил семерых хакеров к длительному заключению за взлом сайтов банков (ТАСС) Ущерб от действий подсудимых составил более 25 млн рублей

US court agrees with feds: Warrants aren’t needed for cell-site location data (Ars Technica) Data placed suspects near a string of Radio Shack and T-Mobile store robberies

Former U.S defense contractor sentenced for passing military secrets to India (UPI) A former U.S. defense contractor with access to sensitive U.S. weapons systems has been sentenced to over four years in federal prison for passing information on those weapons to India

Dubai Issues Fatwa Against Using Neighbor’s Wifi without Permission (HackRead) Fatwa issued in Dubai, against WiFi theft with a warning that stealing your neighbors WiFi will be contradictory to Islamic principles. This Fatwa was issued this week by Dubai’s Islamic Affairs and Charitable Activities Department, wherein the concerned authorities posted the religious announcement on their website

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

CSO 50 Conference and Awards (Litchfield Park, Arizona, USA, April 18 - 20, 2016) We at CSO, the award-winning media brand, will bring you speakers from up to 50 organizations with outstanding security prowess. Over 2 ½ days, these distinguished executives and technologists will share...

2016 Cybersecurity Symposium ( Coeur d’Alene, Idaho, USA, April 18 - 20, 2016) The Cybersecurity Symposium: Your Security, Your Future is an opportunity for academic researchers and software and system developers from industry and government to meet and discuss state of the art processes...

Creech AFB–AFCEA Las Vegas Cyber Security, IT & Tactical Tech Day (Indian Springs, Nevada, USA, April 19, 2016) The Armed Forces Communications & Electronics Association (AFCEA) Las Vegas Chapter, with support from the 432d Wing, will host the 4th Annual Cyber Security, IT & Tactical Technology Day at Creech AFB...

Creech AFB–AFCEA Las Vegas Cyber Security, IT & Tactical Tech Day (Indian Springs, Nevada, USA, April 19, 2016) The Armed Forces Communications & Electronics Association (AFCEA) Las Vegas Chapter, with support from the 432d Wing, will host the 4th Annual Cyber Security, IT & Tactical Technology Day at Creech AFB...

Amsterdam 2016 FIRST Technical Colloquium (Amsterdam, the Netherlands, April 19 - 20, 2016) FIRST Technical Colloquia & Symposia provide a discussion forum for FIRST member teams and invited guests to share information about vulnerabilities, incidents, tools and all other issues that affect the...

Security & Counter Terror Expo 2016 (London, England, UK, April 19 - 20, 2016) Security & Counter Terror Expo (formerly Counter Terror Expo) is the event for any professional tasked with protecting assets, business, people and nations from terrorism. It brings over 9000 attendees...

SINET IT Security Entrepreneurs Forum (ITSEF) 2016 (Mountain View, California, USA, April 19 - 20, 2016) IT Security Entrepreneurs Forum (ITSEF) — SINET's flagship event — is designed to bridge the gap between the Federal Government and private industry. ITSEF provides a venue where entrepreneurs can meet...

SecureWorld Philadelphia (King of Prussia, Pennsylvania, USA, April 20 - 21, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 12-16 CPE credits through 60+ educational elements learning from nationally recognized industry...

2016 Akamai Government Forum: Safeguarding a Dynamic Government — End–to–End Security for your Agency (Washington, DC, USA, April 21, 2016) Today's public demands a high performance — and safe — web experience from government and public organizations. And public IT leaders require flawless web protection to securely meet that...

2016 Akamai Government Forum: Safeguarding a Dynamic Government — End–to–End Security for your Agency (Washington, DC, USA, April 21, 2016) Today's public demands a high performance — and safe — web experience from government and public organizations. And public IT leaders require flawless web protection to securely meet that demand. Join...

Army SIGINT (Fort Meade, Maryland, USA, April 25, 2016) Approximately 500 attendees will come together to discuss future technologies in Signals Intelligence (SIGINT), focusing on applications for the actual users in the field (the soldiers). Most attendees...

6th European Data Protection Days (EDPD) (Berlin, Germany, April 25 - 26, 2016) The EDPD Conference will provide participants from the business side with all the important news and updates for the international data protection business at a high level. These include key developments...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.