Shamoon, the drive-wiping malware that hit Saudi Aramco and other energy firms hard in 2012, is back, with infections reported in Saudi government systems. Saudi investigators say their forensic investigation leads them to attribute the attack to an Iranian source. The new strain of Shamoon is also being called "Disttrack," and it appears to be purely disruptive in operation, with no reports of data exfiltration.
Investigation into the Tesco Bank breach suggests to some observers that the bank's connection to its parent supermarket may have afforded the attackers their way in.
The World Anti-Doping Agency is again under cyberattack, and it's either Fancy Bear or someone masquerading as Fancy.
Palo Alto Networks' Unit 42 reports on a new Google Android Trojan, “PluginPhantom," that abuses the DroidPlugin framework. PluginPhantom, which includes a keylogger, extracts a wide range of user and device information.
Facebook is calling hogwash on Check Point Software's report of Locky ransomware being spread by images in Facebook Messenger.
Firefox has patched a zero-day that could be exploited to de-anonymize Tor users.
Germany's Interior Ministry has proposed legislation that would limit the transparency of online surveillance. Interception of jailed ISIS terrorists' communications suggests planning for unusually repellent attacks targeting children. Investigation into the alleged ISIS mole in the BfV continues; the Telegraph argues any security service might overlook red flags when recruiting for scarce language skills.
A US Defense Department report accuses Chinese security firm Boyusec of working with the PLA to embed espionage tools in its security products.
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Iran, Iraq, Israel, Jamaica, Netherlands, Russia, Saudi Arabia, Syria, United Kingdom, United States.
ON THE PODCAST
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today we hear from our research partners at the University of Maryland, as Jonathan Katz describes the challenges of including encryption in ransomware. Our guest Dmitry Volkov from IB will take us through what's known about the Cobalt ATM hacks.
A special edition of our Podcast is up, too. The topic is venture capital: in it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
As always, if you enjoy the podcasts, we invite you to please consider giving it an iTunes review.
AlienVault USM Webcast (Live Webcast, December 1, 2016) Find threats lurking on your systems with host-based intrusion detection and AlienVault USM.
Deutsche Telekom attack part of global campaign on routers (Reuters) A cyber attack that infected nearly 1 million routers used to access Deutsche Telekom internet service was part of a campaign targeting web-connected devices around the globe, the German government and security researchers said on Tuesday
New Mirai Worm Knocks 900K Germans Offline (KrebsOnSecurity) More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai
Bears continue to maul anti-dopers (SC Magazine) Fancy Bear are [sic] continuing to target the western sports establishment, publishing a series of emails from inside the World Anti Doping Agency, illustrating a number of small allegedly scandalous details from inside the organisation
New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer (TrendLabs Security Intelligence Blog) In January of 2016, we found various “SmsSecurity” mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user’s device
PluginPhantom: New Android Trojan Abuses “DroidPlugin” Framework (Palo Alto Networks) Recently, we discovered a new Google Android Trojan named “PluginPhantom”, which steals many types of user information including: files, location data, contacts and Wi-Fi information. It also takes pictures, captures screenshots, records audios, intercepts and sends SMS messages. In addition, it can log the keyboard input by the Android accessibility service, acting as a keylogger
HDDCryptor: Subtle Updates, Still a Credible Threat (RDK Software Solutions) Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency (SFMTA)
Hello, You’ve Been Compromised: Upward Attack Trend Targeting VoIP Protocol SIP (Security Intelligence) There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months
IoT camera turned into a zombie in under two minutes (Naked Security) It may be the favorite easy target for those of us who like to grumble about the sad state of security in the consumer market, but there have been some egregious examples of poor security in “smart” cameras recently
Who Hacked The Lights In Ukraine? (Motherboard) On December 23 of last year, tens of thousands of people in Ukraine suffered a blackout. The culprit wasn't just another malfunction or a natural disaster—but a hacker attack. This was the first known cyberattack that took out the electric grid anywhere in the world
Dark Web Child Porn Sites Are Using 'Warrant Canaries' (Motherboard) For coal mines, canaries raised the alarm on toxic leaks. For tech companies, cryptographically signed messages—or warrant canaries—flag secret demands for user data. And on the dark web, they are supposed to show that a criminal site has not been infiltrated by law enforcement
Europol Red-faced as Terror Data Appears Online (AFP) Europol admitted on Wednesday that confidential information on terror investigations was accidentally put online, as it launched a probe into what it called a "very serious incident"
Do you know which data compliance standards apply to your organization? (Help Net Security) Despite the explosion in data collection among companies in every sector and the well-documented risks of cyber threats, a new Liaison Technologies survey of nearly 500 US C-level executives and senior-level managers reveals that nearly half (47%) are unsure which information security and privacy regulations apply to their organizations
Feds Need to Bolster Cyberprotection Speed and Range (E-Commerce Times) Providing cybersecurity that is adequate to meet increasing threats has proven to be a perpetual catch-up process. Public sector agencies are particularly sensitive targets, with high visibility not only to the citizens they serve, but also to cyberattackers
1 Top Small-Cap Stock to Buy Now (Fox Business) Small-cap stocks can deliver explosive gains -- or sizable losses. Choose well, and these high-risk yet potentially high-reward stocks can deliver multibagger returns and turbocharge your portfolio's overall performance. But choose poorly, and a small-cap stock can produce painful losses, up to and including a complete loss of capital should the business be forced into bankruptcy
FireEye execs admit channel troubles (CRN) At security vendor FireEye's Partner Advisory Council earlier this year, Nick Giampietro said partners were asked, in the wake of all its challenges with the channel and the market: Is FireEye done?
NDAA Requires Army To Buy Intelligence Software Commercially (Defense News) After a federal judge put a stop to the Army’s current plan to develop its intelligence analysis framework internally, requiring it to look again at commercially available products, a provision in the conference report of the 2017 defense policy bill further pushes the Army toward buying commercial capability
Actively Monitoring a Mobile Workforce with SecurityCenter (Tenable Network Security) As the boundaries of the traditional workplace expand from users in the traditional single office building to mobile road warriors and remote workers, the effectiveness of a vulnerability management program across all endpoints becomes more challenging
Next-gen protection against multi-vector DDoS attacks (Networks Asia) Devastating multi-vector distributed denial of service (DDoS) attacks continue to make the news. Two complex assaults on internet infrastructure company Dyn late October, that some reports claim to be in the 1.2 Tbps range, took down popular websites including Twitter, Netflix, Pinterest, Paypal, Spotify, Airbnb and Reddit
The Floodgate IoT Security Toolkit is here (App Developer Magazine) Icon Labs has announced its Floodgate IoT Security Toolkit, which enables IoT edge devices to be easily and securely integrated with IoT cloud platforms, including Verizon’s ThingSpace IoT Cloud Platform, and provides security management for remote IoT devices from a single user interface
Node.js Foundation To Oversee Node.js Security Project To Further Improve Stability for Enterprises (Yahoo!) The Node.js Foundation, a community-led and industry-backed consortium to advance the development of the Node.js platform, today announced that the Node.js Security Project will become a part of the Node.js Foundation. Under the Node.js Foundation, the Node.js Security Project will provide a unified process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem
Bypassing BitLocker during an upgrade (Naked Security) If you’ve got an iPhone, or an Android, or a Mac, or a Windows 10 computer, then you’ll know that when you do an upgrade, the device almost always reboots during the process, sometimes more than once
The Purple Team Pentest (CircleID) It's not particularly clear whether a marketing intern thought he was being clever or a fatigued pentester thought she was being cynical when the term "Purple Team Pentest" was first thrown around like spaghetti at the fridge door, but it appears we're now stuck with the term for better or worse
Next level red teaming: Working behind enemy lines (Help Net Security) The term “hacker” calls forth both positive and negative mental pictures, but I can bet that there are not many people, even in the infosec community, to whom the term generates the image of a guy running through the jungle with a laptop and an automatic weapon
House passes intelligence bill enhancing efforts against Russia (The Hill) The House passed an annual intelligence policy authorization bill on Wednesday that includes a provision to increase scrutiny of Russia's attempts to exert covert influence around the world, after the country was accused of meddling in this year's U.S. presidential election
Extremist Content and the ICT Sector (Global Network Initiative) The role of information and communication technology (ICT) companies in responding to alleged terrorist or extremist content has become one of the most challenging issues for freedom of expression and privacy online. In July 2015, GNI launched a policy dialogue to explore key questions and considerations concerning government efforts to restrict online content with the aim of protecting public safety, and to discuss the human rights implications of such government actions
US Judges Can Now Sign Global Hacking Warrants (Motherboard) On Thursday, changes to the rules around US search warrants came into effect, meaning that magistrate judges can now authorize the hacking of computers outside of their own district
Snowden: Hacking rule changes threaten Americans' rights (Washington Examiner) Changes to a little-known rule that allows law enforcement agencies like the FBI to search multiple computers with one warrant go into effect in a few hours, prompting a stern warning from former NSA contractor Edward Snowden that the rights of all Americans are in jeopardy
These senators are hoping to divide Cyber Command from the NSA (CyberScoop) A bipartisan amendment introduced Tuesday in the Senate to the 2017 National Defense Authorization Act seeks to elevate U.S. Cyber Command to a combatant command. The status upgrade would cause Cyber Command to become independent of the NSA, receive additional resources and assume different leadership than currently installed
America wonders what path Trump will tread on cybersecurity (Naked Security) Trying to predict the shape of cybersecurity under President Trump is a frustrating exercise for industry professionals. But given what’s at stake, we asked some to give it a try anyway, or at least offer the president-elect some advice
All western spy agencies, including MI5, are vulnerable to infiltration by Islamists. Here's why (Telegraph) The news that the German security service, the Bundesamt für Verfassungsschutz (BfV) may have been penetrated by an Islamist terrorist organisation will come as no surprise to western counter-intelligence analysts. In fact it will serve only as an unpleasant reminder of the vulnerability of such agencies when entrance and vetting standards are compromised in an effort to acquire language skills
Arrested German spy was a onetime gay porn actor — and a secret Islamist (Washington Post) Two weeks ago, German intelligence agents noticed an unusual user in a chat room known as a digital hideout for Islamic militants. The man claimed to be one of them — and said he was a German spy. He was offering to help Islamists infiltrate his agency’s defenses to stage a strike
Navy asks Hewlett Packard to pay up for personal data breach (Navy Times) The Navy is pressing private contractor Hewlett Packard Enterprise to pay for credit monitoring services for sailors affected by a data breach that exposed more than 130,000 social security numbers, a defense official familiar with the ongoing investigation said
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
2nd Annual Billington International Cybersecurity Summit (Washington, DC, USA, March 30, 2017) The 2nd Annual Billington International Cybersecurity Summit on March 30, 2017 at the National Press Club in Washington, DC will feature over 300 world class cybersecurity decision-makers from allied nations...
CIFI Security Summit (Toronto, Ontario, Canada, November 30 - December 1, 2016) The Annual CIFI Security Summit takes place all over the world, Asia, Europe, Australia & North America. These summits are essential 2 day conferences and exhibitions bringing together leading security...
AlienVault USM Webcast (Online, December 1, 2016) Host-based intrusion detection systems (HIDS), work by monitoring activity that is occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating...
Cyber Threats Master Class (Turin, Italy, December 1 - 2, 2016) The UNICRI Masterclass on Cyber Threats aims to provide media and public relations professionals, as well as those planning a career in public information and communication, with a deeper understanding...
Disrupt London (London, England, UK, December 3 - 6, 2016) TechCrunch Disrupt is the world’s leading authority in debuting revolutionary startups, introducing game-changing technologies, and discussing what’s top of mind for the tech industry’s key innovators.
US Department of Commerce Cyber Security Trade Mission to Turkey (Ankara and Istanbul, Turkey, December 5 - 8, 2016) Now is the time to expand in Turkey! The growth and frequency of cyber-attacks in recent years has increased the demand to protect critical data and infrastructure of governments and businesses. Turkey...
Infosecurity Magazine Conference (Boston, Massachusetts, USA, December 6 - 7, 2016) Bringing together 100+ information security end-users, analysts, policy-makers, vendors and service providers, the meeting connects the information security community providing actionable information,...
Practical Privacy Series 2016 (Washington, DC, USA, December 7 - 8, 2016) This year, the Practical Privacy Series will return to Washington, DC, with its rapid, intensive education that arms you with the knowledge you need to excel on the job. We’re programming some stunningly...
CISO Southern Cal (Los Angeles, California, USA, December 8, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations...
SANS Cyber Defense Initiative 2016 (Washington, DC, USA, December 10 - 17, 2016) Make plans to attend SANS Cyber Defense Initiative 2016 (CDI). SANS is the one educational organization known for developing the cybersecurity skills most in need right now. SANS Cyber Defense Initiative...
Privacy, Security and Trust: 14th Annual Conference (Auckland, New Zealand, December 12 - 14, 2016) This year’s international conference focuses on the three themes of Privacy, Security and Trust. It will provide a forum for global researchers to unveil their latest work in these areas and to show how...