On Saturday Ukraine experienced an electrical outage in the vicinity of Kiev. Ukrenergo, the national power company, said the interruption was caused by an "external influence." Investigation continues, focusing on "failure of automation control."
Flashpoint has published its close look at the ShadowBrokers' leak of Equation Group code. The security company concludes, "with medium confidence," that it was an inside job. They say the data's structure looks like something from an internal code repository, one accessible to contractors and employees. The Grugq offers an interesting and wide-ranging cultural and linguistic close-reading of the communications surrounding the leak.
WordPress vulnerabilities may have been overestimated, as source-code analysis shop RIPS noted last week, but some bad actors are paying them a lot of attention nonetheless. Over the past three weeks WordFence has observed 1.6 million brute-force attempts daily against WordPress sites. About a sixth of these attacks originate in a single Ukrainian ISP.
Cisco's Talos unit warns of "hailstorm" spam: it evades detection by sending low volumes of spam from a large number of IP devices. PerimeterX observes a similar technique used in botnet-driven brute-force attacks, which avoid tripping volumetric warnings by using a very large number of bots.
Neustar's study of DDoS growth in 2016 is out. And the SANS Internet Storm Center reports that Mirai is prowling the wild, sniffing for new bots at Port 6789.
According to White Ops, Russian criminals are exploiting ad networks in the "Methbot" scam, diverting between $3 and $5 million a day from US advertisers.
Today's issue includes events affecting Egypt, Germany, Russia, Syria, Turkey, Ukraine, United States.
A note to our readers: The new Star Wars flick, Rogue One, is billed as "the epic tale of a scrappy group of rebels and their daring mission to steal the plans for the Death Star." Given what's known about information security, however, one wonders if perhaps the plans might actually have been compromised in a different way. (Like using "camaro" as your password for both Lord.Vader@deathstar.edu and Heavybreather@yakhoo.com...not that a Sith Lord and a T.I.E. ace would do that, y'know...)
Another note on our end-of-year schedule: We'll be observing US Federal holidays, as is our custom, and since this year both Christmas and New Year's Day fall on Sunday, that means we'll take a break on Monday, December 26th, and again on Monday, January 2nd. Other than that we'll publish on our normal schedule.
ON THE PODCAST
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today we'll hear from our partners at the University of Maryland, as Jonathan Katz updates us on recent advances in homomorphic encryption. We'll also have a guest, Corero's Dave Larson, who'll tell us what we can expect the DDoS landscape to look like in 2017.
A special edition of our Podcast is also up—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
As always, if you enjoy the podcasts, we invite you to please consider giving them an iTunes review. The podcast will take a holiday break on December 26th and January 2nd. Next week, December 27th through December 20th, we'll be running special best-of episodes from 2016. All returns to normal on January 3rd.
Cyber Attacks, Threats, and Vulnerabilities
Five Things to Worry About After the Assassination of Russia’s Ambassador to Turkey(Foreign Policy) On Monday, Russian Ambassador to Turkey Andrey Karlov was assassinated at an art exhibit in Ankara, reportedly shot by Mevlut Mert Altinas, a police officer. According to at least one report, the gunman said “We’ll make you pay for Aleppo” before firing at the ambassador, likely referring to Russia’s backing of the Syrian government in its brutal siege of Aleppo
Why is NERC minimizing cyber threats?(Control Global) In preparation for the January 2017 Texas A&M Cyber Security Conference, a question was raised to some select participants about our thoughts concerning a recent article on nuclear plant cyber security – “UN: Threat of a hacking attack on nuclear plants is growing”
Insider Threats: “The Shadow Brokers” Likely Did Not Hack the NSA(Flashpoint) Based on the data released in the most recent dump by the threat actor known as “The Shadow Brokers,” Flashpoint assesses with medium confidence that the stolen information was likely obtained from a rogue insider. Flashpoint is uncertain of how these documents were exfiltrated, but they appear to have been copied from an internal system or code repository and not directly accessed through external remote access or discovered on any external staging server
The Danger from the Net(WeltN24) Thyssenkrupp has just fended off a large-scale attack from the internet. For mid-sized companies, cyber attacks can even mean insolvency. And even private individuals are not safe
Online retailers' fake news problem(Christian Science Monitor Passcode) Just as fake news circulated around the web ahead of the presidential election, bogus ads are spreading on Facebook and Twitter as a vehicle for delivering malicious software
2016 SS8 Threat Rewind Report(SS8) Over the past year, SS8 has conducted breach detection risk assessments on live production networks for companies in key industries including critical infrastructure, retail and education using our BreachDetect platform. BreachDetect leverages technology used by the nation’s leading law enforcement and intelligence agencies to uncover digital footprints associated with suspects-of-interest (SOI) to help enterprises uncover previously unknown threats posed by devices-of-interest (DOI)
Mirai Scanning for Port 6789 Looking for New Victims(SANS Internet Storm Center) Early today, a reader reported they were seeing a big spike in inbound tcp/6789 to their honeypots. We have seen similar in DShield's data starting on December 17. It was actually a subject of discussion this weekend, and this helpful data from Qihoo's Network Security Research lab attributes the large increase to Mirai, the default-password-compromising malware that infected various internet-connected IoT devices. It's hard to see in the graph as it is still not a huge (but still significant) portion of Mirai scanning traffic. Here are port-specific graphs from Qihoo as well showing the start time of the spike
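A defender reading this report would want to check their own perimeter logs for the same pattern. The Python below is an added example, not code from the SANS ISC post, DShield or Qihoo: it parses constructed firewall log lines (the key=value format is an assumption) and flags days on which inbound tcp/6789 attempts jump well above the prior-day baseline and come from many distinct sources, which is what botnet scanning looks like as opposed to one noisy scanner.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample firewall/honeypot log lines; the format and addresses are
# assumptions for this example, not real DShield or Qihoo data.
SAMPLE_LOG = """\
2016-12-15T01:02:03Z src=198.51.100.7 dport=6789 proto=tcp action=drop
2016-12-15T05:12:44Z src=203.0.113.9 dport=23 proto=tcp action=drop
2016-12-16T02:30:01Z src=198.51.100.8 dport=6789 proto=tcp action=drop
2016-12-16T09:45:10Z src=203.0.113.10 dport=23 proto=tcp action=drop
2016-12-17T00:01:00Z src=192.0.2.1 dport=6789 proto=tcp action=drop
2016-12-17T00:02:00Z src=192.0.2.2 dport=6789 proto=tcp action=drop
2016-12-17T00:03:00Z src=192.0.2.3 dport=6789 proto=tcp action=drop
2016-12-17T00:04:00Z src=192.0.2.4 dport=6789 proto=tcp action=drop
2016-12-17T00:05:00Z src=192.0.2.5 dport=6789 proto=tcp action=drop
2016-12-17T00:06:00Z src=192.0.2.6 dport=6789 proto=tcp action=drop
2016-12-17T00:07:00Z src=203.0.113.11 dport=23 proto=tcp action=drop
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)"
)

def parse_log(text):
    """Yield (day, src, dport) for each well-formed tcp line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("proto") == "tcp":
            yield m.group("day"), m.group("src"), int(m.group("dport"))

def daily_port_stats(records, port):
    """Per day: (attempt count, distinct source count) for one destination port."""
    hits = defaultdict(list)
    for day, src, dport in records:
        if dport == port:
            hits[day].append(src)
    return {day: (len(srcs), len(set(srcs))) for day, srcs in sorted(hits.items())}

def find_scan_spikes(stats, factor=3.0, min_sources=5):
    """Flag days whose attempt count exceeds factor x the median of all earlier days
    and that involve at least min_sources distinct sources (many bots, not one scanner)."""
    flagged = []
    days = list(stats)
    for i, day in enumerate(days):
        prior = [stats[d][0] for d in days[:i]]
        if not prior:
            continue  # no baseline yet for the first observed day
        baseline = median(prior)
        count, distinct = stats[day]
        if count > factor * baseline and distinct >= min_sources:
            flagged.append((day, count, distinct, baseline))
    return flagged

def mirai_6789_report(text=SAMPLE_LOG):
    """Spike days for tcp/6789 as a list of (day, attempts, distinct sources, baseline)."""
    return find_scan_spikes(daily_port_stats(parse_log(text), 6789))

if __name__ == "__main__":
    for day, count, distinct, base in mirai_6789_report():
        print(f"{day}: {count} attempts on tcp/6789 from {distinct} sources (baseline {base})")
```

Point the same functions at your real denied-inbound logs to see whether the December 17 spike the ISC saw on DShield also reached your edge; the distinct-source threshold keeps a single aggressive scanner from tripping the alert.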
Spammers Work Up A Hailstorm(Dark Reading) In their constant effort to evade anti-spam filters, spammers have devised a new way to deliver junk mail to your inbox
Alice: A Lightweight, Compact, No-Nonsense ATM Malware(TrendLabs Security Intelligence Blog) Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A
The Many Evolutions of Locky(Forcepoint) First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to both large organisations and residential users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history
Ransomware Top 10 list of 2016(Indian Cyber Security Solutions) Ransomware attacks on corporate houses in 2016 were very common. Some ransomware attacked the critical infrastructure of organizations. Ransomware attacks panicked the entire corporate world. There are hundreds of ransomware families which came into the limelight after they attacked many organizations. Some of the most dangerous ransomware of 2016 are as follows
Malware Exchange Busted by the Feds Relaunches, At Least in Name(Motherboard) The digital underground is a fragile place, with hacking forums sometimes being shuttered by police. That's what happened to malware-marketplace Darkode last year: in coordinated raids, the FBI, UK's National Crime Agency, and a slew of other law enforcement bodies arrested over 70 hackers and closed the popular site
Fake Apps Take Advantage of Super Mario Run Release(TrendLabs Security Intelligence Blog) Earlier this year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps. As 2016 comes to a close, we observe the same thing happening to another of Nintendo’s game properties: Super Mario
Signal Claims Egypt Is Blocking Access to Encrypted Messaging App(Motherboard) Egypt has been censoring access to encrypted messaging app Signal, according to Open Whisper Systems, the company behind the app. The move highlights that as privacy-focused users move to technologies such as Signal, governments may still try to limit their use
27 Chinese Hackers Profiled(Wapack Labs) Hackers use information sharing and collaboration, and there is a large community of Chinese coders doing just that -- exchanging ideas and tools, and sharing software development. This week, Wapack Labs published a study of 27 of the most active Chinese coders, revealing some common characteristics of this community
Citizens will share personal data with smart city programs by 2019(Help Net Security) The rapid pace of technological and societal change has given government CIOs a new sense of urgency and a willingness to experiment with smart city and open data initiatives, according to Gartner. If managed effectively, this shift will position governments at the core of technological innovation in society
UK Consumers Fear Hackers Will Disrupt their Christmas(Infosecurity Magazine) Over half (59%) of consumers are worried that staff shortages over Christmas will mean their data and key IT systems are more at risk from hackers, according to new research from Huntsman Security
Verizon Wants Concessions on Yahoo(Investopedia) There have been reports Verizon Communications Inc. (VZ) has requested changes to its pending acquisition of Yahoo’s core assets for $4.85 billion in the wake of revelations of a new Yahoo cyberhack
Blog: DHS S&T Has Money to Award for Innovation, New Technologies(SIGNAL) Douglas Maughan, director of the Cyber Security Division at the U.S. Department of Homeland Security (DHS), recently briefed members from AFCEA International’s Homeland Security and Small Business committees on the Silicon Valley Innovation Program (SVIP), which launched in 2015 and serves to cultivate relationships with technology innovators, particularly nontraditional performers, from small startups to large companies, investors, incubators and accelerators
Salient CRGT Expands Assure 6i Software Product Offerings(Washington Exec) Fairfax, Va.-based Salient CRGT Inc. announced Dec. 15 that the company is expanding its software product offerings of Appix Financial Services, Assure 6i™ Cyber Security Solutions and Voyager™ Mobility Solutions to add enhanced features, be more widely available and decentralized, and offer multi-platform accessibility
Tufin extends Check Point R80 security management(App Developer Magazine) Tufin, a provider of network security policy orchestration solutions, has announced support for Check Point R80 Security Management, delivering end-to-end change automation and continuous policy compliance for joint customers across hybrid networks
Infobyte launches Faraday App Store(Broadway World) Infobyte works to design solutions that help improve information security systems. With that goal, it is now presenting Faraday App Store, a place where you can acquire and merge essential tools to optimize security audits for your company
Digital security tips for journalists: Protecting sources and yourself(Journalist's Resource) With hacking and other digital intrusions becoming a regular feature of life in the computer age, it’s more critical than ever for journalists to protect their sources. But for many, the tech world is intimidating. This tip sheet offers free resources for journalists of all digital-comfort levels as well as links to useful tutorials
Mitigating internal risk: Three steps to educate employees(Help Net Security) IT security is usually focused on how to prevent outsiders with malicious intent from causing harm to your IT systems and data. While this is a valid concern, people within organizations who simply do not understand the consequences of their everyday habits and behavior on company computers pose an equivalent if not greater risk
Five Ways To Avoid Holiday CyberFraud(Forbes) As more and more people are shopping online -- a record $3 billion in sales was racked up this past CyberMonday alone -- ever more thieves are active in cyberspace. That means you have to pay even more attention to cybersecurity
Google is beefing up security by offering tools to check cryptography libraries(Yahoo! Tech) Google security engineers Daniel Bleichenbacher and Thai Duong announced the launch of Project Wycheproof on Monday, a set of security tests that look for known weaknesses and check for expected behaviors in cryptographic software. It’s named after the smallest mountain in the world, Mount Wycheproof, because “the smaller the mountain the easier it is to climb it.” Project Wycheproof is provided on GitHub via open source to download and use for testing popular cryptographic algorithms such as AES-EAX and AES-GCM, and related software libraries
Google-Chrysler autonomous project will include ride-sharing(Auto Blog) Google's new Waymo automobile-technology division might have just gotten "way mo" interesting, if you'll excuse the pun. Google, which this spring said it would work with Fiat Chrysler Automobiles on the development of a self-driving Chrysler minivan prototype, is adding a ride-sharing component to the project
An Eye for an Eye: Deterring Russian Cyber Intrusions(War on the Rocks) The U.S. intelligence community has confirmed what many suspected for months: Agents directly affiliated with the Russian government conducted malicious cyber operations intended to influence the 2016 U.S. presidential election. Russia’s primary motive — now accepted by the Director of National Intelligence, the Central Intelligence Agency, and, most recently, the Federal Bureau of Investigation — was not simply to undermine the legitimacy of American democracy, but to actually bolster Trump’s chances of defeating Clinton. Moreover, new reports suggest that Vladimir Putin himself may have actually given the orders
Cyber goes hyper!(Federal News Radio) Eight years ago, one of the think tanks published a grand extended white paper: “Securing Cyberspace for the 44th Presidency.” I often think that if some law of nature imposed a 10-page limit on all reports generated in Washington, more would actually get done. Yet during the Barack Obama administration and the Congresses that coincided with it, the federal government has made a lot of progress
Trump appointee to FCC could put the brakes on Wheeler cyber initiatives(Washington Examiner) One of the chief architects of cybersecurity policy during the Obama years — Federal Communications Commission Chairman Thomas Wheeler — last week announced he will leave the FCC on Jan. 20, clearing the way for a Donald Trump appointee who may put the brakes on a couple of cyber initiatives that have roiled industry
The Department of Homeland Security is essential to US cyber strategy(The Hill) Last week, President-elect Donald Trump formally nominated former commander of United States Southern Command Gen. John F. Kelly to serve as secretary of the Department of Homeland Security (DHS). In his announcement, he cited Gen. Kelly's “decades of military service and deep commitment to fighting the threat of terrorism inside our borders”
Impressed by DoD’s digital service, Army decides it needs one of its own(Federal News Radio) First there was the U.S. Digital Service, then the Defense Digital Service. Now the Army says it’s becoming the first of the military services to launch a digital service “outpost” and wants a dedicated team of technology experts from outside the government to tackle its own problems
NSA Watchdog on Leave in Whistleblower Case(New York Times) Allegations of retaliation against a whistleblower at the National Security Agency have left its top watchdog fighting for his job, according to an intelligence official and another individual familiar with the case
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
SANS Southern California - Anaheim 2017(Anaheim, California, USA, February 6 - 11, 2017) Learn practical, relevant tips and techniques from industry leaders. Join us for SANS Southern California - Anaheim 2017, and choose from eight courses on cyber defense, penetration testing, incident response,...
SANS San Jose 2017(Milpitas, California, USA, March 6 - 11, 2017) Securing and defending your network has never been more important as attacks and breaches make the news daily. Gain the skills and tools you need to win the battle against the wide range of cyber adversaries...
SANS Pen Test Austin 2017(Austin, Texas, USA, March 27 - April 1, 2017) Every organization needs skilled people who know how to find vulnerabilities, understand risk, and help prioritize resources based on mitigating potential real-world attacks. That's what SANS Pen Test...
SANS 2017(Orlando, Florida, USA, April 7 - 14, 2017) Success in information security requires making a commitment to a career of learning, from the fundamentals to advanced techniques. To put you firmly on that learning path, join us at SANS 2017 in Orlando,...
CES® CyberSecurity Forum(Las Vegas, Nevada, USA, January 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in...
SANS Security East 2017(New Orleans, Louisiana, USA, January 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in...
Cybersecurity of Critical Infrastructure Summit 2017(College Station, Texas, USA, January 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats...
ShmooCon 2017(Washington, DC, USA, January 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and...
SANS Las Vegas 2017(Las Vegas, Nevada, USA, January 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you...
BlueHat IL(Tel Aviv, Israel, January 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel.
Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017(Arlington, Virginia, USA, January 25 - February 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but...
Blockchain Protocol and Security Engineering(Stanford, California, USA, January 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.