skip navigation

More signal. Less noise.

Daily briefing.

Anonymous goes after three new targets: North Korea (to protest the DPRK's presumably easily militarized satellite launch), Saudi Arabia (to protest various human rights issues, and to demand the country's exclusion from the Olympics), and South Africa (where a job portal is attacked to protest child labor practices).

In other hacktivist news, White Hat "vigilantes" struggle with LizardSquad, contesting control over a network of compromised home routers. (In fairness to LizardSquad, characterizing the loose group as "hacktivist" is probably at this point misleading, given its steadily increasing participation in criminal black markets.)

Investigation into doxing at the US Departments of Justice and Homeland Security continues. It seems likely the attackers' point of entry was a compromised staffer account used to socially engineer an agency help desk. Those responsible (now known as "the DotGovs") posted their take on CryptoBin, which according to Tripwire has since become less accessible to searches.

The US Internal Revenue Service warns that somewhat more than 100,000 taxpayers' e-file credentials may have been compromised. The incident, the IRS says, was an automated attack on its Electronic Filing PIN application. The attack's been contained (without, authorities say, loss of personal data). The IRS is notifying taxpayers whose e-file accounts were prospected.

Palo Alto Networks warns that tax-themed phishing is spreading the NanoCore RAT.

SAP has patched a problem in its Manufacturing Integration and Intelligence (xMII) ICS product. Cisco closes a buffer overflow vulnerability in its ASA Software. (That vulnerability is being actively probed in the wild.) Patch now.


Today's issue includes events affecting European Union, Democratic Peoples Republic of Korea, Russia, Saudi Arabia, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

North Korea Bears the Brunt of Satellite Launch — Becomes Target of Anonymous (Hack Read) A group of hackers famously known as New World Hackers (NWH) has attacked a number of state websites in North Korea

Anonymous Wants Saudi Arabia Out from Olympics for Battering Human Rights (Hack Read) Saudi Arabia has always been criticized by the West for its strict civil laws and so-called Shari'ah abiding regulations

Anonymous Hacks South African Job Portal Against Child Labour (Hack Read) As you may know, the OpAfrica is underway and the online hacktivist Anonymous has been targeting African governments against corruption, injustice, child abuse and child labour in the African countries

Hacker May Have Punched Through FBI Cyber Security With One Phone Call (Defense One) It doesn't matter how technically secure your data is if it's protected by gullible humans

CryptoBin Down Amid Claims Hacker Posted Details of 20,000 FBI Employees (Tripwire: the State of Security) Sometimes things would be better if people didn't keep their word. Take hackers, for instance

More than 100K taxpayers' e-file credentials stolen in IRS malware attack (FierceGovernmentIT) The Internal Revenue Services has identified and halted an attack on an online tax application that allowed perpetrators to obtain the e-file personal identification numbers of 101,000 tax payers

IRS Statement on E-filing PIN (IRS) The IRS recently identified and halted an automated attack upon its Electronic Filing PIN application on IRS[dot]gov

NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails (Palo Alto Networks) It seems every mainstream news event or holiday has an accompanying phishing campaign. Opportunistic actors hoping to capitalize on the public's attention are often seen sending phishing e-mails with themes related to the news or the season

Fake Security App for AliPay customers — Android SMS Stealer (ZScaler) During an ongoing analysis to protect our customers from the latest mobile threats, we came across an Android malware that disguised itself as a security feature for a famous Chinese online payment app, AliPay. Upon analysis, we discovered that the fake app is a malicious SMS stealer Trojan

UmbreCrypt Ransomware manually installed via Terminal Services (Bleeping Computer) A new CrypBoss ransomware variant has been released called UmbreCrypt

Critical Cisco ASA IKEv2/v2 Vulnerability. Active Scanning Detected (Internet Storm Center) Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions. (CVE-2016-1287)

Cisco ASA firewall has a wormable problem (CSO) It has been a rough couple of weeks for security vendors. Juniper with their remote access issue and and then Fortinet with their hardcoded password. Now, Cisco has found itself in the media

How Bad is Avast SafeZone Flaw (Information Security Buzz) Chris Underhill Head of IT and Security at UK-based cyber security firm, Cyber Security Partners have the following comments on the Avast SafeZone flaw

Vigilante Hackers Fight Lizard Squad For Control Of 150,000 Home Routers (Forbes) Home routers with little to no security are far too common. They're dangerous from a number of perspectives: as peeping holes for spying on people's daily web use, for filtering stolen files and for launching distributed denial of service (DDoS) attacks, where the power of combined compromised machines is used to flood target websites with traffic, thereby knocking them offline

DNSChanger Outbreak Linked to Adware Install Base (Cisco Blogs) Late last autumn, the detector described in one of our previous posts, Cognitive Research: Learning Detectors of Malicious Network Traffic, started to pick up a handful of infected hosts exhibiting a new kind of malware behavior. Initially, the number of infections were quite low, and nothing had drawn particular attention to the findings

Android root malware widespread in third-party app stores (IDG via CSO) Users should be cautious when downloading from app stores other than Google Play

Skimmers Hijack ATM Network Cables (KrebsOnSecurity) If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data

Flaw in Sparkle Updater for Mac opens users of popular apps to system compromise (Help Net Security) A security engineer has recently discovered a serious vulnerability in Sparkle, the widely used open source software update framework for Mac applications, that could be exploited by attackers to mount a man-in-the-middle attack and ultimately take control of the computer if they are located on the same network

The Phishie Awards: (Dis)Honoring the Best of the Worst Phishing Attacks (Dark Reading) From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition

CSO Online's 2016 data breach blotter (CSO) There were 736 million records exposed in 2015 due to a record setting 3,930 data breaches. 2016 has only just started, and as the blotter shows, there are a number of incidents being reported in the public, proving that data protection is still one of the hardest tasks to master in InfoSec

IBM's X-Force team hacks into smart building (CSO) As buildings get smarter and increasingly connected to the Internet, they become a potential vector for attackers to target

How to Hack the Power Grid Through Home Air Conditioners (Wired) There are many ways we know of to cause a blackout

Malware developers hide in plain sight in online sandboxes (Tech Republic) Malware analysis using online sandboxes is another example of technology designed to assist good guys that ends up helping bad guys as much if not more

Bitcoin brain wallets are useless, like Bitcoiners' passwords (Naked Security) Hard to guess! Long! Complex! Unique! Coming up with strong passwords is hard

Security Patches, Mitigations, and Software Updates

SAP plugs critical software flaw that could let hackers into factories (Register) It would be alarmist to say it sounds like a Stuxnet vector, so we won't do that

SAP slaps a patch on leaky factory software (ComputerWorld) A flaw in SAP Manufacturing Integration and Intelligence (xMII) allows attackers to extract information without authorization

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (Cisco) A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code

Execute My Packet (Exodus Intelligence) Cisco has issued a fix to address CVE-2016-1287. The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server. It is advertised as "the industry's most deployed stateful firewall." When deployed as a VPN, the device is accessible from the Internet and provides access to a company's internal networks

FEB 16 Criticial Fixes Issued for Windows, Java, Flash (KrebsOnSecurity) Microsoft Windows users and those with Adobe Flash Player or Java installed, it's time to update again!

Microsoft patches critical security flaws and tells us the full details for the first time (TechRadar) Windows Update will never be quite as mysterious again

Gmail to warn when email comms are not encrypted (Help Net Security) From now on, Gmail users will be able to see whether their communications with other email account holders — whether Gmail or any other email service — is secured. If it's not, there will be a red broken lock icon in the upper right corner of the message

Google bangs another nail in Flash's coffin (Graham Cluley) Google has announced that it is dropping support for Adobe Flash-based online ads

Facebook Paid Out $4.3 Million in Bounties Since 2011 (SecurityWeek) Facebook has paid out a total of more than $4.3 million since the launch of its bug bounty program in 2011, the social media giant said on Tuesday

Cyber Trends

IoT Next Surveillance Frontier, Says US Spy Chief (InformationWeek) US Director of National Intelligence James Clapper delivers chilling remarks regarding the Internet of Things, noting there may come a day when spy agencies may tap into IoT for surveillance, network access, and more

Cylance's Stuart McClure on cyberthreats to critical infrastructure (FedScoop) Cybersecurity Insights & Perspectives host Kevin Greene speaks with Cylance's Stuart McClure on the evolving threat landscape — and moving beyond response and detection to prevention

Redspin Releases Annual Report on the State of Cyber Security in Healthcare (CNN Money) Large scale hacking attacks dominate 2015 statistics; over 100 million patient records affected

SOF's Cyber FRINGE (Small Wars Journal) When everything is connected to everything else, warfare will have a very different face

2016 Security Pressures Report (Trustwave) Welcome to the 2016 Security Pressures Report from Trustwave


Former spymaster to help fight City cyber crime (Financial Times) The former head of GCHQ has been drafted in to help boost the City of London's defences against cyber attacks. Sir Iain Lobban, who was director of GCHQ between 2008 and 2014, is helping insurance broker Marsh to draft a report on cyber resilience for TheCityUK lobby group

What's the real cost of a security breach? (Help Net Security) The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million, according to NTT Com Security

Alberta's auditor general questions royalty reduction and cyber attack assessment (Calgary Herald) Alberta's auditor general criticized Alberta Energy Wednesday for failing to assess the performance of its oil and gas royalty reduction programs and for failing to assess the potential impacts of a cyber attack on the industry

Is The Cybersecurity Bubble About To Burst? (Dark Reading) Cybersecurity stocks are way down in 2016 so far, but venture capital money still flows

Can FireEye Stop Its Losing Streak? (The Street) Shares of enterprise security company FireEye continue to get hammered, plummeting 40% already in 2016 and 65% in the past 12 months. And if you've held FireEye stock over the past three years, you're likely in the hole about 67%

Israeli standalone cyber security startup Cynet raises $7M Series A (GeekTime) Since they began operations in 2015, they have only encountered 10 cases of false positives out of a total of 6,000 alerts issued — this might be the real deal

Former Blue Coat CEO Launches Security Operations Center-As-A-Service Startup (CRN) Former Blue Coat Systems CEO Brian NeSmith is diving back into the security market with the Wednesday launch of Arctic Wolf Networks, a Sunnyvale, Calif.-based security startup that offers a Security Operations Center-as-a-Service solution

ZeroFOX Appoints Sales & Marketing Execs to Accelerate Global Growth (ZeroFOX) Jon Fraleigh, former VP of WW Sales at IBM's Security Systems Division and Q1 Labs, will take over as EVP of Worldwide Field Operations, and Brian Reed, formerly of Good Technologies, will take over as Chief Marketing Officer

Products, Services, and Solutions

Network forensic analysis tool NetworkMiner 2.0 released (Help Net Security) NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network

Arctic Wolf Heralds Fastest to Deploy Security Operations Center (SOC)-as-a-Service for Mid-Market Companies (BusinessWire) Cloud SIEM-based service provides enterprise-class cybersecurity against 77% of security breaches targeting mid-market companies

Startup Spotlight: Vectra Networks' Threat Detection (eSecurity Planet) Automated intrusion detection that can detect APTs in real time is Vectra Networks' focus

Bromium Announces Next-Generation Endpoint Protection Software Solution (Sys-Con Media) Advanced endpoint security combines endpoint protection, endpoint monitoring and threat analysis; protect, detect and respond to advanced attacks, zero-day threats and breaches in real time

Avast Launches Wi-Fi Finder for Android to Help Spot Secure Wi-Fi Connections (Softpedia) The app is based on a crowdsourcing program from 2015

Israel's Ministry of Health Secures Health Data with Safe-T Box 6.0 (Newsfactor) Israel's Ministry of Health secures health information with Safe-T Box 6.0 — Safe application access and file sharing provides an additional layer of protection against data loss and cyber-attacks

Technologies, Techniques, and Standards

No, VTech cannot simply absolve itself of security responsibility (Troy Hunt) A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked and millions of accounts exposed including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents replete with where they (and assumedly their children) could be located

Threat Intelligence and SIEM (Part 2) — Understanding Threat Intelligence (Recorded Future) In part one of the series we addressed the limitation of the reactive security posture of "traditional" security information and event management (SIEM) solutions

Tomcat IR with XOR.DDoS (Internet Storm Center) Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response when the time come. This article will walk through an incident where Tomcat is used and what critical artifacts you should collect

Cyber Risk Demands All Hands on Deck: Proofpoint CFO (CFO) A finance chief brings his engineering background to bear on spear-phishing and other cybersecurity risks

Design and Innovation

The Schism Over Bitcoin Is How Bitcoin Is Supposed to Work (Wired) The Bitcoin Community can't even agree on whether it's breaking up


Cambridge2Cambridge hackathon fulfils Obama's dream (BusinessWeekly) Student teams from the two Cambridges — in the UK and Massachusetts — are set to fulfil the vision of President Obama and David Cameron to get the best young transatlantic brains tackling cyber security problems

Legislation, Policy, and Regulation

New EU Cyber-Security Law Moves Closer (Wynyard Group) New EU obligations on cyber-security have moved a step closer to becoming law now that the text of the proposed Network and Information Security (NIS) Directive has been agreed

Third Committee Report Critical Of UK's "Sloppy" Draft Surveillance Bill (TechCrunch) A third UK parliamentary committee has now published a report on the government's draft surveillance legislation

US Congress locks and loads three anti-encryption bullets (Register) We might ban it, we might not, but we will be in charge

Obama's cybersecurity agenda bold, but relies on untested funding, experts say (Network World) The IT Modernization fund has important goals that won't be reached until well after the current administration expires

White House's Cybersecurity National Action Plan Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council (National Law Review) Following the announcement of the President's Cybersecurity National Action Plan (CNAP), an initiative designed to "enhance cybersecurity capabilities within the Federal Government and across the country," the White House has released a fact sheet outlining the different components of the CNAP

Help Wanted: Federal Chief Information Security Officer, Executive Office Of The U.S. President (Forbes) If the salary being offered for the newly minted job of Federal Chief Information Security Officer (CISO) is any indication, then the U.S. government is going to have a hard time recruiting qualified candidates

DOD's $6.7B cyber budget focused on emerging threats (Defense Systems) The Defense Department's 2017 budget request is looking to amp up spending on cyber operations to $6.7 billion, which would represent about a 16 percent increase from the spending enacted for fiscal 2016

DNI Releases Budget Figure for FY2017 Appropriations Requested for the National Intelligence Program (IC on the Record) Consistent with Section 601 of the Implementing the Recommendations of the 9/11 Commission Act of 2007, as amended (50 U.S.C. 3306), the Director of National Intelligence is disclosing to the public the aggregate amount of appropriations requested for Fiscal Year 2017

Good Defense is Good Offense: NSA Myths and the Merger (Lawfare) Over at Just Security, Ross Schulman opines that "When NSA Merges Its Offense and Defense, Encryption Loses." Schulman argues that under NSA's newly announced reorganization, the Information Assurance Directorate (IAD) "will be subsumed by the intelligence-gathering program" and "effectively cease to exist"

Trust and the NSA Reorganization (Lawfare) Yesterday, Susan defended the NSA21 reorganization based on her experience working for the Agency

Senate Committee Backs Nominee for OPM Director After Breach (ABC News) A Senate committee is backing President Barack Obama's nominee to head the Office of Personnel Management

Litigation, Investigation, and Law Enforcement

Moscow raids could signal end of global Dyre bank trojan menace (Register) Police keep mum as malware activity flatlines

State Department offers Clinton email installment Saturday (Politico) Responding to a federal judge's complaints about delays in the court-ordered process of releasing Hillary Clinton's emails, the State Department is now offering to post a batch of about 550 messages online Saturday

Android app helps Iranians avoid morality police checkpoints (Ars Technica) Gershad crowdsources intelligence on routes around potential public humiliation

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Pwn2Own 2016 (Vancouver, British Columbia, Canada, March 16 - 17, 2016) Since its inception in 2007, Pwn2Own has increased the challenge level at each new competition, and this year is no different. While the latest browsers from Google, Microsoft, and Apple are still targets,...

Black Hat Asia 2016 (Singapore, March 29, 2016) Black Hat is returning to Asia again in 2016, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days — two...

ISC West 2016 (Las Vegas, Nevada, USA, April 6 - 8, 2016) ISC West is the leading physical security event to unite the entire security channel, from dealers, installers, integrators, specifiers, consultants and end-users of physical, network and IT products.

2016 Akamai Government Forum: Safeguarding a Dynamic Government — End–to–End Security for your Agency (Washington, DC, USA, April 21, 2016) Today's public demands a high performance — and safe — web experience from government and public organizations. And public IT leaders require flawless web protection to securely meet that...

Black Hat USA 2016 (Las Vegas, Nevada, USA, August 3 - 4, 2016) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners...

Upcoming Events

SecureWorld Charlotte (Charlotte, North Carolina, USA, February 11, 2016) Join your fellow security professionals for affordable, high-quality cybersecurity training and education. Earn 6-12 CPE credits through 30+ educational elements learning from nationally recognized industry...

Suits and Spooks (Washington, DC, USA, February 4 - 5, 2015) Suits and Spooks DC (Feb 4-5, 2015) is moving to the Ritz Carlton hotel in Pentagon City! We're expanding our attendee capacity to 200 and for the first time will be including space for exhibitors. We...

2016 Cyber Security Division R&D Showcase and Technical Workshop (Washington, DC, USA, February 17 - 19, 2016) The cybersecurity threat continues to evolve and in order to keep ahead of the threat; new cutting-edge cybersecurity technologies are needed. The Cyber Security Division (CSD) within the Department of...

Department of the Navy (DON) IT Conference, West Coast 2016 (San Deigo, California, USA, February 17 - 19, 2016) The purpose of the DON IT conference is to: (1) Explain the new and invigorated DUSN (M), DON/AA, and DON CIO organization and its business and IT transformation priorities. (2) Share information that...

National Insider Threat Special Interest Workding Group: Insider Threats From A Human Resources & Legal Perspective (Laurel, Maryland, USA, February 18, 2016) This meeting will be focused on "Insider Threats From A Human Resources & Legal Perspective." Mrs. Jordan C. Meadows, Security Program Analyst at Rolls-Royce North America will present from the Human Resources...

ICISSP 2016 (Rome, Italy, February 19 - 21, 2016) The International Conference on Information Systems Security and Privacy aims at creating a meeting point for researchers and practitioners that address security and privacy challenges that concern information...

Interconnect2016 (Las Vegas, Nevada, USA, February 21 - 25, 2016) IBM InterConnect 2016 is for those who are building new business models, transforming industries, and creating better outcomes. Whether you're a C-suite executive, IT leader, developer, designer, architect,...

CISO Canada Summit (Montréal, Québec, Canada, February 21 - 23, 2016) Tactics and best practices for taking on enterprise IT security threats. The CISO Summit will bring together C-level IT security executives, industry analysts and solution providers to discuss challenges...

cybergamut Tech Tuesday: Neuro Cyber Analytics: Understanding the Patterns of Human Cognition in the Cyber Domain (Elkridge, Maryland, Middletown, February 23, 2016) This presentation will discuss Neuro Cyber Analytics. Humans use context-specific neurocognitive patterns for receiving and processing internal and external sensory information. Stated differently, people...

Insider Threat Program Development Training Course — Maryland (Annapolis, Maryland, USA, February 23 - 25, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies...

CISO New York Summit (New York, New York, USA, February 25, 2016) A data breach is not only a PR nightmare, but cause for customers to turn to competitors, exposing sensitive company information and racking up fines from industry regulators. In order for organizations...

BSides San Francisco (San Francisco, California, USA, February 28 - 29, 2016) BSides San Francisco is an Information / Security conference that's different. We're a 100% volunteer organized event, put on by and for the community, and we truly strive to keep information free. There...

CISO Summit Europe (London, England, UK, February 28 - March 1, 2016) With the media covering the latest data breaches, cloud computing security questions going unanswered and hackers developing more sophisticated attacks, the IT department has a growing responsibility to...

RSA Conference 2016 (San Francisco, California, USA, February 29 - March 4, 2016) Celebrating its 25th anniversary, RSA Conference continues to drive the information security agenda forward. Connect with industry leaders at RSA Conference 2016

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.