Experts and executives meet this fall to discuss emerging global cyber threats.
The week that was.
WikiLeaks dumps CouchPotato documents from Vault7.
Vault7 this week disgorged material on an alleged CIA video remote monitoring tool. It's aptly called "CouchPotato" (HackRead).
Confident in your incident response and business continuity plans?
NotPetya continues to ripple through shipping and manufacturing markets.
NotPetya is delivering windfalls for relatively unaffected firms, as customers of hard-hit companies shift their trade. DHL, which NotPetya affected only briefly (twenty-seven express systems in Ukraine infected but swiftly remediated), saw no negative effect on earnings, but is seeing an increase in business this quarter. "We are seeing volume increases in Europe in the third quarter, probably because rivals were more affected than we were," CFO Melanie Kreis said after DHL reported results (Reuters).
Customers are said to be "furious" with FedEx European subsidiary TNT, which was much affected by NotPetya. The BBC ran a litany of sad customer stories almost worthy of a prim Jerry Springer, if such can be imagined: a table delivered too late for its recipient's birthday (with a broken table leg, too—they've got pictures to prove it), a wedding dress that almost arrived too late for the wedding (but got there just in time, thank heavens—more pictures) etc. (BBC). (Seriously, consumer impact has a business impact.)
To be sure, NotPetya looked like a disruptive operation as opposed to a conventional robbery or extortion caper, but, pioneered by states or not, attacks on manufacturers and their supply chain are now seen as having considerable criminal potential (Security Sales and Integration).
Kaspersky Lab's quarterly report warns that more pseudoransomware like NotPetya is coming. The proven attack method will continue to appeal to governments and other threat actors of unclear motivation and provenance. Where disruption is the goal, as opposed to theft, pseudoransomware has shown it can answer the bell. TechCrunch calls the technique a "wolf in wolf's clothing," which seems right.
40+ cyber thought leaders to examine cyber threats and solutions at summit.
Crooks will follow in the spies' tracks.
The Cyber Department of Ukraine's National Police announced on August 5th an arrest in connection with NotPetya (Кіберполіції України). The suspect (reported to be one Sergey Neverov, described in Ukrainian media as a "nerd") was picked up in Nikopol; he's not thought to be the malware's author, but rather to have used it in a tax fraud scheme (Bleeping Computer). When police seized the suspect's computers, they found a list of companies who seem to have deliberately used the "Petya malware" to cover up illicit activity. "They specifically infected their own computers to cover up (unspecified) illegal activities and evade the payment of fines to the government," the investigators said (Threatpost). Ukraine has consistently blamed Russia for cyber attacks against Ukraine. Such attacks can serve many purposes, however, and may attract many opportunistic actors.
Ad-free podcasts now available to Patrons.
Fancy Bear checks into some upscale hotels (using an Equation Group key).
FireEye reports that Fancy Bear (Russia's GRU) has used leaked EternalBlue tools from the Equation Group to propagate spyware across the Wi-Fi networks of hotels in seven European and one Middle Eastern capitals. They establish presence by phishing, move rapidly through the network using EternalBlue, and then install Responder credential-stealing malware. The targets are characterized as "high-value hotel guests" (WIRED).
DNS forensics: where intuition meets experience.
Hybrid warfare updates.
Russian preparation for (and execution of) hybrid war continues. An analysis in the Frankfurter Allgemeine sees the Russian economy as having been placed on a war-footing.
A week after US Secretary of State Tillerson visited Georgia, Russian President Putin visited the Russian-occupied breakaway province of Abkhazia, which Russia separated from Georgia along with South Ossetia in 2008. That incident foreshadowed the current operations in Ukraine's Donbas, combining cyber attacks with deniable military action. Georgia has considered closer ties with NATO, and President Putin's visit is seen by some as serving notice: things got hot for Ukraine when it started getting too friendly with NATO (Foreign Policy).
International response has so far consisted largely of sanctions, most recently in the form of a US law Congress passed and President Trump signed and in some mutual expulsion of diplomats (New Yorker). Congress is considering requiring the US to develop an "information warfare" plan to hold in readiness for use against Russia (Washington Examiner).
As always, deterrence in cyberspace, clarity about proportional response, and a clear understanding of the line between espionage and acts of war remain underdeveloped. An opinion piece in the Diplomat argues for "active cyber defense," and for involving the private sector in ways that would increase the US Government's capacity to respond.
Some distinctions are in order, since such a proposal can sound like a return to marque-and-reprisal. "Active Cyber Defense" is a term of art for an approach to cyber defense that concentrates on achieving resilience by automating sensing, remediation, and information-sharing to the greatest possible extent. It involves no intrusion into hostile or non-cooperating networks or systems. "Active defense," in contrast, would involve counterattack, inflicting damage on an attacker by exploiting vulnerabilities in attack toolkits, distributing disinformation, inflicting malicious code, etc. Active defense is a controversial defensive strategy, but it seems closer to deterrence than Active Cyber Defense.
Other ongoing incident look like cyber offensive operations. As North Korea's missile testing and nuclear threats have continued, researchers report seeing increased activity of Konni and Inexsmar malware deployed against DPRK targets (Cyberscoop). There's no attribution, yet, but plenty of states with significant cyber capabilities (essentially, all of them) have reason to be worried about North Korea's nuclear strike capability.
And EirGrid, Ireland's electrical power utility, is thought to have come under cyberattack by a "state-sponsored" actor. That actor's identity and motives are unclear, but the attempt has been compared to incidents in Ukraine (Hot for Security).
Venezuela's ongoing political and economic crisis has prompted not only fighting but some credible allegations of government vote fraud in the elections that put in place an extra-parliamentary group charged with "rectifying" the constitution. It's also prompted some rebel hacking. According to reports, a hacktivist group associated with the rebels has conducted cyberattacks against sites in that country. Most, but not all, of the affected services belong to the Venezuelan state. The group claiming responsibility calls itself "the Binary Guardians" (BBC).
Researchers at security firm Intezer describe an anti-Israeli, pro-Palestinian wiper malware "Israbye" that's currently circulating in the wild. It's not cryptoransomware, since it offers no prospect of file recovery until such time as Israel “disepeare” [sic]—effectively, of course, no prospect of recovery at all. It also doesn't encrypt files. Rather, it replaces their content with anti-Israel messages. The wiper began circulating around the time Israeli authorities imposed certain restrictions on visits to the Temple Mount and the Al Aqsa Mosque situated there—metal detector installation was found particularly objectionable by Muslim worshippers. The restrictions were quickly eased, but the malware continues to circulate. It's not exactly ransomware, despite some gestures in that direction, nor is it pseudoransomware like NotPetya, but Israbye does bear a family resemblance to that style of attack (HackRead).
Rumors of rogue insiders at the DNC and Clinton campaign.
There's some thought, shouted in the Nation, stated quietly in Bloomberg, that insiders, not Russian intelligence services (or at the very least not just Russian intelligence services), were the ones who compromised the Democratic National Committee and the Clinton presidential campaign last year. The dissenting explanation centers on the role of Guccifer 2.0. The story is developing, but is interesting in that it's moved from the precincts of conspiracy theory to two publications that seldom have skin in the conspiracy game.
Mr. Smith goes to Midtown.
The HBO hacker or hackers going by "Mr. Smith" released an email from HBO that offered them a "'bounty payment' of $250,000 as part of a program in which 'white hat IT professionals' are rewarded for 'bringing these types of things to our attention.'" Variety notes that HBO's note to the hackers is "curiously non-confrontational," but in any case the hackers didn't bite; they're holding out for millions (Variety). So it appears that at least one of the following things happened: either HBO offered ransom under by the fig leaf of a bug bounty to make Mr. Smith go away quietly, or HBO hoped to finesse the hackers into becoming harmless white hats, or HBO hoped to wrap them up for delivery to law enforcement. Whatever was intended, the hackers spit the proffered hook and called Variety.
The Register suggests some interesting background. The ransom note HBO received indicated that "Mr. Smith" has an annual budget of $500 thousand, used to buy zero-days. They invest in tools that enable them to compromise corporate networks, which would make them a zero-day broker gone rogue. "Mr. Smith claims to make between $12 million and $15 million a year, which would account for the $6 million to $7.5 million "six-months' salary demand. In any case, HBO and "Mr. Smith" appear for now to be at an impasse.
Both Mandiant and the FBI are investigating the HBO hack. Many in the security industry see the media as a relatively attractive target for hackers, and the entertainment industry has seen enough in the HBO affair to be spooked.
Winter is coming. So is GDPR (Brexit or not).
Regulations expected to go into force in the UK next spring would impose fines of up to £17 million on critical infrastructure companies (notably those involved in transportation or energy distribution) whose failure to harden their systems resulted in consequences similar to those sustained during the WannaCry and NotPetya incidents. They essentially establish the GDPR as the controlling data privacy standard in the UK. Observers note that such fines are actually larger than the hefty ones GDPR would impose for data mishandling (Register).
Crypto wars: news from the UK front.
Jonathan Evans, former MI5 director, weighs in on the pro-encryption side of the crypto wars. His view is similar to that some of his US counterparts have expressed: weakened encryption poses a risk disproportionate to any potential investigatory advantages it might provide (Computing).
Passwords are always passé, yet somehow always with us.
Familiar advice about making strong passwords and changing them frequently began in 2003, with NIST Special Publication 800-63, specifically Appendix A. The advice included such password-building practices as using irregular capitalization, including at least one numeral, and throwing in some special characters, perhaps in lieu of a letter. It also advised changing passwords frequently. But the author of Appendix A, retired NIST expert Bill Burr—and we hasten to say that he's one of the good guys—now regrets his advice, most of which NIST ejected from the current version of SP 800-63. The advice drove people to lazy practices, Burr now believes, and tended to lead them to devise passwords that are hard for people to remember, but easy for machines to crack. Current thinking is to base passwords on some idiosyncratic but easily remembered short phrase that would be difficult for automated systems to guess (Verge).
Dashlane's 2017 Password Power Rankings are out, they report that about half the Websites they looked at fell short even of even those now questionable standards. Passwords are always on the way out, and Centrify says the HBO hack is another nail in the password's coffin (Security Brief), but a convincing, easy-to-implement alternative has yet to fully emerge. So passwords are likely to remain with us, but supplemented by other means of authentication (Naked Security). It's worth noting that no password guidelines are likely to remain permanent. Like everything else in the field of conflict, such guidelines are on the offense-defense seesaw.
New NIST framework offers workforce guidelines.
NIST has a new framework out, offering guidelines for classification and career paths in cybersecurity (GovTechWorks). The framework may be found in Special Publication 800-181. It defines a common lexicon, outlines knowledge and skill requirements, and suggests job roles that can be applied in both Government and the private sector.
Other (alleged) crime and (potential) punishment.
Marcus Hutchins, a.k.a. MalwareTech, the individual hailed as a hero for inadvertently discovering and flipping WannaCry's kill switch, was arrested last week by the FBI on a warrant alleging his role in creating and distributing the Kronos banking Trojan. He's been released on bail after entering a plea of not guilty (Computing). His arraignment, which had been scheduled for Tuesday, has been postponed into next week (Fifth Domain).
The US FBI has made a collar in an unusually repellent extortion case. One Buster Hernandez has been arrested. The Government alleges that, using the pseudonym "Brian Kil," Hernandez sextorted underage girls online, sometimes threatening them with murder. He is alleged to have cloaked his activities in Tor, but the Bureau was able to trap him with a video designed and placed for that purpose (Naked Security).
Tuesday was Patch Tuesday, and major software vendors (notably Adobe, Google Microsoft, and SAP) have issued fixes for their products. Google's August Android update addressed ten critical bugs (Threatpost). SAP's round of patching fixed nineteen problems, three of which were rated "high-severity" issues (Threatpost).
Adobe's patches addressed problems with Acrobat, Reader, and Flash Player. Most observers recommend that uses of Acrobat and Reader devote their attention to updating the software for those two products. They continue to recommend that disabling Flash Player, scheduled for final retirement by Adobe in 2020. The software has been a perennial target of attackers (KrebsOnSecurity).
Microsoft's forty-eight patches affect Windows, Internet Explorer (IE), Edge, the subsystem for Linux, Kernel, SharePoint, SQL Server and Hyper-V. The vulnerabilities addressed don't appear to be undergoing exploitation in the wild, but some of the patches are sufficiently important that they should be applied as soon as possible. Experts concur that CVE-2017-8620, a Windows Search Remote Code Execution Vulnerability, is the big one, and they say applying it should be a priority (ZDNet). Redmond will not patch the SMBLoris flaw researchers disclosed to it: Microsoft doesn't regard this as a security bug (Bleeping Computer).
Management by SMS?
Salesforce fired two senior engineers for their talk at DEF CON. Their presentation was about MEATPISTOL, an internal penetration-testing tool similar to Metasploit (the anagram is intentional). The engineers believed they'd been cleared to give the presentation, but a late SMS message, which the pair said they didn't see, directed them not to give the talk. And so they were terminated. Salesforce had intended to open-source MEATPISTOL, but the company's current plans for the tool remain unknown (Register).
SDxCentral published a list of "top security start-ups to watch in 2017." It includes Armis (IoT security), Awake Security (with an automated security analytics platform), Balbix (risk analytics and resilience assessment), Block Armour (blockchain-based security applications), Bricata (advanced security sensors), Corelight (enterprise network visibility), Edgewise Networks (zero-trust networking), Elastic Beam (API security), and Jask (predictive security).
BlueTeam Global announced its launch with a $125 million funding round (PRNewswire).
Deloitte announced acquisition of some of Blab's assets. The intention is to use Blab's predictive social intelligence analytics to give customers advanced warning of "reputational events" (PRNewswire). Symantec will acquire Fireglass, the Israeli browser-isolation shop (Monotone). KeyLogic has bought CrossResolve in a move to expand its biometric service offerings. (BiometricUpdate).
This CyberWire look back at the Week that Was discusses events affecting European Union, Georgia, Israel, NATO/OTAN, Russia, Ukraine, United Kingdom, United States, and Venezuela.
© 2018 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.