The Week that Was.
August 20, 2017.
By The CyberWire Staff
Extremism online and on the ground.
Last weekend's riot in Charlottesville, Virginia, in which neo-Nazi-led marchers brawled with Antifa counter-protesters, ended in murder: one person was killed and several injured when a neo-Nazi sympathizer rammed his car into a crowd (New York Times). It was followed by a jihadist car-ramming in Spain. In both cases online chatter inspired the attackers.
The center of neo-Nazi inspiration in the US is held to be the Daily Stormer, an online publication evidently inspired by Nazi Germany's Stürmer, a newspaper vile enough to earn its publisher a death sentence at the Nuremberg Tribunal in 1946. The Stormer has been ejected from essentially all of the legitimate sites that had hosted or provided services for it; it currently exists only in a Tor half-world, and only intermittently there (HackRead). Private companies are generally thought by legal experts to be within their rights to refuse to do business with "non-protected classes," which would include most political groups (Ars Technica).
Even Cloudflare, among the industry's most principled free-speech advocates, booted the Stormer after the publication claimed Cloudflare was in sympathy with its views (decidedly not the case) (WIRED). But Cloudflare's CEO remains uneasy about the control companies can exert over speech. He's called for industry to think through how it should handle extremist content (TechCrunch).
Online vigilantes (encouraged by some celebrities who have themselves been victims of doxing, and whom one would think might know better) have doxed people they think they see in pictures of the neo-Nazi marchers. Foreseeably, many of those doxed are entirely innocent and uninvolved (WIRED).
The jihadists in Spain were members of a network Catalan police swiftly rounded up (mostly killed). The principal attacker retrospectively looks like a known wolf; the cell he belonged to participated in the now sadly familiar forms of jihadist inspiration (Times).
In an unrelated action, Saudi authorities are indicting "radical" Twitter users, essentially ultra-Wahhabi extremists (CNN).
Online crime, and information operations against it.
A US Drug Enforcement Administration presentation recognizes the futility of trying to take out illegal trafficking sites by subverting encryption, as good an indication as any of how the crypto wars stand in the US (Security Week).
Fighting extremist violence can draw lessons from law enforcement at least as often as it does from intelligence services and the military. Here's one interesting approach that may have wider application. Police have succeeded in taking down online contraband souks like Silk Road and AlphaBay, but buyers and sellers, after a period of inconvenience, generally find one another again in some other dark net sewer.
But some police report good results from a more purely informational approach to the black market: leave bad reviews; then leave them alone. Buyers apparently care a great deal about the seller's reputation as expressed in the criminal equivalents of Yelp, and complaining that some guy is a rip-off apparently has a swift and negative effect on said rip-off artist's business (Motherboard).
The continuing effect of Equation Group leaks.
Exploits the ShadowBrokers leaked continue to affect security. WannaCry, generally thought to have been contained through patching and more effective detection, has resurfaced, this time in the service center networks of South Korean company LG (HackRead).
Fancy Bear used Eternal-series exploits to compromise Wi-Fi servers of upscale hotels in European and Middle Eastern capitals. The GRU's apparent targets are high-value diplomats and industrial leaders (Naked Security). Kaspersky calls the leaked exploits "game changers" (Computer Weekly), and Cylance agrees that unpatched SMB flaws present a serious continuing risk (Computer Weekly).
Damage assessment: NotPetya.
Maersk, hard-hit by the NotPetya pseudoransomware attacks, is assessing the damage it sustained, and has found that damage substantial, estimated at some $300 million (Infosecurity Magazine). Maersk has taken extensive measures to reorganize its business and shore up security; these have been driven from the shipping company's highest levels (Financial Times).
Damage assessment: HBO hack (a.k.a. Game of Thrones hack).
On Wednesday HBO's Twitter and Facebook accounts were briefly hijacked by the faux white hats of OurMine, who hadn't been heard from in a while (Variety). Tripwire sees at least three lessons. First, use multifactor authentication. Second, if you sustain one breach, look for others (hackers tend to kick you when you're down). And third, continuous improvement should be your practice: the threat evolves and so should you.
The Time Warner cable giant has struggled with "Mr. Smith" since its networks were penetrated in July, but HBO has, after initial attempts to treat the hackers like bug-bounty white hats, held firm in its refusal to pay its attackers off. While costs of responding to the attack are still unknown (investigation, remediation, and other recovery expenses will be non-negligible), the damage done to the company's revenues and brand seems minor. Viewers continue to watch; subscribers continue to subscribe.
Industry observers contrast HBO's experience with Sony's much more corrosive exposure by the Guardians of Peace in 2014. People seem disposed to regard HBO as the victim, and such emails as have leaked don't contain the sort of toxicity that poisoned Sony management's relationship with customers, investors, and talent (Variety).
A Game of Thrones star suggests an old-school approach to securing scripts: air-gap them. Nikolaj Coster-Waldau says they should stop distributing scripts electronically, and just deliver them in hard copy, as in the old days (Fox News). Presumably that's how it was done in Westeros, anyway: Dragon delivery may no longer be available, but maybe showrunners could consider a DJI drone, security now upgraded in an attempt to woo back the United States Army (Naked Security).
Operation #LeakTheAnalyst is looking like attempted market manipulation.
Operation #LeakTheAnalyst continued with another, minor poke at FireEye, specifically the company's Mandiant unit, but there's little fresh evidence that the hackers' large claims of having compromised the security company in a big way amount to much more than a lot of hot air. The hacker's second release, which didn't amount to much, was accompanied by a prolegomenon that showed an interest in hitting the company's valuation: “It was funny seeing their frustration during these days. Trying to track us while keeping their shares value not to drop under $14 … we’re going to punish the lairs [sic], the fat riches who care only about their stock shares” (Motherboard).
Investigation into the incident continues, and has taken an interesting turn that suggests the hacker cares about FireEye's "stock shares" as much as the company's board of directors does. The hacker broke into a Mandiant analyst's personal email about a year ago, but waited to announce his (her? their?) success until such an announcement was likely to damage FireEye's stock price. The leaks went up on Pastebin on July 31st, a day before FireEye was to report its second quarter results. Pastebin took the posts down, but they've since circulated through multiple Twitter accounts. It's unclear whether the hack had any appreciable effect on FireEye's share price, which is down, but not obviously because of the incident (Cyberscoop).
US Cyber Command will become a unified combatant command.
As has been long expected and much discussed, US Cyber Command will now become a unified combatant command (UCC). President Trump made the formal announcement Friday. Cyber Command has been a subcommand of US Strategic Command (Politico).
The decision is also regarded as a step toward splitting Cyber Command leadership from the National Security Agency (NSA)—currently both organizations are led by the same officer, Admiral Michael Rogers. Separation would involve another Presidential decision. Secretary of Defense Mattis has been directed to recommend a commander for Senate confirmation to the new post; Admiral Rogers is expected to retain his dual responsibility for now (Washington Post). Army Lieutenant General William Mayville is regarded by observers as a likely candidate to lead the newly elevated organization (Real Clear Defense).
UCC status for US Cyber Command is generally regarded as desirable. Its current position, commanded by the Director NSA but operating as a subordinate organization of US Strategic Command, is seen as leading to fragmented and imperfectly focused operations in cyberspace. Its close ties to NSA bring with them the familiar difficulties that arise when intelligence and operational missions are commingled.
Unified combatant commands are "command[s] with a broad continuing mission under a single commander and composed of significant assigned components of two or more Military Departments that is established and so designated by the President, through the Secretary of Defense with the advice and assistance of the Chairman of the Joint Chiefs of Staff" (DOD Dictionary of Military and Associated Terms). UCCs report directly to the Secretary of Defense, then to the President, making them in effect the top-level US military organizations. Their place in the US Defense establishment is specified in 10 US Code Chapter 6.
Six of the current UCCs are geographical, focused on a specific area of responsibility. The remaining three are functional (US Department of Defense). Cyber Command will become the fourth functional command.
Ukraine's security services have warned the country to brace for another round of cyber attacks (Kyiv Post). The country's central bank has also warned the financial sector that it may be seeing an outbreak of malware comparable to the June NotPetya infestation (Reuters).
Russia is moving troops into Belarus for joint exercises. Many observers expect them to stay as part of a long-range campaign on Moscow's part to re-engorge the Near Abroad, as former Soviet Republics are called in Russia. The troops are participating in the Zapad ("West") exercises, held every four years, so their deployment isn't unexpected. But war in Ukraine and heightened tensions with Poland, the Baltic States, and NATO in general raise doubts that the forces will redeploy to Russia once the exercise concludes (Newsweek). Belarus, which shares borders with not only Russia, but Poland, Latvia, Lithuania, and Ukraine as well, has long been, from the Kremlin's point of view, among the most tractable states in the Near Abroad. The country's president, Aleksandr Lukashenko, has been in office since full independence in 1994, which should indicate to even casual observers the sort of regime Belarus enjoys.
More cloud misconfiguration and data exposure.
A misconfigured Amazon Web Services S3 bucket connected to voting machines in the US state of Illinois has exposed the data of some 1.8 million Chicago voters. The breach curiously seems to affect Chicago voters only, but it appears to be the result of now-familiar inattention to the public-accessibility settings of an S3 bucket (Register). Such misconfigurations are the user's responsibility, but Amazon has introduced a new tool, Macie, designed to help its customers find and protect their sensitive data (CSO).
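As an added illustration of the exposure pattern described above (example code written for this summary, not anything from the Register or CSO reports or from Amazon): a small offline checker that inspects an S3 bucket policy document and an ACL grant list for grants to everyone, run against constructed sample documents. The bucket name, statement Sids, account ID and role ARN are made up; a real audit would feed it the JSON returned by boto3's `get_bucket_policy` and `get_bucket_acl` calls.

```python
import json

# ACL group URIs that make a bucket or its objects readable beyond the owning account
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_doc):
    """Return (Sid, verdict) for each Allow statement open to the wildcard principal.

    verdict is "public" for an unconditional grant and "conditional" when the
    statement carries a Condition block that may narrow it (review by hand).
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", "statement[%d]" % i)
        findings.append((label, "conditional" if stmt.get("Condition") else "public"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def assess_bucket(name, policy_doc, acl):
    """Combine both checks into one verdict for a bucket."""
    policy_findings = public_policy_statements(policy_doc) if policy_doc else []
    acl_findings = public_acl_grants(acl)
    return {
        "bucket": name,
        "public": any(v == "public" for _, v in policy_findings) or bool(acl_findings),
        "needs_review": any(v == "conditional" for _, v in policy_findings),
        "policy": policy_findings,
        "acl": acl_findings,
    }


# Constructed sample documents (hypothetical bucket, account and VPC endpoint; not from the page)
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-export/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-voter-export",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
    ],
})
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# The corrected equivalents: a named principal instead of the wildcard, owner-only ACL
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExportReaderOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-export-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-export/*"},
    ],
})
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for label, pol, acl in (("exposed", EXPOSED_POLICY, EXPOSED_ACL),
                            ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(label, assess_bucket("example-voter-export", pol, acl))
```

The checker deliberately treats a wildcard principal under a Condition as "needs review" rather than safe: a `aws:SourceVpce` or source-IP condition may genuinely confine the grant, but a mistyped condition key silently fails open, so a human should read it.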
India's Aadhaar national identification system has been exposed again, this time through flaws in a system designed by the National Informatics Centre (Hindustan Times).
Cyberespionage: through backdoors, brute force, and exploits.
NetSarang, the South Korean maker of widely used server management products, this week disclosed that a backdoor, "ShadowPad," had been inserted into recent product builds somewhere in the supply chain. They've patched, and they urge users to upgrade to the latest versions immediately (Computing). British users of NetSarang software seem particularly exercised about the espionage threat; the backdoor appears to have been introduced into the supply chain by actors working for Chinese intelligence services (Express).
The Parliament of Scotland sustained an attempt by unknown parties to brute-force their way into email accounts at Holyrood (BBC). The attack is similar to the one the Parliament at Westminster experienced earlier this summer. So far defenses at Holyrood have for the most part held (Guardian).
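A detection-side illustration of the pattern in the Holyrood and Westminster incidents (an added example written for this summary, not code from either Parliament's IT teams, the BBC or the Guardian): a Python routine that reads constructed authentication log lines and flags source addresses whose failed logins exceed a threshold inside a sliding window, separating single-account brute force from password spraying across many accounts and noting any later success from the same source. The log format, addresses, user names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical users and documentation-range
# addresses; not taken from the page): ISO timestamp, FAIL/OK, user, source address
SAMPLE_LOG = """\
2017-08-15T02:10:01Z FAIL user=alice src=198.51.100.7
2017-08-15T02:10:09Z FAIL user=alice src=198.51.100.7
2017-08-15T02:10:17Z FAIL user=alice src=198.51.100.7
2017-08-15T02:10:25Z FAIL user=alice src=198.51.100.7
2017-08-15T02:10:33Z FAIL user=alice src=198.51.100.7
2017-08-15T02:10:41Z FAIL user=alice src=198.51.100.7
2017-08-15T02:11:02Z FAIL user=bob src=203.0.113.9
2017-08-15T02:11:40Z FAIL user=carol src=203.0.113.9
2017-08-15T02:12:15Z FAIL user=dave src=203.0.113.9
2017-08-15T02:12:50Z FAIL user=erin src=203.0.113.9
2017-08-15T02:13:30Z FAIL user=frank src=203.0.113.9
2017-08-15T02:14:05Z FAIL user=grace src=203.0.113.9
2017-08-15T02:15:00Z FAIL user=heidi src=192.0.2.5
2017-08-15T02:15:20Z OK user=heidi src=192.0.2.5
2017-08-15T03:30:00Z FAIL user=alice src=198.51.100.7
2017-08-15T03:30:30Z OK user=alice src=198.51.100.7
"""


def parse_line(line):
    """Turn one log line into (timestamp, result, user, src); None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return ts, parts[1], fields["user"], fields["src"]


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Return {src: alert} for sources with at least `threshold` failures inside one window."""
    failures = defaultdict(list)     # src -> [failure timestamps]
    failed_users = defaultdict(set)  # src -> {accounts it failed against}
    successes = defaultdict(list)    # src -> [(timestamp, user)] for successful logins
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "FAIL":
            failures[src].append(ts)
            failed_users[src].add(user)
        elif result == "OK":
            successes[src].append((ts, user))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        peak = max_in_window(times, window)
        if peak < threshold:
            continue
        # A later success against an account this source had already failed on is the
        # finding to escalate first: it may mean a guess landed.
        first_fail = times[0]
        succeeded_after = {u for t, u in successes[src] if t > first_fail and u in failed_users[src]}
        alerts[src] = {
            "peak_failures": peak,
            "total_failures": len(times),
            "users": sorted(failed_users[src]),
            # many distinct accounts with few tries each is spraying; one account hammered is brute force
            "kind": "spray" if len(failed_users[src]) >= 3 else "brute-force",
            "succeeded_after": succeeded_after,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

On the sample, 198.51.100.7 is flagged as brute force against one account with a later successful login, 203.0.113.9 as a spray across six accounts, and 192.0.2.5 (one failure followed by a success) is left alone, which is what a lockout-and-alert policy should distinguish.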
As tensions over Pyongyang's nuclear ambitions remain high, North Korean cyber operators step up collection efforts against US defense and aerospace companies (Palo Alto Networks). Pyongyang's hackers are thought to belong to the Lazarus Group (Bleeping Computer).
Crime and punishment (or at least, allegation and extradition).
Marcus Hutchins, a.k.a. MalwareTech, is out on bail as he prepares for his October trial in a US Federal Court. He's accused of having been instrumental in writing and selling the Kronos banking Trojan. He had achieved recent acclaim, before his arrest in Las Vegas right after Black Hat, for his role in flipping WannaCry's "kill switch." Hutchins has attracted considerable sympathy from security researchers, and indeed the charges against him appear to involve relatively novel and aggressive applications of relevant criminal law (Guardian). Still, the US Department of Justice says Hutchins confessed to writing Kronos (Engadget). Whether that counts as a crime the court will decide. Hutchins has entered a plea of not guilty (Reuters). Britain's GCHQ apparently knew that Hutchins was under FBI investigation before he departed the UK for Vegas (Times).
Karim Baratov, arrested in March by Toronto police, has waived his right to a hearing in Canada and will be extradited to the United States. Baratov faces ten counts of wire fraud and computer abuse for what the US alleges is his role in the Yahoo! breach. About 500 million accounts were compromised between 2014 and 2016 in an incident that materially affected Yahoo! and the price it fetched in acquisition by Verizon. Baratov is said to have hacked Yahoo! under the direction of Russia's FSB, and two FSB officers, Dmitry Dokuchaev and Igor Sushchin, are indicted co-conspirators. Dokuchaev and Sushchin are not of course in custody, but their case represents the first time the US has brought criminal hacking charges against Russian intelligence officers (Cyberscoop).
Marcel Lehel Lazar, famous under his "Guccifer" nom de hack, is back in his native Romania, where he's serving a sentence for violating his Romanian probation for involvement in cyber crime. He's due to be returned to the US to do the time he's received for US convictions, but he's telling reporters he shouldn't be returned to a US prison, but should be allowed to serve his sentences concurrently in the old country. Lazar claims he accessed Hillary Clinton's email servers when she was Secretary of State, and he's also claiming that he has reasons to believe the Guccifer 2.0 hacks were "an inside job" and not the work of Russian intelligence, as is generally believed (SC Magazine).
The "inside job" theory of the DNC hacks has gained adherents in some surprising, politically left precincts. The Nation has been pushing the theory, credited to VIPS (Veteran Intelligence Professionals for Sanity) that the material WikiLeaks obtained from the DNC was delivered to it by disgruntled insiders. Most in Washington still see Russian intelligence service hacking as the most probable source (The Hill).
Some FBI digging into the DNC hack and related election influence operations seems likely to produce a dry hole. "Profexor," the Ukrainian hacker who's talking to Ukrainian authorities and the Bureau about Fancy Bear's operations, may not have any particular insight to offer. The P.A.S. tool he says he was involved with probably wasn't used to hack political targets. For one thing, it doesn't appear in the GRIZZLYSTEPPE report the New York Times cites (KrebsOnSecurity). GRIZZLYSTEPPE itself is now regarded as more of a multi-agency compendium than a focused report on a connected set of incidents (Robert M. Lee).
Today's issue includes events affecting Belarus, Canada, China, India, Democratic People's Republic of Korea, Republic of Korea, Romania, Russia, Saudi Arabia, Spain, Ukraine, United Kingdom, United States.