Dana Foundation speeds move from waterfall to DevOps with embedded security.

Forward-looking organizations are increasing innovation velocity, modernizing development while trying to stay ahead of the constantly changing threat landscape. Learn how one such organization, The Dana Foundation, was able to move from waterfall to DevOps methodology while embedding security earlier in the development process and gain full visibility of security across the development lifecycle. Register for our webinar September 14 at 1PM ET to learn how.

The Week that Was.

Vault7 and the first known (to us) instance of (alleged) liaisonware. 

WikiLeaks resumed its regular practice of dumping what it claims are CIA documents describing offensive cyber operations. This week's Vault7 haul describes "ExpressLane," which is unusual in that it appears to have targeted partner organizations, most of them American agencies like the National Security Agency, the FBI, and the Department of Homeland Security. The program is said to have worked by requiring installation of a software update as a condition of doing business with Langley, and, says WikiLeaks, those updates also installed backdoors (The Hill).

Bank of America needs your cyber security experience.

As one of the world's leading financial institutions, Bank of America has built an extraordinary team of cyber security professionals focused on defending critical financial services infrastructure. That team is growing and needs your experience. Find exciting and rewarding opportunities across the United States for ethical hackers, intrusion analysts, malware analysts, crypto architects and more.

Crooks and cheats.

Some criminals, Trend Micro reports, are exploiting online games with malicious Chrome extensions, thereby stealing in-game currency. The malware takes cookies from running Roblox processes—Roblox is the popular massively multiplayer social media gaming platform—but could be adapted to pull information from any website. If you install it, you give it a hunting license for your information. The malicious extension is for sale in the Dream Market underground souk for just ninety-nine cents.

Trend Micro uses the occasion of their discovery to offer a useful reminder. "This is a good time to remember to always verify the permissions required before any Chrome extensions are installed," they say in their report. "If you are unsure about these permissions, it’s better to not install the extension in the first place. This particular malicious extension requires the 'Read and change all your data on the websites you visit' permission, which should be a hint of its malicious behavior" (TrendLabs Security Intelligence Blog).
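One way to act on that advice before installing, as an added example that is not from the original page or from Trend Micro: a small Python audit of a Chrome extension's manifest.json that flags the broad host match patterns behind the "Read and change all your data on the websites you visit" warning, and flags them again when they are paired with the cookies or tabs APIs. The sample manifests are constructed, and the set of patterns treated as broad is an assumption drawn from Chrome's match-pattern documentation rather than from the page.

```python
import json
from typing import Iterable

# Match patterns that Chrome collapses into the broad "read and change all your
# data on the websites you visit" warning (assumption: set taken from Chrome's
# match-pattern documentation, not from the original page).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with broad host access, let an extension lift
# session cookies from any site, the behaviour described for the Roblox extension.
SENSITIVE_API_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs"}


def _host_patterns(manifest: dict) -> Iterable[str]:
    """Yield every host match pattern the manifest requests (MV2 or MV3)."""
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                yield entry
    # Content scripts are injected into every page matching "matches".
    for script in manifest.get("content_scripts", []):
        yield from script.get("matches", [])


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings; an empty list means no broad access requested."""
    findings = []
    broad = sorted({p for p in _host_patterns(manifest) if p in BROAD_HOST_PATTERNS})
    if broad:
        findings.append(f"broad host access {broad}: can read and change data on every site")
    api = sorted(set(manifest.get("permissions", [])) & SENSITIVE_API_PERMISSIONS)
    if api and broad:
        findings.append(f"{api} combined with broad host access: can harvest session cookies")
    elif api:
        findings.append(f"{api} requested: sensitive API even without broad host access")
    return findings


def audit_manifest_text(text: str) -> list:
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text))


# Constructed sample manifest shaped like the extension Trend Micro describes.
SAMPLE_BAD = json.dumps({
    "manifest_version": 2, "name": "Free Robux Helper", "version": "1.0",
    "permissions": ["cookies", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})
# Constructed manifest scoped to one site, which triggers no broad-access warning.
SAMPLE_OK = json.dumps({
    "manifest_version": 3, "name": "Roblox Theme", "version": "1.0",
    "permissions": ["storage"], "host_permissions": ["https://www.roblox.com/*"],
})

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, audit_manifest_text(text) or ["no broad permissions"])
```

Point it at the manifest.json of an unpacked extension (or a .crx unzipped with any zip tool) before installing it.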

Why would someone want to steal in-game currency? To sell it to gamers, of course, undercutting the prices charged within the legitimate games themselves.

There's also the issue of cheating, or, more properly, of cheats. "Cheats," as gamers will tell you, offer an advantage over the sometimes difficult, frustrating, and time-consuming rules of play. Researchers at SentinelOne have discovered that some cheats for the popular Counter Strike: Global Offensive game are installing cryptocurrency miners on victim machines. This particular miner goes after Monero, and it's called "OSX.Pwnet.A." The mining software is working for a guy who seems to go by the name of "Finn." SentinelOne seems to be on to him. For one thing, they seem to be insinuating that the gentleman is a brony (SentinelOne). Make of that what you will, but remember: friendship is magic.

Want to learn how to develop an incident response plan?

Join us for the first operational community-driven incident response conference. IR17 is open to both commercial and government professionals. Register for free to learn tips and best practices from industry leaders. IR17 features 30+ hours of practical training, 36 breakout sessions designed for all levels of experience, and you will leave the conference with a developed incident response plan.

Clouds and cryptocurrencies.

Unwelcome cryptocurrency miners are being distributed in other ways, too: Netskope Threat Labs has found the Zminer malware hosted in an Amazon S3 bucket. They say, "The kill chain begins with the delivery of a drive-by download Zminer executable that downloads payloads from Amazon S3 cloud storage to a victim’s machine and then uses the machine’s computing resources to perform coin mining." They note that the miner helps ensure its own smooth operation by disabling Windows Defender on infected machines.

Cryptocurrency wallets themselves are also under attack. Researchers at Duo Security note that criminals are exploiting some of the weaker forms of two-factor authentication—notably SMS and email authentication—to get into the wallets. They advise adopting more cryptographically secure forms of multi-factor authentication (Information Security Buzz).

Initial coin offerings (ICO) have proved more vulnerable to virtual robbery than investors would like. Estimates suggest that participants in an ICO have about a one-in-ten chance of losing coins to theft. Ethereum speculators are thought to have lost $325 million (SF Gate).

40+ cyber thought leaders to examine cyber threats and solutions at summit.

The 8th Annual Billington CyberSecurity Summit, September 13 in Washington D.C., is pleased to announce that DNI Coats, White House Cyber Coordinator Joyce, Rep. Hurd, US CENTCOM's Votel and acting CISO Schneider (invited) join 40+ cybersecurity thought leaders offering insightful answers on cybersecurity threats and solutions.

Not every mishap is a cyber incident.

When the destroyer USS John S. McCain collided with a merchant tanker in the crowded Straits of Malacca on Monday, there was immediate speculation that McCain had been the victim of a cyberattack against its navigation systems (International Business Times). That speculation was based on two facts.

First, there had been a case of GPS spoofing in the Black Sea earlier this summer: the US Maritime Administration issued a warning to that effect after receiving reports on June 22nd of inaccurate GPS locations from ships operating near Novorossiysk (MARAD). The incident has been widely attributed to Russian testing of an attack capability (New Scientist). Note that this wasn't jamming, the simple blocking of GPS signals by much stronger transmissions, a threat to GPS that's long been known. It was instead active spoofing, inducing navigation systems to display an incorrect position, which is in some respects a subtler and more dangerous form of cyber attack, an updated form of meaconing (National Defense).

Second, US Navy warships have been involved in an unusually large number of accidents recently, four in the past year, all of them in the US 7th Fleet: USS John S. McCain (collision, August 21st), USS Fitzgerald (collision, June 17th), USS Lake Champlain (collision, May 9th) and USS Antietam (grounding, January 31st) (MSN). This seemed to many observers too many for coincidence. The US Navy's refusal to rule out cyber attack as a cause was seen by many not as proper reticence during the early stages of an investigation, but as a tacit partial confirmation that McCain had been the victim of some sort of hack (Business Insider).

But it does indeed appear that the collision was a more ordinary mishap, as tragic as its results were. If it had been spoofing, other ships should have reported being affected, which they haven't (Popular Mechanics). Nor has investigation so far turned up malware introduced into the ship's systems during, as some speculated, calls at Yokosuka, the port McCain shares with its 7th Fleet sisters, or in some other fashion (CIMSEC). The US Navy relieved the vice admiral commanding 7th Fleet, citing "loss of confidence" in his leadership (New York Times), and has directed a service-wide review of seamanship (Navy Times). As always, speculation outruns investigation (Ars Technica).

A side note: China's People's Liberation Army Navy has not been slow to kick the US Navy while it's down, suggesting that American ineptitude on the high seas now constitutes a hazard to navigation (South China Morning Post).

Ad-free podcasts now available to Patrons.

Patrons now receive a streamlined, ad-free, version of the Daily Podcast when they support the CyberWire as Friends of the Show (or at higher levels). See here for details. And thanks to all the Patrons who've been so generous in their support of the CyberWire.

Digital 9/11s, cyber Pearl Harbors?

Opinion continues to warn of a "digital 9/11" that would cripple infrastructure on a national scale (The Hill), or a bolt-from-the-blue cyber Pearl Harbor that would be as shocking and devastating in its own way as the original Pearl Harbor was in 1941 (Naked Security). The most serious concerns derive from assessments that industrial control systems are highly vulnerable to disruption.

The lingering effects of NotPetya.

Sinopec's Shengli oilfield in China, one of that country's larger production fields, announced Monday that it had disconnected many of its systems from the Internet. Early reports indicated a cyberattack, vaguely characterized by Reuters as "ransomware that hobbled big business across the globe," presumably either NotPetya or WannaCry (Reuters). There have been no further reports; as far as is publicly known, the situation in Shengli remains as initially reported.

And finally, there's another consequence of NotPetya in the manufacturing sector making itself felt in the UK: cat food shortages in London and the Home Counties. Mars subsidiary Royal Canin was affected, and deliveries of cat food have lagged, with some customers waiting two weeks. Another Mars pet food brand, James Wellbeloved, is also thought to have been affected, but they're more in the dog food line, and there have been fewer complaints from the dogs (Metro).

Inspiration online: the Daily Stormer is gone, but ISIS remains.

The neo-Nazi Daily Stormer winked in and out of a fitful online existence this week before finally falling into whatever darkness such things fall (TechCrunch). The Daily Stormer had attracted widespread odium when it came to prominence during the riot and homicide in Charlottesville, and it eventually managed to alienate even the closest things to free-speech absolutists in the tech industry when Cloudflare finally had enough and stopped providing its services to the online publication.

So here's a question: why was tech so quick to squash the unlamented Daily Stormer, yet so apparently powerless against ISIS?

Mosul has fallen to Iraqi forces and the Kurdish Peshmerga militia. This is a hard blow to ISIS, since Mosul had been the seat of government from which the terrorist organization had announced its renewed Caliphate. ISIS is also in retreat from the other territorial enclaves it controlled, which places it in a difficult position: many observers have long said that the legitimacy of any Caliphate depends upon its control and righteous administration of territory, and have wondered what the jihadist group would do when its territory was lost. As far as its online presence is concerned, the answer appears to be that ISIS would continue business as usual. In fact, its information campaign appears to be "thriving" (Washington Post). 

Even as its core territory in Iraq and Syria shrinks to insignificance, ISIS has posted a Spanish-language video promising to reconquer al Andalus, the Iberian Peninsula the Umma finally lost to Ferdinand and Isabella of Spain in the fifteenth-century conclusion of the Reconquista (Times of London). Another ISIS inspirational video receiving wide circulation purports to show a ten-year-old American boy threatening President Trump. The boy, identified in the video only as "Yusuf," and said to be the son of an American soldier who served in Iraq, is shown saying in a mix of English and Arabic, "My message to Trump, the puppet of the Jews, Allah has promised us victory and has promised you defeat" (Military Times).

Security experts see ISIS as following a template established by ISIS rival al Qaeda (Foreign Policy).

ISIS killing has been a leading cause of the Middle Eastern refugee crisis, which has spawned human trafficking on a large scale. Some traffickers ("slave-trading gangs," the Times of London calls them) are posting torture images to Facebook in an attempt to extort ransom money from their captives' families. The gangs involved in the latest round of cruelty operate from Libya, from where they can readily intercept refugees trying to make it to Europe (Independent).

These posts, and the most recent wave of hacked celebrity pictures, are inducing some observers (the UN's International Organisation for Migration among them) to ask why tech companies aren't addressing such incidents with the focus and alacrity they brought to booting the loathsome Daily Stormer from their services (Fast Company). Is the outrage selective, the decisions arbitrary, or is the problem simply more complex than it seems?

China moves to tighten censorship. Researchers demonstrate a way of tap dancing around it.

The Great Firewall had until recently been susceptible to penetration by VPNs, but Beijing has moved to ban them, effectively forcing Web users in that country to use China's autarkic Internet (Foreign Policy).

Meanwhile, university researchers in the United States (at the University of Colorado at Boulder, Georgetown University's Law Center, the University of Michigan, and the University of Illinois Urbana-Champaign) have successfully demonstrated a refraction technique, "TapDance," that could be applied by Internet service providers (ISPs) to move requests for blocked pages around censorship mechanisms (Naked Security).

Fancy Bear update.

The Turla cyberespionage group has resurfaced, luring targets with phishbait that looks like a note from Germany's Federal Ministry for Economic Affairs and Energy inviting recipients to save the date for October's G20 meetings in Hamburg (ZDNet). Turla is generally believed to be a threat actor controlled by Russia's GRU, familiarly known for some time now as "Fancy Bear."

Fancy Bear has another adversary: Microsoft lawyers. Redmond won a trademark case in a Virginia Federal Court that gives it the right to take over sites run by Fancy Bear that represent themselves as associated with Microsoft. It won't be a bear-killer, but it will make Fancy's life marginally more difficult (WinBuzzer). Microsoft began lawfare against Fancy Bear last year (Fortune).

Hacking fears in Ukraine.

Over a week ago Ukrainian security services warned the country that they were seeing early signs of another cyber campaign (Kyiv Post), and the country's central bank told the financial sector to expect a malware outbreak comparable in scale to June's NotPetya infestation (Reuters). Both fears were exacerbated by the approach of Ukraine's independence day, observed this Wednesday. Both fears also proved largely groundless.

There was one scare: the web server of Crystal Finance Millennium, an accounting software firm based in Kyiv, was discovered to have been compromised with Purgen ransomware. The attack seems merely criminal, not state-directed as is generally thought to have been the case with NotPetya. Purgen had been in the servers since at least August 18th, according to Kaspersky Labs (Bleeping Computer), and Ukrainian security firm ISSP's analysis of the malware indicates that it's conventional ransomware (Japan Times). 

Spy versus spy.

Russian sources are reporting the possible backstory to the arrest last December of three Russian men on charges of treason. They had FSB connections: Sergei Mikhailov, the deputy head of the FSB's Information Security Center, and two associates were taken into custody. It's believed they were instrumental in giving up prominent wanted hackers to the CIA, which then presumably turned the information over to the FBI and US Secret Service. Among the cyber criminals so fingered were Roman Seleznev and Yevgeniy Nikulin. Seleznev, now in US custody, is the son of a prominent Duma member. Nikulin is in Czech custody fighting extradition to the US. There are also suggestions that Mikhailov and his associates were connected to the Shaltai Boltai—"Humpty Dumpty"—hacktivists who have doxed Russian oligarchs (Bleeping Computer).

The FBI has made an arrest in the OPM breach. The suspect is a Chinese national, Yu Pingan of Shanghai, who was picked up Monday when he arrived at Los Angeles International Airport on his way to attend a conference in the US. On Wednesday he appeared before the Federal Court for the Southern District of California on charges of having written the Sakula malware believed to have been used by the Chinese government to accomplish the breach (Case 3:17-mj-02970-BGS). This is the first arrest made in the case; the OPM breach has long been attributed to Chinese operators (Federal News Radio).

US officials, including FBI personnel, members of Congress, and, most recently, White House cybersecurity coordinator Rob Joyce, have been warning that security software from Kaspersky Labs constitutes, in effect, a virtual mole. Kaspersky denies the charges, and says it's no more a nest of FSB spies than are US companies who may do work for law enforcement agencies. Some industry observers, notably CSO, are calling for those making the accusations to provide evidence: put up or shut up.

Industry notes.

Root9B has defaulted on obligations and appears headed for bankruptcy and liquidation (Dark Reading). Investors are said to be circling, looking to pick up the company's assets (Register).

The zero-day brokers at Zerodium have a new shopping list. They're offering $500 million for weaponized zero-days enabling remote code execution and local privilege elevation for a variety of mobile messaging apps (Infosecurity Magazine).

eSentire announced a growth equity investment by funds associated with Warburg Pincus. The amount is not available, but is believed to be substantial (PRNewswire).

Versive has raised $12.7 million as investors bet on its AI security solutions (BusinessWire).

Today's issue includes events affecting China, Morocco, Russia, Spain, Syria, Ukraine, United States.
