
When 95% of breaches are human error, why is it on the last line of our security budget?

Probably because until now, you haven't found a solution that works. NINJIO produces 3-4-minute animated Episodes that teach your end-users how not to get hacked, using Hollywood-style storytelling. A new Episode is produced every 30 days on the most current breaches. Your end-users emotionally connect with the first scene of every Episode, so they're engaged throughout. NINJIO tells stories, not lectures, and has a 98.5% renewal rate. NINJIO works. See a free in-person demo.

The Week that Was.

The Satori botnet is up and at 'em.

"Satori" is an evolved form of Mirai. Security firm Qihoo 360 Netlab reported that the large botnet became active early in the week. Estimates of its size run to 280,000 bots, mostly routers.

The original versions of Mirai used Telnet scanners to find vulnerable devices and brute-forced default credentials. Satori doesn't: Qihoo 360 Netlab says the botnet carries two embedded exploits that target devices on TCP ports 37215 and 52869. As Bleeping Computer points out, "Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components" (Bleeping Computer).

Qihoo 360 Netlab thinks the exploit that targets port 37215 is a zero-day. They've been tracking it and have it under analysis, but they're unwilling to discuss it further, for now. CenturyLink thinks the botnet may be abusing a zero-day in Huawei home gateway routers.

There's less mystery surrounding the exploit that hits port 52869. That one is for a well-known, and relatively old, bug in some Realtek devices, CVE-2014-8361. Many Realtek devices have been patched for it, which may explain why this exploit has been the less successful of the two.

There are some similarities between Satori and the Mirai variant that hit Argentina over the weekend, but researchers are tracking it as a distinct threat.

And nothing yet, by the way, from Reaper, which has remained curiously quiet since its discovery (Cybrary). In their commentary on Satori, Bitdefender offers some suggestions that would help protect devices from infestation by any Internet-of-things botnet. They're not, of course, foolproof, but they do represent sensible hygienic measures. First, change IoT device default passwords. Second, update those devices with any security patches as they become available. Third, avoid enabling Universal Plug and Play on routers. And, finally, when buying an IoT device, purchase it from a company with a reputation for good product security.
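Because Satori spreads by probing two fixed ports rather than by Telnet brute-forcing, a defender can spot infected neighbours, or their own compromised devices, from perimeter logs alone. The following is an added example, not code from Qihoo 360 Netlab, Bleeping Computer or the CyberWire: it walks iptables-style syslog lines (constructed here, not captured traffic) and reports any source that has hit port 37215 or 52869 on more than one distinct target. The assumption that the probes are TCP, the log format and the threshold are the example's own, not the report's.

```python
"""Flag hosts probing the two ports the Satori reports attribute to the botnet.

Added example; not code from Qihoo 360 Netlab, Bleeping Computer or the CyberWire.
The log lines below are constructed to resemble iptables LOG-target syslog output;
the TCP assumption and the min_targets threshold are this example's own choices.
"""
import re
from collections import defaultdict

SATORI_PORTS = {37215, 52869}  # destination ports named in the reporting above

# Captures only the iptables fields the check needs; everything else is skipped.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the src/dst/proto/dpt of a firewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_scanners(lines, min_targets=2):
    """Map each source that hit a Satori port on >= min_targets distinct (dst, port)
    pairs to the sorted list of those pairs. One hit can be a stray connection;
    several distinct targets from one source is scanning behaviour."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dpt"] in SATORI_PORTS:
            hits[rec["src"]].add((rec["dst"], rec["dpt"]))
    return {src: sorted(targets) for src, targets in hits.items() if len(targets) >= min_targets}


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Dec  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=37215 SYN",
    "Dec  5 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=37215 SYN",
    "Dec  5 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 LEN=60 TTL=52 PROTO=TCP SPT=44323 DPT=52869 SYN",
    "Dec  5 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=50001 DPT=443 SYN",
    "Dec  5 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=37215 SYN",
    "Dec  5 10:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 LEN=40 TTL=48 PROTO=UDP SPT=51001 DPT=37215",
    "Dec  5 10:00:07 gw sshd[2210]: Accepted publickey for ops from 192.0.2.2 port 40110",
]


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed Satori ports on: {targets}")
```

Run against real `iptables -j LOG` output the same check works unchanged; with a single target per source (`min_targets=1`) it also surfaces the lone probe from 198.51.100.9, which is useful when the question is "did anyone at all touch these ports" rather than "who is scanning".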

Your cyber security posture is right of boom.

Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it.

Iranian hacking operations draw new concern (and respect).

Among Charming Kitten's capabilities are some non-negligible social engineering skills and a set of fake media sites (CTECH). It's credited with surveillance of regional rivals, dissidents, and human rights groups, and even with the hacking of HBO (ClearSky). The US has charged Iranian national Behzad Mesri (nom de hack "Skote Vahshat") with the Game of Thrones hack, and there's speculation that he's connected to the Iranian government. Connected or not, he's still in Iran, where he's out of reach of US law (New York Times).

FireEye is tracking a distinct but possibly related group, APT34, which has been engaged in infiltrating regional infrastructure. Their approach shows a patience, complexity, and sophistication not hitherto generally associated with Iranian operations, and many see them as representative of that country's future conduct of cyber operations (WIRED).

FireEye isn't alone in seeing Iranian activity as rising to a level formerly achieved only by Russian and Chinese actors. ClearSky and Crowdstrike say they're seeing the same trend (CyberScoop).

Why is VPN so important for Net Neutrality?

Next week FCC commissioners will vote on Net Neutrality. If it's removed, ISPs will be able to manipulate your Internet traffic, besides learning about your activities. If your house connects to the Internet via VPN, your ISP will see nothing but a single stream of encrypted data (the VPN provider, of course, then sees what the ISP no longer can). For that reason, "whole house VPN" via your home router is being promoted as the remedy for the loss of Net Neutrality. Learn more about how VPN addresses the loss of Net Neutrality.

Shift in China's cyber operations predicted for 2018.

Observers (notably FireEye) think they discern a coming shift in the Chinese government's cyber espionage interests. They expect regional economic rivals, particularly India, to receive more attention from Advanced Persistent Threat groups. Regional political tensions are expected to provoke a rise in hacktivism, whether spontaneous, directed, or somewhere in between, directed against Southeast Asian nations, the Philippines, Japan, and South Korea (NDTV).

DevSecOps experts from Visa and CYBRIC talk cyber threat survival.

How can you protect yourselves against breaches like Equifax? Swapnil Deshmukh, Sr. Director of Emerging Technologies Security, Visa and Mike D. Kail, CTO, CYBRIC weigh in. Rapid innovation and continuous delivery via DevOps exposes organizations to a constant, evolving cyber threat. Seamlessly embedding continuous security within existing ecosystems will enforce security across the production environment. In this webinar, you’ll learn cultural changes needed for true DevSecOps. Register for this webinar December 12 at 1PM ET.

Other nation-state or quasi-state actor hacking.

Citizen Lab reports finding evidence that the government of Ethiopia is using lawful intercept software developed by Cyberbit to spy on journalists and opponents of the regime.

An ISIS video posted online promised to deliver a major cyberattack against the US this Friday. The former Caliphate, now clearly in its diaspora phase, has shown little ability to do much more than low-grade website defacements of indifferently defended targets, and is probably feeling some pressure to demonstrate serious cyberattack capabilities. The "Electronic Ghosts of the Caliphate" or the "Caliphate Cyber Ghosts," threatened, "We will face you with a massive cyber-war…Black days you will remember."

As far as we can tell the only sign of ISIS hacking appears to have been some defacement of the Gloucester Township website (we believe this is the Gloucester Township in southern New Jersey). "The lions of the Caliphate will be at your door" is what Fleet Street's Daily Mail reported was scrawled there, but it seems to have been swiftly remediated. Still, it's never wise to grow complacent, even after a fizzle.

Zberp banking Trojan uses unconventional process injection technique.

A hybrid of the ZeusVM and Carberp malware, Zberp uses a variety of techniques to prevent detection while it gathers information from infected systems. Join the CyberWire for another episode of Research Saturday where Limor Kessem, executive security advisor for IBM, walks us through the details of this stealthy banking Trojan.

Impersonation attacks.

Malwareless impersonation attacks are up. These are cases in which email arrives pretending to be from some trusted, or at least plausibly trustworthy, source. Since the email itself carries no malicious payload, it passes through screens designed to catch known malicious signatures. The point is social engineering: inducing the recipients to do something, perhaps share credentials, perhaps transfer funds, contrary to their interests (IT Wire).
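Since a payloadless impersonation email gives a signature scanner nothing to match, the useful signals are in the headers: a display name that belongs to a known colleague but an address that doesn't, a sender domain one character off the real one, or a Reply-To that quietly redirects the conversation elsewhere. The following is an added example, not code from IT Wire or the CyberWire, showing those three checks over two constructed messages; the organisation domain, the sender directory and the homoglyph table are this example's assumptions, and a real deployment would also consult SPF/DKIM/DMARC results, which are left out here.

```python
"""Header-only checks for malwareless impersonation email.

Added example; not code from IT Wire or the CyberWire. The trusted domain,
the known-sender directory, the homoglyph table and both sample messages
are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                       # assumption: the organisation's own domain
KNOWN_SENDERS = {"Alice Finance": "alice@example.com"}  # assumption: directory of display name -> real address

# Crude homoglyph normalisation; a production filter would use a fuller confusables list.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when domain normalises to the trusted domain but is not literally it."""
    if not domain or domain == trusted:
        return False
    return domain.translate(_HOMOGLYPHS).replace("rn", "m") == trusted


def impersonation_flags(raw_message):
    """Return a list of reasons the message looks like sender impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []

    # 1. Display name matches someone we know, but the address is not theirs.
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name]:
        flags.append("display name matches a known sender but the address differs")

    # 2. Sender domain is a visual lookalike of our own.
    if is_lookalike(from_domain):
        flags.append("sender domain is a lookalike of the trusted domain")

    # 3. Replies would go somewhere other than where the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("Reply-To domain differs from From domain")

    return flags


# Constructed samples: one impersonation attempt with no attachment or link, one genuine message.
SPOOF = """\
From: "Alice Finance" <alice@examp1e.com>
Reply-To: <alice.finance@mail-accounts.net>
To: bob@example.com
Subject: Urgent wire before close of business

Bob, please process the attached-less instructions by phone, I'm in meetings all day.
"""

LEGIT = """\
From: "Alice Finance" <alice@example.com>
To: bob@example.com
Subject: Q4 close timeline

Bob, the Q4 close schedule is on the shared drive as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, impersonation_flags(raw) or ["no impersonation indicators"])
```

None of the three checks looks at the body, which is the point: the message above would sail past an attachment or URL scanner. The directory lookup is the strongest of the three, since it catches display-name abuse even when the attacker uses a free-mail address with no lookalike domain at all.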

Bitcoin DDoS.

Imperva Incapsula reported this week that 74% of all "Bitcoin-related" sites had experienced a distributed denial-of-service (DDoS) attack over the past year. There are many motives in play, but two stand out. The first and most obvious is extortion: threaten to clog a deep-pocketed organization's network unless it pays. Bitcoin services depend upon high levels of network availability, and DDoS can obviously degrade that in ways that hurt, economically. There are also reports of a flourishing black market in Bitcoin-focused DDoS tools and services. The customers are unscrupulous cryptocurrency operators interested in damaging the competition (Bleeping Computer).

Other cryptocurrency hacks.

A prospective Bitcoin rival, Electroneum, had to call off its launch after too many members of its user community found their accounts "hacked." User complaints prompted Electroneum to call off its ICO (it had already raised several million in advance of the offering) and call in a security company to investigate (Kent Online).

Electroneum isn't alone among ICO victims of theft. Kaspersky Lab released an estimate that some $300 million has been lost in 2017 to criminal attacks on initial coin offerings (Finance Magnates).

NiceHash, a popular cryptocurrency mining site, was looted, with about $56 million in assets taken. NiceHash acknowledged the incident, temporarily suspended service, and opened an investigation (Computing). As Naked Security glumly points out, this whole sector is new, and neither banks nor governments are backing it: there's no crypto-FDIC to ride to the rescue.

Blockchain and speculative bubbles.

The DIY days of cryptocurrency mining may be coming to an end. It's said to be no longer worth your while to build your own Ethereum mining rig. The difficulty of the proof-of-work puzzles required to hold the block rate at the desired one block every twelve seconds has grown considerably, exacting more effort from miners, and their rewards are dropping, too, from five Ether to three per block. And in 2018 the Ethereum network is expected to abandon its proof-of-work model for a proof-of-stake model: validation will be done by people who own Ether, weighted by how much they own (Motherboard).

Not everyone is taking cryptocurrency, and at least some early adopters are dropping it. Valve, for one, no longer will accept cryptocurrency as payment on its gaming distribution platform Steam. The valuations, they say, are too volatile, and the costs of processing transactions have risen to undesirable levels (Ars Technica). 

None of this has deterred speculators. Bitcoin surged to $15,000 over the forty-eight hours ending on December 7th, a jump of 25% (Ars Technica). By the end of the week Bitcoin was worth at least $20,000, a jump that ranks among the greatest "buying rushes" in history (Times).

Does Bitcoin show the classic signs of a speculative bubble? Well, yes, according to experts in business and economic history at MIT and the University of Maryland interviewed by Ars Technica. There are the tales of fantastic wealth achieved by those who got in on the opportunity. New or at least unfamiliar financial instruments are sometimes involved. There's a gloss of innovation, whether that's the discovery of a new market (like the newfound desire for tulips in Seventeenth Century Europe) or the invention of a new technology (like railroads in the early Nineteenth Century, or the Internet at the close of the Twentieth) (Financial Times). There's a lot of excitement and a great deal of volatility. There's also difficulty in assessing valuation: who's to say what Bitcoin should be worth? What are its fundamentals?

The bubble ends, usually, after a period of intense volatility and excitement. Some incident precipitates a crash, and the speculators are sadder and poorer (CNN). Maybe wiser, but alas, maybe not.

Speculation and fraud, both historic and (allegedly) contemporary.

It's worth noting that sometimes there's an underlying reality to what's being traded, however badly the speculation may have ended for most. This was so in the tulip mania and in the early speculation in railroads (when the Erie Railroad was called "the Scarlet Woman of Wall Street"). But sometimes the bubble enables pure fraud, as it did in the case of one Gregor MacGregor, who in 1822 presented himself as the Prince ("Cazique," in his picturesque idiolect) of Poyais, a kingdom along the Black River near Honduras. The Cazique was prepared to offer land to the industrious in exchange for a modest investment. The catch? There was no such place as Poyais, but MacGregor made a fair bit of change before the scam fell in on him (BBC).

Bitcoin is one use case of blockchain technology, one particularly well-adapted to remittance, but it would be a mistake to conflate the two. There are other uses for the blockchain and similar distributed ledger technologies. A number of those use cases are being worked out in the security space, but Seeking Alpha cautions investors that "blockchain" itself has become a marketing term to conjure with. As the Seeking Alpha piece notes, "The Bitcoin bubble is spreading out of cryptocurrencies and into sound, successful businesses. Unprofitable, highly leveraged organizations are being valued at millions, even billions, for being related to Bitcoin." They may not be Poyais, but due diligence is never a mistake.

And, of course, there are new Poyaises out there, too. The US Securities and Exchange Commission (SEC) is cracking down on Initial Coin Offerings (ICOs) it determines to be fraudulent. A week ago the SEC's new Cyber Unit (established in September) froze the assets of PlexCorps, which had raised millions in an ICO for PlexCoin. The SEC had hard words for PlexCorps boss Dominic Lacroix, calling him a "recidivist Quebec securities law violator" (Forbes).

WikiLeaks under various US investigations.

WikiLeaks and its founder and public face, Julian Assange, are undergoing at least four distinct US investigations, three Congressional, one by a Federal prosecutor (Reuters).

Westminster seems to overshare passwords.

In the midst of a legal row over adult content allegedly found on a computer in First Secretary of State Damian Green's Parliamentary office (Green denies that he put it there) Conservative MP Nadine Dorries came to Green's defense by pointing out that many people could have had access to his device. It's common practice in Parliament, Dorries said, to share passwords widely with staff. She does so herself, and other MPs confirmed that they do the same, despite warnings from Westminster's IT services that this is a bad practice, and that there are other, more secure ways of enabling staffers to collaborate (Washington Post).

The Information Commissioner has remonstrated, reminding Members that they have a responsibility for data security in their offices (Telegraph). Security industry sources deplore poor password practices (Acumin). But such practices aren't confined to Parliament, of course ("password" remains one of the favorite passwords). There are ways of handling both collaboration and passwords more effectively and more securely, but if enterprises make security an impediment to doing business, doing business will take the path of least resistance (and sharing passwords is one of those easy paths).

Good news on Black Friday fraud holds up.

It's not cause for complacency, but it is good news. Early reports of a drop in online fraud in this year's Black Friday to Cyber Monday shopping surge seem to have held up. A study by Jumio reports a 33% drop in fraud over that long weekend (eSecurity Planet).

Uber payoff was brokered through HackerOne's bug bounty program.

The Uber hacker was, according to reports this week, a twenty-year-old living with his mother in Florida. The payment he received was apparently processed as a bounty through HackerOne, the firm that Uber used to manage its bug bounties. The hacker initially demanded the money as an alternative to releasing the information he'd obtained, which gives the affair much more the coloration of extortion than responsible disclosure. The determination to handle it as a bug bounty seems to many observers a dodge, intended to sidestep regulatory disclosure obligations (Business Insider).

Also, legal consensus...

...if you're thinking of using a disappearing app like Wickr to discuss your illegal activities, think twice and put down the app. It hasn't helped Uber in its dispute with Waymo (WIRED).

Historical metaphors.

This past Thursday was, of course, Pearl Harbor Day, the seventy-sixth anniversary of the surprise attack by the Imperial Japanese Navy that brought the United States into the Second World War. As we remember veterans and others who sacrificed and suffered in the war, it's also worth thinking about the way Pearl Harbor has become an organizing metaphor in thinking about cyber operations (Defense One).

Another major historical metaphor is now being invoked: Chinese work on artificial intelligence is being called a new "Sputnik moment" for the US (Forbes).

Patching news.

Apple issued a number of fixes this week (SANS Internet Storm Center). They appear to have dealt, after some missteps, with the "root" vulnerability (Ars Technica).

Google also patched, so Android devices should be receiving some maintenance (Security Week).

Microsoft issued an emergency patch for problems in its Malware Protection Engine (Register).

Industry notes.

Juniper Networks is said to be looking for acquisition targets (Light Reading). Apple is looking to buy companies whose technology will help it catch up with rivals in artificial intelligence who are perceived as enjoying an early lead (The Street).

Alcide exits stealth with a $5.2 million investment and a cloud-friendly network security platform (eSecurity Planet). Prevoty, which offers autonomous application protection, picks up $13 million in a Series B round led by Trident Capital Cybersecurity (Globe Newswire). Ironscales announces a $6.1 million funding round led by K1. Their intention is to use the investment to work on automated phishing detection, incident response, and intelligence sharing (PRWeb). Enveil, specialists in the encryption of data-in-use, gets partnership and investment from the venture capital arm of the US Intelligence Community, In-Q-Tel (Enveil).

Integrity 360 has purchased Metadigm for an undisclosed amount. It's regarded as a play in the British managed security services market (PRNewswire).

Kaspersky is closing its Washington, DC, office, but it doesn't intend to exit the US market, just the government sector (Bloomberg).

Silicon Valley bigwigs, Tim Cook among them, make nice with China (Observer). It seems to be part of the cost of doing business in the newly imperial-looking Middle Kingdom.
