The week that was.
Sweden's big breach.
Careless handling of data by Sweden Transportstyrelsen, the country's transportation agency, resulted in exposure of information touching most citizens, and containing some militarily sensitive data. This involves a great deal more information than would be lost in the breach of, say, an American state's department of motor vehicles. The data include weight capacities of roads and bridges (potentially useful to an invader) and the type, model, weight, operators and condition of government and military vehicles (from which, among other things, order of battle could be inferred). There was also much private information at risk, including the names, photos, and home addresses of air force pilots, anyone in police registers, people in witness relocation programs, and members of Swedish special operations forces (Hacker News).
The breach occurred in 2012, was noticed by security services in 2016, and won't be fully remediated until this autumn. The director-general of Transportstyrelsen, Maria Ågren, took the fall for the incident in January: she was fired and fined 70,000 kronor (about $8500) for "careless[ness] with secret information" (Dagens Nyheter).
The root cause is being ascribed to failure to properly supervise a $100-million deal with IBM to handle driver's licensing and vehicle registration. The agency failed, apparently, to control what data it handed over, and how the data were controlled once handed over. Prime Minister Löfven called the breach of information “a total breakdown,” saying, “It is incredibly serious. It is a violation of the law and put Sweden and its citizens in harm’s way.” The head of the Security Service, Anders Thornberg, said “This is very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.” The scandal is a major one. For Sweden this is probably a more serious matter than such large incidents as the OPM breach were for the US. Some observers think the Transportstyrelsen breach has the potential to bring down the government (New York Times). Two ministers have already resigned over the incident: Anders Ygeman (home affairs) and Anna Johansson (infrastructure) (Politico).
More from WikiLeaks' Vault7.
WikiLeaks has dropped more documents from Vault7. Late last week it was the UMBRAGE Component Library (UCL), a collection of publicly available exploits scouted, WikiLeaks says, by Raytheon under a CIA contract between November 2014 and September 2015. The tools described in the UCL include Embassy Panda's keylogging RAT, the Samurai Panda version of the NfLog RAT, surveillance malware Regin, command-and-control arranger HammerToss, and the information-stealing Trojan Gamker.
These are for the most part thought to be state-tools—the Pandas are believed to belong to China, and HammerToss is thought to be Russian—but WikiLeaks offers a sinister (if not fully convincing) spin: why would the Agency be interested if not to repurpose these tools for its own attacks? We can imagine a few reasons—security, counterintelligence, threat profiling, situational awareness all come to mind—but WikiLeaks is not in the business of looking on the sunny side of Langley (Threatpost).
This week's dump involved more alleged CIA tools (Hacking News). The documents released late Thursday describe three tools: "Achilles" (which backdoors Mac OS X disk images), "SeaPea" (a stealthy Mac OS rootkit), and "Aeris" (a Linux implant). WikiLeaks says the tools are associated with an Agency project called "Imperial."
The ShadowBrokers were heard from late Thursday, saying their subscribers got their exploits-of-the-month (details for subscribers only). They're also raising their prices "due to popular demand." Who the Brokers actually are remains unclear, at least to many (Threatpost), but the Pwnie Award the Brokers were honored with at Black Hat this week was unambiguous, crediting "Russia. Straight up: Russia" (CSO). US counterintelligence investigators are said to be looking for a disgruntled insider, or former insider, who may be leaking to the Brokers (International Business Times).
Wilted Tulip and CopyKittens: Iranian cyber operations.
Researchers at Trend Micro and ClearSky on Wednesday released their study of CopyKittens, a threat group associated with the Iranian government. It's been tracked publicly since 2015. The group is characterized as unsophisticated but effective, getting results by persistent phishing and waterholing. Its victims have for the most part been in the countries one would expect: regional rivals Saudi Arabia, Jordan and Turkey, perennial bêtes noires Israel and the United States, and European leader Germany. Their techniques involve little novelty, and they're said to lack operational discipline (they tend to disclose their presence by tripping alarms when they get greedy), but they've nonetheless succeeded in hitting government and industry targets (International Business Times).
Iran is also engaged in an active catphishing campaign in which the fictitious persona Mia Ash is being used to rope in unwary marks who occupy positions within the oil and gas industry. The Dell SecureWorks Counter Threat Unit presented their findings concerning Mia, represented as a 20-something woman, a photographer based in London who's an amateur model and a social media enthusiast. But Mia is an elaborately curated catphish run by the threat group Cobalt Gypsy (a.k.a. OilRig, TG-2889, or Twisted Kitten). Cobalt Gypsy is thought to be operating on behalf of the Iranian government. Its targets are governments, telecommunications infrastructure, defense companies, oil companies, and financial services outfits in the Middle East and North Africa. The operation's goal is to infect the marks with PupyRAT malware in a cyber espionage play (Threatpost).
Many will be reminded of Robin Sage, and those who doubt that catphishing would actually work should recall the 2009 experiment that showed, yes, it does. "Robin Sage" (the name was an inside joke: it's taken from the name of a recurring US Special Operations Forces exercise) was said to be a 25-year-old "cyber threat analyst" working at the Naval Network Warfare Command. She was represented, with deliberate implausibility, as an MIT alumna who already had a solid ten years' work experience. The experimenter, Thomas Ryan, set up social media profiles under the identity and was successful in convincing a number of marks that Robin was real, and the real deal. The catphish received offers of consulting gigs and not a few dinner invitations (Provide Security). So Iran's Mia Ash is by no means an implausible catphish.
Iran has demonstrated some cyber attack capability, sometimes wayward (as in the Bowman Avenue Dam incident), sometimes on point (as in attacks on Bundestag networks). Observers warn that more attacks may be on the way, especially as the US continues to squeeze the Islamic Republic over regional violence, its support for Hezbollah, and its suspected bad faith over nuclear ambitions (Foreign Policy).
Germany is concerned about cyberespionage from China, Iran, and of course Russia.
German elections are scheduled for September, and that country's authorities are determined to conduct them without interference, especially Russian interference. The Bundesamt für Verfassungsschutz warns that Russia is interested in elections, China in IP, and Iran in many things. The German government has established a command center and beefed up security capabilities to deal with an elevated level of threat (CSO).
The Iranian threat may perhaps appear surprising, but Germany is an attractive target because of a long commercial history with Iran, the important position it occupies in the European Union, its capable defense and aerospace sector, its research and commercial ties to Israel, and its central role in the ongoing MENA refugee issue.
North Korea hacks and rattles nukes, but may have its own vulnerabilities.
North Korea is famously isolated, but its rulers, admittedly a very small group, are about as connected as any Western imperialists you'd care to mention. A Recorded Future study concludes that Pyongyang's leaders are busy users of services like Facebook, YouTube, and Amazon. There's also apparently a large North Korean Bitcoin mining operation in progress. Should the DPRK's nuclear saber-rattling drive the civilized world closer to some response, strategists may consider that there could be counter-value targeting options available to them in cyberspace.
Also in the study are some interesting observations about North Korea's use of foreign networks, sourced by Recorded Future to research done by Team Cymru. Chinese and Indian networks are most commonly exploited by Pyongyang's mix of espionage and criminal operators; the DPRK also uses networks in Kenya, Indonesia, Mozambique, and Malaysia. Surprisingly, New Zealand may also be used, which is unwelcome news to that country (Recorded Future).
Fearing interception and espionage, Australia wants nothing to do with an undersea cable built by Huawei.
The Solomon Islands want an undersea communications cable laid between the islands and Sydney. Australia's government supports the project, but not if it's going to be built by Huawei. Australia will neither support nor permit construction of what its government regards as a royal road for Chinese espionage (Sydney Morning Herald).
Wells Fargo's e-discovery misfire.
Regulators (specifically FINRA, the Financial Industry Regulatory Authority) are taking a look at outside counsel's inadvertent compromise of Wells Fargo customer information earlier this month (Dark Reading). The bank has asked a judge to order the return of the material mistakenly shipped out to an attorney during e-discovery (Infosecurity Magazine). The incident is being taken as a cautionary tale about third-party risk (eSecurity Planet). In fact, since the third party, the law firm that shipped the CDs, has blamed the e-discovery vendor it hired to prepare the material for disclosure, it might well be counted a case of fourth-party risk.
Wells Fargo is, of course, apologizing to affected customers as the investigation into how the breach occurred proceeds (Naked Security).
Hey, that cloud up there...it looks like someone's data, doesn't it?
And of course a slipped disk isn't the only way data continue to be inadvertently shared. Kromtech Security warned Thursday that KS Enterprises, a money-transfer service based in London, had unintentionally exposed some 11,000 customers' data in an unprotected Amazon Web Services file. The information found flapping in the breeze included "passport scans and proof-of-address documents such as tax bills, loan records and driving licenses." There were also internal company files available for general inspection. The data have now been secured, everyone says, but poorly configured cloud accounts seem to have become an unfortunate new normal (International Business Times).
Cryptocurrency hacks, and some white-hat vigilantes.
Another initial coin offering (ICO) was hit by cyber criminals. Last Sunday about $8.4 million in VERI tokens were stolen from Veritaseum's ICO (HackRead).
The White Hat Group has apparently been true to its word: it did indeed hack back and return Ethereum cryptocurrency to its owners in the wake of a criminal attack on an Ethereum exchange (Motherboard). How to secure cryptocurrencies? Some are turning to "cold storage," that is, keeping keys (whether written on paper or stored in some other retro fashion) inside bank vaults. Thus what was old is new again, and opposites meet (Quartz).
In the US, regulators gave the cryptocurrency community food for thought: the Securities and Exchange Commission ruled that Ethereum tokens in an ICO were "securities" (Motherboard). This will in all probability put the brakes on a fast-moving way of raising venture capital (Business Insider).
There will be some changes in Bitcoin this coming month. The cryptocurrency is now preparing for a hard fork, which users and investors have opted for to help address scalability issues. If plans go as intended, there will after August 1st be two currencies: Bitcoin and Bitcoin Cash (Computing).
FruitFlies infest Apples (for some reason).
The FBI is investigating FruitFly, a strain of Mac malware that's been quietly infesting such devices for at least five years. No one seems quite sure what the malware's been up to. Some think it's abandoned, others that it's been overlooked simply because it's being used in highly targeted attacks (Graham Cluley).
Android ecosystem notes.
Google has shut down some highly targeted spyware, "Lipizzan," associated with the Israeli lawful intercept vendor Equus Technologies. Lipizzan installs itself first as an anodyne-seeming app (in the Play Store or some third-party source—it's been seen in both) with a second-stage "license verification" that surveys the infected device, validates abort criteria, and then roots the device. Data are exfiltrated to command-and-control servers. The spyware is capable of recording calls (including VoIP), recording from the device microphone, geolocating the device, capturing screenshots, taking photos with the device's camera, and retrieving essentially any data the infected Android device might hold or handle. Lipizzan was discovered in the course of Google's investigation of another unwanted lawful intercept product, Chrysaor, itself believed to originate with NSO Group (Computing).
Google, which has expelled the malware from the Play Store and blocked its developers, says Play Protect has notified victims and removed the infection from their devices. It encourages people to use Play Protect, and, of course, to download apps only from the Play Store. Mountain View notes that apparently fewer than 100 devices were infected—this is highly targeted malware (Android Developers Blog).
For its part, NSO Group is up for sale, with the Blackstone Group reputedly the buyer. The University of Toronto's Citizen Lab is urging Blackstone to reconsider, on the grounds that NSO's products have allegedly been used in repressive surveillance (CBC News).
Third-party app stores continue to be problematic, but this week one in Turkey set the bar for badness pretty high: every single app on offer in CepKutusu turns out to be malicious, according to researchers at ESET. It's apparently now been cleaned up, and it's not clear what was going on. The store might have been set up to distribute malware, or it may itself have been victimized by hackers or rogue insiders (Graham Cluley).
Adups adware is still circulating, despite the worldwide odium its soi-disant legitimate-business creators at Shanghai Adups Technology have attracted. When confronted back in November 2016 with evidence that their product was illegitimately collecting data, the company said it was all a mistake, and that the collection would stop. It hasn't (Threatpost).
Dr. Web has found the Triada Trojan embedded in the firmware of a range of low-cost Android phones. It looks like a case of supply chain compromise, since not all phones or lines produced by the affected manufacturers appear to carry the infection (Bleeping Computer).
And at Black Hat a researcher said that Samsung's KNOX security platform resisted his attempts to root phones better than other Android systems had. But he worked the problem and said he's now got proof-of-concept success against KNOX, too (Motherboard).
Notes on research in quantum cryptography.
Chinese researchers have achieved some breakthroughs in maintaining quantum entanglement between pairs of photons at distances that render it possible to develop applications that would enable secure communications between satellites and ground stations (Information Security Buzz).
There were actually two successful demonstrations reported in quantum encryption technology, one from China, the other from Germany. Researchers from the University of Science and Technology of China at Hefei succeeded in maintaining photon entanglement between sites on Earth separated by up to 1200 kilometers. The researchers found that entanglement was easier to maintain in an exoatmospheric environment (Sydney Morning Herald). In the other experiment, researchers from the Max Planck Institute for the Science of Light, in Erlangen, Germany, used the geostationary Alphasat I-XL to measure quantum properties at a distance of 38,600 kilometers (IEEE Spectrum).
The two experiments represent different approaches to quantum cryptography. The former approach, exploiting photon entanglement, promises more powerful encryption tools. The latter approach, not dependent on entanglement, is believed to offer the prospect of nearer term deployment.
Regulations and standards of care.
Experts consider the financial sector's regulatory regimes and look for lessons in best practices and guidelines for standards of care (Infosecurity Magazine). FINRA's inquiries into the Wells Fargo breach will be worth watching, as will the SEC's new interest in initial coin offerings. Europe's GDPR continues to inspire worry in the tech sector: fears are expressed that the regulations will "stifle innovation" (IT Buzz News).
Economic fallout from NotPetya and WannaCry.
NotPetya disrupted marine shipping, and that had secondary effects throughout the logistics sector. In particular it may have contributed to barge-traffic backups on European inland waterways (as loading of ocean-going ships was impeded) and benefited cross-modal shippers as they picked up slack from idled ship operations (Loadstar). Maritime shippers weren't the only operations affected, of course, and the effects of the attack on FedEx subsidiary TNT have been widespread: the Federation of Small Businesses says its members have been clobbered (BBC).
Shippers are doing some introspection about security, and they're cautioned against acting like magpies, looking for the shiny thing that will make them happy (Seatrade Maritime News). Logistics solutions provider D.B. Schenker offered three pieces of general advice for the sector: (1) Hackers see over-the-road trucks as computers on wheels; thus Internet-of-things vulnerabilities need to be identified and addressed. (2) Shippers face a mix of threats, some broadcast, others highly targeted, and some external, others internal. When considering security, they should think about how the "human factor" affects what's connected to what. And (3) logistics companies should address security in five areas: visibility, validation, performance, risk mitigation, and efficiencies (Now that's Logistics).
Security practitioners look to war games for insight into how to fend off infrastructure attacks (War on the Rocks).
Corporations continue to warn of the effects NotPetya will have on revenue. In addition to shippers like Maersk and FedEx, manufacturers are also beginning to warn. Reckitt Benckiser said this week it expects earnings to be down this year; its share price took a foreseeable hit (NASDAQ). Merck also warned: the big pharma company disclosed that the attack took manufacturing offline during June, that the company is still in the process of returning to normal, and that, while it doesn't yet know what the financial impact of the attack will be, there will surely be some non-negligible consequences (Reuters).
For all the business and financial hurt NotPetya inflicted, the consensus remains that it was never about the money (Dark Reading).
WannaCry, which might have been about the money, albeit in a clumsy, botched way, has also had economic consequences. Industry observers say that the pandemic is driving enterprises to take a serious look at cyber insurance (Information Age).
2017's leading cybersecurity acquisitions (so far).
Last week CRN ranked the sector's most successful attractors of private equity. This week the magazine listed the top ten acquisitions. Counting backward from number ten, they are: Hexadite (the incident investigation and remediation startup Microsoft acquired for $100 million in June), LightCyber (a machine-learning, behavioral-anomaly shop that Palo Alto Networks bought for $105 million in February), Open Systems AG (a managed security services provider acquired by EQT Partners for $120 million in June), Invincea (the machine-learning specialists Sophos acquired for $120 million in February), Guavus (Thales bought this big-data analytics company in April for $215 million), Sotera (a provider of security and data analytics solutions acquired by KEYW in April for $235 million), BlueCat (enterprise DNS specialists picked up by private equity investors Madison Dearborn Partners this February for $400 million), Veracode (an application security startup CA Technologies bought in March for $614 million), LANDesk (a security management vendor that Clearlake Capital bought and in a complex transaction merged with its Heat Software, itself formed when Lumension merged with FrontRange; the acquisition of Heat is said to have been worth more than $1.1 billion), and finally Ixia (a security and visibility vendor Keysight Technologies bought in April for $1.6 billion).
In other industry news, OpenText has announced its intention to buy Guidance Software (Sys-Con Media), SiteLock has bought Patchman (PRNewswire), and Checkmarx has bought Codebashing (Reuters). The proposed sale of Sandvine to a private equity firm tied to NSO Group has raised objections from Canada's opposition Conservatives, concerned about NSO's alleged association with surveillance in the UAE (Record). NSO Group itself is being considered by Blackstone, said to be interested in a 40% stake (Reuters). SolarWinds says it's a buyer, looking for acquisitions (ARN). One company that's not on the block, as an IPO or a sale, is Raytheon's Forcepoint joint venture. Raytheon says it sees the unit as a long-term cyber play (Aviation Week).
In venture funding news, Bricata raised an $8 million Series A round (Bricata), PerimeterX received $23 million in a Series B round led by Canaan Partners (CyberScoop), and Protenus has just added $3 million to its Series A round (Technical.ly Baltimore).
Two captains of post-industry square off over AI.
Elon Musk (Tesla, SpaceX, many other ventures) and Mark Zuckerberg (Facebook) have traded sharply divergent views over whether artificial intelligence is benign or threatening. While some have seen the argument as being at least as much about personal branding as it is about the human prospect (Atlantic) one can't help noticing the extent to which science fiction appears to shape the discussion over AI. It's like a billionaires' version of an Oklahoma City jailhouse beef over whether Spock or Yoda was the sh*t (we bowdlerize for your protection) (Ars Technica). Were we better off when our cultural referents were the judgment of Paris and the wrath of Achilles? Anyway, having to choose between Spock and Yoda seems like a mug's game. Can't anybody work in some Vorlons and Shadows?
This CyberWire look back at the Week that Was discusses events affecting China, Denmark, Iran, Israel, Kenya, Japan, Democratic Peoples Republic of Korea, Republic of Korea, Malaysia, Mozambique, Netherlands, New Zealand, Russia, Sweden, United Kingdom, United States.
© 2018 CyberWire, Inc.