In 2017, ransomware has wreaked havoc on hospitals, transportation, nuclear plants, and more. This flavor of malware is vicious and shows no signs of slowing. This webinar led by Senior Security Researcher Kyle Wilhoit will shed light on the positive side, which is that there is much to be learned from these attacks and ransomware actor profiling can help inform cyber security strategy.
The Week that Was.
October 22, 2017.
By The CyberWire Staff
Check Point warns against an Internet-of-things botnet forming that could be more disruptive than Mirai (Check Point Research). The new botnet ("Reaper") contains mostly compromised IP cameras (WIRED).
Survey says: frameworks are good, compliance could be better.
How does the public sector view the state of cyber risk management, IT modernization, and the role of cybersecurity standards in improving our nation’s cyber posture? A survey of government and industry attendees at the 2017 AWS Public Sector Summit provides a unique window into the perceptions, challenges and opportunities for cyber risk management. Download your copy of the 2017 Public Sector Cyber Risk Management Report.
Researchers at KU Leuven announced a key reinstallation attack ("KRACK") that breaks the widely used secure wi-fi protocol WPA2 by forcing nonce reuse. They explained, "In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value" (KU Leuven). They quietly disclosed the issue to wi-fi hardware vendors in July (Graham Cluley).
The vulnerability won't be that serious for those who use SSL encryption. WPA2 is an add-on, not a replacement for SSL (KrebsOnSecurity). Using a virtual private network is also good practice (Malwarebytes).
KRACK is an inherently short-range vulnerability, and some have taken comfort from this, but that comfort may be colder than one would like. Columbia University's Steve Bellovin points out that while an attacking KRACK computer must be within 200 meters of its target, attackers themselves could be essentially anywhere, working through a chain of vulnerable machines (SMBlog).
Many vendors have already patched their products (Engadget, Help Net Security). Devices like smartphones will be fairly rapidly fixed. But the vulnerability will persist in small Internet-of-things devices, in many cases to the end of their life (WIRED).
Several experts criticize the way the standards body responsible for WPA2, IEEE, does business (ZDNet), calling its standards vetting too closed, too inaccessible to outside researchers (WIRED).
Whether you're focused on IT or national security, exploits and data loss incidents put your mission at risk. Your current tools assess and analyze content after it's breached your network - they all work right of boom. It's only a matter of time until boom happens to you. Don't let it. getleftofboom.com
The code library developed by Infineon turns out to be flawed in ways that render its RSA keys easier to factorize than they ought to be. It would require significant resources and determination to execute what researchers are calling "ROCA" ("return of the coppersmith attack") but factorization concerns have already induced some changes to important systems. The vulnerability is believed to be the one Estonian officials were hinting at when they closed their national identification card public key database last month (Ars Technica).
Attackers could in principle exploit the flaw by signing software using a private key that enabled them to impersonate the victim (consider recent attacks that have used malicious software updates). They could also induce a Trusted Platform Module to run malware (Forbes).
Microsoft, Google, HP, Lenovo and Fujitsu, among others, have released patches and mitigations. More are expected (Computing).
Whether you are getting started with threat intelligence or seeking to expand an existing program, the Threat Intelligence Maturity Model provides a systematic guide to help you understand where your organization resides on the path to a mature threat intelligence program. Download this white paper to learn how to apply threat intelligence to identify adversaries, prioritize your efforts, and take decisive action to keep your business on course.
Black Oasis spreads FinFisher.
Black Oasis, a threat group operating from the Middle East, has been exploiting CVE-2017-11292, an Adobe Flash vulnerability publicly disclosed and patched Monday (ZDNet), distributing FinFisher spyware (Security Week).
Sofacy, a.k.a. APT28, generally regarded as a Russian state-directed actor, is also hustling to exploit CVE-2017-11292 before the patch is widely applied. Sofacy's targets include foreign ministries and associated organizations, and it's casting a very wide net (Proofpoint). The phishbait is a malicious document purporting to show how American terroristic practices drove North Korea to pursue its nuclear program, implausible insistence right out of the Cold War era slick publication Whence the Threat to Peace?. It says something about the success of information operations that this bait can be expected to find swallowers.
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
PhishMe reports a trend: phishbait whose payload is keyed to the geolocation of the victim. A malicious VBScript is contained in what purports to be a scanned document that needs the mark's attention. If the payload determines that you're in Australia, Belgium, Ireland, Luxembourg, or the United Kingdom, you get TrickBot. Anywhere else and it serves you Locky ransomware. Locky has been resurgent lately: the Necurs botnet is now pushing it via malspam (Internet Storm Center).
ESET warns against DoubleLocker, Android specific malware that abuses accessibility functions to both encrypt data and lock the device (by changing the PIN) (WeLiveSecurity).
Ransomware has taken a much bigger blackmarketshare over the past year. Carbon Black reports a 2,502% increase in Dark Web ransomware traffic, with revenue jumping from less than $250,000 to more than $6.2 million (eSecurity Planet). Citrix deplores the way Bitcoin has made it too easy to pay the Dane Geld (no offense to Heimdal intended, of course).
Petty crook update: cryptocurrency edition.
Cryptocurrency miners are currently serving as a path-of-least resistance for petty cyberhoods to discharge their criminal energies. Epic Games is suing one such hoodie for allegedly distributing a miner disguised as a cheat for the free-to-play Fortnite game (Motherboard).
Data breaches and resistance to learned helplessness.
Reports from former employees say that Microsoft's private bug-tracking database was compromised by hackers in 2013, and that Redmond kept the incident quiet even as it patched the flaws (Reuters).
The US Internal Revenue Service, reaching for a silver lining in the Equifax story, tells Congress that the credit bureau's data breach isn't really that big a deal, since at least a hundred million of the people affected already had their personal data compromised in one way or another (Security Week). Some observers call for a revamped national identification system in the US, but others see this as creating a big target begging for attack (Federalist).
Expect more insider trading hacks. The sort of trouble that surfaced at the Securities and Exchange Commission isn't just a one-off, attorneys familiar with the SEC warn (Dark Reading).
Reckitt Benckiser, the UK consumer products giant, struggles with another quarter of disappointing revenue attributed in large part to the lingering effects of the NotPetya attack early this summer. Factory output was heavily affected; production has yet to catch up with the malware-induced backlog (Yorkshire Post).
Reckitt Benckiser's not alone, either. Insurers of big pharma leader Merck, whose manufacturing capacity was also hit hard by the pseudoransomware, are expected to have to pay out $275 million to cover the effects of the attack (Reuters). That's probably not the total cost of the incident, either. Analysts at Verisk think Merck has an unknown uninsured loss the pharmaceutical company will have to cover itself.
Shippers as well as manufacturers were hit hard by NotPetya, and the logistics sector continues to work through toward mitigating its own vulnerabilities (Maritime Logistics Professional).
North Korea as a serious cyber power.
North Korea is being taken seriously as a power in cyberspace (New York Times). Not only does Pyongyang continue to loot banks to redress its revenue shortfalls (Security Week), but it remains active in cyber espionage and destructive attacks, too (BBC, Diplomat). As is unsurprising with a nation committed to asymmetric conflict, North Korea seems not to receive the signaling its adversaries display toward it (Council on Foreign Relations).
It's possible, of course, that as Pyongyang gets more assertive in cyberspace, it will itself become an attractive cover in false flag operations by other powers (International Business Times).
Information operations (and a rising urge to control information).
US ambassador to the United Nations Nikki Haley called Russian attempts to interfere in US elections "warfare," which seems strong, and also to represent a hardening of the official US line (Fifth Domain). NATO's Deputy Secretary-General Rose Gottemoeller told a cybersecurity conference in Mons, Belgium, this week that the Atlantic Alliance had yet to come fully to grips with the hybrid warfare Russia has shown itself willing and able to wage, and that this deficit could erode the battlefield advantages NATO has assumed in the post-Cold War period (Stars & Stripes).
Influence operations continue (TrendLabs Security Intelligence Blog), and they may have as one goal what the Old Left would have called a "heightening of contradictions," inducing the targets of the operations to adopt increasingly repressive policies (New York Times). Twitter, for example, gets stern talk about unacceptable content (hateful, divisive, etc.) from members of the US Congress. The threatened consequences of failing to restrict speech are probably unconstitutional (Washington Post), but Twitter's nonetheless responded abjectly (TechCrunch). Facebook wants to get on the team, too. It's looking for cleared employees to help avoid getting enmeshed with foreign influence operations (Bloomberg).
Source code reviews and security.
US Senators ask the Department of Defense why it's OK with letting foreign governments inspect source code in software it uses. Symantec, for one, has said it will no longer entertain foreign governments' requests for such source code audit (Reuters).
Customers continue to pull Kaspersky security software from their systems for fear the company's anti-virus tools are reporting back to Moscow (Daily Beast). Some of the reporting seems harsher than strictly warranted by what's publicly known, but it seems clear that, fairly or not, Kaspersky is on the wrong end of a preference cascade (Data Center Knowledge, Philadelphia Inquirer).
Reauthorizing Section 702 (or not).
The US Senate Intelligence Committee will debate reauthorization of Section 702 in secret (Washington Post). Section 702 constitutes the legal authority for electronic surveillance of foreign targets by US intelligence agencies, specifically NSA. The Intelligence Community generally regards Section 702 reauthorization as essential to its ability to function effectively, but the law has drawn criticism for enabling collateral collection of the domestic side of foreign communications (The CyberWire). The House is considering the USA Liberty Act, which would reauthorize Section 702 with certain modifications (Lawfare). Critics think the Liberty Act insufficiently protective of whistleblowers (Electronic Frontier Foundation).
The EU is using Privacy Shield as a convenient stick to beat 702 into line (TechCrunch). For its part, the US says it fully intends to keep Privacy Shield in place (Security Week). The European Commission also went on record opposing backdoors in software mandated to subvert encryption (Infosecurity Magazine) as it passes a measure designed to require more privacy protections in Internet-enabled communication services (Help Net Security).
More posse than marque and reprisal.
The Active Cyber Defense Certainty Act resurfaced in the US House of Representatives as an amendment to the Computer Fraud and Abuse Act. If passed, it would allow authorized parties to conduct attribution, disrupt attacks, monitor attackers, use beaconing, and retrieve or destroy stolen files (Naked Security). For an extended thought experiment on how this might work in practice, see accounts of the Atlantic Council's Cyber 9/12 exercise (The CyberWire).
US Supreme Court will review 2nd Circuit's decision on access to offshore data.
A US appellate court ruled last year that Microsoft need not turn over emails stored in its Irish servers to US law enforcement authorities. The US Supreme Court has agreed to hear the Government's appeal of that ruling (Reuters).
DHS mandates email, Web security measures for US Federal agencies.
Binding Operational Directive 18-01 will require all US Federal agencies to improve their email security by applying DMARC (Domain-based Message Authentication, Reporting and Conformance), and to improve Website security by moving to HTTP Strict Transport Security (HSTS) (DHS).
US Cyber Command has taken its first toddler's steps with new acquisition authority granted as a functional combatant command, awarding $580,000 to Gartner for "IT research and executive advisory services" (C4ISRNET). The US Department of Homeland Security is also piloting "agile" acquisition of cyber tools (FedScoop).
SINET has made its formal announcement of the SINET 16, innovative startups who'll be recognized in Washington, DC, at the annual Showcase this November 8th and 9th. New to this year's event is an on-the-spot venture investment of up to $100,000 from the business development venture fund SixThirty CYBER (BusinessWire).
NSS Labs completes its 2017 testing of breach detection systems. "Of the seven products tested, four received a Recommended rating and two scored 100% for security effectiveness" (Business Insider). Lastline and Trend Micro products took the top scores.
GRIMM has spun out SCYTHE, a new cybersecurity company that will specialize in "continuous assessment" (BusinessWire). The Arlington, Virginia-based shop aims to offer the commercial sector real-time assessment in a production environment that includes audit and compliance, penetration testing, and red-teaming. Their intention is to deliver customer-tailorable threat campaign: "We emulate about ninety-some-percent of what's out there," CEO Bryson Bort said as he described the new company's Crossbow validation platform to the CyberWire. The new company emerged from stealth Tuesday with a formal launch Wednesday. They're looking for a dedicated threat intelligence partner to supplement their existing updates from the US Department of Homeland Security and the FBI.
Unicorn Tanium hires new executives as it continues to prep for its anticipated IPO (San Francisco Business Times). And there's a new unicorn in the sector, this one based in Michigan. Duo Security on Wednesday announced a $70 million Series D funding round, which brings the company's total valuation up to the $1 billion mark (Globes Newswire). Intezer has closed an $8 million Series A round, with much of the money coming from IT and security companies' venture capital arms (BusinessWire). "Self-protecting software" shop Contrast Security announced a $30 million Series C round (Business Insider).
Octo Consulting, after winning a five-year, $11.1 million IT management contract from the US Department of Health and Human Services (Executive Biz), announced plans to open a new satellite office in Maryland (Washington Business Journal).
CSRA announced its purchase of Praxis for $235 million (CRN). Splunk has acquired security machine-learning analytics shop SignalSense for an undisclosed amount of cash (ZDNet). Resolver has purchased RiskVision (BusinessWIre). Fidelis Cybersecurity has bought TopSpin, and intends to integrate TopSpin's network visibility product into its Elevate platform (BusinessWire). Cisco has acquired Perspica, which it intends to fold into its AppDynamics team (eWeek). And Booz Allen Hamilton said Friday that it's buying managed detection and response company Morphick (Street Insider).
The US Government Accountability Office (GAO) has decided against Northrop Grumman's protest of a $1 billion Homeland Security cyber contract. Raytheon will keep the work (Nextgov).
BAE has announced layoffs: 1900 jobs in the UK will be declared redundant, a bit more than a hundred of them in BAE's cybersecurity units (Consultancy).
The US Internal Revenue Service, which had awarded Equifax a bridge contract to perform fraud detection (at first blush faut de mieux, but there's more to the story) has suspended that contract in the wake of Equifax's recent problems with its website using third-party code that was directing visitors to a bogus and malicious Flash update (Ars Technica). US Federal contracting has some non-obvious ins-and-outs. In this case, Equifax lost the IRS fraud-prevention contract to a lower-cost bid from rival Experian, but since Equifax protested the loss (on the grounds that, according to Equifax, Experian was insufficiently technically qualified to be entrusted with the work) GAO rules required that Equifax receive a bridge contract while its protest was evaluated (Ars Technica). An editorial in WIRED argues that Equifax deserves a "corporate death penalty" under the laws of the state of Georgia that provide for a company's dissolution when it "has continued to exceed or abuse the authority conferred upon it by law."
Today's issue includes events affecting Australia, China, European Union, Democratic Peoples Republic of Korea, Republic of Korea, Russia, Taiwan, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.