The week that was.
Kenyan election results voided over "irregularities."
In a surprise ruling, Kenya's Supreme Court voided that country's presidential elections over "irregularities" in the balloting. The August 8th elections had returned incumbent Uhuru Kenyatta to office, and the losing opposition candidate, Raila Odinga, had petitioned the court to nullify the results, charging that the vote had been hacked and otherwise electronically manipulated (New York Times). Few thought Odinga's suit had much merit, particularly since international observers had concluded the election was fairly conducted. (Odinga himself seems as surprised as anyone by the decision.) The court has directed that a new election be held within sixty days (New York Times).
Industry takes down an Android DDoS botnet.
It's not the first time Android devices have been roped into a botnet cannon, but past incidents have been, relatively speaking, popguns when compared to the large calibre DDoS ordnance that's emerged from the Internet-of-things. This month, beginning on August 17th, however, an Android botnet managed to get big enough to work some disruption. A concerted effort by several companies succeeded in containing the botnet ("WireX") and reducing it to low-order nuisance levels (Infosecurity Magazine). Bravo, then, to Akamai, Cloudflare, Flashpoint, Google, Oracle, RiskIQ and Team Cymru for a job well done (Threatpost). WireX was carried by malicious apps in Google's Play store; Google has purged some 300 of them as of this writing (Forbes). Observers think we've probably not seen the last of Android botnets (Naked Security).
New ransomware campaigns pose a particular threat to healthcare operations.
Proofpoint researchers found a new strain of ransomware, "Defray," infesting targets across a range of sectors: especially healthcare, but also manufacturing and "even an aquarium." Defray is a small-scale highly targeted effort, selective in its prospecting and not asking for an unusually high ransom ($5000 is the amount being mentioned). The campaign is unusual in its very plausible, carefully baited spearphishing (ZDNet).
Healthcare services operated by National Health Service (NHS) Lanarkshire in Scotland were hit last weekend by a ransomware attack that disrupted patient care into the week (BBC). NHS Lanarkshire, the Register sourly notes, was among the British healthcare operations hit by WannaCrypt earlier this year. The service's chief executive apologized to patients, asking them to bear with the healthcare provider as it brought its systems back online, and requesting that people delay non-urgent care (Scotsman). By midweek it had become clear that the ransomware involved was Bit Paymer, a relatively recently discovered strain, and one regarded as having been coded with some sophistication (Bleeping Computer).
Phishbait currently chumming the Internet.
It raineth on the just and the unjust, St. Luke famously wrote. We might add that phishing lures equally the noble and the base, the virtual tarpon and the online toadfish. As usual, criminals perceive opportunity in widespread suffering and bereavement, and we see this again with Hurricane Harvey. At the beginning of the week scammers were already registering domains for sketchy crowdfunding relief efforts nominally intended to alleviate Houston's misery, but that in fact are simply designed to separate the compassionate from their cash. Hurricane relief is appearing as phishbait in email come-ons (KrebsOnSecurity).
The base? The base are being induced to bite on a bogus promise of pirated Game of Thrones episodes. Some of the Game of Thrones scamming, unconnected as far as anyone knows with HBO hacker "Mr. Smith," has come from the Chinese threat group APT 17 (SurfWatch Labs).
And we're not sure whether the noble or the base are being trolled with this one, but there's a spam campaign out there using bogus email spoofing the US Internal Revenue Service. It looks good, at a glance, but the prose has that telltale whiff of phisher diction (e.g. "the belonging of offshore companies") and in any case you should be wary of any email telling you that changes in "Tax Law" (sic) now require you to download and complete a questionnaire from the FBI. The real IRS would, however, like you to do one thing for them if you receive such an email: forward it to firstname.lastname@example.org (Bleeping Computer).
US Navy collision may not have been due to a cyber attack, but the maritime sector feels itself on notice.
It appears the destroyer USS John S. McCain was involved in an ordinary mishap and not a cyber attack when it collided with a merchant tanker off Singapore two weeks ago (Washington Times). This preliminary conclusion hasn't satisfied critics, who retail a variety of ways in which ship systems could be crippled or manipulated through cyber attack. Most of the methods being cited are familiar from the ICS and SCADA world: USB drops, compromised supply chains, malicious insiders, etc. (The Hill). Others note the warnings to the shipping industry prompted weeks ago by that industry's experience with NotPetya (Times). Maritime operators are warning one another that their high degree of connectivity renders their supply chains unusually vulnerable to compromise (Maritime Executive).
Cyberespionage targets both India and Pakistan.
Symantec reports that India and Pakistan have been targeted with a cyberespionage campaign since at least October of 2016. The company thinks it likely the effort is state-sponsored, but declines to name any particular state. The campaign uses "Ehdoor" malware to establish a backdoor; the code was distributed in malicious links to stories about South Asian security issues that appeared in Reuters, the Hindu, and Zee News. Ehdoor has been reported before in operations against Middle Eastern targets. This latest South Asian campaign reminds observers of espionage directed against Qatar earlier this year. That effort was similar in approach, but used different malware, "Spynote" and "Revokery." There are several border disputes in South Asia, the most sensitive of which involve Kashmir (India and Pakistan) and Bhutan (India and China). More than one threat actor may be involved (Reuters).
Turla's back, with a second backdoor.
Turla, the Russian cyber espionage group known to have been active for the better part of two decades, has continued collection efforts this summer. ESET researchers have more on the group's technique, publishing an assessment of a second backdoor they've discovered in its toolkit. They call it "Gazer," and it's a second-stage backdoor installed once the first stage, called "Skipper," is in and open (We Live Security). Kaspersky Lab has also been tracking Turla; they've referred to the attacks involving Gazer as "WhiteBear" (Threatpost).
Gazer's been around for a while, making its first appearance, it seems, in 2016. ESET thinks it likely that Turla will develop a successor backdoor now that Gazer has been detected and linked back to the espionage group. Turla doesn't use much repurposed commodity malware. Gazer, like most of the other tools in Turla's kit, was designed with care and sophistication by a well-resourced team. The backdoor's command-and-control mechanisms are interesting. As ESET says in their report, "Gazer… can receive encrypted tasks from a C&C server, which can be executed either by the infected machine or by another machine on the network." It also uses an encrypted container to store its components. Its list of command-and-control servers is embedded in the malware. They're all legitimate but compromised websites, most of them running WordPress, that serve as a first-layer proxy (Bleeping Computer).
Vault7 disgorges "Angelfire" (despite a defacement whack by OurMine).
This Thursday, WikiLeaks posted documents said to describe a set of CIA tools collectively called "Angelfire." Angelfire is said to be a framework for the installation and management of implants on targeted machines running Windows 7 or Windows XP (RT). There is still no reliable word on how WikiLeaks obtains the documents it releases.
WikiLeaks was itself the recipient of some hacking attention early Thursday, as the Saudi-based hacktivist, criminal, or white-hat pentesting group OurMine defaced WikiLeaks pages with a message that counted coup against Julian Assange's group and took a swipe at Anonymous, with whom OurMine has had a longstanding beef (Hack Read). (And you can take your pick of the three descriptions; the third one is self-applied by OurMine.)
WikiLeaks was quick to tweet that its servers hadn't been hacked, which seems true enough in that the incident was apparently a case of DNS poisoning (Silicon Republic).
WikiLeaks' liaisonware dump from Vault7 reverberates internationally.
The alleged CIA spyware tool ExpressLane described in WikiLeaks' August 24th dump seemed oddly to target mostly other US agencies, in a kind of perverse form of liaison insurance (BleepingComputer). There are also suspicions that international partners were affected (Computing). Such suspicion runs particularly high in India, where people are already spooked by a running list of vulnerability disclosures affecting the Aadhaar national identification system. Indian officials deny there was any CIA compromise of the system, but critics refuse to be mollified (Times of India).
Other leaks (and litigation).
Alleged leaker Reality Winner, the former NSA contractor accused of leaking highly classified material to the Intercept, has moved that remarks she made to the FBI Special Agents while they were executing a search warrant in her apartment should be suppressed during her trial. Winner says the agents questioned her without Mirandizing her, and thus the things she said to them should be inadmissible. Reports have indicated that her responses amounted to a confession (Task & Purpose).
States won't wait (in either hemisphere).
The government of Victoria revealed its comprehensive, whole-of-government cybersecurity roadmap, the first Australian state to come up with such a plan (InnovationAus.com).
New York State began phasing in its financial sector cybersecurity regulations on Monday. The state's Department of Financial Services now requires banks and insurance companies it regulates to maintain state-approved cybersecurity plans, and to report cyberattacks within seventy-two hours of their detection (New York Law Journal). Other measures will be phased in until the rules go into full effect at the beginning of February 2018.
Victoria's roadmap is designed to secure the state's cyber operations and inter alia position it as a global hub of cybersecurity research and development. New York's regulations are expected to influence standards of care for the financial services and insurance sectors, given the state's prominence in those industries.
Gander, meet sauce.
Kaspersky Lab has remained on the receiving end of criticism from various corners of the US Government: the Russian company, whose security products are widely used around the world, is said to be too close to Russian intelligence services. Kaspersky has maintained that it's innocent of spying, and that while of course it does legitimate contract work for the Russian government (the way US security firms do legitimate contract work for US agencies), its products haven't been subverted to facilitate espionage. The Feds appear not to really buy this, and show small disposition to back off (CBS News).
In a coincidence (if you believe in such things) Moscow-based security firm Positive Technologies has reported finding a backdoor in Intel's Management Engine that enables participants in NSA's High Assurance Platform program to turn the Management Engine off (ZDNet).
Twitterbots and information operations.
Brian Krebs reports this recurring experience: whenever he tweets something about Russian President Putin, he receives a lot of not-really-relevant Twitter traffic about US President Trump. The tweets are driven by bots, with replies and retweets designed to amplify points of view or intimidate those holding opposing views (and inter alia manipulate and intimidate journalists).
Most discussions of responding to fake news have involved advocacy of some form of censorship, with a range of accompanying emotions running from enthusiasm to the clench-jawed reluctance with which one might choose the marginally lesser of two evils. It's not at all clear how online censorship would work, or indeed that it would work as intended. Recent discussions among Pakistani political figures, who are certainly alive to the prospects and dangers of radicalization, have suggested that comprehensive censorship is not only unworkable, but arguably self-defeating as well (International News).
But Krebs's experience prompts reflection about a different approach, one that's been commended to researchers for some time by former US Homeland Security Secretary Chertoff: find, identify, and screen bots. It's obviously not an information ops moonshot or Manhattan Project, but then nothing is, and such an approach might be less likely to do violence to civil liberties than others under consideration (the CyberWire).
Such tensions surrounding social control and information operations are not much in evidence in Cuba (Motherboard) or China (Dark Reading). When it comes to controlling information, some states are all-in.
Eight of the twenty-eight members of the US National Infrastructure Advisory Council (NIAC) resigned this week to register disapproval of President Trump's comments about Russian influence operations and Charlottesville rioting, and of what their resignation letters characterized as his inattention to cyber threats (Verge). It's been surprisingly difficult to determine exactly who resigned, but at least three of the eight were holdovers from President Obama's administration.
US Secretary of State Tillerson has outlined a Departmental reorganization plan that would eliminate State's cyber office. Its functions would move from the Office of the Secretary to the Bureau of Economic and Business Affairs. In general, the reorganization involves the downgrading or elimination of many special envoy or coordinator positions at State (The Hill).
Leaks have been contentious within the US Administration, but it appears that a new White House Chief of Staff has succeeded in reducing their frequency and impact. How this will affect reporters and their sourcing remains to be seen (Vanity Fair). We've heard from sources in a position to know that 2017's leakers may be usefully understood as falling for the most part into two categories, which those sources called "Game of Thrones" (that is, courtiers jockeying for the inside rail) and "Deep State" (mostly holdovers from the previous Administration).
From the private sector comes a suggestion for funding US Cyber Command: get the money from civil forfeiture of alleged cybercriminal assets (Information Security Media Group). (The private sector might think a bit harder about what it's actually wishing for here.)
On Monday, Forcepoint announced its acquisition of behavioral analytics shop Red Owl (Baltimore Sun). Financial details were not immediately available, but Forcepoint calls the move a play to enhance its leadership in "human-centric security."
SolarWinds has made its first-ever acquisition, picking up Netherlands-based email security shop SpamExperts (CRN).
Juniper Networks has acquired Cyphort (CRN). Terms are not yet public, but the acquisition is expected to close this month.
Qualys has completed acquisition of "certain assets" of Nevis Networks (Cellular News).
LookingGlass has raised $26.3 million in mezzanine funding (BusinessWire). Participants in this round included new investors Eastwood Capital and Triangle Peak Partners, with further investment from current backers Alsop Louie Partners, Neuberger Berman, and New Spring Capital. LookingGlass intends to use the funds for expansion into five continents (Antarctica being the odd continent out).
Qadium has raised $40 million in Series B funding. Backed by Peter Thiel among others, Qadium claims to be able to find just about anything connected to the Internet, and it says it can do so in about an hour (Forbes).
Bugcrowd is getting a new CEO: Ashish Gupta will succeed founder Casey Ellis. Ellis will become Chairman and CTO (Fortune).
A note to our readers: We hope all of you who are in a position to do so are enjoying this Labor Day weekend. We'll be taking tomorrow off in observance of the US Federal holiday (and probably the Maryland State Fair, too). The CyberWire Daily News Briefing and Daily Podcast won't publish tomorrow, but they'll resume as usual on Tuesday, September 5th.
This CyberWire look back at the Week that Was discusses events affecting Australia, China, Cuba, India, Kenya, Pakistan, Russia, United Kingdom, United States.
© 2018 CyberWire, Inc.