skip navigation

More signal. Less noise.

2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.

WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.

Daily briefing.

In a week that's seen Microsoft, Facebook, and Twitter shut down influence operations from Russia and Iran, it seemed late yesterday that there'd been another election hack, this one a phishing campaign directed against the US Democratic National Committee (DNC). The DNC's CSO briefed party leaders, informed the FBI, and took a whack at the Administration for not doing enough to protect voting infrastructure.

It emerged over night, however, that there was, in fact, no hack. It was a poorly coordinated phishing awareness exercise. Lookout reported a fake login page for VoteBuilder that appeared to be after credentials for the DNC's voter database. The DNC ran with the false alarm. As Lookout has since tweeted (correctly) you don't know an alarm is false until you investigate. But the cock-up ("SNAFU," as CNN calls it) is embarrassing. It's good to be aware of security, but it's also good to be aware of it in ways that don't turn a fire drill into a Federal case.

No one's quite sure yet who ordered up the phishing test, but several people are pointing, on background, at Michigan's state branch of the Democratic Party.

Apache Struts has been found vulnerable to remote code execution. Semmle described the issue, which the Apache Foundation is addressing. 

Surveillance tool maker Spyfone left "terabytes" of data exposed in a misconfigured AWS S3 bucket.

Cisco's Talos unit reports that Breaking Security's Remcos remote admin tool is exploitable by hackers.

Kaspersky Lab finds North Korea's Lazarus Group pushing Mac malware.

Notes.

Today's issue includes events affecting Australia, China, European Union, Israel, Democratic Peoples Republic of Korea, Mexico, Russia, Ukraine, United Kingdom, United States.

Don’t let threats SOC you where it counts.

Protecting your organization from an attack involves much more than the traditional “block & tackle” tactics of the past. A good boxer doesn’t just block the punch they see coming, they move against the next anticipated punch. The modern Security Operations Center (SOC) requires a combination of automation and human tradecraft to successfully repel the adversary. Learn more about the modern SOC in LookingGlass’ webinar featuring guest IDC, August 29 @ 2pm ET.

In today's podcast we speak with our partners at the Johns Hopkins University, as Joe Carrigan gives us a rundown on Android vs. iOS data privacy. Our guest is Oren Falkowitz from Area 1 Security, discussing protection against phishing attempts.

Hacking Humans is also up. This week our hosts take up Hollywood script pitch event scams, a romance scam murder scheme, and the curious case of allegedly spontaneously combusting ATM cards. Our guest, Jayson E. Street from SphereNY, describes his experiences with security awareness engagements.

Cyber Security Summits: August 29 in Chicago & in NYC on September 25 (Chicago, Illinois, United States, August 29, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The NSA, Darktrace, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

IR18: Don’t Forget to Register for the first and only community-driven IR conference! Built by the community, for the community. (Arlington, Virginia, United States, September 5 - 6, 2018) IR18 is a conference for cybersecurity professionals to learn and develop playbooks to improve incident response processes. Receive 20+ hours of practical training on today’s best practices in IR topics, including 36 breakout sessions designed for all levels of experience.

Rapid Prototyping Event: The Chameleon and the Snake (Columbia, Maryland, United States, September 17 - 20, 2018) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting a Rapid Protoyping Event that specifically targets malware signature diversity and signature measurement for Microsoft Windows in a simulated operational environment at a realistic pace. Join us September 17-20, 2018 at UMBC Training Center in Columbia, MD.

The force is stronger when MSPs and MSSPs come together. (Webinar, September 19, 2018) The managed service market has grown tremendously, with the demand for managed security being unprecedented. For managed service providers (MSPs) looking to answer those demands, partnering with a managed security services provider (MSSP) expands access to highly-skilled cyber security analysts and a full suite of security solutions. Join Delta Risk’s webinar, September 19 at 1 PM ET, to learn how the two sides can join forces.

5th Annual Cyber Security Conference for Executives (Baltimore, Maryland, United States, October 2, 2018) The 5th Annual Cyber Security Conference for Executives, hosted this year by The Johns Hopkins University Information Security Institute and Ankura, will be held on Tuesday, October 2nd, in Baltimore, Maryland. This year’s theme is cybersecurity compliance and regulatory trends, and the conference will feature discussions with thought leaders across a variety of sectors. Join the discussion and learn about current and emerging cyber security threats to organizations, and how executives can better protect their enterprises. To receive the early-bird rate, register now!

Dragos Industrial Security Conference (DISC) 11/5/18 (Hanover, Maryland, United States, November 5, 2018) Reserve your spot now for the Dragos Industrial Security Conference (DISC) on November 5th, 2018. DISC is a free, annual event for our customers, partners, and those from the ICS asset community. Visit https://dragos.com/disc/ for more information.

Cyber Attacks, Threats, and Vulnerabilities

False alarm: Democrats say feared hack attempt was actually just a test (CNN) The Democratic National Committee said late Wednesday night that what it had earlier feared was the beginning of a sophisticated attempt to hack into its voter database, was, in fact, an unauthorized "simulated phishing test" and not an actual attempt to hack into its systems by an adversary.

Analysis | The Cybersecurity 202: DNC says hack attempt on its voter database was a false alarm (Washington Post) It was actually just a test.

Lookout discovers phishing site targeting DNC (Lookout) As reported by The Washington Post and CNN today, Lookout has discovered a customer phishing kit targeted at the Democratic National Committee (DNC) via a third-party technology provider NGP VAN.

Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack (BleepingComputer) Lazarus Group, the North Korean hackers who hacked Sony Films a few years back, have deployed their first Mac malware ever, according to Russian antivirus vendor Kaspersky Lab.

Islamic State Leader Urges More Attacks In First Purported Audio In Year (RadioFreeEurope/RadioLiberty) The leader of the Islamic State extremist group in his first purported audio recording in a year is urging his followers to keep fighting the group's enemies around the world despite recent defeats.

Organizations Hit With North Korea-Linked Ryuk Ransomware (SecurityWeek) A recent wave of Ryuk ransomware attacks against organizations around the world can be linked to a notorious North Korean threat actor.

Dark Tequila: A Distilled Threat for Mexican Targets (Threatpost) Dark Tequila, which has been active since 2013, is highly modular and targets victims in Mexico.

Iran Emerges as Latest Threat to Facebook and Twitter (WIRED) The social media companies removed hundreds of fake accounts with links to Iran and Russia that were engaged in "coordinated inauthentic behavior."

How FireEye Helped Facebook Spot a Disinformation Campaign (New York Times) The cybersecurity company has shifted its attention to detecting disinformation and uncovering social media campaigns intended to influence politics.

How Microsoft Tackles Russian Hackers—And Why It's Never Enough (WIRED) Microsoft has once again taken down Russian phishing sites, but that won't deter them for long.

Europe Worries as Facebook Fights Manipulation Worldwide (New York Times) The social network’s disclosure of a new misinformation effort shows manipulation of its platform isn’t a phenomenon limited only to Americans.

New Spyware Framework for Android Discovered (SecurityWeek) A newly identified spyware framework called Triout can be used to build extensive surveillance capabilities into Android applications, Bitdefender security researchers warn.

Triout - The Malware Framework for Android That Packs Potent Spyware Capabilities (Bitdefender) Android malware is neither new nor scarce. If anything, the proliferation of Android devices – from smartphones to tablets and smart TVs – has sparked renewed interest among malware developers in new and potent threats.

Attackers Using 'Legitimate' Remote Admin Tool in Multiple Threat Campaigns (Dark Reading) Researchers from Cisco Talos say Breaking Security's Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

Spyware Company Leaves ‘Terabytes’ of Selfies, Text Messages, and Location Data Exposed Online (Motherboard) A company that sells surveillance software to parents and employers left “terabytes of data” including photos, audio recordings, text messages and web history, exposed in a poorly-protected Amazon S3 bucket.

Critical Apache Struts 2 Flaw Allows Remote Code Execution (SecurityWeek) Apache Struts 2 developers release updates that patch a critical remote code execution vulnerability tracked as CVE-2018-11776

Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776) (Semmle) Today, the Apache Software Foundation announced a critical remote code execution vulnerability in Apache Struts, a popular open source framework for developing web applications in the Java programming language.

Airmail 3 Exploit Instantly Steals Info from Apple Users (Threatpost) Attackers can abuse URL requests processed by an email program for Mac to steal files from the victim -- sometimes without user interaction.

Reevaluate "low-risk" PHP unserialization vulnerabilities, researcher says (CSO Online) Over nearly a decade, PHP unserialization vulnerabilities have become a popular route for cyber-criminals to plant remote code execution or deliver other malware into systems. But new research, introduced at Black Hat this month, shows that malevolent hackers can introduce this vulnerability, even in environments that were previously considered low-risk for this attack.

Belkin IoT Smart Plug Flaw Allows Remote Code Execution in Smart Homes (Threatpost) An unpatched buffer overflow flaw allows remote attackers to completely take over the device and enter the home network.

Netflix, HBO GO, Hulu passwords found for sale on the Dark Web (Naked Security) On average, they’re fetching $8.71 (about £6.60) for one-time use, though some sellers are also selling bundles of accounts at higher prices.

Superdrug Held to Ransom After Breach (Infosecurity Magazine) High street retailer said to have spilled data on 20,000 customers

What a Forensic Analysis of 'Worst Voting Machine Ever' Turned Up (Dark Reading) University of Copenhagen associate professor discusses what he found when he dug into some decommissioned WinVote voting machines.

Serious Security: How to stop dodgy HTTP headers clogging your website (Naked Security) It’s been dubbed ReDos, for Regular Expression Denial of Service – where a few rogue HTTP requests could clog your whole site.

Fifty per cent of councils in England rely on unsupported server software (Computing) Lack of updates makes councils in England security targets

Cybercriminals Are Leveraging Agile Development, Organizations Must Keep Pace (SecurityWeek) Security teams need to adopt a more agile approach that enables them to not only see and defend against attacks, but also to predict where attacks are most likely to occur.

An introduction to the Chinese-language underground (IDG Connect) We speak to Mark Schaefer, an analyst on Flashpoint’s Asia-Pacific team, about the threat from the Chinese-language cybercriminal underground.

Babysitting app suffers ‘temporary data breach’ of 93,000 users (Naked Security) Babysitting-booking app Sitter “temporarily” exposed the personal data of 93,000 account holders, according to a researcher who recently discovered the trove of data using the Shodan Internet of Th…

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool. (Washington Post) Try just a little harder, folks.

Security Patches, Mitigations, and Software Updates

Adobe Patches Critical Photoshop Flaws in Unscheduled Update (Threatpost) The two vulnerabilities are critical remote code execution flaws that exist in Adobe Photoshop CC.

Facebook Removes Data-Security App From Apple Store (Wall Street Journal) Facebook pulled its data-security app Onavo from Apple Inc.’s app store after the iPhone maker ruled that the service violated its data-collection policies.

It Takes an Average 38 Days to Patch a Vulnerability (Dark Reading) Analysis of 316 million-plus security incidents uncovers most common types of real-world attacks taking place within in-production Web apps in the AWS and Azure cloud ecosystems.

Cyber Trends

3 trends in the future of cyber conflict (C4ISRNET) Data will be more coveted, humans are the new attack vector and the homeland is increasing at risk in cyber conflicts of the future.

SMB Cybersecurity Report (Switchfast) Check your IT infrastructure against our report, which highlights the areas where small businesses become too complacent with their cybersecurity.

Ivanti Survey Reveals Tension in IT Departments between (Business Insider) Ivanti, the company that unifies IT to better manage and secure the digital workplace, today announced survey ...

Who owns application security? (Help Net Security) Information security is hard enough already, but it gets much easier when the whole team pulls together towards a common goal.

tCell Finds Web Application Attack to Breach Ratio Still High With Cross-Site Scripting (XSS) and SQL Injection the Most Common (PRNewswire) New application security report on Q2 2018 threats evaluated more than 300 million incidents to determine the most prevalent types of real-world attacks in cloud-based web applications

Untrusted, low-quality data is hurting decision-making in business (Computing) Organisations are overconfident when it comes to data-driven decision making

Security of smart utilities leaves a lot to be desired (Help Net Security) The security of smart utilities should be a primary concern. Unfortunately, digital security remains unimplemented during utility modernization.

IoT security: The work on raising the bar continues (Help Net Security) As the number of connected devices grows, so do IoT security challenges. However, the goal should be not to eliminate new technology, but to maximize value.

Bitglass study finds that EMEA cloud adoption continues to outpace rest of the world (GlobeNewswire News Room) EMEAimage desc for 1 cloud adoption has increased to 84image desc for 2 percent; 5 in 6 companies analysedimage desc for 3 have deployed at least one cloud application

Imperva Survey Reveals Nearly One-third of Organizations Still Not Completely Prepared for GDPR (BusinessWire) Imperva survey conducted at the Infosecurity Europe reveales that 28 percent of organizations do not feel completely compliant with GDPR.

Marketplace

Google Tried to Change China. China May End Up Changing Google. (New York Times) Google once held itself up as proudly nonconformist. A decision to abide by Chinese censors would mark a new era for the company — one of conventionality.

Microsoft's anti-hacking efforts make it an internet cop (Tristate Homepage) Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.The company's announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian witch hunt.

Leaving the SecurityWeek ICS Cyber Security Conference (Control Global) I have decided to discontinue my participation in the SecurityWeek ICS Cyber Security Conference. I will continue to participate in control system and ICS cyber security conferences, my Managing Directorship of ISA99, the blogsite at www.controlglobal.com/unfettered , and my focus on instrumentation and control system cyber security, reliability, and safety. I also will continue to provide independent expert support to end-users, vendors, and government organizations. Additionally, I look forward to continue being an evangelist and keynote speaker for the need to secure these critical, but not well-understood systems.

XTN Establishes North American HQ, Expands Global Reach & Leadership Team (XTN) XTN Inc., provider of advanced security and anti-fraud solutions based in Italy, today announced it has established

Products, Services, and Solutions

Caveonix Announces Proactive Risk Management Platform for VMware Cloud Provider Partners (PRNewswire) Company Releases RiskForesight 2.0 platform and supports VMware Cloud Provider Program (VCPP) as Independent Software Vendor (ISV) partner at VMworld 2018 US

Coalition Introduces Service Fraud Coverage (The Coalition) Citing the rise in cloud services and cryptomining-driven fraud, Coalition, the leading technology-enabled cyber insurance solution, today announced the first cyber insurance product to protect organizations against fraudulent use of their IT and telephony services, including cloud- and Internet-based services.

Polyverse Thwarts PHP Vulnerabilities, WordPress Attacks (Polyverse) Polyverse Corporation today announced its R&D project, Polyscripting, stops all PHP code injection and execution vulnerabilities detailed in a whitepaper recently released by Secarma Labs.

Fortanix addresses enterprise blockchain security requirements with private key protection (Help Net Security) Fortanix SDKMS delivers new encryption-based data protection and cryptographic algorithms to help address blockchain security gaps.

Exabeam and Okta partner to deliver security detection and response for identity (Help Net Security) The joint Exabeam and Okta solution will help security teams to monitor and protect enterprises against credential-based threats.

SailPoint’s IdentityIQ extends identity governance for AWS and SAP environments (Help Net Security) With IdentityIQ 7.3, SailPoint expands the definition of identities to govern non-human identities such as software bots, including RPA bots.

Intello and OneLogin partner to offer visibility into SaaS utilization (Help Net Security) Through this partnership, IT and tech security leaders and enterprise CIOs and CISOs, can manage their organization’s SaaS spend, usage, and compliance.

Pulse Secure Recognized as Leading Hybrid IT Secure Access Platform Vendor (Pulse Secure) Pulse Secure provides a consolidated offering for access control, SSL VPN, and mobile device security. Contact Pulse Secure at 408-372-9600 to get a free demo.

NSA approves tablet and communicator for Five Eyes special forces (C4ISRNET) NSA approves new secure communication device for immediate adoption by special forces.

Technologies, Techniques, and Standards

Wall Street Finds Limits with Current AI Applications (Wall Street Journal) Experts who are experimenting with various aspects of artificial intelligence at Goldman Sachs Group Inc. and Morgan Stanley say artificial intelligence could be useful in detecting fraud and reducing errors in algorithmic trading, but there are still many limitations with the technology as it exists today.

Victimology: Target Association (ThreatQuotient) In a previous life, I managed two SOCs with 40+ analysts each, where a large component of the team was dedicated to threat intelligence

Timeline Analysis to Identify Campaign Attacks (ThreatQuotient) Building from our previous spearphish investigation, let’s continue to dissect the robertwanger [at] aol.com spearphish attacks.

Attack Attribution (ThreatQuotient) This is the third and final blog in my series on victimology. Now that we have a relatively decent baseline, we can start to compare other spearphish

The single sign-on account hijacking threat and what can we do about it? (Help Net Security) Single sign-on (SSO) lets users avoid creating and managing accounts across different services, but can users remediate an account takeover?

Army leaders say this is the service’s ‘secret sauce’ (C4ISRNET) Enemies have begun to recognize and develop strategies to attack a key weapon system.

Design and Innovation

Facebook Is Rating Users' Trustworthiness, But It Won't Say How (Motherboard) In an effort to fight fake accounts and misinformation, Facebook is implementing a scale that ranks users’ trustworthiness from zero to one.

Research and Development

empow Drives SIEM Innovation with Six Patents Granted and 10 Pending (PRNewswire) Company's high patent volume focuses on using true artificial intelligence, natural language processing, security infrastructure abstraction and other innovations to automatically detect and respond to cyber attacks

Legislation, Policy, and Regulation

Australia bans Huawei, ZTE from 5G network (CRN Australia) In light of security concerns.

How the Defense Department views China’s cyberthreat (Fifth Domain) The Defense Department believes that China will use cyber as a way to deter future attacks, according to a new report.

EU unlikely to heed British call for more Russia sanctions (Reuters) The European Union is unlikely to heed London's call for it to match the latest U.S. sanctions against Moscow over an attack on a former Russian spy in Britain earlier this year, diplomats in Brussels said.

U.S. Widens Russia Sanctions Amid Calls They Don’t Go Far Enough (Wall Street Journal) The Trump administration imposed new sanctions against Russia, escalating U.S. diplomatic pressure on Moscow as the White House tries to fend off a push by lawmakers to deploy even-more-potent tools to cripple the Russian economy.

Sanctions on Russia Are Working (Foreign Affairs) On August 8, the Trump administration announced new sanctions on Russia in response to its use of the nerve agent Novichok to poison Sergei Skripal, a former Russian military intelligence officer, and his daughter, Yulia, in the United Kingdom in March. The penalties are set to go into effect in the coming days. Congress will soon consider further sweeping measures against Russia in retaliation for the chemical attack.

Russia to spurn certain U.S.-made electronic goods regardless of sanctions: RIA (Reuters) Russia plans to stop buying electronic devices and components from the United States that can be used for both civilian and military purposes regardless of new U.S. sanctions, Russian lawmaker Alexei Kondratiev was quoted as saying on Thursday.

Not Too Early to Start to Prepare for New California Privacy Law (Lexology) In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018…

Litigation, Investigation, and Law Enforcement

How a hacker network turned stolen press releases into $100 million (The Verge) International hackers based in Ukraine stole unpublished press releases and passed them to stock traders to reap tremendous profits.

Rights Group Demands Government Take Action on Nuisance Calls (Infosecurity Magazine) ICO should be allowed to fine directors, argues Which?

Using smart meter data constitutes a search, but court allows them anyway (Naked Security) US cities using smart meters narrowly escaped a legal problem this month when a court decided that the benefits of these IoT devices outweighed the privacy issues created by collecting detailed hom…

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

RSA 2019 (San Francisco, California, USA, March 4 - 8, 2019) This year’s theme is, to put it simply, Better. Which means working hard to find better solutions. Making better connections with peers from around the world. And keeping the digital world safe so everyone...

Upcoming Events

The Air Force Information Technology & Cyberpower Conference (Montgomery, Alabama, USA, August 27 - 29, 2018) As the premiere Air Force cyber security annual event, the Air Force Information Technology & Cyberpower Conference (AFITC) returns to Montgomery, Alabama in August of 2018. As a critical intersection...

The Cyber Security Summit: Chicago (Chicago, Illinois, USA, August 29, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts.

Intelligence & National Security Summit (National Harbor, Maryland, USA, September 4 - 5, 2018) The Intelligence & National Security Summit is the premier forum for unclassified, public dialogue between the U.S. Government and its partners in the private and academic sectors. The 2018 Summit will...

Cyber Resilience & Infosec Conference (Abu Dhabi, UAE, September 5 - 6, 2018) Interact with the top-notch cyber security specialists, learn new strategies and protect your company's future efficiently

9th Annual Billington CyberSecurity Summit (Washington, DC, USA, September 6, 2018) The mission of Billington CyberSecurity is to bring together thought leaders from all sectors to examine the state of cybersecurity and highlight ways to enhance best practices and strengthen cyber defenses...

SecureWorld Twin Cities (Minneapolis, Minnesota, USA, September 6, 2018) Connecting, informing, and developing leaders in cybersecurity. SecureWorld conferences provide more content and facilitate more professional connections than any other event in the Information Security...

CornCon IV: Quad Cities Cybersecurity Conference & Kids' Hacker Camp (Davenport, Iowa, USA, September 7 - 8, 2018) CornCon is a 2-day conference held in Davenport, Iowa including a professional development workshop on Friday and a full-day cybersecurity conference on Saturday. The workshop covers enterprise risk, privacy...

2018 International Information Sharing Conference (Tysons Corner, Virginia, USA, September 11 - 12, 2018) Join representatives from fellow information sharing groups with all levels of expertise, security practitioners, major technology innovators, and well-established cybersecurity organizations, as they...

SecureWorld Detroit (Detroit, MIchigan, USA, September 12 - 13, 2018) Connecting, informing, and developing leaders in cybersecurity. SecureWorld conferences provide more content and facilitate more professional connections than any other event in the Information Security...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.