The week that was.
Reddit gets hacked.
Reddit announced that between June 14 and 18 an attacker compromised a few employee accounts and gained access to backup data, source code and logs. Specifically, they downloaded an archived backup of all Reddit data from 2007 and before, including account credentials, email addresses and public and private messages. The data that were compromised were mostly old, dating to 2007, and therefore probably stale (TechCrunch). Reddit is working with law enforcement, and is reaching out to users who may have been affected.
The vulnerability exploited apparently came down to a two-factor authentication failure: the hackers defeated two-factor authentication with SMS interception. Reddit doesn't use SMS for two-factor authentication, employing the more secure tokens instead as their additional factor, but one of Reddit's providers apparently did use SMS (WIRED).
The incident ought not to discourage users from two-factor authentication as such. Time-based, one-time-password authentication apps are not susceptible to the sort of interception that affected Reddit (Hot for Security).
Sandworm phishes Swiss chemical weapons forensics lab.
The Sandworm group, a less famous relative of Cozy and Fancy Bear, is working against the Spiez Laboratory in Switzerland (Blick). Spiez is the chemical agent analysis facility that's performing forensic work on the Novichok attack against a former GRU officer who'd spied for the British, Sergei Skripal, and his daughter in the UK. A few first responders were also infected in that initial incident. The attack has since claimed two additional victims, including one who lost her life, through what appear to be residual samples of Novichok agent staged in England and probably simply abandoned.
The incident has prompted considerable international dispute. Russia has denied involvement in the chemical attack, but few believe this. Moscow's claims have been fairly opportunistic and far-ranging, but the basic line from the Kremlin is that the attacks were a put-up job by British and American intelligence services, probably abetted by someone like Czech intelligence. It's all aimed at framing Russia and sullying her good name, say various Russian spokespeople. As we've noted, few are convinced by this, but such is the information ops narrative being peddled.
The forensic investigation at Spiez is being performed in service of an international inquiry into the incident. Sandworm used phishing emails, spoofed so that they appeared to come from Spiez Laboratory accounts. The emails carried maliciously crafted Word documents. Many of the bogus emails went to people who planned to attend an international conference on chemical and biological weapons near Bern this autumn. The lab itself seems to have deflected the attack and warned the conference attendees. Sandworm is the same outfit believed to have used phishing against the Ukrainian power grid. Swiss authorities are investigating (Defense One).
Reversion to typewriters.
It's a limping form of resilience, but some Alaskan towns have reverted to typewriters as they grapple with recovery from a ransomware infestation. On Tuesday officials of the Matanuska-Susitna Borough in Alaska officially declared a disaster over what they called the worst such cyber attack in the nation (KTUU). The town is taking various measures to contain and remediate its problems, including the above-mentioned and much remarked reversion to typewriters for routine tasks like preparing receipts. The attack included installation of the Emotet Trojan and BitPaymer cryptolocker ransomware (Motherboard).
SamSam ransomware and the cost of recovery.
Atlanta, Georgia, might dispute Matanuska-Susitna's claim to have been on the receiving end of the worst cyberattack on a municipal government. Atlanta's cost to remediate the SamSam ransomware attack it sustained in March is now estimated at $17 million, according to a confidential report the Atlanta Journal Constitution and WSB-TV obtained. It's not clear who wrote the report, but the city document indicates that another $11 million will be needed on top of the $6 million already spent on recovery. The Journal Constitution's lede is direct and damning: "Taxpayers foot bill for years of neglecting network security."
Threats to industrial control systems.
Dragos this morning reported that a threat actor, "RASPITE," which Symantec has tracked as Leafminer in the Middle East, is operating against targets in Europe, East Asia, and North America. Operations against electrical utilities seem focused on the US. For now it seems that RASPITE, in Dragos's estimation, is capable of probes only, and not of disruptive or destructive attacks on industrial control systems. As usual, Dragos won't go farther in attribution to a nation-state, but Symantec in its account of Leafminer noted circumstantial evidence pointing to Iran (Symantec).
Amnesty International finds Pegasus spyware in phones.
Amnesty International says that at least one of its people had their phone infected with NSO Group's Pegasus spyware tool. Pegasus has been used by a number of governments to monitor dissent. The University of Toronto's Citizen Lab has confirmed the infection. The targets in this case appear to be Saudi dissidents (Infosecurity Magazine). NSO Group has a controversial record of selling to governments that use Pegasus for monitoring dissent.
Automotive cybersecurity under discussion in Detroit.
The second Billington Automotive CyberSecurity Summit was held in Detroit yesterday. Three trends are lending increased urgency to cybersecurity in the automotive industry: electrification, connection, and autonomy. These are seen as bringing considerable advantages in terms of safety, availability, convenience, user experience, and even environmental impact. Among the themes we heard at the summit were a general aspiration for more, and more effective, sharing of best practices and threat information across companies. There seemed to be a general commitment, expressed forcibly by General Motors, to treating cybersecurity as a safety issue, and not a matter where any one company ought to seek competitive advantage.
The two morning keynotes were delivered by Michael Chertoff (CEO of the Chertoff Group and former Secretary of Homeland Security) and GM President Daniel Ammann, who expressed optimism about the benefits of connected and autonomous vehicles. They argued that cybersecurity designed in from the beginning would be essential to securing those benefits, as would effective cooperation across the sector.
Chertoff urged those attending the conference not to overlook the implications of connectivity for data privacy. Complex systems like connected cars generate a great deal of data, and those data will inevitably attract those, legitimate businesses as well as criminals, who will be interested in monetizing them. The data being requested of cars (and their drivers) by insurers, for example, could amount to intrusive surveillance. One need look no farther than Facebook to see the possibilities of a serious consumer backlash. He also warned of the potential for terrorist exploitation of weaknesses in connected vehicles. "It's not too much of a leap to consider that some smart terrorist will decide it's easier to hack a vehicle and control it as a weapon." He closed with remarks about regulation, which will, he says, be inevitable, and will be better if industry anticipates it with voluntary standards. When it comes, he argued, it should be based on outcome and effects, and should not involve micromanagement. The SAFETY Act, designed to encourage investment in competent and capable counter-terror technologies, in his view represents a good legislative model. It might be worth extending this law to the auto industry.
GM's Ammann framed automotive cybersecurity as an issue that's converged with safety. It's also in his view a sector-wide issue. "Failure by any one company will be regarded by the public as failure by all." Thus cybersecurity must be a matter for cooperation across the industry. In this he reiterated a long-standing GM theme: the company says it won't treat cybersecurity as an area in which it seeks competitive advantage. Autonomous vehicles are poised to bring huge positive benefits in terms of availability, affordability, and safety. Cybersecurity incidents could halt progress toward those benefits, which means that customers are best served by industry-wide security collaboration.
Other panelists from industry talked about the speed with which the threat evolved, and how difficult it was to keep up with it, let alone get ahead of it. Stacy Janes, of Irdeto, observed that there was a high degree of collaboration among cybercriminals. "They move with the speed of a startup," as he put it. This is not to be understood as some sort of guild-like honor among thieves. It's a function of the criminal-to-criminal economics of the dark web souks.
Robert Anderson of the Chertoff Group offered a similar perspective. He said that in his view most people, and that includes people in the automotive industry, remained unaware of the advantage attackers enjoy in cyberspace. This advantage isn't a matter of superior technical capability, but rather has two principal sources. First, the criminals, hacktivists, and intelligence services that constitute the threat groups don't operate under the sorts of legal or even social restraints to which legitimate businesses in most parts of the world hold themselves, or at least to which the authorities hold them. In this we heard an echo of what we heard during a morning panel session from Jake Bilonski, Supervisory Special Agent in the FBI's Detroit Field Office. In the US, Bilonski pointed out, you can't go to the FBI or the NSA and say, "we need this widget—go steal it for us." In some other countries, notably China, you can.
The other attacker advantage Anderson pointed out was the efficiency of the black market and its success in commodifying attack tools. You don't have to have any particular technical expertise any more, he said, to mount a damaging cyberattack. The means to do so are readily available in the dark web souks.
It is, finally, important to remember that cybersecurity must be achieved in ways that make business sense. Customers need to be able to repose the same trust in connected and eventually autonomous cars that they currently feel toward home appliances. And very small costs add up rapidly in large-scale production.
Crime and punishment.
In a story that broke this week, the US FBI and Department of Justice announced the arrest and indictment of three Ukrainian nationals alleged to be members of the notorious cybercrime group Fin7. The DOJ claims Fin7 is responsible for attacks on over 100 US organizations, stealing more than 15 million credit card records from companies like Chipotle, Chili's, Arby's, Red Robin, and Jason's Deli. The Seattle Cyber Task Force of the FBI and the US Attorney's Office for the Western District of Washington led the investigation, and coordinated with law enforcement agencies in Poland, Germany and Spain (Register).
Courts and torts.
The first lawsuit against Facebook for its record-breaking and data-scandal-related stock price freefall has been filed in New York (New York Law Journal).
Policies, procurements, and agency equities.
As the US Intelligence Community and the Administration repeated warnings of increased risk of cyber operations, especially operations by Russia directed against critical infrastructure and the US midterm elections, the Department of Homeland Security announced formation of a new cyber intelligence sharing center (Wall Street Journal), and General Nakasone says that NSA and US Cyber Command will be helping with election security (US Department of Defense).
As expected, the FBI has again advocated for "responsible encryption" to reduce the risk of criminals and terrorists "going dark." Obligatory moonshot analogy included for inspirational purposes (Techdirt).
Fortunes of commerce.
The punishment Facebook and Twitter sustained the week before last seems directly related to flatlining subscriber counts in lucrative advertising markets. As the Washington Post put it, the ghost of MySpace is haunting the two dominant social media platforms. Engagement with users, investors apparently fear, is reaching an inflection point with respect to the network effects that have driven their market value as high as it's been.
Chinese and Russian companies appear to have a firm place on the Pentagon's do-not-buy list (Bloomberg). In news that maybe they (or even you) can use, when confronted with sanctions, ZTE doubled down on lobbyists (New York Times).
Symantec plans to cut 880 staff in the US as its board approves a $50 million restructuring plan that will realign the company after its 2017 series of divestitures (CRN).
Facebook's CSO Alex Stamos has set a date for his long-anticipated departure from the company: August 17th. He'll take a teaching and research post at Stanford University. Stamos and Facebook part with expressions of mutual esteem and the intention of continuing to work together. Facebook has no plans to fill the CSO position Stamos will vacate (Help Net Security).
The labor market.
More companies in many sectors are dropping degree and experience requirements from job descriptions. This is also affecting the tech job market (Wall Street Journal).
Canadian proposals address ways of increasing the cyber workforce that will have a familiar ring to those in other countries (Globe and Mail).
Mergers and acquisitions.
Cisco has announced its intention to acquire Duo Security for $2.35 billion in cash. Cisco believes that Duo's adaptive authentication will prove an important addition to its offerings (TechCrunch). Duo will become a business unit in Cisco's security group (CRN). Duo has told its customers to expect no changes to its service or commitment to customer service (Ars Technica).
Mimecast has made another acquisition, this one of Solebit, wanted for its threat detection product that scans incoming content for malicious code. Mimecast paid $88 million for the company, whose offerings it hopes will offer improved zero-day detection capabilities (CRN).
Integrity Applications International (IAI) has acquired Dependable Global Solutions (DGS). The Virginia-based technology contractor is interested in DGS's cybersecurity and counterintelligence contract work on space, missile defense, cybersecurity and intelligence programs. Terms of the acquisition were not disclosed (Washington Technology).
Bomgar has completed its acquisition of Avecto (OA Online).
GE Digital, one of the signature initiatives of former CEO Jeffrey Immelt, is being sold off. The unit has been losing money, and GE has not succeeded in achieving the market share in industrial control systems it had hoped to achieve (Wall Street Journal).
Investments and exits.
Sydney-based Cloud Conformity on Wednesday received a $2.8 million Series A round led by Paladin Capital Group with participation from Jump Capital. Cloud Conformity provides real-time security and compliance solutions for public cloud infrastructure (Paladin Group). The company has been expanding operations into North America and Europe, with offices in Montreal and London.
Hedera Hashgraph reports raising $100 million from "institutional and high net worth individual investors." The company intends to use the funds raised to complete development of its public distributed ledger platform and network, and to take them to market along with the apps being readied for them. The Dallas-based organization is offering its platform as a secure alternative to blockchain (Venture Beat).
Entrust DataCard has made a "strategic investment" in cloud security provider CensorNet. Entrust DataCard, which provides identity and secure transaction solutions, is interested in using CensorNet's "real-time threat awareness with enhanced pattern analysis for continuous authentication" (Finextra Research).
And security innovation.
Accenture is establishing an innovation hub for defense and national security in Canberra, Australia (OA Online).
This CyberWire look back at the Week that Was discusses events affecting Canada, China, European Union, Germany, Russia, Saudi Arabia, Spain, Switzerland, United Kingdom, United States.
On the Podcast
Research Saturday is up. Researchers at McAfee recently discovered code execution vulnerabilities in the default settings of the Cortana voice-activated digital assistant in Windows 10 systems. Steve Povolny, head of advanced threat research at McAfee, shares their findings with us.
© 2019 CyberWire, Inc.