2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
The Week that Was.
August 11, 2018.
By The CyberWire Staff
Chipmaker shut down due to WannaCry secondary infection.
Taiwan-based chipmaker and Apple supplier Taiwan Semiconductor Manufacturing Co (TSMC) was hit with a cyber incident on Friday, August 3rd. The company brought its plants back online after an infection that caused them to shutter operations over last weekend. The malware in question is said to have been WannaCry, familiar from last year's widespread infestation. The company said the outbreak happened during software installation of a new tool, which then evidently carried the infection into other parts of the company's network. TSMC added that "neither data integrity nor confidential information were compromised."
The incident appears to have been due to operator carelessness, a secondary infection and not a direct attack, as had been widely feared in Taiwan when the malware infection was first reported. TSMC's CEO bluntly told the press, "This is purely our negligence so I don't think there is any hacking behavior." TSMC attributes the infection to failure to scan software for known threats before installation, and they say their staff won't make the same mistake again (SecurityWeek).
WannaCry, to review its history, is a ransomware strain that propagates itself as a worm. It was discovered on May 12 of 2017, and it's been associated with North Korea's Lazarus Group. As TSMC implied, it's a known threat, with readily available detection and mitigation. Still, a nasty piece of work the world has probably not seen the last of, especially as older Windows variants continue in use by manufacturers in many sectors. TSMC had unpatched WIndows 7 systems, and its losses from the incident, while still not determined, will be in the millions of dollars (Network World). Those losses won't be company killing, but they will be painful. Preliminary estimates cap the potential loss at $170 million (BankInfo Security).
US-CERT has warned of a new remote access Trojan released by North Korea (IT News). McAfee and Intezer have conducted joint research into Pyongyang's attack tools and they've found considerable code reuse: some of the code that continues in use goes back to 2009's Brambul, one of the earlier malware strains to come from the DPRK. Code reuse is an obvious labor-saver (ZDNet). Intezer is particularly confident that DPRK code-reuse offers strong evidence for attribution (Bleeping Computer); in a conversation at Black Hat they called it the malware's "DNA."
WannaCry, which took down TSMC's plants last week, figures prominently in Pyongyang's malware tree. Its first appearance exacted a high cost.
Want to learn more about your organization's data exposure on the dark web?
Contact Terbium Labs today to discuss how our fully private and automated dark web solution, Matchlight, can help assess risk from sensitive data exposure.
Iran believed preparing to hack for revenue.
As sanctions reimposed in response to its nuclear program begin to bite, Iran seems poised to follow the trail North Korea blazed in cyberspace: state-directed hacking that aims at direct theft to redress economic pain (Wall Street Journal). Accenture researchers have been tracking ransomware strains, many of them requiring payment in Bitcoin or other cryptocurrencies, and they've concluded that they represent an incipient Iranian campaign against targets of opportunity that offer the prospect of quick financial gain (CCN). Tehran's state-directed hackers have a reputation as being relatively less sophisticated than those run by Russia and China (and indeed those run by major Western powers, the Five Eyes and their closest friends) but they also have a reputation as determined fast-learners. The US is thought to be preparing to secure itself against a wave of cybercrime organized from Tehran (AP via News Gazette).
IBM is describing their work on DeepLocker, and what it has to say about potential exploitation of artificial intelligence by criminals and other threat actors. Reuters describes it as a looming "nightmare," which seems a bit breathless, but the technology certainly has potential for abuse. Among the more interesting implications of their work are conclusions about AI's utility in attack. It shows considerable promise in making malware more evasive. As so often happens with evasive malware, this approach lets the attack remain quiescent until it confirms it's in the right environment, not just outside a sandbox, but in the enterprise it was intended to target. Not only does it make attack code better at detecting and evading such useful security techniques as sandboxing, but according to IBM it can make reverse engineering malware "impossible" (Security Intelligence).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Slowly darkening hats.
A Malwarebytes-commissioned study on "the true cost of cybercrime" reports a disturbing trend: the rise of the gray hats, those security professionals who keep their legitimate day jobs but moonlight in cybercrime, or at least in questionable and dodgy activities. The study concludes that one in twenty security professionals in the US are "perceived" as gray hats, and the fraction is much higher in some other parts of the world. Their motivations are said to range from disaffection, to anger at their employer, to the lulz, to simple greed. How close the perception is to the reality may be open to debate. The prevalence of hacker-chic style in the security community may inflate it, but it's an unpleasant conclusion to contemplate (Computer Business Review).
Black markets place a premium on cryptocurrency ATM malware.
A report on one aspect of the criminal-to-criminal market suggests that one particular commodity is especially lucrative. Malware designed to steal cryptocurrency from ATMs that deal in the alt-coins is pricey. It commands fees as high as twenty-five-thousand dollars a pop, which suggests that the black market is betting on a continuing growth in popularity for cryptocurrencies. The utility of such malware for money laundering in particular would be high (ZDNet).
DarkHydrus uses commodity phishing toolkit.
Palo Alto Networks's Unit 42 describes a phishing campaign by unattributed threat actor DarkHydrus that's prospecting Middle Eastern governments. Unit 42 has observed them using the open source tool Phishery in a credential-harvesting campaign directed against a university (SC Magazine).
Ransomware hits the PGA.
The PGA was hit with a ransomware attack just before its current championship golf tournament got underway. Investigation and remediation are in progress, but there's widespread speculation that the ransomware used was a strain of Bitpaymer. The hoods want their ransom in cryptocurrency (Register).
Crime and punishment.
Authorities in the UK are preparing an extradition request for the Russian operators they hold responsible for the Novichok chemical agent attacks in England. They're confident they've identified and tracked the individuals responsible. Russia will almost certainly reject the request (Times).
Reality Winner, the ex-US Air Force, ex-NSA, ex-contractor who pled guilty to charges connected with leaking classified information to the Intercept, will be sentenced on August 23rd. Ms Winner was caught when the outlet she offered the document, the Intercept, sought to confirm its authenticity with the US Government. US counterintelligence officers were able to use dots on the printed copy to identify the specific printer on which the document had been run. From there it was possible to narrow the list of potential suspects to a small number of users of that particular printer, and then the access and printing were swiftly traced to Ms Winner's account (Fifth Domain).
A study at the University of Oxford looked at the role of the traditional mob, the Mafia, in cybercrime. The researchers concluded that the mob doesn't control or dominate organized cybercrime, but it is a player. It's principal contribution comes in the form of money-laundering expertise (Dark Reading).
Sanctions, lawfare, and hybrid conflict.
In a move applauded by in the UK, the US announced imposition of very heavy sanctions against Russia over Moscow's nerve agent attack in Salisbury, England (Times). Other sanctions for Russian misbehavior in cyberspace have also prepared, at least in draft. The Washington Post sniffs that these latter sanctions for election meddling are "toothless," but the measures the US is taking in response to the Novichok attack appear to be severe, and have been recognized as such by the Russian government (Deutsche Welle). The Kremlin swiftly denounced the Novichok sanctions as not only "illegal," but "unfriendly" (Reuters).
Various international investigations of the Novichok incident are in progress, and at least one laboratory consulted about the attack, the Spies Laboratory in Switzerland, came under a phishing attack during the last week in July. Investigation resulted in quick attribution of the phishing campaign to Sandworm, a lesser but still well-known relative of Fancy Bear, both of which, of course, are GRU hacking operations. Russia's Foreign Ministry claimed back in April that Spies confirmed the Novichok samples as being of non-Russian, Western origin. Spies of course said nothing of the kind. The Novichok agent is Russian.
The entire incident shows the full convergence of the elements of hybrid warfare on the low, but still very dangerous, side of the spectrum of conflict. It includes denial, lethal, kinetic operations, and extensive information operations campaign, and cyberattacks directed against targets involved in the response to the campaign.
It's worth noting that Russia has consistently denied both election influence operations and chemical attacks, but few observers in the West seem to buy Moscow's line. A full-blown series of tit-for-tat sanctions would seem to play into US strengths—it's difficult to see the economic bite Russian measures against the US might have—so there may well be an upsurge in cyber operations against US targets, whatever Moscow might be saying now. Indeed, Prime Minister Medvedev warned the US against tightening sanctions further, saying that they're already dangerously close to an act of economic warfare. At present the sanctions are expected to be felt most immediately in the denial of export licenses that would permit Russia to buy items with defense and national security uses.
Mr. Medvedev said, “If something like a ban on bank operations or currency use follows, it will amount to a declaration of economic war. And it will warrant a response with economic means, political means and, if necessary, other means. Our American friends should understand that." Whether the friendly Americans understand that or not, currency markets do: the ruble took a bath Friday, falling to its lowest level in two years (Time). "Other means" would almost surely include, one would think, offensive cyber operations against US interests (Fifth Domain). Cipher Brief offers a brief history of Russian hybrid operations. The GRU is likely to play an active part in such operations (Guardian).
Policies, procurements, and agency equities.
US Defense Secretary Mattis, pointing out that the military is there to defend the Constitution, says that the Department of Defense certainly has a role to play in fending off attempts to subvert, influence, or otherwise compromise elections (Fifth Domain). The principal threat is perceived as Russia, also said to be after the power grid (Military Times).
Officials in both the US and Australia repeat calls for closer cooperation between industry and government to secure infrastructure against cyber threats (CNBC, Computerworld). In the US the Department of Homeland Security's new National Risk Management Center hopes to be a principal locus of such collaboration, but industry may need some time to get used to the Center (Legaltech News).
Germany's Defense Ministry this week took a stiff line with respect to cyber operations. The Ministry said it believed it had all the legal authority it needed to strike back in cyberspace should retaliation for a cyberattack prove expedient (Fifth Domain).
NATO continues its ongoing operationalization of cyber doctrine (Fifth Domain).
South Korea's troubled Cyber Command is about to undergo reorganization. Seoul's Defense Reform 2.0 plans will rename the organization as the Cyber Operations Command and strip it of its former responsibilities for psychological operations. The Republic of Korea knows it lives in a very rough neighborhood of cyberspace, and it wants a dominant capability there, but it also doesn't want a repetition of the domestic election meddling scandals in which Cyber Command had become enmeshed (Yonhap).
Fortunes of commerce.
The US Congress may have acquiesced in the Administration's reprieve of ZTE, but the Chinese telecom manufacturer has sustained significant reputational damage over the security concerns raised by its close connections to China's intelligence and security services. Huawei has also been mentioned in dispatches, as it receives criticism for insecure practices involving use of outdated code (South China Morning Post). The US Democratic National Committee has advised candidates and campaign staff not to buy either Huawei or ZTE phones under any circumstances (The Verge).
The labor market.
Lockheed Martin has announced plans to expand its cyber labor force (ExecutiveBiz), and the various branches of the US military are working on ways of competing with the civilian cybersecurity sector for scarce talent (Army Times). The Services will offer some of that competition in the form of attractive direct commissions, some of them said to be in the rank of colonel or Navy captain.
Mergers and acquisitions.
Cisco, whose acquisition of Duo Security the week before last attracted so much interest, has an interesting recent history of acquisitions (LightReading). Analysts see three reasons for Cisco's interest in buying Duo for $2.35 billion. First, the company wishes to further develop its already not inconsiderable cybersecurity unit. Second, Duo brings important multi-factor authentication offerings. And third, the acquisition represented an investment made possible by Cisco's repatriation of $67 billion in overseas cash, a move the company made when US corporate tax rates were cut (Motley Fool).
Israel's business community is pleased with how attractive its home-grown cybersecurity companies have been to international acquirers (Calcalist).
Alion Science and Technology has acquired MacAauley Brown for an undisclosed sum. The goal of the acquisition, according to Alion's CEO Steve Schorer, is to “strengthen our inroads into emerging technologies in electronic warfare, artificial intelligence, cybersecurity and cloud solutions" (Washington Technology).
Capgemini is looking for new acquisitions as it continues its push into the Australian market (CRN).
Investments and exits.
Microsoft's venture capital arm, M12, is leading a $6.2 million funding round for anti-cybercrime startup Hyas. Hyas offers what it calls "to-the-doorstep attribution" that enables law enforcement organizations to apprehend cybercriminals on the ground (Fortune).
Accel has led a $25 million Series B round in RiskRecon, which specializes in third-party risk management (BusinessWire).
Casule8 has raised $15 million in a Series B round led by ClearSky, with participation by Bessemer Venture Partners, Rain Capital and others. The firm's intention is to expand engineering work and build on sales momentum for what it describes as its zero-day detection platform (GlobeNewswire).
For its part ClearSky Security has also been raising money for its investment fund. Ninety-four investors are in for some $244.7 million. The fund's goal is to raise $300 million (FINSMES).
And security innovation.
In her Black Hat keynote address, Google's Parisa Tabriz urged those in attendance to commit to the long work of enhancing security by working through fundamental causes, picking well-thought-out, achievable objectives, and working toward increased collaboration with those outside the security industry. Tabriz, who leads both Chrome security and Project Zero at Google, offered what amounted to a plea for well-structured, modestly hyped, and disciplined engineering (SearchSecurity).
DARPA, the US Defense Advanced Research Projects Agency, says that work it's sponsoring on deep fake detection is beginning to pay off (Naked Security).
Today's issue includes events affecting Australia, China, Germany, Iran, Israel, Democratic Peoples Republic of Korea, Republic of Korea, Russia, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.