
More signal. Less noise.

Is your malware lab a pain to use? Want a ridiculously easy to use malware lab?

Security teams who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI, using Tor or connecting to a jumpbox, get online in seconds with Authentic8 Silo, a secure cloud browser and egress from hundreds of points of presence around the world.

The Week that Was.

The Familiar Four are all interested in US elections (says Bolton).

US National Security Advisor Bolton pushed Russia Thursday over attempts to influence US voting (Deutsche Welle). Calling for better cyber deterrence, he'd earlier said it wasn't just Russia, but China, Iran, and North Korea, too (Washington Post).

On Wednesday the US Democratic National Committee told the FBI that unknown actors tried unsuccessfully to compromise a database (Guardian). But it was a false alarm, a botched phishing test the DNC's CSO (who sounded the alarm to party and press) knew nothing about (Washington Post). The Michigan state Democratic Party organized the test (Threatpost).

Learn how to identify the four types of threat detection.

There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. In this whitepaper, Sergio Caltagirone and Robert M. Lee of Dragos, Inc., address those challenges by identifying the four types of threat detection and offering sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments. Learn more about identifying the best threat detection method for your ICS organization.

Redmond springs its Bear trap.

Microsoft took down six sites associated with Russian influence operations in the US (Hack Read). Redmond's Digital Crimes Unit obtained and executed a court order giving it control of bogus domains established recently to impersonate public policy organizations (CSO). This time conservative organizations were targets: the Hudson Institute (a conservative think tank that's investigated corruption in Russia) and the International Republican Institute (a democracy-promotion not-for-profit) received attention. Three other impersonations masqueraded as US Senate sites. The sixth site, non-political, impersonated Microsoft (Dark Reading).

The Federal special master appointed in the case found "good cause" to conclude that such activities by this threat actor are "likely to continue." Microsoft thinks both major political parties are being targeted, and expects the attacks to widen as US midterm elections approach (Microsoft).

Moscow dismissed the domain seizure as a politically motivated stunt (Reuters). 

Get the top 10 vulnerabilities used by cybercriminals.

Recorded Future researchers have scoured open web, dark web, and technical sources to discover which vulnerabilities are being actively exploited by cybercriminals. Download the report now.

Facebook boots some Bears, too.

Facebook also took down six-hundred-fifty-two "pages, accounts, and groups" engaged in "inauthentic" behavior aimed at influencing US opinion. This is the second round of such takedowns in as many months. Facebook said the inauthenticity they squashed emanated from Russia and Iran. There's no evidence of coordination between the two states; both appear to have acted independently (ZDNet).

A judgment of "inauthenticity" is different from, and arguably less problematic than, Facebook's parallel effort to rate accounts for "trustworthiness" (Naked Security).

Is your company passionate about empowering women to succeed in the cyber security industry?

The CyberWire’s 5th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.

Twitter, Facebook, and Google put the Cats out, too.

The Iranian information operation is an interesting one. Tehran's front accounts purchased about $6 thousand in ads to run on Facebook and Instagram, and organized some twenty-five events. They also established a number of "inauthentic" sites and a large set of associated and cooperating social media accounts, mostly also inauthentic, although with some amplification of messaging through what might be called "useful idiots." The activity seems directed more toward creating a climate of opinion favorable to Tehran than influencing elections (ZDNet). (It's worth noting in passing that not all Russian information operations aim at election influence. Many, maybe most, simply foment mistrust, as does a Russian campaign currently spreading anti-vaccine conspiracy theories (Times).)

Twitter also took down two-hundred-eighty-four accounts traced to Iran that engaged in "coordinated manipulation." This campaign used a network of front news organizations established for the purpose, and also organized a number of events. The themes were obvious choices: anti-Saudi, anti-Israeli, anti-Trump, pro-Palestinian (TechCrunch).

On Thursday Google closed dozens of YouTube channels that operated as propaganda fronts for Iran's state-run broadcasting service (Wall Street Journal).

FireEye researchers uncovered the Iranian campaign. Duly noting that attribution is an inexact science, the security company said it concluded with "medium confidence" that Tehran was indeed behind the accounts they flagged to Facebook and Twitter. They've traced several front media organizations and NGOs apparently run by the Islamic Republic: Liberty Front Press, Critics Chronicle, BritishLeft, Instituto Manquehue, USJournal, and the Real Progressive Front. All are accompanied by large shoals of social media pilotfish (FireEye). 

The Secureworks Counter Threat Unit yesterday disclosed its discovery of "COBALT DICKENS," an extensive Iranian credential stealing campaign that targeted universities across sixteen domains with more than 300 spoofed pages in fourteen countries.

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

Fresh North Korean activity.

Kaspersky reports Operation AppleJeus, which it attributes to Pyongyang's Lazarus Group. The campaign affects Macs, which is new, and its malware poses as a legitimate-appearing app from a cryptocurrency trading software vendor. When the victims take the bait they're infected with the Fallchill RAT (Bleeping Computer).

Check Point is tracking a global ransomware campaign, Ryuk, which they link to the Lazarus Group as well (SecurityWeek).

Hacking back?

Senator Sheldon Whitehouse (Democrat of Rhode Island) called for hacking back at Tuesday's hearings of the Senate Judiciary Subcommittee on Crime and Terrorism. "We ought," the Senator said, "to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression." He calls this "active cyber defense" (Washington Post).

Hack-back skeptics see problems: retaliatory malware might prove difficult to contain, and the temptation for anti-competitive hacking might prove difficult to resist (Washington Post). One industry representative, Thomas Fanning, CEO of electric utility Southern Company, told the subcommittee he believes such retaliation belongs in military, not corporate, hands (Meritalk). 

Riposte and parry in the crypto-wars.

Industry is unconvinced that Australia's government isn't trying to mandate backdoors. The kind of technical cooperation it does intend to mandate amounts to effectively the same threat to security and privacy a backdoor would present. Critics see maintaining otherwise as invoking a distinction without a difference (Guardian).

The US Department of Justice is said to want an unwilling Facebook to break Messenger's encryption to enable Government access. The case is currently under seal, so there's little publicly available (Reuters).

Patch notes.

Apache Struts has been patched for a remote code execution vulnerability (SecurityWeek). A proof-of-concept exploit has been found circulating in the wild (Security Boulevard). Patch with due speed: a known Struts vulnerability that Equifax failed to patch caused its epic data breach last year.

Microsoft patched Windows 10 for Foreshadow and Spectre (Computing).

Crime and punishment.

The US Justice Department and Securities and Exchange Commission are investigating Microsoft for alleged bribery in connection with software sales in Hungary (Wall Street Journal).

Reality Winner was sentenced to five years in connection with theft and disclosure of classified NSA documents (Fifth Domain).

The case of a Ukrainian crew who for years hacked press release sites to gain early access to company news sheds light on the intersection of hacking and insider trading (Verge). 

Courts and torts.

Facebook is on the receiving end of a lawsuit filed by people who claim the social media giant's collection and analysis of data has enabled housing discrimination. The US Department of Justice is supporting fair housing groups' attempts to block Facebook's efforts to have the lawsuit dismissed. In a separate action, the US Department of Housing and Urban Development has begun the process of lodging a complaint against Facebook for violating the Fair Housing Act by creating advertising tools that facilitate discrimination on the basis of "race, gender, Zip code or religion—or whether a potential renter has young children at home or a personal disability" (Washington Post).

Google is being sued in a California court over its data location collection and retention practices. The plaintiffs allege Google maintained user location data even when "Location History" was turned off, and that this violates both the California Invasion of Privacy Act and the right to privacy guaranteed by California's Constitution (Ars Technica).

Policies, procurements, and agency equities.

Australia has a new Prime Minister: Malcolm Turnbull is out, Scott Morrison in (Government News).

The US Intelligence Community has established strategic priorities for its disparate collection of agencies. Principal Deputy Director of National Intelligence Sue Gordon outlined them as (C4ISRNET): 

  1. "Relying on Automated Intelligence using Machines, or AIM."
  2. "Developing the right workforce," one that will be capable of using machines effectively.
  3. "Developing a comprehensive cyber strategy."
  4. "Creating a modern data management infrastructure." In particular this means collecting data with a purpose, with the ability to understand the data, and not simply because it's possible to collect the data (and who can say what might come in handy?).
  5. "Increasing and leveraging partnerships with the private sector."
  6. "Improving acquisition agility." Security clearance reform figures into this.

Lieutenant General Stephen Fogarty, commander of US Army Cyber Command, thinks his organization should be renamed to more accurately reflect its mission, "age of information warfare" having succeeded the "age of cyber." Maybe "Army Information Warfare Operations Command" or "Army Information Warfare Dominance Command" (SIGNAL).

The US Department of Defense's very big cloud contract is out for bid. "JEDI," a twee Star Wars acronym that stands for "Joint Enterprise Defense Infrastructure," will have a total contract value of some $10 billion. The competition has moved beyond the intense and into the ugly. RosettiStarr, a high-end private investigation, security, and intelligence outfit, is retailing a dossier that alleges someone in Defense Secretary Mattis's inner circle is corruptly steering the award towards Amazon, the frontrunner if only because of its record of providing cloud services to the Intelligence Community. RosettiStarr won't say who its client is, of course. The allegations in the dossier are generally thought thin and unconvincing, but some buy them. That such things are going on at all is interesting in a dispiriting kind of way (Defense One).

Fortunes of commerce.

Citing security concerns, Australia's federal government has banned both ZTE and Huawei from the country's 5G network (CRN).

Calls for comment on rules that would implement the US Federal ban on Kaspersky products drew little response—just three are said to have come in (Nextgov).

Private sector action against Russian and Iranian information operations by Microsoft, Facebook, and Twitter (the last two informed by FireEye intelligence) have given them favorable marketplace buzz (Motherboard). It's particularly welcome for Facebook and Twitter amid ongoing data use controversies.

Google's persistent, insistent location tracking is drawing the attention of regulators, legislators, and consumers. You can turn it off, but it seems another instance of the sort of intrusive marketing and consumer data collection that's put Facebook in hot water as well (Washington Post). More generally, many observers see signs of a shift in public mood concerning privacy (and growing resentment at being the product users aren't paying for); some think companies whose business depends on dealing in data may find their business model overtaken by events (Help Net Security).

The odium gathering around monetization of personal data seems to some likely to hit third-party app providers next (Forbes). Facebook, at Apple's instigation, is removing its Onavo Protect data security product from Apple's Store because Apple judged the product violated Apple's data collection policies. Onavo Protect had been available as a free download at the Store for several years. Facebook had used data harvested from the product "to track rivals and scope out new product categories" (Wall Street Journal).

Booz Allen Hamilton was awarded a $1.03 billion contract by the US Department of Homeland Security. The firm will upgrade cybersecurity across six Federal agencies. The award under the Government-Wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program for Group D includes a base year and five one-year options (Booz Allen Hamilton).

Milan-based XTN Inc. has expanded to North America, with offices in New York and a regional headquarters in Chicago (XTN).

The labor market.

The FBI is looking for data scientists (Federal News Radio).

An attempt to unionize gig-economy bug-testers in Silicon Valley by the Temporary Workers of America seemed on the brink of success, but Silicon Valley was able to outlast them. Their employer, Lionbridge Technologies, eliminated their jobs, and a National Labor Relations Board complaint against Microsoft for union-busting dragged out too long for the workers' resources (Bloomberg).

Among the perceived obstacles to creating a healthy, rational cybersecurity workforce is an absence of clear career pathways (Help Net Security). Another aspect of creating a sound workforce is retention, and avoiding burnout. Some call out an infosec "hero culture" as contributing to swift exhaustion. Take a break (CSO).

Mergers and acquisitions.

The sub-sector of cybersecurity education and training has attracted M&A interest. Analysts see companies playing catch-up with their employee awareness after years of heavy investment in technology solutions (Forbes). The sector as a whole, however, has cooled off a bit when compared to last year. The total value of cybersecurity M&A came in at $4.1 billion for the first half of 2018. It stood at $6.2 billion at the end of the first half of 2017 (CRN).

Duo's acquisition by Cisco should be, the Detroit Free Press argues, recognized as a success. It's not like the old days, when (for example) American Motors being bought up in the 1970s was a sign of failure. Acquisition is now a path to reaching larger markets and enjoying a greater return on investment.

Intel has increased its artificial intelligence capabilities with the acquisition of Seattle-based Vertex.AI (OregonLive).

British managed services provider Six Degrees has picked up London-based cybersecurity consultancy CNS Group to increase its presence in the security market (CRN).

AT&T has closed its acquisition of AlienVault (AT&T).

Investments and exits.

Semmle, a San Francisco-based provider of software engineering analytics, announced early Tuesday a $21 million Series B round led by Accel Partners, with participation by Work-Bench. The company intends to use the funding "to accelerate its go-to-market efforts serving large technology and financial services companies around the world" (Semmle).

Bandura announced a $4 million Series A round, led by Grotech Ventures, Gula Tech Adventures, Maryland Venture Fund, and Cultivation Capital. The company intends to use the funding to strengthen its position in the Threat Intelligence Gateway (TIG) market (BusinessWire).

Bearing Point has invested in Insignary, specialists in binary code scanning and open-source software risk management (Help Net Security).

Maryland-based Attila Security, resident at DataTribe, is currently raising funds to expand its technology which, like its leadership, originates in Silent Circle (Baltimore Business Journal). Attila offers a portable security appliance with firewall, VPN, and an intrusion prevention system designed to reduce risk and increase user productivity.

CRN has ranked the top ten security companies by money raised during the first half of 2018. Here they are, in reverse order: (10) Fairwarning - $60 million, (9) Claroty - $60 million, (8) Bitsight - $60 million, (7) Ledger - $75.1 million, (6) IronNet Cybersecurity - $78 million, (5) Signifyd - $100 million, (4) Eze Castle Integration - $115 million, (3) Cylance - $120 million, (2) Tanium - $175 million, and coming in at (1) CrowdStrike - $200 million.

And security innovation.

Y Combinator's demo days were held this week (TechCrunch). Some of the start-up pitches touch on cyber-related areas. Inscribe is developing a suite of tools for identifying document fraud. AnnieCannons offers training in coding to victims of human trafficking. Regology has an AI-driven regulatory compliance solution. Numericcal tackles machine learning for mobile and IoT applications. Tall Poppy is an outfit that helps employers help employees protect themselves online. Berbix offers verification of photographic identification. RevenueCat manages in-app subscriptions for mobile app developers. Incentivai offers AI testing of smart contract incentive structures. Abacus Protocol "tokenizes both fungible and non-fungible assets" in the service of automating compliance. Federacy facilitates bug-bounty programs for smaller companies (especially start-ups). Kyte promises to clean SMS inboxes of spam. Klarity has an artificial intelligence platform with natural-language processing that automates the contract review process.


Today's issue includes events affecting Australia, China, Hungary, Iran, the Democratic People's Republic of Korea, Russia, the United Kingdom, and the United States.

Research Saturday is up. In this week's issue we speak with threat intelligence firm Recorded Future about their recently published research describing espionage activities originating from servers at a major Chinese university. The espionage campaign coincided with international economic development efforts. Winnona DeSombre and Sanil Chohan are authors of the report, Chinese Cyberespionage Originating from Tsinghua University Infrastructure, along with their colleague Justin Grosfelt.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.