Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
The Week that Was.
December 15, 2018.
By the CyberWire staff
Iranian hackers (or people who act like Iranian hackers).
A new version of the Shamoon malware has targeted at least two energy companies in the Middle East. Italian oil and gas company Saipem said more than three hundred computers had been affected. Saipem has recovered because it had its systems backed up (Reuters); the company doesn't expect significant financial effect (Reuters). A second, unidentified, heavy engineering company in the UAE was hit by Shamoon on December 10th (Forbes).
Shamoon is the wiper malware used in a massive attack against Saudi Aramco in 2012. That attack has been attributed to Iran. Some warn against jumping to conclusions regarding attribution (BleepingComputer); others think it worth noting that Saipem is a Saudi Aramco contractor.This new variant presents itself as cryptoransomware, not the direct data-destroyer the first version was. That presentation is bogus: this version simply overwrites data with gibberish that at first glance looks encrypted. The new variant also lacks hard-coded SMB credentials earlier versions used to self-propagate (which suggests Remote Desktop Protocol as the possible infection vector). Finally, the new version lacks a command-and-control server, and may have been deployed manually (ZDNet).
How to Budget for Insider Threat Management, Proactively
According to a Ponemon Institute study, 34% of cybersecurity professionals said a lack of budget was a major barrier to effective insider threat management. So, how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives you the in-depth information you need to ask for a dedicated insider threat line item in your cybersecurity budget. Download The Guide to Budgeting for Insider Threat Management today.
Charming Kitten returns.
Iran's the prime suspect in a new Charming Kitten campaign. The AP reported Thursday that hackers tried to break into the email accounts of US Treasury officials, as well as those belonging to "high-profile defenders, detractors, and enforcers of the nuclear deal struck between Washington and Tehran.” Other targets included Arab nuclear scientists, D.C. think tanks, and "Iranian civil society figures." Researchers at Certfa discovered the list of targets after the attackers left one of their servers exposed to the internet (AP). Certfa also found Iranian IP addresses used during attack preparation, and noted that the techniques used and targets selected in these attacks fit Charming Kitten's track record (Certfa).
Edgewise recently published Zero Trust Security for Dummies. We've got answers to questions like: What is zero trust? How do I get started with zero trust? Why is a data-centric model of zero trust the best approach? Download Zero Trust Security for Dummies today.
Seedworm squirms through backdoors.
Symantec published research on the "Seedworm" espionage group. The researchers discovered a GitHub repository where Seedworm stored its scripts, including a new variant of the Powermud backdoor. This backdoor compromised one-hundred-thirty-one organizations from late September to mid-November. Seedworm's attacks have hit the telecommunications industry, government agencies, and oil and gas production. Most of these targets are located in the Middle East, particularly Pakistan, but organizations in Europe and the Americas with ties to the Middle East have also been affected.
1 million credentials fall into criminal hands every single day.
That's just one of the findings from the 2018 Credential Spill Report, which analyzed all of the usernames and passwords that were reported as compromised last year. The report also studied credential stuffing attack data across four major industries, finance, airlines, retail, and hotels, finding that retailers were by far the most targeted for account takeover. Read the report to learn about new ways attackers disguise credential stuffing and the total cost of attacks.
Huawei's CFO makes bail. Sino-American tensions run high.
Huawei's CFO Meng Wanzhou was granted bail on Tuesday for $7.5 million (C$10 million). Ms. Meng will wear an ankle bracelet, observe a curfew, and pay for her minders. She will return to court on February 6th. Ms. Meng was arrested December 1st on charges forwarded by the US Justice Department alleging her involvement in skirting international sanctions against Iran. The US claims Huawei used an unofficial cut-out, Skycom, to conduct business in Iran (Politico). While the charges leveled against Ms. Meng relate to fraud, the arrest comes at a sensitive time for Huawei, which is facing strong security criticism from Western intelligence agencies over its ties to the Chinese government. Chinese espionage is a top concern for the US government, and senior officials from Department of Homeland Security, the FBI, and the Department of Justice expressed less-than-flattering views on the Chinese government at a Senate Judiciary Committee hearing. E.W. "Bill" Priestap, head of the Bureau's counterintelligence division, said that "the Chinese government’s economic aggression, including its relentless theft of U.S. assets, is positioning China to supplant us as the world’s superpower” (Washington Post).
Investigation into the Marriott breach suggests that Chinese intelligence services were involved (The New York Times). Investigators say the tools, techniques, and procedures are in line with China's past campaigns. The fact that stolen data haven't appeared for sale on the dark web also indicates, circumstantially, that the breach was an intelligence operation (Washington Post).
Hear stories of deception, influence & social engineering in the world of cybersecurity.
Every week on the CyberWire's Hacking Humans Podcasts we talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two). Try us out. You can even submit scams you received to be featured as our Catch of the Day. Sponsored by the experts at KnowBe4.
Researchers at McAfee observed a global campaign they call "Operation Sharpshooter." The campaign uses an implant, "Rising Sun," to infiltrate primarily government and defense-related targets. Sharpshooter seems to be first-stage reconnaissance. It uses phony job recruitment campaigns to deliver its malware.While the group's malware shares code with a backdoor North Korea's Lazarus Group uses, McAfee refrains from attribution—probably because the similarities are so obvious that they may be intentional false flags (McAfee).
Audit finds no microchips on Supermicro's motherboards.
In a statement released on Tuesday, Supermicro announced that a third-party audit by Nardello & Co. found no malicious chips on Supermicro motherboards. Nardello's investigation covered both current models and earlier products sold to Apple and Amazon (Reuters). Bloomberg’s widely criticized October 4th report claimed that Supermicro’s motherboards had been backdoored with Chinese microchips. Supermicro strongly denied the claims, as did a number of its customers. Amazon and Apple, both of whom have used Supermicro’s hardware, issued strong denials (Business Insider). The US Director of National Intelligence said he'd seen "no evidence" of the compromise (Cyberscoop), and both the FBI and Department of Homeland Security also expressed skepticism (Gizmodo).
Supermicro's shares, which dropped 41 percent after the report was published, still haven't recovered their previous value (TechCrunch).
A note on attribution and false flags.
China has come in for considerable recent criticism for its cyber operations. That China is an aggressive cyber power isn’t open to doubt, but criminals are increasingly flying Chinese false flags in attacks that have little to do with Beijing (Fifth Domain). Attacks in Russia also suggest that criminals are trying to pass themselves off as intelligence services, the better to deflect official suspicion (ComputerWeekly). The same reservations apply to those other two usual suspects, Iran and North Korea.
Google CEO Pichai floats like a butterfly.
Consensus is that the Senators didn't land a glove on Mr. Pichai.
Google's CEO Sundar Pichai's appearance before congress on Tuesday earned mixed reactions, with a number of observers calling it a wasted opportunity. Some regretted that committee members spent too much time leveling partisan criticisms rather than focusing on broader issues, including data collection and security breaches (WIRED). While much of the hearing did center around the company's alleged bias, the discussion was often unproductive (CNET).
Mr. Pichai gave ambiguous answers to a line of questioning regarding reports that Google is working on a censored search engine for China, saying the company had no plans to launch such a tool "right now" (The Verge). When he was asked directly if Google was considering “a tool for surveillance and censorship in China,” Mr. Pichai did not rule it out (Fifth Domain).
The day before the hearing, Google revealed that a security flaw allowed developers to view the profile information of more than 52 million Google Plus users. The discovery accelerated the company's plans to shutter the social network. Its new shutdown date has been moved up to April 2019 (The Independent). Pichai said he was aware that GDPR requires companies to disclose data breaches within three days of discovery, but Google believes that its Google Plus flaws aren't "breaches" under the terms of the regulation, since there was no evidence third parties had accessed the data (CNBC).
Equifax report released.
A House Oversight Committee report, released Monday by the Republican majority staff of the U.S. House of Representatives Committee on Oversight and Government Reform, confirms that Equifax's data breach was "entirely preventable." The report lays out an extensive list of security failures at every level of the company, including unpatched and outdated systems, hundreds of expired security certificates, and an overall lackadaisical attitude towards security (BankInfoSecurity).
After publication of the committee majority staff's report, the committee's Democrat minority staff released its own report laying out its suggestions on how to prevent future breaches, and criticized the majority for not including these suggestions in the main report.
Microsoft has patched ten critical vulnerabilities and thirty important flaws in its Patch Tuesday updates, including one zero-day that was actively being exploited in attacks against older versions of Windows (KrebsOnSecurity). The zero-day (CVE-2018-8611) was an elevation-of-privilege vulnerability which allowed a logged-on user to "run arbitrary code in kernel mode," and affects machines running Windows 7 through Server 2019 (Threatpost).
Samsung fixed three flaws in its mobile site that would have allowed attackers to reset users' passwords and hijack their accounts (The Register). The vulnerabilities, which were discovered by security researcher Artem Moskowsky, were cross-site request forgery bugs in the way Samusung's site handled user accounts' security questions (Naked Security).
Adobe released security patches for 87 critical and important vulnerabilities, after issuing an out-of-band patch for an actively exploited zero-day last week (Infosecurity Magazine).
Crime and punishment.
A large-scale operation launched by Europol and the law enforcement agencies of 13 countries resulted in the arrest of 235 individuals across Europe, most of whom were involved in the production and sale of counterfeit Euro banknotes on the dark web. Additionally, authorities seized a wide variety of weapons, from firearms to nunchaku, as well as drugs and cryptomining hardware. Two marijuana growing facilities, a cannabis plantation, and a counterfeit printing shop were also discovered in France (HackRead).
George Duke-Cohan, a British 19-year-old who sent bomb threats to thousands of schools, has been sentenced to three years in a UK prison (KrebsOnSecurity). Mr. Duke-Cohan was first arrested in March after emailing bomb threats 24,000 UK schools in an attempt to shut down a rival Minecraft server (Sky News). The next month, he sent even more hoax bomb threats to schools across the UK and the US (Infosecurity Magazine). After being released on bail for that offense, Duke-Cohan made a false report that a flight bound for San Francisco had been hijacked, causing the plane to be quarantined upon landing (National Crime Agency). He will serve one year in prison for the school bomb threats and two years for the plane hijacking hoax (BBC).
California man David Chelsey Goodyear has been sentenced to 26 months in prison for launching DDoS attacks against two astronomy websites. The sites had banned Mr. Goodyear several times for menacing, obstreperous behavior (SecurityWeek).
Courts and torts.
Facebook is being fined €10 million (US$11 million) by the Italian Competition Authority (ICA). The ICA said that Facebook violated four articles in the company's Consumer Code. Two of these articles were violated by allowing users to register for an account without immediately informing them "that the data they provide will be used for commercial purposes." Two other articles were violated by Facebook's business practices, which the ICA says "exerts undue influences on registered consumers." This includes using "opt-out" settings by default for data sharing services, among other pre-selected options (Naked Security).
San Francisco is suing two former IT employees for nepotism in giving a $1.2 million cybersecurity contract for city’s Department of Public Health to the ex-husband of one of the workers. Heather Zaltimo, a systems engineer for the health department, allegedly convinced the department to award the contract to Fidelis, where her husband worked as a regional sales manager. Fidelis is named as a co-defendant in the lawsuit (StateScoop).
Policies, procurements, and agency equities.
A Senate bill sponsored by Senator Harris (Democrat, California) and introduced on Wednesday would amend the Economic Espionage Act to allow American prosecutors to charge foreign hackers with economic espionage if their activities have a "substantial economic effect" on the United States. The bill is intended to act as a deterrent to the theft of trade secrets from US companies (Foreign Policy).
EU governments have agreed on draft legislation that will allow law enforcement agencies to seize cloud-based evidence directly from service providers across European borders. The Computer and Communications Industry Association (CCIA), which includes Facebook, Amazon, and Google, said the proposal lacks sufficient checks and balances (Reuters).
Representative Kelly (Democrat, Illinois) introduced legislation that would require government-purchased IoT devices to meet certain security standards (Congresswoman Robin Kelly).
California passed legislation requiring all internet-connected devices sold in the state to implement "reasonable security" features to protect data (ABA Journal). The law will go into effect on January 1st, 2020.The Marine Corps Forces Cyberspace Command is planning to sign its first OT contract by December 17th, according to Command Executive Director Gregg Kendrick. The project will involve securing and using big data (Nextgov).
Fortunes of commerce.
Huawei plans to spend some $2 billion to overhaul its software systems in an attempt to ease security concerns (The Telegraph). The company will reportedly present details of the plan to the UK's National Cyber Security Centre, which had previously identified technical security issues in Huawei's equipment (Bloomberg).
The Tor Project released financial documents showing that its revenue increased to $4.1 million in 2017, up from approximately $3.2 million in 2015 and 2016. Its funding from the US government has decreased significantly, dropping from 85% in 2015 to 51% in 2017. Last year, $600,000 came from the Swedish International Development Cooperation Agency, $522,000 came from Mozilla, $347,000 from New Venture Fund, and $25,000 from DuckDuckGo. Individual donations made up $425,000 of its funding (SecurityWeek).
France is trying to draw thousands of financial technology jobs out of the UK using a number of new benefits for companies that relocate to Paris. Paris-based incubator Le Swave, which is backed by the French government, is seeking to recruit 20 financial technology startups (The Telegraph).
Gemalto's acquisition by Thales cleared a major regulatory hurdle: the European Commission approved the merger provided Thales divests itself of one hardware line-of-business (Computer Business Review).
Venafi launched a $12.5 million development fund to sponsor a variety of developers who will improve machine identity protection. The first three sponsored companies are Jetstack, OpenCredo, and Cygnacom (BusinessWire).
And security innovation.
IARPA released a presolicitation for detection of attacker interference in AI training. Since AI is trained on vast sets of data, attackers can potentially insert misleading data that might cause the AI to behave unpredictably . IARPA's 24-month TrojAI program seeks to develop technology to automatically scan around 1000 AI systems per day for Trojan-like activity (Nextgov).
IARPA also posted a broad agency announcement (BAA) for the Secure, Assured, Intelligent Learning Systems (SAILS) program, which aims to ensure the privacy of individuals whose data is used to train AI models (Intelligence Community News).
The National Science Foundation has approved a research grant of nearly $1 million to researchers at the Missouri University of Science and Technology to develop new ways to secure cyber-physical systems (CPS). The project's head, Dr. Bruce McMillin, says that "the research aims to ensure that such systems ‘do what they’re supposed to do’ despite an attack by building in defenses that make sure each component behaves and works well with others” (Missouri S&T).
Today's issue includes events affecting Canada, China, European Union, France, Italy, Iran, Democratic Peoples Republic of Korea, Kuwait, Pakistan, Russia, Saudi Arabia, United Arab Emirates, United Kingdom, United States.
ON THE PODCAST
Speaking of attribution, as it happens that's the topic of this week's Research Saturday: "The Sony hack and the perils of attribution." Risk Based Security took a detailed look back at the 2014 Sony hack, comparing analysis that came out while the facts were still unfolding with what we know today. There are interesting lessons about attribution to be learned. Brian Martin, V.P. of vulnerability intelligence at Risk Based Security, talks us through what they found.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.