The Week that Was.
February 4, 2018.
By The CyberWire Staff
Spectre and Meltdown exploits are under development.
AMD has, like Intel, announced that its next generation of chips will not be burdened with either Meltdown or Spectre. Patching efforts continue (Bleeping Computer). The vulnerabilities apparently haven't so far been exposed to exploits designed to take advantage of them, but one can't count on that forever. Malware exploiting the CPU vulnerabilities is expected to break into the wild in the near future (Bleeping Computer).
Researchers have observed more than one-hundred-thirty distinct samples of malicious code designed to attack these flaws. The security firms studying the activity—including AV-TEST, Fortinet and Minerva Labs—have concluded these aren't mere proofs-of-concept. Instead, researchers believe they're observing experimentation with new attack tools. The developers appear to be using proof-of-concept code released shortly after the vulnerabilities were disclosed, following the familiar post-disclosure path to weaponization (Computing).
Gold Dragon goes to the PyeongChang Olympics.
At week's end McAfee followed up on their Olympic threat research with warnings that implants, "Gold Dragon," "Brave Prince," "Ghost419," and "RunningRat" have been discovered establishing persistence in machines that executed malicious PowerShell script distributed in the spearphishing campaign McAfee described in its earlier research. "The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed," the latest report says. They target Korean-speaking users; their purpose appears to be data exfiltration.
Grand Theft botnet.
Radware has identified a new Internet-of-things botnet, "JenX," whose functionality they liken to Mirai. They've traced the host to a hacking group, San Calvicie, which operates a server in the Seychelles. San Calvicie hosts the venerable online game Grand Theft Auto: San Andreas in an environment that enables players to create and share mods. They're also in the denial-of-service protection racket, and will keep you operating for just $16 a month. They offer denial-of-service-as-a-service, too. Customers can direct "Corriente Divina," that is, "Divine Stream," attacks against a target of their choice for $20.
San Calvicie initially offered attacks at 100Gbps, tripling the offer to 300Gbps Monday as the hacking group began building JenX. Radware thinks the botnet could contain hundreds of thousands of machines (Ars Technica).
RockStar Games, producers of the base Grand Theft Auto game, didn't offer any comment to CNET when they were contacted, and it's probably worth observing that San Calvicie isn't RockStar. It's also worth noting that Mirai's creators, now repenting at leisure during a sabbatical at Club Fed, were similarly interested in gaming. In the case of Mirai, their game was Minecraft. San Calvicie is interested in GTA. Their advertisement for JenX-enabled attacks says, "God's wrath will be employed against the IP that you provide us." Radware thinks it possible that attacks purchased from the vendors would be for the most part hired by hosts interested in taking down rival services. The prices seem low, which suggests either bad business acumen on the part of San Calvicie, or that they make their profits on volume. We hope it's the former.
Charming Kitten paws at scientific phish.
Hackers thought to be associated with Iran have been phishing Israeli nuclear scientists. The bait consists of links to bogus British news sites. The links were to the fictitious "British News Agency," a false flag that had hitherto been flown in phishing expeditions against Iranian dissidents, human rights activists, academics with a scholarly interest in Iran, media personalities and the like. Researchers at the Israeli cybersecurity company ClearSky attributed those earlier efforts to the threat actor called "Charming Kitten," which ClearSky said was Iranian and "state-sanctioned." The latest round of phishing that targeted Israeli scientists is also being attributed to Charming Kitten, but of course this is early, and attribution is notoriously both circumstantial and difficult (Times of Israel).
Biggest cryptocurrency heist ever (so far).
Japanese cryptocurrency exchange Coincheck lost $530 million in tokens (HackRead). To put this into perspective, this is some $80 million more than the $450 million in Bitcoin that the now-defunct exchange Mt. Gox, the former record holder, had lost by the time it suspended trading in February 2014 (Motherboard). Coincheck has said it will do what it can to make coin traders whole. It said it will be able to restore 90% of customer losses (Infosecurity Magazine). The theft seems to have been committed against an Internet-connected hot wallet (Fortune).
The latest theft is expected to bring calls for more regulation and more decentralized trading of cryptocurrencies (PYMNTS). But the news didn't appear to dampen speculative enthusiasm: cryptocurrency-related stocks rallied Monday on Japanese markets (Bloomberg). Japanese police and regulatory authorities are investigating (Forexlive). The Financial Services Agency raided Coincheck's Tokyo headquarters on Friday "to ensure preservation of clients' assets" (SecurityWeek).
Fraud follows fad...
Fraud and the installation of miners continue to plague the cryptocurrency world (Infosecurity Magazine). There are now more than 1400 alternative currencies being traded, and there's a vigorous underground market for the services of coders who can assist in the creation of bogus initial coin offerings (Digital Shadows). Investors in BeeToken were relieved of about $1 million in a campaign that induced speculators to redirect their ICO investments to criminals' wallets (SC Magazine). Earlier this week scammers had parted Experty ICO speculators with some $150 thousand in Ether, also by getting them to deposit funds in crooks' wallets (SC Magazine).
...Even when the fad frays.
It would be premature to call an end to the cryptocurrency speculative bubble, but things are not so frothy as they were a couple of months ago. Bitcoin prices dropped to below $9 thousand this week, down more than 50% from December's highs (Ars Technica). Reasons for the falloff are thought to be manifold, but they include such things as Facebook's decision to limit cryptocurrency advertising on its platform, an investigation of Bitfinex, and rumors that Tether is having difficulty converting its US dollar-pegged alt-coin to actual US dollars (TechCrunch).
Cryptominers are up.
A very large cryptomining botnet, called "Smominru," has been in circulation since last May. Smominru is thought to have infected more than half-a-million Windows machines and earned its criminal masters millions (CyberScoop). Its preferred coin is Monero; the bots it's herded have been found mostly in Russia, India, and Taiwan. The botnet's current daily take is estimated at $8500 (Threatpost). Proofpoint researchers say Smominru gets its entrée to victim machines through the EternalBlue exploit (CVE-2017-0144), which at least twenty-five hosts have been using in their attacks. EternalBlue, dumped by the Shadow Brokers in what the Brokers characterized as the release of stolen NSA Equation Group exploits, is the same one used by the WannaCry ransomware attack of last spring.
The WannaMine cryptominer described last week by CrowdStrike also continues to circulate. This fileless malware also uses the EternalBlue exploit. It appears that Smominru and WannaMine are distinct campaigns run by different threat groups, but these stories are still developing. (SC Magazine)
Attacks on Netherlands financial sector.
In the wake of last week's revelations concerning the Dutch intelligence service's apparent long-standing hack of Cozy Bear, Russia's FSB, financial institutions in the Netherlands and the national tax service have been subjected to intermittent distributed denial-of-service attacks. ESET reported that the ZeuS-based Zbot was used in the attacks. They also said the command-and-control servers for the botnet were based in Russia (Bleeping Computer). The attacks have been irritating but appear not to have been crippling. The identity and motivations of the attackers remain unknown (ZDNet).
Twitter bots, fake followers, and the calculus of influence.
The New York Times called the phenomenon "the follower factory" and condemned it, but the Atlantic reads Baudrillard (arguably an unsure guide to the moral universe) and thinks it's more complicated. In any case, if influence is measured and amplified by clicks, likes, retweets, and followers, and where the standard of truth is casual voting, then bots and catphish can shape mass opinion to a disturbing extent. How this phenomenon differs from Francis Bacon's Four Idols, beyond the obvious and tremendous increase in scale and speed, is unclear. But then, if "quantity has a quality all its own," scale and speed may be enough.
There are commercial motives functioning here as well as political ones: the corporate parent of Newsweek and the International Business Times is said to have bought traffic originating on pirate streaming sites in order to goose its numbers to support advertising charges for campaigns sold to the US Consumer Financial Protection Bureau (Buzzfeed). On Friday executives at the Newsweek Media Group resigned "after a regulatory investigation into fraud" (USAToday).
The US Ninth Circuit Court of Appeals ruled for Twitter in a case brought by the estates of two American contractors murdered by ISIS. The plaintiffs had argued that Twitter had provided material support to terrorists by giving accounts to ISIS members, and so was in violation of the Anti-Terrorism Act. The 9th Circuit found the connection too tenuous (Ars Technica).
Social media: influence and inspiration versus sanity?
Its Caliphate may have been extirpated from the territory it once held, but ISIS continues to recruit and inspire in its online diaspora. They concentrate on the young, mostly teen and tween boys, feeding them music, slogans, and, tragically, beheading videos. Foreign Policy magazine calls it a continuing "war on families," many of whom have already lost (mostly) sons to terrorist inspiration. A lot of the fighters killed in Iraq and Syria were teenagers, and ISIS has concentrated, patiently, on wooing boys online over the course of years with its promise of transcendence and authenticity (Foreign Affairs). Jihad's religious appeal is a central part of ISIS messaging (BBC). Anyone who has observed how online gaming, music, and video can capture a child's attention will have at least some dim sense of what Syrian parents are up against.
Facebook, which has received some backlash for its Messenger Kids product, an app targeted at children between the ages of six and twelve, defended Messenger Kids as a good, safe product, saying that families will be "better off because it exists" (TechCrunch). The social media platform had earlier acknowledged that some of its user interactions may be problematic from a mental health perspective (VOA). It's only fair to note that some see positive benefits in social media, especially for the young (Conversation). Social media providers are facing the prospect of regulation in the UK, especially if they don't crack down on extremist content and address the problem of "self-radicalization" online (Business Insider).
Punching above their weight...
The ability of Dutch intelligence operators to get inside Cozy Bear has prompted reflection that even smaller nations can play outsized roles in cyber espionage (Foreign Policy). The barriers to entry are low, the necessary resources affordable (even given the famously tight cyber labor market). Only a few countries can afford a constellation of reconnaissance and surveillance satellites, but any country can hack.
...Sometimes with a little help from their friends.
So far non-state actors have shown a relatively small ability to conduct significant cyber operations, but they too could develop such capabilities. Hezbollah may be on its way to achieving such capability. The Shi'ite Party of God, operating its political and military wings mostly from Lebanon, is said to have been under quiet Iranian tutelage in these arts for some time (Cipher Brief). Iran has also been described by Israeli sources as using "offshore" contractors as cutouts to mask their own cyber operations (CTECH).
US Cyber Command reaches full operational capability.
An important milestone for any young military organization in the US system (Fifth Domain). It means that "all units and/or organizations in the force structure scheduled to receive a system have received it and have the ability to employ and maintain it" (Defense Acquisition Acronyms and Terms).
Hey, they already know the answer to that (Scientific American). The Strava fitness app publishes a heat map showing where people were exercising. The map's point, Strava's CEO said, was to show users good places in their vicinity to work out. And of course like many other heat maps it was also attractive marketing eye candy. The story is interesting because it shows the sort of intelligence that can be developed even from anonymized and aggregated data. The US Department of Defense, concerned that locations of US forces were being exposed by the app, is now studying whether to ban fitness trackers and even smart phones entirely from certain locations (WIRED).
The Nunes Memo is out.
It's a disturbing but controversial document alleging FBI misconduct in obtaining FISA surveillance warrants (New York Law Journal). Both sides (roughly corresponding to Republicans and Democrats) with striking symmetry accuse the other of being in effect a fresh combination of the Rosenbergs, Senator McCarthy, and Watergate. It's early; the story's developing (Washington Post).
Cisco addressed a serious remote code execution vulnerability in its VPNs this week (CSO).
The ongoing series of fixes for Spectre and Meltdown goes on (TechRepublic).
ThreatMetrix, known for its digital identity platform, was acquired Monday by the RELX Group (formerly known as Reed Elsevier) for £580 million (about $817 million) in cash (ARN). It's a nice exit for ThreatMetrix, which had been valued at $237 million during its last funding round in 2014 (TechCrunch). GitLab has acquired Gemnasium, a service that alerts developers to known vulnerabilities in open source libraries and helps resolve them. It's basically an acquisition to hire Gemnasium staff en bloc; Gemnasium will shut down operations in mid-May (TechCrunch). Cisco's acquisition of Skyport is also seen as essentially a hire of "brainpower": Skyport's security products will sunset shortly (Data Center Knowledge). Bomgar has acquired Lieberman Software for an undisclosed sum. They're adding Lieberman's privileged access and identity offerings to their portfolio (Infosecurity Magazine).
Testing platform BrowserStack received a $50 million Series A round from Accel (TechCrunch). Logikcull, proprietor of a cloud-based discovery platform, has raised $25 million from backers led by New Enterprise Associates. The funding round includes participation of existing investors OpenView Venture Partners and Storm Ventures (BusinessWire). BehavioSec, specializing in continuous authentication by behavioral biometrics, has raised $17.5 million in a Series B round led by Trident Capital, with participation by Cisco Investments and ABN AMRO Digital Impact Fund. Existing investors include Octopus Ventures and Conor Venture Partners (Daily Telescope). Data protection startup BigID has raised $14 million from ClearSky Security and Comcast Ventures (New York Business Journal).
Booz Allen has been selected to prime the US Department of Homeland Security's six-year, $621 million Continuous Diagnostics and Mitigation (CDM) program (TheHill).
A bit more is now known about Chronicle, the new cybersecurity firm established by Google's parent, Alphabet (Popular Science).
Huawei continues to lose major US customers and partners as Verizon joins AT&T in dropping plans to sell Huawei phones (Ars Technica).
The Hacking Team, controversial vendor of lawful intercept products that critics say are widely abused by repressive regimes, is still in business, sustained by a new ownership stake quietly taken by a group of Saudi investors (Motherboard).
Today's issue includes events affecting Iran, Iraq, Israel, Democratic People's Republic of Korea, Republic of Korea, Lebanon, Netherlands, Russia, Syria, United Kingdom, United States.
ON THE PODCAST
Don't forget to give yesterday's Research Saturday a listen. Adware is generally considered unsophisticated, and because of its low perceived threat level it's often ignored. Researchers from Booz Allen Dark Labs' Advanced Threat Hunt Team have recently published research describing a more advanced type of adware, using infection techniques usually attributed to nation-state actors. In this edition of Research Saturday, Booz Allen Dark Labs threat hunter and tech lead Jay Novak takes us through their research.