skip navigation

More signal. Less noise.

Learn how to effectively integrate security into the development process for true DevSecOps.

Security tools and processes aren't designed to keep pace with accelerated development velocity and innovation. Cybersecurity thought-leader Dr. Chenxi Wang and CYBRIC CTO Mike D. Kail lend their expertise and provide real-world lessons on integrating security for #DevSecOps "from cradle to scale". In this webinar, you’ll learn how to get started, what metrics to use, and what security at scale can mean for you and your enterprise. Register for February 8 at 1PM ET webinar.

The Week that Was.

Dark Caracal espionage campaign traced to Lebanon.

The Electronic Frontier Foundation and security firm Lookout describe an espionage campaign, "Dark Caracal" (named after the long-eared wildcat) that's afflicted Android devices since 2012. Lebanon's intelligence service, the General Directorate of General Security (GDGS), is believed responsible for the campaign. Targets included journalists, activists, military personnel, manufacturers, and financial institutions in more than twenty countries (Help Net Security). The GDGS exposed the information they took on an open server (Engadget).

No sophisticated malware was involved: Dark Caracal spread by phishing with baited software posing as legitimate communication apps, then used permissions victims granted (Motherboard).

The GDGS may have obtained its espionage tools and infrastructure from some third-party—researchers found Dark Caracal servers and malware used earlier by hackers apparently working on behalf of the Kazakh government (Threatpost). It's unknown whether Lebanon obtained the capability from Kazakhstan or vice versa, or whether both were supplied by some third-party, but appearances suggest what many have long taken as given: there's a functioning international market for espionage tools and infrastructure.

Threat intelligence playbook help make sense of indicators.

In 2017, ransomware advanced significantly and is now capable of taking out infrastructure and operations across the globe. As a result, many organizations are bogged down in reactive work and often overlook the value of crucial information. In this white paper, learn how to uncover some of the most critical insights from your organization’s alerts and indicators that will allow you to shift to a more proactive posture.

Duck and, wait...

Anxiety about North Korean nuclear saber-rattling has induced national and regional authorities to create or revive public attack warning systems. Eight days ago Hawaii's Emergency Management Agency (HEMA) inadvertently warned that missiles were inbound; on Tuesday Japan's national broadcaster NHK did the same thing (Naked Security). In neither case were systems hacked. The unrelated false alarms were apparently in both cases caused by human error abetted by cumbersome user experience and some poorly thought-out policies (Strategy Page).

The incidents prompted reflection on why emergency warning systems would be attractive to hackers. Such attacks could be the work of disgruntled insiders, or they could be the work of hacktivists interested in damaging the credibility of a particular government. They could also be "joyrides," as a Symantec researcher called them, where someone grabs control and races a system to destruction, just for the lulz. Such attacks could also serve a nation-state's interest in discrediting a rival, or, most disturbingly, as battlespace preparation for a planned physical attack (Popular Mechanics).

What do AI and machine learning mean for cybersecurity?

We hear about them everywhere in cybersecurity. They sound cutting-edge, but what do they mean? And what value do they add? Find out exactly how significant AI and machine learning are, and how small nuances in their use can make a big difference.

The DPRK stays busy.

North Korea seeks to redress sanctions-induced financial shortfalls through cybercrime (Cipher Brief). Recorded Future reports on the Lazarus Group's concerted spearphishing campaign in late 2017 against South Korean cryptocurrency exchanges and their users. South Korea is an attractive target for political, linguistic, and financial reasons. Besides stealing Bitcoin, the campaign also prospected South Korean university students interested in international affairs.

The campaign's malware used Ghostscript (CVE-2017-8291) against users of a popular Korean-language word processor, Hancom's Hangul Word Processor. There are interesting connections between this campaign and earlier ones linked to the Lazarus Group. The malware payload shared code with Destover, a strain used to hit Sony Pictures in 2014 and early WannaCry victims last year. Both the Sony and WannaCry attacks have been widely attributed to North Korea.

There's also fresh evidence of cyber espionage. Cisco Talos reports finding a new threat actor, "Group 123," which it considers responsible for six identifiable campaigns mounted last year and continuing into 2018: "Golden Time," "Evil New Year," "Are You Happy?" "Free Milk," "North Korean Human Rights," and "Evil New Year 2018." (The names allude to the campaigns' distinctive phishbait.) All except Free Milk targeted South Korean individuals and organizations; Free Milk was international in scope. Talos is commendably reticent about attribution, but signs do point to North Korea. Payloads have included both remote access Trojans and disk wipers (Infosecurity Magazine).

How are companies actually using machine learning for threat intelligence?

Artificial intelligence, and in particular machine learning, has seen huge strides in recent years and is now impacting all aspects of society and business. Learn the four ways machine learning is powering smarter threat intelligence with Recorded Future's latest white paper. Download your copy now.

CIA said to agree with Ukraine: NotPetya was a GRU operation. 

Sources say the US Central Intelligence Agency has concluded the NotPetya pseudoransomware that disproportionately but not exclusively affected Ukraine last summer was indeed a Russian (GRU) operation (Washington Post). Ukraine's SBU had reached this conclusion last July (Register).

Looking for an introduction to AI for security professionals?

Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.

Russian influence operations begin again with phishing.

The Russian operators generally believed responsible for hacking the US Democratic National Committee (DNC) last election season are believed to be back. Fancy Bear, also known as Pawn Storm (both noms de hack associated with Russia's military intelligence service, the GRU) is thought to be trying to intrude into networks belonging or related to the US Senate. The presumed goal is disruption of this year's mid-term elections. The preferred tactic is phishing, just as it was in operations against the DNC. Trend Micro believes they're phishing for credentials to the Senate's Active Directory Federation Services (ADFS) server by setting up sites that spoof it. That won't get them into ADFS directly, but the credentials so obtained can be useful in both privilege escalation and lateral movement (Infosecurity Magazine).

What should be done about election influence operations?

The US Congress deliberates election security (Politico), but some observers are struck by the way in which the US, unlike for example France and Germany seems unable to shrug off disruptive propaganda. Russia has played a weak hand opportunistically, but with considerable success (Foreign Policy).

Some of the influence operations, like those of the Shadow Brokers, have done damage through espionage. Others have used bots and catphish to plant discreditable news stories, many bogus, some genuine, but all with malign intent. Consensus is forming that the Shadow Brokers are indeed a Russian operation, and that, more controversially, they may have got their sensitive documents by exploiting Kaspersky security software for deep inspection of targeted systems (Yahoo! Finance).

The private sector continues to grope for an appropriate role as governments push social media providers especially to do something about fake news. Facebook, which continues to grapple with content moderation, has agreed (at the instigation of the House of Commons' Digital, Culture, Media and Sport (DCMS) Committee) to investigate whether it was used to manipulate the UK's Brexit vote (The Bull). Twitter announced Friday that it planned to contact nearly seven-hundred-thousand US users of its platform that they had interacted in some way with the now-famous St. Petersburg troll-farm, the Internet Research Agency. This organization made heavy use of bots and catphish, and some of its catphish (notably the completely fictitious "Jenna Abrams") acquired significant followings (CNN).

Notes on a terrorist diaspora.

The territory it claimed now gone, ISIS has clearly entered its diaspora phase. Recognizing that it's no longer capable of taking, holding, and administering cities, the group is expected to concentrate on consolidating its presence in cyberspace and inspiring lone wolves to hit-and-run or suicide terror attacks (Foreign Affairs).

An example of what ISIS messaging is like shows that the online howling for the lone wolves' ears hasn't changed much. "Liberate yourself from hellfire by killing a kafir," is a fair sample This particular howl came from senior ISIS commander Abu Hamza al-Amriki. As his nom de jihad suggests, al-Amriki ("the American") hailed from the US. While the inspiration he's offering is not something you'd normally hear on the Jersey Shore, that is indeed where he's from: this particular al-Amriki grew up in Margate, just outside Atlantic City (NBC Philadelphia).

Deterrence and the costs of an attack.

A report by Flashpoint outlines the geopolitical state of cyberspace, where both Russia and North Korea are increasingly active. So what should be done about it? Deterrence would be nice, but how does one effectively deter a cyberattack, especially one that approached the devastation of a large natural disaster (ZDNet)? A draft of the US Defense Department's 2018 Nuclear Posture Review suggests that the US would reserve the right to respond to non-nuclear attacks, including "extreme" cyberattacks, with nuclear weapons (CSO, New York Times). An opinion piece in Politico calls the proposal "bonkers," since the devastation of a nuclear exchange would be enormously disproportional to the effects of an attack on water or electrical power infrastructure.

But if bonkers, it's at least bonkers in a way that has strong precedents: the US (and NATO) during the Cold War reserved the right of nuclear first-use in response to a conventional attack by the Soviet Union and the Warsaw Pact nations. US strategy assumed (as did Soviet strategy) that the Pact had conventional superiority in Europe, and that the only way of stopping an attack might be with tactical nuclear weapons, and that those would be used, not immediately, but when NATO was in extremis. Thus the analogy would be with Cold War tactical nuclear doctrine. No one is suggesting a nuclear attack in response to turning the lights off in Ivano-Frankivsk for a few hours. Rather, they're envisioning an attack sufficiently serious to take down a continental power grid for months, reducing societies to pre-electrical conditions, with scores of millions dead as food distribution and other modern infrastructure failed (The CyberWire).

There are recurrent calls for a "Manhattan Project" to fix cybersecurity, most recently by former US Director of Central Intelligence Brennan (Tom's Guide). But the analogy strikes many as facile and ultimately wayward: the Manhattan Project took on a big, expensive, well-defined problem. In this it resembled that other project often cited as a model for cybersecurity: Project Apollo's moonshot. Unlike Manhattan and Apollo, however, cybersecurity is composed of an indefinitely large number of small, ill-defined, quicksilver challenges.

Some different analogies may be more apt. A cyber Solarium Project—from the early 1950s, which was polymathic, adaptable, and significantly focused on information—might make more sense than either a cyber Manhattan Project or a cyber Apollo moonshot (Lawfare). Here's another approach: treat disinformation the way we do money laundering, getting around the lies' bodyguard of truth (Securing Democracy). A joint EU-NATO center in Finland, the European Centre of Excellence for Countering Hybrid Threats, has been devoting serious thought to the problem (Foreign Policy).

Risk and resilience.

The World Economic Forum has released its annual Global Risks Report, which prominently addresses cyber risk. They've also released a Cyber Resilience Report, which comes in two parts: "a reference architecture for public-private collaboration, and cyber policy models." The playbook, intended to be adaptable to any nation's values and interests, takes up fourteen policy topics and analyzes them in terms of their impact on five areas: security, privacy, economic value, accountability, and fairness.

US Congress renews Section 702 surveillance authority.

With Senate approval on Thursday, the US Intelligence Community will be authorized to continue electronic surveillance for foreign intelligence collection. The renewal is good for another six years (Federal Times). The Intelligence Community has long regarded Section 702 authority as essential to its mission. Privacy advocates see a high potential for abusive use against US citizens. Congress thinks safeguards render such abuse unlikely.

Congress also failed to reach a budget agreement, and so at midnight Friday "the Government shut down." What effect this will have on security remains to be seen. Perhaps not much (Mashable).

Skygofree malware affects Android devices.

Kaspersky Lab warns of a new and unusually dangerous strain of Android spyware, "Skygofree," whose capabilities include location-based audio recording, interception of WhatsApp messages through Android Accessibility Service, connection of victim devices to attacker-controlled Wi-Fi, Skype call recording, and a keylogger. Kaspersky thinks Skygofree is the work of Italian lawful intercept shop Negg International, in part because they've found the domain in the malware's traces; that domain is registered to Negg. The malware spreads via web landing pages that look like legitimate sites belonging to Vodaphone and other mobile carriers (Ars Technica).

Ransomware hits healthcare.

The SamSam ransomware group has been active and successful this year. Since December 25th of last year, one of their Bitcoin wallets (they may have others) has received around $300,000 in extortion payments. Recent victims have included not only facilities like Indiana's Hancock Health Hospital (which paid $50,000 despite having backups in place) and, more recently, electronic records provider Allscripts. The attackers preferred avenue of approach is through unsecured Remote Desktop Protocol. An unnamed US industrial control systems company is also believed to have been hit (Bleeping Computer).

Red-hot cryptocurrency market cooling?

Bitconnect, the cryptocurrency exchange slanged by observers as a Ponzi scheme and subjected to cease-and-desist letters from securities regulators in North Carolina and Texas, has shut down. Its own alt-coin, BCC, unrelated to Bitcoin, Bitcoin Cash, or any other more established cryptocurrency, is now held to be effectively worthless (TechCrunch).

Whether this is a bellwether or not remains to be seen, but valuations of major cryptocurrencies have fallen from their December highs. The collapse of Bitconnect has raised concerns that the market in these alternative currencies is being manipulated (CBS News). The US Securities and Exchange Commission (SEC) sent a letter (accurately described as "strongly worded" by TechCrunch) to the Securities Industry and Financial Markets Association and the Investment Company Institute in which the SEC warned against moving forward too quickly with cryptocurrency-based exchange traded funds. The SEC acknowledges that markets evolve, and that there's potential in cryptocurrency, but that given the current state of the sector, "we do not believe that it is appropriate for fund sponsors to initiate registration of funds that intend to invest substantially in cryptocurrency and related products."

Patch news.

Oracle's Critical Patch Update includes two-hundred-thirty-seven patches for one-hundred-fifty-three vulnerabilities. They address critical flaws in Fusion Middleware, PeopleSoft and MICROS retail software (Computing). 

Competitors can cooperate when they face a common problem. The industry response to Meltdown and Spectre shows how this can work: in this case Slack served as an extemporaneous, self-organizing war room (Ars Technica). Issues continue with the Meltdown and Spectre patches, however: Intel acknowledges that its patching seems to be causing unwanted reboots, particularly in later systems (ZDNet).

It's worth recalling that patching needs to be thought through, and especially that patches be taken only from legitimate sources. Fear of Meltdown and Spectre has spawned bogus patches that carry a malware payload wrapped in convincing spoofs (ComputerWeekly).

Industry notes.

Momentum Cyber, a new firm specializing in advising cybersecurity firms and investors throughout their business lifecycle, announced itself to the world this week. It will be chaired by former FireEye leader Dave DeWalt (BusinessWire).

IoT security shop VDOO has received $13 million in funding (CRN). Paris-based Ledger, a leading purveyor of hardware wallets, has secured a Series B round of $75 million (TechCrunch). Lumia Capital led a $40 million Series D funding round for threat detection and mitigation specialist Anomali (TechCrunch). Cybersecurity firm Merlin International has made a strategic investment of $10 million in Centerity, which specializes in "advanced performance analytics and business services management (BSM) for complex technology environments (IT & IoT)" (BusinessWire).

In M&A news, Broadsoft has been cleared by US authorities to be acquired by Cisco (Globe Newswire). One Identity has acquired Balabit to increase its privileged access management capability (Quest). WatchGuard has bought Percipient Networks, specialists in automated security solutions for small and medium enterprises (Dark Reading). Intelie Soluções em Informática SA, which does predictive analytics, has been acquired by RigNet (Street Insider). Allot Communications has bought Tel Aviv-based startup Netonomy for its connected home security capabilities (CTECH). Managed service provider ITC Secure has acquired G3's cybersecurity practice (BusinessWire). FireEye announced its acquisition of X15 Software for $20 million; X15 specializes in monitoring and analysis of machine-generated security data (CRN).


Today's issue includes events affecting China, Japan, Kazakhstan, Democratic Peoples Republic of Korea, Republic of Korea, Lebanon, Russia, Ukraine, United Kingdom, United States.

Don't forget to check out yesterday's edition of Research Saturday, in which we talk with researchers at ThreatConnect about how Fancy Bear has been pawing at the domains of anti-doping organizations.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.