Threat intelligence playbook helps make sense of indicators.
In 2017, ransomware advanced significantly and is now capable of taking out infrastructure and operations across the globe. As a result, many organizations are bogged down in reactive work and often overlook the value of crucial information. In this white paper, learn how to uncover some of the most critical insights from your organization’s alerts and indicators that will allow you to shift to a more proactive posture.
The Week that Was.
January 28, 2018.
By The CyberWire Staff
Jackpotting hits the US.
In a story KrebsOnSecurity broke late yesterday, the US Secret Service is quietly warning banks that a jackpotting campaign has turned up in US ATMs. In jackpotting, automatic teller machines are induced to spew cash: the money comes out like a one-armed bandit's jackpot, hence the name. The crooks pose as maintenance workers and use an endoscope to connect with the ATM to deploy Ploutus.D crimeware. Once they've synched with the ATM, they remotely control it and can empty its contents at will to one of their mules.
Learn how to effectively integrate security into the development process for true DevSecOps.
Security tools and processes aren't designed to keep pace with accelerated development velocity and innovation. Cybersecurity thought-leader Dr. Chenxi Wang and CYBRIC CTO Mike D. Kail lend their expertise and provide real-world lessons on integrating security for #DevSecOps "from cradle to scale". In this webinar, you’ll learn how to get started, what metrics to use, and what security at scale can mean for you and your enterprise. Register for February 8 at 1PM ET webinar.
Domain name homographs.
Farsight Security warns that Internationalized Domain Names (IDNs) can use non-Latin characters (usually from the Cyrillic alphabet many Slavic languages use) to craft sites that impersonate urls that use the more familiar Roman characters. Spoofed sites are used for more persuasive phishing. Thus a Cyrillic soft sign, "ь" for example, can be used in lieu of a lowercase Roman "b" to spell "faceьook." This sort of imposture might fool the casual eyes of users normally alert to the urls they follow. Companies whose sites have been impersonated in this way include Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, Credit Suisse, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo, Wikipedia, YouTube, and Yandex (World Trademark Review). Companies concerned about this possibility may wish to protect their customers by registering some easily confused homographic forms of their official domains.
Cryptocurrency mining is on the rise, and it's not victimless.
Cryptocurrency mining shows a shift from Bitcoin to Monero. The XMRig campaign has now infected more than fifteen-million users with unwanted mining software. XMRig misuses url-shortener Bitly to hide red flags from users it seeks to induce to click malicious ads (Unit 42). Dr. Web reports that Windows systems running some versions of the Cleverance Mobile SMARTS Server, a legitimate Russian product that automates various industrial and logistical processes, are being infected with malicious DLL files that mine Monero. Trend Micro is following a similar campaign against Apache Struts and DotNetNuke servers. (Bleeping Computer). Computationally intensive, miners are far from harmless: they can render infected CPUs effectively unusable (CrowdStrike).
On this week’s episode of Research Saturday, we talk about a campaign that's targeting organizations involved with the upcoming Pyeongchang Winter Olympics. Raj Samani, chief scientist at McAfee, describes details of this clever campaign that was discovered by McAfee's Advanced Threat Research team.
Fancy Bear is no fan of luge.
Hacking during the run-up to the Pyeongchang Winter Olympics (games opening February 9th) continues with some doxing by Fancy Bear. In this case the target is the International Luge Federation. The documents Fancy Bear (associated with Russia's GRU military intelligence service) purport to show that lugers are evading anti-doping measures (TheHill). Doping has embarrassed Russia since the 2014 Sochi Olympics (New York Times). The country's team has been banned by the International Olympic Committee (IOC) from competing at Pyeongchang, but Russian athletes who can demonstrate that they're clean will be allowed to compete as individuals under the neutral fig-leaf OAR, "Olympic Athlete from Russia" (BBC). Neither the Russian flag nor anthem will be permitted to appear during medal ceremonies, and the IOC has presented OARs with a "conduct guide" to forestall unseemly patriotic demonstrations (Reuters).
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
Hacktivists and website defacement.
Hacktivists have famously confined themselves to website defacement as opposed to more damaging forms of cyberattack. This has generally been ascribed to both a relative lack of technical sophistication and perhaps a failure to appreciate the more damaging possibilities of other attacks. A study of hacktivism by Trend Micro indicates that vandalism, virtual graffiti, remains the hacktivist's typical move, and that hacktivism remains predictably correlated with geopolitical events. There are signs, however, that this could be changing, and that hacktivists may now aspire to rise beyond their characteristic level of nuisance and embarrassment by installing backdoors, doxing, and information theft. There are also signs of a convergence between hacktivism and financially motivated cybercrime, particularly in ransomware attacks (Infosecurity Magazine).
Evrial snoops through Windows clipboards.
A new Trojan, "Evrial," has been discovered by researchers at MalwareHunterTeam and elsewhere. Evrial does some conventional scanning of browser cookies, files, stored credentials, and screenshots, but it also snoops through the contents of Windows Clipboard. As it does so it can not only identify strings of interest to its criminal controllers, but also replace those strings with code of its own choosing. This is significant because it affords a way of stealing cryptocurrency. Cryptocurrency wallets have addresses that are complicated pieces of text. It's much easier to copy and paste them than it is to type them when you wish to use them. Since most people don't check their cutting and pasting, Evrial's imposture is likely to succeed in redirecting cryptocurrency payments into its controllers' wallets (Bleeping Computer).
MalwareHunterTeam says that the code is being sold on Russian criminal fora for about $27. It's become a popular offering in the criminal-to-criminal market. How Evrial is being distributed isn't yet clear, so practice good digital hygiene and be especially alert for phishing attempts (TechRepublic).
Satori IoT botnet extends its reach.
IoT devices containing ARC chipsets are turning up in Satori botnets, which indicates that botnet controllers have significantly increased the number of maverick devices they can rope into their herd. 32-bit ARC processors are power-efficient chips found in automobiles (including electronic steering controls and entertainment systems), consumer goods like smart thermostats, personal fitness devices, and TV set tops, and also in industrial control systems (SC Magazine). More than a billion and a half systems ship with ARC chips annually. Arbor Networks, the firm warning of Satori's expansion, has an account of how it compares and contrasts with its Mirai ancestors.
Information operations and cyber espionage updates.
After some introspection, Facebook reported to Congress this week that Russian operators created one-hundred-twenty-nine events on the social media platform during the last US election cycle (Reuters). Twitter gets poor reviews from Parliament, which seems to think it's dodging questions about Russian attempts to influence the Brexit vote in the UK (TechCrunch).
The Algemene Inlichtingen- en Veiligheidsdienst (AIVD), the Netherlands' intelligence service, is said to have identified Cozy Bear, generally regarded as a unit of Russia's FSB, in 2014, a year before Cozy Bear began its intrusion into US political party networks (TechCrunch). In the DNC hack attention has tended to focus on Fancy Bear, Cozy's noisier cousin, but its worth recalling that Cozy was quietly snuggled into the networks first (Sydney Morning Herald). The AIVD had obtained access to Cozy Bear's networks. They were also tracking Cozy Bear on the ground: in the course of their operations they obtained remote access to security cameras in the vicinity of Cozy's headquarters in a Moscow university building which gave them a clear picture of everyone who entered and exited. AIVD provided US intelligence services via an NSA liaison some of the evidence used to develop the case that Cozy Bear had intruded into Democratic Party networks (The Age).
Dutch media accounts of the incident (filled with breathless national pride) cite Chris Painter, until his departure last August a senior US State Department official responsible for diplomacy and international norms affecting cyberspace, as saying, "We'd never expected that the Russians would do this, attacking our vital infrastructure and undermining our democracy" (Volkskrant). (Such lack of expectation seems naive beyond belief. One hopes Mr. Painter was misquoted, or taken badly out of context. Otherwise, what did Foggy Bottom think the Russian organs have been up to for the last hundred years or so if not "undermining our democracy"? Here's an account of the overview of cyber diplomacy Mr. Painter offered at the Billington International Cybersecurity Summit in 2016.)
The US Democratic National Committee has appointed Bob Lord, who led incident response during Yahoo!'s breach crises, to handle the party's cybersecurity (WIRED).
This is Rumour Control...
The UK will establish a national security organization to combat disinformation. The Prime Minister's office said, “We will build on existing capabilities by creating a dedicated national security communications unit. This will be tasked with combating disinformation by state actors and others. It will more systematically deter our adversaries and help us deliver on national security priorities.” GCHQ is expected to play a significant role in what's characterized as a "rapid" and "bi-directional" response (TechCrunch).
In official British eyes a major disinformation campaign would count as a "C1" attack under the National Cyber Security Centre's tripartite classification: a national emergency of the highest concern. Democratic processes are grouped with power grids as "critical systems or services." The NCSC's classification runs as follows. C1 attacks amount to a “National Emergency – an incident or threat which is causing or may cause serious damage including loss or disruption of critical systems or services.” There've been none so far against the UK, although election influence operations against France and the US might qualify. A C2 attack is a “significant incident or threat requiring coordinated cross-government response.” The UK has sustained thirty-four of these so far, including the WannaCry infestation at the National Health Service. C3 attacks include “sophisticated network intrusion, cybercriminal campaign for financial gain, or the large scale posting of personal employee information.” By the NCSC's tally, seven-hundred-sixty-two known incidents have been C3 attacks (Naked Security).
When NCSC's Ciaran Martin this week warned of the practical inevitability of a C1 attack, he was widely understood to be talking about the kind of widespread devastation that a destructive attack on a national power grid could produce, but he may have had other things in mind (Guardian).
Cyber epistemology has a ways to go.
Facebook is uneasy its platform's use for information operations and has expressed a commitment to giving more news-feed prominence to "trusted sources." It will ask people to vote on whether they trust a particular source, and then aggregate this into some sort of ranking (WIRED). This would be more like polling than a true prediction market.
Some of the more promising approaches seem boringly traditional, the sort of things that journalists and bunco squads have practiced forever, and they seem disappointingly fallible to an age that looks for algorithmic certainty. Too dependent on human labor, as well, for an age that wishes for precise and sinless artificial intelligence (Story Board).
Power: hard, soft, and sharp.
Political scientists are now dividing power into hard (kinetic capability), soft (culture influence), and sharp (information operations) (Foreign Affairs).
The next arms race is thought to be coming in the field of artificial intelligence (Fifth Domain). Many observers think they see a strong analogy between Chinese work in AI and the "Sputnik moment" that sparked the Space Race of the late 1950s and 1960s.
Cryptowars and content-management in Davos.
British Prime Minister May laced into encrypted comms providers at Davos this week, calling out Telegram in particular for enabling criminal and extremist conduct (Computing). She wishes to see more cooperation from the tech sector with criminal and intelligence investigations (TechCrunch).
There was some private-sector battlespace prep, too. Financier, philanthropist, and currency speculator George Soros excoriated Facebook and Google as monopolistic threats to global democracy, and as all too likely to work hand-in-glove with the Russian and Chinese governments (Quartz). Facebook acknowledged that its operations on the Internet are not an unmixed good, at least from a democracy-promotion standpoint (Pys.Org). Salesforce CEO Marc Benioff thinks we should regulate social media the way we regulate cigarettes, because both are addictive and bad for you (Digital Journal). This is anecdotal, but some studies claim there's evidence of a Facebook link to depression (Particle) rooted in insufficient accommodation of an individual's multiple roles (BoingBoing).
Source code inspections.
SAP, Symantec, and McAfee are reported to have permitted the Russian government to inspect their products' source code. Such inspection, required on security grounds, was a precondition of doing business in the country. It had been discovered in October that ArcSight software (developed by HP, now owned by Micro Focus) had submitted to similar review. There are concerns in the US that such source code inspection would enable Russian intelligence services to find exploitable vulnerabilities the products, which are widely used in the US Government (VentureBeat).
Fresh expressions of concern about Kaspersky Lab's connections with Russian security services also surfaced this week (Times). Britain's NCSC hasn't issued a blanket waring to the public against using Kaspersky software, although it has warned the Government not to use it in networks that hold official secrets. Parliament is asking why the warning hasn't been extended to the private sector as well (Times). Kaspersky denies FSB connections (Crime Russia).
Patch and unpatch.
Dell advised users not to install BIOS updates that address Spectre (Variant 2) vulnerabilities (Bleeping Computer). HP also pulled patches. The industry is waiting for a replacement round of BIOS fixes (ZDNet). WIRED's assessment of Spectre and Meltdown patching is that it's been a "total trainwreck." In many cases, patching can wait (Dark Reading).
Sumo Logic announced its acquisition of FactorChain, whose forensic platform they'll be integrating into their offerings (CNBC). Irdeto has acquired gaming security shop Denuvo in a move to improve anti-piracy and anti-cheat solutions for games played on various platforms (Gamasutra).
Boston-area start-ups Confirm and Sqrrl have been acquired (Xconomy). Amazon Web Services announced its acquisition of Sqrrl in a move designed to improve its cloud security capabilities (GeekWire). Terms were not disclosed, but AWS has been sniffing at Sqrrl for some months, and early speculation estimated that an acquisition could be priced at some $40 million or more (CNBC). Facebook said that it was acquiring Confirm, which specializes in identity verification. Facebook hopes its pickup will help it determine who's actually buying its ads (Computing). The company has also replaced its head of artificial intelligence (VC Circle). SharedLabs has acquired cloud solutions and security provider ExoIS for an undisclosed sum (PRNewswire).
Hysolate, an endpoint protection start-up, has emerged from stealth and announced an $8 million funding round. Hysolate is the fourth company to come from Team8's portfolio (Yahoo! Finance). Allure Security Technology, a Boston start-up with roots in Columbia University has received $5.3 million in a funding round led by Glasswing Ventures. Allure specializes in data loss prevention (Xconomy).
Alphabet, Google's parent holding company, announced formation of a security company, Chronicle, said to represent a big bet on machine learning (Reuters). KrebsOnSecurity asks rhetorically whether Chronicle is a "meteor aimed at planet threat intel."
Thales is establishing a joint venture to develop and deliver cybersecurity solutions for automobiles (Reuters).
Dell is rumored to be considering an IPO.The company, which took itself private in 2013, is also said to be considering acquiring the rest of VMWare, in which it currently holds a substantial stake (Bloomberg).
US-based WhiteHawk (Alexandria, Virginia) was listed on the Australian Securities Exchange Wednesday after the "online cybersecurity marketplace" raised A$4.5 million in an issue of 20 million shares priced at A$0.20 each (Small Caps).
A new venture fund, C5 Capital, advised by former British and American intelligence officials, plans to develop a "pan-European" portfolio of security companies (Reuters).
Spectre and Meltdown haven't hurt Intel's bottom line (CRN).
Today's issue includes events affecting .
ON THE PODCAST
Give a listen to yesterday's Research Saturday podcast. We talk to researchers at McAfee about what they've uncovered concerning cyber threats to the Winter Olympics.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.