The Week that Was.
July 7, 2018.
By The CyberWire Staff
Charming Kitten uses reports on itself as phishbait.
The Iranian threat group Charming Kitten is building bogus websites purporting to be connected with Clearsky, the Israeli firm that has been tracking Charming Kitten for some time. Clearsky says the malicious site uses the (defanged) domain clearskysecurity[dot]net. The phishbait being dangled is Clearsky's own reporting on the Iranian APT: the threat group copied pages from Clearsky's public reports and altered one of them to offer a "sign-in" option (Infosecurity Magazine).
Phishing (and catphishing) as intelligence tools.
Members of Germany's Bundestag are being approached through social media, for the most part with fictitious profiles, in attempts to recruit them for Chinese intelligence services. The prospects were offered payment for various kinds of inside information, much of it apparently innocent, or at least not obviously criminal: in some cases they were asked to provide their analysis of certain issues. They were also invited to visit China, where presumably they would be further entangled. Some did visit, where unsurprisingly their mobile devices were compromised, as happens on such junkets (Deutsche Welle).
The Israeli Defense Forces report that some of their soldiers (shy of a hundred) were prospected in a phishing operation thought to be run by Hamas. The IDF is calling the campaign "Operation Broken Heart." A catphish representing herself as a recent immigrant to Israel (hence the messages' imperfect Hebrew) invites the soldiers to download a malicious app, either romantically themed (a dating app called "GlanceLove") or sports-themed (especially apps offering World Cup updates, like "Golden Cup") (Register).
Typeform, whose widely used app delivers online quizzes businesses and government agencies use to make their sites stickier, has disclosed that it discovered a data breach last week, compromising first names, dates of birth, mobile numbers, and email addresses entered by quiz-takers. The company has been notifying its customers—the organizations who use their services, not the individuals who took the quizzes—and much information about the incident comes from those customers (Graham Cluley). It appears that the information accessed was in a "partial back-up" of Typeform's data. It also appears that the data were unencrypted (Register).
Facebook gave a number of partners more access to its users' data than had been generally supposed (Naked Security). The company acknowledged Tuesday that it remained under investigation by regulators in the US and the UK with respect to data use issues in the Cambridge Analytica incident, and said that it was cooperating fully (SecurityWeek).
Google has also proven generous with user data. Mountain View allows certain developers to read the contents of Gmail users' emails (Naked Security). In this case, it's said that permission to share in this fashion was granted by users who clicked through their Gmail EULA.
EU copyright law will not be fast-tracked.
The European Union Thursday declined by a 318 to 278 majority to fast-track its proposed copyright law, regarded by opponents as a meme-killer at the very least, and probably something very much worse. In a rough-and-ready way, the recording industry and some big publishers lined up in favor of the law, with the tech industry and a broad range of Internet users falling in against it. The two most controversial aspects of the legislation have been Articles 11 and 13. Article 11 would impose what amounts, critics say, to a "link tax" that would hit news aggregators particularly hard. Article 13 would impose direct liability on platforms for their users' copyright infringements. This would push them strongly in the direction of pre-filtering content, with risk to both fair use and free expression (TechCrunch).
Fast-tracking would have been the normal course for EU legislation once out of the responsible committee. Reopening deliberations means the bill is unlikely to pass in its present form (Motherboard).
Follow-up: Novichok attacks.
A couple is critically ill in England, apparently poisoned by the same Novichok nerve agent used against the Skripals (Telegraph). The couple fell ill last Saturday in Amesbury, Wiltshire, not far from the site of the original Salisbury incident (CNN). Investigators' working assumption is that the poisoning is an accidental side effect of the attempted assassination of the Skripals, and that the Russian government is behind the original attack (Guardian). Police investigations are centered on a hotel in Salisbury; they're looking for a syringe that may be connected to the original attacks (Times). The incident will continue to shape information operations as the subject of considerable propaganda and disinformation.
Crime and punishment.
Police in Maryland used a facial recognition system to determine that the man they had in custody as the suspected killer in the Capital Gazette shootings was Jarod Ramos (Ars Technica). Anne Arundel County police were assisted by the Maryland Coordination and Analysis Center's large searchable database of mugshots and driver's license photos (TechCrunch).
In an unusually repellent case of official corruption, Raphael A. Sanchez was sentenced to four years in US Federal prison for crimes relating to theft of immigrants' identities. Until he copped a guilty plea to one count each of wire fraud and identity theft in February, Mr. Sanchez was Chief Counsel at Immigration and Customs Enforcement's Office of the Principal Legal Advisor. Evidently unable or unwilling to scrape by on his Government salary of $162,000, he took data from Alien Files to create fake accounts for himself, defrauding various financial institutions of around $190,000. Mr. Sanchez began his scams in October 2013 and continued them into 2017 (Naked Security).
Israeli prosecutors have indicted an employee of NSO Group (described as "disgruntled") on charges related to theft of the company's controversial Pegasus lawful intercept product (Motherboard). Observers point out that this insider-threat case shows why mandating backdoors in software is a poor idea (Washington Post).
The brobdingnagian Kim Dotcom (né Schmitz) has lost the latest round in his court battle to avoid extradition to the US, where he faces criminal charges of conspiracy, racketeering and money laundering connected to his defunct Megaupload file-sharing site. New Zealand's Court of Appeal ruled against Mr. Dotcom, but the story's far from over: he's got at least one appeal left, to New Zealand's Supreme Court. It's a long-running story, Mr. Dotcom's engagement with the law going back at least to 2012 (CBS).
Courts and torts.
The US Securities and Exchange Commission has brought civil charges against a former Equifax manager, who has admitted to shorting the company's stock six days before its major data breach was publicly disclosed on September 7th, 2017. Sudhakar Reddy Bonthu, formerly an Equifax product development manager, has settled the SEC's civil complaint and agreed to return the roughly $75,000 he netted from his trades, plus interest. He also faces criminal charges (SecurityWeek).
The former employee Tesla is suing for alleged sabotage and other acts is crowdfunding his legal expenses. Martin Tripp, who says he was no malefactor, but rather a whistleblower, is seeking to raise $500 thousand (Teslarati).
Policies, procurements, and agency equities.
Speaking Wednesday at the International Institute of Communications Telecommunication and Media Forum, the chair of Australia's Productivity Commission floated various regulatory ideas concerning handling of consumer data. Peter Harris was particularly interested in pushing for consumers' rights not only to know what data are being collected, but with whom those data are shared (ZDNet).
The director of the US National Nuclear Security Agency thinks banning software is a losing proposition, and not the way to improve any enterprise's cybersecurity (Nextgov).
The US Federal Trade Commission would like to be the sheriff who brings order to the ill-governed Internet-of-things frontier (Information Security Buzz).
US Cyber Command has a major procurement out for bid. The US Air Force has issued a request for proposals (RFP) on behalf of Cyber Command for the Unified Platform under the GSA's Alliant governmentwide acquisition contract (GWAC). Only Alliant primes received the RFP. Lockheed Martin, Northrop Grumman, Raytheon and Booz Allen Hamilton are believed to be bidding. It's not known whether other Alliant primes intend to compete for the contract. Bids are due by the middle of this month. Other companies have been working on prototypes of the Unified Platform. One of the firms that has developed a prototype under earlier contract vehicles is Maryland-based Enlighten IT Consulting (Fifth Domain). Some in the press have called the project a "Cyber Carrier." Russia Today, in its concern that the American taxpayers not be bilked, sniffs that the bidding companies are "the usual suspects responsible for big boondoggles," so Moscow doesn't like the RFP, on evidently disinterested grounds.
Three US agencies (the Department of Defense, NASA, and the General Services Administration) are seeking authority for rapid purchases in the event of a cyber emergency. Procurements of up to $20 thousand would be considered "micro-purchases" under the proposed rule. The ceiling strikes some observers as too low to do much good in an emergency (Fifth Domain).
The US Department of Defense is continuing its research into artificial intelligence, as are its near-peer rivals in Russia and China, and so Project Maven is "just the beginning," as the commanding general of Air Combat Command put it (Defense One). The Pentagon opened a hub for research into artificial intelligence last week, the Joint Artificial Intelligence Center (JAIC) (C4ISRNET). Google's employees may not wish to have anything to do with the work, but it seems unlikely that this viewpoint will spread to other companies, and it may not prevail over the long term within Google itself (Foreign Policy).
US Army Cyber Command is looking within the Army itself, having realized that there's significant untapped talent in the ranks, and the approach appears to be paying off (WIRED).
An example of corporate desire for regulation surfaces in Malaysia, where an IBM Resilient cyber security and privacy program director urges enactment of laws requiring companies to disclose data breaches. It would bring clarity to the issue. It would also help bring national practices into line with GDPR (Star).
The US Marine Corps, in what is apparently a real story and not a running gag from Terminal Lance, seems to be exploring dating apps as recruiting tools (Marine Corps Times). Gunnery Sergeant Robin Sage was unavailable for comment.
Fortunes of commerce.
As expected, ZTE replaced its board a week ago in a further gesture of submission to US discontent over the company's conduct with respect to sanctions (Wall Street Journal). The company also fired a number of senior executives (TechCrunch), but its future and direction remain in doubt (CNBC).
The US Administration and Congress remain at odds over the treatment of ZTE and Huawei in particular, with Congress taking a much harder line as the Administration continues to see treatment of the companies as bargaining chips useful in getting China to pressure North Korea on its weapons programs (Washington Post). Huawei is also under pressure from the US Federal Communications Commission, which is considering effectively banning the company's devices from US telecommunications infrastructure (Verge). And, of course, any role the company hopes to play in Australia's 5G network remains in doubt (Strategist).
Some members of the US House of Representatives are calling for a national security investigation of the Sprint-T-Mobile merger. They express concerns that Sprint is too close to Huawei (TmoNews).
IBM received a £30 million contract from NHS Digital to provide data security services to the UK agency (Digital Health). The contract is part of NHS's response to last year's experience with WannaCry ransomware (IT PRO). IBM has also received a large data security contract ($740 million) from Australia's government (Bloomberg).
Since the Equifax breach, the cybersecurity-focused exchange traded fund (ETF) HACK has returned 31% to investors, roughly double the performance of the S&P 500 over the same period (CNBC).
Mergers and acquisitions.
Facebook has acquired London-based Bloomsbury AI, which specializes in natural language processing. The acquisition will cost "up to $30 million" (Computing).
Paris-based CS Communications & Systèmes, which offers mission-critical systems, is issuing new stock to raise €10.2 million for further expansion into the cybersecurity market. The company's acquisition of Novidy has already driven CS Communications & Systèmes' sales in the sector to approximately 20% of the company's revenue (Fifth Domain).
TransUnion has completed its acquisition of device-intelligence shop iovation (Globe Newswire).
Claranet has acquired pentesting company NotSoSecure with the goal of expanding its presence in Australian and US markets (Infosecurity Magazine).
Verint's acquisition of lawful intercept shop NSO Group is rumored to be in jeopardy. There's some speculation that the indictment of a former NSO employee for the alleged theft and attempted black-market sale of its signature Pegasus product may be giving those involved in the acquisition cold feet, but details are unclear (Globes).
Investments and exits.
Maryland-based Tenable, well-known as the creator of Nessus, has registered for an initial public offering. The company intends to trade on the Nasdaq under ticker symbol TENB (PRNewswire). The announcement prompts discussion of the company's sixteen-year path to its IPO, and of what other companies can learn from its journey (Baltimore Business Journal).
MedCrypt, which offers embedded cryptographic software for medical devices, has raised a $1.9 million seed round led by Eniac Ventures, with participation by Sway Ventures, Nex Cubed, Oronoco Investments and Friedman BioVentures (TechStartups).
ThetaRay, based in Tel Aviv, has raised $30 million to expand its international presence and meet demand for those of its solutions used against money laundering and other forms of financial crime. Investors include Jerusalem Venture Partners, General Electric, Bank Hapoalim, Israel’s OurCrowd and SVB (Reuters).
California-based Preempt Security, which offers enterprise threat management, has raised $17.5 million in Series B funding. ClearSky, Blackstone, Intel Capital and General Catalyst all participated in the funding round (Cyberscoop).
Michael Dell announced his intention of taking Dell public again (Washington Business Journal). The company will return to the New York Stock Exchange through a stock-swapping plan in which Dell will exchange each share of DVMT, the tracking stock for its VMware software business, for 1.3665 shares of Dell common stock at $109 per share (CRN). Analysts speculate that the company's return to public trading augurs a concentration on edge computing (WIRED). The return to public trading is likely to be lucrative for Dell's ownership (Forbes).
Thoma Bravo has completed acquiring its majority position in LogRhythm (Markets Insider).
And security innovation.
Facebook is offering bounties for detection of data abuse. They would function similarly to bug bounties, but are perhaps better thought of as unwelcome-feature bounties. Other companies may follow suit as data protection moves into a higher stakes world (Threatpost).
The Commonwealth of Virginia's CyberX initiative will put $25 million in state funding behind a cooperative industry-government-university cybersecurity business development effort (Virginia Business).
The US Air Force seems pleased with the progress of its archly named CROWS program, designed to assess the resiliency of weapons systems and standardize such assessments across the Service. "CROWS" is of course an acronym, "Cyber Resiliency Office for Weapons Systems," but it's also an allusion to the old nickname "crow" for an ELINT operator, which suggests, culturally at least, the now-routine convergence of cyber operations and electronic warfare (SIGNAL).
Today's issue includes events affecting Australia, China, European Union, France, Germany, Iran, Israel, Russia, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this week's edition we talk with Daniel Hatheway, a Senior Security Analyst at Recorded Future. He takes us through their recently published research, Uncover Unseen Malware Samples with No Distribute Scanners. Sellers of malware on Dark Web forums often use No Distribute malware scanning tools to help verify the effectiveness of their wares while at the same time preventing legitimate virus scanning tools from adding the malware to their database. Find out how to shed some light on this corner of the criminal souk.