2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
The Week that Was.
July 14, 2018.
By The CyberWire Staff
Ukraine says it stopped a VPNFilter attack.
The target is said to have been a plant that delivers chlorine for water purification. Details are sketchy, and it's unclear how the attack, as described, might have produced physical damage, but investigation is in its early stages. VPNFilter is a modular attack platform well-suited to cyberespionage, but it could be adapted to deliver other payloads (Dark Reading). There's no solid attribution, yet.
Ticketmaster breach may have been part of a major card-skimming campaign.
RiskIQ believes the breach wasn't a one-off incident, but represents the reappearance in a big way of the Magecart card-skimming gang. More than eight-hundred e-commerce sites worldwide are thought to have been affected, with individual victims numbering in the tens of thousands (Help Net Security).
Get trending threat insights delivered to your inbox.
Do you want trending information on hackers, exploits, and vulnerabilities every day for free? Subscribe now to the Recorded Future Cyber Daily.
Timehop breach and GDPR considerations.
The Timehop breach has expanded: individuals' dates of birth, gender, and country codes were also compromised. Records falling within the scope of the GDPR privacy regulation include 2.9 million name and email address combinations as well as 2.2 million name, email address and date-of-birth records. On December 19th an unauthorized party used an admin's credentials to log into a third-party cloud account. The hacker subsequently created a new admin account and waited patiently for a suitable accumulation of personally identifying information. On July 4th, presumably expecting a relaxed guard over the holiday, the hacker stole the database.
The case may reveal how the EU will balance zeal against completeness when it evaluates the reporting of a breach (Infosecurity Magazine). The EU's Information Commissioner has blogged that, "We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action."
Join us October 8 – 10 in New Orleans for the 8th Annual (ISC)2 Security Congress. Attendees leave the conference enriched and enabled to excel at advancing their careers – and securing their organizations. Save your seat at congress.isc2.org.
Speculative execution side-channel attacks (spawn of Spectre).
Two new attack techniques similar to Spectre have been identified by researchers Vladimir Kiriansky and Carl Waldspurger. ARM, AMD, and Intel chipsets are all susceptible to the speculative execution side-channel attacks. Speculative execution is a common and important feature of contemporary chip design, so any exploits could be expected to have widespread impact. Intel, which paid a bug bounty of $100 thousand for the study, has offered advice on mitigating the issue. ARM says most of its chips are probably unaffected, but it has mitigation suggestions as well. AMD is still considering the matter, but will probably have its own recommendations available shortly (ZDNet).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Disclosure and information sharing.
Reports of the new speculative execution issues roughly coincide with a US Senate Committee on Commerce, Science, and Transportation hearing on Spectre and Meltdown, itself a contribution to the larger issues of responsible disclosure, information sharing, and vulnerability equities. When they became aware of the issues last year, chipmakers did not inform the US Department of Homeland Security or any other responsible Federal agency until January's public disclosure. But they did warn their customers and partners. Intel shared the discovery with, among others, Chinese partners. ARM began sharing with affected customers within ten days of learning about the problem: "We do have architecture customers in China that we were able to notify to work with them on the mitigations." Chinese intelligence services don't seem to have exploited Spectre, but Senators find public-private relations in China too close for American comfort (WIRED).
Manuals for sale on the dark web.
Manuals covering US military systems including the MQ-9 Reaper drone have been found for sale in the dark web. Recorded Future says the asking price was only $200, but slack sales have knocked it down to $150. The person responsible (described by Naked Security as a "sad sack") apparently had no real understanding of what he or she had, what it was worth, or where to sell it. But the sad sack knew enough to find Netgear routers with the password "admin" and follow familiar steps to exploit an FTP vulnerability, change the password, and get access. Some of the material appears to have been stolen from a recent graduate of an Air Force cybersecurity awareness course. It should never have leaked, but the material doesn't appear to be particularly valuable: more interesting to hobbyists than spooks.
Intel patched its Processor Diagnostic Tool against remote code execution and privilege escalation vulnerabilities (SecurityWeek). It also announced fixes for speculative execution issues (HotHardware).
Monday Apple updated MacOS, watchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows, and iOS (Bleeping Computer). The iOS upgrade attracted considerable attention, especially since it offered the much-anticipated USB Restricted Mode, which disables an iPhone or iPad Lightning port beginning one hour after the device was locked. USB Restricted Mode prevents data transfers until the device is properly unlocked. Beyond its value in reducing the risk of losing sensitive data should an iPhone or iPad be lost or stolen, the mode is particularly attractive to people who don't want the authorities rummaging through their devices. You can defeat it if you're quick enough: connecting a dongle within that one-hour window will prevent the device from entering USB Restricted Mode. A Lightning to USB 3 Camera Adapter will do the trick (HOT for Security).
Adobe patched a hundred issues Tuesday: one hundred five in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect (SecurityWeek).
Microsoft was also busy, addressing fifty-three issues across fifteen products (Bleeping Computer). Its most significant patches were related to browsers (Dark Reading). There were also some fixes for speculative execution issues, especially with respect to Intel processors, with progress on AMD systems as well. We heard from Ivanti about this month's patches. Chris Goettl, Ivanti's director of product management, offered some recommendations on patching priorities. He thinks CVE-2018-8282 (a privilege escalation vulnerability) and CVE-2018-8287, 8288, and 8296 (which relate to the possibility of embedding ActiveX controls into an Office document) are sufficiently important to warrant updating both Internet Explorer and the Windows OS soon. Updates to the .NET framework, while important, are less urgent, and can be applied after testing and as possible. Finally, Goettl points out that Oracle is expected to issue its quarterly update next week.
Crime and punishment.
US Special Counsel Robert Mueller yesterday secured indictment of twelve members of Russia's GRU military intelligence service for offenses related to hacking the Democratic National Committee and the Clinton campaign. The indictment also confirms that DCLeaks (nominally American) and Guccifer 2.0 (nominally Romanian) were both GRU sock puppets (CNBC).
So Kariva Cross, convicted of fraud involving identity theft, didn't necessarily get data from the OPM breach. The US Justice Department said last month that Ms Cross had used stolen OPM data, but this week corrected itself in a letter to Senator Warner (Democrat, Virginia). Some of the victims whose data she'd used told investigators that they'd been affected by the OPM incident. But that's unsurprising: many people were so affected. There's no evidence Ms Cross actually used data from OPM in her crimes; thus Justice was "premature" in its conclusion (Federal News Radio).
A former Apple employee has been charged with theft of trade secrets related to Cupertino's work on autonomous vehicles (Mac Rumors).
Last Friday a former hedge fund manager and a former securities trader, Vitaly Korchevsky and Vladislav Khalupsky respectively, were convicted in a US Federal District Court of conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusion, conspiracy to commit money laundering and two counts of securities fraud. Their sentences could amount to twenty years (US Department of Justice). The two engaged in a running fraud over five years in which they enlisted hackers to get early, non-public access to press release services in New York and Toronto (Naked Security).
Courts and torts.
An Australian "litigation funder," IMF Bentham, has opened a class action suit against Facebook for privacy matters pertaining to the Cambridge Analytica affair (CRN Australia). On Thursday the US Securities and Exchange Commission (SEC) opened an investigation of whether Facebook misled investors (presumably through suppressio veri, suggestio falsi) about the scope and implications of its entanglement with Cambridge Analytica in the long-running data misuse scandal (Wall Street Journal).
Trustwave is facing a lawsuit in Illinois over alleged failure to detect or at least report an SQL injection attack on Heartland Payment Systems that resulted in a 2009 data breach. Two insurance companies, Lexington Insurance Company and Beazley Insurance Company, are seeking to recoup $30 million for claims they paid in the aftermath of the breach (Cook County Record). At issue are security audits Heartland had Trustwave conduct to help ensure, among other things, PCI standards compliance (KnowBe4).
The Daily Stormer received a cease-and-desist letter from Pepe the Frog's creator, demanding that the neo-Nazi publication take Pepe off their site. They complied (Motherboard).
Policies, procurements, and agency equities.
NATO's summit included a renewed commitment to Alliance operations in cyberspace, with special reference to hostile "disinformation campaigns" (Fifth Domain).
The US Defense Information Systems Agency (DISA) said Monday that the contract it let for a new system for managing security clearances was done as an OTA, "Other Transaction Authority." OTAs are intended to help the Government rapidly prototype technologies developed by small, innovative companies, bypassing some of the more cumbersome aspects of usual competitive contracting. The contractor, Enterprise Services, may be innovative but it's not small, and this has excited comment (Federal News Radio).
OTAs have also aroused suspicions that in effect they establish the GAO as another venue for contract protests (Breaking Defense).
The US Army made its first two direct commissions of officers for the new Cyber Branch (Fifth Domain).
Fortunes of commerce.
BAE Systems announced the formation of an intelligence-sharing association.
Huawei says it's confident it won't face crippling US sanctions, and that it intends to continue buying US chipsets (CRN). Australia did shut the company out of a major regional cable project (CRN).
The US Department of Commerce is expected to lift potentially company-killing sanctions against ZTE as the company prepares to place $400 million in an escrow account as an earnest of compliance and good behavior. The company has already replaced its leadership, as requested by the US (South China Morning Post). Markets reacted favorably: ZTE share prices rose on Thursday's good news by almost 24% (Reuters).
Kaspersky is seeking an eleventh-hour reprieve from Congressionally mandated sanctions against the Moscow-headquartered company. Most Federal agencies affected by the ban intend to put it into effect Monday. Kaspersky has maintained that the law amounts to an unconstitutional bill of attainder. The company is asking the US Court of Appeals for the DC Circuit to delay implementation of the ban until its argument has been heard and considered (Nextgov).
The labor market.
Deloitte thinks that demand for cybersecurity workers in Canada will grow at 7% annually, and that at this rate demand will continue to outstrip supply (Business Chief).
But the labor market is curiously mixed, especially as companies outside of the technology sector continue to shed IT staff (Wall Street Journal). Such countercurrents are surely felt in the cybersecurity labor force as well.
Synack, with partners Nav Talent and Morgan Stanley, will offer the ThinkCyber Fellowship, designed to turn hack-minded individuals into ethical hackers (PRWeb).
An ESET security researcher reflects on the career importance of doing scut work (Dark Reading).
Mergers and acquisitions.
On Tuesday AT&T announced its acquisition of enterprise-grade security solutions provider AlienVault. The acquisition is expected to close in the third quarter of this year (AT&T).
Also on Tuesday Bomgar said it had acquired endpoint privilege management shop Avecto (Bomgar).
London-based Mimecast, known for its cloud-based email security platform, has acquired Maryland's Ataata, a twenty-person cybersecurity education and training firm. Ataata's platform includes risk scoring that helps deliver training tailored to an individual's "sentiment and behavior," and that is tuned to the sorts of threats that individual is expected to encounter (Help Net Security). Terms were not disclosed (Washington Business Journal).
L3 has agreed to acquire infosec shops Azimuth Security and Linchpin Labs with a view to enhancing both cybersecurity capabilities and international market penetration (BusinessWire).
Safe-T has acquired the intellectual property and trademarks of CyKick, whose flagship behavioral analysis product Telepath will be integrated into Safe-T's software-defined access offering (Business Insider).
Cloud security provider Netskope has picked up infrastructure-as-a-service shop Sift Security. Terms weren't immediately available, but the acquiring company intends to integrate Sift's Cloud Hunter breach detection, correlation, visualization, and response engine into Netskope's Security Cloud (PRNewswire).
Chip-maker Broadcom, some months ago a disappointed Qualcomm suitor, on Wednesday announced its purchase of CA Technologies for $18.9 billion. The large and surprising acquisition of a major software house is expected to take Broadcom in a new direction (Wall Street Journal). Investors are baffled by the acquisition, not seeing the strategic fit (CRN).
Security companies in Maryland and Virginia are successfully attracting investment that would formerly have gone to California (Washington Post).
Safe-T Group, software-defined access specialists based in Israel, last week filed for an initial public offering in which they hope to raise some $10 million (CRN). The company intends to trade on the Nasdaq under the symbol SFET (Seeking Alpha).
Thoma Bravo has acquired a majority stake in privileged identity management and identity-as-a-service company Centrify. This is the private equity firm's second significant cybersecurity investment in as many months: Thoma Bravo took a majority position in SIEM shop LogRhythm in May (SecurityWeek).
The distributed ledger project being realized as Oasis Labs has attracted pre-sale financing of $45 million (TechCrunch).
Maryland-based Quantum Xchange emerged from stealth with a $10 million venture round led by New Technology Ventures. Quantum Xchange's first network will secure Wall Street financial transactions and data, with back-office operations in New Jersey (Washington Business Journal).
Israeli ICS and SCADA security firm Radiflow has raised an $18 million funding round led by Singapore-based ST Engineering. The funding will, among other things, support integration of Radiflow's technology with ST Engineering's control systems (SecurityWeek).
And security innovation.
The state of Georgia opened its new cybersecurity center, Tuesday. The Georgia Technology Authority intends the Georgia Cyber Center to be a location where industry, government, and universities will cooperate on cybersecurity research (Augusta Chronicle). Housing several distinct organizations, the facility will complement those the US Army's Cyber Command runs in the state at Fort Gordon (Fifth Domain).
Think Cyber Security, a start-up that seeks to apply insights derived from behavioral science to security training, has joined London Office for Rapid Cybersecurity Advancement (LORCA) (Infosecurity Magazine).
Down but not out, a group of Cambridge Analytica alumni have formed a new company that will use tools similar to those their former employer took to Facebook data. The new company, Auspex International, launched on Wednesday. It says that Google search data are a lot more valuable than Facebook data ever were (Computing). The new company, one of several to emerge from the reorganized remnants of Cambridge Analytica, has been received with predictable ambivalence.
Today's issue includes events affecting Australia, China, European Union, Israel, Russia, Ukraine, United Kingdom, United States.
And if you haven't already caught it, this week's Hacking Humans podcast is up. We hear about a prank phone call to the White House, discuss the sad story of a woman robbed of her retirement savings, and offer some notes on Twitter account-recovery scams. We're also joined by Charles Arthur, author of Cyber Wars: Hacks that Shocked the Business World, who discusses social engineering with us.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.