
2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.

WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.

The Week that Was.

Fancy Bear's Roman holiday.

CSE Cybsec's Z-Lab found Fancy Bear (also known as APT28, Sednit, Pawn Storm, Sofacy, Strontium, and Russia's GRU) probing the Italian Navy. The Russian intelligence service is said to have installed an updated version of its familiar X-Agent malware in naval systems. The campaign, "Roman Holiday," seems the usual sort of collection against military systems (SC Media).

What are the hackers’ paths to your critical assets?

Find out how you can be equipped with a continuous 360° view of which critical assets are at risk, what security issues you should focus on, and how best to harness your resources to resolve them. Simulate, validate and remediate every hacker’s path to your organizational critical assets. 

Proofreading Helsinki in Washington, and other clarifications.

Monday's Trump-Putin summit is said to have discussed ways of reducing tension between the US and Russia, with agreement to disagree about sanctions, competition, and Russia's aggression against Ukraine. The joint post-summit press conference attracted most attention, with President Trump saying, with respect to Russian influence operations during the 2016 election, "President Putin says it's not Russia. I don't see any reason why it would be" (Fifth Domain).

On Tuesday President Trump offered clarification, saying he didn't mean to say, "why it would be," but rather, "why it wouldn't be," and that he'd vigorously defend US elections against the Russians or anyone else. He also expressed agreement with the US Intelligence Community that Russian information operations have actively sought to disrupt American politics. "I have the strongest respect for our intelligence agencies," he said (Washington Post).

Denial of involvement, misdirection of suspicion, attempts to discredit intelligence services, and specious offers to help investigators have long been hallmarks of Russian propaganda and disinformation. The Skripal affair offers a recent example (Times). Skepticism about Russian information operations can serve those operations' goals (WIRED).

The US Justice Department said this week it intends to keep the public informed of foreign attempts to influence elections (Washington Post).

What do Floppy Disks, Han Solo, and Insider Threats Have in Common?

Visit the ObserveIT booth at Black Hat USA to find out! They’re going back to the 80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy—so you don’t have to be stuck in the past with your DLP and Flock of Seagulls haircut. And before you head out to Vegas, take ObserveIT’s quiz on which 80’s pop culture icon best represents your insider threat management strategy.


Kromtech reported finding a database with US voter information exposed in an unsecured AWS S3 bucket by Robocent, a robocalling firm specializing in selling its services to political campaigns. The material, now presumably secured, included names, addresses, dates of birth, gender, and the inferred political orientation of some thousands of registered voters. Kromtech also found an unsecured MongoDB database left open by the criminals who compiled it, presumably inadvertently (Register).

Amazon is experimenting with two tools, "Tiros" and "Zelkova," to help developers avoid AWS misconfiguration. Tiros maps network connections, and can display unexpected and unintended access from the Internet. Zelkova benchmarks S3 buckets against other elements of an enterprise's infrastructure, and helps reveal how permissive an AWS configuration is in comparison to the rest of the infrastructure (WIRED).
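The bucket exposures above come down to a policy that lets any caller in. As an added illustration (not Zelkova, Tiros or any AWS tooling, and not the newsletter's own material), the following check walks a bucket policy and flags Allow statements whose principal is the world and that carry no network or organisation condition. The policies, the bucket name, the account ID and the VPC endpoint ID are constructed sample values.

```python
"""Flag S3 bucket-policy statements that grant access to everyone.
Added illustration, not Amazon's Zelkova or any AWS tool: a structural
check that catches the common wildcard-principal misconfiguration."""

# Condition keys that tie a wildcard principal to a network, VPC endpoint
# or organisation; with one present the statement is not truly anonymous.
RESTRICTING_KEYS = {"aws:SourceIp", "aws:SourceVpce", "aws:SourceVpc",
                    "aws:PrincipalOrgID", "aws:PrincipalAccount"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """'*' or {'AWS': '*'} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def _condition_restricts(condition):
    """True if some condition key limits who may use the statement."""
    return any(key in RESTRICTING_KEYS
               for block in (condition or {}).values() for key in block)

def public_statements(policy):
    """Return (Sid, actions) for each Allow statement open to the world."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not _condition_restricts(stmt.get("Condition"))):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt["Action"])))
    return findings

# Constructed sample: the shape of policy behind an "unsecured bucket" story.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-voter-data",
                 "arn:aws:s3:::example-voter-data/*"]}]}

# Constructed hardened version: same bucket, one named role may read it.
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CampaignRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/campaign-dialer"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-voter-data/*"}]}

# Constructed edge case: wildcard principal, but only via one VPC endpoint,
# so the statement is broad yet not reachable from the public Internet.
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EndpointOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-voter-data/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for name in ("OPEN_POLICY", "LOCKED_POLICY", "VPCE_POLICY"):
        print(name, public_statements(globals()[name]))
```

The check is deliberately conservative: a statement with a wildcard principal and no recognised restricting condition is reported even if a Public Access Block setting elsewhere would override it, so results should be read alongside the account's block-public-access configuration.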

Is your malware lab a pain to use? Want a ridiculously easy to use malware lab?

Security teams who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI, using Tor or connecting to a jumpbox, get online in seconds with Authentic8 Silo, a secure cloud browser and egress from hundreds of points of presence around the world.

Money laundering through online games.

Criminals are monetizing stolen credit cards by making in-game purchases in popular games and then reselling those purchases on third-party gamer markets, according to Kromtech. The games mentioned as particularly affected are Clash of Clans, Clash Royale, and Marvel Contest of Champions (Kotaku).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

NIST to retire outdated cybersecurity publications.

The US National Institute of Standards and Technology (NIST) announced that, as of August 1st, it will withdraw eleven SP 800 series publications as outdated. They're simply being withdrawn, not replaced or updated. This seems appropriate because the publications in question either address outmoded, withdrawn, or deprecated technologies, or have been rendered obsolete by changes to laws, regulations, or executive orders, or fail to address newer technologies that have come into widespread use (NIST Computer Security Resource Center).

Clever social engineering is better than clever software engineering.

ESET this week issued a report on a criminal campaign that's targeting elements of the Ukrainian government. The remote access tools the criminals are using, "Quasar," "Sobaken," and "Vermin," have been delivered in malicious email attachments baited with filenames that seem dully plausible to their recipients.

Content moderation.

Facebook declines to remove content being derided as "fake news," but it will "demote" it if users report it as bogus and if it fails fact-checking (Naked Security). The service has been under considerable pressure to come up with content moderation that would impede, in the first place, hostile state-directed information operations against a target population, but also and more controversially to develop either a platform-wide speech code or a full-up editorial desk comparable to what a major metropolitan newspaper would have had circa 1960. Facebook's work here would seem consistent with both commercial imperatives and a conscientious regard for freedom of speech. 

As difficult as the task seems to be, some continue to look to Silicon Valley for salvation from fake news and influence operations (Foreign Affairs). The tech companies are in a difficult position. Congress is investigating the possibility that Big Tech has a progressive bias, and that platforms like Twitter, Facebook, and Google systematically disfavor conservative expression. Congress can of course investigate whatever it wishes, and it's not clear what effect such inquiries will have (if any), but the history of broadcast regulation may hold some lessons (Washington Post).

The US Congress may be mulling its own legislative intervention into content control. Section 230 of the Communications Decency Act of 1996 was designed to encourage online platforms to police themselves of obscene material while at the same time relieving them of liability for good-faith oversights. Some of the industry's Congressional inquisitors this week, seeing both bias and a disinclination to police foreign information operations, are asking why freedom to censor should be coupled with protection against certain liabilities. This is unlikely to change, but that the question is being raised at all seems significant (WIRED).

A number of governments in the Middle East, including those of Egypt, Saudi Arabia, and Turkey, are increasingly blocking their citizens' access to websites with a record of hosting content those governments find objectionable. This is regarded as following the Chinese model (Wall Street Journal).

Followers: good, bad, and bogus.

Many Twitter accounts, and celebrities' accounts in particular, took a sharp hit to the number of their followers early this week when Twitter purged locked accounts (Naked Security).

Patch notes.

Oracle issued its quarterly patch release on Tuesday. It addresses 334 vulnerabilities, which the SANS Institute calls a record. Vulnerabilities in WebLogic, Oracle Spatial, and Oracle Fusion Middleware MapViewer are rated as particularly significant. Attacks on WebLogic servers have figured in cryptojacking campaigns over the past year, and such attacks are expected to continue against unprotected systems.

Cisco has also patched, addressing vulnerabilities in Policy Suite, SD-WAN, WebEx and Nexus (SecurityWeek).

Swiss industrial software firm ABB patched an arbitrary code execution flaw that affects all versions of its engineering tool, Panel Builder 800 (SecurityWeek).

Crime and punishment. 

Colton Ray Grubbs, 24, of Stanford, Kentucky, has taken a guilty plea to charges of conspiring to market and distribute the LuminosityLink RAT, a commodity remote access Trojan sold to criminal hackers. Mr. Grubbs was the author of the malicious tool (KrebsOnSecurity).

Xiaolang Zhang, formerly employed by Apple, on Monday entered a plea of not guilty to a single Federal charge of stealing trade secrets. US prosecutors allege that Zhang stole an Apple blueprint for a circuit board intended for use in autonomous vehicles (CRN).

Industry reaction to last Friday's indictment of twelve GRU officers has been along the lines of "See? We knew it all along," with an admixture of "And they use a lot of familiar techniques, too" (SecurityWeek).

Courts and torts.

The EU has clobbered Google's parent Alphabet with the largest antitrust penalty it's ever imposed: $5 billion. At issue is Google's practice of embedding its apps and their attendant revenue in Android phones, which the EU has concluded effectively stifles competing apps (Wall Street Journal). Google intends to appeal (TechCrunch), but many doubt that any outcome will do much to change the company's dominant position in the market (Motherboard). It grows clearer that Silicon Valley has entered a late Gilded Age. Sure, the captains of industry now repair to Esalen's Point Houses instead of Newport's cottages, doing tantric yoga instead of riding velocipedes. Some version of a refreshed Sherman Anti-Trust Act seems to be on the horizon, a cloud no larger than a haptic glove, which is slightly larger than a man's hand.

Policies, procurements, and agency equities.

More AI developers, including the leading lights of Google's Deep Mind program, have signed a document (prepared by the Future of Life Institute) signaling their refusal to work on autonomous weapons (DefenseOne). The manifesto objects to weapons that kill without human intervention as destabilizing: they would render attribution difficult, tend to disinhibit groups from killing, and would be likely to prompt an arms race. The signatories call for "international norms, regulations and laws against lethal autonomous weapons." Just Security has an interesting take on the trend, if trend it is, of corporations refusing government work: an op-ed argues that doing so amounts under some circumstances to a failure of corporate social responsibility.

Why wasn't the US Undersecretary of Defense for Research and Engineering surprised by Google's disinclination to continue its work on Project Maven, an AI-based imagery interpretation program? Because he's lived and worked in Silicon Valley (C4ISRNET). The Defense Department plans to build its own, new, AI center (C4ISRNET).

Seven cloud vendors are seeking clearance to provide services to the Australian Signals Directorate (ZDNet).

OTAs, Other Transaction Authorities, are increasingly appealing to US Defense Department contracting authorities. What began as a family of vehicles designed to foster relatively small research and development contracts with a view toward rapid prototyping now represents a more mainstream approach to acquisition. Large primes seem best positioned to take advantage of OTAs. The dollar amounts are bigger these days, too: the US Army alone this year has some 561 OTA agreements worth $3.5 billion (Federal News Radio).

Michael Barry, the senior director of intelligence programs at the US National Security Council, is leaving his post. His departure (said to be "on good terms") is widely viewed as part of National Security Advisor John Bolton's remaking of the NSC (Daily Beast).

Fortunes of commerce.

Having seen enough, Australia has disinvited Huawei from participating in the coming build-out of the country's 5G infrastructure (CNET). The UK Government's Huawei Cyber Security Evaluation Centre reports that Huawei products had "underlying engineering issues" that affected national security, but that these seem to have been mitigated. Huawei spins the report as good news, but media accounts differ, with TechCrunch calling the report "inconclusive" and Infosecurity Magazine saying the Centre puts Huawei "on the naughty step."

A lawsuit filed in a Santa Clara County, California, court against Huawei by a former employee alleges that the company spied on a closed-door meeting Facebook had convened for one of its projects (SDxCentral).

Kaspersky Lab, denied an emergency injunction that would have blocked imposition of US Federal sanctions on the company, will continue to pursue its appeal of the Congressionally mandated ban (Washington Times). 

Goldman Sachs is calling a coming bull market in cybersecurity stocks. It may be a swiftly passing bull, snorting because of concerns about the prospect of US midterm elections being hacked (CNBC). Some think a cyber investment portfolio (short-term, not necessarily buy-and-hold) is also an attractive hedge with respect to election outcomes (Barron's).

CACI has won a place in the US GSA's Alliant 2 Government-Wide Acquisition Contract, which covers all manner of IT services, including cybersecurity (Washington Executive).

One of the shyest, most sought-after unicorns of them all, Palantir, has not pursued its long-expected IPO. Analysts speculate that declining valuation may be the reason (Seeking Alpha).

The Unique Identification Authority of India (UIDAI) has appointed Deloitte as the sole agency authorized to conduct mandatory information security audits of organizations that use authentication based on the national Aadhaar biometric system. Some banks are unhappy with the decision: they say it creates a monopoly and besides, Deloitte's rates are too high (Medianama).

Perspecta is challenging Mantech's win of a $688 million cybersecurity contract from the US NSA (Washington Technology).

McAfee is reorganizing, with potential effects on its workforce and channel partners not yet clear (Channel E2E).

The labor market.

Industry groups in the US—the Aerospace Industries Association (AIA), the Intelligence and National Security Alliance (INSA), the Industrial Security Working Group (ISWG), the National Defense Industrial Association (NDIA), the Northern Virginia Technology Council (NVTC), and the Professional Services Council (PSC)—think a backlog of 750,000 security clearances amounts to a crisis, and they're urging Congress to reform the system in this year's Defense Authorization bill (  

A Gartner survey of CIOs concludes that 65% of organizations queried have cybersecurity experts on staff (Help Net Security). 

Raytheon's Cyber Academy is engaged in building labor capacity in the Middle East (Breaking Defense).

Reflections on what it takes to become a chief scientist in an infosec organization (Help Net Security).

Mergers and acquisitions.

Accenture has acquired Kogentix with a view to beefing up its Accenture Applied Intelligence big data business (Street Insider).

Allied Universal expanded its security service offerings through its purchase of U.S. Security Associates (USSA) from Goldman Sachs Merchant Banking Division (SecurityInfoWatch).

California-based Okta has acquired Zero-Trust shop ScaleFT (Business Wire). Okta intends to scale its new acquisition's offering for large enterprises (TechCrunch).

Investments and exits.

Tenable has priced its IPO. Shares will go for between $17 and $19 (Washington Business Journal). The goal is to raise $166 million (Seeking Alpha). Analysts see the company on a "stable growth trajectory" (Seeking Alpha).

ObserveIT closed a $33 million Series B round, with participation by Bain Capital Ventures, Spring Lake Equity Partners and NightDragon Security. The company intends to use the funding both to push research and development into insider threat protection and to expand its sales and marketing team (Help Net Security).

A-LIGN, Florida-based specialists in cybersecurity compliance and audit services, has received a $54.5 million investment from FTV Capital. The company intends to expand its market penetration with compliance assessments, industry-specific audits, pentesting and vulnerability scanning, and privacy and incident management planning (BusinessWire).

Integris Software, a data integrity shop based in Seattle, announced that it has secured an oversubscribed Series A round of $10 million. The investment is led by Aspect Ventures, with participation from Workday Ventures, Madrona Venture Group, and Amplify Partners (BusinessWire).

Tel Aviv-based Toka, a company that advertises special expertise in IoT surveillance, has raised $12.5 million in seed funding. Toka numbers former Israeli Prime Minister Ehud Barak among its co-founders (Forbes).

OpenPath, a company seeking to disrupt the keycard industry by enabling people to open locks with a smartphone, has raised $20 million in Series B funding (Business Insider).

Private equity and investment capital are flowing toward companies that offer compliance solutions (Wall Street Journal). As regulatory risk looms larger, security companies will increasingly need to show they can help their customers manage it.

And security innovation.

AFCEA's Small Business Innovation Shark Tank chose San Jose-based cybersecurity start-up Avocado as one of its three finalists. The company offers a distributed and deterministic layer-7 application security platform (SIGNAL).

MITRE is working with security vendors to test and improve their products (Washington Business Journal).

Cisco has committed to opening a $100 million innovation center in London (CRN).

GrammaTech has received a grant from DARPA to work on autonomous botnet neutralization (PRNewswire).

Among the biggest mistakes a security start-up can make is this: failing to envision a plausible use case for its product or service (Dark Reading).


Today's issue includes events affecting Australia, China, European Union, Italy, Russia, Ukraine, United Kingdom, United States.

Research Saturday is up. Virginia Tech's Gang Wang and Hang Hu recently conducted an end-to-end investigation of popular email providers and user reactions to spoofing. Gang Wang joins us to share the sobering results of their test of phishing and spoofing.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.