The Week that Was.
June 16, 2018.
By The CyberWire Staff
Kim-Trump summit concludes.
The US-DPRK summit this past Tuesday was, as expected, mostly about denuclearization, not cyber conflict (Seattle Times). It ended on a hopeful note, but most observers expect North Korea to resume large-scale cyber operations shortly. Indeed, shortly after the summit concluded, the US Department of Homeland Security warned that it had seen a spike in infections by the TYPEFRAME Trojan, attributed to Pyongyang's Hidden Cobra threat group (CNN). A cyberspace modus vivendi, if any is to be achieved, seems to lie in the relatively remote future. Meantime, the US Administration is being advised to hold North Korea accountable for any bad behavior (TheHill).
Another speculative execution CPU vulnerability.
Intel disclosed another side-channel vulnerability this week. They're calling it "Lazy Floating Point State Restore," or simply "Lazy FP." It affects the Core family of processors (Dark Reading) and has been assigned CVE-2018-3665. It's generally regarded as being of only medium severity, since exploitation would require that an attacker already have the ability to execute code locally on the affected system (Microsoft Security Tech Center). Some mitigations have already been released (although not yet for Microsoft products). The consensus is that the vulnerability is a nuisance to be taken seriously, but also that it would be difficult to exploit (ZDNet).
Baba Yaga, cannibalistic malware.
Researchers at Defiant are tracking "BabaYaga" malware, which generates spam links and redirections. It's also cannibalistic, like its namesake: it removes competing malware from the WordPress sites it infects, effectively maintaining those sites for its own use. The goal of BabaYaga is generating spam content. Defiant studied one particular campaign with a commonly used theme and set of targets: essay writing services. The spam content BabaYaga generates is keyword heavy; Defiant calls it "meaningless word salad, designed to attract search engine traffic based on those keywords." The crooks get paid through affiliate marketing: they redirect site visitors to other sites selling things better left unpurchased (Wordfence).
Dixons Carphone breached.
Dixons Carphone, the large British electronics retailer, disclosed early this week that it has sustained a big data breach. Payment card data for almost 6 million customers were exposed in the incident. Dixons says the effect of the loss was limited: most of the cards were chip-and-PIN, and the information lost was partial, not enough to be of much immediate use to criminals. Dixons says it notified the card companies promptly, and they've seen no evidence of fraud emerging from the breach so far. It's too early, however, to say that the people whose data were affected are out of the woods: criminals can try to build on the limited information they do have to work up usable profiles of the victims. Dixons also said that 1.2 million records with non-financial personal data (names, email addresses, physical addresses, and the like) were exposed. They've seen no fraud resulting from these either, but the same principle applies: such information can find cumulatively more damaging uses.
The company is referring to the incident as an "attempted" hack, but British authorities, including the National Crime Authority, the National Cyber Security Centre, the Financial Conduct Authority, and the Information Commissioner's Office, are investigating. The complexity of the investigation and the number of different agencies involved suggest its importance. Not only are national regulations increasingly prescriptive, but this is also the first major breach since GDPR came fully into effect late last month. Fines could be heavy. How this case is handled may shape expectations for future enforcement actions (Naked Security).
Wiper serves as misdirection for fraudulent SWIFT transfers.
SWIFT, the international interbank financial transfer system, was used against Banco de Chile to steal about $10 million. The bank said the losses occurred during a May attack, when hackers successfully took the money via electronic transfer (Computing). The criminals used wiper malware to corrupt the master boot records of some 9,000 systems. This aspect of the attack was apparently misdirection, intended to distract IT staff while the hackers accomplished their main objective: SWIFT transfer fraud (Bleeping Computer).
World Cup host red carded.
People are waiting for the expected cyberattacks to hit the World Cup, now being played at various venues in Russia (Infosecurity Magazine). US authorities warn anyone traveling to see the matches that they can be expected to be targeted by foreign espionage services, especially if they connect their devices through local Wi-Fi (TheHill).
Coinrail, a cryptocurrency exchange based in South Korea, disclosed Sunday that it had been the victim of a cyberattack. It lost initial coin offering (ICO) tokens for Pundi X, NPER, and Aston. There's some possibility that tokens for Dent and Tron were stolen, too. The exchange estimates that between $30 million and $40 million were taken; it's working to freeze the stolen assets (Bleeping Computer). The incident spooked investors: cryptocurrency valuations took a significant hit as speculators dumped their holdings (City A.M.). Bitcoin itself dropped, down Monday from its 2017 high-water mark of $19,000 to $6,785 (TechCrunch). CoinDesk put its value yesterday at $6,547. Last year's highs may have been the result of price manipulation (New York Times), although the evidence is ambiguous (Bloomberg). And, of course, some see the fall-off in value as the dump side of a pump-and-dump (CoinTelegraph).
Speculators did treat as good news a statement by senior members of the Securities and Exchange Commission that Ether and Bitcoin really weren't sufficiently like securities to be regulated in the same fashion. The cryptocurrencies will presumably receive less intense scrutiny from regulators (WIRED).
The world needs more dank memes, right? Or so one might conclude from some work at Stanford, where an artificial intelligence was trained to produce them (TechCrunch). The researchers think their AI has trouble capturing humor (arXiv), but in fact its output doesn't look significantly less funny than what human jokesters come up with, so people who spend their time on Boromir memes may find themselves on the outside looking in, just the way fast food cashiers will soon be edged out by ordering kiosks. The AI is biased toward offensive, insulting stuff, too: a chip off the old block, eh?
US Treasury Department sanctions Russian companies and individuals.
The US Treasury Department Monday announced sanctions against five Russian organizations and three individuals it designated as being in violation of Executive Order 13694, which authorizes measures against entities engaging in "significant malicious cyber-enabled activities" (Fifth Domain). Here's the Treasury Department's brief summary of what the sanctioned entities have been up to:
"Examples of Russia’s malign and destabilizing cyber activities include the destructive NotPetya cyber-attack; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber-attacks. Today’s action also targets the Russian government’s underwater capabilities. Russia has been active in tracking undersea communication cables, which carry the bulk of the world’s telecommunications data" (US Department of the Treasury).
Treasury links the five organizations and three individuals to Russia's FSB. The sanctioned organizations include Digital Security, ERPScan (which Treasury says is controlled by Digital Security, a claim ERPScan denies), Embedi (also said to be under Digital Security's control), Kvant Scientific Research Institute (supervised by the FSB, Treasury says), and Divetechnoservices (suspected of undersea cable tapping). The three named individuals, all sometime managers at Divetechnoservices, are Aleksandr Lvovich Tribun, Oleg Sergeyevich Chirikov, and Vladimir Yakovlevich Kaganskiy (Bloomberg).
Digital Security, which Treasury holds to be the owner or controller of both ERPScan and Embedi, is singled out for providing technical support to the FSB, specifically, since 2015, technical support that "would increase Russia's offensive cyber capabilities."
ERPScan is a name that will be familiar to many, since they do business in at least thirty-five countries as a business application security provider. They have major offices in Palo Alto, Amsterdam, Prague, and Tel Aviv. The company said "It would be superfluous to say this, but of course, we have nothing to do with Russian Federal Security Service as well as other government agencies worldwide. We always tried to avoid any political issues and were outside of political events" (ERPScan). ERPScan's CEO, Alexander Polyakov, says the company is being sanctioned only because he was born in Russia (Motherboard).
Kvant is a research institute the Russian government placed under the supervision of the FSB in 2010. It provides material and technical support to that intelligence agency, and has recently served as the prime contractor on an FSB project.
Divetechnoservices has delivered various underwater equipment to the FSB since, Treasury says, 2007. Divetechnoservices also produced a submersible craft for that intelligence agency. They are suspected of having contributed to Russia's ability to tap undersea cables, a matter of concern not only to the US, but to the United Kingdom and other nations as well.
Other Chinese and Russian companies continue to face headwinds driven by security concerns in different national markets. Kaspersky was hit with a significant setback in Western Europe: the European Parliament this week voted overwhelmingly in favor of a ban on the company's security products from official networks (CSO). Kaspersky has responded by freezing its cooperation with Europol in criminal investigations (Dark Reading).
ZTE's recovery remains in doubt, and the company remains in very bad odor with the US Congress (Computing). Congress is also taking an unfriendly look at Huawei, for similar reasons. The Chinese view is to dismiss US security concerns about the company as veiled protectionism: Huawei's phones are affordable and well-made, and that's the only threat they pose (says they) (South China Morning Post).
Australia's government is very leery of Huawei (Business Insider) and is considering excluding the company from any work related to the build-out of the national 5G system, although Huawei says it's still very much in the bidding (Guardian). The Chinese device-making giant is getting some industry love in the controversy from other companies that would be involved in the 5G build-out; they see Huawei as a plausible partner. If Huawei and ZTE were excluded, that would leave the field essentially to Ericsson and Nokia (AFR).
Justice IG reports.
Thursday afternoon the US Justice Department's Inspector General released its report on "Various Actions by the Federal Bureau of Investigation and Department of Justice in Advance of the 2016 Election," that is, its look at the FBI's inquiry into former Secretary of State Clinton's private server and her handling of sensitive and classified information. The report's 586 pages find more impropriety and insubordination than political bias (Politico). Five FBI agents have been referred to the Bureau's internal discipline procedures.
Microsoft will end tech support for several products that have reached the end of their life (ZDNet). Redmond's Patch Tuesday also included mitigations for the speculative execution issue known as "Variant 4" of the Spectre family of vulnerabilities (SecurityWeek).
Not every vulnerability is patched as soon as it's discovered, of course. Microsoft has made a draft document available that explains how it decides what to patch, and when (Register).
Up your game, or you're out.
That's the US Department of Defense "philosophy", now, on contractor access to Defense networks. If their security isn't up to a recently somewhat more exacting snuff, they won't be allowed in. DoD officers this week called it a "cultural shift" and a "new philosophy" as opposed to a formal policy, but policy may well follow philosophy (Breaking Defense).
Google's artificial intelligence principles have now been enunciated. We leave it as an exercise whether they're platitudinous in a good sense, like the Hippocratic Oath, or in the banal sense, or simply amount to the passing pieties of a corporate culture (Naked Security).
Industrial control systems security specialist Claroty has attracted a $60 million Series B round from a syndicate led by Temasek with participation by Rockwell Automation, Siemens, Schneider Electric, and other firms (Claroty). In addition to its investment, Siemens has also selected Claroty as a partner in advanced anomaly detection (Claroty).
Bluliv, known for its threat exchange community, intends to use the €4 million it recently raised in a Series A round to expand into the UK market (Channel Eye).
Splunk will purchase devops incident management shop VictorOps for $120 million (Venture Beat).
Continuum has closed its acquisition of CARVIR, increasing the security offerings of its managed services solution (E2E).
ZenMate is pursuing a £660,000 crowdfunding round through Crowdcube. ZenMate is a VPN provider owned by ZenGuard (Crowdfund Insider).
Software intelligence company CAST has acquired Antelink, a software composition analysis shop, with the intention of integrating the acquired company's technology into CAST's application portfolio analysis offering (GlobeNewsWire).
Zimperium has bought application security shop Mi3. The intention is to integrate Mi3’s Security RECON Platform into the Zimperium z3A application analysis solution (BusinessWire).
ViaSat makes further inroads into the military secure network market by acquiring Horsebridge Defence and Security, specialists in secure, deployable networks (C4ISR).
There were several bits of news about venture capital and business incubation to emerge this week. Lockheed Martin has significantly increased its venture fund, by about $100 million. It's not all cyber, of course, but there's enough cyber in it to make it interesting (IHS Jane's Defense Weekly).
Bitdefender announced it is forming an incubator for cybersecurity start-ups in Romania (Romania Insider).
US Cyber Command has awarded the Maryland Innovation and Security Institute (MISI) a five-year Partnership Intermediary Agreement. The goal is to establish an ecosystem in Columbia, Maryland, that will marshal the talents and capabilities of small businesses, entrepreneurs, academia, traditional businesses and others. Work will be organized in a new facility, "DreamPort," intended to "foster collaboration and prototyping in highly configurable laboratories, co-working spaces, project rooms, and conference facilities." Partners in the venture include SINET, FBC, CyberPoint, the Johns Hopkins University, the University System of Maryland, and the George Washington University. CyberPoint's CEO and co-founder, Karl Gumtow, will serve as MISI's director (MISI).
Dreamit Ventures has opened a security vertical (TechCrunch). Bob Stasio, brought in to run Dreamit's cyber portfolio, told us that they're interested in finding promising pre-Series-A companies who have an actual offering that addresses real use cases. They work with their companies in a three-stage process. The first phase is an intensive boot camp for the start-ups. In the second phase the companies are introduced to major customers. Phase three is a roadshow in which they pitch to investors. Their key metric, Stasio says, is raising a funding round within six months. Dreamit will accept applications from companies wishing to participate up through July 1st. They expect to have their first cohort of start-ups on board by September 4th.
Ave atque vale (and semper fi, Marine).
One of the last of the Second World War's Navajo code talkers has died. Rest in peace, Samuel Tom Holiday, who left us Monday at the age of 94. We honor his memory (Japan Times).
Today's issue includes events affecting Australia, Chile, China, European Union, Democratic Republic of Korea, Russia, Ukraine, United Kingdom, United States.
And the latest edition of Hacking Humans is up, too. We talk about some of the challenges professional athletes face in their online lives. They're high-profile targets for scammers of all kinds, and their experiences hold some important lessons for others. Stephen Frank from the National Hockey League Players Association joins us to share how professional athletes protect themselves from online scams. (And the only kind of Russian collusion anyone wants to see in the NHL is between Kuznetsov and Ovechkin.)