Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
The Week that Was.
March 11, 2018.
By The CyberWire Staff
Memcrash DDoS exploits used for extortion.
Memcrash distributed denial-of-service attacks have been criminalized, as DDoS attackers extort cryptocurrency from victims (eSentire). Akamai researchers who've followed the DDoS campaigns closely (and played a major role in GitHub's swift recovery from what's been called the largest DDoS attack on record) spotted extortion notes buried in the attack traffic. The criminals are asking for Monero, attractive to them because of its greater anonymity relative to competing cryptocurrencies like Bitcoin (Mashable).
In addition to the well-known attack on GitHub, a partial list of other victims includes Google, the National Rifle Association, PlayStation Network, Amazon, and Kaspersky (HackRead).
Struggling with your DLP? It's time to rethink your data loss prevention strategy.
Traditional data loss prevention tools aren’t cutting it anymore. Why? They are high-maintenance and require endless fine-tuning. They often miss insider threats. They stymie communication between security and other departments. And they slow down endpoints, leading to crashes and failures that drive users crazy. Learn from ObserveIT why DLP tools aren’t getting the job done in 2018 and how you can stop data loss in its tracks. Read Now.
Developments in cryptojacking.
Microsoft succeeded in stopping a large-scale cryptojacking infestation that attempted to infect some four-hundred-thousand users over the space of a few hours. The undesirable software was carried as the payload of the Dofoil (or Smoke Loader) Trojan (Infosecurity Magazine). The mining application supports NiceHash, and so can work with a variety of cryptocurrencies. The attempt at infection crested over twelve hours on Tuesday (Bleeping Computer).
Other cryptomining attacks afflict a variety of servers. The SANS Institute particularly notes attempts on vulnerable Apache Solr, Redis, and Windows servers (SANS Internet Storm Center).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
ComboJack rifles clipboards for multiple currencies' wallet addresses.
Palo Alto Networks has found "ComboJack," cryptocurrency-stealing malware that finds wallet addresses in its victims' clipboards and replaces them with the addresses of wallets controlled by attackers. The technique isn't new, but the adaptability is. ComboJack can steal Bitcoin, Ethereum Litecoin, and Monero. Earlier tools using this technique had confined themselves to one currency (Palo Alto Networks).
China's Ministry of State Security has altered publication dates in China’s National Vulnerability Database (CNNVD). The alterations, which seem have come as the result of an evaluation conducted in November, represent an apparent attempt to obscure exploitation of those vulnerabilities by Chinese security services (Recorded Future).
What do AI and machine learning mean for cybersecurity?
We hear about them everywhere in cybersecurity. They sound cutting-edge, but what do they mean? And what value do they add? Find out exactly how significant AI and machine learning are, and how small nuances in their use can make a big difference.
Espionage in Germany: updates.
Germany's Interior Ministry says relatively early detection of intrusion into a sensitive network averted what could have been considerably more extensive damage. The spokesman declined to offer attribution, but unofficial consensus is that the hack was a Russian operation (Fifth Domain). Part of the hackers' take was a sensitive file outlining EU responses to Brexit (Express). Russia's Foreign Ministry denies any involvement, calling this another case of Western governments reflexively (and in bad faith) blaming Moscow for anything that goes wrong in cyberspace (Business Insider).
Sanctions and deterrence.
Now that the Five Eyes are in public agreement in attributing NotPetya to Russian operators, new rounds of sanctions are widely expected. The US Administration in particular is thinking along those lines (Cipher Brief).
How cyber operations will fit into the laws of armed conflict remains unsettled (Lawfare). Senator King (Independent-Maine) has called for a national cyber deterrence strategy (Homeland Preparedness News), but it's unclear what such a strategy might be. As General Nakasone's testimony before the Senate suggested, America's adversaries really don't have much to fear from the US in cyberspace (New York Times).
People continue to point with alarm to the recently published US Nuclear Posture Review and its discussion of possible nuclear retaliation for a cyber attack (SecurityWeek). It's worth noting that the Review is very far from establishing a hair-trigger. It's comparable to Cold War nuclear policy, in which the US (and NATO) reserved the right to first-use of nuclear weapons in response to a general Soviet attack on Western Europe. Any cyber attack that would be considered as potentially warranting a nuclear response would have to be comparably devastating, a true existential threat causing widespread suffering and death. A few infrastructure attacks, particularly those that would disable a continental power grid for many months, might conceivably be sufficiently damaging to elicit a threat of nuclear retaliation, but a Bitcoin raid, Game of Thrones script theft, or a gaming server DDoS? Not a chance.
How well sanctions deter bad behavior is an open question to be answered on a case-by-case basis. Sanctions against North Korea may have brought Supreme Leader Kim to agree to denuclearization talks. On the other hand they also seem to have prompted cyber espionage: the UN's Panel of Experts charged with reviewing and overseeing economic sanctions against the DPRK sustained an intrusion by DPRK operators (Chicago Tribune). McAfee also reports that Pyongyang's Hidden Cobra group is conducting reconnaissance of Turkey's financial sector, presumably as preparation for cyber bank robbery (Dark Reading).
Reddit has yanked a number of "Russia-linked" accounts (Motherboard). By some accounts Reddit has had only mixed success with its purge (WIRED).
This sort of disinformation is tough to stop, and a fast news cycle makes it even tough to discern. The Columbia Journalism Review investigated the number of times Internet Research Agency (IRA) tweets were cited by mainstream journalistic outlets. The St. Petersburg troll farm had a lot of success getting liked by journalists. The study looked at "thirty-three major American news outlets for references to the hundred most-retweeted accounts among those Twitter identified as controlled by the IRA, from the beginning of 2015 through September 2017."
Huffpost came in first, with sixteen articles citing IRS tweets. RT (a.k.a. Russia Today) clocked in with just seven, placing seventh. Both traditional and new media swallowed the troll bait (Columbia Journalism Review). There may be some ideological will-to-believe operating, although the gullible appear to be roughly equally on the left, right, and center, but pressure to publish that eclipses verification probably plays an equally important if not more important role. (Except, of course, in the case of RT.)
Perhaps a sense of history can serve as a useful touchstone. Information operations, including those aimed at shaping elections, are nothing new (Strategy Page). Most attention has (rightly) gone to Russian efforts in this respect, but the Russians are far from alone in this field.
Nor are information operations strictly a contemporary phenomenon. George Kennan outlined what he called "organized political warfare" in a State Department policy planning memorandum circulated in May of 1948, and he was at some pains to point out even then that he was describing something that had been going on for a long time. He also noted that the US itself had done it, albeit in an unsystematic and often unaware fashion.
Recent discussions of hybrid warfare, "nonlinear warfare," especially as a systematic element of Russian military doctrine, the "Gerasimov Doctrine," have tended to emphasize not only its theoretical consistency but also its novelty (In Moscow's Shadows). The coiner of the expression "Gerasimov Doctrine" thinks both of these overblown, and that, while the phenomenon is real and deserving of study, it lacks the unity defense and foreign policy intellectuals have tended to see in it (Foreign Policy). (The Gruqg's Underground Tradecraft blog is an intelligent source of links to discussions of these issues.)
Concern about influence attempts directed against US midterm elections persists. Phishing emails received by the Senatorial campaign of Phil Bredesen (Democrat-Tennessee) suggest that the phishers may have achieved insider access to the campaign's networks (Dark Reading).
Espionage and influence converge in an assassination attempt.
We've been following reports from the UK concerning the attempted assassination of former GRU officer Sergey Skripal, convicted by Russian courts of spying for Britain's MI6 (Times). Skripal was resettled in the UK after a spy swap agreement (New York Times).
Russian media and diplomats are also following the story. One prominent Russian television news presenter, after a pro-forma statement of opposition to violence, framed the news as a warning to traitors (BBC). Russia's London embassyhas issued some provocative tweets, noting that, like Skripal, Alexander Litvinenko (poisoned with polonium), Boris Berezovsky (found hanged in what could have been a suicide, but is thought by many to have been murder), and Alexander Perepilichny (collapsed and died suddenly after a run) all worked for British intelligence or security services (Guardian). Assassination has long been a risk Russians recruited by foreign intelligence services faced (Times).
Reddit is struggling with some of the danker content that finds its way onto its platform (Motherboard). There's more than enough dank stuff to go around. Steam is apparently thoroughly infested with praise for school shootings and shooters (Motherboard). Some gaming companies are showing either shame or enlightened self-interest by deciding not to issue certain products. PlayStation, for example, will not sell a planned "pick-up artist" game (Motherboard).
State controls remain heavy-handed. As President Xi moves to consolidate and extend his power, China's domestic security grows tighter (Wall Street Journal). So does its online censorship, extending, reports say, to Winnie-the-Pooh and the letter "n" (New York Times).
SEC's cyber guidance assessed.
The US Securities and Exchange Commission's clarification to rules governing breach disclosure and related matters has received tepid reviews. Observers tend to see the guidance as warmed-over endorsement of well-known best practices and not a tougher regulatory stance. One area of fresh clarity is the SEC's warning against insiders dumping stock before a breach is disclosed (CSO).
Patches and updates.
Ethereum patched an eclipse flaw, one that prevents a user from connecting to a legitimate peer, that's said to have been easily exploitable (Ars Technica).
Android's march security updates addressed sixteen bugs. Eight were rated "critical," the remaining eight "high risk." Most of the vulnerabilities could be exploited to enable remote code execution (SecurityWeek).
Chrome 65 addressed forty-five security issues. Twenty-seven of the patches covered problems reported by researchers from outside Google (SecurityWeek).
Microsoft issued a new build for Windows 10 Fall Creators Update that fixed a problem Redmond inadvertently introduced in its February 13 update to the operating system. The problems are not believed to have been widespread, but they've now been addressed (ZDNet).
Notes from SINET ITSEF.
SINET's annual ITSEF conference was held in Silicon Valley this week, with its usual contingent of industry, government, technology, and venture capital leaders. Here are a few quick takeaways from the discussions. Deception technology received very favorable reviews from its users, surprisingly favorable, in the judgment of our stringer on site. They see it as a valuable, cost-effective detection mechanism, and they particularly value what they characterize as its low-false positive rate. No one sees it as a panacea, but deception solutions are clearly now a mainstream approach to cyber defense.
Experts continued to emphasize that most of the damage done by attackers was accomplished not through rare, exotic, and sophisticated attacks using never-before seen zero-days, but rather through social engineering, credential stuffing, and hitting unpatched systems with known exploits. Cyber hygiene was therefore much recommended (as it usually is). There was a great deal of thought devoted to incident response.
Vint Cerf, in his Thinking Forward talk, suggested we consider establishing the cyber equivalent of fire departments that could respond to incidents the immediate victims couldn't handle. But a recurrent recommendation was the importance of incident response planning and regular exercises of such plans. Several speakers strongly urged industry to look to military planning and exercise practices as a model. Adopting such a model should include refining plans on the basis of lessons learned developed during post-exercise reviews.
And there were some cautionary warnings about evolving regulatory regimes. Businesses should expect to be held liable for much of what goes on in their customers' endpoints. Indeed, data themselves may well be on their way to becoming "the new endpoint." The EU's GDPR and the US Federal Trade Commission are the twin engines driving this shift.
The CyberWire's coverage may be found here; more will be up early this week.
More security companies are doing what Dark Reading calls "putting skin in the game," mostly by offering warranties.
Huawei believes its size and success, not its security, are the reasons the US has singled it out as a problem (Express Tribune). Meanwhile, Ericsson and Xioami see Huawei's troubles as opportunity (Telecom).
The Committee on Foreign Investment in the United States (CFIUS) put a thirty-day hold on any Broadcom acquisition of Qualcomm (Register). Qualcomm is said to be not displeased (The Bull). It doesn't like the bid much itself. Among other things, it believes itself to be undervalued by Broadcom's offer, and has delayed planned shareholder meetings pending the outcome of the CFIUS inquiry (SecurityWeek). More details emerged at midweek, in the form of a Treasury Department letter, about why the US Government is skittish about the security implications of Broadcom's proposed acquisition of Qualcomm (Computing, 4Traders). There's been a shake-up in Qualcomm's board over the hostile takeover attempt (TechCrunch).
On Monday KnowBe4 announced its acquisition of Johannesburg-based Popcorn Security, a security training firm that will operated as a subsidiary of its new corporate parent (KnowBe4). Rivetz has acquired social encryption start-up CyberDeadBolt. Terms haven't been disclosed (PRNewswire). Plixer, the Maine-based network traffic analytics and incident response shop, announced Thursday that it had been acquired by Battery Ventures. Jeff Lindholm will join the company as CEO; founders Mike Patterson and Marc Bilodeau will remain with Pixer in executive roles (Plixer).
Also on Monday unicorn Zscaler announced the terms of its $110 million IPO (NASDAQ).
Jscrambler, a Lisbon-based web-security shop, has raised $23 million in a Series A round backed by Sonae IM with co-investment by Portugal Ventures (PE Hub). Bugcrowd explained how it intends to use the $30 million it just received: double the size of the company (Australian Financial Review). Recent funding prompts speculation about the Denim Group's plans for its new place in the global security market (San Antonio Business Journal). Web application security specialists Netsparker announced Thursday that they'd closed a $40 million funding round led by Turn/River Capital (BusinessWire). Threat intelligence shop Bandera announced that it will use the $3.5 million it raised in a seed round to expand staff and sales efforts (Baltimore Business Journal). Red Balloon Security announced raising more than $15 million in equity financing (Finance News).
Companies working in cloud security have been attractive targets for acquisition. Amazon Web Services, VMWare, and Oracle have all bought start-ups working in the field (SearchCloud).
Singapore has a new cybersecurity start-up incubator (e27).
Companies affected by major cyber incidents find the damage rising, even months after initial disclosure. Nuance Communications, one of the businesses hit by last year's NotPetya pseudoransomware, thinks the attack will eventually wind up costing it more than $90 million (SecurityWeek). Equifax, the credit bureau his by a major breach, not only found that 2.4 million more consumers were affected than originally believed, but also upped its estimate of losses by $275 million for a total loss of $439 million by the end of 2018. Ponemon thinks this is a lowball figure, and estimates that the cost of the breach could eventually reach "well over $600 million" (CFO). And Yahoo! has agreed to an $80 million settlement with shareholders who filed a class action suit after the company's breaches, first reported in 2016 (National Law Review).
Today's issue includes events affecting Australia, Canada, China, European Union, Democratic Peoples Republic of Korea, New Zealand, Russia, Singapore, United Kingdom, United States.
A note to our readers: the CyberWire is happy to have been chosen as a finalist for the Maryland Cybersecurity Diversity Award (and the Cybersecurity Association of Maryland's People's Choice Award). You can find out more about the awards (and how to vote for us, if you'd like) here.
ON THE PODCAST
Check out this week's Research Saturday, now available on our site. Lookout and the EFF have discovered an APT group operating out of Lebanon they've named Dark Caracal. The group is running a global espionage campaign, targeting journalists, military personnel, activists, lawyers, medical professionals and educational institutions. Mike Murray is VP of Security Intelligence at Lookout, and he's our guide through their research.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.