UK Prime Minister May demanded an explanation from Russia, by midnight Tuesday, of the March 4th attempted assassination by nerve agent of former GRU officer Sergei Skripal and his daughter Yulia. Russia didn't comply: Foreign Minister Lavrov dismissed any notion of Russian complicity as "nonsense." Essentially no one believes this. It would seem Russia either committed the attack or lost control of its weapon. The poison was al nerve agent—Novichok—the Soviet Union developed during the Cold War's endgame. No other country is known to have stocks of Novichok (Times).
The UK expelled twenty-three Russian diplomats in response (Guardian). Russia will follow suit. Prime Minister May will consider the "full range of measures" available for retaliation (Business Insider). The UK has asked for a UN Security Council meeting to address what Prime Minister May called "an indiscriminate and reckless act against the United Kingdom, putting the lives of innocent civilians at risk." She added, "Should there be no credible response, we will conclude that this action amounts to an unlawful use of force by the Russian state against the United Kingdom" (Times).
Home Secretary Rudd said retaliation may be covert or clandestine, which, in the context of Cabinet statements on cyber defense, hints at cyber reprisals (SC Magazine). The Russian government has demanded the UK explain cyber operations rumors (TASS). The UK is concerned about Russian cyber escalation: some fear a grid attack would leave the country "four meals from anarchy" (Telegraph).
What should a new CISO's priorities be at 30, 60, and 90 days?
A CISO’s first 90 days on the job are a window of opportunity to establish credibility, earn the support of other leaders, and make contributions with a positive impact. Coalfire has recommendations that will help newly-hired CISOs quickly add value and set the stage for a long-term success.
Moscow didn't do it, says Moscow, and besides, spies have it coming.
Moscow is unrepentant, both denying involvement and saying Skripal had it coming. It would seem difficult to have it both ways (Times). Russia has demanded to see the evidence, called the attempted murder a provocation—that is, actually committed by British intelligence services or their allies—warned against cyber retaliation, and, chillingly, cautioned Britain against threatening a nuclear power (US News & World Report).
Speaking for the Russian Foreign Ministry, Maria Zakharova said, "This is a circus show in the British Parliament. The conclusion is obvious. This is another information and political campaign based on provocation. Before composing new fairy tales, let someone in the kingdom tell you about how the previous ones about Litvinenko, Berezovsky, Perepilichny and many others ended" (CNN). The last three named are other Russians who were murdered in the UK, probably by Russian security services.
There was another wet operation this week. Russian businessman Nikolai Glushkov, a fugitive from Russian justice in an Aeroflot embezzlement case and a witness in the Litvinenko assassination died under "unexplained" circumstances Tuesday in his London home. By Friday had concluded the the death was murder by strangulation (NPR). (Litvinenko, former FSB officer, naturalized British subject, and thorn in President Putin's side, was killed in 2006 with a lethal dose of radioactive polonium-210 (BBC)).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
NATO stands by Britain.
NATO has placed itself firmly behind the UK in its nerve agent dispute with Russia (Ars Technica). NATO Secretary General Jens Stoltenberg called the attack "unacceptable," saying nerve agents have "no place in the civilized world." The US, Germany, and France have been particularly sharp in their condemnation of Russia.
TASS says sources have told it that NATO won't invoke its Article 5 collective defense clause, presumably because the chemical attack in Salisbury was too small and too ambiguous.
Looking for an introduction to AI for security professionals?
Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.
US sanctions Russia for influence operations and NotPetya.
The US Administration imposed sanctions Thursday in reprisal for both NotPeya and 2016 election meddling (TechCrunch). NotPetya spread from targets in Ukraine to a large number of victims elsewhere, especially in Western Europe but also in North America. Particularly targeted in the new US sancitions are individuals and institutions named in Justice Department indictments, like the notorious Internet Research Agency, the St. Petersburg troll farm. Also affected are some wealthy oligarchs who constitute mainstays of President Putin's rule.
Could your coffee breaks be exposing you to cryptomining?
On this week’s episode of Research Saturday, we talk about a recent epidemic of cryptojacking code injections, as bad actors attempt to cash in on the cryptocurrency craze through unauthorized cryptomining operations on unsuspecting users. Marcelle Lee, threat researcher at LookingGlass Cyber, describes her research and shares details of this epidemic.
US-CERT warns of ongoing Russian probes of critical US infrastructure.
US-CERT issued a Joint Technical Alert warning of Russian government intrusion into US Government and energy sector networks. The intrusion includes apparent preparations for industrial control system attacks (Ars Technica).
"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS)." The continuing campaign goes back at least to 2016 (US-CERT).
Chinese hacking over South China Sea.
FireEye called out a Chinese threat this week. US engineering, defense, and maritime companies tied to US operations in the disputed waters of the South China Sea are being hit by Chinese hackers. FireEye thinks the attackers are controlled and directed by the Chinese government (Bloomberg).
Bugs, backdoors, and responsible disclosure.
On Monday CTS Labs disclosed what it characterized as significant flaws in AMD processors. AMD quickly said that it was investigating the report, but also that it had never heard of CTS Labs before the security researchers contacted it just a day before going public (Threatpost). One day's notice is of course far shorter than the sixty-to-ninety days most companies tend to follow. Google's Project Zero, for example, uses ninety days.
The flaws, which affect EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors, require admin rights for exploitation, which can be gained in a variety of ways. CTS said the vulnerabilities "open the door to malware that may survive computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions. This can allow attackers to bury themselves deep within the computer system and to potentially engage in persistent, virtually undetectable espionage, executed from AMD’s Secure Processor and AMD’s chipset" (CTS).
Assessment of the details is difficult—CTS redacted much technical information to prevent its use by bad actors (SecurityWeek). Security experts differ in their judgment of the problems' severity, but few seem willing to defend the way the vulnerabilities were disclosed (Ars Technica). CTS claims chipsets are shipping with exploitable manufacturer's backdoors, installed by Taiwan-based manufacturer ASMedia, a subsidiary of ASUSTeK. The backdoors thus seem to be a supply chain issue. Motherboard observes that ASUSTeK settled a US Federal Trade Commission case in February when the FTC complained that ASUSTeK hadn't been properly attentive to hardware security flaws in its routers.
There is disagreement about how serious a risk the vulnerabilities represent. Some agree with CTS Labs' very dark and alarming assessment. Others think that assessment overblown. The vulnerabilities are "second-stage vulnerabilities," that is, exploitable only by an attacker who had already obtained administrative access by some other means—phishing, perhaps (SecurityWeek). Linus Torvalds represents the extreme, nothing-to-see-here point of view. He told Computing magazine, "I refuse to link to that garbage. But, yes, it looks more like stock manipulation than a security advisory to me." Torvalds added, "When was the last time you saw a security advisory that was basically if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?" He also characterized the whole security industry as a "circus," with this disclosure standing as Exhibit A.
Torvalds's crack about stock speculation seems prescient. In the white paper describing its findings, CTS offered a disclaimer many observers have read with raised eyebrows: CTS said they may have, “either directly or indirectly, an economic interest in the performance of the securities" mentioned in the report.
Coincidentally or not, a short-selling investment firm, Viceroy Research Group, essentially simultaneously released an analysis of AMD's value explicitly based on CTS Labs' report. It reckoned the value of AMD at zero, and predicted the company's quick shipwreck in Chapter 11. This suggests that Linus Torvalds may have been on to something. The incident recalls to several observers the 2016 incident in which security researchers at MedSec coordinated disclosure of vulnerabilities in St. Jude medical devices with Muddy Waters short-sellers (Motherboard).
[3.12.18] Exploitation of memcache for distributed denial-of-service (DDoS) attacks continues to worry security experts. There's also some concern over a kill-switch Corero found last week. As reported in several news outlets, Corero thinks the kill-switch—a "flush_all" command—could provide a counter to very high-volume attacks the exploit can generate. But is flush_all "the cavalry," the Register asks, or questionably legal interference in someone else's computer? Cloudflare and Arbor Networks told eWeek that flushing all would amount to changing the contents of a non-cooperating computer. And, of course, that's illegal in many (most?) places (Register).
Could GDPR bring more spam, scams, and resilient botnets?
ICANN, the Internet Corporation for Assigned Names and Numbers, will take a few months to determine whether and how its WHOIS functionality can be brought into compliance with GDPR. At its conference in San Juan, Puerto Rico this week ICANN described its plans for WHOIS. They will begin redacting personal data belonging to people who register domains (name, phone number, physical address, and email address at least) from the domain information available from WHOIS. ICANN will thus have a two-tiered system, with the redacted GDPR-protected data being held in the second tier. The group is soliciting public comment on its plans (ICANN).
WHOIS data have been useful to security researchers attempting to take down spammers, scammers, and botnets. The European data protection regulation takes effect on May 25th. ICANN hopes to have its new accreditation system in place by December of this year. Accreditation would grant certain parties with legitimate interests access to personal data. Those to be accredited would include law enforcement officials, journalists, security researchers, and intellectual property rights holders. Upon presentation of a proper certificate, they would be able to access tier-two data in WHOIS. The accreditation system would become fully operational a few months after that, but such deadlines have sometimes proved difficult to meet in the past (KrebsOnSecurity).
Changes in US Executive Branch.
President Trump dismissed Secretary of State Rex Tillerson on Tuesday, thanking him for his service and in effect saying that he had decided to go in a different direction (Foreign Policy). The President will nominate Director of Central Intelligence Mick Pompeo for the job at State (Foreign Policy). Deputy Director Gina Haspel will fleet up to replace Pompeo as DCI (McClatchy). Both appointments are subject to Senate confirmation.
US Attorney General Jeff Sessions dismissed Deputy FBI Director Andrew McCabe Friday. Sessions did so on the recommendation of the FBI's Office of Professional Responsibility, who advised the firing on the basis of a report from the FBI's Office of Inspector General that found McCabe made an unauthorized disclosure to the news media and "lacked candor — including under oath — on multiple occasions" (TheHill). McCabe, who also served as Acting FBI Director between the dismissal of James Comey and the appointment of Christopher Wray to lead the Bureau, strongly denied any wrong-doing and denounced his firing as politically motivated. The dismissal is surprising in that it came Friday evening, just two days before McCabe's expected retirement (Washington Post).
US Department of Health and Human Services CISO Chris Wlaschin will step down at the end of March. His departure, announced Friday, is said to be for personal reasons. He had been involved since last September in a dispute with Departmental Deputy CISO Leo Scanlon and former Director of the Healthcare Cybersecurity Communications and Integration Center (HCCIC) Maggie Amato. Both officials have requested an interview with Secretary of Health and Human Services Alex Azar. (Federal News Radio)
SEC cyber guidance has some teeth after all.
Many wondered whether the US Securities and Exchange Commission's recently clarified cybersecurity guidance actually had teeth. Apparently it does: on Wednesday the SEC has brought insider trading charges against a former Equifax executive who dumped his company's stock after learning of its 2017 breach but before that breach was publicly disclosed.
The SEC alleges that Jun Ying, formerly CIO of one of Equifax's business units and in line to become the company's global CIO, concluded on the basis of confidential, non-public information—insider information—that Equifax has sustained a serious data breach. Indeed it had. Knowing about a breach isn't, of course, criminal, but exercising your vested Equifax stock options and selling the shares for nearly $1 million before public disclosure of the breach might well be, The SEC says that the alleged insider selling enable Ying to avoid more than $117 thousand in losses (US Securities and Exchange Commission).
The U.S. Attorney’s Office for the Northern District of Georgia has also issued an indictment of Ying (US Department of Justice). The SEC's investigation continues, and observers point out that Ying is not one of the three Equifax executives who've long been known to have sold significant quantities of stock. Equifax has maintained that the timing of those sales was purely coincidental. The position of the sellers in the corporate hierarchy struck many as rendering the claim of innocent coincidence implausible (CNN Money).
Broadcom gave up its attempt to take over Qualcomm after the acquisition was stopped by the US Administration (TechCrunch). The Committee on Foreign Investment in the United States (CFIUS) recommended that the deal be halted. Qualcomm (a company which received early funding as a start-up from the US Office of Naval Research's Small Business Innovation Research Program) is a leader in 5G research and development. CFIUS was concerned that Broadcom would have slashed R&D, effectively ceding the field to China's Huawei (Bloomberg). Broadcom, it must be noted, is a Singapore company, not a Chinese one, but such concerns play into widespread skittishness not confined to the United States about Chinese technology and its potential exploitation for espionage and other purposes of state (Asia Times). US officials are concerned about giving up leadership in such an important part of the infrastructure (SecurityWeek). Some observers have dismissed the move as arrant protectionism (Slate) but most see concerns about the future of 5th generation wireless infrastructure as real and serious (Los Angeles Times).
Zscaler's IPO exceeded most expectations. The security company got a strong start in its Friday IPO, raising $192 million and seeing its shares nearly double by day's end (Investor's Business Daily).
Palo Alto Networks has expanded its cloud security capabilities with the acquisition of Evident.io for $300 million in cash (Silicon Valley Business Journal). Critical Start will buy frequent SOC service partner Advanced Threat Analytics (Dark Reading). McAfee has bought VPN firm TunnelBear (Gizbot). CyberArk has acquired cloud security provider Vaultative (Infosecurity Magazine).
Behavioral biometrics shop BioCatch closed a $30 million funding round (SDXCentral). Security automation start-up Automox raised $2 million in venture funding (BizWest). Solebit has raised $11 million in a Series A round, which it will use to develop its SoleGATE Security Platform (SecurityWeek). Hybrid cloud security shop Luminate emerged from stealth with $14 million in funding (SecurityWeek).
Mossack Fonseca, the law firm hacked in the Panama Papers incident, has closed its doors, a casualty of doxing (SecurityWeek).
Today's issue includes events affecting China, European Union, France, Germany, Iran, Russia, Saudi Arabia, United Kingdom, United States.
A note to our readers: the CyberWire is happy to have been chosen as a finalist for the Maryland Cybersecurity Diversity Award (and the Cybersecurity Association of Maryland's People's Choice Award). You can find out more about the awards (and how to vote for us, if you'd like) here.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.