skip navigation

More signal. Less noise.

DomainTools & MISP enabling effective threat intelligence programs.

Join DomainTools for a threat intel best practices webinar and learn how a leading financial institution leverages MISP (Malware Information Sharing Platform) in their network security practice and managed service offerings. Watch the webinar today!

The Week that Was.

Fancy Bear watch.

There's some reason to think LoJack for Laptops may have been backdoored. LoJack for Laptops enables administrators to remotely lock, locate, and remove files from a stolen computer. Arbor Networks determined that five LoJack agents were communicating with four dodgy command-and-control domains, three of which have in the past been associated with Fancy Bear, Russia's GRU. Absolute Software, which makes LoJack for Laptops, says it's investigating, but doesn't believe its customers are at risk. Arbor Networks thinks the "small number of modified agents" is consistent with a "targeted operation." They're cooperating with various unnamed agencies in an investigation. (Register).

Looking for an introduction to AI for security professionals?

Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.

The Yahoo boys are up and at 'em.

The Yahoo boys are the junior foot-soldiers of the gangs who commit 419 scams, also known as Nigerian prince scams, a common kind of advance fee scam. 419 scams, so-called after the section of Nigeria's criminal code that deals with fraud, have long been exposed for what they are, but the gullible and tender-hearted continue to fall for them. The come-on is familiar: an email claiming to be either a Nigerian prince or, more commonly, the widow or representative of a Nigerian prince. They ask the mark's assistance in moving funds, for which service they will compensate the mark with a very large payment. All they ask in return is a bank account and a few thousand dollars to expedite the transaction. What follows one can easily imagine.

Nigerian prince scams are run by organized crime, and the gangs have moved into a more lucrative market: business email compromise (BEC). The perpetrators are Nigerian gangs with roots in "confraternities" established at that country's universities. The younger members of the gangs are generically referred to as "Yahoo boys," from their early use of the email provider, and they combine ritual elements of traditional religion with a very wide array of crimes: prostitution, human trafficking, drugs, theft, money laundering, and various forms of fraud. The admixture of organized crime and quasi-religious cult is one of the striking features of the groups (WIRED).

CrowdStrike has been watching the Yahoo boys and their bosses. They describe the "Black Axe" group as the largest and most characteristic representative of the criminal subculture. Black Axe is organized as a pyramid, with the criminal bosses at the apex making the big money, and, while concentrated in Nigeria, also has cells ("zones") of Axemen active in Europe and North America. Their BEC operations have involved the usual wire transfers, but also payroll fraud and compromises designed to stage further spam campaigns.

The FBI finds that BEC usually occurs in five typical scenarios: (1) businesses working with an international supplier, (2) a senior executive requesting a wire transfer, (3) fraudulent email to business contacts sent through a compromised email account, (4) impersonation of an executive or an attorney, and (5) data theft (IC3).

The typical BEC scam begins with reconnaissance and target selection. The Black Axe will research the organization to familiarize themselves with the target's mission, organization, operations, and key personnel. The second stage is spearphishing. They seek to obtain credentials, either directly or through remote access Trojans or keyloggers, which are common payloads in phishing emails. The third stage is lateral movement designed to get credentials from high-payoff targets within the organization, usually in finance and accounting. The fourth stage is social engineering, use of compromised or spoofed accounts to initiate some transfer of funds. The fifth and final stage is monetization, in which the gang moves the money to an account they control, usually in a Chinese bank. Black Axe isn't as technically sophisticated as are some sections of, for example, the Russian mob, but they're well-organized and excel at money laundering.

One 419 variety—the romance scam, in which the lonely are duped into thinking they've found love online, and that their love could use help moving money—is now commonly enmeshed with BEC scams. The criminals use the romance scam to recruit money mules useful in laundering their take (CrowdStrike).

The gangs have pulled in a great deal of money over the last few years (Pulse). As CrowdStrike's vice-president of intelligence Adam Meyers told the New York Times, "It's really hard to stop; you can't stop it with anti-virus or any kind of software, it's really kind of a human problem."

New research into industrial threats and vulnerabilities.

Dragos and OSIsoft jointly authored and released a new white paper this week that presents a modern-day challenge of defending industrial environments and discusses how the Dragos-OSIsoft technology integration helps asset owners respond effectively and efficiently. Download the white paper, "Solving a Brew Mystery: Digital Forensics With the Dragos Platform and OSIsoft PI System," free.

Vulnerable home routers.

Researchers at vpnMentor have found an authentication bypass flaw (CVE-2018-10561) in gigabit-capable passive optical network (GPON) home routers. That flaw in turn opens up exploitation of a command injection vulnerability (CVE-2018-10562). The vulnerabilities make GPON routers attractive targets for botnet herders (Infosecurity Magazine).

Are you investing wisely in threat intelligence?

Download this free guide from Recorded Future to learn the 11 questions you must answer before buying threat intelligence.

No more domain fronting in AWS or Google.

Amazon and Google have, as expected, put an end to domain fronting, a feature widely used by services like Open Whisper's Signal to evade Internet censorship. Google began the process some weeks ago (pointing out that domain fronting had been an accidental and not a supported feature of their content-delivery system). Amazon shut the option down this week, telling Open Whisper that their use of Amazon's CloudFront would be suspended immediately if Open Whisper's Signal continued to use third-party domains without their permission (Naked Security).

In domain fronting, an app like Signal is able to obscure a connection's destination. Thus as far as a Russian, or Chinese, or Qatari, or other state censor is concerned, they're simply seeing a connection to Google or Amazon, not to a prohibited service like Signal. The censors could either block nothing, or they could shut down everything provided by the big content delivery networks, which would be as close to shutting down the Internet as makes little difference. The upshot, as the Electronic Frontier Foundation and others put it, is that Amazon and Google have elected, in their business models, to foreclose certain ways of evading censorship (Quartz).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

PPD-20 revision?

Senator John McCain (Republican, Arizona) thinks the US should be throwing some sharp cyber elbows back at Russia in retaliation for that country's recent hacking and influence operations. He makes his case in a forthcoming book (Defense News).

The Senator may have some kindred spirits in the US National Security Council, where there are signs that some staffers would like to see the gloves taken off US Cyber Command. CyberScoop reports a movement among the NSC staff to rescind or modify Presidential Policy Directive 20 to streamline the process by which military commanders could receive approval for offensive cyber operations. It's worth noting that PPD-20 is a classified document, and so critiquing it involves much looking at what agencies do and reading between the lines, but it's generally been characterized by observers as a document that requires extensive interagency coordination across the Federal Government, in the interest (if one bets on form) of both proper coordination and restraint, and a due respect for agency equities.

US Cyber Command is now officially a Combatant Command.

On Friday US Cyber Command was officially elevated to Combatant Command Status, putting it on a par with major military organizations like US Strategic Command. General Paul Nakasone got his fourth star as he assumed command of Cyber Command and duties as Director, National Security Agency. Nakasone replaced Admiral Michael Rogers, who now enters retirement (Defense Daily).

General Nakasone will soon be considering how to staff Cyber Command, drawing the right balance among operators and analysts, for example, and drawing perhaps upon non-traditional pools of talent. He'll also consider the tools his command needs, and how to task organize it to support other Commands (Fifth Domain). Nakasone will also shape the implementation of Cyber Command's vision, and in particular will have to arrive at some clarity about how the Command will serve National strategic goals while conducting operations that are expected to be conflicts short of war (Lawfare).

Solitary, poor, nasty, brutish, and short.

And not just solitary, poor, nasty, brutish, and short, but holed up in Mom's basement with a keyboard, and weighing around 400 pounds, or so we hear (on Presidential authority).

Cyberspace looks to many like a Hobbesian state-of-nature, where the inevitable norm is the war of all against all, with all trolling all with bots that amplify their memes and make them trend in search algorithms. A lot of observers are reaching Hobbes's prescription, too: they think only a Leviathan ruler can secure the blessings of, if not liberty, at least order. Hence the various calls for regulation that have surfaced in the wake of the Internet Research Agency indictments, the Cambridge Analytica scandals, and questions about Facebook's handling of personal data.

A study by MIT's Media Lab finds that humans have a positive preference for spreading lies. (Here the Media Lab would appear to agree with several millennia of glum wisdom: whether you're stealing pears, reputations, or elections, what sweetens it is the sin). The bots don't care, but we apparently like lies and hogwash that shock and disgust (WIRED). So where's the fault? In us.

Part of Leviathan's to-do list: GDPR approaches.

GDPR takes effect at the end of this month, and a CompTIA survey suggests that more than half of US businesses are unprepared for the new European privacy and data protection law (Help Net Security). Two companies that appear better prepared than most are Google and Facebook, but their preparations aren't much to the liking of either European regulators or the publishing industry. The regulators see the two big advertising and data collection giants as seeking ways of evading at least the spirit if not the letter of GDPR—especially with respect to Facebook's new approach to privacy. And publishing concerns like Conde Nast, Bloomberg, Hearst, and the Guardian complain that Google is effectively trying to offload its responsibility for obtaining consent to use personal data onto the publishers, while Google itself refuses transparency in its own use of data obtained through the publishers' use of Google services. This, the publishers complain, increases both their burden and their liability.

Recorded Future has some advice on where companies can use threat intelligence to bring themselves into compliance with risk reporting aspects of the regulations. They offer a sector-by-sector rundown of how one might do so with a large array of regulations, from the continental (GDPR) to the sub-national (New York Department of Financial Services Cybersecurity Regulations).

And get ready for a flood of privacy inquiries. A lot of your consumers are. Some 42% of respondents to a survey of European citizens say they intend to file data privacy requests by November (Computing).

Disclosure or marketing? Or both?

Flashpoint's Chief Marketing Officer, Jennifer Leggio, delivered a talk at Hack-in-the-Box Amsterdam in which she outlined tension between production and sales as a risk peculiar to security companies. She calls the problem "logo disclosures," cases in which marketing is interested in getting out the results of research quickly, in a nicely packaged and branded public disclosure. Production wants, in opposition to this, to reduce risk. Caught in the middle are the researchers who find threats and vulnerabilities (SecurityWeek). 

Courts and torts.

Indian budget airline GoAir is suing its former CEO in a Bombay court over alleged data theft. Wolfgang Prock-Schauer left GoAir to become COO of rival IndiGo (Hindu Business Line).

Crime and punishment.

ZTE is fighting the US Commerce Department's denial order that prevents it from receiving US exports (Lawfare).

Hey, Feds: here's some news you can use, from the Office of Special Council, experts on the Hatch Act. The Act both limits political activity by US Federal employees, and protects such employees from workplace political coercion. If you were considering partisan tweeting on Government time, for example, or strong-arming your colleagues into working on a campaign, stop and think again (Federal News Radio).

Patch news.

Schneider Electric has patched a serious vulnerability in some of its developer's tools. The issues were found and disclosed by Tenable (Threatpost).

Becton Dickinson finds that some of its Wi-Fi-enabled medical devices are susceptible to KRACK attacks, and they've published some mitigations. The KRACK (key reinstallation attack) vulnerability is a feature of the Wi-Fi Protected Access II (WPA2) encryption used in the devices. Anything using WPA2 is open to KRACK, not just medical devices. KRACK is a family of related exploitable bugs whose discovery was announced last October (Naked Security).

Twitter says it wasn't hacked, but that discovery of "a bug" makes it advisable for users to change their passwords (Naked Security).

Industry notes.

Cambridge Analytics, whose use of Facebook and (probably) Twitter data drew so much odium to those companies, has closed its doors. It said Wednesday that it was ceasing operations "immediately," and that bankruptcy proceedings would soon follow (CNN).

Cisco's $270 million acquisition of Accompany represents a push into business collaboration, market intelligence, and customer relations management (CIO Dive). Tyler Technologies, an IT services provider, has acquired Sage Data Security for an undisclosed sum to increase its security-as-a-service capabilities (Press Herald).

Trident Capital Cybersecurity, the well-known venture firm specializing in cybersecurity, has rebranded itself as ForgePoint Capital. The shop doesn't plan significant changes to its mission and focus: co-founder and managing director Alberto Yepez says they intend to continue to concentrate on early-stage cybersecurity companies (PRNewswire). 

Trusted Key, a secure digital identity start-up, has raised $3 million from the Founders Co-op, with participation by Pithia Partners, in a seed round intended to support a pilot with healthcare-focused NS-ISAC (BusinessWire). Former Director NSA Keith Alexander's IronNet startup closed a $78 million Series B round led by London-based investor C5 Capital, with participation from existing investors ForgePoint Capital and Kleiner Perkins Caufield & Byers. IronNet intends further expansion into the industrial security market (Business Insider). Corero has raised £3 million from  Clydesdale and Yorkshire Bank. The DDoS-protection specialists intend to add features and analytical capabilities to the company's SmartWall product (Growth Business). Regulus Cyber, which develops security products to protect robots and other autonomous systems, raised $6 million in a Series B round funded by Technion, Sierra Ventures, Canaan Partners Israel and F2 Capital (Global University Venturing).

Carbon Black has completed its IPO, and began trading on Friday (Boston Globe).

Comodo Cybersecurity has a new President and CEO. Steve Subar moved into the job this week (PRNewswire). We spoke with him this week; he sees Comodo's distinctive advantage as its recognition of not only the capabilities of artificial intelligence and machine learning, but also their limitations. Subar thinks they've successfully combined default-deny for the known-bad with default-allow for the known-good, and wrapping the unknowns in an environment where they're given no write-permission. They interject human analysis, which they regard as indispensable, where the automation cannot be expected to produce a correct decision.

Zscaler's stock price took a hard blow when the company unexpectedly announced that COO William Welch was leaving. His last day will be May 14th. No reason for the departure was immediately offered. Zscaler went public in March, achieving a market cap of over $3 billion after its IPO (CNBC). 

Akamai plans to hire "several hundred" new employees this year, according to CEO Tom Leighton (Boston Business Journal).


Today's issue includes events affecting Canada, China, European Union, Italy, Nigeria, Russia, United Kingdom, United States.

Research Saturday is up. This week we speak with Kevin Epstein, Vice President of Proofpoint's Threat Operations Center. He talks us through their investigation of BlackTDS, a traffic distribution tool for sale in dark web markets. He also tells us about ThreadKit, a document exploit builder.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.