As peace talks start, what do we know about the current cyberthreat from North Korea?
The geopolitical research team at Anomali, a leading provider of threat management and collaboration solutions, has produced a comprehensive report on this closed-off nation’s cyber landscape. While the possibility of historic peace on the peninsula looms large in the minds of politicians and the public, cyber peace may still be elusive. Download the report for more on what cybersecurity professionals need to keep in mind in the coming weeks.
The Week that Was.
May 12, 2018.
By The CyberWire Staff
US withdraws from Iran nuclear pact.
This Tuesday President Trump announced that US withdrawal from the Joint Comprehensive Plan of Action, known as the "Iran nuclear deal." The move had been long expected. Under the deal, finalized in July 2015, Iran undertook to limit or delay certain aspects of its nuclear weapons program. On April 30th of this year US and Israeli authorities stated that Iran had failed to disclose a past covert nuclear program to International Atomic Energy Agency inspectors (New York Times). Observers note that Iranian cyber operations had receded somewhat since the deal was concluded. They're expected to pick up again.
$8.76 Million: the average yearly cost of insider threats. Join ObserveIT 5/15 to learn more.
Insider Threat incidents come with a hefty price tag, according to the “2018 Cost of Insider Threats: Global Organizations” report released by independent research group, The Ponemon Institute. Make sure that you understand the full context (and cost) of these threats by joining an exclusive LIVE online discussion with The Ponemon Institute founder, Larry Ponemon, on May 15th at 11:00am EDT. Claim your seat now.
Revived Iranian-US conflict in cyberspace predicted.
The US decision to withdraw from the agreement is expected to reverberate in cyberspace, with concerns about critical infrastructure becoming sharper. We heard from Dragos CEO Robert M. Lee, who reminded us that when tension rise between states, so does the targeting of industrial control systems. Lee said, "In this case, activity moves beyond conducting early reconnaissance to gaining access to infrastructure companies and stealing information that could be used at a later date. However simply having access to the information does not mean an attack is easy or imminent. Avoiding such tension while also defending against such aggressive efforts is the goal."
We also heard from CyberX's Vice President of Industrial Cybersecurity Phil Neray, who reminded us of Iran's history of going after US targets. "Iran has a long history of going after US targets, including the massive DDoS attacks they conducted on twenty-four US financial institutions during 2012 and 2013," he said. Neray sees cyber operations as an asymmetric way of warfare. "Cyber is an ideal mechanism for weaker adversaries like Iran because it allows them to demonstrate strength on the global stage without resorting to armed conflict. I expect that Iran will continue to escalate its cyberattacks on US targets but will keep them below the threshold that would require a kinetic response from the US."
So far Iran's most damaging attacks have come against targets located in regional rivals like Saudi Arabia, but in principle they could be extended to the US or elsewhere. Neray points to the TRITON/TRISIS attacks on Saudi petrochemical plant safety systems as a disturbing indication of what may come.
Iranian cyber operations, if they materialize, are thought likely to provoke a strong US response (Council on Foreign Relations). Recorded Future has offered a lengthy assessment of Iran's cyber establishment. One interesting note: Tehran depends upon competing contractors for most of its offensive capabilities. At least fifty organizations vie for the work. Studies of wiper malware issued this week by Cisco's Talos group are also worth reviewing. Shamoon, a wiper used against Saudi Aramco in 2012, has generally been attributed to Iran (Threatpost).
The fastest and easiest way to conduct online investigations.
SOC analysts who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI or connecting to a jumpbox, get online in seconds with a secure cloud browser and egress from hundreds of points of presence around the world.
Cyber reconnaissance of the power grid.
Dragos this week released a report on ALLANITE, a threat actor the company says has been actively prospecting US and UK electrical utilities. Dragos researchers have observed "watering-hole and phishing leading to ICS recon and screenshot collection." ALLANITE resembles the Russian Palmetto Fusion group the US Department of Homeland Security described last year. ALLANITE has succeeded in extracting information directly from industrial control systems. The campaign makes heavy use of phishing watering holes. So far ALLANITE has confined itself to information-gathering (Dragos).
"Sloppy at times," but also "advanced and extremely prolific." Researchers at ProtectWise conclude that previously unconnected threat actors tracked for a decade (EAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti) are in fact under the same management. That management would be the Chinese government. Their targets were software and defense companies in Europe, Russia, and the US (Ars Technica).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
User experience vs. security.
Avanan reports finding "baseStriker," a phishing technique that crafts HTML in emails so that malicious links, even those on a blacklist, pass through the Safe Links feature of Microsoft Office 365's Advanced Threat Protection. It works by using the "base" tag to split the malicious link in two. Safe Links passes it, but then the Outlook email client reassembles the link into a nicely renedered and clickable form (Avanan).
Botnets grow more difficult to purge?
In what Bleeping Computer describes as a "game changer," Bitdefender has described its discovery of the "Hide-and-Seek" botnet, an IoT botnet that survives device reboots. Under certain circumstances Hide-and-Seek copies itself to a folder that houses daemon scripts on Linux-based operating systems, and routers and IoT devices tend to run on a Linux-based OS. Hide-and-Seek seems still to be a work in progress, but it bears watching.
Equifax clarifies its data breach.
Equifax this week clarified details about its data breach in a report to the US Securities and Exchange Commission (SEC) and in a letter to the US Congress. There were relatively few changes to the total number of people whose data were affected, but Equifax has, with the assistance of Mandiant, worked through what kinds of data were actually lost (Infosecurity Magazine).
The data elements stolen included: name (146.6 million); date of birth (146.6 million); Social Security Number (145.5 million); address (99 million), gender (27.3 million); phone number (20.3 million); driver’s license number (17.6 million); email address (1.8 million); paycard number and expiration date (209,000); TaxID (97,500); and driver’s license state (27,000). They also reported that the following government-issued identification documents were compromised after they were uploaded to Equifax's dispute portal: 38,000 driver’s licenses; 12,000 Social Security or taxpayer ID cards; 3,200 passports or passport cards; and 3,000 other government-issued documents, including military IDs, state-issued IDs and resident alien cards (TechCrunch).
Observers consider that the data loss will continue to be leveraged in other attacks (Infosecurity Buzz). They're also dismayed that so many large corporations continue to download the vulnerable version of Struts exploited in the breach (SC Magazine).
Bots for influence.
Police in the UK are investigating death threats tweeted in the direction of Labour leader Corbyn's intraparty opponents in the wake of Labour's disappointing performance in last week's elections. The Twitterbots appear to be Russian (Times). Needless to say, they don't advertise themselves as such.
Memes for influence.
The US Senate Select Committee on Intelligence issued its interim report on Russian election interference this week. The committee's conclusion is that there's plenty of evidence Russian operators worked to undermine Americans' confidence in their electoral system, but that there's no evidence any vote counts were altered (SecurityWeek).
House Democrats have released some 3300 Facebook ads they characterize as linked to Russia (WIRED). Motherboard finds five distinct memes in the Facebook ads: (1) Black lives matter, (2) "generic millennial humor," (3) "[Eff], yeah, America!" (4) "pride," particularly around LGBTQ and other gender identities, and (5) a difficult-to-characterize group that's imperfectly or hyper-accurately directed, at, for example, ambivalent reactions toward border control, or at the undeniable tension between eroticism and Pokemon (especially Charizard).
ISIS seeks to disrupt Iraqi elections.
The Caliphate doesn't like what it takes as signs of sectarian rapprochement, and it's using both propaganda and violence to remind Iraqi Sunnis that they vote this weekend at their own risk (Atlantic).
Russian information operators fly a false ISIS flag.
Fancy Bear (Russia's GRU) represented itself as ISIS terrorists in threatening messages sent to US military spouses in 2015. A representative sample of the Facebook messaging, as reported by AP, runs as follows: "Dear Angela! Bloody Valentine's Day! We know everything about you, your husband and your children. We're much closer than you can even imagine" (AP). The specific false colors Fancy Bear was brandishing in this case were those of the Cyber Caliphate.
Facebook and Google are being asked for more transparency in their content moderation practices. These have met with widespread suspicion and incomprehension. The incomprehension at least is easy to understand: the problem they've set themselves is an inherently very hard one, especially when it must be done rapidly and at scale. The platforms themselves have difficulty explaining their methods. A group of interested parties this week met to discuss "Content Moderation and Removal at Scale," in the course of which they recommended the Santa Clara Principles to tech firms engaged in the problem. The recommended principles would involve quick reporting of what, when, and why content had been removed.They also outline reasonable appeal processes (TechCrunch).
Another anticipated effect of GDPR: threat analysts may have a great deal less data to analyze (IT Pro Portal).
One sign that enterprises remain unprepared for GDPR: breach disclosures continue to take noticeably more time than the regulations will permit when they take effect in two weeks (Bitdefender). And if you ask security leads at companies, they'll tell you themselves that they're not sure how well they'll do (MediaPost).
US National Security Council reorganization continues.
New National Security Advisor John Bolton is considering abolishing the Council's cybersecurity coordinator position when incumbent Rob Joyce departs. The coordinator's duties are expected to fall to Bolton's deputy, Mira Ricardel (SC Magazine). The plans have been cooly received by outside observers (Lawfare).
Hack back legislation vetoed in Georgia.
Georgia Governor Nathan Deal vetoed that state's ill-received State Bill 315 which would have criminalized many common and legitimate security research practices. It also would have authorized certain forms of hacking back under the rubric of "active defense." The "hack back" provisions of the law were also greeted with widespread skepticism—a number of commentators thought the bill would not only have criminalized innocent white hats, but also inspired poorly informed and difficult-to-contain cyber vigilante activity (CSO).
Crime and punishment.
Former Autonomy CFO Sushovan Hussain is awaiting sentencing for a fraud conviction involving dodgy accounting designed to make the company look more attractive to HP. His bail conditions require him to surrender his passport, wear a tracking bracelet, and post a $5 million bond (Computing).
If he needs a bail bondsman going forward, he won't find one in the ads Google serves up. Mountain View has decided it will no longer accept advertising from bail bond services, since it doesn't wish to be complicit in regressive incarceration practices or partner with businesses whose lack of transparency about terms and conditions enmesh the vulnerable in services that are against their best interests (Marginal REVOLUTION). One weird trick to show where you stand (or that's what the pop-up might say).
Microsoft fixed more than sixty vulnerabilities in its May release (KrebsOnSecurity). Two of the patches addressed bugs already undergoing active exploitation: CVE-2018-8174, a remote code execution flaw in VBScript engine handling of objects in memory, and CVE-2018-8120, an elevation of privilege vulnerability in Windows when Win32k mishandles objects in memory (TrendLabs Security Intelligence Blog). Going back to last month, April's Windows 10 update seems to be giving some Chrome users problems, notably with timeouts and freezes (Bleeping Computer).
Adobe also patched on Tuesday, issuing Flash Player and Creative Cloud updates (Threatpost).
Apple's iOS 11.4 beta will introduce "USB Restricted Mode," intended to thwart third-party physical access to data. Observers think Apple has done so to resist data extraction by tools from Grayshift and Cellebrite (Apple Insider).
Intel is working on patches for Spectre Next Generation issues, but was unable to get them out this week as planned. Fixes are now expected to become available on May 21st (CRN). Google has released a round of Meltdown mitigations for Android (SecurityWeek).
SAP has patched its Internet Graphics Server (SecurityWeek).
Siemens has issued an update that addresses two denial-of-service vulnerabilities in its SINAMICS medium voltage converters. Both issues are remotely exploitable (SecurityWeek).
Lenovo patched a Secure Boot vulnerability affecting some of its System x servers (SecurityWeek).
LG has fixed a set of keyboard vulnerabilities that permitted remote code execution (ZDNet).
LookingGlass, which specializes in threat intelligence solutions, has picked up Sentinel, the in-house SIEM platform developed by Goldman Sachs. Goldman Sachs received equity in LookingGlass in exchange for the platform, becoming a strategic investor in the security company (SecurityWeek).
DB Networks has changed its name. The San Diego data-loss-prevention shop will be rebranded as DB Cybertech (PRNewswire).
Carbon Black had a nice IPO a week ago. Shares in the cloud security specialists popped 26% during its May 4th debut on Nasdaq (MarketWatch).
Avast, preparing for its very large IPO on the London Stock Exchange, dropped its price guidance from 250-320 pence down to 250-270 pence. This revised guidance is still substantial. Upon listing, this range would give the Avast a market cap of between £2.5 billion and £2.7 billion, or between $3.38 billion and $3.65 billion. But the company's debut Thursday disappointed: Avast saw its share price drop 2.6% in early trading (Reuters).
SafeBreach, the breach and attack simulation shop, closed a $15 million Series B led by Draper Nexus (GlobeNewswire). At-Bay, a cyber insurance start-up, has secured $13 million in a Series A funding round (Insurance Journal).
KEYW has closed its new senior secured credit facilities. They amount to a $215 million First Lien Term Loan facility maturing in May 2024, a $75 million Second Lien Term Loan facility maturing in May 2025 and a $50 million senior secured Revolving Credit Facility maturing in May 2023 (Nasdaq).
Eight start-ups based in India draw favorable press attention as companies to watch: Lucideus Tech (web security and penetration testing), AppsPicket (advanced crypto), AppSecure (a platform that aggregates pentesting and bug-hunting), TAC Security Solutions (vulnerability assessment), Kratikal Tech (vulnerability assessment, pentesting, and security auditing), ShieldSquare (bot mitigation and management), Block Armour (blockchain-based identity management), and HaltDos (DDoS protection) (Your Story).
Symantec is conducting an internal investigation of a non-security related nature. What the investigation is about has yet to be revealed (it involves "concerns raised by a former employee") but the company's annual report will be delayed pending completion (Register). The company's share price has suffered from the generalized announcement (CRN).
Telstra has joined other providers in halting sales of ZTE phones. It cites issues of supply as opposed to security in its decision, and expresses hope that ZTE will be able to resolve its difficulties (CRN). For its part, ZTE says it has shut down its "main operations" as a result of US sanctions (CNN Money). The next two weeks, ZTE leaders say, will decide the company's fate. Its three main division (network gear, devices, and enterprise solutions) have all seen sales drop to nearly zero (Los Angeles Times). This may be the company's death knell: it seems ZTE cannot survive without the ability to import Android software and Qualcomm chips (Ars Technica).
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.