The Week that Was.
May 19, 2018.
By The CyberWire Staff
The latest version of Mirai is Wicked.
Fortinet has found a new variant of the Mirai Internet of Things botnet in the wild. Called "Wicked," this variant has three modules: "Scanner," "Attack," and "Killer." Unlike the original Mirai, which brute-forced its way into vulnerable connected devices, Wicked makes use of known exploits to establish access. It scans ports to establish a connection with its targets and then uses an exploit appropriate to whatever service answers on that port. Wicked seems to be the work of the same coder who produced the Sora, Owari, and Omni botnets (SecurityWeek).
MEWkit drains Ether wallets.
RiskIQ describes MEWkit, an Ethereum phishing tool that makes novel use of automation in its attacks. MEWkit begins with a phishing email that's designed to induce the victims to go to a phony MyEtherWallet. The landing page harvests credentials in a conventional way. Where MEWkit represents an advance comes in the second step: it has a module that automatically uses the just-harvested credentials to drain the victims' real Ether wallets into the hoods' accounts. As RiskIQ explains, MEWkit combines traditional phishing with an automated transfer service to take advantage of what RiskIQ calls the relatively loose security of MyEtherWallet (ZDNet).
Updates on CHRYSENE ICS campaign.
On Thursday Dragos offered new details on the CHRYSENE threat group, specialists in hitting industrial control systems. Associated with the 2012 and 2016 Shamoon attacks on Saudi Aramco, CHRYSENE has, Dragos says, developed a sophistication beyond groups like Greenbug (also known as OilRig). Dragos doesn't discuss attribution in its update, but the Shamoon 1 and Shamoon 2 attacks associated with the threat group have been widely thought to be the work of Iran. CHRYSENE's target list concentrates on the petrochemical, oil, gas, and electric generation sectors. The Dragos study notes CHRYSENE's concentration on initial penetration: it compromises a target, then passes the machine it's pwned on to others for further exploitation. CHRYSENE may be extending its target list beyond its original Arabian Gulf range. The threat group's operations have now been observed in Iraq, Pakistan, Israel, and the United Kingdom.
Researchers at Lookout this week described two extensive Pakistani cyber espionage campaigns: Stealth Mango (which targets Android devices) and Tangelo (which works against iOS). The targets were diplomatic, military, and governmental personnel in India, the UAE, and Afghanistan, with strong interest shown in collecting against Pakistani dissidents as well. Some Australian, US, and German officials were apparently swept up in the campaigns as well. The campaigns, thought to be run by Pakistan's military, used convincing spoof sites, including bogus app stores, in conjunction with phishing to net the victims (Lookout).
DHS has a new cybersecurity strategy.
The US Department of Homeland Security has released its long-anticipated strategy. The plan has these major goals: identify risks, reduce vulnerabilities, reduce threats, mitigate the consequences of cyberattacks, develop infrastructure resilience, and improve management of the Department's cyber portfolio (SecurityWeek). The document has drawn generally positive initial reviews from industry (SC Magazine).
And the DoE has a cybersecurity plan.
The US Department of Energy has issued a three-year plan for cybersecurity. The overall goal is resiliency (Power Magazine). Specifically, the plan calls for better preparedness, coordinated incident response and recovery, and accelerated research and development for more resilient energy delivery systems (SecurityWeek).
A US Presidential advisory panel composed largely of industry cybersecurity experts is ready to recommend a "moonshot" program to the Administration. In a preview of their recommendations, the panel outlined, according to Nextgov, five tenets that will shape their report: "1) The status quo is unsustainable. 2) We need to be bolder and move beyond incremental cybersecurity fixes. 3) Because the status quo is unsustainable, we need a new approach that includes 'a more aspirational national vision for cybersecurity.' 4) 'We need to foster stronger whole-of-nation action.' 5) While the moonshot is a long-term project, it can create immediate and near-term benefits."
The moonshot metaphor, of course, is an allusion to Project Apollo, the literal moonshot people like to remember as having had a transformative effect upon science, technology, and industry in the United States. Two questions are worth considering. First, while Project Apollo undoubtedly had important effects, whether it was as transformative as legend has it is by no means clear. And second, it's worth recalling that the mission to the moon was a hard problem, but it was a well-defined problem. Does cybersecurity present that sort of big, unified challenge? Perhaps the war on cancer or the war on poverty are better (albeit less encouraging) metaphors for cybersecurity.
GDPR is now less than a week away.
The European Union's General Data Protection Regulation is expected to have global consequences. Enterprises in most countries are more-or-less prepared, but consensus is that their preparations are very imperfect. See, for example, this assessment of Australian businesses (IT Wire), or a University of California study of American readiness for GDPR (CLTC). And researchers continue to find large quantities of sensitive data exposed online (ITWeb).
The stringent reporting timelines have attracted much attention recently. The simplest way of understanding them is that GDPR imposes a seventy-two hour deadline by which organizations that experience a breach of protected data must take certain defined actions. A breached organization must investigate, notify regulators and affected individuals of the breach, specifically state what data were exposed, and set out a plan for containing the damage going forward. Any failure to get this done within seventy-two hours must be explained to the regulators. Absent reasonable justification for the delay, the affected organization can expect penalties, and those penalties can be stiff (Imperva).
Human resources departments are expected to be particularly heavily affected by GDPR. The optimistic take on those effects is that they will "drive more transparency" in the way employee data are handled, which is one way of looking at it (Wall Street Journal).
Net neutrality gets some Senatorial love.
The US Senate, reacting to the Federal Communications Commission's move away from net neutrality, this week approved a resolution that would restore net neutrality as a matter of law. Most observers think the resolution is more gesture than a serious legislative attempt to enact net neutrality into law. It's unlikely to pass the House; indeed, it's unlikely even to come to a vote in the House (Naked Security).
Christopher Wylie, the whistleblower who drew attention to the use Cambridge Analytica was making of Facebook data, testified before the US Senate Judiciary Committee Wednesday. He described the company as having shared information with a variety of Russian organizations (including the sanctioned company Lukoil). While he had no particular evidence that Cambridge Analytica was working with the Internet Research Agency (the now-notorious St. Petersburg influence operator), he thought it likely that the company was an intelligence target of Russian services (WIRED).
Earlier in the week the New Scientist had reported finding that the University of Cambridge's Psychometrics Centre culled data from a Facebook personality quiz, myPersonality, and shared it with hundreds of researchers over a period of four years. Some three million individuals were affected. The data were poorly secured and imperfectly anonymized. This is the same data collection project whose results were used by Cambridge Analytica and that has caused such embarrassment to Facebook. One wonders whether the responsible human subjects research review boards at Cambridge were asleep at the switch or simply failed to recognize that the project might require their oversight.
US Federal leadership changes.
On Thursday the Senate confirmed Gina Haspel as Director of Central Intelligence (TheHill).
The position of White House cyber coordinator is gone (TechCrunch). National Security Advisor Bolton will assume the post's responsibilities. Two Democratic Representatives, Langevin of Rhode Island and Lieu of California, have introduced legislation that would require the White House to restore the position of cybersecurity coordinator (Executive Gov).
Crime and punishment.
US Federal prosecutors apparently have a suspect in the leak of the CIA material obtained by WikiLeaks and released as Vault 7. As many have long believed, the suspect, Joshua Schulte, is an insider who worked for the Agency from 2010 until 2017, and by some accounts briefly for NSA as well. But he hasn't been charged with the leaks, at least not yet. Instead he's in custody on a child pornography beef, and remains under investigation for the CIA affair (Motherboard). Authorities apparently believe he's their (alleged) man because of some (allegedly) poor OPSEC on his part: Mr. Schulte is thought to have uploaded Langley source code to a publicly accessible personal website linked to his real name (Motherboard). The FBI raided his residence on March 23rd, 2017, about two weeks after WikiLeaks dumped Vault 7. A related question: why didn't the CIA notice sooner that he'd (allegedly) put this stuff on GitHub (Daily Beast)?
Mr. Schulte is said to have tweeted his outrage at the Chelsea (née Bradley) Manning leaks, urging in coarse terms that Manning receive the death penalty (Motherboard).
Polish authorities say they've uncovered a Russian "hybrid warfare" operation aimed at increasing tension between Poland and Ukraine. One Russian has been expelled; four others are banned from the country. In this context "hybrid" means informational: the group was engaged in seeking to create mistrust through tendentious recasting of Eastern Europe's difficult and bloody history (Deutsche Welle).
Sergei Skripal, principal target of the Salisbury nerve agent attack, has recovered sufficiently to be released from the hospital (Radio Free Europe | Radio Liberty).
Serbian police have collared an alleged Dark Overlord, a Belgrade resident who's so far been identified only by his initials, "S.S." The FBI is interested in making Mr. S.S.'s acquaintance; he may face extradition. Serbian authorities also popped two goons they think were administrators of the criminal webstresser [dot] org site (SecurityWeek).
The other Dark Overlords, by the way, were quick to tell Motherboard that they're still in business. The Dark Overlords' particular criminal niche has been to steal sensitive data and, rather than hawking it in some dark web souk, go back to the data's owners and demand a ransom to return them unreleased. Their best-known caper was an extortion attempt against Netflix involving stolen episodes of Orange is the New Black.
Ruslans Bondars, a Latvian man who operated the counter-antivirus service Scan4You, was convicted Wednesday on three counts in connection with that service (SecurityWeek). The charges were conspiracy to violate the Computer Fraud and Abuse Act (CFAA), conspiracy to commit wire fraud, and computer intrusion with intent to cause damage and aiding and abetting (US Department of Justice). Trend Micro was instrumental in taking down Scan4You (WIRED).
In Ohio, the FBI arrested an alleged member of Anonymous on charges related to denial-of-service attacks on the city of Akron (Bleeping Computer).
Courts and torts.
A ruling on whether a civil suit against President Trump's campaign organization that alleges collusion with Russia can proceed is expected soon. The suit was filed by Democratic operatives who allege they were injured by WikiLeaks' release of hacked emails. The judge heard arguments Thursday (NPR).
US District Judge James Donato refused to dismiss a class action suit against Facebook. The suit, filed three years ago, complained that Facebook had violated people's privacy by putting their images into its facial recognition database without their consent (Naked Security).
Parents of a Baltimore County high school student are suing another student for defaming their daughter online. They're also suing the Principal and School Board (Maryland Record).
Cisco patched three flaws in its DNA (Digital Network Architecture) Center (SecurityWeek). Red Hat patched a critical command injection flaw in Red Hat Enterprise Linux's DHCP client (Naked Security). Adobe issued fixes for nearly fifty issues in Reader and Acrobat; some two dozen of them were rated critical (SecurityWeek). Samsung patched six problems in its handsets (Threatpost).
Microsoft called a temporary halt to Windows 10 rollout for devices with some models of Intel and Samsung solid-state drives. Redmond had received complaints of crashes and rapid battery draining (CRN).
Signal, Open Whisper Systems' secure messaging app, fixed a vulnerability in its desktop client commendably quickly. It took them less than four hours from disclosure to patching (CyberScoop).
Cambridge Analytica has filed for bankruptcy in New York. The company had already announced cessation of operations in the United Kingdom (Bloomberg).
Symantec, whose share price took a hit at the end of last week, saw a partial recovery this week. The company had announced that it would delay certain reports pending the completion of an unspecified investigation by its audit committee. This week it emerged that the investigation involved executive compensation, and is unlikely to require material revision to past reports (CRN).
Weary of suspicion aroused by its location in Moscow and proximity to Russian security and intelligence services, Kaspersky Lab has announced its intention to move "core processes" to Switzerland (SecurityWeek). The company hopes the halo effect of Switzerland's tough data protection laws and two centuries of stiff-necked neutrality will help allay customer fears that it's too close to the organs (Channel Web).
ZTE, another company that draws widespread suspicion, had been sanctioned by the US Commerce Department (Wall Street Journal). Those sanctions were punishment not for security crimes, but rather for the company's evasion of US sanctions against Iran and a handful of other countries. President Trump, in what appears to be a trade negotiation gambit, has said his Administration intends to offer ZTE a lifeline (to save jobs, etc.) (TechCrunch). Congress is unconvinced, taking testimony this week from FBI Director Wray on the security risks Chinese hardware companies represent. The Bureau is suspicious of any company it sees as "beholden to a foreign government" (Politico). Congress has also asked the Department of Homeland Security for a report on ZTE and security (CyberScoop).
In the hardware security modules space, Utimaco has announced its intent to acquire Atalla from Micro Focus (BusinessWire). Risk management company TransUnion has acquired fraud-detection shop iovation for an undisclosed sum (Portland Business Journal). Barracuda Networks, formerly publicly traded and now privately held, expressed its intention of growing itself to unicorn status through acquisitions (Channel Web). Qualys has also said it expects to make more acquisitions in the not-too-distant future (Seeking Alpha).
Embedded security shop RunSafe received a $2.4 million seed funding round led by Alsop Louie Partners (PE Hub). Auth0, providers of identity-as-a-service, closed a Series D round worth $55 million. The investment was led by Sapphire Ventures (SecurityWeek). Cloud security specialist Protego announced that it had raised $2 million in seed capital (Calcalist).
Sources say that a recent investment of $175 million by TPG Capital in Tanium has raised Tanium's value above $5 billion (Reuters). Machine-learning security firm Darktrace is thought to have achieved unicorn status this week, with a recent investment pushing the company's value to $1.25 billion (Bloomberg).
Microsoft won a cloud contract with the US Intelligence Community, making strong inroads into a market dominated by Amazon. The win is thought to have put Microsoft in a better position to win significant Department of Defense cloud business (Bloomberg).
Today's issue includes events affecting China, European Union, Germany, Iran, Pakistan, Russia, United Arab Emirates, United Kingdom, United States.
ON THE PODCAST
In this week's Research Saturday, the CyberWire talks with Richard Hummel, who manages Arbor Networks' ASERT Threat Intelligence Team. They've recently published a report, "LoJack Becomes a Double Agent," that describes how threat actors alter the legitimate recovery utility software and simulate its command and control servers to gain access to target machines. Hummel talks us through their discovery.