
Former DHS & DOD leader shares insights on collaborative defense.

Resiliency and collaboration were welcome, consistent themes from RSA 2018 and are underscored by the innovation coming out of the cybersecurity industry. But what does this really mean for IT, security and development teams day-to-day? Join Mike Brown, RADM, USN (Ret), former Director, Cybersecurity Coordination for DHS and DOD for a discussion on industry direction, the type of collaboration that can yield immediate results to teams and the criticality of protecting application infrastructure.

The Week that Was.

Speculative Store Bypass is Variant 4 to Spectre and Meltdown's first three.

Google's Project Zero and Microsoft's Security Response Center jointly disclosed another speculative execution flaw in the Spectre and Meltdown family. The vulnerability, Speculative Store Bypass, could be exploited to expose user data across a broad range of devices (ZDNet). Intel calls it "Variant 4" and classifies it as "medium risk." Microsoft characterizes the risk to users as "low," but Variant 4, which has been designated CVE-2018-3639, is nonetheless being taken seriously (CNET). The issue affects Intel and AMD x86 processors, IBM POWER 8, POWER 9, and System z, and some ARM cores as well (SecurityWeek).

Some vendors have already issued mitigations; Linux distributions, for example, are shipping kernels that report the processor's Variant 4 status and let processes opt in to the mitigation. Those who face a more challenging patching problem (including Intel, whose fix arrives as a microcode update) intend to make fixes available within the next few weeks. Analysts tell users to expect some performance decline after applying patches: Intel says tests of the coming fix, with the mitigation enabled, have shown a two to eight percent decline in performance, and that the mitigation will ship switched off by default so customers can choose whether to turn it on (WIRED).
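Before trusting a patch, check what the kernel itself says. The following is an added example, not code from the page or from any vendor: it classifies the one-line status the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/spec_store_bypass (a real kernel interface; the report strings and the prctl constants are the kernel's own conventions) and shows how a process opts in to the mitigation. The function names, the "fleet" of host reports, and the sample report strings are assumptions constructed for illustration.

```python
"""Check how a Linux kernel reports Speculative Store Bypass (Variant 4) status.

Added example, not from the original page. The sysfs path and the report
strings are the Linux kernel's own conventions; the prctl constants come from
the kernel's uapi prctl.h. Everything else (function names, the constructed
sample reports) is illustrative.
"""
import ctypes
import ctypes.util
import sys
from pathlib import Path
from typing import Dict, Optional

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SSB_FILE = "spec_store_bypass"

# prctl(2) speculation-control constants from the Linux uapi headers.
PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0
PR_SPEC_DISABLE = 4


def classify_ssb(report: Optional[str]) -> str:
    """Map the kernel's one-line report to a status a SOC can act on.

    Returns one of: "unknown", "not_affected", "vulnerable",
    "mitigated_opt_in", "mitigated_global", "unrecognized".
    """
    if report is None:
        # Kernel predates the reporting interface: it cannot tell us, and
        # it certainly carries no mitigation.
        return "unknown"
    text = report.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    if text.startswith("Mitigation:"):
        # "via prctl" / "via prctl and seccomp" means only processes that
        # opt in (or run under a seccomp filter) are protected by default;
        # an ordinary process is still exposed until it asks.
        if "prctl" in text:
            return "mitigated_opt_in"
        return "mitigated_global"
    return "unrecognized"


def read_report(name: str = SSB_FILE, base: Path = SYSFS_VULN_DIR) -> Optional[str]:
    """Return the sysfs report for a vulnerability, or None if the kernel has no entry."""
    try:
        return (base / name).read_text(encoding="ascii")
    except FileNotFoundError:
        return None


def opt_in_to_ssbd() -> bool:
    """Ask the kernel to disable speculative store bypass for this process.

    Only meaningful on Linux with a kernel that implements the control;
    returns False (rather than raising) anywhere else.
    """
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    rc = libc.prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)
    return rc == 0


# Constructed sample reports (not captured from real machines) covering the
# shapes the kernel emits.
SAMPLE_REPORTS: Dict[str, Optional[str]] = {
    "old-kernel": None,
    "host-a": "Vulnerable\n",
    "host-b": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n",
    "host-c": "Not affected\n",
    "host-d": "Mitigation: Speculative Store Bypass disabled\n",
}


def assess_fleet(reports: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every host's report; anything not 'mitigated_*' or 'not_affected' needs work."""
    return {host: classify_ssb(rep) for host, rep in reports.items()}


if __name__ == "__main__":
    print("this host:", classify_ssb(read_report()))
    for host, status in assess_fleet(SAMPLE_REPORTS).items():
        print(f"{host}: {status}")
```

The point of the "mitigated_opt_in" bucket is the caveat that matters in practice: the kernel's default mode protects seccomp-confined and explicitly opted-in processes, so a host can report "Mitigation:" while most of its userland still runs with store bypass enabled. A missing sysfs entry is treated as unknown rather than safe, since an older kernel cannot have the fix.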

Avast has compiled a timeline for this family of chipset vulnerabilities (Security Boulevard).

Under GDPR non-compliant companies face trade-offs on borrowed time, says Control Risks.

Control Risks says non-compliance is a truly enterprise-level risk for companies operating in the EU. It burdens already taxed programs with particular measures to protect personal data and disclose security issues. Many worry that the resources spent catching up to GDPR before an incident occurs will be traded off against other critical initiatives, leaving them vulnerable nonetheless. Companies must get executives and experts involved in managing the risk and competing priorities. Let Control Risks help you be both secure and compliant.

VPNFilter looks like battlespace preparation.

Cisco's Talos Group this week reported the discovery of new malware affecting home and small-office routers and network-attached storage, including devices made by Netgear, TP-Link, Linksys, MikroTik, and QNAP (Talos). It's called "VPNFilter," a modular and stealthy implant that's assembled a botnet of some five-hundred-thousand devices spread across dozens of countries, with a recent surge of infections in Ukraine. There's considerable code overlap with the BlackEnergy malware previously deployed in attacks against Ukrainian targets, and the US Government has attributed the VPNFilter campaign to the Sofacy threat group, a.k.a. Fancy Bear, Russia's GRU. VPNFilter seems to have quietly established itself over the last two years by exploiting known vulnerabilities left unpatched, and by gaining entrée into devices by taking advantage of weak or default passwords.

Cisco notes that the malware moves through a three-stage process. Stage one is the only part that persists across a reboot: it installs itself in such a fashion as to survive device restarts, and its job is to discover the IP address of the stage two deployment server and fetch that payload. Stage two is the workhorse, a non-persistent implant that collects files, executes commands, exfiltrates data, and manages the device; some builds also carry a self-destruct command that overwrites part of the firmware and reboots, rendering the device unusable. Stage three consists of plug-ins that extend stage two. Researchers have analyzed two (there may be more): one sniffs traffic passing through the device, looking for website credentials and Modbus SCADA traffic, and the other enables communication with the command-and-control infrastructure over the Tor network. Because only stage one survives a reboot, restarting an infected device clears stages two and three but not the foothold that will re-download them.

Ukrainian cybersecurity authorities think that this is battlespace preparation (Fifth Domain) with Russia gearing up a major cyberattack to disrupt either a Champions League soccer match or Ukraine's Constitution Day (Sky News). Talos's Craig Williams told WIRED, "This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want. It's basically an espionage machine that can be retooled for anything they want." 

VPNFilter has been under investigation by US authorities since August, when a Pittsburgh resident agreed to let the local FBI Field Office inspect her router (infected with what at the time was characterized simply as "Russian malware") and to put a network tap on it to monitor traffic passing through. This week a warrant from a US Federal Magistrate enabled the Bureau to seize control of ToKnowAll dot com, the domain the persistent first stage contacts to re-download the second stage after a reboot; with that domain sinkholed, infected devices that restart now check in with the FBI instead of with the operators (Daily Beast). The Justice Department says VPNFilter could be used for "intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities" (Reuters).

CyberX's Phil Neray commented on some implications of VPNFilter's code-sharing with BlackEnergy: "This is a very sophisticated, multi-stage malware that allows attackers to spy on all network traffic and deploy destructive commands to industrial devices in critical infrastructure networks. Russian threat actors have previously used similar tactics in cyberattacks on the Ukrainian electrical grid. While the recent burst of activity also targets the Ukraine, the malware exploits vulnerabilities in devices that are widely used around the world—which means the same attack infrastructure could easily be used to target critical infrastructure networks in the US, the UK, Germany and any other countries seen as enemies of the attackers."
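The seizure gives defenders a simple detection: a device that survives a reboot with stage one in place will try to resolve the seized domain. The following is an added example, not code from the page, from Talos, or from the FBI. It relies only on the fact reported above (the persistent stage re-downloads stage two from toknowall.com), and scans DNS resolver logs for internal clients that looked it up. The log format (a BIND-9-style query log), the sample lines, the client addresses, and the subdomain "cdn.toknowall.com" are all constructed for illustration and are not real indicators.

```python
"""Find internal hosts whose DNS lookups reveal a VPNFilter stage-one foothold.

Added example, not code from the page or from Talos. It relies on one fact the
page reports: the stage-one implant re-downloads stage two from toknowall.com
after a reboot, and that domain is now sinkholed. The log format (BIND-9-style
query log) and the sample lines are assumed and constructed, not captured.
"""
import re
from typing import Dict, Iterable

# Domain the page says the persistent stage contacts after a reboot.
STAGE1_DOMAIN = "toknowall.com"

# Assumed BIND-9-style query log line:
#   <timestamp> client <ip>#<port> (<qname>): query: <qname> IN <qtype> ...
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f:.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_domain_or_subdomain(qname: str, suspect: str) -> bool:
    """True for the domain itself or any label beneath it, never for look-alikes."""
    q = qname.rstrip(".").lower()
    s = suspect.rstrip(".").lower()
    return q == s or q.endswith("." + s)


def find_stage1_beacons(log_lines: Iterable[str], suspect: str = STAGE1_DOMAIN) -> Dict[str, int]:
    """Return {client_ip: lookup_count} for clients that resolved the suspect domain."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (or not in the expected format)
        if is_domain_or_subdomain(m.group("qname"), suspect):
            client = m.group("client")
            hits[client] = hits.get(client, 0) + 1
    return hits


# Constructed sample log (not real traffic). 192.168.1.23 behaves like a
# router that rebooted and is trying to fetch stage two; nottoknowall.com is
# a look-alike that must not match; cdn.toknowall.com is a made-up subdomain
# included only to show that labels beneath the domain are caught.
SAMPLE_LOG = [
    "24-May-2018 09:12:01.004 client 192.168.1.23#41022 (toknowall.com): query: toknowall.com IN A + (192.168.1.1)",
    "24-May-2018 09:12:03.118 client 192.168.1.50#53311 (example.org): query: example.org IN A + (192.168.1.1)",
    "24-May-2018 09:15:44.902 client 192.168.1.23#41023 (ToKnowAll.com): query: ToKnowAll.com. IN A + (192.168.1.1)",
    "24-May-2018 09:16:10.007 client 10.0.0.7#60112 (cdn.toknowall.com): query: cdn.toknowall.com IN A + (10.0.0.1)",
    "24-May-2018 09:17:29.330 client 10.0.0.9#60113 (nottoknowall.com): query: nottoknowall.com IN A + (10.0.0.1)",
    "24-May-2018 09:18:00.000 some unrelated resolver message",
]


if __name__ == "__main__":
    for client, n in sorted(find_stage1_beacons(SAMPLE_LOG).items()):
        print(f"{client}: {n} lookup(s) of {STAGE1_DOMAIN}")
```

Matching is done on the domain boundary (exact name or a label beneath it, case-insensitive, trailing dot tolerated), so "nottoknowall.com" is correctly ignored. A client that shows up here has the persistent stage and needs the reset-and-reflash treatment described under Patch news below, not just a reboot.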

The fastest and easiest way to conduct online investigations.

SOC analysts who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI or connecting to a jumpbox, get online in seconds with a secure cloud browser and egress from hundreds of points of presence around the world.

XENOTIME, the threat group behind TRISIS ICS attacks.

Dragos has a report on a threat actor it's calling "XENOTIME" (Dragos). XENOTIME is the group behind the TRISIS malware used to target Schneider Electric's Triconex safety instrumented systems. The TRISIS attack, disclosed last December, disrupted operations at a Middle Eastern petrochemical facility when the targeted safety controllers failed safe and shut the process down. Dragos is moderately confident that XENOTIME will prepare further campaigns. Although its initial targets were located in the Middle East, Dragos believes XENOTIME operates worldwide and has no known connections to other threat groups. The group also probably has capabilities that enable it to work against safety systems other than the already targeted Schneider Triconex.

XENOTIME's objectives are clearly disruption, not espionage. The threat actor establishes itself in systems where it can cause future disruption or destruction. Its earlier attempt, the one disclosed in December, wasn't fully successful. As Dragos explains, "The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As XENOTIME matures, it is less likely that the group will make this mistake in the future."

There's a gap in your data security. Eliminate the Data in Use vulnerability today.

Numerous technologies can encrypt data at rest and in transit to ensure security, but while important, this protection isn’t enough. Data today needs to be decrypted before it can be used, leaving your data exposed to loss or attack. Enveil’s Never Decrypt technology eliminates this Data in Use vulnerability, protecting data throughout the processing lifecycle. Ready to deploy on existing infrastructure, it’s the only scalable solution using homomorphic encryption techniques to enable nation-state level security.

Cyberwar and kinetic war.

Since VPNFilter, if it indeed proves to be a Russian operation, obviously involves at least the potential for cyberwar (Fifth Domain), it's worth noting that Britain's Attorney General has this week said that a massive cyberattack could constitute an act of war, and that a nation so attacked had the right to self-defense (Fifth Domain). This is either, as the peace-loving Putinists at Sputnik suggest, a bloodthirsty provocation just shy of dropping the SAS into Red Square, or, as the Register thinks, a threat to give you another good talking to, only louder. The reality will fall somewhere between these extremes.

Russia's President Putin expressed a view that seems not too far from this, although it's being read in the British press as carrying more veiled menace: nations need to evolve some norms and comport themselves properly in cyberspace lest they face "consequences for their actions" (Express). In the US, PPD-20 will probably continue to calibrate responses to campaigns like VPNFilter and threat actors like XENOTIME across Title 10 and Title 50 authorities (CipherBrief).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

Truth (that is, правда) right, Mr. Musk?  And Mr. Zuckerberg's apology tour.

Elon Musk says he's going to attack fake news head-on with a truth service he's calling, with either hipster irony or post-Boomer cluelessness, "Pravda" (Gizmodo). Security Boulevard takes him seriously and sees this as a step on the path to becoming a Bond villain. If Mr. Musk isn't kidding, he should lawyer up: Pravda's still in business. The print version is still published by the Russian Communist Party (a sad rump of its former self); the online version is privately held. 

Facebook opened up about fake news a bit, and what it's trying to do about it (WIRED). CEO Mark Zuckerberg answered questions from the European Parliament. He was contrite about fake news and data collection, but observers think the format of the questioning enabled him to pick and choose what he'd answer to a greater degree than he could when speaking to the US Congress (Motherboard).

GDPR arrived yesterday.

Some say embrace it, and enjoy the process. It'll be good for you, and you can't do anything about it anyway (Help Net Security). Contrary to that sales call you keep getting, there's no simple solution that will guarantee compliance (Computing). So recognize it as a seafaring journey of exploration, only with fines and commissioners instead of maelstroms and a couple of kraken.

Have you been getting lots of compliance emails from publications, games, sites, and so forth you've interacted with over the years? We have. And here's some irony: a lot of those emails are probably non-compliant (Computing). Some are even phishbait.

Some observers see a law-enforcement downside to GDPR. CipherTrace thinks that investigations into cryptocurrency fraud and cryptocurrency-enabled crime will become noticeably more difficult after yesterday.

But if GDPR's been keeping you up at night, never fear. There's a softer side to the regulation: many are finding its text pleasingly soporific. Calm, a "sleep, health, happiness" app, has added "Once Upon a GDPR" to its soothing repertoire, and engaged Peter Jefferson (the BBC's "voice of the Shipping Forecast," the maritime weather report that became known as Britain's unofficial national lullaby) to read the regulation as a bedtime story for grown-ups. It's said to be even more gently reassuring than a quiet mulling over the Beaufort Scale for the Channel Approaches. The co-founder of Calm, Alex Tew, put it this way: "New laws aren’t meant to be exciting. But GDPR could sedate a buffalo." We question his metaphor, since buffalos have never struck us as particularly edgy, but we get his point. It's a homeopathic remedy in reverse: if a little bit of GDPR is depriving you of sleep, then treatment with a whole lot of undiluted GDPR will be just the ticket to dreamland. So sweet dreams, and don't let the information commissioners bite.

Cryptowars, and a defeat for arithmetic?

A programming error that counted entries in three databases without deduplication induced the FBI to overstate the number of devices it couldn't crack. The Bureau has often said there were 7,800 devices it was legally entitled to access but couldn't, because their encryption was beyond its ability to defeat. In fact there were only between 1,000 and 2,000: the same device, logged in more than one database, was being counted more than once. The FBI said, in a note to Ars Technica, that the error resulted from the Bureau's move to "a new collection methodology."

Good on the Bureau for coming clean on what is surely an embarrassing mistake (and an enduring one: the new methodology was put in place two years ago). The FBI says that discovering its error hasn't changed its mind over the need to do something about bad actors' ability to go dark. 
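The error is worth seeing in code, because it is the kind that survives review when each source looks fine on its own. The following is an added example, not the FBI's code or data: three constructed databases record the same handful of devices under different field names and formatting habits, and the naive sum of row counts is compared with a count of distinct, normalized identifiers. All records, identifiers and field names are invented for illustration.

```python
"""Count devices across several databases with and without deduplication.

Added example, not the FBI's code or data; it reproduces the class of error the
page describes. The three databases, their differing field names and the
device identifiers are all constructed.
"""
from typing import Dict, List, Sequence, Set, Tuple

# Each source logs the same physical device under its own field name and its
# own formatting habits (case, dashes, whitespace). Constructed data.
DB_A: List[Dict[str, str]] = [
    {"serial": "ABC-123", "case": "2017-0041"},
    {"serial": "DEF-456", "case": "2017-0042"},
    {"serial": "GHI-789", "case": "2017-0050"},
]
DB_B: List[Dict[str, str]] = [
    {"device_serial": "abc123", "office": "Pittsburgh"},
    {"device_serial": "JKL-012", "office": "Denver"},
    {"device_serial": "def 456", "office": "Denver"},
]
DB_C: List[Dict[str, str]] = [
    {"id": "ghi-789", "status": "locked"},
    {"id": "ABC-123", "status": "locked"},
    {"id": "MNO-345", "status": "locked"},
]

# (records, name of the identifier field) for every source.
SOURCES: Sequence[Tuple[List[Dict[str, str]], str]] = [
    (DB_A, "serial"),
    (DB_B, "device_serial"),
    (DB_C, "id"),
]


def normalize_id(raw: str) -> str:
    """Canonical form of an identifier: uppercase alphanumerics only.

    Without this step, "ABC-123", "abc123" and "def 456" would all be treated
    as distinct devices even after a set-based dedup.
    """
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def count_naive(sources: Sequence[Tuple[List[Dict[str, str]], str]]) -> int:
    """The flawed method: add up the row counts of every source."""
    return sum(len(records) for records, _ in sources)


def unique_devices(sources: Sequence[Tuple[List[Dict[str, str]], str]]) -> Set[str]:
    """Set of canonical identifiers seen in any source."""
    seen: Set[str] = set()
    for records, field in sources:
        for rec in records:
            seen.add(normalize_id(rec[field]))
    return seen


def count_deduplicated(sources: Sequence[Tuple[List[Dict[str, str]], str]]) -> int:
    """The correct method: one count per distinct device, however many rows mention it."""
    return len(unique_devices(sources))


def overcount(sources: Sequence[Tuple[List[Dict[str, str]], str]]) -> int:
    """How many rows the naive total counts more than once."""
    return count_naive(sources) - count_deduplicated(sources)


if __name__ == "__main__":
    print("naive total:", count_naive(SOURCES))            # 9
    print("unique devices:", count_deduplicated(SOURCES))  # 5
    print("rows double-counted:", overcount(SOURCES))      # 4
```

On this toy data the naive figure is almost double the true one, which is the same order of inflation the Bureau reported. The normalization step is the part most often skipped: a plain set union over raw strings would still overcount here, because the same serial is written three different ways.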

Crime and punishment.

The US Department of Justice, working with the Commodity Futures Trading Commission, has opened a criminal investigation into allegations of illegal Bitcoin price manipulation (Bloomberg).

Two members of the Syrian Electronic Army, neither of them in custody, have been indicted on US Federal hacking charges. Ahmad ‘Umar Agha ("The Pro") and Firas Dardar ("The Shadow") face eleven counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft in connection with spearphishing activities (SecurityWeek).

John Kelsey Gammell, of New Mexico, was sentenced to fifteen years in prison for hiring criminal booter services to conduct distributed denial-of-service attacks against organizations he felt had wronged him, including former employers. He took some OPSEC pains but undid them by sending his victims taunting emails that were his eventual downfall (SecurityWeek).

The proprietors of a mugshot-publishing site are themselves posing for police cameras. Two of the site's four owners, Sahar Sarid and Thomas Keese, have been arrested in Florida on a California extortion warrant. The site specializes (specialized?) in posting mugshots without taking notice of whether those in the pictures were ever charged, were picked up in error, or had their cases dismissed, and, of course, without so much as a by-your-leave to the subjects. The site allegedly charged hefty fees to remove pictures, and wasn't particularly nice about it either (Naked Security).

Courts and torts.

Google is facing a representative action suit by the group Google You Owe Us in London's High Court. The case (analogous to an American class action suit) alleges illicit tracking and data collection; the damages sought are £3.2 billion, roughly $4.3 billion. That's surely on the high end, but the Safari Workaround in question, in which Google placed tracking cookies on iPhones despite Safari's default blocking of third-party cookies, has had Google in US regulatory hot water before. Trouble began with the US Federal Trade Commission in 2012, with settlements with various US states after that. US penalties have come to about $39 million, so there may be some exposure in the UK (Naked Security).

A US Federal judge (Southern District of New York) has ruled that President Trump's practice of blocking critics from his Twitter account amounts to unconstitutional viewpoint discrimination, and must stop (Wall Street Journal). The ruling of course doesn't require him to pay attention to his Twitter engagements.

Patch news.

If you own one of the routers susceptible to VPNFilter, Naked Security has some advice on what you might do to become part of the solution, or at least to avoid becoming part of the problem. Tripwire also has a summary of how to respond to VPNFilter. At a minimum, reboot: that clears the non-persistent second and third stages. To remove the persistent first stage, perform a factory reset and then reflash the device with the vendor's current firmware; afterwards, change any default or weak administrative password and disable remote (WAN-side) administration, since unpatched vulnerabilities and default credentials are how the implant got in.

Next month Office 365 will begin blocking Flash, Shockwave, and Silverlight (Naked Security).

DrayTek has patched its Vigor routers (Naked Security). Dell has closed a local privilege escalation issue in SupportAssist, a support tool that comes preinstalled on most new Dell Windows machines (SecurityWeek).

Industry notes.

Microsoft and Dell have made big inroads into the US Intelligence Community market, winning a six-year cloud contract worth in the hundreds of millions of dollars (Washington Technology). The team's cloud services are now available to seventeen intelligence agencies (SDX Central). The win is viewed as strategically important for Redmond, which is in the running for the even larger Department of Defense JEDI cloud contract, a ten-year deal potentially worth $10 billion (Data Economy).

The on-again, off-again efforts to find a way in which ZTE might continue in business remained unresolved at week's end. The US and Chinese governments arrived at various compromises that would restore the sanctioned device-maker's access to its American supply chain (Wall Street Journal), possibly including leadership changes (Bloomberg) and compliance officers (CNBC), but the US Congress is in no mood to let ZTE off the hook (TheHill). In fact, Congress is prepared to give Huawei the same security-conscious heave-ho (Nextgov). Huawei's founder this week urged the company's employees not to harbor anti-American sentiments (South China Morning Post). The Commerce Department took punitive action recently against ZTE because of the company's willing evasion of sanctions against Iran and other pariah regimes, but Congress is concerned about the potential security risk ZTE devices present (Wall Street Journal).

Fishtech announced its intention to acquire long-time partner Haystax, a security analytics and risk management shop whose Constellation platform is of particular interest to Fishtech (Haystax). Parsons has bought Polaris Alpha, which has itself been on an acquisition spree. The intent of the acquisition is to augment Parsons' space and cybersecurity offerings (Washington Technology). TransUnion, the credit reporting bureau, has bolstered its fraud detection and identity management capabilities by acquiring iovation (Biometric Update). Mitek Systems has bought French artificial intelligence shop A2iA for $50 million. The acquisition is expected to increase both Mitek's document verification capabilities and its overseas reach (San Diego Union-Tribune).

Hardware protection shop RunSafe Security has raised $2.4 million ( DC). Threat Sketch, which specializes in cybersecurity management for small businesses, has closed an initial round of investment and a partnership with Strategic Focus Group (PRNewswire). Sentry, whose offering is designed to help developers find bugs more easily, closed a $16 million Series B round (TechCrunch).

Syncsort has acquired most of Townsend Security’s products. The pick-ups are intended to augment Syncsort's security offerings for the IBM i platform (IT Jungle).


Today's issue includes events affecting China, European Union, Iran, Russia, Saudi Arabia, Syria, Ukraine, United Kingdom, United States.

A note to our readers: the CyberWire won't publish Monday as we observe the Memorial Day holiday. The day is, of course, an American holiday, begun to remember the Civil War dead and long called "Decoration Day," a day when families and communities would decorate the graves of their soldiers with the flowers spring brought back. Spare a thought for those so remembered, even more for those who would otherwise be forgotten. And we invite any of our international readers who wish to join us to remember those of any nation who gave what Lincoln called the last full measure of devotion.

We'll be back Tuesday as usual.

This week's Research Saturday is up. We speak with researchers at Akamai, who describe vulnerabilities in the Universal Plug and Play capabilities of home routers, and how malicious actors could take advantage of them. Chad Seaman, senior CERT engineer at Akamai, is our guide to their results, which you'll also find in their white paper, UPnProxy: Blackhat Proxies via NAT Injections.
