
More signal. Less noise.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Daily briefing.

A CyberWire Daily News Briefing redesign is coming.

After the Thanksgiving holiday, we'll be rolling out a new format for our email. We've redesigned it the better to avoid falling into spam traps, or becoming inadvertently enmeshed in the array of anti-phishing measures increasingly deployed. You've seen some of these changes already with our addition of inline links to our summary. When the redesign is complete, you'll see fewer links to suggested reading in the email itself. That selected reading will remain present in its entirety on our website, posted as always with the appropriate Daily News Briefing. We hope you'll find the new format more user-friendly. We'll announce the date of the rollout as it approaches. And, as always, thanks for subscribing and reading.

Several nation-state threat actors have returned to action this week. They're back in familiar but upgraded forms.

North Korea's Lazarus Group is back, hitting financial institutions in Asia and Latin America. They're making improved use of backdoors. As usual with the Lazarus Group, the motive is financial (TrendLabs).

The Pterodo backdoor campaign reported by Ukrainian authorities is now being attributed by observers to Russia, but that attribution remains preliminary and circumstantial. They associate Pterodo with the Gamaredon threat group, widely believed to be a unit of Russia's FSB (Ars Technica).

Coincidentally or not, the newly reawakened Cozy Bear, also generally regarded as an FSB (or possibly SVR) unit, has deployed improved phishing techniques against US targets (WIRED).

And another Russian threat group, the Hades APT, is also back. Hades was responsible for the Olympic Destroyer wiper campaign that targeted the South Korean-hosted Winter Olympic Games. It's added anti-analysis and delayed execution as well as a single-stage dropper, which suggests that Hades is learning from and reacting to the measures used against it earlier in 2018 (Check Point).

Since November 12th, an unknown (but believed to be foreign) group has been attacking certified email accounts in Italy. Both the government and the private sector have been affected, with courts particularly disrupted (Reuters).

HackRead reports that both Facebook and Instagram are suffering widespread outages. This is the second significant outage in as many days: yesterday it was Messenger (Forbes). They're working on it: at this point the outages seem to be accidents.

Notes.

Today's edition of the CyberWire reports events affecting Canada, China, Ecuador, European Union, Iran, Italy, Democratic People's Republic of Korea, Russia, Singapore, Ukraine, United Kingdom, United States.

A quick note: we'll be observing Thanksgiving this week, so there will be no Daily News Briefing or Daily Podcast on Thursday or Friday, and no Week that Was this Saturday. Everything will return to normal Monday.

What are the brightest minds saying about network security?

We're asking knowledgeable security insiders like you to take a short survey. In return, we're offering all qualified respondents a chance to enter a drawing to win one of three gift cards valued at $50 each. Join other cybersecurity leaders and share your viewpoints. Click here to take the survey.

Did you know that Amazon Alexa skills squatting is a thing? In today's podcast, up later this afternoon, Malek Ben Salem from our partners at Accenture Labs tells us about it. Our guest is Ronnie Tokazowski from Flashpoint, who describes his work with the Business Email Compromise Working Group.

International Spy Museum's 2nd Annual William H. Webster Distinguished Service Award Dinner (Washington, DC, United States, November 28, 2018) Join the Spy Museum for the second annual William H. Webster Distinguished Service Award Dinner honoring Admiral William H. McRaven on Wednesday, November 28 at The Ritz-Carlton. For tickets, visit spymuseum.org.

Cyber Security Summit: November 29 in Los Angeles (Los Angeles, California, United States, November 29, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The CIA, The City of Los Angeles, Verizon, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

Rapid Prototyping Event: The Turing Test (Columbia, Maryland, United States, December 11 - 13, 2018) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting a Rapid Prototyping Event in which participants implement an automated process that interacts with a Microsoft Windows machine just as a human user would. The goal is to fool a human judge, who monitors the target computers via Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), into thinking that a normal user, not an automated program or process, is interacting with the machine.

Cyber Attacks, Threats, and Vulnerabilities

Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America (TrendLabs Security Intelligence Blog) The Lazarus cybercriminal group successfully planted their backdoor into several machines of financial institutions across Latin America.

Big foreign cyber attack targets Italian certified email accounts (Reuters) Unknown hackers gained access to thousands of Italian certified email accounts, ...

Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs (SecurityWeek) Documents used in cyberattacks by Iran-linked cyber-espionage group OilRig (APT34) were delivered to the victim via a spear-phishing email within 20 minutes after creation.

Hackers Impersonated State Department Spokeswoman, Experts Say (Bloomberg) Group that leaked Clinton emails believed to be behind attack. State Department, Nauert, deputy Stevenson not compromised.

Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz (Ars Technica) Emails that seem eerily familiar masquerade as US State Department.

Russia's Elite Hackers May Have New Phishing Tricks (WIRED) Two new reports show an uptick in sophisticated phishing attacks originating from—where else—Russia.

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign (Security Boulevard) FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.

Olympic Destroyer Wiper Changes Up Infection Routine (Threatpost) The Hades APT group continues its quest to stay under the radar.

Olympic Destroyer Returns with Improved Arsenal (Security Boulevard) The hacker group that attacked the 2018 Winter Olympic Games IT infrastructure with the Olympic Destroyer malware is still active and has recently been observed attacking organizations with an improved arsenal.

New Strain of Olympic Destroyer Droppers (Check Point Research) Over the last few weeks, we have noticed new activity from Hades, the APT group behind the infamous Olympic Destroyer attack. Moreover, this new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution...

Analysis | What’s the strategy of Russia’s Internet trolls? We analyzed their tweets to find out. (Washington Post) The Internet Research Agency posed as local news outlets and spread outrage more than fake news.

Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack (Ars Technica) Revived Gamaredon threat group just part of wave of new attacks tied to Russia's FSB.

Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers (ZDNet) Hacks could be easily avoided if people would patch their Drupal CMSs and Linux web servers.

Instagram Download Tool Exposes User Passwords (SecurityWeek) Instagram informs some users that their passwords may have been exposed as a result of using the “Download Your Data” tool

New Vehicle Hack Exposes Users’ Private Data Via Bluetooth (SecurityWeek) People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have had their personal information exposed to a new type of in-vehicle Bluetooth hack, dubbed CarsBlues.

Is your Facebook and Instagram down? Well, you are not alone (Updated) (HackRead) Facebook and Instagram users are reporting widespread outages.

Facebook And Instagram Are Down In Second Snag This Week (Forbes) Global Facebook users reported outages Tuesday on the web's largest social media platform, as well as on sister platform Instagram.

Microsoft cloud suffers login fail (CRN Australia) Multi-factor authentication is down for some Azure and Office 365 users.

"Classic" bugs open TP-Link's SafeStream Gigabit Broadband VPN Router to attack (Help Net Security) Cisco Talos researchers have flagged four serious vulnerabilities in TP-Link's SafeStream Gigabit Broadband VPN Router (TL-R600VPN).

6,500 Dark Web Sites Offline After Hosting Service Attacked (Dark Reading) The actor behind the attack on Daniel's Hosting, and their initial point of entry, remain unknown.

Make-A-Wish website compromised to serve cryptojacking script (Help Net Security) The international website of the US-based non-profit Make-A-Wish Foundation has been compromised to serve a cryptojacking script.

Fake Email Leads the List of Cybercrimes to Watch Out for This Holiday (Valimail) Data collected by Valimail during the week of Thanksgiving in 2017 showed a dramatic rise in the number of fake emails sent that week.

The Mixed Forecast for Cybersecurity during Black Friday and Cyber... (Bricata) The first nine months of 2018 have not been easy in cybersecurity circles. Reporting indicates that while breaches and records exposed are down slightly, the statistics are still staggering: 3,676 breaches and 3.6 billion compromised records, according to Dark...

Beware Black Friday Scams Lurking Among the Holiday Deals (WIRED) Cybercriminals are always looking to steal your credit card or even your identity. But it pays to be on extra high alert come Black Friday.

Black Friday security alert as hackers spoof popular brands (IT Pro Portal) Shoppers need to be extra careful during the holiday season, report warns.

Every day is Black Friday (Naked Security) Scammers don’t stop trying to dupe you or take their foot off the gas just because it’s the day after Cyber Monday.

Credit card fraud in ANZ showing no signs of abating (ComputerWeekly.com) The value of fraudulent transactions more than doubled that of legitimate purchases during the third quarter this year

An Introduction to Magecart (Akamai) Since at least September, a number of criminals have been targeting online shopping carts and skimming credit card data at checkout. Collectively, these criminals are being called Magecart. Researchers at RiskIQ and Flashpoint Intelligence have identified...

Security Patches, Mitigations, and Software Updates

Microsoft: We've pulled buggy Outlook 2010 patches over crashes (ZDNet) Flawed updates cause Outlook and other apps to crash.

Patch Skype for Business now or risk DoS via emoji kittens! (Naked Security) So cute! So grabby with the bandwidth!

Update now! Dangerous AMP for WordPress plugin fixed (Naked Security) The popular plugin for implementing Accelerated Mobile Pages returned, patched, to WordPress.org last week.

Instagram kills off fake followers, threatens accounts that keep using apps to get them (TechCrunch) Instagram is fighting back against automated apps people use to leave spammy comments or follow then unfollow others in hopes of growing their audience. Today Instagram is removing inauthentic follows, Likes and comments that violate its policies from the accounts of people who use these apps; sen…

Microsoft Enhances Windows Defender ATP (SecurityWeek) Windows Defender ATP's attack surface reduction rules can now prevent Office communication applications, such as Outlook, and separately Adobe Reader, from creating child processes.
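As an added example (not code from the page, from SecurityWeek, or from Microsoft's own documentation), here is how an administrator would roll out the two child-process rules mentioned above with the built-in Defender cmdlets: audit first, review what would have fired, then enforce. The rule GUIDs are the ones Microsoft publishes for "Block Office communication application from creating child processes" and "Block Adobe Reader from creating child processes"; confirm them against the current ASR rule reference before deploying, and treat the audit window and log review as assumptions about your environment.

```powershell
# Added example: stage two Attack Surface Reduction (ASR) rules from audit to block.
# Run from an elevated PowerShell session on a Windows 10 host running Defender.
# Assumption: these GUIDs match Microsoft's published ASR rule IDs; verify before use.
$Rules = @{
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}

# Step 1: audit mode. Nothing is blocked; each would-be block is logged as event 1122
# in the Defender operational log, so legitimate child processes surface before enforcement.
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: review audit hits (assumption: the audit window has run long enough to be representative).
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
             -FilterXPath '*[System[EventID=1122]]' -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# Step 3: enforce once the audit log shows only the unwanted spawns.
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Step 4: confirm. Ids and Actions are parallel arrays; action 1 = Block, 2 = Audit, 0 = Disabled.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    '{0}  action={1}  {2}' -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $Rules[$id]
}
```

Once enforced, blocked spawns are logged as event 1121 in the same log, which is the event a detection team should forward, since a child process launched from Outlook or Reader is exactly the macro-to-payload or exploit-to-dropper step these rules exist to cut off.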

Cyber Trends

Exclusive poll: America sours on social media giants (Axios) Americans are waking up to dark side of the technologies that play big roles in their daily lives.

How artificial intelligence is disrupting cyber crime (Computing) Mariana Pereira, director at Darktrace, discusses how AI and machine learning technologies are changing the ways cyber criminals seek to attack enterprises and steal their data.

On Pace To Break 20k Mark For Disclosed Vulnerabilities (Risk Based Security) The number of vulnerabilities through Q3 of 2018, though significant and on track to be over 20,000, is down from the same time last year and will likely fall short of the record-breaking 2017 year end numbers of more than 22,000 disclosed vulnerabilities, according to Risk Based Security.

Small Businesses, Big Breaches (SecurityWeek) Board of directors, business partners, consumers, and legislators all play a role in defining how much risk is acceptable in their organizations.

India Among Top 4 Countries Targeted for Phishing Attacks: RSA Security (NDTV Gadgets360.com) India is among the top four nations targeted by phishing attacks. The other three are Canada, the US, and the Netherlands.

Marketplace

Mark Zuckerberg's 'war' footing at Facebook driving out executives (The Telegraph) Aggressive internal messaging from Facebook chief executive Mark Zuckerberg is causing rifts with allies and contributing to high-level departures.

Analysis | The Cybersecurity 202: Dem senator on Facebook: 'This isn't a public relations problem' (Washington Post) Sen. Mark Warner calls the company's issues more fundamental.

Perspective | Embattled and in over his head, Mark Zuckerberg should — at least — step down as Facebook chairman (Washington Post) Two devastating pieces of journalism show how disastrous the media giant has become.

Google threat to close Google News in the EU over 'link tax' plan (Computing) Google will do to Google News in the EU what it did to Google News in Spain in 2014, company warns.

Vodafone chief vouches for Huawei in security debate (Times) The new boss of Vodafone has backed Huawei, the Chinese telecoms supplier that is under scrutiny from the government amid concerns about risks to national security. Nick Read said that Huawei was...

Ford Eyes Using Personal Data to Boost Profits (Threatpost) Ford's CEO sees the tech company model as key to the company's next chapter.

FireEye Is Finally Getting Its Act Together (The Motley Fool) The cybersecurity specialist has won back investor confidence with its solid results and looks destined for better times.

Apple’s Tools Sneak Into Business (Wall Street Journal) This summer, Apple addressed a major IT pain point with the launch of Apple Business Manager, which lets administrators manage Apple devices, apps and accounts. It’s being used by more than 40,000 businesses, including sneaker companies GOAT and Flight Club.

Microservices Firewall Innovator Alcide Raises $7M to Redefine Cloud Security (GlobeNewswire News Room) Total Funding Reaches More Than $12M Only Seven Months After General Availability; Company Expanding to US and EMEA

Five key questions for Cylance partners following Blackberry takeover (CRN) What is a former smartphone maker doing buying a next-gen security start-up, and what will the deal mean for Cylance partners' margins and market opportunity?

Products, Services, and Solutions

Asigra TrueNAS Backup Appliance Built on iXsystems Open Source Storage to be Unveiled at VMWorld 2018 (Asigra) The Asigra TrueNAS Backup Appliance is a physical hardware solution configured with Asigra Cloud Backup Software version 14.

SyncDog Inc. Supports Utility Companies in Secure Communications During Emergency Power Outages (Digital Journal) generation mobile security and data loss prevention, today announced

empow Announces Partnership with Elastic (empow) Integration of empow’s intent-based NG SIEM with the Elastic Stack will provide unprecedented, rules-free proactive security coverage

F-Secure Boosts Endpoint Detection and Response With Unique On-demand Elevate to Experts (Markets Insider) Endpoint protection solutions and prevention are very effective when it comes to fighting commodity cyber t...

Rivierenland improves security, performance and availability with new VDI platform and support from Proact (News Powered by Cision) Water authority Rivierenland has modernised its VDI platform with support from specialists at

PayLeak-3PC: Pulitzer Prize Winning Newspaper Blocks Malicious Mobile Redirect (The Media Trust) Malicious campaign targets users of widely-used digital wallet.

Mobey Forum sets up digital ID expert group (Finextra) Mobey Forum, the global industry association empowering banks and other financial institutions to shape the future of digital financial services, today announces the formation of the Digital ID Expert Group.

A closer look at HTC’s blockchain phone, the Exodus 1 (TechCrunch) The Exodus 1 didn’t make its global debut on stage at TechCrunch Shenzhen. That was the plan, but stuff, as the saying goes, happens. It simply didn’t make its way from Hong Kong to China in time. I won’t lie, I was a bit suspicious of this latest turn of events. After month of teasing […]

Technologies, Techniques, and Standards

Here’s how Cyber Command’s ‘defend forward’ strategy protects the nation in cyberspace (Fifth Domain) Cyber Command is using its unique capabilities to provide important insights to civilian agencies and the private sector.

The Czech tech to overcome Russian jammers (C4ISRNET) Czech company Era is relatively unknown outside of the electronic surveillance community and civil aerospace sector, but it has a rich history in passive sensor technology.

The new way the Army will conduct information operations (Fifth Domain) A quietly released Army document provides in-depth steps and tactical guidance on how to conduct

Here’s what combatant commanders want from cyber teams (Fifth Domain) Combatant commanders are asking for this from their cyber commanders.

Can Army Afford The Electronic Warfare Force It Wants? (Breaking Defense) Army planners are thrashing out how many electronic warfare specialists the service needs, not just to rebuild radio-jamming and spoofing capability in combat units, but to create a training cadre that can sustain the EW corps for the long-term.

OWASP Sting: How Education Can Take the Bite out of Common Vulnerabilities (Infosecurity Magazine) It should be a wake-up call to the industry that the most common security threats have remained nearly unchanged since the first OWASP list 15 years ago.

CVSS Scores Often Misleading for ICS Vulnerabilities: Experts (SecurityWeek) While CVSS can be useful for rating vulnerabilities, the use of the standard for flaws affecting ICS can have negative consequences, particularly if an organization relies solely on it for prioritizing patches

Do Wearable Devices Connect People to the Internet of Things? (Clutch) People who own wearable devices mostly connect them to their smartphones, rather than other IoT devices, which limits their devices' functionality, according to our new survey.

Design and Innovation

Deception technology: An approach that is beginning to gain traction (Federal News Network) Tony Cole, the chief technology officer at Attivo Networks, explains how agencies can stop being one-step behind the cyber attackers.

Research and Development

Future military satcom system puts cybersecurity first - SpaceNews.com (SpaceNews.com) Electronic threats against satellite communication have rapidly escalated in the last few years and will continue to advance in the foreseeable future.

Academia

Gannon University launches cybersecurity program (GoErie.com) The initial vision for the six-story Knight Tower in downtown Erie calls for space for cyber labs, a hacking lab, a defense lab and a lab where they would

UTSA, NSA partner to accelerate degree completion and workforce development (UTSA Today) UTSA and the National Security Agency (NSA) have announced an articulation agreement to create accelerated degree plans in cybersecurity and modern languages and enhance workforce development in those fields.

Legislation, Policy, and Regulation

How China Walled Off the Internet (New York Times) The web was supposed to set the world free. China's is censored, but booming anyway.

A Little Less Complication: Does the UK Need a New Cyber Council? (Infosecurity Magazine) If approved, what impact would a UK Cybersecurity Council have?

Qatar beefs up incident response capabilities against cybercrimes (MENAFN) Qatar's Cybersecurity Centre (CSC) has strengthened its incident response capabilities to protect and assist its client organis

Singapore Signs Cybersecurity Agreements With US, Canada (SecurityWeek) Singapore signs cybersecurity agreements with Canada and the United States

The Bill Codifying The New Cybersecurity and Infrastructure Security Agency Is Short and Sweet (CTOvision.com) The nation has a new federal agency. The Cybersecurity and Infrastructure Security Agency (CISA) was created out of several existing organizations within the DHS. The CISA was codified by a law signed by the President on 16 November 2018. I read what DHS said about CISA (see more here). Then thought I should spend a …

Department of Health wants to up security posture to Commonwealth standard (ZDNet) The Australian government department wants a solution to support its move towards compliance with the Essential Eight Security Controls.

HHS Deputy Secretary Eric Hargan Describes Cyber Initiative (BankInfo Security) So what's the mission of the newly launched Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, and how will it function? HHS

The SEC and Cybersecurity Regulation (Lawfare) American companies are getting hacked, and the Securities and Exchange Commission wants corporate executives to do something about it.

Litigation, Investigation, and Law Enforcement

We can detest Assange but don’t lock him up (Times) As his lawyers might put it, Julian Assange’s best defence against extradition to America is that there is no law yet against being really annoying. Remarkably it is now a little over six years...

TalkTalk hackers jailed over 2015 data breach that affected 1.6 million customers (Computing) Matthew Hanley and Connor Allsopp sentenced to 12 months and eight months respectively.

Russian hacker arrested in Bulgaria for ad fraud of over $7 million (ZDNet) Alexander Zhukov, a supposed hacker who went online by the name of "Nastra," is currently fighting extradition to the US.

Woman in alleged homeless Marine veteran scam duped by boyfriend, says attorney (Marine Corps Times) A woman charged with scamming GoFundMe donors out of more than $400,000 with a fake story about a homeless veteran was duped by her former boyfriend and genuinely thought she was helping the man, her attorney said Monday.

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Transport Security Congress (Washington, DC, USA, April 2 - 3, 2019) The Transport Security Congress brings together business and security leaders from all sectors of passenger and goods transportation to discuss solutions to the evolving security and safety risk landscape.

Australian Cyber Conference 2019 (Melbourne, Victoria, Australia, October 7 - 9, 2019) The Australian Information Security Association (AISA) is the premier industry body for information security professionals in Australia. As a nationally recognised not-for-profit organisation, AISA champions...

Upcoming Events

Kingdom Cyber Security (Riyadh, Saudi Arabia, November 20 - 21, 2018) Setting a game plan to boost cyber resilience at the national level.

API Security Summit (London, England, UK, November 21, 2018) The API Security Summit, taking place in London on the 21st of November 2018 will bring together the financial services community, regulators, fintechs, TPPs and associations from across UK and Europe to find solutions to the current lack of standardisation, debate what standards/legislation may emerge in 2019, and how to plan with these in mind.

Army Autonomy and Artificial Intelligence Symposium and Exposition (Detroit, Michigan, USA, November 28 - 29, 2018) This symposium will explore and showcase innovative ways the U.S. Army is developing critical capabilities in robotics, autonomy, machine learning, and artificial intelligence. The goals are to explore...

The Cyber Security Summit: Los Angeles (Los Angeles, California, USA, November 29, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts.

IEEE WIE Forum USA East (White Plains, New York, United States, November 29 - December 1, 2018) IEEE WIE Forum USA East 2018 focuses on developing and improving leadership skills for individuals at all stages of their careers. Attendees will have the opportunity to hear inspirational and empowering...

Securing Digital ID 2018 (Alexandria, Virginia, USA, December 4 - 5, 2018) As an increasing number of transactions move online and are mobile-enabled, the conference will explore today’s complex world of digital identities and how they are used for strong authentication and remote...

First Annual Maryland InfraGard Cybersecurity Conference (College Park, Maryland, USA, December 5, 2018) InfraGard is a partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely...

International Cyber Risk Management Conference (Hamilton, Bermuda, December 6 - 7, 2018) Now in its fourth year in Canada, the International Cyber Risk Management Conference (ICRMC) has earned a reputation as one of the world’s most trusted cyber security forums. We are proud to bring ICRMC...

2018 Cloud Security Alliance Congress (Orlando, Florida, USA, December 10 - 12, 2018) Today, cloud represents the central IT system by which organizations will transform themselves over the coming years. As cloud represents the future of an agile enterprise, new technology trends, such...

Wall Street Journal Pro CyberSecurity Executive Forum (New York, New York, USA, December 11, 2018) The WSJ Pro Cybersecurity Executive Forum will bring together senior figures from industry and government to discuss how senior executives can best prepare for hacking threats, manage breaches, and work...

National Cyber League Fall Season (Chevy Chase, Maryland, USA, December 15, 2018) The NCL is a defensive and offensive puzzle-based, capture-the-flag style cybersecurity competition. Its virtual training ground helps high school and college students prepare and test themselves against...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.