The Pesky Password Problem: Red and Blue Team Battle featuring Kevin Mitnick
The week that was.
BleedingBit affects Wi-Fi access points.
Armis reports finding two zero-day flaws in Texas Instruments' Bluetooth Low-Energy chips. These are widely used in Wi-Fi access points, including enterprise access points like those manufactured by Aruba, Cisco and Meraki. Armis calls the issue "Bleeding Bit."
The first of the two flaws involves flipping the highest bit in a Bluetooth packet, which triggers a memory overflow (the memory "bleeds," hence the name). Once the device is in that condition, an attacker can run malicious code on it. This problem affects Cisco and Meraki equipment. The other bug exploits the device's failure to properly authenticate apparently trusted firmware updates. This problem affects Aruba devices. The absence of proper checks could enable an attacker to install malicious firmware.
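The two failure modes described above, shown as an added example that is not code from Texas Instruments, Armis or any of the affected vendors: a constructed model of a receive path that refuses a declared length larger than its fixed buffer, and an update path that authenticates an image before applying it. The packet layout, the 31-byte buffer, the hypothetical device key and the use of HMAC-SHA256 (standing in for the asymmetric signature a real device would verify) are all assumptions made for the illustration.

```python
"""Constructed model of the two checks missing in the BleedingBit cases.

Added example, not code from Texas Instruments, Armis or the affected vendors.
Packet layout, buffer size, key handling and the choice of HMAC are assumptions.
"""
import hashlib
import hmac

# Legacy BLE advertising payloads are at most 31 bytes; this model gives the
# receive path a fixed buffer of exactly that size (assumption for the model).
ADV_PAYLOAD_MAX = 31


def parse_adv_packet(packet: bytes) -> bytes:
    """Return the advertising payload or raise ValueError.

    Model layout (assumed): byte 0 = header, byte 1 = declared payload length,
    remaining bytes = payload. The length byte comes from the air, so it is
    attacker-controlled: flipping its highest bit turns a declared length of 3
    into 131, and a copy that trusts the field writes 100 bytes past a 31-byte
    buffer. The hardened path checks the field against both the buffer size
    and the bytes actually received before any copy happens.
    """
    if len(packet) < 2:
        raise ValueError("truncated header")
    length = packet[1]
    if length > ADV_PAYLOAD_MAX:
        raise ValueError(f"declared length {length} exceeds buffer of {ADV_PAYLOAD_MAX}")
    if length > len(packet) - 2:
        raise ValueError("declared length exceeds bytes received")
    return packet[2:2 + length]


def sign_firmware(image: bytes, key: bytes) -> bytes:
    """Build-side step: tag the image with the (hypothetical) device key."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_firmware(image: bytes, tag: bytes, key: bytes) -> bool:
    """Device-side step: accept an update only if its tag verifies.

    compare_digest avoids leaking how many tag bytes matched through timing.
    An update path that skips this check (or only checks a version string or
    a CRC) installs whatever it is handed, which is the shape of the second flaw.
    """
    expected = sign_firmware(image, key)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    good = bytes([0x00, 3]) + b"abc"
    bad = bytes([0x00, 3 | 0x80]) + b"abc"  # highest bit of the length byte flipped
    print(parse_adv_packet(good))            # b'abc'
    try:
        parse_adv_packet(bad)
    except ValueError as err:
        print("rejected:", err)
    key = b"constructed-device-key"
    image = b"constructed firmware image"
    tag = sign_firmware(image, key)
    print(verify_firmware(image, tag, key))             # True
    print(verify_firmware(image + b"\x00", tag, key))   # False
```

The point of the first function is that the length field is rejected before any copy, not after; the point of the second is that the tag check is the gate on the whole update path, and that a version string or checksum does not substitute for it.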
This sounds like, and has been characterized as, a remote code execution vulnerability, but as TechCrunch points out, that's not literally true, since the flaw can't be exploited over the Internet. An attacker would have to be within Wi-Fi range, which is typically a hundred meters or less, perhaps greater with a good directional antenna. It's enough range for a wardriver parked next to an office building, for example. Once connected, an attacker can gain access to any network using the Wi-Fi access point.
Texas Instruments and the device manufacturers have issued patches since the vulnerability was disclosed to them in July. Texas Instruments has criticized Armis, which hasn't published exploit code, for allegedly exaggerating and misrepresenting the issue (TechCrunch), but Texas Instruments has nonetheless patched. Cisco and Aruba also have patches available (Threatpost).
Updates on US midterm election meddling.
US National Security Advisor Bolton says that US Cyber Command is engaged in offensive cyber operations (short of war, he points out, and thus not needing more stringent approval) to thwart Russian disruption (Washington Post). Among other measures, the Command has been letting the trolls know that it knows what they're up to. This tactic in a more general deterrent strategy has admirers who think it clever and detractors who think it toothless, but it does appear likely to make operators think twice about their futures, and deterrence always and inevitably has a clear signaling component (Council on Foreign Relations).
Cyber Command may be preparing a more active retaliation should some direct Russian hacking occur in an attempt to disrupt voting on Tuesday (Daily Beast).
Trolling aside—and there's been no shortage of that—observers are wondering where the Russians are in the US midterm elections. Russia's cyber operators have been relatively quiet, which leads nervous commentators to predict a big surprise for next Tuesday's voting. Among the scarier speculations are corruption or denial-of-service attacks on voter registration databases that would effectively turn people away from their polling places, or even a takedown of significant portions of the power grid that would also disrupt the election (New York Times). And, of course, it's also possible that in fact Russia has effectively been deterred.
Americans apparently do form a credulous audience for Russian trolling. A study by Valimail found that people had difficulty distinguishing genuine from fraudulent campaign emails.
The case is similar with social media. The Daily Beast swotted through Twitter's recent dump of Internet Research Agency tweets—the Internet Research Agency is, of course, the Bear sisters' big troll farm in St. Petersburg—and concluded that trolling tweets also seem to work well. The Internet Research Agency's English-language service, if we may call it such, is assessed by the Daily Beast as being nine times more effective than its offerings in Slavic and Baltic languages. This is measured by the "engagement" the English-language tweets attract.
In fairness to those who live in the US, people who lived in the old Soviet Union or former Warsaw Pact countries retain long, sad, living memories of Russian-style state propaganda. They expect it, and they've developed a kind of skeptical herd immunity that's lacking in North America. There's an interesting partial exception to that relative immunity, and it's found in Russia herself, where it's apparently becoming part of the received opinion that the Americans are on the verge of a shooting civil war, probably by 2020 (Foreign Policy). (Foreign Policy asks what's Russian for "fake news." We hear it might be "поддельные новости," although ironically "правда" if construed as a proper noun might work in some contexts, too.)
Best practices in trolling.
Tehran's cyber operators have for some time had the reputation for not being as highly skilled as other nations', but for being active, fast learners, eager to pick up best practices and quick to apply them. This has proved true in the sub-discipline of information operations as well as in hacking proper. Last Friday Twitter took down a number of inauthentic accounts run from Iran. Earlier Iranian influence operations had been artlessly direct in following the domestic and international policies of the Islamic Republic. This latest round of trolling, however, was effectively indistinguishable from the stuff that's long been shopped out of St. Petersburg. The content pushed was opportunistically divisive, and directed against fissures in both American and British society. The material targeted against Britain seems vaguely Corbynite, that sent against the Americans vaguely progressive, but in neither case was the messaging uniform. One interesting possibility: there are some signs that St. Petersburg's Internet Research Agency sites referred traffic to bogus pages operated by the Iranians (WIRED).
Kraken Cryptor described.
Security companies Recorded Future and McAfee have released their studies of Kraken Cryptor, with particular attention devoted to how the ransomware is distributed through a black-market affiliate scheme. The ransomware, which was first spotted this August and which interacts with its victims by email rather than through a noisy and readily taken-down command-and-control infrastructure, is hired out by its masters to criminal clients. The crooks keep about 80% of their take, with the other 20% going to the group whose frontman or marketing director uses the nom de hack "ThisWasKraken."
They distribute the ransomware with, for the most part, the Fallout exploit kit. Kraken Cryptor uses an online casino, BitcoinPenguin, to launder the ransom payments they receive. Those payments are delivered in the form—no surprise here—of Bitcoin. From looking at the countries excluded from attack by Kraken Cryptor, Recorded Future concludes that the gang operates from Iran, Brazil, or former Soviet Republics, or perhaps some combination of these.
Possible BGP hijacking campaign.
Researchers claim that China has been running a successful, largely unnoticed man-in-the-middle campaign that proceeds by hijacking the Border Gateway Protocol (Naked Security). The researchers think China Telecom has been used to intercept traffic not covered by 2015's Obama-Xi agreement (Military Cyber Affairs).
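The defender's first line against the kind of origin hijack described above is route origin validation, checking each announcement seen at a collector against the Route Origin Authorizations published for the prefix. The following is an added example, not code from the cited researchers or from any BGP implementation; the prefixes (documentation ranges), AS numbers (private range) and ROAs are constructed, and the classification follows the RFC 6811 rules (valid, invalid, not-found).

```python
"""Route origin validation over constructed BGP data.

Added example, not code from the cited researchers or from any BGP
implementation. Prefixes, ASNs and ROAs are constructed (documentation
ranges and private AS numbers); the logic follows RFC 6811 origin validation.
"""
from ipaddress import ip_network

# Constructed ROAs: (prefix, maxLength, authorised origin AS).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed announcements as a route collector might see them: (prefix, origin AS).
OBSERVED = [
    ("203.0.113.0/24", 64500),   # announced by its authorised origin
    ("203.0.113.0/24", 64666),   # same prefix, different origin
    ("198.51.100.0/25", 64501),  # right AS, but more specific than maxLength allows
    ("192.0.2.0/24", 64502),     # no ROA covers it
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    A ROA covers the route when the announced prefix lies within the ROA
    prefix. The route is valid if any covering ROA names the announced origin
    AS and permits the announced prefix length; invalid if ROAs cover it but
    none match; not-found if nothing covers it (no ROA, so no opinion).
    """
    net = ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    for max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def find_invalid_routes(announcements, roas=ROAS):
    """Return the announcements whose origin fails validation.

    These are the candidates to alert on; each still needs a human look,
    since a stale or mistyped ROA produces the same result as a hijack.
    """
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) == "invalid"]


if __name__ == "__main__":
    for prefix, asn in OBSERVED:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn)}")
    print("alert on:", find_invalid_routes(OBSERVED))
```

Two caveats a practitioner would want: "not-found" is the common case for prefixes whose holders have not published ROAs, so it cannot be treated as an alarm, and origin validation only sees the origin AS, so an announcement that forges a path ending in the legitimate origin passes it. Watching a collector for unexpected AS-path changes on one's own prefixes is the complement to this check.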
Changing the criminals' risk-benefit calculations (by driving down the benefits).
GandCrab's extortionist masters have taken a bath recently, losing around a million dollars in unpaid demands for ransom (ZDNet). This ransomware loss is being attributed largely to the widespread availability of Bitdefender's free decryptor. This is an interesting example of the way legitimate business can out-compete black market actors.
Looking for love in all the wrong apps.
Zscaler warns that a matchmaking app, Soulmate, is making connections of the wrong kind. Found on Google Play, Soulmate is actually spyware. It may or may not link up simpatico people, but Soulmate certainly listens in on incoming and outgoing calls, intercepts SMS messages, rifles through contacts, and tracks users' current and last known locations.
Apple this week issued a range of patches and security upgrades for its devices.
Crime and punishment.
The US Department of Justice indicted two Chinese intelligence officers and eight accomplices on charges related to theft of intellectual property from US and French aerospace firms (ZDNet). The US Department of Justice yesterday released an unsealed grand jury indictment of ten Chinese nationals, at least two of them serving intelligence officers, charging them with industrial espionage against at least thirteen US companies in the aerospace sector. The activities revealed in the indictment, WIRED observes, show the Ministry of State Security's adherence to classic forms of agent recruiting and handling. This proceeds by spotting potential agents, assessing their value, developing them by accustoming the recruit to performing small, trivial, apparently innocent favors for the recruiter, then recruiting them, and finally handling them as they deliver information and receive whatever compensation the intelligence service has seen fit to provide.
Botnets survive the arrests of their masters, sometimes. Researchers at CenturyLink report that the Satori botnet continues to evolve and remains a threat. This is noteworthy because the individual regarded as one of its principal—alleged—authors has been in custody for some time. Satori has over the last few months moved away from its original set of IoT targets, many of which it took from its Mirai precursor, and on to Android devices. That alleged author is one Kenneth Currin Schuchman, also known by his preferred nom-de-hack of "Nexus Zeta." He was arrested in August and granted pre-trial release. He's now back in custody for violating the terms of that release. What exactly he did, ZDNet reports, isn't known, but it was enough to land him back in the SeaTac detention center in the State of Washington (ZDNet).
Tyler Barris of California, the (alleged) SWATter (allegedly) responsible for the January death in Kansas of an innocent man uninvolved in Mr. Barris's online gaming one-upmanship, has agreed to plead guilty to forty-six US Federal charges (Wichita Eagle). His trial is set for this coming January. Don't confuse the guilty pleas with self-awareness or remorse: Mr. Barris has disclaimed responsibility for the death, on the grounds that he didn't discharge a weapon (the SWAT team he summoned as a hoax did that). He also promised, from jail, to SWAT other people, apparently as an act of self-assertion. Also charged in connection with the incident were two of Mr. Barris's fellow clueless gamers, Casey Viner, of Ohio, and Shane Gaskill, of Wichita, Kansas. Mr. Viner and Mr. Gaskill have said they're not guilty (Naked Security).
Courts and torts.
Activist investor, devoted plaintiff, and inveterate board-room gadfly Carl Icahn is suing Dell, alleging inadequate disclosure of various equity moves as Dell prepares to take itself public again (CRN).
Policies, procurements, and agency equities.
NSA and US Cyber Command are considering separating their infrastructures (Fifth Domain). This is one instance of change being driven by a more assertive national strategy for cyberspace; others will follow (Fifth Domain). Federal CISO Grant Schneider, speaking at CyberCon, characterized that strategy as shifting from "policy and process" to "action and accountability" (Fifth Domain).
Fortunes of commerce.
ZTE is expected to post a $1 billion loss, driven mostly by US fines and sanctions (Telegraph).
Another Chinese hardware maker has also come under US sanctions. The Commerce Department has restricted US companies from selling goods to Fujian Jinhua Integrated Circuit Company, a manufacturer of microchips. Commerce says the restriction was imposed on national security grounds, insofar as it has determined that Fujian is likely to engage in activities injurious to the US (Wall Street Journal). Micron is also suing Fujian alleging theft of intellectual property, and on Thursday the US Justice Department announced the indictment of Fujian and its Taiwanese partner United Microelectronics Corporation for IP theft (Wall Street Journal).
The tight cyber labor market is reflected in the larger IT labor market: International Data Corp. estimates that in 2022 30% of IT positions worldwide will go unfilled (Wall Street Journal). Leidos has some thoughts on recruiting and retaining cyber talent (Federal News Network).
The US Marine Corps has found that, while there are challenges in both recruiting and retaining cyber operators, retention seems to be easier than recruiting (Fifth Domain).
Mergers and acquisitions.
In an acquisition not directly in the security space, but that will certainly have ramifications in that market, IBM has announced that it will buy hybrid cloud provider Red Hat for $34 billion. The move is expected to shore up IBM's position in subscription-based software (Yahoo!). The security implications of the merger are still being sorted out, but both companies as they discussed the transaction emphasized security as one of the most important things customers are looking for in cloud services (Dark Reading). The acquisition is regarded as something of a coming-out party for Linux in business software. It's been a presence there for a long time, but this represents a final arrival (Wall Street Journal).
Layered Insight, a container-native security company based in California, has been acquired by secure cloud provider Qualys, which intends to integrate their offerings into its Container Security solution, adding runtime defense and automated enforcement (Qualys).
Mobileum, the analytics-based roaming and risk management shop headquartered in Cupertino, California, has looked to the UK for an acquisition. It's acquiring Bristol-based Evolved Intelligence, whose capabilities provide a good complement to Mobileum's. Terms of the acquisition were not available (BusinessWire).
Intersections, which owns the consumer security platform Identity Guard, has agreed to an acquisition by WC SACD One Parent Inc., a joint venture of iSubscribed, WndrCo and General Catalyst. The acquisition is expected to prove a good fit with iSubscribed's Intrusta brand (Market Watch).
Investments and exits.
Area 1 Security has closed a $32 million Series-C round, led by Kleiner Perkins with participation by Icon Ventures, DCVC, Top Tier Capital Partners, Allegis Cyber and Epic Ventures. The anti-phishing shop intends to use the funding to expand its operations (FinSMES).
Shape Security announced a Series E round of $26 million led by Norwest Venture Partners with new investors JetBlue Technology Ventures and Singtel Innov8. Existing investors Kleiner Perkins, Allegis Cyber, Venrock, Baseline Ventures, Focus Ventures, and Tomorrow Ventures also participated. The capital will be used to expand Shape Security's anti-bot, anti-fraud, and anti-automation offerings internationally (Shape Security).
INKY has emerged from stealth, having raised $5.6 million in Series A funding from investors that include ClearSky Security, Gula Tech Adventures and Blackstone. Rockville, Maryland-based INKY offers Phish Fence, an AI-enabled email anti-phishing solution, and it intends to use the funding to support its go-to-market efforts (PRNewswire).
Attila Security, which offers intelligent, portable, next-generation VPN firewall appliance GoSilent, announced an initial funding round. The $2.5 million seed round (which was oversubscribed) was led by DataTribe, Bull City Ventures, and TEDCO's Seed Fund (PRWeb).
And security innovation.
RSA 2019 will add a shark-tank-like element to its long-running Innovation Sandbox this coming year. RSAC Launch Pad will give three companies ten minutes each to pitch themselves to venture investors (Help Net Security).
Maryland-based Fugue, specialists in automating compliance and cloud security, has concluded a partnership with In-Q-Tel, the venture investor established by the US Intelligence Community. The partnership is expected to make Fugue's technology more easily accessible to US Government customers (BusinessWire).
This CyberWire look back at the Week that Was discusses events affecting Australia, Brazil, Canada, Israel, Iran, Romania, Russia, the United Kingdom, and the United States.
On the Podcast
Research Saturday is up. Symantec technical director Vikram Thakur returns to share his team's look at threat groups APT 28 and APT 29 (respectively Fancy Bear and Cozy Bear), the influence they had on the 2016 election, and how the cyber security industry has responded in preparation for the 2018 midterms.
© 2019 CyberWire, Inc.