2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.

WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.

The week that was.

Problematic apps chased from Apple's walled garden.

Apple continues to eject questionable security apps from its Store. Over last weekend it developed that researchers apparently associated some of these apps with Trend Micro (9to5Mac). Some call the ejection fast, others say it was still too slow, and that it's about time (Computing).

Learn how to achieve one source of truth for risk, compliance & vulnerability management.

Today most organizations are developing applications, either for external customers or to run the business. Either way, you need to make sure secure software is shipped, especially as the cybersecurity landscape is constantly changing in tactics and intensity. Read how IT resilience platform provider Zerto is using the CYBRIC platform to achieve one source of truth for risk, compliance and vulnerability management across its dynamic SaaS environment and making sure it has the right security processes in place for future growth.

And the problematic apps turned out to belong to Trend Micro.

Trend Micro acknowledged, after some initial investigation, that its products Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder all collected and uploaded what Trend Micro calls "a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation." They also pointed out that such collection, while an unintentional artifact of code library reuse, was fully disclosed in the end-user license agreement. The company says it understands the objections, EULAs notwithstanding, and regrets the incident. They've discontinued the objectionable features of the apps and have permanently deleted all the legacy logs (ZDNet). As they put it on their corporate blog, "We apologize to our community for concern they might have felt and can reassure all that their data is safe and at no point was compromised."

$8.76 million: The average yearly cost of insider threats. Get the report.

Insider threat incidents come with a hefty price tag, according to the “2018 Cost of Insider Threats: Global Organizations” report released by independent research group, The Ponemon Institute. Make sure that you understand the full context (and cost) of these threats by downloading the full report. Get your copy today.

British Airways breach, and other Magecart capers.

British Airways continues to struggle with its large data breach. Observers say that the airline's payment site was loading scripts from at least seven domains other than its own, and that it was out of PCI compliance (SC Magazine). 

A number of observers were struck by apparent similarities between the British Airways breach and the earlier incident at Ticketmaster (Computing). RiskIQ says the similarity is accounted for by "Magecart," a family of crimeware that's afflicted code libraries in the supply chain since 2015 at least. Magecart is not the name of a single gang, but rather of a loose set of different criminal organizations all of whom use the commodity malware that's freely traded in dark web souks. It remains in active use on an unusually large scale, employed for "digital skimming" attacks using malicious JavaScript against a range of enterprises.

At the end of this week another Magecart infection came to light. Attackers succeeded in compromising customer-engagement shop Feedify's shared JavaScript library. Feedify had actually been infected back in August, and cleaned out the bad code; this is a re-attack. RiskIQ recommends that anyone using the library remove the JavaScript link from their stores as soon as possible (Infosecurity Magazine).

A year in, companies unsure of risk under China's Cyber Security Law, says Control Risks.

Over a year into China’s Cyber Security Law, Control Risks experts say its vague definition and application leaves multinational companies struggling to understand their risk. Further, how strictly the government will crack down and the extent of penalties for non-compliance remain open questions. Nonetheless, companies operating in China must understand their unique exposure and specific cyber, physical and procedural requirements. Let Control Risks help you make the critical decisions to seize your opportunities in China.  

An Executive Order for imposition of costs.

US President Donald Trump Wednesday signed an Executive Order that would automatically impose sanctions on any foreign entity found to be interfering in US elections. "Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election" declares a national emergency, and requires the Director of National Intelligence to regularly assess activities directed at influencing or otherwise disrupting US elections, and to report findings to the Departments of Justice and Homeland Security. Those Departments would determine within forty-five days whether the interference had occurred. If the conclusion is that someone did interfere, then the Departments of State and the Treasury would automatically impose a range of appropriate sanctions. Such sanctions could include, the executive order specifies, blocking of assets, blocking transfer of property, stopping US investment in sanctioned companies, and restriction of travel. National Security Advisor Bolton said that the order covered not only attacks on election infrastructure, which would presumably include voting machine hacks, data manipulation, and so forth, but also "distribution of propaganda" intended to have an effect on an election (Ars Technica).

WIRED calls the Order "a bandaid." Others see a workable system (Fifth Domain). Congress continues to work on cybersecurity legislation (Nextgov). Three pending Senate bills may be found here, here, and here. Much of the House legislation under consideration concerns Homeland Security and infrastructure protection (FCW). Some members of Congress say the Executive Order doesn't go far enough; others say the Executive Branch needs more legislative authority to act (Washington Post).

How the browser can win or lose the Midterm Elections.

Come learn how and why! Join Authentic8 in DC on September 20th for a happy hour and appetizers. The 2018 Midterm Elections can dramatically change the political landscape. The battle for campaign targeting in key seats often boils down to Web based content. Come learn how a browser can be tracked and used for campaign targeting, what technical hurdles are in the current campaign targeting landscape, and how you can protect yourself. Register now!

Unholy information operations.

Russia's President Putin says they now know who the two men are the British fingered for the Salisbury nerve agent attacks. He says they're just regular civilians, and that Russia had nothing to do with attempted assassination and successful manslaughter. Russian state television speculated that British Prime Minister May would resign in disgrace (BBC).

The two suspects did appear on Russian television and explained that they were simple tourists who made a quick trip to see Salisbury Cathedral and Stonehenge. No one really believes this. A spokesman for Prime Minister May (who hasn't resigned) called the remarks "ludicrous" and "an insult to the public's intelligence" (Times).

The case is an interesting study in Russian information operations: confusing cross-currents of misdirection, most recently concerning time stamps on surveillance footage of suspects Petrov and Boshirov, flat denials of involvement accompanied by sententious good-citizen offers of cooperation in the investigation, charges of foreign hostility to Russia, and allegations that whatever happened was a provocation. It's a familiar playbook and it will be seen again (BBC).

Russian intelligence services continue to work on Orthodox churches, which they wish to see remain firmly in orbit around the Patriarch of Moscow. They're especially interested in the Ukrainian branch of the church (Foreign Policy).

EU passes controversial copyright law.

The European Union passed its long-debated and widely feared copyright law, which incorporates what's been called a "link tax." There are some exemptions for smaller organizations and not-for-profits, but in general the law is very good news for rent-seeking big media companies and moderately bad news for everyone else, where the law is widely seen as opening up considerable possibilities for censorship (Motherboard). At a minimum, the measure seems likely to force YouTube-like content moderation on much of the Internet (Ars Technica).

Patch notes.

MIcrosoft's Patch Tuesday included fixes for three bugs undergoing active exploitation in the wild. One of them was the weakness revealed last week on Twitter by @SandboxEscaper, a privilege-escalation issue in Windows Task Scheduler (Threatpost).

Adobe also patched this week. Among their fixes were six critical vulnerabilities in Cold Fusion (ZDNet).

Crime and punishment.

The US indictment of alleged Lazarus Group member Park Jin Hyok, a North Korean government hacker said to have been involved in the Sony and Bangladesh Bank hacks, is said to have been made possible by the Lazarus Group's careless opsec (SecurityWeek). A number of observers have been impressed by the ability of investigators to develop the kind of attribution necessary to obtain an indictment (Buzzfeed). Pyongyang denounces the whole affair as a "smear campaign" which it promises will exhaust its patience in things like denuclearlization negotiations, but Mr. Park remains under indictment nonetheless (Washington Post).

Indictment of foreign intelligence officers (or their contract workers) from China, Iran, Russia, and now North Korea has come to form an important part of US policy with respect to imposing costs on hostile actors in cyberspace. (Economist).

Georgia extradited Russian national Andrei Tyurin to the US to face charges relating to the 2014 hack of financial services companies. It's generally known as the "JPMorgan hack," but there were other victims too, including  E*Trade Financial Corp, Scottrade, and Dow Jones & Co. He could receive up to thirty years if he's convicted of computer hacking, wire fraud and conspiracy. Mr. Tyurin and his alleged co-conspirators are thought to have made hundreds of millions in stock manipulation, Internet gambling, credit-card fraud and cryptocurrency money laundering. There's much speculation about what he knows concerning connections between the Russian government and the Russian underworld (Reuters).

The Kelihos botmaster, Peter Yuryevich Levashov, also a Russian national, took a guilty plea to fraud, conspiracy, computer crime, and identity theft charges (US Department of Justice).

Peteris Sahurovs, a Latvian national who conducted a waterholing attack staged on the Minneapolis Star Tribune's website visitors was sentenced to thirty-three months in Federal prison (Star Tribune).

Mitash Das, a former IT contractor for the US Army, was convicted of damaging computers at Fort Bragg with malicious code. He received a two-year sentence and was ordered to pay $1.5 million in restitution (Fifth Domain).

A prominent member of the Apophis Squad, George Duke-Cohan, has entered a plea of guilty to charges relating to his online distribution of empty but frightening bomb threats to shools. The skids of the Apophis Squad not only chose bad role models, aspiring to be like the equally skiddish Lizard Squad, but they were also gripped by hubristic arrogance, boasting that they'd be forever anonymous, and that "the Feds can't touch us." In fairness to Mr. Duke-Cohan, whose many noms-de-hack included "DoubleParallax," the Feds didn't: it was the Feds' cousins across the Pond who did the touching. He'll be sentenced at Luton Crown Court on September 21st, and is expected to be detained at her Majesty's pleasure for at least a year (Fifth Domain).

Courts and torts.

The European Court of Human Rights in Strasbourg ruled Thursday that bulk collection of communications by Britain's GCHQ violated the European Convention on Human Rights, mostly because it was conducted without adequate oversight and safeguards. The ruling was less sweeping than has been widely reported, awarding the plaintiffs no damages beyond court costs, and declining to find either intelligence sharing or bulk collection illegal. But it did warn against employing cooperating intelligence services to avoid restrictions on surveillance (Strasbourg was here scowling at the Five Eyes). And it included one interesting finding: surveillance, licit or not, occurs at the moment of collection, not when the data collected are inspected or analyzed by human operators (Ars Technica).

Another important EU case reached court this week. Google is challenging aspects of the EU's "right to be forgotten" (Wall Street Journal). In this case Google seems to be on the side of the free-speech angels: many observers see broad application of the right to be forgotten as the entering wedge of more intrusive censorship (Register). The outcome will be watched with considerable interest (Telegraph).

Fortunes of commerce.

British Airways, scrambling to recover from the data breach it disclosed last week, is also struggling with the prospect of a record fine should the UK Information Commissioner's Officer (ICO) find grounds to impose it: the airline could be assessed up to £500 million. Customers are also talking about a boycott (Times). It's been rough for British Airways, but observers are struck by the speed with which other companies, financial technology ones like Monzo and Revolut in particular, are reacting to the incident with security offerings to customers. And, of course, with quick offers to send out replacements for compromised cards (Quartz).

Canada joins the growing list of countries subjecting Huawei equipment to close security scrutiny (Globe and Mail). While the company attracted some defenders this week, particularly with respect to its banishment from Australian 5G work (South China Morning Post), other news hasn't been reassuring. Word that the company's been accused of goosing test items to achieve higher ratings in benchmarking evaluations have contributed to what Mashable characterizes as a reputation for shady behavior.

The US Federal ban on Kaspersky products goes into full effect on October 1st, and there's concern that a lot of Government contractors won't yet be in compliance (Nextgov).

While Google may look like a principled libertarian concern in its litigation over Europe's right to be forgotten, the view towards China is uglier. Mountain View has continued its quiet cooperation with Beijing to develop a censor-friendly search engine suitable for use inside the Great Firewall and, inevitably, many think, elsewhere (Foreign Policy). At least one senior Google scientist has resigned in protest over what he takes to be the company's betrayal of its publicly averred values (Intercept).

Big tech has not had a good week in the court of opinion, and Silicon Valley may be entering the end of its Gilded Age, at least with respect to its continued ability to engage in untrammeled commerce (Computing). Concerns over content moderation and excessive, monopolistic control over expression in cyberspace continue to provoke noises about anti-trust action (Bloomberg). There's noteworthy sentiment that Google in particular may have become too powerful for the common good (AP).

General Dynamics IT is reported to be undergoing a leadership shuffle involving its Defense and Intelligence Community lead executives (Washington Business Journal).

Mergers and acquisitions. 

Science Applications International Corp (SAIC) announced Monday that it had agreed to acquire Engility for $1.5 billion in stock. If the deal goes through SAIC will become the second-largest services contractor to the US Government. The acquisition is seen as part of SAIC's strategy to resume an important position as a provider to the US Intelligence Community (Reuters).

Temasek and StarHub have formed a joint venture, Ensign InfoSecurity, which they expect to establish itself as Asia's largest pure-play cybersecurity shop. The Singapore-based company will acquire the stock of both Quann and Accel, themselves controlled by Temasek and StarHub, respectively (Business Times).

Bitdefender acquired its Australian partner SMS eTech in what's regarded as a further push for global expansion move (Business Review). The move is thought to bring Bitdefender closer to its expected IPO (Axios).

Bomgar announced its acquisition of BeyondTrust, which the company believes will position it for leadership in privileged access management.

Investments and exits.

Sonatype has raised $80 million in an investment round led by San Francisco private equity fund TPG, with participation by Accel, Goldman Sachs and Hummer Winblad. Sonatype, based in Maryland, specializes in scanning software for vulnerabilities before that software is used to build applications (Washington Post).

OverWatchID has closed a $2.5 million extension of its seed funding round. The investment is led by WestWave Capital and Silicon Valley Data Capital, with participation by IrishAngels Ventures, OCA Ventures, Rockies Venture Club and Copper River Advisors. OverWatchID offers credential-theft and privilege abuse solutions; it intends to use the funding to expand research and development (Globe Newswire).

Secure Code Warrior, specialists in secure application development, has raised $3.5 million from Palladin Capital and Air Tree Venture. The company, which has offices in Sydney, Bruges, London, and Boston, intends to use the funding to expand US business and support its engineering hubs in Australia and Belgium (BusinessWire).

Sysdig has closes $68.5 million in series D funding led by Insight Venture Partners, with participation from previous investors Bain Capital Ventures and Accel. The company's products help enterprises monitor and secure containers and cloud-native applications (Help Net Security). 

Glasswall Solutions closed a strategic funding round to support product development and sales in the UK and US. Funding was led by Michael Spencer through his personal investment vehicle, IPGL. Glasswall offers "Deep-File Inspection, Remediation and Sanitisation Technology (d-FIRST™)" which validates known-good elements of files and recreates identical and safe copies.

And security innovation. 

DARPA has a $2 billion program, AI Next, that aims at transforming artificial intelligence into something more like an actual partner as opposed to a mere tool. It's said to aim at giving AI "contextual understanding" (FCW).

Australian cybersecurity incubator Cyrise thinks its current cohort shows unusual maturity for startups (CSO).

 

This CyberWire look back at the Week that Was discusses events affecting Australia, Canada, China, European Union, Russia, United Kingdom, United States.

On the Podcast

Research Saturday is up.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in source articles are those of the authors, not CyberWire, Inc.