April 3, 2019.
By the CyberWire staff
Blackberry Cylance has a new report on OceanLotus, also known as APT32 or Cobalt Kitten. The Vietnamese threat group uses steganography (in the form of a .png image file) to carry its loader to the target.
e-sushi, a self-described dabbler in cybersecurity and other things, called out Facebook Sunday for asking people to give up their third-party email credentials so Facebook can "automatically" verify those accounts. Yesterday the Daily Beast confirmed that Facebook is indeed doing this. Facebook says their intentions were good and they didn't actually store passwords, but they understand, and have stopped this form of verification. It struck most observers as appallingly bad practice.
Remote Administration Tool or Remote Access Trojan? If you ask the author of Orcus RAT, it's the former. If you ask the Mounties, it's the latter. KrebsOnSecurity has an account of last week's raid on Orcus Technologies.
Haaretz says OpIsrael preparation has begun, as hacktivists infect some one-hundred-twenty Israeli sites. OpIsrael is expected on April 7th.
Bitcoin's price spiked above $5000 early this week. The Telegraph and others think an April Fool's prank was behind the bull rush.
In a very odd incident, the US Secret Service Saturday detained a woman who showed up at President Trump's Mar-a-Lago. She was seeking entrance to a non-existent event, and was carrying a laptop, four phones, and a number of dongles, loaded with a lot of what the Miami Herald helpfully calls "malicious malware." She also had a Chinese passport and an interest in international trade.
Today's issue includes events affecting Australia, Canada, Chad, China, Colombia, Democratic People's Republic of North Korea, Japan, Niger, Nigeria, Russia, Thailand, United Kingdom, United States, Venezuela, and Vietnam.
ON THE PODCAST
In today's podcast, out later this afternoon, we speak with our partners at Webroot, as David Dufour shares results from their most recent threat report. Our guest is Roy Zur from Cybint Solutions, who reviews the essentials of hunting and fishing for information online.
Report: OceanLotus APT Group Leveraging Steganography (BlackBerry Cylance) BlackBerry Cylance recently uncovered a novel malware payload loader during our ongoing surveillance of the OceanLotus (APT32) group. The loader uses steganography to read an encrypted payload concealed within a .png image file. This white paper offers an in-depth look at two concerning technical achievements recently employed by this APT.
We found a massive spam operation — and sunk its server (TechCrunch) For ten days in March, millions were caught in the same massive spam campaign. Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into their email account, scraped their recently sent emails and pushed out personaliz…
Advantech WebAccess/SCADA (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Advantech. Equipment: WebAccess/SCADA. Vulnerabilities: Command Injection, Stack-based Buffer Overflow, Improper Access Control. 2. RISK EVALUATION. Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.
Facebook Is Just Casually Asking Some New Users for Their Email Passwords (Gizmodo) Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Tuesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.
Malware Actors Using New File Hosting Service to Launch Attacks (Security Boulevard) Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware. Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment.
Arizona Beverages knocked offline by ransomware attack (TechCrunch) Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned. The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows…
Cybercriminals Fall for IoT Honeypots (Security Boulevard) On Sunday 24th February, the eve of Mobile World Congress 2019, Avast security researchers Martin Hron, Vladislav Iliushin, Libor Bakajsa, and Anna Shirokova set a project in motion: the deployment of 500 honeypots in 10 countries around the world that would run for the length of the show (four days), and beyond.
Israeli firm buys Ukrainian startup for nearly $4 million (KyivPost) Israeli internet company Perion is to pay $3.7 million as it acquires a small Ukrainian startup which develops artificial intelligence and works in online marketing. Septa Communications, also known as Captain Growth, consists of only eight people. The startup produces artificial intelligence that helps companies to advertise on Facebook and through Adwords. It analyzes marketing …
2019 Women in Cybersecurity ((ISC)²) (ISC)² took a new approach to surveying the cybersecurity workforce. This new look at the workforce revealed that the percentage of women in cybersecurity is roughly 24%.
What Can Your Company Do To Attract Top Cybersecurity Talent? (TechNative) Last year's cybersecurity scorecard did little to reassure consumers that large companies are serious about security and privacy. Massive data leaks hit the news every month against the background buzz of hundreds of smaller breaches that didn't make the front page.
Behind the Scenes of Russia’s Military Detachment to Venezuela (Jamestown) On March 23, a Russian defense ministry Ilyushin Il-62 passenger jet and an Antonov An-124 military cargo plane arrived at Simón Bolívar International Airport, having departed from the Chkalovsky military airbase (with an intermediate stop in Syria). Carrying 35 tons of cargo, the two aircraft delivered 99 Russian military specialists, headed by the first deputy commander-in-chief of the Land Forces, …
Intel to examine deepfake videos in hearing (TheHill) The House Intelligence Committee is planning to hold a hearing in the coming months that will examine a series of national security matters, including the threat of videos manipulated by artificial intelligence that…
Kaspersky Lab appeals to court of public opinion with 'unbiased' assessment of Russian law (CyberScoop) The legal battle between Russian antivirus maker Kaspersky Lab and the U.S. government has quieted, but the court of public opinion is still open for arguments. Countering U.S. officials and critics who say otherwise, Kaspersky Lab on Tuesday released an analysis arguing that, under Russian law, the company would not be subject to certain demands from authorities for data.
Canadian Police Raid ‘Orcus RAT’ Author (KrebsOnSecurity) Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.
GAO Denies Protest Over $55M Deloitte Army Cyber Deal (Law360) The Government Accountability Office on Tuesday denied MacAulay-Brown's protest over a nearly $55 million Army cyber analytics deal awarded to Deloitte, saying it has "no basis to question" the Army's evaluation of Deloitte's proposed price, which was millions less than MacAulay-Brown's.
Swedbank’s Crisis Management Questioned in Walk-Up to Money-Laundering Investigations (Wall Street Journal) A sequence of events at the Swedish lender, including the firing of CEO Birgitte Bonnesen last week, provides a case study in one of the riskiest balancing acts executives attempt when faced with a corporate crisis: trying to apply the right amount of weight to reassuring investors on one side and enough weight to publicly addressing the problem on the other.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
IMPACT ’19 (Chantilly, Virginia, USA, April 15 - 17, 2019) Prepare for the changes ahead and get out in front of the compliance curve by attending the 34th annual NSI IMPACT Forum on April 15-17 at the Westfields Marriott in Chantilly, VA. The theme of this year’s … key compliance strategies from hands-on security experts to safeguard classified information and minimize insider threats.
Cyber Security Transatlantic Policy Forum (Killarney, Ireland, May 10, 2019) The mission of the conference is to bring politicians, law enforcement, policy makers and cyber industry leaders together to create an annual dialogue. Our goal is to ensure that we expand and improve...
Insider Threat Program Development - Management Training Course (Mountain View, California, USA, July 15 - 16, 2019) The Insider Threat Defense Group will hold our highly sought after Insider Threat Program (ITP) Development - Management Training Course, in Mountain View, California, on July 15-16, 2019. This comprehensive...
InfoSec World 2019 (Lake Buena Vista, Florida, USA, April 1 - 3, 2019) Cybersecurity has come a long way in 25 years, and InfoSec World has been there through it all. That's right, InfoSec World 2019 Conference & Expo is returning to Disney's Contemporary Resort on April...
Dynamic Connection 2019 (Denver, Colorado, USA, April 2 - 4, 2019) Dynamic Connections 2019 will bring together over 1,000 attendees to learn, explore and create solutions needed today to help us thrive and operate successfully in the digital domain with confidence. Learn...
IP Expo Manchester (Manchester, England, UK, April 3 - 4, 2019) The event will showcase industry leaders and those at the forefront of technology, to encourage debate and inform attendees on the critical technological issues affecting modern business. IT and cyber...
QuBit Conference Prague 2019 (Prague, Czech Republic, April 9 - 11, 2019) Over the past 5 years, QuBit has grown to be a leading cyber security community event in the CEE region. This year's highlights include: excellent speakers and educational sessions, popular networking events,...
Mississippi College Cybersecurity Summit (Clinton, Mississippi, USA, April 10, 2019) The 2019 Mississippi College Cybersecurity Summit is a conference designed to engage, educate, and raise awareness about cybersecurity across the nation. It will provide valuable cybersecurity tools and...