
Daily briefing.

Secureworks has identified a new threat group active in the Middle East. They're calling it "LYCEUM." It may have been active as early as April of 2018 (with some signs of activity in South Africa) but since late spring of this year it's increased its operations significantly. It's currently engaging Middle Eastern infrastructure targets, specifically in the oil and gas sector. While Secureworks says it sees some "stylistic" similarities to known threat groups COBALT GYPSY (itself connected to OilRig, Crambus, and APT34) and COBALT TRINITY (a.k.a. Elfin, or APT33), it says that it can't connect either the malware itself or the attack infrastructure to any of these actors. "As of this publication, there is insufficient technical evidence to support an attribution assessment." Other outlets are less circumspect. Bleeping Computer runs with LYCEUM's association with Hexane, tracked earlier by Dragos. Technology Review calls a culprit: Iran. The campaign's goal is apparently espionage.

Chinese intelligence services continue to use LinkedIn as a way of approaching people they would like to recruit as assets. The New York Times reports that former government officials are attractive potential agents. Counterintelligence officials in France, Germany, the UK, and the US have all warned against the recruitment efforts.

Imperva has disclosed an issue affecting its Cloud Web Application Firewall, the product formerly known as Incapsula. The source and scope of the incident remain under investigation.

Trend Micro says that the criminal group TA505 has updated its tactics to make better use of upgraded ServHelper and FlawedAmmyy malware.


Today's issue includes events affecting Australia, Canada, China, Czech Republic, Denmark, France, Germany, Hungary, Iran, Democratic People's Republic of Korea, Republic of Korea, Kuwait, NATO/OTAN, Nigeria, Romania, Russia, Serbia, Thailand, Turkey, United Kingdom, United States.

Bring your own context.

Heaven's Gate looks for antivirus tools before it executes.

"There's a list of types of antivirus file names that it's looking for, and it's not even looking for it in a linear way. It's doing it all over the code base, so it's much harder to see. And what happens is when it does hit that particular check, if it does find that antivirus file, it will terminate, and it won't execute any further. You can imagine if you're running this in the sandbox, it's problematic. Or if you're trying to automate analysis, it's problematic because they're checking for those types of tools."

—Craig Williams, head of Talos Outreach at Cisco, on the CyberWire Daily Podcast, 8.26.19.

It's an old technique, but in many cases "old" means "tried and true."


In today's podcast, out later this afternoon, we hear from our partners at the Johns Hopkins University's Information Security Institute, as Joe Carrigan discusses the US Federal Cyber Reskilling Academy and its first graduating class. Our guest is Peter Smith from Edgewise, with thoughts on microsegmentation.

And Recorded Future's podcast, produced in cooperation with the CyberWire, is also up. The latest episode, "Hong Kong protests and the rise of online influence operations," discusses the back-and-forth between social media platforms and the Chinese government as the former tries to shut down the latter's coordinated inauthenticity.

Cyber Security Summits: Chicago on August 27 and on September 17 in Charlotte (Chicago, Illinois, United States, August 27, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, Google, IBM, Darktrace, and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Passes are limited, secure yours today.

10th Annual Billington CyberSecurity Summit (Washington, DC, United States, September 4 - 5, 2019) The event will be an important Call to Action for the cybersecurity community and is the deepest examination of the cybersecurity and government at the local, state, Federal and International levels found anywhere.

Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply.

Zero Day Con (Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 30% discount for Labor Day using code LABOR30.

Cyber Attacks, Threats, and Vulnerabilities

Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign (Secureworks) The previously unobserved LYCEUM threat group targeted critical infrastructure organizations without being detected for more than 12 months.

Lyceum/Hexane Threat Group Uses Common Hacking Tactics (BleepingComputer) A recently reported threat group focusing on critical infrastructure organizations in the Middle East uses simple techniques to compromise victims and deploy post-intrusion tools.

The Middle East is already a cyberwar hotbed. Things just got worse. (MIT Technology Review) A hacking group with links to Iran is the latest threat that makes the Persian Gulf one of the world’s most active theaters of cyberwar.

How China Uses LinkedIn to Recruit Spies Abroad (New York Times) Western intelligence officials say Chinese agents are contacting thousands of foreign citizens using LinkedIn, including former government officials.

Dridex Operator Updates Tactics and Targets (SecurityWeek) The threat actor behind the infamous Dridex and Locky malware families has updated tactics and expanded its target list in recent campaigns, Trend Micro reports.

China Chopper still active 9 years later (Cisco Talos) Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery.

Imperva Notifies Cloud WAF Customers of Security Incident (SecurityWeek) Imperva learned recently that information belonging to Cloud WAF (Incapsula) customers who had accounts through September 2017 was exposed as a result of a security incident.

Imperva discloses data breach affecting some firewall users (CRN Australia) Exposed email addresses, hashed passwords, API keys and SSL certificates.

Business VPN flaws exploited by hackers (TechRadar) Vulnerabilities presented at Black Hat hijacked by hackers

Attackers Targeting Vulnerability in Pulse Secure VPN (Decipher) The CVE-2019-11510 vulnerability in Pulse Secure VPN is drawing considerable attention from attackers now that an exploit is publicly available.

Hackers Could Steal a Tesla Model S by Cloning Its Key Fob—Again (Wired) The same researchers who figured out how to clone a Tesla Model S key fob have done it again, cracking the replacement that was meant to fix the problem.

Delta Controls enteliBUS Controllers (CISA) 1. EXECUTIVE SUMMARY: CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Delta Controls. Equipment: enteliBUS Controllers. Vulnerability: Buffer Overflow. 2. RISK EVALUATION: Successful exploitation of this vulnerability could allow an attacker on the same network to gain complete control of the device’s operating system and allow remote code execution.

Datalogic AV7000 Linear Barcode Scanner (CISA) 1. EXECUTIVE SUMMARY: CVSS v3 8.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Datalogic. Equipment: AV7000 Linear Barcode Scanner. Vulnerability: Authentication Bypass Using an Alternate Path or Channel. 2. RISK EVALUATION: Successful exploitation of this vulnerability could allow a remote attacker to bypass authentication through issues in the HTTP authentication process.

Worried about cyber pirates hijacking autonomous ships? Focus on port cybersecurity first (Help Net Security) On average, the U.S. Coast Guard issues between ten and twenty safety alerts annually. Alerts tend to function more as a public service announcement

Robertson County jail computers also impacted in cyber attack (KBTX) A recent cyber-attack against the Robertson County Sheriff's Office also impacted their jail computers.

Security Patches, Mitigations, and Software Updates

Hostinger upgrades password security after 14m accounts breached (Naked Security) Millions of customers of web hosting company Hostinger have received emails bearing the bad news of a data breach.

Cyber Trends

McAfee Report Uncovers Ransomware Resurgence (McAfee) McAfee Labs sees 504 new threats per minute in Q1 2019; Data breaches facilitate attacks on large organizations; Majority of targeted attacks bet on victims’ unwitting compliance.

Lares Top 5 Penetration Test Findings For 1H 2019 (Lares) Lares® encounters a seemingly endless number of vulnerabilities when we conduct a penetration test or red team engagement, regardless of organization size or maturity.

Growing cloud adoption introduces visibility gaps and security complications (Help Net Security) More than half of the respondents expressed concerns about integrating data with analytics tools and combining data across cloud environments.

Survey: SMBs Continue to Struggle with IT Security Due to Budget and Workforce Limitations | Untangle (Untangle) The latest Untangle survey explores the current state and trends of IT security for more than 300 SMBs...

RiskSense Research Report Finds Attackers Weaponized More Security Vulnerabilities Last Year than Ever Before (RiskSense) Despite Decrease in Adobe Software Flaws, Number of Exploits in 2018 More than Doubled Compared to 2017

Privacy Fundamentalism (Stratechery) The current privacy debate is making things worse by not considering trade-offs, the inherent nature of digital, or the far bigger problems that come with digitizing the offline world.

Black Hat 2019: Majority of Security Experts Would Use Bots to Gain an Unfair Advantage (PerimeterX Bot Defender) Black Hat 2019 survey of 304 attendees revealed that a majority of security experts would use bots to gain an unfair advantage during online flash sales.

A lot of what is sold as AI is simply marketing, says Eugene Kaspersky (Live Mint) 'The safest region in the world is northern Europe, followed by other areas in Europe, Russia and India'. 'Have good (internet) security installed... Even if you know the sender and find an unexpected mail, then call back (to verify)'

Deloitte’s survey shows disconnect in cyber strategies, budget allocation - ET CIO ( Deloitte’s Future of Cyber Survey 2019 finds that only 4% of enterprises have cyber on their board agenda once a month.

Nearly Half of SMBs, Enterprises Still Using Windows 7: Kaspersky (SecurityWeek) Data collected by Kaspersky shows that nearly half of SMBs and enterprises are still using Windows 7, for which extended support will end in just a few months.


Ousting Huawei, Australia finishes laying undersea internet cable... (Reuters) The final piece of Australia's A$137 million ($92.53 million) undersea cabl...

Every telecom company can be hacked and "everybody should be suspect," Huawei USA’s chief security officer says (Vox) Andy Purdy talks with Kara Swisher about the pending ban on US companies doing business with Huawei.

Digital tax fears to blame for faltering tech deals (The Telegraph) For a country worried about losing its technology champions by having them snapped up too soon, it might seem like good news.

Axonius, a cybersecurity asset management startup, raises $20M in Series B (TechCrunch) Cybersecurity asset management startup Axonius has raised $20 million in its second round of funding this year. Venture capital firm OpenView led the Series B, joining existing investors in bringing $37 million to date following the startup’s $13 million Series A in February. The security sta…

Cybersecurity Firm McAfee Prepares for a Possible IPO (Fortune) The owners, including Intel and TPG, are hoping for a value of at least $8 billion.

Carbon Black SVP: VMware Will ‘Leapfrog’ Cisco, Palo Alto Networks (CRN) The combination of Carbon Black and VMware will leapfrog cybersecurity competitors Cisco and Palo Alto Networks, according to one executive.

Can VMware become a leading cybersecurity vendor? (CSO Online) VMware's recent acquisition of Carbon Black gives the company a strong security foundation to build on.

Experian just invested in a location data company, which is a little creepy (Fast Company) Experian is going to know a lot about you.

Northrop Grumman Awarded Army Secure Network Radio Contract (ClearanceJobs) ClearanceJobs is your best resource for news and information on security-cleared jobs and professionals. Learn more with our article, "Northrop Grumman Awarded Army Secure Network Radio Contract".

Gemalto part of group awarded contract for 15 million biometric passports by Thailand (Biometric Update) Thailand’s Ministry of Foreign Affairs (MOFA) has awarded a contract for the supply of 15 million biometric e-passports over the next seven years to a consortium including Gemalto, according to a c…

The Pentagon Wants to Bolster DIU’s Cyber Defenses ( The department is looking for penetration testers, red teams and cyber training to protect its startup incubator from online attacks.

The Army wants these new defensive cyber tools (Fifth Domain) The Army outlined what capabilities it wants for its defensive cyber operators.

3 Tech Stocks with High Upside for Under $15 (Yahoo) With Amazon (AMZN) and Google (GOOGL) vacuuming up the reputation and the hype and the sky-high stock valuations, it sometimes seems that the tech sector isn’t for the budget-minded investor. Even the more staid stocks, like Microsoft (MSFT) can have share prices well above $100. So, what do you do if

Nixu Corporation’s growth ambition for 2020-2024 (Cision) European cybersecurity company, Nixu has announced today its growth ambition for the next five years, 2020 to 2024.

Centrify joins multiple working groups within Cloud Security Alliance (Intelligent CIO Africa) Centrify, a leading provider of cloud-ready zero trust privilege to secure modern enterprises, has announced that several of its executive leaders have joined

XM Cyber Chosen for Swiss Kickstart Innovation Program (PR Newswire) Breach and Attack Simulation Leader Joins Other Top Startups to Promote Tech Innovation in Switzerland

Louisiana plans new cybersecurity center in Baton Rouge (The Center Square) Louisiana state government plans to establish a “major cybersecurity center” in Baton Rouge alongside LSU experts and a private defense contractor, Gov. John Bel Edwards said Tuesday.

Products, Services, and Solutions

VMware AppDefense Breaks Down Silos in Latest Release (VMware vSphere Blog) (by Tom Corn, SVP & GM of Security products at VMware) It’s an exciting time for the VMware AppDefense team. We are making tremendous progress in our mission to help secure our customers’ data centers, and today we have great news to share. First, I’m proud to announce that we have released new functionality in

US Signal Unveils Managed Website and Application Security Solution (PR Web) Builds on existing DDoS protection to deliver unparalleled defense against malicious attacks on websites and applications

Shared Assessments Announces Assessment and Monitoring Module of Third Party Risk Management (TPRM) Framework (SYS-CON Media) The Shared Assessments Program, the member-driven leader in third party risk assurance, today announced an important new addition to its Third Party Risk Management (TPRM) Framework covering the subjects of periodic assessments and continuous monitoring.

DefenseStorm to Unveil New Fraud Monitoring Product at 2019 CUNA Tech (DefenseStorm) DefenseStorm FI CyberFraud reduces fraud-related costs and improves risk management of banking applications

Announcing Our First European Data Center (Backblaze Blog) We have big news. Starting today, our first European data center, in Amsterdam, is open and accepting customer data!

VMware Delivers Industry’s Only Complete Software-Defined Networking and Security Stack Built for the Multi-Cloud Era (VMware) VMware networking and security portfolio delivers greater automation, compliance, visibility, and scale across the data center, cloud, branch and edge

VMware Expands Telco and Edge Cloud Portfolio to Enable Better Connectivity and Automation for Communication Service Providers and Enterprises (VMware) VMware, Inc. (NYSE: VMW), a leading innovator in enterprise software, today announced that it has expanded its Telco and Edge Cloud portfolio to drive real-time intelligence for telco networks, as well as improved automation and security for telco, Edge and IoT applications. Already serving as a key infrastructure provider for most communications service providers and enterprise customers around the world,

Veristor and Synack Partner to Apply Ethical Hackers and AI Technology to Deliver Crowdsourced Security Vulnerability Identification (Veristor) #Veristor and #Synack perform comprehensive penetration testing using human and machine intelligence for smart #security testing at scale.

Fortinet Extends Support for VMware to Boost Cloud Security (Yahoo) With the extension of partnership, Fortinet (FTNT) will provide consistent security and monitoring for East-West traffic in addition to the already existing North-South traffic.

ReversingLabs Titanium Platform Finds Destructive Objects Existing Security Investments Miss (Beloit Bulletin) Reversing Labs, a leading provider of enterprise-scale file analysis, threat hunting, and malware intelligence solutions,

Technologies, Techniques, and Standards

The mind of the payment crook provides clues for the fight (PaymentsSource) There are several ways attackers take advantage of payment systems. Understanding that is part of the battle, according to Bill Horne of Intertrust Secure Systems.

Scammers are targeting your calendar—here's how to stop them (Popular Science) It's simple to tweak the settings in your Google calendar to stop spam from appearing in your schedule.

Design and Innovation

'Dangerous' AI offers to write fake news (BBC News) An AI that allows anyone to write fake news or rewrite old jokes such as "a man walked into a bar".

Your Pa$$word doesn't matter (TECHCOMMUNITY.MICROSOFT.COM) Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and wi...

Research and Development

Social Data Initiative (Social Science Research Council) For nearly a century, the Social Science Research Council has supported researchers as they pursue vanguard and rigorous scholarship for the public good. In keeping with this tradition, the Social Media and Democracy Research Grants program—a collaboration with a diverse group of eight philanthropic organizations, Social Science One, and Facebook—is an effort to make privacy-protected data available to social researchers to examine Facebook’s impact on elections and democracy.

Legislation, Policy, and Regulation

Cyber attack on NHS would trigger full Nato response, says alliance's general secretary (The Telegraph) A cyber strike similar to the computer hack that crippled NHS hospitals in 2017 could trigger a revenge attack from all Nato allies, its general secretary has warned.

We will hack back if you tamper with our shiz, NATO declares to world's black hats (Register) Starting a war over stopped trams? Unlikely, says intelligence boffin

Mikko Hyppönen Discusses When It's OK to Respond to a Cyber Attack with Missiles (TechSpective) Mikko Hyppönen joins me on the Inner Circle to chat about whether it's appropriate to respond to a cyber attack with missiles.

Seoul urged to tighten vigilance against North Korean hackers (Korea Times) South Korea should raise its guard against cyberattacks from North Korea, as it has been increasingly vulnerable to Pyongyang's tech-driven cyberwarfare, experts said Tuesday. They added that the international community should take North Korea's fast-advancing, cyber manipulation tactics more seriously, as cyberattacks are becoming an easier, more cost-effective alternative to nuclear and missile threats.

China’s Spies Are on the Offensive (The Atlantic) China’s spies are waging an intensifying espionage offensive against the United States. Does America have what it takes to stop them?

The Internet Freedom League (Foreign Affairs) Democratic states need to split the Internet before Beijing and Moscow do.

On the offense: How federal cybersecurity is changing (GCN) A safer, more expansive cybersecurity infrastructure empowers the nation's defend-forward strategy, allowing government to mediate emerging threats from across the globe.

UK to make Huawei 5G decision 'by the autumn' (BBC News) Nicky Morgan told the BBC that the UK would make a decision over Huawei before the end of the year.

The Huawei challenge: Not ‘politics vs. economics,’ but balancing politics, economics, and national security (AEI) The decision over whether to ban Huawei from 5G networks is a question of what price countries are willing to pay for national security.

Trump should drop efforts to allow Patriot Act snooping on citizens and immigrants (Chicago Sun-Times) The Fourth Amendment protects the rights of the people from unreasonable searches and seizures of property.

DoJ opposes Google-backed undersea cable (Seeking Alpha) The U.S. Department of Justice wants to block the Pacific Light project backed by Google (GOOG,GOOGL), Facebook (NASDAQ:FB), and China's Dr. Peng Telecom & Media Group, according to Dow Jones sources.

Litigation, Investigation, and Law Enforcement

Microsoft faces new GDPR privacy investigation over Windows 10 telemetry (Computing) Ireland's Data Protection Commission to investigate claims of new, potentially unlawful uses of personal data harvesting by Windows 10

Former Google Engineer Charged With Stealing Trade Secrets (Wall Street Journal) Anthony Levandowski was charged by federal authorities with 33 counts of trade-secret theft.

Former star Google and Uber engineer charged with theft of trade secrets (Silicon Valley Business Journal) Anthony Levandowski, a former Google engineer and co-founder of the self-driving truck company Otto, in San Francisco, May 16, 2016. Levandowski was charged by federal prosecutors on Aug. 27, 2019 with 33 counts of theft and attempted theft of trade secrets from Google.

Doorbell-camera firm Ring has partnered with 400 police forces, extending surveillance reach (Washington Post) The home-security firm has made it easier than ever for local police to request homeowners' video. “If the police demanded every citizen put a camera at their door and give officers access to it, we might all recoil,” one legal expert said.

Court squeezes $1 million back from convicted phisher (Naked Security) Prolific phishing scammer Grant West has been sentenced to 10 years, 8 months, and reimbursement for victims.

Hundreds of pages of emails show Nellie Ohr researched Trump-Russia connections (Washington Examiner) Newly uncovered FBI documents show how Nellie Ohr fits into the Trump-Russia saga, documents that also paint an increasingly clearer picture of the Clinton-linked opposition research firm Fusion GPS's central role in 2016 and beyond.

Is Nigeria Really The Headquarters of CyberCrime in the World? (Guardian) “The key (to Cybercrime) really is the lack of law enforcement environment, the feeling that you can do almost anything and get away with it. They were able to grow and evolve into organized enterprises.”

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

Global Security Exchange (GSX) (Chicago, Illinois, USA, September 8 - 12, 2019) Global Security Exchange (GSX) is the only event that brings together security professionals from all vertical markets throughout the world to network, learn, and re-invest in the industry. It’s home for...

Upcoming Events

Industrial Control Systems Joint Working Group (ICSJWG) Fall Meeting (Springfield, Massachusetts, USA, August 27 - 29, 2019) The Cybersecurity and Infrastructure Security Agency (CISA) hosts the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial...

Integrate (Melbourne, Victoria, Australia, August 27 - 29, 2019) Get ready to think beyond and lose yourself in the technology of tomorrow at Integrate 2019. Integrate is Australia's leading event dedicated to helping businesses harness the power of AV technology to...

Washington DC Cybersecurity Conference (Washington, DC, USA, August 29, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...

9th Annual Peak Cyber Symposium (Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Peak Cyber Symposium is designed to further educate Cybersecurity, Information Management, Information Technology and Communications Professionals by providing a platform to explore some of today's...

9th Annual Peak Cyber Symposium (Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Information Systems Security Association (ISSA) - Colorado Springs Chapter will once again host the 9th Annual Peak Cyber Symposium. This year's theme is "Cyber Hygiene: Everyday for Everyone." The...
