August 28, 2019.
By the CyberWire staff
Secureworks has identified a new threat group active in the Middle East. They're calling it "LYCEUM." It may have been active as early as April of 2018 (with some signs of activity in South Africa), but since late spring of this year it has increased its operations significantly. It's currently engaging Middle Eastern infrastructure targets, specifically in the oil and gas sector. While Secureworks says it sees some "stylistic" similarities to the known threat groups COBALT GYPSY (itself connected to OilRig, Crambus, and APT34) and COBALT TRINITY (a.k.a. Elfin, or APT33), it says that it can't connect either the malware itself or the attack infrastructure to any of these actors. "As of this publication, there is insufficient technical evidence to support an attribution assessment." Other outlets are less circumspect. Bleeping Computer runs with LYCEUM's association with Hexane, tracked earlier by Dragos. Technology Review calls a culprit: Iran. The campaign's goal is apparently espionage.
Chinese intelligence services continue to use LinkedIn as a way of approaching people they would like to recruit as assets. The New York Times reports that former government officials are attractive potential agents. Counterintelligence officials in France, Germany, the UK, and the US have all warned against the recruitment efforts.
Imperva has disclosed an issue affecting its Cloud Web Application Firewall, the product formerly known as Incapsula. The source and scope of the incident remain under investigation.
Trend Micro says that the criminal group TA505 has updated its tactics to make better use of upgraded ServHelper and FlawedAmmyy malware.
Today's issue includes events affecting Australia, Canada, China, Czech Republic, Denmark, France, Germany, Hungary, Iran, Democratic People's Republic of Korea, Republic of Korea, Kuwait, NATO/OTAN, Nigeria, Romania, Russia, Serbia, Thailand, Turkey, United Kingdom, United States.
Bring your own context.
Heaven's Gate looks for antivirus tools before it executes.
"There's a list of types of antivirus file names that it's looking for, and it's not even looking for it in a linear way. It's doing it all over the code base, so it's much harder to see. And what happens is when it does hit that particular check, if it does find that antivirus file, it will terminate, and it won't execute any further. You can imagine if you're running this in the sandbox, it's problematic. Or if you're trying to automate analysis, it's problematic because they're checking for those types of tools."
—Craig Williams, head of Talos Outreach at Cisco, on the CyberWire Daily Podcast, 8.26.19.
It's an old technique, but in many cases "old" means "tried and true."
Cyber Security Summits: Chicago on August 27 and on September 17 in Charlotte(Chicago, Illinois, United States, August 27, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, Google, IBM, Darktrace, and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Passes are limited, secure yours today: www.CyberSummitUSA.com
10th Annual Billington CyberSecurity Summit(Washington, DC, United States, September 4 - 5, 2019) The event will be an important Call to Action for the cybersecurity community and is the deepest examination of the cybersecurity and government at the local, state, Federal and International levels found anywhere.
Second Annual DataTribe Challenge(Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.
Zero Day Con(Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 30% discount for Labor Day using code LABOR30.
Dridex Operator Updates Tactics and Targets(SecurityWeek) The threat actor behind the infamous Dridex and Locky malware families has updated tactics and expanded its target list in recent campaigns, Trend Micro reports.
China Chopper still active 9 years later(Cisco Talos) Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery.
Delta Controls enteliBUS Controllers(CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Delta Controls
Equipment: enteliBUS Controllers
Vulnerability: Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker on the same network to gain complete control of the device’s operating system and allow remote code execution.
Datalogic AV7000 Linear Barcode Scanner(CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Exploitable remotely/low skill level to exploit
Equipment: AV7000 Linear Barcode Scanner
Vulnerability: Authentication Bypass Using an Alternate Path or Channel
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to bypass authentication through issues in the HTTP authentication process.
McAfee Report Uncovers Ransomware Resurgence(McAfee) McAfee Labs sees 504 new threats per minute in Q1 2019; Data breaches facilitate attacks on large organizations; Majority of targeted attacks bet on victims’ unwitting compliance.
Privacy Fundamentalism(Stratechery) The current privacy debate is making things worse by not considering trade-offs, the inherent nature of digital, or the far bigger problems that come with digitizing the offline world.
Axonius, a cybersecurity asset management startup, raises $20M in Series B(TechCrunch) Cybersecurity asset management startup Axonius has raised $20 million in its second round of funding this year. Venture capital firm OpenView led the Series B, joining existing investors in bringing $37 million to date following the startup’s $13 million Series A in February. The security sta…
3 Tech Stocks with High Upside for Under $15(Yahoo) With Amazon (AMZN) and Google (GOOGL) vacuuming up the reputation and the hype and the sky-high stock valuations, it sometimes seems that the tech sector isn’t for the budget-minded investor. Even the more staid stocks, like Microsoft (MSFT) can have share prices well above $100. So, what do you do if
VMware AppDefense Breaks Down Silos in Latest Release(VMware vSphere Blog) (by Tom Corn, SVP & GM of Security products at VMware) It’s an exciting time for the VMware AppDefense team. We are making tremendous progress in our mission to help secure our customers’ data centers, and today we have great news to share. First, I’m proud to announce that we have released new functionality in
Your Pa$$word doesn't matter(TECHCOMMUNITY.MICROSOFT.COM) Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and wi...
Research and Development
Social Data Initiative(Social Science Research Council) For nearly a century, the Social Science Research Council has supported researchers as they pursue vanguard and rigorous scholarship for the public good. In keeping with this tradition, the Social Media and Democracy Research Grants program—a collaboration with a diverse group of eight philanthropic organizations, Social Science One, and Facebook—is an effort to make privacy-protected data available to social researchers to examine Facebook’s impact on elections and democracy.
Seoul urged to tighten vigilance against North Korean hackers(Korea Times) South Korea should raise its guard against cyberattacks from North Korea, as it has been increasingly vulnerable to Pyongyang's tech-driven cyberwarfare, experts said Tuesday. They added that the international community should take North Korea's fast-advancing cyber manipulation tactics more seriously, as cyberattacks are becoming an easier, more cost-effective alternative to nuclear and missile threats.
China’s Spies Are on the Offensive(The Atlantic) China’s spies are waging an intensifying espionage offensive against the United States. Does America have what it takes to stop them?
DoJ opposes Google-backed undersea cable(Seeking Alpha) The U.S. Department of Justice wants to block the Pacific Light project backed by Google (GOOG,GOOGL), Facebook (NASDAQ:FB), and China's Dr. Peng Telecom & Media Group, according to Dow Jones sources.
Former star Google and Uber engineer charged with theft of trade secrets(Silicon Valley Business Journal) Anthony Levandowski, a former Google engineer and co-founder of the self-driving truck company Otto, in San Francisco, May 16, 2016. Levandowski was charged by federal prosecutors on Aug. 27, 2019 with 33 counts of theft and attempted theft of trade secrets from Google.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
Global Security Exchange (GSX)(Chicago, Illinois, USA, September 8 - 12, 2019) Global Security Exchange (GSX) is the only event that brings together security professionals from all vertical markets throughout the world to network, learn, and re-invest in the industry. It’s home for...
Integrate(Melbourne, Victoria, Australia, August 27 - 29, 2019) Get ready to think beyond and lose yourself in the technology of tomorrow at Integrate 2019. Integrate is Australia's leading event dedicated to helping businesses harness the power of AV technology to...
Washington DC Cybersecurity Conference(Washington, DC, USA, August 29, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...
9th Annual Peak Cyber Symposium(Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Peak Cyber Symposium is designed to further educate Cybersecurity, Information Management, Information Technology and Communications Professionals by providing a platform to explore some of today's...
9th Annual Peak Cyber Symposium(Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Information Systems Security Association (ISSA) - Colorado Springs Chapter will once again host the 9th Annual Peak Cyber Symposium. This year's theme is "Cyber Hygiene: Everyday for Everyone." The...