What are the best practices and tools for SecOps in 2019?
Read the 2019 SANS Security Operations Survey report for key insights & strategies from principal SANS Instructor Christopher Crowley & SANS Director of Emerging Technologies John Pescatore. Download your copy now.
The Week that Was.
August 3, 2019.
By the CyberWire staff
LookBack malware in US utilities.
Between July 19th and 25th, Proofpoint identified spearphishing emails that hit at least three US companies in the utilities sector. The phishbait lay in the origin of the emails: they arrived from what Proofpoint thinks is an attacker-controlled domain, nceess[dot]com. The domain is designed to be mistaken for one owned by the US National Council of Examiners for Engineering and Surveying. The phish hook was an attached Microsoft Word document weaponized with malicious macros that install a malware package Proofpoint calls "LookBack," a remote access Trojan accompanied by a command-and-control proxy mechanism. The researchers believe there's enough evidence pointing to a nation-state as the actor behind LookBack, but the trail quickly grows cold. There are some overlaps with earlier campaigns associated with China's APT10, but these are insufficient for attribution.
Online card skimming is a growing problem.
Find out how you can be equipped with a continuous 360° view of which critical assets are at risk, what security issues you should focus on, and how best to harness your resources to resolve them. Simulate, validate and remediate every hacker’s path to your organizational critical assets.
Capital One is breached.
Data associated with about 106 million credit card users and applicants, mostly in the United States and Canada, were exposed in a breach said to have been committed by a Seattle-area woman, Paige A. Thompson. Capital One says the compromised data include "names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income." Also exposed were "customer status data, e.g., credit scores, credit limits, balances, payment history, contact information," and "fragments of transaction data from a total of 23 days during 2016, 2017 and 2018." A limited set of US Social Security Numbers (about 140 thousand), Canadian Social Insurance Numbers (about a million), and linked bank account numbers of credit card customers (roughly eighty thousand) were also taken. The Verge has an account of the misconfiguration that made the breach possible, and offers some speculation about the accused hacker's obscure motivation.
Some see the incident as calling cloud security as a whole into question (the Wall Street Journal summarizes this view), but this is surely overstated. Duo Security argues instead that the regular, reliable patching and updating the cloud offers represent an advantage, as does the broad view of threat activity cloud providers offer. But moving to the cloud does involve change, and so old processes and protocols can't simply be assumed adequate to their new environment.
65% of SOC analysts say they have considered quitting or a career change
Research conducted by Ponemon Institute and Devo discovered that a number of issues are driving frustration in the SOC:
Visibility: 65% say they lack visibility in to IT security infrastructure
Interoperability: SOCs do not have high interoperability with existing security intelligence tools
Alignment: 81% are not aligned or only partially aligned with business objectives
The result? Analyst burnout and SOC ineffectiveness. Download the full report to learn how to address the key sources of SOC challenges.
Small plane CAN buses vulnerable to cyberattack.
CISA has distributed a warning about vulnerabilities in small aircraft CAN buses. "An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment." It would be possible to deliver false instrument readings to the pilot, and that could cause the pilot to lose control of the aircraft. The immediate recommendation for mitigation is to restrict physical access to aircraft. The warning is based on research by Rapid7; their report includes a lucid overview of what the CAN bus is.
Dispatches from the Crypto Wars.
The UK's new Home Secretary Priti Patel hosted the Five Country Ministerial this week, at which senior officials from the Five Eyes countries discussed cyber threats and emerging technologies, Reuters reported. Among other things the meeting amounted to a joint salvo in the Crypto Wars. In a column in the Telegraph on Wednesday, Patel argued that end-to-end encryption "hamper[s] our own law enforcement agencies, and those of our allies, in their ability to identify and stop criminals abusing children, trafficking drugs, weapons and people, or terrorists plotting attacks." She objected in particular to Facebook's plans to implement end-to-end encryption in its messaging services. Patel indicated that companies that don't voluntarily assist law enforcement in gaining access to encrypted data could face consequences from the UK's forthcoming online harms regulator, Sky News noted.
How can industrial organizations stay ahead of ICS adversaries and proliferating threats?
Dragos identified the most dangerous threat to ICS, XENOTIME (the activity group behind TRISIS), has expanded its targeting beyond oil and gas--illustrating a trend that will likely continue for other ICS-targeting adversaries. To learn more about XENOTIME and the latest threats to ICS environments, visit our team at Black Hat or email email@example.com to set up a one-on-one meeting.
Crime and punishment.
Paige Thompson, the accused Capital One hacker, was arrested Monday on a charge of computer fraud and abuse. She is alleged to have gained access to Capital One customer data between March 12th and July 17th of this year. Her point of entry is said to have been a misconfigured firewall, the Wall Street Journal said. The Department of Justice says that Capital One was warned on July 17th by a GitHub user who'd noticed that their customer data had turned up on GitHub. Capital One had stored the data in AWS, and various reports have noted that Ms Thompson is a former Amazon employee, last working there in 2016, but Amazon Web Services do not appear to have been implicated in the breach.
[Update, 8.3.19: A GitHub spokesman offered the following information on the breach: "GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”]
This was quick work by law enforcement, as the Washington Post notes. Federal investigators found their task simplified by Ms Thompson's online boasting. Using the nom-de-hack "erratic," she had woofed about herself in Slack, Meetup, and Twitter channels, offering such commentary as, “I’ve basically strapped myself with a bomb vest, [redacted expletive] dropping capitol ones dox and admitting it. Such insouciance sadly left her during an appearance Monday in the United States District Court for the Western District of Washington at Seattle,Washington, where, Bloomberg reports, she "broke down and laid her head on the defense table." If convicted, she faces up to five years imprisonment and a $250 thousand dollar fine. As WIRED observes, Ms Thompson's online communications showed a person struggling with problems with living.
The FBI is sorting out claims in Ms Thompson's posts that she's also hacked other companies, the Wall Street Journal reports, but according to Computing, Amazon thinks those claims are unfounded, or at least that it's found no evidence of other victims.
The IRS is sending letters to 10,000 cryptocurrency holders who may have failed to report their income or pay taxes on transactions involving digital currencies, CNBC notes. The letters explain the recipients' obligations under the law and contain instructions on how to fix past tax filing errors. An IRS news release stated that "taxpayers who do not properly report the income tax consequences of virtual currency transactions are, when appropriate, liable for tax, penalties and interest. In some cases, taxpayers could be subject to criminal prosecution."
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Courts and torts.
A High Court decision in the UK sustained the 2016 Investigatory Powers Act's authorization for bulk collection and retention of data by the government. The Court found that the safeguards the Act put in place were sufficient to ensure that bulk collection remained compatible with European human rights law.
The US Federal Trade Commission's recently opened antitrust investigation of Facebook is, for now, concentrating on the social networks' acquisitions. The Wall Street Journals says that investigators are interested in seeing whether Facebook's acquisition of potentially disruptive, smaller rivals formed part of a deliberate strategy to neutralize competitors.
GitHub has restricted developers in Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine from accessing or creating private repositories on its platform, BleepingComputer reports. The company's CEO tweeted that "GitHub is subject to US trade law, just like any company that does business in the US," although he emphasized that he took no pleasure in enforcing the measure. Restrictions are based on user location rather than nationality. GitHub also said that users were prohibited from using proxies and VPNs to bypass the restrictions, although TechCrunch notes that it's not clear how this might be enforced.
The Australian Competition and Consumer Commission (ACCC) on Friday released a 623-page report outlining 23 recommendations concerning regulation for digital platforms, with a particular focus on Google and Facebook, according to TIME. The recommendations include reforming the country's Privacy Act with stronger protections for personal information and stricter penalties for companies that breach the act, and increasing monitoring for anti-competitive practices. The report also calls for investigations into the online advertising market, noting that Google and Facebook combined receive 71% of every AU$100 spent on online ads. ACCC chair Rod Sims told the Guardian that this report didn't advocate for breaking up the companies, although that option could be considered in the future. Sims added that the ACCC's current goal is pursuing five cases involving alleged breaches of competition laws by Google and Facebook.
Policies, procurements, and agency equities.
Robert A. Cohen, who led the US Securities and Exchange Commission's Division of Enforcement's Cyber Unit since its inception in 2017, will be leaving the agency in August after 15 years of service, the SEC announced this week.
Governor John Bel Edwards of Louisiana declared a state of emergency after three Louisiana school districts sustained cyberattacks last week, ZDNet reports. The declaration states that the "severe, intentional cybersecurity breaches" that occurred in the three school systems "may potentially compromise other public and private entities throughout the State of Louisiana."
Fortunes of commerce.
In the press release disclosing the breach it sustained, Capital One summarized the financial costs it expects to incur. "We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support." This, of course, falls far short of exhausting the costs to Capital One. The company's reputation and stock price have taken a hit from the data breach. The Wall Street Journal reports that Capital One's share price dropped almost 6% on Tuesday. MarketWatch puts the hit to the company's market cap at $3.2 billion so far, but they do note that most such scandals eventually blow over.
Cloud backup provider Carbonite's CEO Mohamad Ali is stepping down in order to take over as CEO of International Data Group on August 1st. Carbonite will be led temporarily by its board chairman Steve Munford until the company finds a new CEO, Xconomy reports.
Boston-based Burning Glass Technologies has taken a look at the cybersecurity labor market and found that the much-reported talent gap persists. Efforts to increase the talent pool are showing some results, but they're basically keeping pace with rising demand, so the gap remains about where it was in 2015.
Mergers and acquisitions.
Reuters reports that BlackRock is in advanced talks to take over Cofense, after the Committee on Foreign Investment in the United States (CFIUS) asked Pamplona Capital Management to sell its 47% stake in the Virginia-based phishing awareness company for undisclosed reasons. According to the Wall Street Journal, Pamplona dragged its feet and failed to find a buyer for its stake by the July 19th deadline, so CFIUS is now threatening to levy daily fines against Pamplona and Cofense until the stake is sold. Several days ago, Pamplona resumed talks with BlackRock, which owns a 30% stake in Cofense.
Radware has told Calcalist that it's actively looking for acquisitions.
TechCrunch reports that Jamf, which specializes in managing Apple systems in the enterprise, has acquired Mac endpoint security start-up Digita Security. It's an augmentation of Jamf's capabilities, and it amounts to an acqui-hire: Digita's five employees now work for Jamf.
VMware has picked up Uhana for an undisclosed amount, ZDNet reports. Uhana is a startup that uses AI to automate network operations.
GoSecure has acquired email-security shop EdgeWave. EdgeWave brings with it some two-thousand customers and two-hundred channel partners.
The Boston Business Journal reports that Everbridge, a critical event management firm, has acquired threat intelligence software provider NC4 for cash and stock valued at $83 million.
Light Reading says A10 Networks is putting itself up for sale. Its founder and CEO is also departing. The company has been seeking to develop a strategy for growth as a 5G security shop.
Investments and exits.
Prevailion has raised $10 million in a Series A round led by AllegisCyber, with participation by previous investor DataTribe. Prevailion provides its customers with confirmed evidence of compromise for both the customers and the customers' partner ecosystem.
Palo Alto-based Confluera has raised $9 million in a Series A round, and has announced the launch of its new Real-time Attack Interception and Defense platform ("RAID"). The funding round (described as "oversubscribed) was led by Ravi Mhatre of Lightspeed Venture Partners, with the participation of other industry partners, SecurityWeek reports.
Maryland-based Trinity Cyber emerged from stealth on Monday with a $23 million investment from Intel Capital and other investors. Trinity Cyber offers a SaaS solution that monitors all traffic entering and exiting a client's network in order detect and disrupt cyberattacks as they occur, according to VentureBeat. The company's management team includes former Homeland Security Advisor Tom Bossert.
FanDragon Technologies has raised $12 million in funding from unnamed investors, according to the Los Angeles Business Journal. The startup will provide software that uses a blockchain to ensure secure and legitimate ticket delivery for companies and events.
Swiss startup accelerator Kickstart announced the forty-eight tech startups that have been selected for its fourth innovation program in Zurich. Some of the companies in this class are decepeton technology shop Illusive Networks, predictive cyber risk modeling firm Kovrr, automated breach and attack simulation provider XM Cyber, supply-chain security assessment provider CyNation, ICS, OT, and IoT security company Enigmedia, and data anonymization company Statice.
Australia's innovation center, Data61, is looking for a new CEO. ZDNet reports that Adrian Turner is moving on to found a new venture.
Today's issue includes events affecting Australia, Canada, China, European Union, Israel, New Zealand, Switzerland, United Kingdom, United States.
Digita's headcount has been corrected from six to five in the paragraph above on the company's acquisition by Jamf..
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.