The Secureworks Counter Threat Unit has observed a new threat group, "LYCEUM," active against targets in the Middle East. The researchers say the group's tradecraft bears similarities to APT33 and APT34 (two Iranian-linked threat actors), but they note that none of LYCEUM's known malware or infrastructure has any apparent connection to these or other groups. Secureworks concluded that there wasn't enough technical evidence for attribution, although they did determine this was the same group Dragos has been tracking as HEXANE.
LYCEUM targets "organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications." Unlike Dragos, the Secureworks researchers didn't see any evidence that the group was interested in ICS or OT environments. However, they add that they "cannot dismiss the possibility that the threat actors could seek access to OT environments after establishing robust access to the IT environment." Dragos said the threat actor targeted IT environments to gather information about ICS-related entities, but concluded that the group probably doesn't yet have "the access nor capability to disrupt ICS networks."
Fancy Bear sighting.
Blackberry Cylance's ThreatVector team has released new research on a malware sample used by APT28, that is, of course, Fancy Bear, Russia's GRU. The sample was uploaded to VirusTotal by US Cyber Command on May 17th. Cyber Command didn't provide any context, but security researchers concluded the malware was probably X-Tunnel, a tool that allows APT28 to maintain encrypted communications with an infected network.
ThreatVector's research last month outlined the team's preparation for a detailed analysis of the binary using IDA Pro. They deduced that the malware was built with Microsoft Visual C++ and contained statically linked libraries, specifically the POCO C++ framework and OpenSSL version 1.0.1e. The researchers rebuilt these libraries and used them to generate custom IDA signatures that identify library code, which vastly narrowed down the code that actually needed to be analyzed. ThreatVector's new research lays out the results of that analysis. They found that the malware is "a multi-threaded DLL backdoor that gives the threat actor full access to, and control of, the target host."
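The signature-matching idea behind that step, shown as an added illustration that is not code from ThreatVector, IDA or the FLIRT toolchain: a pattern is taken from the leading bytes of each function in a locally built library, bytes that change with link address are wildcarded, and the patterns are then matched against function starts in the sample, so that only unmatched functions remain to be reversed. All byte sequences and function names below are constructed for the example.

```python
# Simplified FLIRT-style identification of statically linked library code.
# Added example; the "library" and "sample" bytes are constructed, not taken
# from X-Tunnel, POCO or OpenSSL.
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, List

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: Tuple[Optional[int], ...]   # byte value, or None for a wildcard

def build_signature(name: str, func_bytes: bytes, variable_offsets: set, length: int = 16) -> Signature:
    """Pattern from the first `length` bytes of a known library function.
    Offsets that hold link-dependent values (call targets, absolute
    addresses) are wildcarded so the pattern survives relinking."""
    pattern = tuple(None if i in variable_offsets else b
                    for i, b in enumerate(func_bytes[:length]))
    return Signature(name, pattern)

def matches_at(blob: bytes, offset: int, sig: Signature) -> bool:
    if offset + len(sig.pattern) > len(blob):
        return False
    return all(p is None or p == blob[offset + i] for i, p in enumerate(sig.pattern))

def identify_library_code(blob: bytes, func_starts: List[int], sigs: List[Signature]) -> Dict[int, str]:
    """Map each function start that matches a library signature to its name."""
    found = {}
    for off in func_starts:
        for sig in sigs:
            if matches_at(blob, off, sig):
                found[off] = sig.name
                break
    return found

def remaining_to_analyse(blob: bytes, func_starts: List[int], sigs: List[Signature]) -> List[int]:
    """Function starts not attributed to a library: the code a human must read."""
    known = identify_library_code(blob, func_starts, sigs)
    return [off for off in func_starts if off not in known]

# Constructed "library" function: push ebp; mov ebp,esp; call rel32; pop ebp; ret.
# Bytes 4..7 are the call displacement and differ in every link, so they are wildcarded.
LIB_FUNC = bytes.fromhex("558bece8112233445dc3")
LIBRARY_SIGNATURES = [build_signature("lib_example_fn", LIB_FUNC, {4, 5, 6, 7})]

# Constructed "sample": the same library function relinked (different call
# displacement) at offset 0, followed by a hand-written function at offset 10.
SAMPLE_BINARY = bytes.fromhex("558bece8aabbccdd5dc3") + bytes.fromhex("6a00e801000000c3")
SAMPLE_FUNC_STARTS = [0, 10]

if __name__ == "__main__":
    print(identify_library_code(SAMPLE_BINARY, SAMPLE_FUNC_STARTS, LIBRARY_SIGNATURES))
    print(remaining_to_analyse(SAMPLE_BINARY, SAMPLE_FUNC_STARTS, LIBRARY_SIGNATURES))
```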
Every business can benefit from a cookbook approach to developing a cloud strategy.
By focusing efforts on a living document, CIOs can connect business strategy to cloud migration planning and implementation. Visit www.coalfire.com and download the latest Gartner Cloud Strategy Cookbook, 2019. The Cloud Strategy Cookbook provides actionable advice on structuring a cloud strategy document, while offering guidance on determining which applications go where.
Annual business losses from data breaches could reach $5 trillion by 2024.
New findings from Juniper Research, summarized in a white paper, predict that the annual losses caused by data breaches will surpass $5 trillion by 2024. That figure "includes both the direct and indirect cost of breaches, covering the replacement of hardware, additional staff required, abnormal churn and company devaluations caused by reputational damage." Data breaches currently cost around $3 trillion per year, which the researchers believe will rise by 11% annually. According to their press release, this rise will "primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm."
Project Zero releases details of an iPhone watering hole.
Google's Project Zero has released details of its research into a quiet, sustained watering-hole campaign against iPhone users. They found five distinct exploit chains in use by the attackers. "There was no target discrimination," Google's blog says, "simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." Apple patched the zero-day vulnerability the campaign exploited in February. Google notes that this is just one campaign, and "there are almost certainly others."
Cybersecurity Fabric: The Future of Advanced Threat Response
Today, it is not enough to protect your assets by collecting high quality threat intelligence – organizations need inline detection & mitigation at line-speed to protect themselves from incoming or existing threats on the network. As cyber strategy shifts towards a “Zero Trust” model, your organization needs to ensure that every device, user, workload, or system is being monitored with a Cybersecurity Fabric. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn more.
President Trump suggests that US companies look elsewhere for their supply chain.
US President Donald Trump tweeted a little more than a week ago that American companies should bring operations home from China: "Start looking for an alternative to China." Axios and other outlets that reported the tweets argued that a President doesn't have the authority to order companies to stop doing business in particular countries. But it seems that in fact he does. The President and others point out, as the Seattle Times observes, that invoking the emergency economic powers granted the President under 50 US Code Chapter 35 (the International Emergency Economic Powers Act) would seem to constitute such authority.
Silicon Valley Business Journal reported that share prices of Apple and other Big Tech firms dropped on the tweet, but the market has been unusually volatile, reading much into discussions believed to be held at the G7 meetings.
The discussion is part trade war, part supply chain security. Industry groups in the US have expressed reservations about the effect that the Entity List and other measures will have on American companies. Federal News Network reports that the Government Procurement Council, the National Defense Industrial Association, and the Professional Services Council, while in general finding themselves in support of measures taken to improve supply chain security, argue that the FAR Council's interim final rule restricting trade with Chinese companies will prove difficult and expensive to follow. The due diligence necessary to remain in compliance strikes them as particularly onerous.
Conduct secure and anonymous research on the open and dark web.
If you are doing online research, the common web browser can betray you by exposing you and your organization to cyber attacks. Authentic8, the maker of Silo Cloud Browser and Silo Research Toolbox, ends this betrayal. Silo insulates and isolates all web data and code execution from user endpoints, providing powerful, proactive security even if you are gathering data and collections across the deep and dark web. Learn more.
Crime and punishment.
Bulgarian authorities have recovered some deleted files from the computer belonging to Kristian Boykov, the principal suspect in the hacking of that country's tax authority. A transcript from security video at Boykov's company, TAD, also indicated that Boykov was intent on deleting certain files. Deleted they were, but apparently not irrecoverably so. TAD is thought by Bulgarian authorities to have hacked companies and then offered its security services for recovery and future protection, Computing reports. This seems more gray hat than white hat, even if it may not rise to the level of a protection racket.
Bulgaria's tax agency, NRA, is itself being held to account for the breach, with a fine that amounts to $3 million. NRA is appealing, and is itself considering legal action against the hackers, according to Reuters.
Charges have been added to the ones already facing accused Capital One hacker Paige Thompson. An indictment filed Wednesday adds charges of cryptojacking to the docket, Infosecurity Magazine reports. The new indictment does include some newly named victims of the alleged crimes: a “state agency outside the State of Washington; a telecommunications conglomerate outside the United States; and a public research university outside the State of Washington.”
The Wall Street Journal reports in an exclusive that US Federal prosecutors are investigating Huawei for alleged intellectual property theft. The investigation includes at least one subpoena from the US Attorney for the Eastern District of New York, and this suggests to the Journal that the inquiry is looking into some hitherto unexamined case of IP theft. Huawei, which has denied that it steals intellectual property for almost as long as it’s been suspected of doing so, is currently fighting a case in a Seattle court that alleges the Shenzhen-based company illicitly obtained details of T-Mobile test equipment. Who the alleged victims in the present investigation may be remains unknown, and the US Department of Justice is remaining tight-lipped. But the Journal does say that the FBI has interviewed a Portuguese national who’s complained that digital imaging technology he developed had been misappropriated by Huawei.
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Courts and torts.
NASA is conducting an inquiry into what may turn out to be the first known case of crime committed from space. The New York Times reported Friday that astronaut Anne McClain told investigators that she accessed her estranged wife's bank account during a six-month tour aboard the International Space Station. She denied moving any money from the account, and is quoted in Heavy as saying she simply checked the account to monitor the couple's finances, as she has done throughout their time together. The astronaut's spouse, Summer Worden, filed a complaint with the US Federal Trade Commission alleging that McClain had committed identity theft. Ms Worden said that she didn't detect any theft from the account. Worden’s parents independently complained to NASA's Inspector General, alleging that Ms McClain had improperly gained access to private financial records in the course of the divorce and attendant child custody fight.
Ars Technica has followed up with Crown Sterling to hear its leaders explain their Time AI approach to encryption, and inter alia to give their account of what happened during their presentation at Black Hat. They were, as has been widely reported, booed during their talk, and they've since filed a lawsuit against Black Hat's organizer, UBM. Crown Sterling CEO Grant explained Time AI as follows: "It's based on mathematical constant numbers—like pi for example—that have infinite tails that can be derived through equations, that are then connected to an AI. Basically, the AI is writing its own music. And each of the musical notes has a time signature associated with it. And then we oscillate them at a scale of time that's at 10 to the negative ninth power, which is in the nano scale of time. So it's a very rapid moving target of a dynamic encryption key." Ars Technica concludes with a we'll-wait-and-see.
Policies, procurements, and agency equities.
"Senior American officials" have described the June 20th US cyberattack against Iranian targets. The New York Times says the officials see the operation as a success. In addition to taking down military networks, the cyberattack wiped out a database essential to the Islamic Revolutionary Guards Corps' operations against tankers in the Arabian Gulf. The Times report says that Iranian military and paramilitary authorities are still trying to recover their systems. The June 20th attack was chosen as non-lethal and indeed non-kinetic retaliation for Iran’s shoot-down of a Global Hawk drone operating in what the US and the rest of the civilized world consider international airspace. Iran disagrees, claiming that the drone was flying in Iranian airspace. The cyberattack was authorized after US President Trump rejected proposals for retaliatory airstrikes. The operation against the Revolutionary Guard is seen as an instance of the more assertive US posture or "persistent engagement" in cyberspace.
Recent attacks on US local governments suggest that one of the threats to expect during the 2020 elections will be ransomware. Reuters reports that CISA is working to help secure voter registration databases in particular against this form of attack. StateScoop sees the National Guard assuming a role in ransomware defense. US Air Force General Joseph Lengyel, currently Chief of the National Guard Bureau, said late last week that recent incidents in Texas and Louisiana have amounted, not exactly to a “cyber hurricane,” but to a major “cyber storm.” In both cases the National Guard was summoned to help. He expects this to become more, not less common, and as states and municipalities are hit by hacking, they’re likely to call out the Guard.
Last Thursday, the Cybersecurity and Infrastructure Security Agency published a document outlining the agency’s strategic vision, and CISA Director Chris Krebs summarized the strategy in a speech at Auburn University. As Federal News Network reported, Krebs said his agency’s overarching job is to act as the nation’s risk adviser, helping public and private sector entities form strategies to defend themselves against cyberattacks. CISA will focus on five specific operational priorities: China (especially with respect to supply chain security), election security, soft target (that is, crowded places) security, Federal cybersecurity, and industrial control system security.
The UK continues to nurture a healthy brood of tech unicorns, but they're being acquired at a lower rate than they and market watchers have expected. The Telegraph reports that concerns about digital taxes have made potential buyers skittish.
The latest call to break up powerful tech companies comes from a surprising source: Apple co-founder Steve Wozniak. And, according to the Silicon Valley Business Journal, the Woz includes Apple among those that might be broken up. His reasoning is familiar. Big Tech, he thinks, tends to achieve and then abuse a monopoly.
HackerOne reported Thursday that six hackers have now each cleared a million dollars in bug bounties.
The first class of thirty graduated from the US Federal Government's Cyber Reskilling Academy, but it's not clear that most or even many of them will be headed for cyber jobs, FCW reports. The basic stumbling block is a grade mismatch: many of those being reskilled occupied higher civil service grades than would come with an entry-level Government cyber job. Perhaps the value of the Reskilling Academy will be not so much to equip people for different career fields as to enable them to bring heightened security awareness and proficiency to their current track.
Mergers and acquisitions.
Elastic has acquired Endgame for $234 million. ZDNet reports that the search company intends to integrate its capabilities with Endgame's endpoint security technology in order to achieve a convergence of the endpoint and SIEM markets.
Investments and exits.
Fortune says that McAfee is positioning itself for an IPO, having hired underwriters to explore the possibility of an offering it hopes could raise as much as $8 billion. The company, whose owners include Intel, Thoma Bravo, and TPG, is working with both Bank of America and Morgan Stanley. Plans are far from final, and they could change, or be rescinded, but for now McAfee appears headed for the stock market. The company might take the opportunity of an IPO to engage in some major rebranding.
Axonius, whose cybersecurity asset management platform was featured in this year's Innovation Sandbox at RSA, has secured a $20 million Series B round. New investor OpenView led the round, with participation by existing investors Bessemer Venture Partners, YL Ventures, Vertex, WTI, and Emerge. TechCrunch says that much of the round will go toward expanding sales and marketing, with some earmarked for further product development.
Flush with cash from its recent IPO, CrowdStrike has formed a $20 million fund to invest in seed and A rounds for early-stage start-ups building applications for the company's Falcon platform. The new fund (with the obvious name "Falcon Fund") is being established in partnership with Accel, the announcement said.
And security innovation.
The US Army has outlined eight families of cybersecurity technologies it's interested in developing and fielding as quickly as possible. Specifically, an officer at its Cyber Center of Excellence says that the Service has requirements in place for "a garrison defensive cyber platform, a deployable defensive cyber system, cyber analytics, a defensive cyber tools suite, defensive cyber planning, a tactical defensive cyber infrastructure, a tool for insider threats and a tool for forensics and malware," according to Fifth Domain. The Army hopes to acquire these quickly, without becoming enmeshed in the sluggish coils of the acquisition system.
Nextgov reports that the Defense Innovation Unit, the Pentagon's now-permanent Silicon Valley incubator, has a request out to small businesses for services that will enhance the Unit's own security. "Silicon Valley" appears often in descriptions of the Defense Innovation Unit, but it's worth noting that this is intellectual geography, not a confining physical location.
The second annual DataTribe Challenge is open, with applications due October 1st. Competitors will be judged on "technical merit, market potential, and readiness of the team." The DataTribe startup foundry is interested in finding innovative cybersecurity and data science startups.
Today's issue includes events affecting Bulgaria, China, Iran, Russia, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. This episode is "Emotet's updated business model." The Emotet malware came on the scene in 2014 as a banking trojan and has since evolved in sophistication and shifted its business model. Researchers at Bromium have taken a detailed look at Emotet, and malware analyst Alex Holland joins us to share their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.