The week that was.
More Fancy Bear sightings.
Microsoft said on Wednesday that it had spotted Russian cyber activity targeting European, Atlanticist think tanks. The targeted institutions include the German Council on Foreign Relations, the Aspen Institutes in Europe, and the German Marshall Fund. Redmond says spearphishing attacks targeted more than a hundred accounts belonging to employees in Belgium, France, Germany, Poland, Romania, and Serbia between September and December 2018. The primary suspect behind the attacks is Fancy Bear (APT28), Russia's GRU military intelligence service. Microsoft believes Fancy Bear's goal was influencing upcoming European elections, noting that the attacks validate warnings raised by European leaders about the threat level in the region.
Australia thinks state espionage services responsible for cyberattack on Parliament.
Australian Prime Minister Morrison announced Monday that "a sophisticated state actor" was behind network intrusions that targeted Parliament and the country's three main political parties (Liberal, Labor, and National) (The Conversation). Alastair MacGibbon, head of the Australian Cyber Security Centre (ACSC), says investigators still don't know which data the attackers had access to, although Labor Party leader Bill Shorten notes that the political parties were compiling "large amounts of information" about voters in preparation for the upcoming federal election (The Verge).
Few details on the attacks have been disclosed, but they're said to have involved a new form of malware with China's "digital fingerprints." Authorities are aware that such fingerprints may be deliberate misdirection by some other nation-state actor (Sydney Morning Herald). MacGibbon said the attackers' level of sophistication restricts the list of suspects to "a limited number of countries" (Australian Broadcasting Corporation). In addition to China, those countries would be Russia, Israel, and the US (Register). (We might point out that such a list should include at least France and the United Kingdom as well.) But it's important to note that this remains public speculation based on conjectured national capabilities, and not on any actual evidence, circumstantial or otherwise. The general consensus, however, is that signs point to China as the prime suspect.
A preliminary attribution by the cyber company Resecurity, discussed Thursday in the Wall Street Journal, cited Iran's Mabna Institute as an even likelier suspect. The Mabna Institute has been indicted by the US for cyberattacks against American enterprises, and Resecurity thinks the activities reported and observed around Australian targets employ techniques Mabna has used in the past. Thus the spoor leading back to China would amount to a false flag operation. But this strikes most other observers as unlikely. The evidence publicly cited is circumstantial and ambiguous at best, including documents retrieved from a cloud server that may or may not have been used by the hackers. Sources close to the investigation but willing to speak anonymously to the Sydney Morning Herald dismiss suggestions of Iranian involvement as far-fetched. They can't yet speak on the record, but the anonymice in this case seem pretty certain that the attacks are traceable back to Beijing.
The Australian Broadcasting Corporation interviewed some academic experts on attribution. Their explanations of how one tells whether a nation-state is behind an attack are surprisingly impressionistic, more art than science, although there's a bit of science there, too.
Chinese and Iranian cyberespionage surge.
Chinese and Iranian cyberattacks against the United States have escalated recently, with the hackers exhibiting considerably improved levels of skill. Dozens of American corporations and several US government agencies have been attacked by Iranian hackers, and the scope of the attacks is wider than previously reported. The upsurge in Iranian espionage campaigns is thought to be in response to the Trump administration's withdrawal from the Iran nuclear deal. China also increased its espionage after an 18-month lull following the 2015 US-China Cyber Agreement. Chinese attacks are now said to occur as frequently as before the deal took effect. The new attacks are stealthier and more advanced. Boeing, General Electric Aviation, and T-Mobile are among those recently attacked, although it's unclear with what success (New York Times).
Phishing in Facebook.
Researchers with the password manager service Myki discovered a "hyper-realistic" phishing campaign targeting Facebook users by spoofing single sign-on (SSO) login windows. The attackers used a block of HTML to present an SSO window nearly identical to the ones used by Facebook, complete with Facebook's legitimate HTTPS-based URL. The easiest way to detect the fraud is to try to drag the SSO window outside of the primary window. Legitimate SSO prompts can be dragged outside of the web page, while this pop-up will disappear past the edge of the window (Ars Technica). The Myki researchers point out that most users won't be aware of this technique, since it's not included in current phishing guidelines.
Metaphor shift: not Pearl Harbor, but Hamel.
"Cyber blitzkrieg" is a more accurate metaphor for coordinated cyberattacks against multiple sectors of critical infrastructure than "cyber Pearl Harbor" or "cyber storm," according to Professor Greg Austin from the University of New South Wales. He writes that any such attack would be multi-vector, multi-wave, and involve both civilian and military targets. Austin told ZDNet that "states are exploring the use of related tactics very vigorously in a way in which they're not exploring similar tactics for nuclear warfare." He points out that the first known cyberattack against an electric grid happened two decades ago, and the threats have grown far more dangerous since then. Nation-states have mapped their rivals' critical infrastructure for years, and they're already staging disruptive attacks.
Scaling defenses to meet that sort of attack might be more difficult than defenders would wish. Australian Defence Force (ADF) Head of Information Warfare Major General Marcus Thompson worries that Australia wouldn't be able to defend against a large-scale, coordinated attack against its critical infrastructure (ZDNet).
(The defining characteristics of Blitzkrieg were combined arms, fast operational tempo, detailed planning, and closely coordinated mobile action. This approach to combat wasn't named until the Germans followed it in 1939, but Lieutenant General Sir John Monash was almost certainly its first practitioner, as early as 1918, with a coordinated attack using infantry, artillery, air, and armor. So give the Australian Army full credit, and instead of "Blitzkrieg," we'll say "Hamel.")
Black market report.
Researchers at Top10VPN compiled two reports on dark web commodity pricing in the United States and the United Kingdom, showing that a full online identity of the average person in the US is worth around $1200, while the average value of someone in the UK is approximately £800. The US report shows that hacked Amazon accounts are worth $30 each, topping the list of online shopping accounts. Best Buy accounts come in second at $26.50. The researchers say accounts with these two companies are the most valuable due to their high-value inventories. Stolen bank details in the US average $259. The UK report shows that a British Airways account is worth nearly £32, after the company suffered a massive data breach last year. The average price for someone's bank details in the UK is £347.
Researchers at Coveware and McAfee looked at communications between attackers and victims of ransomware attacks, noting that attackers in these cases, particularly in recent, targeted campaigns, often provide their victims with 'support' to walk them through the payment process and the subsequent decryption of their files (Coveware). Ryuk ransomware, for example, comes with one of two notes. One is friendly and well-written, and asks for about 50 Bitcoin. The other is brusque and to the point, but asks for a lower amount between 15 and 35 Bitcoin. Replies from Ryuk operators during negotiations are terse messages that typically convey the bare minimum of necessary information. After a victim pays the hefty ransom, the attackers will provide a decryptor, although the decryptor is very buggy and is likely to permanently destroy the encrypted files (Help Net Security).
Digital Shadows published a white paper revealing that cyber criminals are offering average annual salaries of $360,000, with one group offering a starting salary of $768,000, which will increase to $1,080,000 after the second year of work (Business Wire).
Two WordPress plugins have issued security patches. WP Cost Estimation & Payment Forms Builder fixed a directory traversal vulnerability, and the Simple Social Buttons plugin received a patch for a critical vulnerability that could allow privilege escalation (Infosecurity Magazine).
Adobe released another patch for the critical zero-day vulnerability in Acrobat Reader: last week's patch for the bug left a security hole (Threatpost).
Crime and punishment.
The strange case of Paul Whelan, detained in Russia on espionage charges, is still strange, as he and his family appear caught in a paperwork Catch-22, and as Russian authorities seem in no hurry to go to trial (Foreign Policy).
Laurie Love, arrested in 2013 by Britain's National Crime Authority for hacking but not charged, sued the NCA to get his seized devices back. The judge said no. Since by Mr. Love's admission the data they contained weren't his, he's not entitled to get them back (Naked Security).
The fraud case against Autonomy executives involved in the sale of that company to HP has touched DarkTrace, lightly. Nicole Eagan, co-CEO of the Cambridge unicorn, has held a voluntary interview with the FBI (Telegraph). Two Autonomy executives, former CEO Mike Lynch and former CFO Sushovan Hussain, had held seats on DarkTrace's board until they resigned last year after coming under suspicion of fraud. (Or, in Hussain's case, being convicted of fraud (Bloomberg).) DarkTrace does not seem to be suspected of involvement in the alleged securities fraud, but the company was the subject of the first investment by Invoke Capital, a venture fund Lynch founded after he sold Autonomy to HP in 2011 (City A.M.).
Courts and torts.
A class action suit alleging unfair "no-poach" agreements among US Federal contractors has been filed (HR Dive).
Policies, procurements, and agency equities.
Some inside baseball at the US Department of Homeland Security: Congress has told DHS to keep $90 million in cybersecurity research funding in its Science and Technology Directorate, stopping plans to shift the money to the Cybersecurity and Infrastructure Security Agency (FCW).
Fortunes of commerce.
Samsung is investing in its networking equipment line, hoping that international security concerns about Huawei will enable it to steal a march on its Chinese competitor (NDTV Gadgets 360).
Gizmodo says that NSO Group has renamed itself Q Cyber Technologies. The rebranding preceded this week's formation of a competing business alliance, Intellexa, in which a number of lawful intercept and spyware vendors will assemble to offer a "one-stop shop" for their wares.
Security concerns about Huawei were met with a double backlash. China accuses the US of simple trade-war bullying (Forbes). Beijing has also warned Canada of unspecified but costly consequences should that country exclude Huawei from its 5G buildout. Presumably those consequences would involve litigation over an alleged breach of a foreign protection agreement (CBC).
Sentiment in favor of closer regulation of tech companies, especially of social media, rises (Telegraph). Sources in the UK in particular see an end to Big Tech's "self regulation" (Telegraph). The Parliamentary report on fake news was scathing: "Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law."
Facebook CEO Zuckerberg, with whom the US Congress would again like to speak (Silicon Valley Business Journal), has delivered a talk on ethics as partial fulfillment of promises the company has made to do better (TechCrunch).
Splunk has decided to exit the Russian market (ZDNet).
Whatever the challenges, problems, and promises of artificial intelligence may be, one issue will surely be the availability of human labor qualified to build it (WIRED). AI will produce as well as relieve labor shortages.
Military personnel systems aren't immune to changing needs and changing work forces. The US Army, for one, is studying ways to modernize its own personnel system (Federal News Network). But we imagine 11Bs and 13Bs will be with us always.
Mergers and acquisitions.
On Tuesday Palo Alto Networks made it official: its rumored acquisition of Israeli security firm Demisto will go through, at a price tag of $560 million. Demisto specializes in security automation and orchestration (TechCrunch). Here's the 8-K. Silicon Valley Business Journal discusses the acquisition as a case study in how venture capital works (since the obverse of every acquisition is an exit).
Virginia-based Dark Cubed has acquired Fenris IV Incorporated, also based in Virginia. Dark Cubed, which focuses on threat protection for highly regulated small and medium businesses, will integrate Fenris IV's endpoint protection, scanning, penetration testing, and other services into its offerings (PRNewswire). (As Technical.ly DC notes, Fenris IV is not to be confused with Fenris Digital, a different company.)
Several acquisitions announced earlier closed this week: Capgemini's acquisition of Leidos Cyber (GlobeNewsWire), BlackBerry's acquisition of Cylance (Information Age), and Zix's acquisition of AppRiver (ChannelE2E).
Investments and exits.
Anti-fraud start-up nsKnox has closed a $15 million Series A round led by Microsoft's M12 fund and Viola Ventures, with participation by Israel Discount Bank's Discount Capital. nsKnox intends to use the money for expansion into new markets (ZDNet).
London-based start-up Senseon (founded by DarkTrace alumnus David Atkinson) raised $6.4 million in seed funding. MMC Ventures and vArmour's Mark Weatherford led the round. Senseon calls its approach to security "AI triangulation," in which AI oversees network appliances, endpoints, and bots that investigate microservices.
Maryland-based Bandura Cyber, known for its threat intelligence gateway, has closed an expanded Series A round, bringing investment in that round above $10 million. The company intends to use the funding to expand into new verticals, and for accelerated product development (DCInno). Tenfore Holdings led the round, with participation from Grotech Ventures, Gula Tech Adventures, and Cultivation Capital (BusinessWire).
As it exits stealth, Silicon Valley-based Armorblox announces a $16.5 million Series A round. General Catalyst led the round, with participation from Point72 Ventures. Armorblox offers deep learning technologies designed to thwart social engineering (CrunchBase).
And security innovation.
RSAC 2019's Launch Pad will offer start-ups an opportunity to pitch venture capitalists (Help Net Security).
A note on some hundred AI start-ups thought to be worth watching (CB Insights).
Investors are concerned that moves in the Maryland Assembly to restrict TEDCO funding could inhibit the development of a robust startup community in the state (Baltimore Business Journal).
This CyberWire look back at the Week that Was discusses events affecting Australia, Canada, China, European Union, Germany, Russia, United Kingdom, United States.
On the Podcast
Research Saturday is up. In this episode, "Rosneft suspicions shift from espionage to business email compromise," we hear what researchers at security firm Cylance have learned as they tracked a threat group targeting the Russian oil company Rosneft. As Cylance uncovered details, suspicions shifted from state-sponsored espionage to business email compromise. Kevin Livelli is director of threat intelligence at Cylance, and he joins us to share what they found.