
Experiencing poor performance with your legacy antivirus? Try CB Defense.

Does your legacy antivirus slow down end user endpoints? Try Carbon Black's lightweight, next-generation antivirus + endpoint detection and response solution in your environment for free!

Compare CB Defense to your current solution using real-world scenarios, and see how operations transform across your security and IT teams. After you've finished your 15-day trial, you'll have everything you need to build a business case and make the switch. Gain superior protection, simplified operations, and actionable visibility today.

The Week that Was.

Ashiyane: gone but not forgotten.

A report from Recorded Future's Insikt Group provides details on Iran's Ashiyane Forum, the country's largest security forum, which was shut down in August of 2018 for unknown reasons. The forum had 20,000 users. Its legacy, however, lives on. One possible reason for the Forum's suppression by the Islamic Republic may have been its involvement with online gambling (

Get comprehensive information about securing the DIB supply chain

According to a 2018 Ponemon report, 61% of surveyed organizations have experienced a data breach caused by a third-party vendor. Cyber criminals are targeting Defense Industrial Base (DIB) supply chain vendors in order to gain access to government networks. The latest case study from Attila Security will help identify solutions to keep your organization’s data secure while avoiding disruptions to the DIB supply chain. Download the Vulnerabilities Within The DIB Supply Chain Case Study today.

Oklahoma's not OK, at least online.

The Oklahoma Securities Commission suffered a major leak of government information, including a large number of files on sensitive FBI investigations. UpGuard discovered that millions of files—some three terabytes of data—were left on an unsecured server freely accessible from the Internet. The server's IP address appeared on Shodan on November 30th, and the server was secured on December 8th after UpGuard notified Oklahoma. UpGuard's research head Chris Vickery told Forbes that the exposure "represents a compromise of the entire integrity of the Oklahoma department of securities’ network."

UpGuard says the exposure occurred through "an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server." The data spanned three decades, from 1986 to 2016. 
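The UpGuard finding comes down to one misconfiguration: an rsync daemon module with no client restriction and no authentication. As an added illustration, not part of the CyberWire's report or UpGuard's findings, the Python below parses an rsyncd.conf and flags modules an anonymous client could read. The two sample configurations are constructed for the example; the Oklahoma server's actual configuration is not published, and the paths and network ranges here are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample rsyncd.conf files for illustration; the Oklahoma server's
# real configuration is not published, so these values are assumptions.
WEAK_CONF = """\
# global defaults
use chroot = yes

[archive]
    path = /srv/archive
    comment = Case files
    read only = yes
"""

HARDENED_CONF = """\
use chroot = yes
hosts allow = 10.0.0.0/8

[archive]
    path = /srv/archive
    comment = Case files
    read only = yes
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf (INI-like) into {module: {parameter: value}}.

    Parameters set before the first [module] are global defaults and are
    merged into every module, as rsync itself applies them. Parameter names
    are lower-cased and whitespace-normalised; rsync ignores both."""
    globals_: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        target = globals_ if current is None else modules[current]
        target[key] = value.strip()
    return {name: {**globals_, **params} for name, params in modules.items()}


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_module(name: str, params: Dict[str, str]) -> List[str]:
    """Findings for one module. With none of these controls, every client
    that can reach the daemon port can list and download the module."""
    findings: List[str] = []
    if "auth users" not in params or "secrets file" not in params:
        findings.append(f"{name}: no 'auth users'/'secrets file' -> anonymous access")
    if "hosts allow" not in params:
        findings.append(f"{name}: no 'hosts allow' -> any source address may connect")
    if _is_true(params.get("list", "yes")):  # rsync advertises modules by default
        findings.append(f"{name}: advertised to unauthenticated clients ('list = yes')")
    if not _is_true(params.get("read only", "yes")):
        findings.append(f"{name}: writable module ('read only = no')")
    return findings


def audit_conf(text: str) -> List[str]:
    """Run audit_module over every module in an rsyncd.conf text."""
    findings: List[str] = []
    for name, params in parse_rsyncd_conf(text).items():
        findings.extend(audit_module(name, params))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['no findings']}")
```

Run against the weak configuration the checker reports three findings (no authentication, no source restriction, module advertised); the hardened one produces none. The configuration check is only half the control: a daemon that is correctly configured but still listening on an address the Internet can reach will be indexed by services like Shodan just as this one was, so pair it with a firewall rule or bind the daemon to an internal address.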

Companies Need Skilled Cybersecurity Talent Now - Join Cybrary

Everyone knows the cybersecurity field is in desperate need of talent, and Cybrary has built the world’s fastest growing free training platform for cyber and I.T. career development. Cybrary offers courses taught by industry leading experts, unlimited virtual labs, practice exams, live mentors, and job ready curriculums to support you in reaching your career potential. Cybrary’s talent network is filled with companies and recruiters actively seeking cyber professionals to fill roles open now. Join Cybrary Insider Pro for 30% OFF using discount code CYBERWIRE30.

Hackable RF controllers in industrial systems.

A Trend Micro report concludes that radio frequency (RF) controllers are vulnerable to command spoofing that could allow an attacker to take control of a machine that operates based on RF signals. Attackers can record RF packets, and then either replay them or modify them to craft arbitrary commands. Trend Micro's research team tested several different vendors at fourteen different locations, all of which were found to be vulnerable. They suggest that decades-old proprietary RF protocols are the root of the problem.
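Both attacks Trend Micro describes, replaying a recorded packet and editing one, succeed because the legacy protocols carry no freshness and no authentication. As an added example, not from Trend Micro's report or any vendor's protocol, the Python below sketches the usual fix: each command frame carries a counter and an HMAC over counter and command, and the receiver rejects frames whose tag fails or whose counter does not move forward. The key, frame layout and command codes are constructed for the illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo key shared between controller and machine. A real deployment
# would provision a unique key per controller/receiver pair at manufacture.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)

CMD_STOP, CMD_LIFT, CMD_LOWER = 0x00, 0x01, 0x02
FRAME_LEN = 4 + 1 + 8  # counter || command || truncated tag


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Controller side: counter (4 bytes, big-endian) || command (1 byte) ||
    first 8 bytes of HMAC-SHA256 over both. Because the counter is under the
    tag, a frame cannot be altered, and because it only moves forward, a
    recorded frame cannot be replayed."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Receiver:
    """Machine side: verifies the tag first, then enforces a strictly
    increasing counter within a small window that tolerates lost frames."""

    def __init__(self, key: bytes, window: int = 16) -> None:
        self.key = key
        self.window = window
        self.last_counter = -1

    def accept(self, frame: bytes) -> Tuple[Optional[int], str]:
        if len(frame) != FRAME_LEN:
            return None, "bad length"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"          # forged or modified frame
        counter, command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return None, "replay"           # already seen (or older) counter
        if counter > self.last_counter + self.window:
            return None, "counter out of window"  # needs resynchronisation
        self.last_counter = counter
        return command, "ok"


def demo() -> Tuple[Tuple[Optional[int], str], ...]:
    """A genuine LIFT, the same frame replayed, then the recorded frame with
    its command byte changed to LOWER."""
    rx = Receiver(SHARED_KEY)
    genuine = build_frame(SHARED_KEY, 1, CMD_LIFT)
    first = rx.accept(genuine)
    replayed = rx.accept(genuine)
    modified = genuine[:4] + bytes([CMD_LOWER]) + genuine[5:]
    tampered = rx.accept(modified)
    return first, replayed, tampered


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first frame is accepted, the replay is rejected on the counter, and the edited frame is rejected on the tag before the counter is even looked at. The engineering cost that keeps vendors on the old protocols is visible in the `window` parameter: counters must survive lost frames, power cycles and controller replacement without a field technician resynchronising every machine, which is why Trend Micro's recommendation is protocol redesign rather than a firmware patch.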

Bridge the Gap Between Policy & Technology at Georgetown

The Georgetown University Master's in Cybersecurity Risk Management prepares you to navigate today’s increasingly complex cyber threats. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. Join us for a webinar on Tuesday, January 29, at noon ET to explore our program.

Ryuk may reuse some DPRK code, but it looks like the Russian mob.

Similarities between the code used by Ryuk ransomware and the Lazarus Group's Hermes tool led to tentative suspicion that North Korean state-directed actors might have been behind Ryuk, too. But this seems to have been a case in which states and hoods sold and bought on the black market (SecurityWeek). The emerging consensus is that Ryuk is run by Russian gangs (ZDNet).

What if your security solution could provide zero doubt?

A foundation of artificial intelligence delivers smart, simple, and secure solutions that change how organizations approach endpoint security. Cylance provides full-spectrum, predictive threat prevention and visibility across the enterprise to combat the everyday - as well as the most notorious and advanced - cyberattacks. Let Cylance help you understand how you can create real confidence in your organization’s security posture and zero in on what really matters.

What attribution means in the cyber insurance market.

NotPetya took a big bite out of Mondelez, the candy and cookie company that owns Oreos and Cadbury (Information Security Buzz). But the company's insurer, Zurich, declined to pay, citing attribution of the malware to Russia as grounds for denying Mondelez's claim, since a state-directed attack amounts to an act of war, and the policy doesn't cover acts of war. Mondelez is suing Zurich for $100 million. As Bloomberg points out, this is the sort of thing one can expect when governments publicly blame one another for cyberattacks. To be sure, Moscow is by any reasonable construal of the evidence behind NotPetya, but some clarity about what amounts to war in cyberspace would be welcome. And in any case, if this is how things are going to be in the insurance world, take a close look at whatever war clauses your policies may include.

On the very idea of a cyber moonshot.

There was more talk at the Consumer Electronics Show about a cybersecurity moonshot. Unisys CEO Peter Altabef made the case we need "fundament[al] changes… at all levels of society, from education and policy to privacy and technology,” and that "governments and companies will need to actively leverage new technologies, including 5G communications, artificial intelligence, and biometrics, to make us safer – not just better connected" (MobileIDWorld). If by "moonshot" is meant "devoting lots of resources and training to the problem," then OK, but if a more serious analogy is intended, it might be worth thinking through what the literal moonshot was like: an ambitious goal, a single well-structured engineering challenge, with a clear end-state in mind. When Apollo 11 splashed down, the moonshot had been achieved. Is cybersecurity like that? A big challenge, to be sure, but it might be more like the war on poverty, or the war on cancer, than Project Apollo.

The National Security Telecommunications Advisory Committee (NSTAC) is preparing a report for the President that outlines a proposed cybersecurity moonshot. Rick Howard, CSO for Palo Alto Networks, said on the CyberWire's Daily Podcast that the establishment of proper incentives may differentiate this cybersecurity initiative from past initiatives that have failed. NSTAC believes that these incentives can be offered by the "Grand Challenge" philosophy; in other words, offering rewards for achieving key milestones towards a larger goal. A draft of NSTAC's report shows that the proposal focuses on six Strategic Pillars: technology, human behavior, education, ecosystem, privacy, and policy. A set of Grand Challenges seems a more promising explanation of "moonshot" than some we've heard.

A new Magecart group targets supply chains.

Researchers at Trend Micro spotted a large Magecart campaign affecting 277 e-commerce websites. The attackers injected their skimming code into a JavaScript library provided by a third-party advertising service, which resulted in the code being loaded on all sites that used the service. The researchers concluded that the activity was carried out by a new group, which they've dubbed Magecart Group 12 (RiskIQ).
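Because the skimmer rode in on a library the 277 sites loaded from a third party, the page owner's main control is Subresource Integrity: pin the reviewed file's hash in the script tag and the browser refuses any version that differs. As an added example, not code from Trend Micro, RiskIQ or the affected sites, the Python below computes and verifies an SRI value and scans a page fragment for external scripts that carry no integrity attribute. The library contents and page fragment are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import List

# Constructed stand-ins for a third-party script: the version the site owner
# reviewed, and the same file after something was appended at the source.
ORIGINAL_LIB = b"window.adTrack = function () { /* vendor code */ };\n"
ALTERED_LIB = ORIGINAL_LIB + b"// unexpected additional code\n"

# Constructed page fragment: one script pinned with SRI, one not, one inline.
# The integrity value on the first tag is a placeholder, not a real digest.
PAGE_HTML = """
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://ads.example/tracker.js"></script>
<script>console.log("inline");</script>
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form the <script integrity=...> attribute expects."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check content against an integrity attribute. Browsers accept several
    space-separated values and use the strongest algorithm present; this
    simplified check accepts a match on any supported value."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        if hmac.compare_digest(sri_hash(content, algo), f"{algo}-{b64}"):
            return True
    return False


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')


def external_scripts_without_sri(html: str) -> List[str]:
    """List src URLs of external <script> tags carrying no integrity attribute,
    i.e. scripts the browser will run in whatever form the CDN serves them."""
    unpinned: List[str] = []
    for m in _SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in _ATTR.findall(m.group(1))}
        if "src" in attrs and "integrity" not in attrs:
            unpinned.append(attrs["src"])
    return unpinned


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_LIB)
    print("pin:", pinned)
    print("original verifies:", verify_sri(ORIGINAL_LIB, pinned))
    print("altered verifies:", verify_sri(ALTERED_LIB, pinned))
    print("unpinned scripts:", external_scripts_without_sri(PAGE_HTML))
```

The altered file fails the pin, which is the desired outcome in the Magecart case, and the scan names the tracker script as the one loaded without any pin. SRI needs the third party to serve a stable file with CORS headers (hence `crossorigin="anonymous"`), and every legitimate library update breaks the pin until someone re-reviews and re-pins it; that friction is the control working, not a bug. A Content Security Policy restricting `script-src` to the expected hosts is the usual companion.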

Collection #1 is big, but maybe not devastating.

On Thursday, a number of media outlets reported on Troy Hunt's discovery of "Collection #1," an 87 GB trove of email addresses and passwords posted to a hacker forum late last year (The Guardian). The folder contains around 773 million email addresses and 21 million passwords, but the data dump may not be as significant as it sounds. Brian Krebs talked to Alex Holden, CTO of Hold Security, who pointed out that most of the Collection was compiled from older breaches that have already been tracked (KrebsOnSecurity). Collection #1 is actually just one of several folders being offered for sale, comprising more than 993 GB of previously leaked data. "Its sheer volume is impressive," said Holden, but it's probably not that useful. Still, watch out for credential stuffing.
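The practical risk from a recycled dump like Collection #1 is credential stuffing: an automated client working through leaked email and password pairs against a site's login. The pattern is easy to see in authentication logs once you look per source address rather than per account. As an added example, not from Troy Hunt, Hold Security or Krebs, the Python below parses a handful of constructed log lines and flags a source that tries many distinct accounts in a short window with almost all attempts failing, while leaving alone a single user who mistypes a password and then gets in. The log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed authentication log lines (not from any real system). The first
# source tries seven different accounts in about a minute and gets one hit;
# the second is one user mistyping a password twice and then succeeding.
LOG_LINES = [
    "2019-01-17T10:00:01Z login_fail ip=203.0.113.5 user=alice@example.com",
    "2019-01-17T10:00:09Z login_fail ip=203.0.113.5 user=bob@example.com",
    "2019-01-17T10:00:17Z login_fail ip=203.0.113.5 user=carol@example.com",
    "2019-01-17T10:00:26Z login_ok ip=203.0.113.5 user=dave@example.com",
    "2019-01-17T10:00:34Z login_fail ip=203.0.113.5 user=erin@example.com",
    "2019-01-17T10:00:45Z login_fail ip=203.0.113.5 user=frank@example.com",
    "2019-01-17T10:01:02Z login_fail ip=203.0.113.5 user=grace@example.com",
    "2019-01-17T10:03:10Z login_fail ip=198.51.100.7 user=bob@example.com",
    "2019-01-17T10:03:25Z login_fail ip=198.51.100.7 user=bob@example.com",
    "2019-01-17T10:03:40Z login_ok ip=198.51.100.7 user=bob@example.com",
]

_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_events(lines: List[str]) -> List[Dict]:
    """Turn log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"], "ip": m["ip"], "user": m["user"],
        })
    return events


def detect_stuffing(events: List[Dict], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, max_success_ratio: float = 0.2) -> Dict[str, Dict[str, int]]:
    """Flag a source IP when, inside any `window`, it tries at least
    `min_users` distinct accounts and almost all attempts fail. One user
    retrying a forgotten password never trips this: distinct users stays at one."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["event"] == "login_ok")
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(span), "successes": successes}
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_events(LOG_LINES)).items():
        print(ip, stats)
```

The one success inside a flagged window is the line that matters: that account was opened with a reused password, and forcing a reset and a step-up check on it is the response. The thresholds are deliberately plain; production detectors also spread the same logic across address ranges and user agents, since stuffing tools rotate both, and they check new passwords against known-leaked sets at registration so the dump has less to work with in the first place.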

Sputnik trolls ejected from Facebook.

Facebook took down "coordinated inauthenticity" from Sputnik hitting Eastern Europe and the Near Abroad. Observers see Russian information operations (Atlantic Council). Sputnik sees infringement of its freedom of speech (Dark Reading).

Patch news.

Microsoft will cease free support for Windows 7 on January 14, 2020. Redmond will still issue patches for paying business customers (ZDNet). 

Crime and punishment.

Daniel Kaye, a British subject, was sentenced to 32 months confinement at Her Majesty's pleasure for using a botnet to launch a series of DDoS attacks against Liberian phone and Internet provider Lonestar in late 2016 and early 2017 (KrebsOnSecurity). The attacks brought down most of Liberia's Internet, and cost Lonestar tens of millions of dollars in lost revenue and liabilities, Britain's National Crime Agency said (The Independent). An employee of Cellcom, Lonestar's top competitor, reportedly paid Mr. Kaye $10,000 a month to carry out the attacks (BBC).

The US Department of Justice charged two Ukrainian men, Artem Radchenko and Oleksandr Ieremenko, for their roles in the hacking of the US Securities and Exchange Commission's EDGAR reporting system in 2016. The indictment contains sixteen charges of "securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud." The two men allegedly stole thousands of files from the SEC, including "annual and quarterly earnings reports containing confidential, non-public, financial information," which they then sold to traders who used the data to gain an advantage before the information was publicly released (Fortune).

Courts and torts.

The SEC also filed a civil complaint on Tuesday against nine defendants for the EDGAR hack, including Oleksandr Ieremenko, six individual traders, and two entities. The defendants are charged with attempting to profit fraudulently from corporate information hacked from various databases (SecurityWeek). Steven Peiken, one of the SEC's Enforcement Division Co-Directors, said that the SEC's analysis of the defendants' trading activities provided "overwhelming evidence that each of them traded based on information hacked from EDGAR" (Forbes).

Bild reports that Germany's antitrust watchdog, the Federal Cartel Office, will require Facebook to stop gathering certain user data in order to comply with privacy laws. Concerns involve the way Facebook collects data from third-party apps (Dark Reading). Facebook said that it disputes these conclusions (Reuters).

Singapore's privacy watchdog has issued a total of $1 million in fines over SingHealth's data breach that affected 1.5 million patients between May 2015 and July 2018 (ZDNet). SingHealth's IT vendor IHiS took the brunt of the blame, since it was entirely responsible for the organization's cyber security operations. The vendor was fined $750,000. SingHealth itself was fined $250,000, because, the watchdog said, "even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers" (The Straits Times). An investigation into the breach concluded that the threat actor was likely linked to a nation-state, but Singapore's cybersecurity minister said that the perpetrator won't be named or pursued by Singapore's government for "national security reasons" (Associated Press).

Policies, procurements, and agency equities.

As the US Federal Government shutdown continues, so does worry about its effect on cybersecurity. TechCrunch points out that a lot of Federal website certificates are expiring. 

Fortunes of commerce.

Google employees are angry over forced arbitration clauses in their contracts. They would prefer to sue over certain forms of workplace misconduct (Medium).

Chinese Foreign Ministry spokeswoman Hua Chunying wants countries to stop pushing "groundless fabrications and unreasonable restrictions toward Huawei and other Chinese companies," according to Reuters. Her remarks were made after Polish authorities arrested a Chinese Huawei employee and a former Polish security official on suspicion of espionage. Huawei quickly fired the employee and said that his alleged actions "have no relation to the company" (Infosecurity Magazine). The Polish government may consider "legislative changes" that would allow it to ban Huawei's products, and Poland's internal affairs minister is calling for NATO and the European Union to come to a joint conclusion on whether or not Huawei should be allowed in their markets (Reuters).

Huawei's founder and CEO Ren Zhengfei gave a rare interview to US media outlets on Tuesday, in which he denied that the company could be compelled to assist the Chinese government in espionage (Bloomberg). Zhengfei said that, while he loves his country and supports the Communist Party, he "will not do anything to harm the world" (BBC). He said that the company would survive being shut out of some foreign markets, but believes that its exclusion could create a disconnect between countries that use Huawei's products and those that don't (Fortune).

The Wall Street Journal reports that the US Department of Justice is conducting a criminal investigation into allegations that Huawei stole trade secrets from US companies. The investigation is reportedly nearing its conclusion, and the DOJ is expected to file an indictment against the Chinese company (Ars Technica). 

Labor markets.

Black, white, and gray markets converge when it comes to hackers for hire. The various skills required to be a successful hacker—ethical or otherwise—are in very high demand. These include programming expertise and extensive technical knowledge, combined with the ability to work well under pressure. Some US federal agencies, particularly the FBI, are known to outsource work to gray market hackers for hire because it lets them bypass the Vulnerabilities Equities Process. These agencies won't tolerate any and all activities, however, as evinced by the US Department of Justice's seizure of fifteen DDoS-for-hire web domains. Individuals with hacking skills are better off sticking to legal employment opportunities (Hacker Noon). 

Enterprises wonder if reskilling or recruiting would be a better investment (Help Net Security).

Mergers and acquisitions.

WISeKey has completed its $45 million sale of QuoVadis to DigiCert (Associated Press).

Lubbock-based Sympatico Systems has merged with Dallas-based networking company TeksInc. The combined companies will offer cybersecurity, physical security, and IT consulting (PRNewswire).

CyberSpace Operations Consulting (CSOC), based in Colorado Springs, has merged with Atlanta's Advanced Core Concepts. The combined operations will position the company to serve Government customers with cyber, space, and intelligence services in Colorado and Georgia (PRNewswire).

Dallas-based Zix has agreed to acquire AppRiver for $275 million in cash (Help Net Security). Picking up AppRiver's cloud-based email security solution is seen as increasing Zix's partners in the small-and-medium business market tenfold (CRN). It's not always the larger company that does the acquiring: AppRiver is bigger than Zix, in both revenue and headcount (Dallas Morning News).

Check Point will buy ForceNock for its machine-learning protection capabilities (Channel Partners).

Onapsis has acquired Heidelberg-based Virtual Forge, further expanding its position in global ERP security markets (Help Net Security).

Australian tech reseller Harris Technology is entering the blockchain market through its $2.45 million acquisition of Lincd, whose platform connects legacy software to blockchains (CRN).

SAIC has completed its acquisition of Engility (Washington Business Journal). SAIC sees the buy as pushing it to "critical mass" with respect to Intelligence Community work (Washington Technology).

Thoma Bravo has finished its $2.1 billion acquisition of Imperva (CTECH) and Imperva has announced layoffs, which sources place in the "dozens" (CTECH).

Investments and exits.

Forbes looks ahead toward the more interesting venture capital exits expected in 2019, and it sees several cybersecurity companies among them. Cloudflare, CrowdStrike, Netskope, OneLogin, Palantir, Sumo Logic, and Tanium are on the list.

Cynerio, an Israeli start-up whose platform is designed to secure the medical device Internet-of-things, has raised $7 million from investors that include Accelmed, RDC, and MTIP (SecurityWeek).

UK-based Immersive Labs has picked up $7 million in a Series A round led by Goldman Sachs, and with participation by unnamed private investors. Immersive offers a gamified cybersecurity training platform (TechCrunch).

Bethesda-based Syncurity has raised $2 million in an "oversubscribed" seed round. Maryland's TEDCO fund led the round, with participation by Kluz Ventures and SixThirtyCYBER (BusinessWire). 

Fredericton, New Brunswick's Sonrai Security, which specializes in cloud data control, launched Tuesday with an $18 million Series A round. Polaris Partners and TenEleven Ventures led the investment, with participation by the New Brunswick Innovation Foundation.

Unicorn Rubrik has raised $261 million at a $3.1 billion valuation. Bain Capital Ventures joined previous investors Lightspeed Venture Partners, Greylock Partners, Khosla Ventures and IVP. Rubrik will use the investment to move further into the security and compliance markets (TechCrunch).

A report from Strategic Cyber Ventures shows that venture capital investments in cybersecurity companies hit a record high in 2018, with a 20% increase from $4.4 billion in 2017 to $5.3 billion in 2018 (Reuters).

And security innovation.

The US Air Force plans a "Pitch Day" for March 6th. The event, to be held in New York, will give start-ups a chance to compete for a piece of $40 million in funding (FedScoop).

As the Georgia Cyber Center looks at its near future, it sees a hoped and planned-for influx of private investment (Augusta Chronicle).

In Maryland, there's a move afoot to bring smaller defense and aerospace contractors together into a problem-solving consortium (Defense News).


Today's issue includes events affecting Armenia, Azerbaijan, Canada, China, Estonia, Georgia, Germany, Iran, Kazakhstan, Kyrgyzstan, Latvia, Liberia, Lithuania, Moldova, Romania, Russia, Tajikistan, United Kingdom, United States, and Uzbekistan.

Monday is Dr. Martin Luther King, Jr. Day here in the US, and we'll observe the Federal holiday by taking a day away from publishing. Both the CyberWire's Daily News Briefing and our Daily Podcast will return, as usual, on Tuesday. 

Today marks, officially, the third anniversary of the CyberWire Daily Podcast's public launch. You can check out that episode here, for a walk down memory lane. Thanks to all of you for reading and listening.

Research Saturday is up. This edition, "Luring IoT botnets to the honeypot," features the work of Netscout's ASERT team, which has been using honeypots to gather information on rapidly evolving IoT botnets that take advantage of default usernames and passwords to gain access and take control of unprotected devices. Matt Bing is a security research analyst with Netscout, and he guides us through their findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.