The Week that Was.

Actually, since we took Independence weekend off, this issue represents the last two Weeks that Were. Here we go.

Sea Turtle is back, with some new kit.

Cisco Talos warns that the actors responsible for the Sea Turtle DNS hijacking campaign "are redoubling their efforts with new infrastructure." The researchers identified a new technique being used by the group that makes it much harder to track its activity. It uses different malicious name server hostnames and IP addresses for each target. Earlier attacks had used the same domains against a broad range of organizations, and that's easier to follow. The campaign's targets are mostly in the Middle East and North Africa. They include several government entities, energy companies, think tanks, and NGOs. New victims were spotted in Albania, Cyprus, Greece, Sudan, Switzerland, and the United States, according to Infosecurity Magazine.

Ugly disinformation.

An investigation by Yahoo News determined that the SVR, Russia's foreign intelligence service, was the first to spread a phony intelligence report that sparked the conspiracy theory that DNC staffer Seth Rich was assassinated at the behest of then-Presidential candidate Hillary Clinton. The theory initially held that Rich was a disgruntled Sanders supporter who was planning on talking to the FBI about corruption involving Clinton, and later morphed into claiming that the young staffer was WikiLeaks' source for the stolen DNC files. The latter theory was strongly implied by Julian Assange, who in August 2016 offered a $20,000 reward for information about the murder. Special Counsel Robert Mueller's report on Russian interference in the 2016 election concluded that Assange was thereby obscuring the true source of the leaks: Russia's GRU. Russia likewise benefited from pinning the leaks on someone else, thereby deflecting blame from its military intelligence service. DC police believe Rich's tragic murder was a botched armed robbery.

Magecart attackers are looking for open buckets.

RiskIQ describes a Magecart group that's scanning for unsecured AWS S3 buckets and automatically injecting their skimming code into them. The activity began in early April, and the attackers have since compromised a "vast collection" of buckets, affecting more than 17,000 domains. Many of the compromised targets aren't payment pages and therefore don't result in payment data being stolen, but due to the automated nature of the attacks, the attackers have hit enough attractive targets to make it worth their while.

In addition to the Magecart aspect, however, the researchers emphasize that the campaign "illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets." RiskIQ researcher Yonathan Klijnsma told WIRED that "pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big."

Agent Smith.

Check Point is tracking a malware variant targeting Android devices. They call it "Agent Smith" after its ability to replace legitimate apps with malicious duplicates. ZDNet says the researchers tracked the malware to a company in Guangzhou, China, which helps app developers transfer their products to overseas markets. Some of the company's online job postings request skills that have nothing to do with such legitimate operations, but rather seem related to the capabilities Agent Smith displays. The malware in this case is being used to generate revenue via malicious ads, but Check Point notes that "there are endless possibilities for this sort of malware to harm a user's device."

Google's leaky Assistant.

Google is facing criticism after a contractor leaked one thousand audio files that were recorded by Google Assistant without users' knowledge. VRT NWS, a Belgian news service that received the files, confirmed that a number of the recordings were legitimate by allowing users to listen to them. The audio files contained users' private conversations and were much lengthier than necessary. In 153 instances, the audio was recorded with no prompt from a user, apparently after Google Assistant misinterpreted a phrase as its "OK Google" trigger command. WIRED observes that Google's privacy policy doesn't state that human employees review audio recordings made by Google Assistant, which might place the company in violation of GDPR.

Another Florida city announces a cyberattack.

A third Florida city, Key Biscayne, has sustained a cyberattack, but appears to have recovered, the Miami Herald reports. The city announced it had experienced a "data security event" last Sunday. Some systems were taken offline during the recovery, but all were back up by Wednesday night. An investigation continues.

Customizable payment site skimmer up for sale.

Fortinet describes a new Magecart skimmer called "Inter" that's selling for $1,300. This skimmer can be customized to fit different types of websites and payment vendors, and it has built-in templates for eighteen popular payment forms. Dark Reading notes that the skimmer's sophistication, ease of use, and wide applicability mean that it will likely be seen in use by other groups in the near future.

Patch news.

Tenable outlined a number of ICS vulnerabilities that the company has discovered over the past nine months, including a critical flaw in Siemens STEP 7 TIA Portal that would have permitted remote and unauthenticated root access to a device, as well as the ability to spread malicious code within an ICS.

Apple quietly released an update in response to a vulnerability in Zoom which could allow a website to force a Mac user to join a video call without any input from the user. Zoom reluctantly added ways to remove the feature on Tuesday, but Apple says the patch will protect users who haven't updated Zoom or who have uninstalled the application without removing the local Zoom web server, TechCrunch notes. Zoom describes the measures it took here.

Microsoft fixed seventy-seven flaws on Patch Tuesday, many of them addressing Explorer and Edge (Trend Micro offers a reaction). Adobe patched a relatively light set of flaws, none of them particularly serious. Surprisingly, as ZDNet notes, none involved Flash.

Crime and punishment.

An unnamed US defense contractor was induced to send sensitive, highly classified communications intercept equipment worth about $3 million to an international criminal gang. A search warrant request the US Department of Homeland Security filed with the United States District Court for the District of Maryland revealed the details. Homeland Security Investigations asked for Apple iCloud information pertaining to four email accounts of interest.

The criminals were allegedly in email correspondence with a Maryland firm identified in the affidavit only as "Company B." They posed as a US Navy contracting officer, "Daniel Drunz," and used a bogus US Navy email address, "Daniel[dot]Drunz@navy-mil[dot]us," to obtain shipment to parts unknown of export-controlled equipment. A genuine US Navy email address would use the domain navy[dot]mil, without the [dot]us. The scammers are being called the Drunz Gang. They made off with more than just the comms intercept gear, too: their take included $6.3 million in televisions and $1.1 million in iPhones and iPads. Those will be a lot easier to fence than the classified equipment, but the Drunz Gang will probably find a buyer for that, too.

Courts and torts.

In the UK, the Information Commissioner's Office this week fined two companies very heavily for data breaches that placed them in violation of GDPR. On Monday the ICO announced its intent to fine British Airways £183.39 million for a data breach that put the airline in violation of GDPR. It's a record fine, which the BBC reports the airline intends to fight, vigorously. The ICO followed that on Tuesday with a notice that it would fine Marriott £99,200,396 ($123 million) for a breach the hotel chain suffered in 2018 as it integrated its Starwood reservation system. The fine amounts to three percent of the chain's annual revenue, one percentage point lower than the maximum allowable fine under GDPR. Marriott, disappointed by the ruling, intends to appeal.

The Wall Street Journal reported late Friday that the US Federal Trade Commission approved a $5 billion settlement in the matter of Facebook privacy missteps.

Policies, procurements, and agency equities.

The US Senate has passed the Securing Energy Infrastructure Act (SEIA), a bipartisan bill that will see the Department of Energy and other agencies look at ways to harden the electric grid by replacing unnecessarily high-tech systems with simpler solutions that are harder to hack, Utility Dive notes.

The Inquirer and others have reported discussions within the US Administration over proposed controls on widespread availability of end-to-end encryption. This interagency discussion has been going on since early in the previous Administration. In general, Justice and especially the FBI have been most hostile to encryption (they worry about their ability to track criminals and terrorists who might "go dark," as the Bureau puts it). State, Commerce, and Defense (including NSA) have been more pro-encryption (in part because of concerns that backdoors introduce weakness into all systems). This isn't new: it's the latest round in the ongoing cryptowars.

A US Navy cyber operator will be nominated to become the next Chief of Naval Operations, the Service's uniformed leader. Vice Admiral Michael Gilday, currently Director of the Joint Staff and formerly head of US Fleet Cyber Command/US 10th Fleet, is a deep selection, Defense News points out: the first three-star picked for the senior billet since Admiral Elmo Zumwalt got the job in 1970.

Fortunes of commerce.

TechCrunch reports that Mozilla won't trust root certificates from UAE-based cybersecurity firm DarkMatter because (as Reuters reports) the company conducted espionage for the UAE government.

Labor markets.

A survey by Sophos found that 86 percent of IT departments are suffering from a skill shortage, with 80 percent saying they struggle with recruiting. Two-thirds of the respondents said they lacked the budget to hire the right people and buy the necessary technology. The survey also found that the average IT team spends more than a quarter (26 percent) of its time addressing cybersecurity issues.

Mergers and acquisitions.

On Monday Orange announced that it had closed its acquisition of SecureLink. The acquisition is expected to solidify Orange's position in the European cybersecurity market.

NTT Security has completed its acquisition of application-security shop WhiteHat Security, BusinessWire reports.

Next-generation SIEM company Exabeam has acquired cloud-application security specialist SkyFormation for an undisclosed sum. In addition to SkyFormation's capabilities, Exabeam also gets an office in Israel which it intends to use to pursue talent. Reuters says the acquisition is Exabeam's first.

Zscaler is buying Romanian browser-isolation shop Appsulate for an undisclosed sum, the acquiring company reports.

IBM closed its acquisition of all the issued and outstanding shares of Red Hat for $190 per share in cash, which amounts to a $34 billion valuation. Red Hat will operate as a unit within IBM, which will retain Red Hat's brand, headquarters, and leadership, according to Intelligence Community News. Red Hat's existing partners are being reassured, CRN says, that their arrangements with the company will not be damaged by the acquisition.

Texas-based merchant bank Braes Capital has acquired Siege Technologies from Nehemiah Security. Braes sees Siege, which specializes in cyber research and development for the US Federal market, as one of a projected series of acquisitions that will enable Braes to deliver infrastructure protection services to Federal, energy, and financial services customers. For Nehemiah, the sale represents an opportunity to sharpen its focus on quantifying cyber risk in financial terms (Yahoo).

Motorola Solutions has acquired WatchGuard, which specializes in mobile video systems for law enforcement, a BusinessWire announcement disclosed Thursday. This is at least tangentially related to cybersecurity, particularly in the light of concerns about collecting and preserving evidence in an era of increasingly plausible fakes.

Investments and exits.

NowSecure, specialists in mobile app security, closed a $15 million stock financing round led by ForgePoint Capital, CISO Magazine reports.

Identity and encryption shop DigiCert will receive a "strategic investment" from Clearlake Capital and existing investor TA Associates. The two firms will become equal partners in DigiCert when the deal closes later this year (Olean Times Herald). Financial terms were not disclosed (PEHub). Thoma Bravo, formerly a major investor in DigiCert, has exited its position, AltAssets reports.

TrapX has closed an $18 million funding round, led by Ibex Investors. Earlier backers BRM, Opus Capital, Intel Capital, Liberty Technology Venture Capital, and Strategic Cyber Ventures also participated. CISO Magazine says the San Jose-based deception technology shop will use the investment to expand participation in global markets.

Sometimes customers become investors. That was the case this week for London-based Digital Shadows, which has received a $10 million investment led by NAB Ventures, the investment arm of its customer, National Australia Bank. Digital Shadows intends to use the funds to scale its SearchLight service.

Menlo Security, the Palo Alto-based Internet isolation specialist, has raised $75 million in a Series D round led by "clients advised by JP Morgan Asset Management."  According to the company's announcement, existing investors also participating in the round included General Catalyst, Sutter Hill Ventures, Osage University Partners, American Express Ventures, HSBC, JP Morgan Chase, and Engineering Capital.

Prevailion has raised $10 million in a Series A round led by AllegisCyber Capital, with participation by DataTribe. The investment follows Prevailion's receipt of $2 million in a seed-funding competition held last year at DataTribe. The company, which maintains offices in Texas and Maryland, intends to use the new funding for talent acquisition, technical development, sales, and marketing, says Baltimore Business Journal. Prevailion specializes in third-party risk detection, enabling companies to determine which actual or potential partners have been compromised. Their use cases include risk management, incident response, due diligence, and asset management.

GDPR can now plausibly claim to have served as a unicorn incubator. OneTrust, founded two months after the EU enacted GDPR in 2016, is now valued at $1.3 billion. The company specializes in enabling its clients to manage the regulatory risk Europe's privacy regime imposes on them. Forbes reports that OneTrust's $200-million Series A round, announced on July 11th, pushed the Atlanta-based company over the $1-billion valuation threshold. Insight Partners led the investment. 

McAfee is readying an IPO as it prepares to take itself public by year's end, according to the Wall Street Journal. Silicon Valley Business Journal says that McAfee hopes to raise $1 billion in the offering.

Venture Beat says San Francisco-based TrustArc has raised $70 million in a Series D round led by Bregal Sagemount, with participation by existing investors Accel, Baseline Ventures, DAG Ventures, Icon Ventures, and Industry Ventures. The company intends to use the funding to expand its privacy and compliance offerings.

Silicon Valley-based VC firm YL Ventures has announced a $120 million fund for seed-stage Israeli cybersecurity companies, ZDNet reports.

And security innovation.

ZTE has followed Huawei's lead in the charm offensive designed to reassure European markets about the security and reliability of Chinese-manufactured equipment. ZTE announced its intention of establishing a cybersecurity center in Brussels, according to PCR Online and other sources. "Cybersecurity Lab Europe" will offer opportunities for more external scrutiny of the company's devices. ZTE calls it an important "transparency initiative," SDX Central reports. Both ZTE and Huawei are looking toward positioning themselves for the 5G market.


Today's issue includes events affecting Albania, China, Cyprus, Greece, Iran, Israel, Republic of Korea, Singapore, Sudan, Switzerland, United Arab Emirates, United States.

Research Saturday is up. In this episode, "Opportunistic botnets round up vulnerable routers," we speak with Richard Hummel, threat intelligence manager at Netscout. He takes us through Netscout’s ASERT Team’s recent report, Realtek SDK Exploits on the Rise from Egypt, describing the growth of botnets originating in Egypt and targeting routers in South Africa.
