
Experiencing poor performance with your legacy antivirus? Try CB Defense.

Does your legacy antivirus slow down end user endpoints? Try Carbon Black's lightweight, next-generation antivirus + endpoint detection and response solution in your environment for free!

Compare CB Defense to your current solution using real-world scenarios, and see how operations transform across your security and IT teams. After you've finished your 15-day trial, you'll have everything you need to build a business case and make the switch. Gain superior protection, simplified operations, and actionable visibility today.

The Week that Was.

Fancy Bear and Sandworm are targeting EU governments.

Two Russian APT groups are targeting European NATO member states with cyberespionage campaigns ahead of the EU parliamentary elections in May. Researchers at FireEye observed both large-scale and highly-targeted phishing operations launched by Sandworm and APT28 (that would be Fancy Bear) against European government institutions, with the goal of stealing credentials. FireEye says their efforts seem to be coordinated, although the two groups use different tools and techniques. Sandworm generally uses publicly-available hacking tools, while APT28 prefers custom-made malware and zero-day exploits (CNBC).

The campaigns are believed to have three primary objectives: stealing information and credentials for use in future attacks, gathering intelligence to give Russia a diplomatic edge, and collecting data to assist in information operations. FireEye didn’t disclose which organizations were targeted, or whether the attackers were able to get their hands on sensitive data, but it did note that attack campaigns of this size are generally successful (ZDNet).

It’s not clear whether these campaigns are directly aimed at influencing Europe’s upcoming elections or are part of a more wide-ranging cyberespionage operation. Benjamin Read, senior manager of cyber espionage analysis at FireEye, said it's clear that "the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers." FireEye’s warning follows Microsoft’s announcement last month that APT28 had been launching phishing attacks against European think-tanks and non-profit organizations.

Learn about COTS mobile communications solutions for classified networks

Organizations whose daily operations depend on sending and receiving real-time classified information should not be burdened with costly, antiquated encryptor devices for daily operations. The latest case study from Attila illustrates one government agency’s quest for a portable, CSfC-certified mobile communications solution for improved team agility and productivity. Download the case study: DoD Agency Mobilizes Communications For Classified Networks today.

Facebook left hundreds of millions of passwords exposed.

Facebook stored hundreds of millions of users’ passwords in plain text within a database that was searchable by 20,000 Facebook employees, Brian Krebs reported this week. The issue was discovered in January when a security team noticed that some new code was logging passwords in plain text. They launched a probe to determine whether this was happening anywhere else, and the problem seems to keep getting worse as the investigation continues. Krebs spoke with an anonymous senior Facebook employee who said between 200 and 600 million Facebook users may have been affected, dating back to 2012.

Facebook responded to the report in a blog post on Thursday, saying that it plans to notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users" that their passwords "were being stored in a readable format" within the company’s internal systems. Facebook emphasized that the "passwords were never visible to anyone outside of Facebook" and the investigation has "found no evidence to date that anyone internally abused or improperly accessed them." Krebs's source, however, said that access logs showed that at least 2,000 employees made around nine million internal queries for data elements that contained the passwords.

The Irish Data Protection Commission, which has jurisdiction over Facebook’s European headquarters under GDPR, said it was notified by Facebook and it’s “currently seeking further information” (Washington Post).
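The root of the Facebook incident, as described above, was ordinary application code writing credentials into logs, where they then sat in searchable internal systems. The following is an added example, not Facebook's code and not based on any detail of its internal systems: a logging filter that scrubs password-like fields from a message before any handler writes it, and a salted scrypt hash for storage so the cleartext is never persisted in the first place. The field names, the log format, the constructed login messages and the scrypt parameters are all assumptions.

```python
"""Added example (not Facebook's code): keep credentials out of application
logs and store only a salted hash. Standard library only."""
import hashlib
import hmac
import logging
import os
import re

REDACTED = "[REDACTED]"

# Keys that must never reach a log line. Assumed list; extend it per application.
# Longest names first so the regex alternation prefers "password" over "pass".
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "pass")

# Matches  key=value,  key: value,  "key": "value"  and  'key': 'value'
# in free text, URL-encoded bodies and JSON/dict reprs. The value stops at
# whitespace, quotes, ',', '&' or '}'.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")"   # 1: key
    r"([\"']?\s*[=:]\s*)"                           # 2: closing quote + separator
    r"([\"']?)"                                     # 3: opening quote of value
    r"([^\s,\"'&}]+)"                               # 4: the value itself
    r"\3"                                           # matching closing quote
)


def redact(value):
    """Scrub sensitive fields from a str, dict or list (recursively)."""
    if isinstance(value, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return _KV_RE.sub(
            lambda m: m.group(1) + m.group(2) + m.group(3) + REDACTED + m.group(3),
            value)
    return value


class RedactingFilter(logging.Filter):
    """Interpolates the record's message, then scrubs it before any handler sees it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # already interpolated above
        return True


class _CaptureHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name="auth.demo"):
    """Return (logger, capture_handler) with the redacting filter installed."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _CaptureHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, handler


# scrypt work factors: n=2**14, r=8 costs 16 MiB per hash (assumption; raise
# n as hardware allows, and keep the parameters alongside the stored hash).
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<hash hex>'; the cleartext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time comparison against a hash produced by hash_password()."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **_SCRYPT)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    log, captured = build_logger()
    # Constructed login events: the kind of line that ends up in a log by accident.
    log.info("login attempt user=%s password=%s", "alice", "hunter2")
    log.info('raw body: {"user": "alice", "password": "hunter2"}')
    print("\n".join(captured.lines))
    record = hash_password("hunter2")
    print(record, verify_password("hunter2", record), verify_password("x", record))
```

The filter is attached to the logger rather than to a handler so that every handler, including ones added later by a library, receives the scrubbed message; a regex is a backstop, not a substitute for not passing request bodies to the logger at all.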

Can you be spoofed? Find out how hackers can spoof your domain.

One of the first things hackers do to get into your organization is spoof an email from someone in your own domain. An email that appears to come from someone you know, or someone in authority, is often the most convincing phishing attack, luring users into clicking malicious links or taking actions that threaten your organization. Do you know if hackers can spoof your domain? Try KnowBe4’s free Domain Spoof Test today and find out.

FIN7 continues operations.

Flashpoint analysts report that the FIN7 cybercrime group is still active and is using two new strains of malware. The first, which the researchers have dubbed "SQLRat," executes SQL scripts on the infected system; Flashpoint calls the technique "ingenious" because the malware deletes itself after running, leaving no artifacts behind for forensic investigators. The second strain, called "DNSbot," receives commands and relays data over DNS traffic. The criminals are also using a new attack panel called "Astra," a script-management system written in PHP that pushes scripts to compromised computers.

FIN7, also known as Carbanak, is one of the most notorious and sophisticated cybercriminal enterprises in the world. Last year, three of its members were arrested in Germany, Poland, and Spain, and charged by the United States (ZDNet). Flashpoint says this latest campaign has been ongoing since early to mid-2018, indicating that the group was undeterred by the arrests.
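DNSbot, as described above, moves commands and data inside DNS queries and replies, which is why defenders hunt for it in resolver logs rather than waiting for a signature. The following is an added example, not Flashpoint's or FIN7's code and not derived from any published DNSbot sample: a heuristic detector run over constructed resolver-log lines that flags a client-to-zone pair when several independent indicators (over-long labels, high-entropy labels, many unique names, data-carrying record types) fire together. The log format, field names, thresholds and the domain names in the sample data are all assumptions.

```python
"""Added example (not Flashpoint's or FIN7's code): a heuristic detector for
DNS tunnelling of the kind DNSbot is described as using, run over constructed
resolver-log lines. Log format, field names and thresholds are assumptions."""
import base64
import collections
import hashlib
import math
import re

# Assumed log line: "<timestamp> src=<client ip> q=<query name> type=<rrtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) q=(?P<qname>\S+) type=(?P<rtype>\S+)$")

# Thresholds (assumptions; tune against your own baseline).
MAX_LABEL_LEN = 40            # encoded payload labels run long; hostnames rarely do
MIN_ENTROPY = 3.5             # bits/char; hex sits near 4, base32 near 5
MIN_UNIQUE_NAMES = 20         # distinct names under one zone from one client
MIN_QUERIES = 5               # ignore ratios computed on tiny samples
DATA_CARRYING_RTYPES = {"TXT", "NULL", "CNAME", "MX"}   # replies that carry bulk data


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(s).values())


def parse(lines):
    """Yield dicts for lines matching LINE_RE; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def split_name(qname):
    """Crude zone split: the last two labels are the zone (assumption; use a
    public-suffix list in production). Returns (zone, subdomain_labels)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyse(lines):
    """Group queries by (client, zone) and flag tunnelling-like behaviour.
    Returns {(src, zone): {"queries", "unique_names", "reasons", "suspicious"}};
    a pair is suspicious when at least two independent indicators fire."""
    acc = collections.defaultdict(
        lambda: {"queries": 0, "names": set(), "long": 0, "entropic": 0, "bulk": 0})
    for rec in parse(lines):
        zone, sub = split_name(rec["qname"])
        s = acc[(rec["src"], zone)]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        if any(len(label) > MAX_LABEL_LEN for label in sub):
            s["long"] += 1
        if sub and shannon_entropy("".join(sub)) >= MIN_ENTROPY:
            s["entropic"] += 1
        if rec["rtype"].upper() in DATA_CARRYING_RTYPES:
            s["bulk"] += 1

    out = {}
    for key, s in acc.items():
        q = s["queries"]
        reasons = []
        if s["long"]:
            reasons.append("long_labels")
        if q >= MIN_QUERIES and s["entropic"] / q >= 0.5:
            reasons.append("high_entropy_labels")
        if len(s["names"]) >= MIN_UNIQUE_NAMES:
            reasons.append("many_unique_names")
        if q >= MIN_QUERIES and s["bulk"] / q >= 0.5:
            reasons.append("data_carrying_rtypes")
        out[key] = {"queries": q, "unique_names": len(s["names"]),
                    "reasons": reasons, "suspicious": len(reasons) >= 2}
    return out


def build_sample_log():
    """Constructed data, not captured traffic: one client pushing base32 chunks
    in TXT queries to an attacker-controlled zone, one client doing ordinary lookups."""
    lines = []
    for i in range(25):
        chunk = base64.b32encode(hashlib.sha256(b"chunk-%d" % i).digest())
        label = chunk.decode().rstrip("=").lower()          # 52 characters
        lines.append("2019-03-20T10:%02d:00Z src=10.0.0.5 q=%s.cdn-update.example.net type=TXT"
                     % (i, label))
    lines += [
        "2019-03-20T10:00:05Z src=10.0.0.7 q=www.example.com type=A",
        "2019-03-20T10:00:09Z src=10.0.0.7 q=mail.example.com type=MX",
        "2019-03-20T10:01:12Z src=10.0.0.7 q=www.example.com type=A",
        "2019-03-20T10:02:30Z src=10.0.0.7 q=cdn.example.com type=A",
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (src, zone), r in sorted(analyse(SAMPLE_LOG).items()):
        print(src, zone, r)
```

Run it directly to see both clients scored. Any single indicator has benign explanations (a CDN with long hashed hostnames, a mail server querying MX records), which is why the verdict requires two of them; in practice the thresholds are set from a baseline of your own resolver logs, and the crude two-label zone split should be replaced with a public-suffix list.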

How can industrial organizations strengthen defenses and prepare for the changing threat landscape?

Dragos’ 2018 ICS Year in Review reports provide insights and lessons learned from our team’s first-hand experience tracking, hunting, and responding to ICS adversaries and offer industrial organizations recommendations for stronger defenses. Check it out today!

Finland investigates smartphone privacy concerns.

Finland's data protection authority is investigating a security incident following a report that some Nokia 7 Plus smartphones were transmitting sensitive customer data to China. NRK reported yesterday that every time one of the phones was switched on or the screen was unlocked, it sent an unencrypted data packet containing the phone's geographical position, SIM card number, and serial number to a server belonging to the Chinese state-owned China Telecom.

HMD Global, the Finnish company that develops the Nokia-branded phones, said the activity was due to misplaced phone activation software, and that the issue was fixed in an update released last month. The company says the phones were mistakenly shipped with software components meant for the Chinese market. The explanation is plausible, since the Nokia 7 was a China-exclusive product before a newer version was released for the global market. Collecting device data when a phone is first activated is standard industry practice, allowing telecom companies to activate the phone’s warranty, but it’s also possible that the activity was required on Chinese-market phones to comply with local data collection laws (ZDNet).

Some researchers think the matter is worth looking into further, however, since the report came at a time of heightened apprehension about potentially backdoored Chinese technology and HMD’s phones are manufactured in China. Finland’s data protection ombudsman has ordered an investigation, saying that his first reaction was that, at the least, this may be a violation of GDPR. HMD holds that no personal information was transmitted (Reuters).

Did you know that 91% of data breaches started with spear phishing?

With spear phishing being one of the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense: your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.

Norsk Hydro is recovering from ransomware.

Norway's Norsk Hydro, one of the world’s largest aluminum producers, suffered an extensive ransomware attack Monday night against its facilities in Europe and the United States. The Norwegian National Security Authority (NSM) said the attack used a fairly new strain of ransomware called "LockerGoga." A spokesman for Hydro said the company was able to continue production by reverting to manual methods, and that it has data backups to restore from as soon as the attack is neutralized.

By Wednesday, the company said it had identified the "root cause" of the attack and was working to restart its systems safely. As of Friday, Hydro's Extruded Solutions systems were still running at 50% of normal capacity, but the rest of the company's operations were running as normal. Some operations are still being performed manually, but Hydro's head of information systems Jo De Vliegher said in an update on Friday that many of the systems were shut down "not because they were infected but to contain the virus and prevent it from spreading further."

The public evidence so far seems to suggest that the attack was a criminal endeavor in pursuit of money, according to the Washington Post.

Mirai gets an update.

Palo Alto Networks' Unit 42 published a report on Monday outlining a new version of the Mirai botnet malware. This version is using a total of 27 exploits, 11 of which are new. It's also targeting a wider range of devices, including WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs. Since these devices are meant for use in business environments, the researchers believe this new strain indicates "a potential shift to using Mirai to target enterprises." Enterprises provide a larger attack surface and access to greater amounts of bandwidth, allowing for more powerful DDoS attacks. The researchers advise organizations to keep their devices up-to-date with patches. If a device can’t be patched, they advise, remove it from the network.

Patch news.

IBM released five patches for Java runtime flaws that left numerous versions of Watson Explorer and IBM Watson Content Analytics exposed to attacks (ZDNet).

Cisco released patches on Wednesday for a series of high-severity vulnerabilities in its IP Phone 8800 and IP Phone 7800. The most serious flaw is a cross-site request forgery vulnerability (Threatpost).

Version 66 of Firefox, released Tuesday, contains patches for 22 vulnerabilities, five of which are critical (SC Magazine).

Facebook paid a large bug bounty to a researcher from Semmle who discovered a critical denial-of-service flaw in Fizz, Facebook’s open-source implementation of the TLS protocol. Facebook awarded $10,000, even though its bug bounty program doesn't normally cover denial-of-service bugs. Semmle donated the money to charity, so Facebook doubled the amount (SecurityWeek).

Crime and punishment.

Special counsel Robert Mueller submitted his confidential report on Russian interference in the 2016 election to Attorney General William Barr, a Justice Department spokeswoman said on Friday. Barr will summarize its contents for lawmakers in the coming days (Washington Post). The report's conclusions and contents aren't yet publicly available.

A Lithuanian man pleaded guilty in a New York court on Wednesday to scamming Facebook and Google out of $123 million over the course of three years. The man registered a company in Latvia that shared a name with Quanta Computer, a legitimate hardware manufacturer based in Taiwan. The man knew that Quanta supplied the two tech giants with equipment for their data centers, so he created fraudulent invoices and contracts to trick Facebook and Google employees into wiring him millions of dollars at a time. Facebook is said to have lost $100 million to the scams, while Google lost $23 million (Tripwire).

A 20-year-old Dutch man received 120 hours of community service and 377 days of juvenile detention for launching significant DDoS attacks between October 2016 and October 2017 against numerous high-profile websites. The hacker controlled a large IoT botnet that he created with the Mirai malware, and demanded ransom from his targets in exchange for stopping the attacks. According to investigators, he made approximately $150,000 from these ransom demands (ZDNet).

Four individuals were arrested in South Korea for secretly live streaming and recording 1,600 motel guests and selling the videos. The group set up wireless cameras in 42 rooms at 30 motels in ten South Korean cities. Their website had 4,099 members at the time of their arrest, and they made $6,200 off of the endeavor (BleepingComputer).

A Japanese 18-year-old has been arrested for stealing $130,000 in cryptocurrency after hacking the Monacoin web-based wallet (BleepingComputer).

Courts and torts.

Google was fined €1.49 billion ($1.7 billion) by Europe's antitrust regulators for its search advertising brokering between 2006 and 2016. The company was accused of anti-competitive actions that shut out its competitors. European Competition Commissioner Margrethe Vestager said that "Google abused its dominance to stop websites using brokers other than the AdSense platform" (Reuters).

Kaspersky filed an antitrust complaint against Apple in Russia, claiming that Apple forced it to remove two parental control features from the Kaspersky Safe Kids iOS app in order to eliminate competition for Apple's Screen Time feature (ZDNet). Screen Time allows users to monitor and set time restrictions on the use of apps, which is one of the features Kaspersky was compelled to remove. Kaspersky acknowledges that Apple owns the App Store, but says that "by setting its own rules for that channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player."

Policies, procurements, and agency equities.

President Trump announced on Thursday that he plans to promote Michael Kratsios to US Chief Technology Officer. Kratsios has been the deputy CTO and de facto leader of the Office of Science and Technology Policy for the past two years. FedScoop notes that Kratsios "seems well-liked by his peers in government and industry."

EU law enforcement agencies have adopted an incident response protocol for major cross-border cyberattacks. A press release from Europol said the WannaCry and NotPetya attacks showed that previous incident response protocols were “insufficient to address rapidly evolving cybercriminal modus operandi effectively.” The new protocol gives a central role to Europol’s European Cybercrime Centre, and it aims “to complement existing EU crisis management mechanisms.”

Fortunes of commerce.

US General Joseph Dunford, the chairman of the Joint Chiefs of Staff, will meet with Google executives next week to discuss concerns about Google's artificial intelligence work in China. The Pentagon believes that any advanced technology or intellectual property that US companies use or develop in China will be used to benefit the Chinese military, since foreign companies in China are required to have a cell of the Communist party present. Dunford said in a Senate Armed Services Committee hearing last week that "we watch with great concern when industry partners work in China knowing that there is that indirect benefit” (Washington Post).

Germany began auctioning off licences for its 5G network on Tuesday, after resisting pressure from the US to ban Huawei from consideration (NPR). The European Commission will urge European countries to share data related to 5G risks, but it will ignore calls by the US to ban Chinese 5G providers from European markets over security concerns, according to CNBC.

Homeland Security Secretary Kirstjen Nielsen emphasized these concerns in her State of Homeland Security Address on Monday, saying that “our adversaries are using state-owned companies as a ‘forward-deployed’ force to attack us from within our supply chain.”

Labor markets.

As the cybercrime industry grows increasingly organized and professional, criminals are beginning to compete with the private sector and the government for cyber talent, writes Emilio Iasiello for TechNative. A recent report showed that some criminals are offering more than a million dollars per year to information security professionals, so the monetary incentive blows away the competition. The barrier to entry is also falling, as inexperienced criminals can buy sophisticated, easy-to-use malware. Likewise, the risk for malware developers is decreasing, since they can profit from selling their product without ever having to use it. Another report last year found that 12% of cybersecurity professionals around the world have seriously considered engaging in criminal activity, and 46% believe it's easy to do so without getting caught. Iasiello concludes that "economic necessity, personal philosophy, and intellectual challenge may ultimately encourage more numbers to walk that thin line, keeping the greater cyber crime industry on forefront and the rest of the cyber security industry to keep pushing that boulder up the hill."

Mergers and acquisitions.

Industrial control system security firm Dragos has acquired the Atlanta-based ICS visibility technology company NexDefense (SC Media). The acquisition serves two ends for Dragos. First, it augments Dragos's talent with NexDefense engineers. Second, it brings an asset identification tool that Dragos intends to roll into its free Dragos Community Tools.

Thales announced last Friday that it was waiving its requirement that approval be given by Russian competition regulators before the company's €4.8 billion acquisition of Gemalto goes forward. Thales said in a press release that it's already gained the approval of all the regulators in other countries (Computer Business Review).

Investments and exits.

Cloud-native mobile security shop Blue Cedar closed a $17 million Series B round led by C5 Capital, with participation by existing investors Benhamou Global Ventures (BGV), Generation Ventures, Grayhawk Capital, and Sway Ventures. Blue Cedar intends to use the investment to further its growth (PRNewswire).

And security innovation.

Industrial control system security vendor Nozomi Networks has opened a research section (SecurityWeek). Nozomi Networks Labs will, the company announced, be a collaborative effort, and it is actively seeking research partners.


Today's issue includes events affecting China, European Union, Finland, Germany, Ireland, Lithuania, Norway, Poland, Russia, South Korea, Spain, United States.

Research Saturday is out. In this episode, "Ryuk ransomware relationship revelations," we hear that investigators from McAfee, working with partners at Coveware, have reevaluated hasty attributions of Ryuk ransomware to North Korea and explored the inner workings of the threat. John Fokker, head of cyber investigations in McAfee's Advanced Threat Research unit, joins us to share their findings.
