Integrating threat intelligence into your security infrastructure.
Threat intelligence and information sharing has become a critical component of an organization’s threat mitigation strategy. However, most organizations lack the resources to consume, operationalize, and gain value from the many and varied sources of threat intelligence. Find out how organizations are operationalizing threat intelligence to improve their cybersecurity measures in the 2019 CYBEREDGE CyberThreat Defense Report. Download the report here.
The Week that Was.
March 30, 2019.
Why not share the CyberWire with colleagues who'd find it worth their while?
If you find value in the CyberWire, why not recommend it to colleagues (or maybe members of your C-suite or board) who'd also find it worth their time? And thanks for reading.
By the CyberWire staff
Influence operations and the Mueller Report.
Special counsel Robert Mueller concluded his investigation into Russian interference in the 2016 election and gave his report to Attorney General Barr last Friday. On Sunday, the Attorney General summarized the confidential report in a letter to the Senate and House Judiciary Committees, stating that the "investigation did not find that the Trump campaign or anyone associated with it conspired or coordinated with Russia in its efforts to influence the 2016 US presidential election."
According to Barr, the Special Counsel's report is divided into two parts, correlated with the scope of the investigation. The first focuses on Russian meddling and whether any Americans, including those associated with the Trump campaign, were involved with the interference. That section describes Russia's social media operations launched by the Internet Research Agency ("designed to sow discord") and the Bears' hacking of Democratic Party organizations. This part of the investigation resulted in criminal charges against numerous Russian military officers, but it didn't find evidence that the Trump campaign "conspired or coordinated" with the Russians.
The report's second part looks into "obstruction-of-justice" concerns raised by "a number of actions by the President." Special Counsel Mueller offered no conclusion on this, instead leaving the decision up to the Attorney General. Attorney General Barr and Deputy Attorney General Rosenstein concluded the evidence was insufficient to establish that the President had committed a crime, taking into account that the lack of evidence of Russian collusion "bears upon the President's intent with respect to obstruction."
Researchers at Kaspersky Lab discovered in January that hundreds of thousands of ASUS computers received a malicious backdoor after attackers compromised a server used for ASUS's automatic updates. Trojanized updates were signed with legitimate ASUS digital certificates, allowing the attack to remain undetected for at least five months. The researchers found that more than 57,000 Kaspersky users have installed the backdoor, and they estimate that the number of affected users worldwide may be over a million. Symantec confirmed Kaspersky's report, telling Motherboard that at least 13,000 of Symantec's customers had been infected with the malicious update signed by ASUS.
Kaspersky says it found evidence that connects this attack to two other supply chain attacks, both of which involved an APT group known as "Barium." The first is the 2017 ShadowPad incident, in which NetSarang's server management software was modified to include a malicious backdoor. The second was described by ESET earlier this month, and involved two backdoored games and a compromised gaming platform.
According to Tom's Guide, a Kaspersky spokesperson said that three unnamed software vendors in Asia were also "backdoored with very similar methods and techniques." Kaspersky will publish the full results of their investigation in a technical paper at the SAS 2019 conference in April.
Adversaries are creating new attacks at such a speed and volume that signature and sandbox-based threat detection can’t keep up. Deep learning can help. By exposing neural nets to threat data, deep learning can learn to identify malicious traffic, even zero days seen for the first time. But why are advances possible today? How does deep learning differ from machine learning? Where’s the best place to apply deep learning? Get the answers here.
LockerGoga: infestation and recovery.
Motherboard reports that two US chemical manufacturing companies were hit by LockerGoga, the same ransomware that infected Norsk Hydro's systems last week. Ohio-based Hexion and New York-based Momentive, which are controlled by Apollo Global Management, were attacked on March 12, six days before Hydro. Hexion released a statement last Friday evening saying that it was recovering from a "network security incident" that "primarily impacted the company's corporate functions." It said that the company's manufacturing systems run on different networks and "have continued to operate safely and with limited interruption."
LockerGoga was used in January French engineering consulting company Altran. Aluminum manufacturing giant Norsk Hydro was hit by the malware early last week. Hexion and Momentive bring the number of publicly-known victims to four, although incident responders at FireEye told WIRED that they had worked on numerous LockerGoga infestations at other industrial and manufacturing companies that haven't been publicly disclosed.
Looked at from an attacker's point-of-view, LockerGoga is so buggy that the malware almost resembles a NotPetya-style wiper disguised as ransomware. Nevertheless, Charles Carmakal from FireEye told WIRED that the attackers are indeed looking to make a profit, and some victims have had their files decrypted after paying hundreds of thousands of dollars in bitcoin. Carmakal wonders, however, if the inefficient design is intended to cause chaos, or if the bugs will be ironed out over time. Allan Liska, a threat intelligence analyst at Recorded Future, told Threatpost that "if the attackers are cybercriminals, which is the prevailing assumption, they are really bad at their jobs." Liska also stresses that there's no evidence at this point for "speculation that these are nation-state attacks designed to disrupt."
Norsk Hydro's operations are almost back to normal, and it's recovery is progressing quickly. By Thursday, the company's hard-hit Extruded Solutions business units were reaching 80-85% of their normal output, while the Building System's unit had increased to 40-50% of normal operations, up from 20% the day before. Hydro said on Tuesday that its preliminary estimated financial impact for the first week after the attack is around 300-350 million Norwegian crowns, or $35 - $41 million (SecurityWeek).
Work faster and smarter with a mobile solution for your classified network.
Organizations whose daily operations depend on sending and receiving real-time classified information improve agility and productivity when using mobile communications. Attila's latest case study illustrates one government agency’s quest for a portable, CSfC-certified mobile communications solution. Download the case study: DoD Agency Mobilizes Communications For Classified Networks today.
Facebook removes pages for "coordinated inauthenticity."
Facebook on Tuesday removed 2,632 pages, groups, and accounts from Facebook and Instagram which it claims were "engaged in coordinated inauthentic behavior." The company says the action was taken based on the behavior exhibited by the accounts, rather than the content they posted. The operations were localized to Iran, Russia, Macedonia, and Kosovo. Facebook says the sets of activities don't appear to be linked, although they use similar tactics, and the "people responsible are determined and well-funded."
Did you know that 91% of data breaches started with spear phishing?
With spear phishing being one the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense— your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.
NSA released a patch to address three security vulnerabilities and a series of bugs in its open-source reverse engineering tool, Ghidra (TechTarget).
The Magento e-commerce platform patched numerous bugs on Tuesday, including an SQL Injection vulnerability which could be exploited without any form of authentication. Sucuri said Thursday that they'd developed a proof-of-concept exploit for the vulnerability. Responsibly, they haven't released it, but the hoods are unlikely to be far behind.
Microsoft issued a patch to remind Windows 7 users that the company is ending support for Windows 7 on January 14, 2020 (Naked Security).
Cisco confirmed independent findings that Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers remain vulnerable to exploitation by remote attackers. The vulnerabilities were thought to have been addressed by patches in January, but those are now known to have been incomplete. Cisco will have a fix out by mid-April. In the meantime, the company advises disabling the Remote Management feature.
Crime and punishment.
Former NSA contractor Hal Martin, described by friends and neighbors in Glen Burnie, Maryland, as an inveterate pack rat (and by defense counsel as a hoarder who couldn't help himself), changed his plea to "guilty" Thursday (Washington Examiner). He was not charged with espionage, but rather with twenty counts of “unauthorized and willful retention of national defense information.” The prosecution did not present any evidence that he'd given the fifty terabytes of classified information squirreled away in his home, car, and person to any third parties. Mr. Martin had until this week been expected to maintain his initial not-guilty plea into his June trial (Wall Street Journal).
A 24-year-old security researcher named Zammis Clark pleaded guilty in a UK court to hacking into Microsoft and Nintendo. Mr. Clark hacked Microsoft's servers in January 2017, then gave access to other individuals through an IRC chatroom. He eventually uploaded malware to the network, after which he was arrested. While he was out on bail, he hacked into Nintendo's game development servers, causing between $913,000 and $1.8 million in damages. Clark received a suspended sentence because he is autistic and the judge determined that he "would suffer disproportionately" in prison (Verge).
A British man who wiped 23 of his former company's AWS servers after he was fired has been jailed for two years. His actions cost the company around £500,000 ($700,000), and the data was never recovered (Naked Security).
Courts and torts.
The US Department of Housing and Urban Development is charging Facebook with a violation of the Fair Housing Act on the grounds that the data it collects and makes available enables invidious discrimination against people seeking to rent or buy homes (Wall Street Journal).
Office Depot and its partner, Support.com, have agreed to pay a combined $35 million as a settlement to the US Federal Trade Commission (Ars Technica). "PC Health Check," which Support.com provided and Office Depot administered between 2009 and 2016, was designed, the FTC said, to give "fake results" indicating the presence of malware on customers' machines. Those results were then used to induce people to purchase unneeded diagnostic and repair services at up to $300 a pop. The FTC will use the settlement to reimburse customers who were hornswoggled. The settlement required neither company to admit or deny the allegations.
The Wall Street Journal reports that the Federal Communications Commission (FCC) has issued $208 million in fines against robocallers since 2015, but has only collected $6,790 because it lacks the authority to enforce the fines. Likewise, the Federal Trade Commission (FTC) has only collected $121 million out of the $1.5 billion fines against robocallers it's issued since 2004. While the FTC has more authority than the FCC, the FTC will suspend fines after the defendant pays a certain amount, which is usually much smaller than the initial judgement (Ars Technica).
The UK's data protection authority fined a pensions company £40,000 for sending out almost two million spam emails. UK law prohibits companies from sending unsolicited marketing emails unless the recipient has given their consent (Infosecurity Magazine).
Policies, procurements, and agency equities.
The European Parliament passed its controversial upload filter and link tax legislation, widely regarded as catering to rent-seeking by publishers. The measures have a few more gates to pass, but they're now closer to becoming law (Verge).
Fortunes of commerce.
A report from GCHQ's National Cybersecurity Centre (NCSC) outlines "further significant technical issues" in Huawei's engineering processes, and states that "no material progress has been made by Huawei in the remediation of the issues reported last year." The vulnerabilities identified were related to "basic engineering competence and cybersecurity hygiene," and the NCSC doesn't believe they were placed there intentionally for Chinese intelligence services. The report concludes that "Huawei’s development and support processes are not currently conducive to long-term security risk management and, at present, the Oversight Board has seen nothing to give confidence in Huawei’s capacity to fix this" (Telegraph).
Huawei's smaller counterpart, ZTE, is looking for a place in the 5G market as it recovers from what the South China Morning Post calls the company's "near death experience."
The EU revealed its plan to assess the risks posed by Chinese equipment in upcoming 5G infrastructure. EU countries will report any threats to their national network infrastructure by June 30, and the European Agency for Cybersecurity will evaluate this information and produce a report by October 1st. The countries will then debate which course to take and come to a decision by the end of the year (SecurityWeek).
Dark Matter and NSO Group continue to receive unfriendly scrutiny from the press. UAE-based Dark Matter is said to have "poached" employees from Israel-based NSO Group with a view to enhancing Dark Matter's surveillance capabilities (CTECH). NSO Group's CEO has undertaken a charm counteroffensive in which he connects his company's products, services, and solutions to counterterrorism (CBS), but with mixed results (Gizmodo).
Companies look to new ways of filling security positions, such as seeking trusted partners, using third-party support services, and automating security tasks (Information Week).
The US Federal reskilling effort continues, and agency approaches to filling labor gaps continue to evolve (Federal News Network).
The US Department of Homeland Security advanced preparations to implement its Cyber Talent Management System. The system is meant to speed up the hiring process, improve applicant assessment, and offer more flexible performance-based compensation in order to compete with the private sector for talent. The DHS has requested $11.4 million in fiscal 2020 to launch the system, and it plans to hire 150 new cybersecurity employees by the end of next year (FedScoop).
The US Federal Government has been as busy as is realistically possible in its efforts to recruit university students to cybersecurity positions, but with mixed success. Why? Apparently students think that, first, Government work is probably going to be boring; second, that Government job descriptions indicate that there's no place for entry-level talent; and third, that the application process is protracted, painful, and horrible in all sorts of ways (FCW). The first is a misconception, the second could be resolved with greater care and flexibility in crafting job descriptions, and the third, well, alas, that one's just true. The US Government remains haunted by the ghost of President Garfield.
Mergers and acquisitions.
NSEIT Ltd, the IT-services focused subsidiary of the National Stock Exchange of India, has acquired the cybersecurity firm Aujas Networks for an undisclosed amount (VCCircle).
Carbonite will finalize its acquisition of Webroot in the coming days, provided that the $618 million deal receives regulatory approval before the end of Q1 2019 (ChannelE2E).
Cybersecurity services and training company Bolton Labs has acquired Philippine-based security solutions company Phylasso Security, as Bolton Labs expands into the Southeast Asian market (PRNewswire).
Ezenta, a Danish Managed Detection and Response provider, has been acquired by the Finnish cybersecurity services firm Nixu Corporation. The acquisition gives Nixu a foothold in Denmark's cybersecurity market (Global Security Magazine).
Cybersecurity technology provider Merlin announced a major investment in secure communications company Wickr. The partnership will allow Merlin to provide Wickr's technology to federal agencies, helping them comply with legal and regulatory requirements (BusinessWire).
Sayata Labs, based in Israel, has emerged from stealth with a $6 million seed round. Sayata sees itself contributing to the cyber insurance sector, providing the kind of "granular visibility" insurers will need to underwrite small and medium business risk. AXA is already a partner. Elron led the investment (SecurityWeek).
An Australian approach to cyber startup incubation: focus on partnerships first, exits second. AustCyber CEO Michelle Price told CSO that Australian startups "are feeling more and more confident about being able to stay at home and export from home."
Today's issue includes events affecting Australia, China, Denmark, European Union, Finland, India, Iran, Israel, Kosovo, Macedonia, Norway, Russia, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.