The Week that Was.
April 13, 2019.
By the CyberWire staff
The return of the Triton actor.
FireEye has discovered another intrusion by the threat actor behind Triton, the custom attack framework that in 2017 was used against Schneider Electric Triconex safety instrumented systems at a Middle Eastern petrochemical plant. The new intrusion occurred at an unnamed "critical infrastructure facility." Triton is notable because it targeted the safety systems whose job is to bring an industrial process to a safe state, rather than the process controllers themselves. FireEye doesn't say whether the Triton malware itself was seen in the latest intrusion, but it did observe the use of "new custom tool sets."
GossipGirl and connections among malware.
Chronicle, Alphabet's cybersecurity division, revealed the results of its investigation into Stuxnet, Duqu, and Flame, three malware families tied to the same espionage and sabotage operations, of which Stuxnet is the one that directly attacked industrial control systems. Chronicle researchers believe the three strains are connected to a "supra threat actor" they're calling "GossipGirl."
WikiLeaks' Assange is out of the embassy and in custody.
Early Thursday morning Ecuador indeed withdrew the asylum it had extended to WikiLeaks founder Julian Assange for the past seven years (Washington Post). Ecuador's government cited "repeated violations to international conventions and daily-life protocols" as the grounds for Mr. Assange's expulsion (Daily Beast).
London's Metropolitan Police were invited into the embassy where they took Mr. Assange into custody for bail jumping. Home Secretary Sajid Javid tweeted: "I can confirm Julian Assange is now in police custody and rightly facing justice in the UK." Mr. Assange will remain in custody until sentencing at some later time (Fifth Domain). He could face up to a year’s detention at Her Majesty’s pleasure.
He'll also remain in custody through the extradition hearing that will decide whether he's turned over to the US for trial. It's long been thought, based on an apparently inadvertent failure to fully redact a court filing in an unrelated case, that he would be charged in the US (TechCrunch). That's now confirmed: the US Justice Department unsealed an indictment shortly after the embassy showed Mr. Assange the door. He's charged under the Computer Fraud and Abuse Act with one count of conspiracy to commit computer intrusion (Washington Post). The alleged co-conspirator is former US Army intelligence analyst Chelsea (then Bradley) Manning (Washington Post). The indictment alleges that Mr. Assange agreed to help Ms. Manning crack a password hash for an account on a Defense Department computer connected to SIPRNet, which would have let her reach classified material under an account not her own. If convicted, Mr. Assange could face five years in prison, and there's widespread speculation that the Justice Department might add further charges. Observers note that the indictment seems carefully crafted, by focusing on the password-cracking agreement rather than on publication, to avoid running afoul of the First Amendment (Washington Post).
WikiLeaks was involved in some of the doxing that occurred during the 2016 US elections. The extent of that involvement, and its motivation, remain unclear and controversial (Washington Post).
CNN and the Guardian are both running updated coverage.
Norsk Hydro's recovery, and questions about LockerGoga.
Norsk Hydro's production has returned to nearly normal levels after its disruption by a LockerGoga ransomware attack (Claims Journal). The company has received good reviews for its handling of the LockerGoga infestation that disrupted production at the aluminum producer. The "catastrophe modeling" shop RMS thinks Norsk distinguished itself in both public communication and technical response. It communicated quickly and effectively, with clear accountability. It also moved swiftly to contain the attack before it spread to unaffected sections of the enterprise, and it effectively reverted to manual operations where necessary. The attack came at an organizationally bad time for Norsk Hydro. Their CEO had retired the day before LockerGoga hit, and his successor was not yet in place (Insurance Journal).
Securonix has published an analysis of LockerGoga, and concludes that the malware's destructive tendencies might be intentional, suggesting the attackers may have additional goals in mind, including sabotage. Oleg Kolesnikov, the company's Director of Threat Research, commented on why LockerGoga hit Norsk Hydro as hard as it did: "One of the reasons that LockerGoga was so impactful in the Norsk Hydro attack was its scale. It infected multiple systems through copying to the shared directory and subsequent lateral movement, affecting the entire organization. This lateral movement is a technique that hasn’t been used commonly in other attacks so it’s not something that companies are used to detecting for, but should be included in protocols for future detection."
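The spread pattern Kolesnikov describes, a binary copied once to a shared directory and then launched from that share on host after host, is something a SOC can hunt for in endpoint telemetry. The following is an added example, not Securonix's or Norsk Hydro's code. It runs over constructed log lines in an assumed, simplified normalisation of Sysmon Event ID 11 (file create) and Event ID 1 (process create), and flags any share-hosted executable that is executed on several distinct hosts shortly after it was written to the share. The field layout, host names, paths and thresholds are all assumptions made for the example.

```python
"""
Hunt for the LockerGoga spread pattern: a binary written once to a network
share and then launched from that share on many hosts within a short window.
Added example, not Securonix's or Norsk Hydro's code. The log lines are
constructed and use an assumed, simplified normalisation of Sysmon Event ID 11
(file create) and Event ID 1 (process create): time|host|event|path.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host event path")

# Extensions we treat as "something an adversary would stage and run".
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")

# Constructed sample log (assumption: one event per line, pipe separated).
# Lines 1-5: a binary dropped into the domain controller's NETLOGON share and
# launched from there on four machines within five minutes.
# Lines 6-7: a legitimate installer on a software share run by one host.
# Line 8: a local svchost.exe, which must not match a share-hosted path.
SAMPLE_LOG = r"""
2019-03-18T23:40:02|dc01|file_create|\\dc01\netlogon\update\svchost.exe
2019-03-18T23:41:15|ws-acct-01|process_create|\\dc01\netlogon\update\svchost.exe
2019-03-18T23:41:20|ws-acct-02|process_create|\\dc01\netlogon\update\svchost.exe
2019-03-18T23:42:03|ws-eng-07|process_create|\\dc01\netlogon\update\svchost.exe
2019-03-18T23:44:48|srv-hmi-02|process_create|\\DC01\NETLOGON\update\SVCHOST.EXE
2019-03-18T09:02:00|fs01|file_create|\\fs01\software\7zip\7z1900.exe
2019-03-18T10:15:00|ws-acct-01|process_create|\\fs01\software\7zip\7z1900.exe
2019-03-18T23:41:30|ws-acct-02|process_create|C:\Windows\System32\svchost.exe
"""


def parse_events(text):
    """Parse the pipe-separated sample format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        when, host, event, path = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(when), host, event, path))
    return events


def _share_executable_key(path):
    """Return a case-folded key for executables on a UNC share, else None.
    Windows paths are case-insensitive, so the same file may be logged with
    different casing on different hosts (see srv-hmi-02 above)."""
    key = path.lower()
    if key.startswith("\\\\") and key.endswith(EXEC_SUFFIXES):
        return key
    return None


def find_share_staged_execution(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return one finding per share-hosted executable that was launched on at
    least `min_hosts` distinct hosts within `window` of being written."""
    staged = {}                   # key -> (write time, writing host, path as logged)
    launches = defaultdict(dict)  # key -> {host: first launch time}
    for e in sorted(events, key=lambda ev: ev.time):
        key = _share_executable_key(e.path)
        if key is None:
            continue
        if e.event == "file_create":
            staged.setdefault(key, (e.time, e.host, e.path))
        elif e.event == "process_create" and key in staged:
            launches[key].setdefault(e.host, e.time)

    findings = []
    for key, (written, writer, path) in staged.items():
        hosts = sorted(h for h, t in launches[key].items()
                       if written <= t <= written + window)
        if len(hosts) >= min_hosts:
            findings.append({
                "path": path,
                "staged_by": writer,
                "staged_at": written.isoformat(),
                "launched_on": hosts,
            })
    return findings


if __name__ == "__main__":
    for f in find_share_staged_execution(parse_events(SAMPLE_LOG)):
        print(f"{f['path']} staged by {f['staged_by']} at {f['staged_at']}, "
              f"launched on {len(f['launched_on'])} hosts: {', '.join(f['launched_on'])}")
```

The logic is general rather than LockerGoga-specific: anything staged on a share and then run across the estate, whether ransomware, a PsExec-pushed payload or a legitimate rollout, will match, so `min_hosts` and `window` need tuning and known deployment paths (GPO startup scripts, software distribution shares) need an allowlist or a baseline. In production the events would come from Sysmon, an EDR feed or Windows Security event 5145 (network share object accessed) through the SIEM rather than from a text file, but the join between "written to share" and "executed from share on N hosts" is the part worth keeping.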
On Patch Tuesday Adobe fixed forty-three bugs in Acrobat, Reader, Flash Player, Shockwave Player, Dreamweaver, XD, InDesign, Experience Manager Forms, and Bridge CC. Microsoft addressed some seventy issues, among them two Win32k privilege-escalation vulnerabilities that were already being exploited in the wild before the fixes shipped.
Businesses often defer software upgrades, including critical patches, out of a desire to avoid downtime and keep the business running (Silicon UK). Tanium, which conducted the study that reached this conclusion, calls it a "resilience gap."
There's an obvious risk in deferring updates. Consider the major credit bureau Equifax, whose 2017 breach of personal information was excoriated in a just-released report by the US Senate. Equifax was breached by attackers who exploited a known vulnerability in Apache Struts. A patch had been available for roughly two months before the intrusion began, and Equifax knew about the fix, but it hadn't been applied to the affected system by the time the damage was done. The Senate report found that Equifax's own vulnerability scan failed to find the vulnerable Struts instance and that its patching policy was not followed, which is the real lesson: a deferred patch is a risk-acceptance decision, and it only works when the deferral has an owner, a deadline, and a compensating control rather than simply dropping off the list.
Crime and punishment.
A woman who was arrested for gatecrashing Mar-a-Lago last week with two Chinese passports, four cellphones, and a malware-laden USB drive had other electronic equipment in her hotel room, including a fifth cellphone, nine USB drives, five SIM cards, and a device for detecting hidden cameras. Investigators also found several debit cards and $8,000 in cash, which seemed noteworthy but is probably neither here nor there. More to the point is her lack of a swimsuit, which tells against her story that she was there for a dip in the pool (New York Times).
A Secret Service agent involved in the investigation received generally poor reviews for tradecraft after revealing how he discovered that the woman's USB drive contained malware: he plugged the drive into his computer, whereupon it immediately began installing files (Daily Beast). The accepted practice is to treat unknown media as hostile: image it through a write blocker on an isolated, non-networked analysis machine, hash the image, and examine the contents in a sandbox, never by plugging it into a working computer and watching what runs.
A former Democratic congressional aide pleaded guilty to doxing five Republican senators on Wikipedia (Washington Post).
Courts and torts.
Yahoo proposed a $117.5 million settlement over its massive data breaches. According to Reuters, this settlement includes "at least $55 million for victims’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees, and up to $8.5 million for other expenses." US District Judge Lucy Koh will decide whether to approve or reject the settlement. She rejected a previous version of the settlement earlier this year (Engadget).
Max Eddy at PCMag argues that Facebook's recent civil rights settlement over ads for housing, credit-related products, and employment should be a blueprint for further action regarding targeted political advertising. In its settlement with the ACLU, Facebook said it would limit the extent to which these advertisers could target specific users based on information Facebook collected about them. It's also agreed to make the advertising process more transparent to users. Microtargeted ads were an integral part of the Russian influence campaign during the 2016 US election. Russian operatives used legitimate Facebook tools to place their content in front of specific individuals. Eddy doubts Facebook would consider jettisoning its business model since it relies on targeted advertising, but he thinks Facebook "can find a way to make money while respecting users' privacy and not being complicit in worsening society's ills."
Policies, procurements, and agency equities.
Homeland Security Secretary Kirstjen Nielsen abruptly resigned from her post on Sunday. Her departure raised concerns about the future of the administration's cybersecurity efforts, since she was one of the few high-ranking civilian leaders with considerable cybersecurity experience (Washington Post).
The European Data Protection Supervisor (EDPS) is looking for GDPR violations in Microsoft's cloud and software deals with EU institutions (EDPS). The investigation was sparked by a Dutch inquiry into hidden telemetry in Microsoft Office last November. Dutch authorities discovered eight violations of GDPR in Office ProPlus and Office 365 (ZDNet). Microsoft made changes to these products to bring them into compliance with GDPR, but the EDPS believes it may find similar violations (Reuters).
The US General Services Administration (GSA) announced it has restructured its Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) in its IT Schedule 70 acquisition vehicle to allow agencies to access a wider spectrum of cybersecurity services (Fifth Domain).
The US Army last month issued awards on a cyber contract with a ceiling of $982 million (Fifth Domain). Northrop Grumman and General Dynamics revealed that they were among the companies selected for the R4 contract, which is an indefinite delivery, indefinite quantity (IDIQ) contract focused on research and development related to cyber and electronic warfare.
Fortunes of commerce.
The ambiguous and protean nature of cyber threats has led to some high-profile insurance claim denials, and this may be weakening policyholders' trust in cyber insurance providers, according to Dante Disparte and Andres Franzetti from risk advisory firm Risk Cooperative. Two major NotPetya claims are in dispute: Zurich has denied Mondelez's claim on the grounds that the attack was an act of war and therefore fell under the policy's war exclusion, and the law firm DLA Piper is reported to be in a similar dispute with its insurer over its own NotPetya losses. Disparte and Franzetti say that with ransomware in particular, "a force majeure or war risk exclusion could theoretically remain an industry ambiguity, eroding confidence in the sector and the insurance class writ large." Cyber insurers therefore need to "form a consensus on what constitutes a covered claim" if they wish to bolster trust in their industry (International Policy Digest).
Two familiar names in the industry are being replaced. Colorado-based PasswordPing has changed its name to Enzoic. The company will continue its focus on frictionless credential screening (PRNewswire). High-Tech Bridge has also rebranded. The app security testing and risk-scoring shop will henceforth be known as ImmuniWeb® (BusinessWire).
Cloud and email security shop Cyren is going through with its plans to delist itself voluntarily from the Tel Aviv Stock Exchange. It will cease trading on TASE as of April 10th (CTECH). The company will continue to trade on the Nasdaq under its ticker symbol CYRN (PR Newswire). Cyren's Wikipedia page explains the voluntary delisting as representing a move to simplify the company's regulatory filings and concentrate trading on one exchange.
The notorious shortage of qualified cybersecurity talent in the Government may not be up to the Government alone to solve. A private-sector initiative aims at redressing some of that shortage. The Partnership for Public Service, a Washington, DC-based non-partisan, not-for-profit organization, on Tuesday announced its Cybersecurity Talent Initiative.
The Initiative intends to recruit and place recent university graduates into two-year stints of service with one of eleven Federal agencies: CIA, FBI, the Office of Naval Intelligence, Department of Defense, the Department of Energy, the Department of Health and Human Services, the Department of Veterans Affairs, the Environmental Protection Agency, the Federal Election Commission, the National Oceanic and Atmospheric Administration, and the Small Business Administration.
The short-term, two-year commitment is noteworthy, but so are the three private-sector partners the Initiative will be working with: Mastercard, Microsoft and Workday. Once participants successfully complete their tour with the Government, they'll be offered a job at one of the three partners, and they'll also be given up to $75,000 in student loan repayment assistance (Nextgov).
Mergers and acquisitions.
California-based Juniper Networks acquired Mist Systems for $405 million. Mist will keep its name and run as a standalone company under Juniper's umbrella (CRN).
Herzliya-based cybersecurity firm Safe-T will acquire the IP proxy network shop NetNut, of Tel Aviv, for $9.7 million (CTECH).
Cloud-based security and backup provider Carbonite says its approach to integrating the recently acquired Webroot will be Hippocratic: first, do no harm. The combined companies expect an initial focus on ransomware (Tech Target).
The private equity firm Symphony Technology Group (STG) has taken 70% ownership of RedSeal. STG is said to have invested $70 million in the Sunnyvale, California, based resilience specialists (Reuters).
NSO Group, a company whose Pegasus lawful intercept tool has drawn controversy for its apparent delivery to (and unsavory use by) repressive regimes, is undergoing a management buyout. That's proving harder than many expected. The company's reputation has made lenders skittish, and they're asking for a premium before they'll fund the buyout. The two firms that agreed to provide the $500 million loan necessary for the transaction, Jefferies Financial Group Inc. and Credit Suisse Group AG, are said to have found themselves forced to sell the debt at a deep discount (Bloomberg).
And security innovation.
For all the talk of the coming age of artificial intelligence, and the way in which it will largely replace human operators for content moderation, watchstanding, and so forth, there may be some commercial grounds for mild skepticism. Google's business customers like its services, but they don't like the lack of human sales representatives to help them with those services. And so Mountain View is now re-investing in natural intelligence, that is, human beings (Wall Street Journal).
Amazon's Alexa also depends upon a large human staff, which Bloomberg reckons in the thousands, who are said to be employed in listening to audio recordings of users' interactions with the device. It is, Amazon explains, part of the training the artificial intelligence needs to be more responsive, and the data are not otherwise used, analyzed, or retained. While this will not assuage the privacy concerns that have deterred many from bringing Alexa into their homes (Computing), it's perhaps more interesting as commentary on how much artificial intelligence continues to depend upon human trainers and watchers.
Today's issue includes events affecting China, Ecuador, European Union, Israel, Netherlands, Russia, United Kingdom, United States.