
More signal. Less noise.

Achieve FedRAMP ATO in half the time with automation: White paper

In this recently released white paper, learn how the use of new automation techniques pioneered by Coalfire and AWS empowers organizations to achieve FedRAMP ATO in half the time of traditional methods and at a significantly reduced cost. Download the free white paper, “Automation: Changing the cost and time of compliance.”

The Week that Was.

The Mueller Report is out.

The long-awaited and much discussed Mueller Report on Russian influence operations during the US 2016 elections was released in redacted form Thursday morning.

At a pre-release press conference, US Attorney General Barr reviewed the report and explained the reasons for redactions. He said the Special Counsel established that there was an effort on the part of Russian intelligence services to interfere in the US elections, but that no Americans were found to have collaborated with Russia.

Four categories of material were redacted:

  1. Grand jury material whose redaction is required by law.
  2. Material that might compromise intelligence sources and methods (or "investigative technique").
  3. Material whose release might impair other ongoing investigations or prosecutions (and this accounted for most of the redactions). Two of the cases the Attorney General mentioned in particular were the IRA and Roger Stone matters.
  4. Information affecting the privacy and reputation of "peripheral third-parties" mentioned in the investigation.

The White House reviewed the report's redacted version and declined to invoke executive privilege.

The Attorney General also said a bipartisan group of members of Congress would receive an almost unredacted version--the only material they wouldn't see would be grand jury material, disclosure of which is restricted by law.

The report concludes that "the Russian government interfered in the 2016 presidential election in sweeping and systematic fashion." Much of that interference occurred through leaks the GRU obtained and retailed through its DCLeaks and Guccifer 2.0 fronts, and through WikiLeaks as well. The Internet Research Agency ran an influence operation to disparage candidate Clinton and favor campaign Trump. While the Trump Campaign thought it would benefit from discreditable material so released, the investigation did not establish that any members of the Campaign conspired or coordinated with the Russians. That's true of both the hacking and the subsequent social media campaigns: "The investigation did not identify evidence that any US persons knowingly or intentionally coordinated with" the Russian organizations.

Case study: Engelberth improves network security using automated threat intelligence.

Most mid-sized organizations lack the resources to consume, operationalize, and gain value from threat intelligence. Find out how one regional company, Engelberth, reduced unwanted network traffic by taking action with threat intelligence to block threats before the perimeter with a Threat Intelligence Gateway. Read how Engelberth improved their network security here.

Heard of the Luhansk People's Republic?

Ukrainian military officials are being spearphished by someone seeking to install the Ratvermin backdoor, a second-stage payload delivered by a PowerShell script. The phishbait used in this case is a malicious document that purports to come from a military contractor. FireEye, which identified the campaign, links it to the Luhansk People's Republic, a region in Eastern Ukraine controlled by Russia and represented by the occupiers as a successful breakaway state. Kiev regards Luhansk as an administrative fig leaf for Russian occupation. Kiev probably has it right.

The Washington Post sees the Luhansk operation as a troubling harbinger of small-state and non-state actors deploying increasingly sophisticated cyber weapons. FireEye's John Hultquist told the Post that "[W]e should bear in mind that if this small substate can put together a [hacking] capability, then anyone can." Maybe, but while there are genuine instances of attackers operating independently of other support, there are many more instances of attackers working deniably on behalf of a state.

FireEye said it found no evidence that Russia assisted the Luhansk Group, but absence of evidence isn't necessarily evidence of absence. The campaign might be more realistically viewed as a Russian attempt to achieve plausible deniability, not a small-group's breakout into the big time. FireEye's Hultquist later in his Post interview noted that Russia's hybrid war in Ukraine has been a proving ground for attack tactics and techniques: "It's created this consistent battle rhythm of activity that we'd never seen before." Russian cyber operators perfect their methods against Ukraine, and then use them elsewhere.

Are you looking to reduce vulnerabilities in your software and struggling to find application security talent?

Security teams are turning to secure development training to help them be more pro-active in reducing vulnerabilities in software and help scale application security. The use of real applications, real tools, and real coding exercises to teach both offensive and defensive security to developers has been shown to be more effective and more engaging than defensive training alone. Try a SQL injection lesson to see if this approach may work well for your team.

The energy sector faces a growing number of threats (mostly from states).

The energy sector's consolidation in search of economies has resulted in more single points of failure, both in plant operations and in their supply chain, a study released this week by F-Secure has concluded.

Sea Turtle is one of those threats to energy companies.

And also to military and diplomatic establishments. Researchers at Cisco Talos describe "Sea Turtle," a state-directed espionage campaign that's been active since early 2017. Most of Sea Turtle's operations have been in the Middle East, and the campaign is noteworthy for its sophisticated Domain Name System (DNS) manipulation. Cisco Talos divides the victims into "two distinct groups." The first group includes the targets proper: energy organizations, defense establishments, and foreign ministries. The second group consists of third parties used to reach the primary targets: telcos, ISPs, and DNS registrars. CrowdStrike and FireEye had earlier described aspects of this DNS-manipulation campaign. FireEye tentatively attributed it to Iran. The US Department of Homeland Security issued a warning about this activity in January.

Cisco Talos finds the incident worrisome not so much in its immediate effects as in its realistic potential to undermine users’ trust in the Internet as such. The company includes a plea to put DNS as a whole off-limits to offensive cyber operations.
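A campaign that works through registrars and ISPs rather than the victim's own servers is invisible to host-based tooling, so the practical check is to compare what the Internet currently says about your domains against a known-good baseline. The following is an added example, not code from Cisco Talos, FireEye, or The CyberWire. The record sets are constructed for illustration (the domain ministry.example and all addresses are hypothetical); in production the observed snapshot would be populated from queries to the parent zone's delegation, your own authoritative servers, and your registrar's RDAP/WHOIS data, and the split-view check would be fed by resolvers at several network vantage points.

```python
"""Baseline comparison for detecting DNS manipulation of the Sea Turtle kind.

Added example. Two checks are shown:
  1. compare_snapshots: diff the current delegation, A/MX records and registrar
     lock state against a trusted baseline captured earlier.
  2. disagreeing_vantage_points: when the same name resolves differently from
     different resolvers, the odd ones out may be sitting behind a tampered
     ISP or registrar path.
All domains and IP addresses below are constructed (RFC 5737 documentation ranges).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSnapshot:
    ns: frozenset            # authoritative nameservers as published by the parent zone
    a: dict                  # hostname -> frozenset of IPv4 addresses
    mx: frozenset            # mail exchanger hostnames
    registrar_lock: bool     # transfer/update lock status reported by the registrar


def compare_snapshots(baseline: ZoneSnapshot, observed: ZoneSnapshot) -> list:
    """Return human-readable findings where `observed` deviates from `baseline`."""
    findings = []
    if observed.ns != baseline.ns:
        added = sorted(observed.ns - baseline.ns)
        removed = sorted(baseline.ns - observed.ns)
        findings.append(f"NS delegation changed: added {added}, removed {removed}")
    for host, expected in baseline.a.items():
        got = observed.a.get(host, frozenset())
        if got != expected:
            findings.append(
                f"A record for {host} changed: {sorted(expected)} -> {sorted(got)}")
    for host in observed.a.keys() - baseline.a.keys():
        # A new name appearing under the zone is worth a look even if nothing else moved.
        findings.append(f"unexpected new A record: {host} -> {sorted(observed.a[host])}")
    if observed.mx != baseline.mx:
        findings.append(f"MX changed: {sorted(baseline.mx)} -> {sorted(observed.mx)}")
    if baseline.registrar_lock and not observed.registrar_lock:
        # Registrar-level tampering usually has to clear the lock first.
        findings.append("registrar lock removed")
    return findings


def disagreeing_vantage_points(views: dict) -> list:
    """Given resolver name -> frozenset of answers, return resolvers that disagree
    with the most common answer. Ties resolve to the first-seen answer set."""
    consensus, _ = Counter(views.values()).most_common(1)[0]
    return sorted(name for name, rrset in views.items() if rrset != consensus)


# --- constructed sample data -------------------------------------------------
BASELINE = ZoneSnapshot(
    ns=frozenset({"ns1.ministry.example", "ns2.ministry.example"}),
    a={"mail.ministry.example": frozenset({"203.0.113.10"}),
       "www.ministry.example": frozenset({"203.0.113.20"})},
    mx=frozenset({"mail.ministry.example"}),
    registrar_lock=True,
)

# Same delegation and MX, but the mail host now points at an attacker-controlled
# address and the registrar lock has been cleared.
OBSERVED_HIJACKED = ZoneSnapshot(
    ns=BASELINE.ns,
    a={"mail.ministry.example": frozenset({"198.51.100.7"}),
       "www.ministry.example": frozenset({"203.0.113.20"})},
    mx=BASELINE.mx,
    registrar_lock=False,
)

# One ISP resolver returns a different answer than two independent resolvers.
VIEWS = {
    "resolver-a": frozenset({"203.0.113.10"}),
    "resolver-b": frozenset({"203.0.113.10"}),
    "isp-resolver": frozenset({"198.51.100.7"}),
}

if __name__ == "__main__":
    for line in compare_snapshots(BASELINE, OBSERVED_HIJACKED):
        print("FINDING:", line)
    print("disagreeing resolvers:", disagreeing_vantage_points(VIEWS))
```

Run on a schedule against a baseline captured when the zone was known to be clean; a redirected mail host and a cleared registrar lock are exactly the kind of change the page's "third-party" group of victims would let an attacker make without touching any of the target's own systems.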

OilRig doxed.

Iran's APT34, the hacking group also known as OilRig, is itself being doxed. A Telegram channel called "Read My Lips" is dumping the group's tools and some of its identities online. WIRED compares them to the ShadowBrokers. Whoever they are (neither disgruntled insiders, opposition groups, nor foreign intelligence services can be ruled out) their declared motive is exposing "this regime's real ugly face."

Quickly identify threats that matter to your organization.

Download the free white paper, SIEM + Threat Intelligence, to see how security organizations can enhance their SIEM with threat intelligence to gain a fuller understanding of threats, eliminate false positives, and form a proactive, intelligence-driven defense.

YouTube fact-checks Notre Dame fire with 9/11 explanations and imagery.

The Cathedral of Notre Dame in Paris burned Monday. The cause is unknown and under investigation, but French authorities' initial take on the disaster is that it was probably neither arson nor terrorism, but possibly an accidental fire caused by renovation work (Fox News). YouTube's fact-checking system, however, which is heavily dependent upon an algorithm built to screen and control fake news, juxtaposed text and images describing the 9/11 terrorist attacks beside video of the burning cathedral (TechCrunch). YouTube flagged livestreamed video of the fire as possible misinformation and rolled out its truth-checking box to give the facts about the 9/11 attacks (Buzzfeed). YouTube apologized that its algorithm "made the wrong call," as they blandly put it (ABC News). Some observers saw the incident as another illustration of the difficulty of automating fact-checking and other forms of content control (Washington Post).

Copyright enforcement mistakenly used against news reports of copyright infringement.

The Starz television service apologized Monday for its "overzealous" copyright enforcement action against Torrentfreak over the news site's reporting on video piracy. Torrentfreak neither linked to leaked episodes of Starz shows nor even named sites that had engaged in the piracy, but a third-party company Starz had hired successfully demanded that Twitter take down tweets about the story. Some third-party tweets about the dispute were also removed. "The techniques and technologies employed in these efforts are not always perfect, and as such it appears that in this case, some posts were inadvertently caught up in the sweep that may fall outside the DMCA [Digital Millennium Copyright Act] guidelines," Starz said. "That was never our intention and we apologize to those who were incorrectly targeted" (Variety).

Link taxes and liabilities are now the law in Europe.

The European Union, unfazed by the difficulties suggested by stories like the two above, passed its controversial copyright reform law as nineteen of twenty-eight member countries voted to ratify the European Parliament's action. "With today's agreement, we are making copyright rules fit for the digital age," European Commission President Jean-Claude Juncker said, which is one way of looking at it. Critics see the law's Articles 11 and 13 as particularly objectionable. The former establishes a link tax to pay owners of copyrighted content, the latter makes platforms legally liable for any infringements their users post (VentureBeat).

Did you know that 91% of data breaches started with spear phishing?

With spear phishing being one of the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense: your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.

The Assange indictment, hacking, and journalism.

The indictment of Julian Assange is controversial, but assertions that it represents a legal adjustment of fire onto targeted publishers seem a stretch. The Observer has a useful rundown of such reaction, but as the New York Times noted with approval, it's striking how narrow the indictment is. Mr. Assange is accused of having conspired (with then-Specialist Manning) to break into a protected computer system. This would be, those who approve of the indictment might say, roughly analogous to a journalist conspiring with someone to break into a company or government office in search of sensitive documents. The riposte would be that conspiracy is a fig leaf to cover a direct assault on journalism, in particular, as the Intercept sees it, an attack on sources' ability to maintain their anonymity. But if this is an attack on the First Amendment, it will be some time before the assault wave even reaches its assembly area.

That WikiLeaks did harm to US military and intelligence operations seems incontestable, but that damage seems to have waned since the Manning leaks of 2010 as agencies have worked to alter their procedures and contain the damage. Among WikiLeaks' less-mentioned casualties, as NPR reminds its audience, were opposition figures in repressive governments who had been in quiet contact with the US.

Notre Dame fire scams.

Much misinformation, some of it connected to scams, will, as KnowBe4 warned at midweek, continue to circulate about the Notre Dame fire. ZeroFOX says it's observing a wave of opportunistic scamming conducted around the tragedy: ad fraud, direct fraud, malware installation, and even stock fraud.

Patch news.

VMware patched several denial-of-service and information disclosure vulnerabilities. The flaws affected graphics components in its ESXi, Workstation and Fusion products (SecurityWeek).

Microsoft’s recent security updates are causing issues on computers running security software from Sophos, Avast, Avira, and Arcabit. Some PCs running these products are becoming unresponsive after installing the updates. Avast has fixed the issue by updating its own software, and Microsoft has stopped rolling out the updates for users running Sophos and Avira. Arcabit is still working with Microsoft to find a solution (CRN).

Microsoft patched an actively-exploited Windows zero-day discovered by Kaspersky that allowed attackers to take full control of a victim's computer. The flaw was a use-after-free vulnerability in the CreateWindowEx function (The Inquirer).

Oracle released patches for 296 vulnerabilities, 44 of which were in MySQL (Computing).

Electronic Arts patched a vulnerability in its online gaming platform, Origin, which could have allowed an attacker to run any app on a Windows computer with Origin installed (TechCrunch).

Crime and punishment.

The gatecrasher who entered Mar-a-Lago with suspicious electronics and a Chinese passport was deemed a flight risk and will remain in jail. She's been charged with entering restricted grounds and lying to the Secret Service. A USB drive in her possession was thought to contain malware, according to a Secret Service agent who plugged it into his computer, but officials can't replicate the behavior described by the agent (Washington Post).

Courts and torts.

The US Attorney's Office for the Northern District of California has released details of a settlement reached with Fortinet over an employee's false labeling of some products as made in the US. The company will pay $545,000 to resolve allegations of violating the False Claims Act by misrepresenting products as being in compliance with the Trade Agreements Act. The employee (not named) is said to have directed personnel at Fortinet to affix labels reading "Assembled in the United States" or "Designed in the United States and Canada" to products distributors subsequently resold to the US military (CyberScoop). CyberScoop says that Fortinet probably received a lighter settlement because of the assistance the company rendered in exposing a corrupt lawyer involved in the case.

The UK's data protection authority fined parenting support company Bounty £400,000 after it shared the personal information of millions of its customers with third-party marketing agencies (Infosecurity Magazine).

Policies, procurements, and agency equities.

Regional and local governments are increasing their law enforcement and intelligence capabilities in cyberspace. New York City's Cyber Command, in operations for eighteen months, is building a secure, cloud-based, log aggregation capability (ZDNet). Police in England and Wales are getting their own organic cyber law enforcement capability (Infosecurity Magazine). And Ohio is considering establishing a state "cyber force" (Dayton Daily News).

The State Duma, the lower house of Russia's parliament, approved a draft law to increase the government's control over the Internet in the country in order to defend it against foreign interference. The law awaits approval by the upper house, the Federation Council, and then the President's signature (Reuters).

Fortunes of commerce.

Google has shut down another corporate artificial intelligence ethics board. The panel, based in the UK and organized around Google's AI research subsidiary DeepMind, was to have reviewed issues surrounding healthcare, but its members in the end were reluctant to work under what some of them characterized as too little autonomy and insufficient access to relevant data (Wall Street Journal). The other attempt at an ethics board, Google's Advanced Technology External Advisory Council (ATEAC), was closed on April 4th when employees objected to some of the announced members on progressive political grounds. Employee objections were amplified in social media, and that induced other prospective board members to resign (Computing).

CFIUS is pushing harder on foreign ownership of US security firms. The latest company to receive such scrutiny is Cofense, as Pamplona is being pushed to sell its stake. Despite its running-of-the-bulls-sounding name, Pamplona is a private equity firm controlled by Russian oligarchs (Pitchbook).

Do developers' goofball messages count as a supply chain hack? Facebook is embarrassed by messages embedded in Oculus VR preproduction controllers by Oculus developers: "This Space For Rent," "The Masons Were Here," "Big Brother is Watching," and "Hi iFixit! We See You!" The girls and boys may be yukking it up, but Facebook would rather this hadn't happened (Naked Security).

Labor markets.

Richard Ford from Forcepoint thinks an emphasis on human behavior is the new marketing trend that every product needs to advertise. He advises CISOs to ensure that vendors actually have something meaningful to offer and aren't just playing to the crowd (Fifth Domain).

Mergers and acquisitions.

IT service provider EDTS (based in the US state of Georgia) and its sister company, EDTS Cyber, were acquired by Philadelphia-based Inverness Graham for an undisclosed amount. The two companies will be merged into Inverness Graham portfolio company Corsica Technologies. The deal will allow EDTS' founder and CEO to focus on growing EDTS Cyber (Augusta Chronicle).

Australian managed cybersecurity and networking services provider Tesserent purchased Melbourne-based enterprise security specialist and Splunk provider Rivium for $3.5 million (ARN).

Investments and exits.

Password manager and identity management solution Dashlane raised $30 million in a debt financing round from Hercules Capital (TechCrunch).

London-based Provenance Blockchain, Inc, which runs the Provenance blockchain, completed a $20 million security token offering (PR Newswire).

Astroscreen, a London-based startup that detects social media manipulation, raised $1 million in an initial funding round led by Speedinvest, Luminous Ventures, and UCL Technology Fund (TechCrunch).

And security innovation.

Data61, the advanced R&D department of Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO), was recognized as a "global blueprint for digital and open innovation" by the Organisation for Economic Co-operation and Development (OECD) (Mandarin).

Tech Nation revealed the list of twenty UK cybersecurity startups accepted into its six-month growth program funded by the UK government (Information Age).


Today's issue includes events affecting Australia, France, Democratic People's Republic of Korea, Iran, Russia, Ukraine, United Kingdom, United States.

Research Saturday is up. Researchers have discovered a number of vulnerabilities in the SwissPost e-vote system which could allow undetectable manipulation of votes. In this episode we learn more about this research from Dr. Vanessa Teague, Associate Professor and Chair, Cybersecurity and Democracy Network at the Melbourne School of Engineering, University of Melbourne. She joins us to explain her team's findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.