skip navigation

More signal. Less noise.

Automation is disrupting compliance—white paper details huge reductions in time; cost

Compliance frameworks are multiplying, challenging even the most robust security and compliance teams, straining organizations of all sizes. Automation is dramatically reducing costs, changing the times to compliance (in many cases by half), slashing the demands on in-house staff, reducing costs, and eliminating much of the redundant work across frameworks. Download the white paper explaining the benefits of new automation techniques pioneered by Coalfire and AWS.

The Week that Was.

Wipro has been active since 2015.

Flashpoint researchers have published their findings on the threat actors behind the Wipro hack. The researchers identified a number of indicators connecting the attack to phishing attachments and infrastructure used to carry out previous attack campaigns in 2017 and 2015. The Wipro hack and subsequent attacks against Wipro’s customers looks like gift-card fraud. Flashpoint says the attackers sought access to the portals managing gift card and rewards programs at the targeted organizations. Threatpost reports that the group appears to be organized and sophisticated, although the attack itself wasn't "particularly advanced." The hoods used a number of legitimate red-teaming and remote administration tools to breach companies and conduct reconnaissance. The group's strengths are "strong understanding of corporate relationships and environments as well as considerable attack infrastructure."

Get the In-Depth Guide to Operationalizing Threat Intelligence.

Threat intelligence is critical but often difficult to manage, automate, or operationalize. Threat Intelligence Gateways are an exciting, emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational, and useful. Learn about how this technology is turning threat intelligence into action to block threats at scale in the whitepaper, Operationalizing Threat Intelligence: An In-Depth Guide to Threat Intelligence Gateways.

The FBI says Russia remains a threat to the 2020 US elections.

FBI director Christopher Wray said Russia is still running influence campaigns on social media, which he described as a "a 365-day-a-year threat" (Daily Beast). The FBI sees Russian attempts to meddle in the 2018 midterm elections as "just kind of a dress rehearsal for the big show in 2020." The FBI is stepping up counterintelligence efforts accordingly, adding many more agents to the Foreign Influence Task Force. That task force, created before the 2018 elections, is now a permanent group. The Department of Homeland Security is making its election security task forces permanent as well (The New York Times).

Secretary of State Mike Pompeo said on Monday that Russia will remain a threat to US elections for "decades." He said that "it goes without saying they were a threat to our elections in 1974, they interfered in our elections in the '80s," adding that he found it "stunning" that anyone in Washington was surprised to learn that the Russians were still at it (The Hill).

Advice on social control from a Russian contractor.

CNN has seen documents from a Russian mining company called "M-Invest" which show that the company developed a plan to counter anti-government protests in Sudan by spreading misinformation and carrying out public executions of "looters." These documents were meant to advise Sudan's former president, Omar al-Bashir, who was receiving support from the Kremlin. Bashir was deposed in a coup last month. M-Invest had contracts with the now-deposed government of Sudan to mine gold in that country. The advice M-Invest gave Bashir would have followed a playbook similar to that adopted by St. Petersburg's Internet Research Agency (IRA) in information operations directed against the United States and other Western countries, except of course for the public executions. But whether this indicates common control by the GRU or simply a mining company's willingness to learn from the best is unclear.

Have Your Users Made You an Easy Target for Spear Phishing?

Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases. 

Naming and shaming the opposition: all Five Eyes find value in doing so.

Intelligence chiefs say publicly attributing cyberattacks by nation-states can be an effective deterrent. ZDNet reports on a panel session at CYBERUK 19 in which senior cyber security officials from each of the Five Eyes outlined their nations' approaches. Rob Joyce, senior cybersecurity adviser for the US National Security Agency, said that "an important enabling component for making like-minded coalitions is bringing that intelligence forward, doing that attribution, and having a specific entity that we have to rally around and deter." He added that naming the offending countries publicly is necessary to put pressure on them. "We won't get international norms without being able to speak that truth," Joyce said. Ciaran Martin, CEO of the UK's National Cyber Security Centre, said they do attribution "as a means to an end and that end being better cybersecurity and better national security." He believes it has the added effect of helping organizations better defend themselves against nation-state hacking by letting them know which of their assets may be targeted by these threat actors. "That means you can frame your defense, because some people need to be worried about one country over another, some need to be worried about organised crime, some need to be aware about all of them," he said.

Jan Thornborough, unit manager of outreach and engagement at New Zealand's National Cyber Security Centre, said that they'll "only attribute an attack to another country if it's within our own national interests to do so." Scott McLeod, First Assistant Director-General of the Australian Signals Directorate’s Protect, Assure, and Enable unit, said that attribution for cyberattacks is difficult. "It's a very high bar for us, and we feed the information to the government and they make the decision on public attribution," he said (Sydney Morning Herald). Likewise, Scott Jones, the head of the Canadian Centre for Cyber Security, said there needs to be "extremely high confidence" before attribution takes place (ZDNet). 

The Hacking Humans team is taking our show on the road

Coming this week, the CyberWire’s Hacking Humans Podcast will be examining the social engineering scams, phishing schemes, and criminal exploits making headlines at Sponsor KnowBe4’s KB4-Con from Orlando, FL. We will be joined by KnowBe4’s Stu Sjouwerman and Kevin Mitnick. Follow us on Twitter @thecyberwire as we will be tweeting live from the event and stay tuned for a recording in the near future.

Taking down snakeoil domains.

Palo Alto Networks' Unit 42 worked with GoDaddy to take down 15,000 sub-domains that were peddling miracle products. The sites pointed to sub-domains belonging to several hundred GoDaddy customers whose accounts had been hacked, probably via phishing or credential stuffing (LiveMint). Unit 42 discovered the spam campaign after spotting "striking visual similarities in templates used to build websites selling seemingly unrelated goods." 

Crime and punishment.

Ex-CIA officer Jerry Chun Shing Lee has taken a guilty plea to US Federal charges of selling defense information to China. The maximum sentence is life, but Mr. Lee will probably not receive that much.

The US Justice Department has secured indictment of American engineer Xiaoqing Zheng and Chinese businessman Zhaoxi Zhang on charges related to trade secret theft from General Electric Power and Water. They were apparently after "proprietary design models, engineering drawings and specifications dealing with components and testing systems for GE gas and steam turbines," and the Justice Department sees the alleged theft as part of China's long-term strategy of enhancing its industrial base through intellectual property theft (Washington Post).

The Massachusetts Supreme Judicial Court ruled on Thursday that law enforcement needs a warrant to collect or request location data generated by mobile devices (Naked Security). The court said that "by causing the defendant's cell phone to reveal its real-time location, the Commonwealth intruded on the defendant's reasonable expectation of privacy in the real-time location of his cell phone" (ZDNet).

The Bundeskriminalamt, working with partners in Europol, the Netherlands and the US, has shuttered the Wall Street Market contraband souk and arrested three of its alleged proprietors (Reuters). The Wall Street Market has recently come under suspicion of preparing an exit scam to defraud its sleazy customers, but that's not what the arrests are about. It's the contraband, not the con.

WikiLeaks founder Julian Assange on Thursday began his likely-to-be-long fight against extradition to the US, with minor but foreseeable "Free Assange" demonstrations around the courthouse (Washington Post).

Did you know that 91% of data breaches started with spear phishing?

With spear phishing being one the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense— your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.

Courts and torts.

A US Federal judge ruled Thursday that a lawsuit against the National Security Agency couldn't move forward without exposing classified information and threatening national security (Bloomberg Law). The suit, filed in 2008 by five plaintiffs represented by the Electronic Frontier Foundation, accused NSA of violating the Wiretap Act and the Electronic Communications Privacy Act (Courthouse News). In the ruling, the judge said that the defendants were "unable to defend the litigation or to pursue it to resolution on the merits without grave risk to the national security" (Law360). The judge found that the plaintiff's evidence was insufficient to support claims of injury from alleged mass surveillance.

An 18-year-old college student, Ousmane Bah, is suing Apple for $1 billion over its alleged use of facial recognition to mistakenly link him to thefts at Apple Stores (Naked Security). Bah was arrested by the NYPD in November, but was released after the detective on the case realized that Bah "looked nothing like" the suspect. Bah had also been summoned to a Boston court earlier last year over an Apple Store theft in that city, but those charges were dropped as well. The lawsuit states that the NYPD detective told Bah that the real suspect must have obtained Bah's interim driver's permit, which Bah had lost earlier in the year, and used it as a form of identification at one of the crime scenes. The interim permit didn't have a photo of Bah. The detective also told Bah that Apple uses facial recognition technology in its stores to identify theft suspects, which Apple denies. The lawsuit concludes that Apple linked the suspect's face with the information on Bah's driver's permit, so that all of the crimes committed by the suspect were attributed to Bah (Washington Post).

Facebook is getting closer to its reckoning with the US Federal Trade Commission. The eventual consent order is likely to cover WhatsApp as well as the basic Facebook services (Wall Street Journal). It's also likely to impose certain requirements on the composition of Facebook's board, and on its compliance officers (Politico). That, and of course a multi-billion-dollar fine is still thought likely.

Policies, procurements, and agency equities.

The US Department of Homeland Security has issued a Critical Functions List describing fifty-five areas that must be protected from cyberattack. The areas are divided into four categories: Connect, Distribute, Manage, and Supply. Connect covers communications, such as the Internet, radio, and satellite networks. Distribute deals with supply chains, electricity distribution, and the transportation of passengers, cargo, and materials. The Manage column covers a broad range of functions, from conducting elections and preserving constitutional rights to managing hazardous materials and maintaining fuel reserves. Supply deals with power generation, fuel and chemical production, and food and water services, as well as research and development. CISA director Chris Krebs told the Washington Post that one of the main benefits of this list is that it allows "government and industry to map out how a single digital threat—say an attack on the Global Positioning System or Internet routing services—might ricochet across numerous industries."

DHS also issued Binding Operational Directive 19-02, which establishes "Vulnerability Remediation Requirements for Internet-Accessible Systems." The directive builds on and supersedes Binding Operational Directive 15-01. Agencies will have to fix faster. The new directive requires that "critical vulnerabilities" be remediated within fifteen calendar days of initial detection. Agencies will have thirty calendar days to remediate "high vulnerabilities." The now superseded Binding Operational Directive 15-01 did not address high vulnerabilities (Federal News Network), and it allowed thirty days to fix critical vulnerabilities. That time has now been cut in half (Security Affairs). Binding Operational Directives apply to US Federal agencies, with exceptions for the Defense Department and the Intelligence Community. DHS is not so naive as to expect that all agencies will be able to meet the new deadlines every time, since it recognizes that agencies still depend upon legacy systems that have gone beyond their end-of-life, and for which patching is problematic, but it sees the fifteen- and thirty-day periods as laying down an important marker (ZDNet). One interesting note: vulnerabilities will be classified according to the older CVSSv2 severity system, not the newer CVSSv3 widely used elsewhere.

The Defense Industrial Base Sector Coordinating Council (DIB SCC) is looking at ways to ensure that smaller contractors meet the DOD's security requirements (FedTech). Several layers of subcontractors usually contribute to DOD contracts, making it difficult for the government to monitor the supply chain. The DIB SCC wants to help bring smaller companies into compliance without requiring them to overspend. Possible solutions that are being examined are technologies involving the cloud, digital rights management, and new detection tools.

Fortunes of commerce.

Curating app stores for security reasons proves challenging. Google is purging dozens of DO Global apps (with have hundreds of millions of downloads among them) after researchers call out DO Global for widespread ad fraud (Gizmodo). Apple defends its exclusion of mobile device management apps, and in particular the parental controls subset of them, on grounds of security and privacy, Infosecurity Magazine reports. Kaspersky Lab has filed an anti-trust claim in a Russian court against Apple over just this exclusion. 

Google's parent, Alphabet, posted a rare earnings miss Monday. It's being ascribed to more competition in the online advertising space, and serves as a reminder that, at bottom, Google is as much an advertising company as it is a tech firm (Wall Street Journal).

Norsk Hydro has increased its estimate of LockerGoga-induced losses to an upper limit of $52 million in Q1 (Reinsurance News). These estimates have crept steadily up from an early figure of $40 million (Computing). The cost is noteworthy, especially since most observers gave Norsk Hydro's incident response pretty high marks. A less well-prepared company might have suffered more heavily.

Labor markets.

A new Executive Order will make it easier for US Federal employees to move among cybersecurity positions in various agencies (Fifth Domain). There's widespread and bipartisan support for the Intergoverment-Personnel-Act-like measure; it resembles a bill that recently passed the Senate (Nextgov).

Internet-of-things proliferation, especially with the IoT expansion expected to come with 5G, is likely to put further strains on an already tight security labor market (Infosecuriy Magazine).

The US Cybersecurity Reskilling Academy is now accepting applications for its second cohort, and is now open to all Federal employees (Fifth Domain).

There are also private-sector approaches to the talent gap. In the UK, Raytheon will offer an apprenticeship to potential cybersecurity workers (Tech Radar).

Mergers and acquisitions.

Network management company SolarWinds has announced its purchase of Passportal, a Canadian password and documentation management shop. The intention is to enhance SolarWinds managed services (CRN).

Investments and exits.

ZeroNorth, the orchestrated risk management formerly known as Cybric, announced a $10 million Series A investment led by ClearSky VenturesCrosslink CapitalRally Ventures and existing investor Petrillo Capital also participated in the round. ZeroNorth intends to use the investment to sharpen its focus on risk management by adding engineering, sales, marketing, and services capacity (BusinessWire).

Aryaka, which specializes in SD-WAN, on Wednesday morning announced that it had closed a $50 million Series F round led by Goldman Sachs Private Capital Investing. Goldman Sachs joins existing investors Trinity Ventures,  Mohr Davidow VenturesNexus Venture PartnersInterWest PartnersPresidio VenturesThird Point Ventures, and DTCP. Aryaka intends to use the investment to scale its operations for further growth (Yahoo).

Red Canary has raised $34 million to expand its development of managed detection and response tools. Summit Partners led the round, with participation by existing investors Access Venture Partners and Noro-Moseley Partners (VentureBeat).

And security innovation.

Northrop Grumman has announced the formation of a research consortium intended to accelerate work on artificial intelligence and machine learning. The REALM (Research in Applications for Learning Machines) consortium will include researchers from Carnegie Mellon University, the Johns Hopkins University, the Massachusetts Institute of Technology, Purdue University, Stanford University, the University of Illinois at Chicago, the University of Massachusetts Amherst, and the University of Maryland, College Park. The consortium will concentrate on such customer applications as "multiple sensor track classification, identification and correlation, situational knowledge on demand, and quantitative dynamic adaptive planning." Total funding amounts to $1.2 million from Northrop Grumman.

Forcepoint has patented a blockchain security solution (Cryptonewsbytes).

Notes.

Today's issue includes events affecting Australia, Canada, China, European Union, Germany, India, Netherlands, New Zealand, Russia, United Kingdom, United States.

Research Saturday is up. In this week's episode, "Sea Turtle state-sponsored DNS hijacking," researchers at Cisco Talos discuss what they believe is a state-sponsored attack on DNS systems, with targets in the Middle East and North Africa. This attack has the potential to erode trust and stability of the DNS system, itself critical to the global economy. Craig Williams, director of Talos Outreach at Cisco, joins us to share their findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.