
More signal. Less noise.

Unite your team behind a common defense.

Today’s threat environment is complex and dynamic. Traditional response methodologies by themselves are no longer sufficient. To find out how your team can be more responsive and act faster on threat intelligence, download the ebook, Threat Intelligence Platforms: Everything you’ve ever wanted to know but didn’t know to ask. Read to the very end for a TIP checklist!

The Week that Was.

US off-off-year elections go off without noticeable difficulty.

Officials responsible for the highly diversified and decentralized US election system kept a close eye on Tuesday's off-off-year elections and have more-or-less declared success: a joint statement from several Federal law enforcement and intelligence agencies asserted that the level of election security had been "unprecedented." The statement did, however, note that attempts to influence or interfere with the 2020 elections could be expected to continue, with Russia, China, and Iran likely to be particularly active.

The concerns officials are voicing continue to focus on influence operations as opposed to direct manipulation of vote totals or other attacks on voting machinery. CISA Director Christopher Krebs told CBS News no one should get cocky. Speaking of Russian operators in particular, Director Krebs said, "They're going to be back. They're trying to get into our heads. They're trying to hack our brains, so to speak, and ultimately have us — lose faith in our processes."

Some private sector experts agree. FireEye CEO Kevin Mandia told CNBC's Mad Money that the biggest problem with election security isn't hacked voting machines, but rather misinformation disseminated over social media. Vice reports that disinformation about the 2020 elections is already flooding social media, and a study by Freedom House concludes that social media have increasingly become tools of influence operations and social control exercised by illiberal governments.

Direct hacking does remain a concern, however well this week's elections proceeded. McAfee told the Washington Post that many voting machines in swing states remain vulnerable to attack.

Without proper context, cyber threat intelligence is useless.

The appearance of new threats and security challenges requires effective tools for their timely identification and in-depth analysis. Without proper contextualization, intelligence is completely useless. Context™ – Cyber Threat Intelligence Platform for enterprises and government agencies delivers cyber threat intelligence harvested from millions of data points from the Deep and Dark Web, combined with data science for objective and actionable insights.

An oversight gave developers more access to Facebook Groups data than was right.

Facebook, which has been working to rein in developers' access to data, has found that an oversight in its Groups API gave video-streaming and social-media-management app developers access to private group member data like names and profile pictures. About a hundred developers, Facebook said in an announcement it posted Tuesday, had retained access to this information.

With privacy upgrades the social medium had instituted in April of 2018, a Group admin should have been able to authorize an app developer to receive only such information as the group’s name, the number of users in the group, and the content of posts within that group. Users, that is, group members, would have had to opt in to provide access to more personal information, like profile pictures and names. Facebook is cleaning up this oversight, and says it’s convinced the relatively small number of developers who had the unintentional access didn’t abuse it.

Interested in cybersecurity law and policy?

Check out “Caveat,” the CyberWire's newest weekly podcast addressing cybersecurity law and policy, with a particular focus on surveillance and digital privacy. This podcast is hosted by our own Dave Bittner and Benjamin Yelin, Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Each week, Dave and Ben break down important current legal cases, policy battles, and regulatory matters along with the news headlines that matter most. Have a listen.

Surveillance by Pegasus, in India.

The list of those WhatsApp warned of possible Pegasus infections strikes many in India as suggesting that the spyware was distributed by the Government. India's Government, the BBC reports, denies any such involvement in the incident. The Scroll describes the "activists, lawyers, [and] scholars" whose devices were affected.

Reuters cites a source as saying that 121 people in India were affected by Pegasus. One of those so afflicted was Priyanka Gandhi Vadra, general secretary of the Indian National Congress, the country's main opposition party. WhatsApp is said to have warned Ms. Gandhi Vadra that her phone was hacked during this year's election campaign. The Scroll lists twenty-two people in India among those notified that they'd been targeted with Pegasus, and the individuals on that list strike observers as unlikely targets of foreign intelligence services. Technology writer Prasanto K. Roy told the BBC that he "can't think of a single foreign government, not even Pakistan, who would be interested in these particular private citizens."

Try cloud-native network detection and response for free!

ExtraHop Reveal(x) Cloud is SaaS-based NDR for AWS, giving you complete visibility, real-time detection, and automated threat response in the cloud. Request your free 30-day trial today.

BlueKeep is being exploited in the wild.

BlueKeep (CVE-2019-0708), the wormable vulnerability in Microsoft's Remote Desktop Protocol that Redmond disclosed in May of this year, has finally been exploited in the wild. That's not good, but it's not nearly as bad as months of warnings had led observers to expect. BlueKeep's initial disclosure was alarming because it is an unauthenticated remote code execution flaw reachable over any RDP port exposed to the Internet, exactly the ingredients of a self-propagating worm. NotPetya, which in 2017 spread in part through a different Microsoft vulnerability (the EternalBlue SMBv1 flaw), showed how much harm such a worm can do.

But as WIRED summarizes the attacks, the exploitation so far hasn't gone farther than the installation of some cryptojackers, and the campaign came to light in part because the exploit is unreliable and was crashing the honeypots it hit. Thus there's neither reason to panic nor grounds for complacency: about three-quarters-of-a-million machines are believed vulnerable to BlueKeep, and a more reliable exploit would find them. Microsoft this week issued another BlueKeep advisory reiterating its advice: install the patch, and, where that lags, enable Network Level Authentication and keep RDP off the public Internet.

Thanks to all who connected at the 6th Annual Women in Cyber Security reception

The CyberWire just celebrated the contributions and successes of women in the cybersecurity industry with 400 women from across the nation at 6th Annual Women in Cyber Security reception. Thank you to our sponsors who helped make the evening possible: KnowBe4, McAfee, Northrop Grumman, Trinity Cyber, Centurylink, Cooley, Exelon, Recorded Future, Aon, CyberArk, FTI Consulting, ObserveIT, Saul Ewing Arnstein & Lehr, Synack, T. Rowe Price, Booz Allen, DataTribe, DeltaRisk, Dragos, Invictus, Maryland Innovation & Security Institute, Lewis, Verodin, CyberSecJobs, Edwards Performance Solutions, Katzcy, MindPointGroup, NetAbstraction and Shared Assessments.

Ransomware hits Spanish enterprises.

On Tuesday, Spain's largest radio station Cadena SER was hit by a ransomware attack that affected its local broadcasting, Reuters reports. McAfee says the ransomware strain involved was BitPaymer. Spain's INCIBE-CERT is helping the company with the recovery.

The same day, Everis, one of Spain's largest managed service providers, suffered a ransomware attack that also used BitPaymer, according to BleepingComputer. There were unconfirmed rumors that the BlueKeep vulnerability was used in this attack, but so far there's no evidence that this was the case. Security researcher Kevin Beaumont noted that Everis had hundreds of RDP servers connected directly to the Internet, a major exposure even if BlueKeep wasn't involved: exposed RDP is a standard entry point for ransomware crews through credential stuffing and brute force, no wormable bug required.
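For the BlueKeep item above and the note about Everis's Internet-facing RDP servers, here is an added example (not code from the CyberWire, Microsoft, or any of the researchers cited). Microsoft's mitigation advice rests on one fact: BlueKeep is triggered in the MCS connect stage, which an unauthenticated client reaches unless the server insists on CredSSP (Network Level Authentication). The X.224 Connection Request / Confirm exchange that opens every RDP session announces that policy, so the script below builds a request offering only standard RDP security, parses the server's reply, and reports whether the pre-authentication stage is reachable. The constants follow the MS-RDPBCGR negotiation structures; the sample replies are hand-assembled for this example rather than captured from any real host, and the `probe()` function is the only part that touches the network.

```python
"""Report whether an RDP listener enforces Network Level Authentication (NLA)."""
import socket
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # standard RDP security: no user auth before the MCS stage
PROTOCOL_SSL = 0x00000001        # TLS only: still no user auth before the MCS stage
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {                # failureCode values of an RDP_NEG_FAILURE block
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT-framed X.224 Connection Request carrying an RDP_NEG_REQ block."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: length indicator, code 0xE0, dst-ref, src-ref, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into the negotiation outcome."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} does not match {len(data)} bytes received")
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError(f"X.224 TPDU code 0x{data[5]:02x} is not a Connection Confirm")
    body = data[11:]  # past TPKT (4 bytes) and the fixed CC header (7 bytes)
    if not body:
        # Servers predating the negotiation extension send a bare CC: standard RDP security only.
        return {"kind": "legacy", "protocol": PROTOCOL_RDP, "failure": None}
    if len(body) < 8:
        raise ValueError("truncated RDP negotiation block")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", body[:8])
    if nlen != 8:
        raise ValueError(f"bad negotiation block length {nlen}")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "protocol": None,
                "failure": FAILURE_CODES.get(value, f"UNKNOWN_0x{value:08x}")}
    raise ValueError(f"unexpected negotiation block type 0x{ntype:02x}")


def classify_nla(outcome: dict) -> str:
    """Interpret the reply to a request that offered PROTOCOL_RDP only.

    nla-enforced:       server refused everything but CredSSP; pre-auth MCS stage unreachable
    pre-auth-reachable: server accepted plain RDP security, or only demanded TLS, so an
                        unauthenticated peer reaches the stage BlueKeep targets
    inconclusive:       a failure code that says nothing about the NLA policy
    """
    if outcome["kind"] == "failure":
        if outcome["failure"] == "HYBRID_REQUIRED_BY_SERVER":
            return "nla-enforced"
        if outcome["failure"] == "SSL_REQUIRED_BY_SERVER":
            return "pre-auth-reachable"
        return "inconclusive"
    if outcome["protocol"] in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
        return "nla-enforced"
    return "pre-auth-reachable"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check of one host (needs network access; the samples below never call it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        header = _recv_exact(sock, 4)
        (total,) = struct.unpack(">H", header[2:4])
        data = header + _recv_exact(sock, total - 4)
    return classify_nla(parse_connection_confirm(data))


# Constructed sample replies, hand-assembled for this example (not captured from real hosts).
SAMPLE_REPLIES = {
    "nla-enforced-host": bytes.fromhex("03000013" "0ed00000123400" "0300080005000000"),
    "tls-only-host":     bytes.fromhex("03000013" "0ed00000123400" "0300080001000000"),
    "plain-rdp-host":    bytes.fromhex("03000013" "0ed00000123400" "0200080000000000"),
    "legacy-host":       bytes.fromhex("0300000b" "06d00000123400"),
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:18s} -> {classify_nla(parse_connection_confirm(reply))}")
```

Two caveats when running `probe()` against your own estate. The result describes the server's negotiation policy, not its patch level: a patched host that still accepts plain RDP security reports `pre-auth-reachable`, and an unpatched host behind enforced NLA reports `nla-enforced` while remaining one leaked credential away from exploitation. And a single Connection Request is benign but not silent; it will show up in the target's RDP connection logs, so run it from an address your SOC recognizes.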

Patch news.

Apple updated the security features of macOS Catalina.

Crime and punishment.

The US has opened a case against three men for what’s being called, by the New York Times and others, spying for Saudi Arabia. In this case the spying has been directed against individuals as opposed to state secrets.

The US Justice Department has charged three men, two former Twitter employees and a Saudi national who apparently acted as their controller, with acting as agents of a foreign government without notice to the Attorney General and with the destruction, alteration, or falsification of records in a Federal investigation. The Government accuses Ahmad Abouammo, a US citizen, of snooping into three Twitter users' accounts. Ali Alzabarah, a Saudi national who, like Mr. Abouammo, worked at Twitter, allegedly accessed more than six thousand Twitter accounts in 2015. Their liaison with Riyadh is alleged to be Ahmed Almutairi.

Mr. Abouammo is in custody, but Messrs. Alzabarah and Almutairi remain at large, probably in Saudi Arabia. The criminal complaint ties their activities to a charity, "Organization No.1," led by "Foreign Official-1," and "Royal Family Member-1," who owned the charity. The Washington Post identifies these respectively as Bader Al Asaker, MiSK, and Crown Prince Mohammed bin Salman. The Twitter accounts of interest to the alleged spies were, the Wall Street Journal reports, critical of the Saudi regime in general and the Crown Prince in particular.

The case arouses concern, obviously, about the security of social media companies and their susceptibility to being penetrated by state-run agents. The Telegraph reports, for example, that Mr. Abouammo worked at Amazon for three years after leaving Twitter. Somewhat less obviously, it raises another question: if the platforms can be penetrated to snoop on individual accounts, might they not also be penetrated to facilitate distribution of disinformation?

In another case, Joshua Schulte, the former CIA employee charged with five counts of violating the Espionage Act and Federal larceny statutes, has asked the US District Court for the Southern District of New York to dismiss the charges as being "unconstitutionally overbroad and void for vagueness," CyberScoop reports. The Government alleges that Mr. Schulte leaked the CIA tools WikiLeaks subsequently published as Vault 7.

The US Attorney for the Eastern District of New York has filed charges ("fraud, money laundering and illegal importation of equipment manufactured in China") against Long Island-based Aventura Technologies Ltd., alleging the company sold Chinese-made security and surveillance equipment falsely marked "made in USA."

Courts and torts.

WhatsApp has filed suit against NSO Group in a US Federal court. NSO Group, which is based in Israel and has in recent months publicly committed to a rights-respecting corporate code of conduct, denies WhatsApp's contentions and says it intends to defend itself vigorously. Israel's government has basically said, leave us out of this; we don't have anything to do with it. Lawfare thinks the suit may permanently alter lawful interception and the market that supports it.

California's Attorney General has petitioned the San Francisco Superior Court to compel Facebook to comply with subpoenas for internal documents about the company's privacy enhancements. At issue, Reuters says, are documents pertaining to what was called the "Switcharoo [sic] Plan," under which Facebook divided app developers into "three buckets: existing competitors, possible future competitors, [or] developers that we have alignment with on business models." The suspicion is that the company undertook anti-competitive steps under the guise of enhancements to privacy and user experience.

Policies, procurements, and agency equities.

Russia's "sovereign internet" legislation went into effect on November 1st, the BBC notes. The law is designed to allow Russia's internet to function independently of the global internet if the Russian government deems it necessary to shut off connections to the rest of the Web. Observers believe the law's more practical function will be to enable more effective censorship, similar to China's Great Firewall. Engadget points out, however, that the law may prove technically difficult to actually put into practice: commerce and information itself have historically tended to introduce more entropy into systems of control than the controllers themselves would like.

The US and Taiwan held their first joint cyber-war exercise this week, which involved simulated phishing attacks against government and private sector employees, the BBC reports.

The US Foreign Intelligence Surveillance Act is up for renewal next month. The Foreign Policy Institute summarizes what's at issue.

Fortunes of commerce.

The US Treasury Department's Committee on Foreign Investment in the United States (CFIUS) has opened a national security review of Chinese company ByteDance's $1 billion acquisition of Musical.ly in 2017, Reuters reports. ByteDance folded Musical.ly into its social medium TikTok.

Broadcom has closed its purchase of Symantec's enterprise business. Symantec's remaining consumer business changed its name Tuesday to NortonLifeLock. Broadcom owns the rights to the name "Symantec," and that name will continue to appear on Broadcom's enterprise security offerings. NortonLifeLock beat earnings Thursday, raised its dividend, and announced several executive appointments.

Vice is chanting a dirge over the "implosion" of Chronicle, the nominally independent cybersecurity company Google's parent Alphabet announced to the world with some éclat early last year. The problem, as Vice keens it, is that Chronicle wasn't, and couldn't be, genuinely independent, but would remain effectively a Google appendage, thus failing to achieve the expected disruptive agility. Chronicle hasn't been shuttered, but it is being folded into Google's Cloud department, and its CEO and CSO have left. Its CTO will depart shortly. The story is a cautionary one--announcing that you're setting up a disruptive moonshot can be more banshee's howl than business plan.

Labor markets.

Increased rates of cyberattacks, or at least increased concern about the rates of cyberattacks, are putting more pressure on companies already trying to hire scarce security talent in a tight labor market, CNBC says.

The (ISC)² Cybersecurity Workforce Study is out. Among its conclusions is the finding that there's a shortage of some four million cybersecurity workers worldwide.

One obstacle to hiring, especially among US Federal contractors, is the laggard security clearance process, which a study by the Greater Washington Partnership sees as a major problem in addressing workforce shortfalls.

Mergers and acquisitions.

In a move the company expects to enhance its data-loss prevention capabilities, Proofpoint is acquiring ObserveIT for $225 million in cash. Proofpoint sees the synergy coming in the combination of ObserveIT's "lightweight endpoint agent technology and data risk analytics" and the acquiring company's "information classification, threat detection, and intelligence" solutions.

Security operations center (SOC) provider JASK has been acquired by Sumo Logic. Terms of the acquisition weren't immediately available.

Massachusetts-based NextGen managed services provider Thrive has acquired Maryland-based managed services provider EaseTech for an undisclosed amount.

Tempe-based offensive security testing shop Bishop Fox has announced its acquisition of SoNeMo's "key assets." The Barcelona startup specializes in "advanced attack-surface discovery and analysis," which Bishop Fox intends to integrate into its offerings. Borja Berastegui, SoNeMo's founder, has joined Bishop Fox's global managed security services unit; he'll operate from the company's Barcelona office.

Akamai has completed its acquisition of Latin American content delivery network (CDN) provider Exceda.

PreciseSecurity reports that the value of mergers and acquisitions in the information security sector is running at its highest since 2010: $21.6 billion, an increase of 44% over last year's $15 billion.

Investments and exits.

Inrupt, a security and privacy startup led by Internet pioneer Tim Berners-Lee, raised £5 million from Octopus Ventures, according to Computing. Inrupt is the commercial backer of Solid, the decentralized web platform Berners-Lee designed to let users keep personal data in stores they control, shielding it from snooping by Big Tech.

BusinessCloud reports that Bristol-based Immersive Labs has raised $40 million in a Series B round led by Summit Partners, with participation by existing investor Goldman Sachs. Immersive intends to use the investment in part to fund expansion into North American markets. The company has established an office in Boston with that end in view.

Nightfall, based in San Francisco (and formerly known as Watchtower AI) has emerged from stealth with a $20.3 million funding round. The lead investors are Bain Capital Ventures and Venrock. Pear VC, Atlassian's CTO Sri Viswanath, and New York Jets tackle Kelvin Beachum also participated. Nightfall, which offers a "cloud-native data loss prevention platform," intends to use the investment for research and development, and for increased market penetration.

Sepio Systems, a start-up with operations in Israel and the US that offers protection against rogue hardware, has raised $6.5 million in a Series A round. Hanaco Ventures and Merlin Ventures led the round, with participation by existing investors Energias de Portugal (EDP), Mindset Ventures, and Pico Partners. Sepio intends to use the money for growth into the US Federal market, and to that end will open an office in McLean, Virginia.

Cyxtera Technologies announced its intention to spin-off its cybersecurity business into a separate company. The spin-off will operate as AppGate, Inc., taking the name of Cyxtera's principal cybersecurity solution.

And security innovation.

CityBizList reports that DataTribe has announced the three finalists in its second annual Cybersecurity Startup Challenge. Bloomfield Robotics, SecurityAdvisor, and Code Dx will compete for up to $2 million in seed capital.

Bloomfield Robotics, based in Pittsburgh, Pennsylvania, is a Carnegie Mellon University spin-out that specializes in agricultural robotics and machine learning. Intended to help plant growers, breeders, and agricultural scientists, Bloomfield Robotics aims to bring advanced technology to a traditional industry.

Code Dx, from Northport, New York, automates application vulnerability management in a way that enables various testing tools to cooperate in producing a single, easily read set of correlated results. The aim is to lower costs and decrease secure application development time. Code Dx's research was funded by a Department of Homeland Security Science and Technology Directorate Small Business Innovation Research (SBIR) contract.

SecurityAdvisor, based in Sunnyvale, California, seeks to apply an artificially intelligent behavior management platform to assist users in becoming an integral part of their organization's cyber defenses. The winner will be selected by a panel of judges on November 14th, in Baltimore.

Notes.

Today's issue includes events affecting China, India, Israel, Pakistan, Russia, Saudi Arabia, Spain, Taiwan, and the United States.

A note to our readers.

This coming Monday, November 11th, is Veterans Day, the US Federal holiday that both marks the end of the First World War and honors all veterans. We won't be publishing on the holiday, but we'll be back as usual on Tuesday, November 12th. And on the 11th, spare a thought for all veterans, everywhere.

Research Saturday is up. In this week's episode, "Monitoring the growing sophistication of PKPLUG," we speak with researchers from Palo Alto Networks' Unit 42 who've been tracking a Chinese cyber espionage group they've named PKPLUG. The group mainly targets victims in the Southeast Asia region. Ryan Olson is VP of threat intelligence at Palo Alto Networks, and he joins us to share their findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.