Nation-states behaving badly. Big BEC. Guilty plea in FIN7 case. NIST standards out for comment. Industry news and notes.

CRASHOVERRIDE intended to cause long-term damage.

Analysts at Dragos have reassessed the 2016 cyberattack against Ukraine's power grid and have concluded that the blackout was intended to be far more damaging and longer-lasting than what was actually achieved. The attack appears to have had a final stage that failed for reasons unknown to Dragos. After the blackout was triggered, the attackers tried to launch denial-of-service attacks against the Siemens SIPROTEC protective relays in use by the plant. This initially seemed pointless, since the attack had seemingly already taken place. Dragos suspects, however, that the attackers wanted the plant's operators to reactivate the systems while lacking visibility and without realizing that the protective relays were disabled. This could have greatly intensified the attack, causing physical damage to equipment and harming employees.

Dragos' director of threat intelligence Sergio Caltagirone told WIRED that "they've pre-engineered attacks that harm the facility in a destructive and potentially life-threatening way when you respond to the incident. It’s the response that ultimately harms you."

North Korean hackers use obscure file formats to evade detection.

Prevailion researchers describe "Autumn Aperture," a North Korean campaign that's deploying rarely used file formats like Kodak FlashPix (FPX) to avoid being flagged by antivirus systems. The attackers are using malicious Word files with subject matter that's relevant to their targets, and they attempt to hide the resulting malicious functionalities by embedding them in FPX files. VirusTotal shows that these are much less likely to be detected than the standard VBA files. 

Prevailion believes the Kimsuky threat actors are behind the campaign, and the researchers conclude that "given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure."

Israeli intelligence may have placed StingRays in DC.

POLITICO reported that three "three former senior officials with knowledge of the matter" said the US government concluded that Israel was responsible for the placement of a number of StingRay devices in Washington DC. One of the officials said the devices were probably intended to spy on President Trump. Israel has denied the allegations, and President Trump said, "I don't think the Israelis were spying on us....Anything is possible but I don't believe it."

BlueKeep RCE exploit now available to the public.

Rapid7's open-source Metasploit framework now has an easy-to-use module for exploiting BlueKeep to achieve remote code execution on Windows systems, ZDNet reports. The module can't be used for worm attacks, since it requires manual interaction for each system it's deployed against, but it's still quite effective against individual systems. ZDNet notes that there are still 700,000 vulnerable systems exposed to the Internet, and probably many more on internal networks.

Thrip cyberespionage group isn't new after all.

Symantec told CyberScoop that it believes the Chinese threat actor the company tracks as "Thrip" could actually be a manifestation of another group, "Billbug" or "Lotus Blossom," which has been active for about a decade. Symantec previously believed Thrip was a new operation discovered last year, but an analysis of one of its backdoors uncovered multiple striking similarities to a tool used by the older threat actor. Symantec's technical director Vikram Thakur told CyberScoop that "these guys are not absolutely brand new like we had pointed out last year. They seem to be using an evolution of a tool that has almost been used for ten years at this point."

Cobalt Dickens is back, and pretending to be your university library.

Researchers at Secureworks report a resurgence of activity by the Iranian threat group called "Cobalt Dickens." The threat actor has been associated with the Mabna Group and others the US Department of Justice indicted in 2018 in connection with cyberespionage Justice said was conducted on behalf of Iran's Islamic Revolutionary Guard Corps. Secureworks says the latest activity consists of a phishing campaign directed against American and British universities.

Stealth Falcon spyware campaign update.

ESET says it's associated a hitherto overlooked backdoor with Stealth Falcon. Stealth Falcon itself has been connected by the University of Toronto's Citizen Lab with the distribution of spyware against a range of Middle Eastern targets. It's regarded as being, probably, a United Arab Emirates' operation, linked to Project Raven, earlier described by Reuters.

Big business email compromise.

Toyota Boshoku, a Toyota parts unit, continues to investigate a business email compromise scam in a European subsidiary that may have cost the company ¥4 billion (approximately $37 million). According to Infosecurity Magazine, the incident occurred on August 14th, and if it followed the usual business email compromise template, the theft depended on social engineering. Toyota Boshuku says can't reveal more because of ongoing police investigations. It does say it’s working to recover the funds its subsidiary lost, and it asks for patience and understanding until investigations are complete.

Patch news.

Microsoft fixed seventy-nine security flaws on Patch Tuesday, seventeen of which were rated critical. KrebsOnSecurity notes that two of these vulnerabilities affected all supported versions of Windows and were being exploited in the wild.

Adobe patched two critical vulnerabilities in Flash Player that could have led to arbitrary code execution.

Crime and punishment.

The US Department of Justice announced on Tuesday that an international law enforcement effort called "Operation reWired" had resulted in the arrests of 281 people allegedly involved in business email compromise schemes. The operation involved law enforcement agencies in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom, along with the United States' Department of Homeland Security, Department of the Treasury, Postal Inspection Service, and Department of State. 167 of the arrested individuals were in Nigeria and 74 were in the United States. The FBI also released updated statistics on BEC attacks, showing that there has been "a 100 percent increase in identified global exposed losses" between May 2018 and July 2019.

The Washington Post reported that Fedir Hladyr, a Ukrainian national US prosecutors said was affiliated with the FIN7 cybercriminal gang, took a quilty plea Thursday to two counts of hacking and wire fraud. Mr. Hladyr, who was arrested in Germany last year, was FIN7's admin. The group is believed responsible for carding and other forms of cybercrime that may have netted them a billion dollars, give or take a baker's dozen. In exchange for his plea, the Government agreed to drop twenty-four other charges, conviction on which would have earned the defendant hundreds of years in prison. As it stands he faces up to twenty-five years. Observers speculate that the Government made the deal in exchange for information Mr. Hladyr may provide on the rest of the gang.

Two Coalfire employees were arrested while conducting a physical penetration test at a courthouse in Iowa, according to the Des Moines Register. The two men had been hired by the state court administration to try to gain unauthorized access to court records, but the administration says it "did not intend, or anticipate, those efforts to include the forced entry into a building." The pentesters have been charged with third-degree burglary and possession of burglary tools, and as of this writing they're being held on a $50,000 bond.

Courts and torts.

Google will pay €965 million ($1.1 billion) to France to settle a four-year-long probe into whether the company avoided paying taxes in the country, Reuters reports.

Cloudflare voluntarily disclosed in a regulatory filing with the US Securities and Exchange Commission that its services may have been used by persons or organizations currently under US sanctions, the Wall Street Journal reported. The parties the company dealt with (presumably without fully understanding who they were) included some designated as terrorists or narcotraffickers.

Policies, procurements, and agency equities.

US President Trump yesterday extended the "National Emergency With Respect To Foreign Interference In or Undermining Public Confidence In U.S. Elections" for one year. The extension maintains the provisions of Executive Order 13848, issued on September 12, 2018, in force. 

France's finance minister said at an OECD conference that Facebook's Libra cryptocurrency should be blocked in Europe, and he suggested that the EU should develop its own public digital currency, Cointelegraph reports. Libra's head of policy and communications told the Independent that "we welcome this scrutiny and have deliberately designed a long launch runway to have these conversations, educate stakeholders and incorporate their feedback in our design."

US Federal agencies are working out roles and responsibilities in cyberspace during the course of wargames. Breaking Defense describes the exercises as bringing together organizations from the Departments of Defense and Homeland Security. The US Defense Department has also offered Congress a look at some of its current thinking on cyber deterrence. Deterrence is commonly thought of as involving the credible threat of retaliation, but the Department calls its approach to deterrence "multifaceted," with denial playing a significant part. An adversary can be deterred if they became convinced that their attacks would be futile.

Mergers and acquisitions.

Akamai is acquiring Exceda, its largest Latin American channel partner. In statements published by BNamericas, Akamai says that it sees the acquisition as a step toward meeting increased regional demand for its content delivery and cloud security services.

Investments and exits.

Cloudflare priced its IPO this week at a share price of $15, which should give the company a market capitalization of about $4.4 billion, PitchBook reports. The lead underwriters are Goldman Sachs, JP Morgan, and Morgan Stanley.

As expected, Colorado-based Ping Identity has filled for its IPO. The company will offer $12.5 million shares of common stock, which it expects to fetch between $14 and $16 a share.

Newly hatched unicorn Shape Security is said to be thinking of an IPO. The Silicon Valley-based company, which specializes in anti-fraud solutions, has raised $51 million in an investment round led by C5 Capital, VentureBeat says. Seven other firms also participated: Kleiner Perkins, HPE Growth, Norwest Ventures Partners, Focus Ventures, JetBlue Technology Ventures, Top Tier Capital Partners, and Epic Ventures. When will there be an IPO? That's not known, but Shape's Chief Marketing Officer told VentureBeat that “preparation for an IPO is part of our plan.”

HackerOne has raised $36.4 million in a Series D funding round. VentureBeat reports that the round was led by led by Valor Equity Partners, with participation from Benchmark, New Enterprise Associates, Dragoneer Investment Group, and EQT Ventures.

Threat intelligence startup Cyware Labs has raised $3 million in a seed funding round led by Emerald Development Partners. The company intends to use the funding for the usual growth purposes: product development and increased marketing.

Snyk, whose specialty is detecting and fixing vulnerabilities in open-source code, has raised $70 million. TechCrunch says the funding round was led by Accel, GV, and Boldstart Ventures.

Virginia-based Shift5, which specializes in software and hardware security for weapons and aerospace systems, has raised a $2.5 million seed round. Squadra Ventures led the round, with participation by Lamphere Capital, Outland, Nue Capital, and Emerging Ventures.

Lacework, the Silicon Valley-based cloud-security shop, has closed a $42 million investment round with Sutter Hill Ventures and Liberty Global Ventures. Lacework intends to use the funding to maintain its momentum in DevOps and workload security.

And security innovation.

New Zealand has decided to offer assistance to other Pacific nations as they develop their cybersecurity capabilities. The Government has decided, ZDNet reports, to earmark NZ$10 million over the next five years in aid.

SINET has announced this year's SINET 16. This annual selection of the most innovative, potentially disruptive companies in the cybersecurity industry picks sixteen winners from an international pool of applicants. This year’s selection was made from among one-hundred-sixty-one companies based in eighteen countries. In reverse alphabetical order, the SINET 16 class of 2010 includes:

• XM Cyber, which specializes in fully automatic breach and attack simulation that enables customers to recognize attack vectors and prioritize their remediation.

• Tigera, whose zero-trust network security supports continuous compliance for Kubernetes platforms across a range of environments.

• Tempered Networks, which provides simple and affordable means of segmenting and isolating control systems and industrial Internet-of-things devices.

• Sonrai Security, with a Cloud Data Control (CDC) service that delivers a risk model for identity and data relationships across a range of cloud and third-party data stores.

• Siemplify. an  independent security orchestration, automation and response provider whose workbench enables enterprises and managed security service providers. to manage and respond to cyber threats.

• OPAQ delivers security-as-a-service from its cloud that enables enterprises to overcome staffing and management challenges in the protection of their IT infrastructure.

• Kenna Security, whose platform delivers cyber risk predictions that enable security teams to get ahead of exploitation.

• Karamba Security’s embedded cybersecurity solutions protect connected systems with automated runtime integrity software that does particularly well against remote code execution.

• CyberSponse, which offers an automated incident response orchestration platform that automates security tools to make human experts more effective.

• CryptoMove, whose continuous moving target defense and distributed fragmentation offers a new approach to data protection for managing keys and DevSecOps secrets.

• BigID, a machine-learning shop that enables personal data discovery, correlation, and privacy automation for compliance at scale with regulations like GDPR and CCPA.

• Balbix, whose specialized artificial intelligence delivers continuous and predictive assessment of breach risk.

• Awake Security, which offers advanced network traffic analysis for a privacy-aware solution that can detect and visualize incidents in full forensic context.

• Arkose Labs, which solves fraud by pairing global telemetry with an enforcement challenge to control fraud without false positives or degraded throughput.

• Aqua Security, which secures container-based and cloud-native applications from development to production.

• And, finally, Acceptto, which delivers continuous identity access protection by inferring contextual data to analyze and verify user identity and behavior.

The sixteen winners will be featured at the SINET Showcase in Washington, DC, November 6th and 7th at the National Press Club.