The Week that Was.
November 16, 2019.
By the CyberWire staff
North Korean hackers carrying out economic and industrial espionage.
North Korean cyber operators have apparently been busy, recently. US Cyber Command posted seven DPRK-linked malware samples to VirusTotal which the Command says are "currently used for fund generation and malicious cyber activities including remote access, beaconing, and malware command." CyberScoop says the samples are malware loaders, backdoors, and backdoor builders that are similar to well-known North Korean malware families.
The motives in the other suspected North Korean attacks are less clear. Asia Times points to more evidence that North Korea was behind a malware attack on India's Kudankulam Nuclear Power Plant (KKNPP), citing an analysis by a researcher at Issue Makers Lab which found that North Korean hackers, traditionally associated with financially motivated hacking, "have now been tasked with either disrupting atomic plants or stealing atomic technologies." The researcher also concluded that the malware entered the plant's IT networks after someone connected to KKNPP's domain clicked on a malware-laden phishing link. What the Lazarus Group was after, assuming the attribution that’s being widely circulated in the press holds up, remains obscure, but Indian government sources told Asia Times that the attackers were trying to glean information about the plant's nuclear fuel yields, which could have helped them better understand India's military nuclear capabilities. And, of course, the operation could have also involved reconnaissance, staging, or simply collateral damage from some other campaign. In any case, Indian authorities continue to reassure the public that only administrative systems, and not control systems, were affected by the DTrack malware found at Kudankulam, but they're also remaining relatively tight-lipped.
More curiously, the Indian Express reports that ISRO, the Indian Space Research Organization, was also warned of a DTrack infestation, believed to be of North Korean origin. The warning arrived during the space agency's Chandrayaan-2 lunar mission which failed when controllers lost contact with the spacecraft during its September 6th landing attempt. Again, the motive for the attack is unclear, as is the effect, if any, it might have had on the flight. ISRO has been relatively tight-lipped about the cause of the lander’s failure. It is, we should note, the landing that failed; other aspects of the mission did not. Chandrayaan’s lunar orbiter is up and working, sending data back to ISRO’s ground station.
The group to which these various operations are being attributed is, of course, Hidden Cobra, also known as the Lazarus Group.
Pemex hit by ransomware, but the impact isn't clear.
Pemex continues to work toward recovery from the ransomware attack it sustained over the weekend. Reuters reports that the Mexican state-owned oil giant was hit on Sunday, and that its administrative systems are believed to have been infected with DoppelPaymer ransomware, a strain related to BitPaymer. Reuters, which has been in email contact with people who may or may not be the attackers, says the extortionists complained that Pemex missed its chance at a "discount," and that the ransom demanded is now nearly $5 million in Bitcoin. Energy Minister Rocio Nahle said the company wouldn't pay. Computing connects the attack to the Russian criminal gang that also runs Dridex and BitPaymer (CrowdStrike calls that group Indrik Spider). Pemex says, Reuters reports, that operations are back to normal and that production was unaffected.
Pemex told Reuters that less than five percent of its systems were infected and operations continued as normal, and Mexican Security Minister Alfonso Durazo and Finance Minister Arturo Herrera assured the press that the attack was "without consequences." However, two Pemex employees anonymously told Reuters that the situation is worse than the officials are suggesting, and that Pemex was still working to recover at week's end.
NERC holds GridEx V to test resilience.
The North American Electric Reliability Corporation (NERC) held its fifth GridEx exercise this past week, with widespread simulated cyberattacks against electric utilities. Jim Robb, president and CEO of NERC, said in a press call on Thursday that the focus of this year's exercise is on the operational realities and solutions required to respond to an overwhelming attack. Robb emphasized that the participants aren't expected to succeed, and that the exercise is meant to highlight areas for improvement. GridEx is designed to test recovery efforts rather than simulate a plausible attack scenario, so the simulated attack is intentionally a worst-case scenario. Kevin Wailes, co-chair of the Electricity Subsector Coordinating Council (ESCC), noted that this year's exercise has twice as many participants as GridEx IV. Brian Harrell, assistant director of CISA, called GridEx the "pinnacle" of sector-specific exercises, and he recommended that other sectors develop their own implementations of the exercise.
APT33 continues to reconnoiter the oil and gas sector.
Trend Micro has revealed new activity by the Iranian-linked threat group APT33. The researchers discovered about twelve active command-and-control servers being used to run "extremely targeted malware campaigns against organizations in the Middle East, the US, and Asia." The group has been using small botnets to gain a foothold within the networks of a very narrow set of targets. Trend Micro says that APT33 has been conducting "reconnaissance of networks that are relevant to the supply chain of the oil industry," and it "has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry."
Healthcare cyberattacks on the rise.
A report by Malwarebytes found that attacks targeting the healthcare sector are quickly increasing, with Trojan infections rising by eighty-two percent in Q3 2019 compared to the previous quarter. Unsurprisingly, Emotet and Trickbot were the two most frequently observed Trojans.
China hacked US manufacturing group.
Reuters reports that Chinese hackers breached the networks of the National Association of Manufacturers (NAM), a US industry group, over this past summer. The hack occurred just before a trade negotiation was set to take place between the US and Chinese governments. The most likely motive behind the attack was espionage, as China frequently tries to gather information that can assist them in negotiations.
Trend Micro summarizes the patches released on November's Patch Tuesday. Microsoft released patches for seventy-five vulnerabilities. The products that received fixes include Microsoft's virtualization software Hyper-V, Microsoft Exchange, Windows TCP/IP, and Microsoft Office. One of the patches took care of a flaw in Internet Explorer that was being actively exploited in the wild, WeLiveSecurity notes.
The recent cryptojacking attacks facilitated by BlueKeep apparently haven't motivated users to patch the RDP vulnerability, according to SANS. Hundreds of thousands of machines remain vulnerable, and patching is steady but very slow.
Crime and punishment.
The US Justice Department sentenced Illinois resident Sergiy P. Usatyuk to thirteen months in prison for operating several booter services which were used to launch "millions" of DDoS attacks. The DDoS-for-hire services in question were ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress.
The Justice Department also charged two Massachusetts residents with carrying out SIM swapping attacks that allowed them to steal hundreds of thousands of dollars worth of cryptocurrency.
The Royal Canadian Mounted Police have charged a Toronto man, John "Armada" Revesz, with authoring the Orcus RAT and "operating an international malware scheme." Mr. Revesz argued that the RAT is a remote administration tool rather than a remote access Trojan, but it's been widely used for malicious activity and the Mounties aren't buying that story. While remote administration tools can be misused without their creator's knowledge, Brian Krebs points out that Orcus RAT has some nefarious built-in features, and that Mr. Revesz was providing technical support to people using the tool maliciously.
Aleksei Burkov, of Tyumen and St. Petersburg, Russia, arrived in the US Monday, courtesy of extradition from Israel, where he had been ensconced since his arrest in 2015. He’s now in US Federal custody, Ars Technica reports, held on suspicion of operating Cardplanet, a large and lucrative carding shop. He's accused of wire fraud and access device fraud, as well as conspiracy to commit those offenses and conspiracy to commit identity theft and money laundering. The charges together carry a maximum of eighty years in prison, and prosecutors would also like to see Mr. Burkov forfeit his $21 million (give or take a baker's dozen) in allegedly ill-gotten gains. Cardplanet was one of those black market souks that mimicked legitimate business practices. It advertised itself as "the only service that would refund the price of invalid card data." It’s also said to have offered a fee-based service, “Checker,” that would allow downstream criminals to verify whether the cards they were considering buying were still valid.
The Washington Post observes that penetration testing companies remain concerned about the ongoing legal dispute involving two Coalfire employees who were arrested on the job at an Iowa courthouse. The confusion in the case appears to lie with the Iowa authorities, and in particular between the state court that hired Coalfire and a county sheriff determined to assert his authority over the physical courthouse.
Courts and torts.
Bhupesh Baghel, Chief Minister of the Indian state of Chhattisgarh, has formed a probe to investigate allegations that NSO Group's Pegasus spyware was used to target Chhattisgarh-based activists, the Hindustan Times reports.
Makan Delrahim, the chief of the Justice Department's antitrust division, warned technology companies that storing large amounts of customer data without adequate concern for privacy could be a matter of investigation for Federal competition regulators. The Washington Post quotes Delrahim as saying that "[a]lthough privacy fits primarily within the realm of consumer protection law, it would be a grave mistake to believe that privacy concerns can never play a role in antitrust analysis." Delrahim added that "[w]ithout competition, a dominant firm can more easily reduce quality — such as by decreasing privacy protections — without losing a significant number of users."
Scotland's highest civil court ruled that a former Peebles Media Group employee who fell for a spearphishing attack isn't liable for compensating her former employer for the money lost, the BBC reports. The employee unwittingly transferred £193,250 to the scammers, and the company sued her for the nearly £108,000 that wasn't refunded by the bank. The judge called it "a tragic case," but concluded that "the fraudster is the real culprit."
Policies, procurements, and agency equities.
The Australian government is investigating "unprecedented levels" of foreign influence at universities, according to University Herald. The government set new guidelines requiring Australian universities to identify all research collaborators and financial donors, as well as implementing improved cybersecurity measures to protect intellectual property.
The UK's Labour and Conservative parties were hit by DDoS attacks that were initially reported as being large-scale and sophisticated, but seem to have turned out to be nothing of real concern, according to Computing. Reuters correspondent Jack Stubbs cites a source as saying the attacks "looked like someone bored in their bedroom with a botnet." The former head of GCHQ Brian Lord told the Independent that such attacks could serve as a diversion for stealthier and more sophisticated attacks, and he said there should be an investigation to ensure that this wasn't the case. Lord only said this was a possibility that should be ruled out, however, and didn't suggest there was reason to panic based on the current evidence.
A letter from the Office of the Director of National Intelligence said the US National Security Agency stopped collecting location data from US cellphones last year, the Verge notes.
Reuters reports that the French government signed a three-year cybersecurity pact with eight of France's major companies: Airbus, Dassault Aviation, Thales, Safran, ArianeGroup, MBDA, Naval Group and Nexter.
Fortunes of commerce.
The Wall Street Journal reported on Monday that Google's Project Nightingale is the subject of a Federal inquiry by the US Department of Health and Human Services Office for Civil Rights to see if the program violated any HIPAA protections. Project Nightingale allows Google to collect and analyze data from tens of millions of patients of the Ascension healthcare system. The anonymous whistleblower who brought the project to light wrote in the Guardian that the health information Google was dealing with hadn't been anonymized and the subjects weren't informed of the data sharing or given the option to opt out. The stated goal of the program is to improve administration and clinical outcomes, but since it was conducted without the knowledge or consent of the patients, it's a bad look for Google.
The Federal Times, reporting on the 2019 CyberCon conference, quotes a number of government and industry leaders who offered their input on how the government can retain cybersecurity talent. Venice Goodwine, chief information security officer for the Department of Agriculture, advocated for reskilling people within the government and offering opportunities for cybersecurity workers to increase their knowledge while working for the government.
Mergers and acquisitions.
Canadian software company OpenText is acquiring Boston-based cloud backup provider Carbonite for US$1.4 billion, CRN reports.
Santa Clara, California-based IT automation and security company Infoblox acquired SnapRoute, a Santa Clara-based company that provides a Cloud-Native Network Operating System, according to Help Net Security.
We were at the second annual DataTribe Challenge in Baltimore this week. More than three hundred pre-Series A start-ups competed for a $2-million purse, and the three finalists made their closing pitches Thursday. The finalists were Code Dx (from Northport, New York, which automates application vulnerability management in a way that enables various testing tools to cooperate in producing a single, easily read set of correlated results), Bloomfield Robotics (based in Pittsburgh, Pennsylvania, a Carnegie Mellon University spin-out that specializes in agricultural robotics and machine learning), and SecurityAdvisor (based in Sunnyvale, California, which applies an artificially intelligent behavior management platform to help users become an integral part of their organization's cyber defenses). Code Dx was chosen as the winner by a panel of judges composed of executives from AppGate, CrowdStrike, Apple, AllegisCyber, Cisco, and Shopify.
Today's issue includes events affecting Australia, Canada, China, Democratic People's Republic of Korea, France, India, Iran, Israel, Mexico, Russia, United Kingdom, United States.