skip navigation

More signal. Less noise.

Will Your Company Be Spoofed Over the Holidays?

One of the first things hackers try is to spoof an email address of someone on your domain. With that they can launch a "CEO fraud" spear phishing attack on your organization, and that is very hard to defend against unless your users are highly ‘security awareness’ trained.

Find out if hackers can spoof an email on your domain with this Domain Spoof Test and be entered to win a $500 Amazon Gift Card.

The Week that Was.

APT33 thought to be targeting industrial control systems.

Microsoft revealed that Iran's APT33 (also known as "Elfin" or "Refined Kitten") has turned its attention to industrial control systems, WIRED reports. At the CyberwarCon event in Arlington, Virginia, on Thursday, Microsoft researchers said APT33 routinely targets tens of thousands of organizations with password-spraying attacks, but over the past two months the group has lowered the number of targets to just two thousand companies. At the same time, they've vastly increased the number of accounts they target at each of these organizations. Around half of the top twenty-five most targeted organizations were companies that manufacture, supply, or maintain ICS equipment.

The researchers believe this activity suggests preliminary reconnaissance and battlespace preparation. They said the hackers are probably targeting these companies so they can learn how their equipment works, and then subsequently launch ICS-focused attacks against the companies' customers. Iran has mounted destructive attacks in the past, but the ICS targeting suggests that, unlike Shamoon, which Iran turned loose on Saudi Aramco networks in 2012, APT33 is now looking to cause physical damage as opposed to wiping data.

Unite your team behind a common defense.

Today’s threat environment is complex and dynamic. Traditional response methodologies by themselves are no longer sufficient. To find out how your team can be more responsive and act faster on threat intelligence, download the ebook, Threat Intelligence Platforms: Everything you’ve ever wanted to know but didn’t know to ask. Read to the very end for a TIP checklist!

Unsecured server held 1.2 billion personal records.

Independent security researchers Vinny Troia and Bob Diachenko discovered an unsecured Elasticsearch server containing four terabytes of data, more than 1.2 billion personal records. The data included names, email addresses, phone numbers, and profile information from LinkedIn, Facebook, Twitter, and GitHub. The researchers determined that the data originated from two different data enrichment companies, People Data Labs (PDL) and OxyData, but both companies said the server wasn't theirs. Troia says that based on the current evidence, the companies appear to be telling the truth. The owner of the server is unknown, but Troia suspects the data was aggregated by a customer of both PDL and OxyData who misused their access to the companies' datasets. PDL's co-founder Sean Thorne told WIRED that "[o]nce a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility." Troia notes that, without a court order, the investigation has hit a dead end, since whoever owned the server is unlikely to come forward through their own free will.

Interested in cybersecurity law and policy?

Check out “Caveat,” the CyberWire's newest weekly podcast addressing cybersecurity law and policy, with a particular focus on surveillance and digital privacy. This podcast is hosted by our own Dave Bittner and Benjamin Yelin, Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Each week, Dave and Ben break down important current legal cases, policy battles, and regulatory matters along with the news headlines that matter most. Have a listen.

Sandworm put malicious apps in the Google Play Store.

Google security researchers revealed that the Russian threat actor Sandworm uploaded malicious apps to the Google Play Store in an attempt to infect Android devices with malware, WIRED reports. Google discovered malicious versions of legitimate Korean-language apps in the Play Store in December of 2017, which were apparently part of Russia’s false-flagged efforts to disrupt the 2018 Winter Olympics.

That discovery led the researchers to another malicious app that had been in the Play Store for two months, this one targeting Ukrainians. Google's researchers noted that this was the first known case of Sandworm using Android malware, which is consistent with Russia's tactic of using Ukraine as a testing ground for cyberattacks. Sandworm also launched phishing attacks against Ukrainian Android application developers in an attempt to compromise their apps. The Sandworm team is probably best known for its deployment of BlackEnergy malware against sections of the Ukrainian power grid in 2015.

Louisiana still recovering from ransomware attack.

Louisiana continues its recovery from the ransomware attack it sustained Monday. According to StateScoop, the attack involved the Ryuk ransomware, and KPLC TV says the infestation originated with an "unauthorized download" on a state computer. Many services have since been restored, but all seventy-nine of the state's Office of Motor Vehicle (OMV) locations remained closed throughout the week, despite early estimates that they would reopen on Tuesday. The delay is due to the fact that all of the OMV's computers have to be reimaged, the Advocate reports. WWLTV says state officials now believe the OMV's systems will be operational by Monday, November 25th.

Explore your options at the CyberMaryland Job Fair December 5 in Baltimore!

Interview face-to-face with leading employers CISA, HPE, Leidos, Mission Essential, NSA, Perspecta, USCYBEROM and more. The CyberMaryland Job Fair is free, and open to cleared and non-cleared cyber security professionals and college-level students. Learn more.

Gekko Group exposes more than a terabyte of customer data.

Hotel reservation company Gekko Group exposed more than a terabyte of customer information in an unsecured Elasticsearch database, CNET reports. The number of people affected is estimated to be in the hundreds of thousands. The data included names, home addresses, personally identifiable information of children as well as adults, credit card numbers, email addresses, and a variety of travel details. Also among the data were plaintext usernames and passwords to accounts on Gekko Group’s platforms, including the credentials to the World Health Organization’s travel reservation account. Data from Gekko Group's partners, including and, was also exposed on the server.

The database was discovered by two independent researchers working alongside vpnMentor, who notified the company of the breach. Gekko Group and its parent company, French hospitality giant Accor Hotels, were initially unresponsive to vpnMentor’s attempts to make contact, but they promptly secured the database after the researchers notified CNIL, France’s data protection regulator. vpnMentor noted that most of the affected customers were European, so the companies should anticipate legal action under GDPR.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Crime and punishment.

Australia’s second largest bank, Westpac, is accused by the country’s financial intelligence agency of breaching money laundering laws 23 million times. The Australian Transaction Reports and Analysis Centre (Austrac) said due to “serious and systemic non-compliance” the company failed to report millions of international fund transfers. Based on the number of violations, the Australian Broadcasting Corporation observes that under the law, Westpac could technically face a fine of up to $391 trillion. The actual penalties will of course be much lower than that, but the figure demonstrates the magnitude of Westpac’s alleged failings. iTnews has an account of the technical reasons why the transfers weren't monitored. According to Westpac's CEO Brian Hartzer, the team that was responsible for bringing the bank into compliance with Australia's 2006 AML/CTF law ran into technical difficulties nearly ten years ago, and many of the employees working on the poorly managed project were let go. New employees were hired to take over the project, and Hartzer says they didn't understand the task they were thrown into. As a result, the reporting notification system was overlooked, and it remained offline for nine years and eleven months.

Thomas Osadzinski, a computer science student at Chicago’s DePaul University, was arrested by the FBI and charged with writing code for ISIS. Specifically, according to ZDNet, he’s alleged to have been working on a Gentoo Linux distro intended to help the terrorist organization better handle multimedia propaganda accounts. He also wrote a Python script to facilitate sharing ISIS propaganda on social media. At least two of his online ISIS contacts turned out to be FBI, working under cover.

The Russian hacker who developed and used the NeverQuest banking Trojan was sentenced to four years in prison by the United States District Court for the Southern District of New York, Hacker News reports.

Courts and torts.

The US District Court for the Southern District of Ohio ruled that a class-action suit challenging the no-poach agreement between Booz Allen Hamilton Inc., Mission Essential Personnel LLC, and CACI International may proceed. The plaintiffs allege the agreement, which precludes each companies' employees from taking a job at the other, violates anti-trust laws, Bloomberg Law reports.

Ted Frank, director of the Center for Class Action Fairness at the Hamilton Lincoln Law Institute, objected to Equifax's $1.4 billion data breach settlement, saying that it unfairly favors certain customers over others, according to

Amazon Web Services's CISO Steve Schmidt sent a letter responding to Senators Elizabeth Warren and Ron Wyden's claims that Amazon bore responsibility for the Capital One breach, CNET reports. Schmidt argued that the breach occurred due to a misconfigured firewall at Capital One, and that the hacker didn't use a server-side request forgery attack, which was previously thought to be a possibility.

Reuters summarizes the answers the US House Judiciary Committee has received so far from Facebook, Apple, Amazon, and Google as part of its antitrust inquiry into Big Tech. Google argued that it didn’t favor its own services over its competitors, and that its advertising model benefits advertisers and doesn't exclude competition. The company failed to present a good deal of the data requested by the committee, however. Apple’s responses to the committee mostly involved things that are already publicly known about its Safari browser and App Store. Facebook acknowledged that it blocks apps such as Vine from its developer platform if those apps imitate core aspects of Facebook’s products, but the company offered vague answers when the Committee pressed for specific details relating to how these decisions are made. Amazon said that it uses data from merchants for “business purposes,” but that it doesn’t use this data to source private-label products. Amazon said it did ask third-party merchants to lower their prices if their products are sold for less on another site, but didn't reveal any details on the company's private-label products.

German spyware company FinFisher issued a cease-and-desist letter against German digital rights advocacy site Netzpolitik, Bloomberg reports. FinFisher demanded that Netzpolitik take down an article that claimed FinFisher had illegally sold its spyware to Turkey, which the company denies. Netzpolitik's accusation caused Munich prosecutors to open in inquiry into the spyware company, and FinFisher said the advocacy site is unfairly influencing the investigation. Netzpolitik's founder Markus Beckedahl said he stood by the accuracy of his site’s reporting, but he took down the article to avoid an expensive legal dispute.

Pennsylvania's Supreme Court ruled that the state's police can't force suspects to provide their passwords to unlock their phones, TechCrunch reports.

Policies, procurements, and agency equities.

The United Nations General Assembly will take its final vote on the Russian-led proposal to establish a working group to develop international norms that would aid in the suppression of cybercrime, Computing reports. Thirty-six human rights groups signed a letter opposing the measure. The US and most EU member states also object, seeing nothing in the proposed norms that would do much to reduce cybercrime (a great deal of which, some sourly observe, originates in Russia) but that would do a lot to justify national control of Internet traffic. However, such throttling of civil society is probably, from the point-of-view occupied by Russia and its co-sponsors (which include China, North Korea, Cuba, Nicaragua, Venezuela and Syria), a feature and not a bug.

On Tuesday India’s Minister of State for Home Affairs G. Kishan Reddy unambiguously answered Parliamentary questions about the government’s right to access citizens’ devices: the Indian Government is legally empowered to intercept and decrypt any digital information if such interception is deemed to be in the interest of national security or to maintain public order and friendly relations with foreign states. He cited Section 69 of the Information Technology Act, 2000, and section 5 of the Indian Telegraph Act, 1885, as providing this authority. TechCrunch notes that Reddy was responding to a member of Parliament who asked whether the government had used NSO Group’s Pegasus spyware to target WhatsApp users in the country, including nineteen activists, journalists, and politicians.

On Wednesday, India's Parliamentary Standing Committee voted in favor of discussing the WhatsApp-Pegasus issue, following a heated two-hour debate over whether the topic was relevant, the Business Standard reports. The Times of India says the meeting was inconclusive, and the issue will be taken up again next week.

China, Russia, North Korea, and Iran have historically been the most sophisticated adversarial cyber operators, but the Aspen Institute's Cyber Threat Assessment looks at how other nation-states and organized crime groups are quickly developing into formidable actors. Vietnam, for example, is imitating China's playbook for both economic espionage and for domestic control of the Internet. Saudi Arabia, the United Arab Emirates, and Qatar have been using their wealth to hire talented contractors and buy advanced hacking capabilities, many of which are imported from the US, Europe, and Israel. Some Brazilian cybercrime groups, meanwhile, possess advanced hacking skills that they sometimes use to influence Brazil's politics. Finally, Romania, like Russia, has become something of a safe-haven for criminal hackers, despite the fact that the Romanian government cooperates with US law enforcement to fight cybercrime. The level of cybercrime coming from Romania is on par with North Korea, a country that utilizes its state intelligence agencies to launch financially motivated attacks.

Fortunes of commerce.

Denver-based Optiv confirmed, CRN reports, that it's significantly downsizing its operations in the UK. The company doesn't characterized it as a withdrawal from the British market, but cites its plans for further expansion into Europe, and its intention to focus on mergers and acquisitions.

Labor markets.

IBM's "Space Rogue" makes a plea for giving old-school hackers a role in training the upcoming generation.

Mergers and acquisitions.

Kape Technologies is acquiring VPN provider Private Internet Access for $95.5 million, TechRadar reports.

IPKeys Power Partners has acquired Ontario-based critical infrastructure cybersecurity provider N-Dimension, according to Environmental XPRT.

Investments and exits.

Maryland-based cybersecurity company Prevailion received a strategic investment from Legion Capital, FinSMEs reports. Details of the deal weren't disclosed.

San Francisco-based zero trust company Banyan Security has raised $17 million in an investment round led by led by Shasta Ventures, with participation by Unusual Ventures.

Tel Aviv-based Perimeter 81, another zero trust provider, received $10 million in a Series A round led by SonicWall.

San Francisco-based ZecOps, which offers a solution it says automatically detects and remediates cyberattacks, has raised a Seed round of $10.2 million, according to VentureBeat. The funding was provided by CEAS Investments, Evolution Equity Partners, KPN Ventures, Plug and Play Ventures, and Stormbreaker Venture Group.

Seattle-based healthcare cybersecurity specialist CI Security raised an additional $6.4 million to augment its $16 million Series B round, GeekWire says. The additional capital comes from Concord Health Partners.

CyCognito announced that it had secured $23 million in a Series A round led by Lightspeed Venture Partners, with participation from Sorenson Ventures and a personal investment from John W. Thompson. Seed funders UpWest and Dan Scheinman also participated in the round.

Password-management shop 1Password has secured $200 million in a Series A round led by Accel with participation by the Slack Fund, Atlassian co-founders Mike Cannon-Brookes and Scott Farquhar, Atlassian president Jay Simons, and others, SecurityWeek reports.

External threat detection firm IntSights announced that it’s raised $30 million in a Series D round led by Qumra Capital.

San Francisco-based Abnormal Security, whose flagship product is a cloud email security platform, announced Tuesday that it had raised $24 million in a Series A funding round led by Greylock Partners.

Another San Francisco company, risk-analytics shop CyberCube, has raised an additional $35 million. The Series B round was led by Hudson Structured Capital Management Ltd. and ForgePoint Capital.

Beijing-based threat intelligence company ThreatBook has raised RMB100 million (US$14 million) in a Series C funding round led by Hillhouse Capital Group and Xinglu Investment, according to China Money Network.

VentureBeat reports that Clumio, a cloud-backup and data-recovery business based in Silicon Valley, has raised $135 million in a Series C round led by Sutter Hill Ventures’ managing director Mike Speiser and Altimeter Capital. Index Ventures, an existing investor, also participated.


Today's issue includes events affecting Australia, Brazil, Canada, China, Cuba, European Union, India, Iran, Israel, Democratic People's Republic of Korea, Republic of Korea, Nicaragua, Qatar, Romania, Russia, South Korea, Saudi Arabia, Syria, Ukraine, United Arab Emirates, United Kingdom, United States, Vietnam, Venezuela.

A quick note to our readers: the Week that Was will take next Saturday off as we observe the long Thanksgiving holiday. We'll be back as usual the first Saturday in December. In the meantime, a happy Thanksgiving to all.

Research Saturday is up. In this episode, "Mustang Panda leverages Windows shortcut files," we speak with the researchers at Anomali who've been tracking the China-based threat group, Mustang Panda. They believe this particular Panda is responsible for attacks making clever use of Windows shortcut files. Parthiban is a researcher at Anomali, and he joins us to share their findings.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.