
More signal. Less noise.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Daily briefing.

Opening up a black box: NSA Cybersecurity Directorate's media roundtable.

We were able to attend a media roundtable the National Security Agency's Cybersecurity Directorate held at Fort Meade yesterday. We have a quick overview here.

ESET reports the discovery of "Attor," a modular espionage platform that has been deployed mostly against selected individuals in Russia, many of whom have shown an interest in using privacy-focused services. The malware has also been used against a smaller number of diplomatic and government targets in Eastern Europe, notably in Ukraine, Slovakia, Lithuania, and Turkey. Attor has been in use since 2013 at least, and ESET describes it as "professionally written." Its plugin architecture enables its controllers to customize Attor's functionality to specific targets. In general, the malware uses an unusual device-fingerprinting technique, automated data collection, and Tor-enabled exfiltration. ESET does not know what Attor's infection vectors have been, and the researchers think it probable that the malware has still-undiscovered plugins.

FireEye researchers catch FIN7 (also known as Carbanak) using new tools.

Morphisec finds BitPaymer ransomware exploiting an Apple zero-day.

At the request of Chinese authorities, Apple has removed both a US news app and a mapping app from its Chinese service. The Telegraph notes that the optics aren't good for Cupertino, which some see as having joined the NBA in a kind of shadow extension of China's social credit program into the West. The Verge says the news app is Quartz's, blocked for "content not legal in China." (Quartz is both widely read and not typically seen as extreme.) The mapping app, HKmap.live, was allegedly used to target police and to commit crimes where police weren't present: Apple had this latter information from the Hong Kong Cybersecurity and Technology Crime Bureau.

Notes.

Today's issue includes events affecting China, European Union, Iran, Lithuania, Russia, Slovakia, Turkey, Ukraine, United States.

Bring your own context.

The insider threat problem is a tough one to address.

"Employees feel very entitled to personal ownership. A large majority of our information security leaders that we surveyed, 72%, agree it's not just corporate data. It's my work and my ideas. Which, you know, that's a scary statistic because if people think that it's their work and their ideas, they're going to take it with them when they leave. And I don't think companies realize how impactful that can be until the data's gone. I talk to a lot of customers and potential customers, and just recently I was on the phone with a company that had an employee leave, start their own company, and that became a threat to the existing company or the initial company to the point where they had to buy out the company that was started with the employee's data - or with the employer's data. So I don't think companies really realize how impactful it is until it's probably too late."

—Jadee Hanson, CISO and VP of information technology at Code42, on the CyberWire Daily Podcast, 10.8.19.

As recent news out of Canada, the US, and the UK will attest, even capable, professional, and well-resourced intelligence and counterintelligence services have their insider threats, so it's not just you, small business. (But it is you, too.)

And a note to our readers.

Monday is Columbus Day, a US Federal holiday, and we'll be taking the day off. We'll resume publication as usual on Tuesday. Enjoy the long weekend, if you're able to take it.

Federal cloud market projected for major growth.

According to Coalfire’s latest report on FedRAMP, U.S. agencies spent $6.5B in cloud services in FY2018, an impressive 32 percent year-over-year increase, with the vast majority of Federal cloud migration still to come. SaaS/PaaS/IaaS providers can gain access to this market with significantly less investment in both time and cost by taking advantage of automation and recent FedRAMP program updates. Learn how.

In today's Daily Podcast, out later this afternoon, we speak with our partners at Bristol University, as Awais Rashid makes the case for real-world experimentation. Our guest, Kumar Saurabh from LogicHub, argues for the importance of making breach forensics public.

Cyber Security Summits: October 3 in NYC and October 17 in Scottsdale (New York City, New York, United States, October 3, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The U.S. Department of Justice, The FBI, Google, IBM, Darktrace, Center for Internet Security and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Your full day’s attendance will earn you 6 CEUs. Passes are limited, secure yours today: www.CyberSummitUSA.com

The 6th Annual Journal of Law and Cyber Warfare Symposium (New York, NY, United States, October 17, 2019) The 6th Annual Cyber Warfare Symposium features discussions around emerging cybersecurity issues, focusing on cyber warfare and how companies can respond to cyber-attacks. Use discount code CyberWire50 for 50% off. Email info@jlcw.org for a chance to receive a complimentary ticket.

IMAGINE, A MISI salon-style bespoke dinner event (Columbia, Maryland, United States, November 1, 2019) IMAGINE a world where more young women can see themselves in the faces of the legendary women of science & technology – and say, "Yes I can!" The event on November 1 is a fundraiser in support of the region's unique and inclusive STEM program and will be held at the DreamPort Facility in Columbia Maryland. While its focus is on the under-represented young women, young men are also included in MISI's STEM programs.

NXTWORK 2019 (Las Vegas, Nevada, United States, November 11 - 13, 2019) Join us at NXTWORK 2019 to learn, share, and collaborate with GameChangers from companies across the networking industry. This year’s event features keynotes from Juniper executives, as well as special guest speaker Earvin “Magic” Johnson, along with 40+ breakouts and master classes led by Distinguished Engineers, as well as various opportunities for certification testing and training.

Cyber Attacks, Threats, and Vulnerabilities

Magecart Attack on Volusion Highlights Supply Chain Dangers (Dark Reading) Attackers compromised Volusion's Google Cloud environment to load malicious skimmer code onto more than 6,500 customer sites.

Imperva blames data breach on stolen AWS API key (ZDNet) Imperva said it accidentally exposed an internal server from where a hacker stole an AWS API key.

FIN7 Attackers Roll Out New Tools (Decipher) The FIN7 group has begun deploying new tools, including a module that specifically targets a remote administration tool for payment card systems.

Ransomware gang uses iTunes zero-day (ZDNet) BitPaymer ransomware spotted abusing iTunes for Windows bug to bypass antivirus detection.

Apple Software Update Zero-Day Used by BitPaymer Ransomware (BleepingComputer) Several companies from the automotive industry were targeted by BitPaymer ransomware operators during August, in attacks that used an Apple zero-day vulnerability impacting the Apple Software Update service bundled with iTunes and iCloud for Windows.

iTunes Zero-Day Exploited to Deliver BitPaymer (Dark Reading) The ransomware operators targeted an unquoted path vulnerability in iTunes for Windows to evade detection and install BitPaymer.

Microsoft NTLM vulnerabilities could lead to full domain compromise (Help Net Security) Researchers have discovered 2 vulnerabilities that may allow attackers to achieve full domain compromise of a network through NTLM relay attacks.

New Malware Spies on Diplomats, High-Profile Government Targets (BleepingComputer) A new modular malware designed to target diplomatic and government entities was spotted by ESET researchers while being used in attacks aimed at Russian-speaking individuals for at least 7 years.

ESET discovers Attor, a spy platform with curious GSM fingerprinting (WeLiveSecurity) ESET experts discover a previously unreported cyberespionage platform used in targeted attacks against privacy-concerned users in diplomatic missions and governmental institutions.

Pass the Hash attacks are symptomatic of much bigger security problems (SC Magazine) A newly published survey reveals that some 68 percent of IT security stakeholders don't know if they've experienced a Pass the Hash (PtH) attack. That isn't necessarily a cause for too much concern.

Bug in popular firewall exposed corporate networks to hackers (TechCrunch) Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password. The vulnerability allows an attacker to remotely gain “root” permissions …

Political Campaigns Know Where You’ve Been. They’re Tracking Your Phone. (Wall Street Journal) Voter targeting has grown more invasive with location data that apps can transmit from cellphones. The data allows political groups to track down voters based on places they’ve been, including rallies, churches and gun clubs.

D-Link routers have major security flaws - but there's no fix (TechRadar) It won’t ever be patched because these four routers are no longer supported

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 (Wired) A new proof-of-concept hardware implant shows how easy it may be to hide malicious chips inside IT equipment.

Philips Brilliance Computed Tomography (CT) System (Update A) (CISA) CVSS v3 8.4. Attention: low skill level to exploit. Vendor: Philips. Equipment: Brilliance CT Scanners and MX8000 Dual EXP.

Interpeak IPnet TCP/IP Stack (Update A) (CISA) CVSS v3 9.8. Attention: exploitable remotely, low skill level to exploit, public exploits are available. Vendors: ENEA, Green Hills Software, ITRON, IP Infusion, Wind River. Equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River. Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Integer Underflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Race Condition, Argument Injection, Null Pointer Dereference.

Interpeak IPnet TCP/IP Stack (Update B) (CISA) CVSS v3 9.8. Attention: exploitable remotely, low skill level to exploit, public exploits are available. Vendors: ENEA, Green Hills Software, ITRON, IP Infusion, Wind River. Equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River. Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Integer Underflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Race Condition, Argument Injection, Null Pointer Dereference.

Siemens Industrial Products Local Privilege Escalation Vulnerability (Update I) (CISA) CVSS v3 6.4. Attention: exploitable locally. Vendor: Siemens. Equipment: Industrial Products. Vulnerability: Improper Privilege Management. This updated advisory is a follow-up to the updated advisory titled ICSA-16-313-02 Siemens Industrial Products Local Privilege Escalation Vulnerability (Update H) that was published June 14, 2018, on the ICS webpage on us-cert.gov.

Siemens SIMATIC WinCC and PCS7 (Update C) (CISA) CVSS v3 7.2. Attention: exploitable remotely, low skill level to exploit. Vendor: Siemens. Equipment: SIMATIC WinCC and SIMATIC PCS7. Vulnerability: Unrestricted Upload of File with Dangerous Type.

Siemens SIMATIC PCS7, WinCC, TIA Portal (Update D) (CISA) CVSS v3 9.1. Attention: exploitable remotely, low skill level to exploit. Vendor: Siemens. Equipment: SIMATIC PCS7, WinCC Runtime Professional, WinCC (TIA Portal). Vulnerabilities: SQL Injection, Uncaught Exception, Exposed Dangerous Method.

Siemens PROFINET Devices (CISA) CVSS v3 7.5. Attention: exploitable remotely, low skill level to exploit. Vendor: Siemens. Equipment: PROFINET Devices. Vulnerability: Uncontrolled Resource Consumption. Successful exploitation of this vulnerability could cause a denial-of-service condition.

Siemens Industrial Real-Time (IRT) Devices (CISA) CVSS v3 7.5. Attention: exploitable remotely, low skill level to exploit. Vendor: Siemens. Equipment: Industrial Real-Time (IRT) Devices. Vulnerability: Improper Input Validation. Successful exploitation of this vulnerability could cause a denial-of-service condition.

Cybercriminals could potentially shut down hospital operating rooms: report (Tri-City News) In the absence of proper precautions, cybercriminals can shut down hospital operating rooms, expose highly personal health data and damage the ability of health professionals to provide service, . . .

City Of Carrollton Victimized By Cyber Attack (CBS DFW) The city said it's working with both state and federal officials to investigate and considers the hack a criminal act.

DCH Health System resumes normal operations following cyber attack (WVTM) All three DCH locations are now accepting all patients again after being crippled by a cyber attack.

Victorian hospitals slowly restoring systems after cyber attack (iTnews) Some systems still offline.

Security Patches, Mitigations, and Software Updates

iTerm2 Patches Critical Vulnerability Active for 7 Years (BleepingComputer) The most popular terminal emulator for macOS, iTerm2, has been updated to fix a critical security issue that survived undisclosed for at least seven years.

Cyber Trends

Kevin Mandia’s 10 Scariest Statements At FireEye Cyber Defense Summit (CRN) FireEye CEO Kevin Mandia dishes on why deepfakes will erode public confidence, why researchers are struggling to find the initial victim of cyberattacks, and why cyber espionage is here to stay.

93 percent of Cybersecurity Professionals Concerned About Cyberattacks Shutting Down Operations (Tripwire) New research explores cybersecurity concerns in industrial control system environments

Axiomatics Federal, Inc. Reveals 2020 Security Trends for Federal Agen (PRWeb) Axiomatics Federal, Inc., the leader in fine-grained dynamic authorization for customers and partners of the federal government, today unveiled data security

Marketplace

VMware builds security unit around Carbon Black tech (Network World) VMware has wrapped up its $2.1 billion buy of cloud-native endpoint security vendor Carbon Black to provide more comprehensive integrated security.

Westcon signs security vendor Menlo (CRN Australia) Cloud-hosted isolation solution tackles web-and-mail-borne threats.

DLT Solutions and CrowdStrike Launch GovCybersecurityHub (PR Newswire) DLT Solutions, a premier government technology solutions aggregator, is launching the GovCybersecurityHub...

Twitter Puts Profit Ahead of User Privacy—Just Like Facebook Did Before (Wired) Twitter funneled two-factor authentication phone numbers into their ad targeting platform—but they weren't the only ones.

U.S. Department of Defense Awards HackerOne Second ‘Hack the Army’ Bug Bounty Challenge (BusinessWire) Through partnership with the Defense Digital Service, the U.S. Department of Defense (DoD) and HackerOne, the number one hacker-powered pentesting and

Who Wants to Hack the Army Again? (Nextgov.com) Active U.S. military, federal civilians and individuals invited by HackerOne can participate in the service’s second bug bounty.

This is how much Zomato paid to hackers for fixes (Zee Business) Food delivery platform Zomato has paid more than $100,000 (over Rs 70 lakh) to 435 hackers to date for finding and fixing bugs on its platform. In fact, $12,350 (over Rs 8.7 lakh) in bounties were paid in the last 90 days alone, said HackerOne, the hacker-powered bug bounty platform. With the help of HackerOne's bug bounty programme since July 2017, Zomato has successfully resolved 775 vulnerability reports, HackerOne told IANS on Thursday. "Zomato's security team is tasked with protecting sensitive information for over 55 million unique monthly visitors," it added.

Products, Services, and Solutions

DigiCert Issues Verified Mark Certificate to CNN, Laying Crucial Foundation for BIMI Email Standard (DigiCert) DigiCert to support the new standard requiring validated logos through the pilot phase and into production. LEHI, Utah (October 10, 2019) – DigiCert, Inc., the world’s leading provider of TLS/SSL, IoT and PKI solutions, today announced that it has issued the world’s first Verified Mark Certificate (VMC) for a domain that sends email at scale: CNN.com. With this …

Bricata Delivers Network Protection with Enhanced Customization Features (Bricata) Users can tailor their experience with new metadata filters, dashboard customization and smart alerts grouping. Columbia, MD – O

Okta Launches Okta SecurityInsights to Protect Global Workforces (AP NEWS) Press release content from Business Wire. The AP news staff was not involved in its creation.

Block Armour announces a Blockchain-Enabled Cybersecurity Solution for IoT Systems (NBC29) Targeted at Smart Cities, Autonomous Mobility, and other related use cases, IoT Armour offers Zero Trust security for critical infrastructure, connected devices and IoT networks.

TACLANE-Nano network encryptor certified by NSA (Military Embedded Systems) General Dynamics Mission Systems (GDMS) announced that the National Security Agency (NSA) has certified its new TACLANE-Nano (KG-175N) network encryptor to secure voice, video, and data information classified Top Secret/SCI and below traversing public and private IP networks.

Technologies, Techniques, and Standards

Microsoft Partners with NIST To Improve Enterprise Security 'Hygiene' (Redmond Channel Partner) Microsoft will 'soon' kick off an effort to help organizations better patch their software, with help from the National Institute of Standards and Technology.

Nemty Ransomware Decryptor Released, Recover Files for Free (BleepingComputer) Victims of the Nemty Ransomware finally have something to be happy about as researchers have released a decryptor that allows them to recover files for free.

Stop Doing These 4 Things Online — Immediately (NerdWallet) Some of your routine online practices could be putting your personal information at risk. Cybersecurity experts recommend breaking these habits — now.

Research and Development

Test bed for 5G wireless security will accelerate cyber research in Virginia (VT News) The test bed, a powerful resource for researchers, companies, and government agencies exploring 5G technology, is a flagship project of the Commonwealth Cyber Initiative.

Academia

USD launches cybersecurity boot camp (KGTV) In an effort to help companies fill the thousands of open cybersecurity jobs currently available in San Diego, USD is starting a cyber security bootcamp that promises to get people job-ready in just 26 weeks.

School of Computing Recognized for Cyber Defense Education (UNF Spinnaker) UNF’s School of Computing has been designated a National Center of Academic Excellence in Cyber Defense Education by the National Security Administration and the Department of Homeland Security. This designation, which lasts through 2024, is awarded to programs that meet specific academic guidelines and are validated by experts in the cybersecurity field. It also makes...

Legislation, Policy, and Regulation

Making intelligence actionable. (The CyberWire) NSA's Cybersecurity Directorate's missions aren't new, but the Directorate seems intent on accomplishing them with a more expansive set of customers in mind.

Expect more Iranian Cyber Attacks as Sanctions Continue to Bite (International Policy Digest) Expect more cyber activity by Iran in the coming months.

EU warning over 5G security risks from state-backed entities (Computing) EU report warns that non-EU firms bidding for 5G network contracts could be subject to interference when they have strong ties to government - but doesn't mention Huawei or ZTE.

EU hints at Huawei risk in 5G security assessment (www.euractiv.com) The European Union hinted strongly it viewed Chinese tech group Huawei as a security risk to its roll-out of 5G networks in a report released Wednesday (9 October).

Fury as Apple pulls US news app Quartz from China 'over Hong Kong coverage' (The Telegraph) Apple has blocked a US news app from its Chinese service as the iPhone maker is accused of bowing to pressure from state censors over pro-democracy protests in Hong Kong.

California outlaws facial recognition in police bodycams (Naked Security) The bill was introduced by Phil Ting: one of 26 state lawmakers misidentified as suspects in an ACLU test of the technology.

Iowa Sec. of State assures voters that upcoming elections are safe and secure (KMEG) With the upcoming local and state elections, making sure your vote is safe and secure is a top priority for the State of Iowa. Iowa's Secretary of State Paul Pate has been working with state and national officials to make sure, come election day, voters can be confident in not only the election process but those counting votes as well. "I want to assure Iowa voters, and United States voters, that your elections are covered, we've got you," Secretary Pate told Siouxland News.

Report sent to Gov. Ned Lamont warns of lack of communication between feds and states about cyberthreats to utilities (Hartford Courant) A report released by Gov. Ned Lamont Thursday warned of a lack of communication between federal agencies and the states about potential cyberthreats to utilities.

Litigation, Investigation, and Law Enforcement

Former BAE Systems contractor charged with 'damaging disclosure' of UK defence secrets (Register) 49-year-old to appear at the Old Bailey next month

Rudy Giuliani’s Ukraine fixers arrested over donations (Times) Two close associates of President Trump’s personal lawyer have been charged with funnelling foreign cash into a campaign backing his election. Lev Parnas and Igor Fruman, American citizens born in...

Iowa Judicial Branch shares findings of investigation into courthouse break-ins (KCCI) Iowa Judicial Branch releases new information regarding courthouse break-ins in Polk and Dallas counties.

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Newly Noted Events

CyberForce (College Park, Maryland, USA, November 7, 2019) A gathering of government and industry to bridge the managerial, operational, and technical skills gap of today's cybersecurity workforce.

Insider Threat Program Development & Management Training (College Park, Maryland, USA, December 3 - 4, 2019) The Insider Threat Defense Group will hold its highly sought after and very affordable Insider Threat Program (ITP) Development & Management Course, at the University of Maryland College Park Campus.

Upcoming Events

driving.digital Conference 2019 (Nitra, Slovakia, October 14 - 15, 2019) An international program conference focused on cyber security in the automotive industry and mobility. Conference themes will address the topic of stability of digital solutions in the automotive and mobility...

SecureWorld Twin Cities (Minneapolis, Minnesota, USA, October 16, 2019) Connecting, informing, and developing leaders in cybersecurity. For the past 17 years, SecureWorld conferences have provided more content and facilitated more professional connections than any other event...

7th Annual Cyber Resilience Summit (Arlington, Virginia, USA, October 16, 2019) As the journey to secure our nation’s IT cyber infrastructure gains momentum, it is important to apply proven standards and methodologies that reduce risk and help us meet objectives for acquiring, developing...

Cyber Hygiene: Why the Fundamentals Matter (Online, Software Engineering Institute at Carnegie Mellon University, October 16, 2019) In this webcast, as a part of National Cybersecurity Awareness Month, our experts will provide an overview of the concept of cyber hygiene, which bears an analogy to the concept of hygiene in the medical...

EXCHANGE 2019 (New York, New York, USA, October 16 - 17, 2019) BitSight presents EXCHANGE 2019, The Intersection of Business and Cyber Risk, an event for security and risk professionals to navigate the demands of today's dynamic cyber risk landscape. During this two-day...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.