Federal market presents growing opportunity for SaaS/PaaS/IaaS providers.
According to Coalfire’s latest report on FedRAMP, U.S. agencies spent $6.5B in cloud services in FY2018, an impressive 32 percent year-over-year increase, with the vast majority of Federal cloud migration still to come. SaaS/PaaS/IaaS providers can gain access to this market with significantly less investment in both time and cost by taking advantage of automation and recent FedRAMP program updates. Learn how.
The Week that Was.
October 19, 2019.
By the CyberWire staff
Cozy Bear wasn't hibernating after all.
Cozy Bear, also called "APT29" or "the Dukes," has been very active since it was discovered in the DNC's networks in 2016, ESET has found. ESET calls the group's newly discovered activities "Operation Ghost." The activities began in 2013 and have continued to the present day, using three previously undiscovered malware families: PolyglotDuke, RegDuke and FatDuke. The group uses social media sites like Twitter and Reddit to host its command-and-control URLs, and it uses steganography to obscure its C2 traffic. Cozy Bear compartmentalizes its attacks to avoid using the same infrastructure to target different victims, a practice the researchers say "is generally only seen by the most meticulous attackers."
Operation Ghost's targets include the Ministries of Foreign Affairs in at least three European countries, as well as "the Washington, DC embassy of a European Union country." The targets were previously hit by known Cozy Bear malware, including CozyDuke, OnionDuke or MiniDuke. ESET researchers note that Cozy Bear shows both considerable patience and focus on its targets. It's also stealthy. Compromised organizations must ensure that all of the group's malware is removed from the environment within a short period of time, or else the attackers will use any leftover footholds to quickly reinfect the systems.
A report from CrowdStrike concludes that China's C919 passenger jet was built as a result of industrial espionage conducted by the Nanjing-based Jiangsu Bureau of the Ministry of State Security, or JSSD, which CrowdStrike tracks as "Turbine Panda." CrowdStrike explains that the Chinese government "uses a multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs." These efforts involve a combination of cyber operations and human intelligence operators to provide China's state-owned enterprises with the intellectual property they need.
China launched its C919 commercial aircraft in 2017, hoping to challenge the Boeing-Airbus duopoly. Most of the C919's components are imported from other countries, and some of its Chinese-built equipment—notably the CJ-1000AX engine produced by the Aero Engine Corporation of China—bears striking technical similarities to products built by other companies. CrowdStrike says intellectual property stolen by the MSS probably saved the developers of the CJ-1000AX several years and potentially billions of dollars.
CrowdStrike concludes that these types of attacks will continue, because "the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date."
Ransomware hits Pitney Bowes and Groupe M6.
Connecticut-based shipping and postage metering company Pitney Bowes announced on Monday that it had experienced a ransomware attack that disrupted customer access to its services. On Wednesday, the company disclosed that the attack involved the Ryuk ransomware. The company continued to post updates on its recovery process throughout the week.
Additionally, French media company Groupe M6 disclosed that it had fallen victim to a malware attack, which L'Express says was a ransomware incident. The attack occurred Saturday morning. The company said some broadcasts may be degraded, but won't be interrupted. L'Express notes that Groupe M6 has a cyber insurance policy covering damages up to €40 million.
Graboid cryptojacker spreads to Docker hosts.
Palo Alto Networks's Unit 42 describes Graboid, the first known cryptojacking worm that goes after misconfigured Docker hosts. The malware is hard to detect because it operates inside Docker containers, which usually aren't inspected by security software. Once the malware is installed, it begins to mine Monero and periodically checks for new unsecured targets to infect. Unit 42 identified more than 2,000 Docker hosts that are accessible from the Internet without any authentication. The researchers judge that Graboid itself is "relatively inept," but they caution that the worm can receive new instructions from its command-and-control servers, so it "can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line."
Reduce fraud, minimize the attack surface and save millions of dollars.
Let Resecurity collaborate across your vulnerability and risk, threat intelligence, penetration testing and broader security teams to quickly reduce fraud, minimize the attack surface and shut down ongoing attacks, ultimately saving your company millions of dollars. We constantly research the latest techniques and tradecrafts of cybercriminals and nation-state actors, and analyze massive amounts of data in order to stay ahead of the bad actors.
Apple's relationship with Tencent comes under scrutiny.
Apple has been sending IP addresses of its devices in China to the Shenzhen-headquartered conglomerate Tencent via the Safari browser, according to an article by Reclaim The Net. The data sharing occurs as part of Apple's Fraudulent Website Warning feature, which is turned on by default on Apple devices (and really shouldn't be switched off). Apple sends the data to Google or Tencent to check URLs against databases of malicious sites. Matthew Green, a cryptographer and professor at Johns Hopkins University, noted in a blog post that Google's original implementation of this service was "a privacy disaster," although it's since been improved by performing the checks locally and hashing the data that Google actually receives. Green notes that even with k-anonymized data, a company could still extract information about users if they had enough data. Google might not be motivated to do this, but Tencent has close ties to the Chinese Communist Party and could be compelled to do so.
The story isn't as damaging (or as new) as many reports make it out to be. Apple told the Verge in response that "the actual URL of a website you visit is never shared with a safe browsing provider." For users outside of China, Apple uses Google's database, and "for devices with their region code set to mainland China, it receives a list from Tencent." ZDNet notes that Apple uses Tencent inside China because Google domains are banned in the country, and Forbes points out that users in China should assume the government is tracking their browsing activity anyway.
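The mechanism behind both Apple's statement and Green's caveat is the hash-prefix lookup: the browser hashes the URL, checks a locally held list of short prefixes, and contacts the provider only on a prefix hit, sending the prefix rather than the URL. The model below is an added illustration, not Apple's, Google's or Tencent's code, and it omits the real protocol's URL canonicalization, list-update and caching rules. The blocklist and candidate URLs are constructed, and the prefix length of four bytes is the minimum the Safe Browsing v4 protocol uses.

```python
# Added example: a simplified model of hash-prefix safe-browsing lookups and
# of what the provider can still infer. Not Apple's, Google's or Tencent's
# code; canonicalization, list updates and caching are omitted.
import hashlib

PREFIX_LEN = 4  # bytes of SHA-256 sent to the provider (real clients send >= 4)


def url_hash(url: str) -> bytes:
    """Full SHA-256 of the URL string (real clients canonicalize first)."""
    return hashlib.sha256(url.encode("utf-8")).digest()


def hash_prefix(url: str) -> bytes:
    return url_hash(url)[:PREFIX_LEN]


class Provider:
    """The safe-browsing provider. It only ever receives hash prefixes."""

    def __init__(self, blocked_urls):
        self.full_hashes = {url_hash(u) for u in blocked_urls}
        self.seen_prefixes = []  # what a provider could log about one client

    def prefix_list(self) -> set:
        # Published to clients so that most lookups never leave the device.
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def full_hashes_for(self, prefix: bytes) -> set:
        self.seen_prefixes.append(prefix)
        return {h for h in self.full_hashes if h.startswith(prefix)}


class Client:
    """Browser side: local prefix check first, network only on a prefix hit."""

    def __init__(self, provider: Provider):
        self.provider = provider
        self.local_prefixes = provider.prefix_list()

    def is_unsafe(self, url: str) -> bool:
        full = url_hash(url)
        prefix = full[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # decided locally; the provider learns nothing
        # Prefix hit: fetch every full hash sharing it and compare on-device.
        return full in self.provider.full_hashes_for(prefix)


def guess_urls_from_prefix(prefix: bytes, candidate_urls) -> set:
    """Green's caveat in code: a provider holding a list of candidate URLs can
    test each against a logged prefix. The prefix hides the URL among all
    strings whose hash starts with the same 32 bits, not among the far
    smaller set of URLs a person plausibly visits."""
    return {u for u in candidate_urls if hash_prefix(u) == prefix}


# Constructed sample data (not real blocklist entries).
BLOCKED = {"http://malware.example/", "http://phish.example/login"}
CANDIDATES = BLOCKED | {"http://news.example/", "http://bank.example/"}


def demo():
    """Run a browsing session and show what the provider could infer from it."""
    provider = Provider(BLOCKED)
    client = Client(provider)
    verdicts = {u: client.is_unsafe(u) for u in sorted(CANDIDATES)}
    inferred = {p.hex(): guess_urls_from_prefix(p, CANDIDATES)
                for p in provider.seen_prefixes}
    return verdicts, inferred


if __name__ == "__main__":
    verdicts, inferred = demo()
    print("verdicts:", verdicts)
    print("provider saw prefixes and could infer:", inferred)
```

Running the demo shows the two sides of the argument: benign URLs never reach the provider at all, and a flagged URL reaches it only as a four-byte prefix; yet once the provider holds a prefix and a guess list, the prefix singles out the page. That is the gap between "the URL is never shared" and "nothing about the user is learned" that Green is pointing at.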
It's not just Tencent, and it's not just Apple, either...
Apple CEO Tim Cook is in China, and WIRED describes the company's close relationship with that country's government, which successfully got Apple to take down an iOS app that Hong Kong protesters were using to track police activity. Apple's not alone in this regard, either: as WIRED summarizes elsewhere, Blizzard, Google, and the NBA have also distanced themselves from people and stances that could be interpreted as imperfectly aligned with Chinese policy.
Apple is concerned that the news offers more ammunition for those accusing the company of compromising its standards at the behest of the Chinese government. The Verge observes that Apple is particularly sensitive to such criticism because it presents itself as more privacy- and security-focused than other major technology companies, and because of the optics of its recent compliance with Beijing's demands that the company suppress tools the Hong Kong protesters had been using to organize their activities.
...but Facebook says include them out.
Apparently Cupertino and Mountain View are closer to Beijing than they are to Menlo Park, at least this week, at least in the regions of the spirit. Facebook CEO Mark Zuckerberg came out swinging Thursday like a First Amendment true-believer. The Telegraph reports that he said, in an address at Georgetown University, that his company won't pursue business in China because it doesn't want to submit to the government's content-control regime.
Zuckerberg expressed Facebook's strong commitment to free speech as grounds for refusing to moderate any political content, even mendacious ads for candidates. He argued that the Chinese government’s values ought not to set the norms for the Internet as a whole. The New York Times reports that he observed with concern that free speech seemed to be under assault in the West as well, where he says too many people have come to believe that their political objectives are so important that opposing views should be suppressed.
Join Dragos and the CyberWire on October 22 to hear how threat intelligence can help your organization reduce risk by improving detection, response and prevention for critical infrastructure. We’ll share real world insights from hunting some of the most sophisticated threats and cover vulnerable assets that need protection. Register today.
Developing artificial intelligence safely.
In a report provided to the CyberWire, the Krakow-based Kosciuszko Institute outlined a number of concerns and recommendations regarding the ethical use of artificial intelligence. As a result of advances in artificial intelligence, the think tank predicts that "the quality and quantity of attacks will increase, more entities will be able to launch attacks, while well known types of attacks will develop, e.g. phishing will become personalised so that it’ll be difficult to tell whether we are corresponding with a machine or with a real person."
To maintain control over the AI decision making process, the algorithms "should be developed in a way ensuring strict compliance with the rules of conduct applicable in a given organisation." This entails treating the development of these algorithms "like raising a child – we need to “teach” our machines to act the way we need and expect them to." Izabela Albrycht, Chairperson of the Board at the Kosciuszko Institute, stressed that "AI should, first and foremost, be trustworthy."
The Institute believes the public sector will play a large role in ensuring that AI is used safely and ethically. For example, the report points to the German government's requirement that autonomous vehicles always prioritize human life over material damage when faced with an impending accident.
The report also highlights the beneficial uses of AI, such as detecting cancer, supporting rescue missions, and assisting the elderly. Even military applications of AI can save lives by increasing accuracy and replacing human soldiers with robots.
Adobe was quiet on Patch Tuesday last week, but it dropped patches for eighty-two vulnerabilities in Acrobat and Reader this week, most of which are critical, Help Net Security notes.
Oracle released patches for 219 vulnerabilities across its products, nineteen of which have a CVSS score above 9.0, SecurityWeek reports. Fusion Middleware was the most affected with thirty-seven flaws, thirty-one of which could be exploited remotely without authentication.
The CyberWire will be bringing together women from around the region and across the nation to celebrate their contributions and successes in the cybersecurity industry. Join us at the International Spy Museum in Washington, DC on October 24th at the 6th Annual Women in Cyber Security reception. Request an invitation.
Crime and punishment.
A federal grand jury in the District of Columbia on Wednesday unsealed a nine-count indictment against a South Korean national, Jong Woo Son, for operating Welcome To Video, by volume the world's largest child exploitation market. The IRS Criminal Investigation (IRS-CI) division identified Son "through the sophisticated tracing of bitcoin transactions," and he was arrested in March of last year in a joint operation involving the IRS-CI, US Immigration and Customs Enforcement (ICE)’s Homeland Security Investigations, the UK's National Crime Agency, and the Korean National Police. Son has already been convicted in South Korea, where he's currently serving his sentence. The Justice Department said the operation resulted in arrests and charges against three-hundred-thirty-seven other site users in twelve countries. It also led to the rescue of twenty-three children in the US, the UK, and Spain who were being abused by members of the site.
Anna Bogacheva, one of the thirteen Russians US Special Counsel Mueller indicted for allegedly interfering with the 2016 US presidential election, was detained by Belarus on Sunday but soon released, according to the Washington Post. The Belarusian prosecutor general’s office concluded there were no grounds to detain her further. The Post notes that Belarus has a "a complicated but close relationship with Russia," and so it's surprising she was detained on American charges in the first place. Ms Bogacheva promptly decamped for Russia.
CyberScoop says investigators have found that alleged Capital One hacker Paige Thompson had between twenty and thirty terabytes of stolen data, and they don't want the accused moved from jail to a halfway house, because twenty terabytes presents a potent temptation to flight.
Courts and torts.
The SEC has sued Telegram to stop its proposed global cryptocurrency network, the Wall Street Journal reports. The company had raised $1.7 billion by selling tokens called "Grams" to investors, which would be used on the upcoming network. The SEC claims the "defendants failed to register their offers and sales of Grams, which are securities, in violation of the registration provisions of the Securities Act of 1933." Stephanie Avakian, co-director of the SEC’s Division of Enforcement, said the action was taken "to prevent Telegram from flooding the U.S. markets with digital tokens that we allege were unlawfully sold."
Policies, procurements, and agency equities.
Two unnamed US officials told Reuters that the United States conducted cyber operations against Iran in retaliation for the September 14th drone attacks on Saudi Arabian oil facilities. The cyber strike "affected physical hardware" and was intended to disrupt Iran's propaganda distribution capabilities. According to Ars Technica, Iran's Minister of Communications and Information Technology Mohammad Javad Azari-Jahromi denied the attacks had any effect and said the Americans "must have dreamt it."
The Australian Security Intelligence Organisation (ASIO), Australia's national intelligence agency, says it doesn't have enough resources to counter foreign interference, according to Reuters. Australia's Minister for Home Affairs Peter Dutton said the agency would get the funding it needs.
In the US, the recently formed Space ISAC is advocating that the space sector be designated as critical infrastructure, Air Force Magazine reports. The US Department of Homeland Security regards sixteen sectors as "critical infrastructure": chemical; commercial facilities; communications; critical manufacturing; dams; the Defense Industrial Base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; nuclear reactors, materials, and waste; transportation systems; and water and wastewater. This strikes some observers as too many, either because the distinctions are drawn too closely or on the Napoleonic grounds that those who defend everything defend nothing, but the space sector seems to have as strong a claim to criticality as any of the others.
Fortunes of commerce.
The Washington Post reports that Huawei's stockpile of US-produced equipment is beginning to run low, so the next few months could reveal whether or not the Chinese company can continue to dominate its market without access to US suppliers.
The UAE-based cybersecurity company DarkMatter is attracting former Israeli intelligence officers with annual salaries of up to $1 million, according to Haaretz. Many of the employees apparently worked for Israel-based NSO Group before moving to work in DarkMatter's Cyprus office. Haaretz notes that DarkMatter works for the UAE's intelligence agency, and it's not clear whether these employees received clearances from Israel's Defense Ministry.
The Wall Street Journal says companies are adding incentives to lure IT workers. Martha Heller, CEO of Heller Search Associates, told the Journal that one of her company's clients was offered a $250,000 signing bonus for a CISO position, along with a higher-than-average salary and the ability to work from home in California rather than moving to Chicago. Michael Solomon, co-founder of 10x Ascend, said his firm managed to triple an initial equity grant for one of its IT clients who landed a job at a technology company.
Mergers and acquisitions.
American private equity firm Thoma Bravo is buying UK-based cybersecurity company Sophos for $3.8 billion, Yahoo Finance reports. The Guardian notes that Sophos joins a growing list of UK technology companies that have been bought out by foreign investors, particularly in the US. UK investors are concerned that this is indicative of a lack of funding for British technology firms, and they worry this trend will continue.
Identity governance company SailPoint has acquired cloud security provider OverWatchID for $21 million and cloud access governance company Orkus for $16.5 million, CRN reports.
Splunk's venture arm (Splunk Ventures) has a $150 million fund to invest in big data startups. ITWire reports on the fund's Australian roadshow.
Today's issue includes events affecting Australia, Belarus, Brazil, Canada, China, Czech Republic, European Union, France, Germany, Ireland, Russia, Saudi Arabia, South Korea, Spain, United Arab Emirates, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.