skip navigation

More signal. Less noise.

Get your copy of the definitive guide to threat intelligence.

We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.

Daily briefing.

Fancy Bear returns, resuming its use of the Zebrocy toolkit against a familiar range of targets, for the most part embassies and foreign ministries in Eastern Europe and the Middle East. ESET, which says the renewed activity dates to late August, also notes that Zebrocy's suite of downloaders, droppers, and backdoors has shown some evolution into marginally more effective forms. Fancy Bear is also known as Sednit, Sofacy, Group 74, Strontium, and APT28, but Russia's GRU military intelligence service is always the man behind the curtain.

The University of Toronto's Citizen Lab describes a campaign directed against Tibetan diaspora groups by a threat actor the Lab calls "Poison Carp." A successor to Ghostnet, the campaign has used a suite of Android and iOS exploits; its typical infection vector was social engineering. Reuters observes that this appears to be the same threat actor that has been active against China's predominantly Muslim Uighur minority.

An anonymous researcher has published a zero-day affecting the widely used vBulletin web forum software. ZDNet says the vulnerability is a pre-authentication remote code execution bug. It’s unclear whether the posting was done with malign intent or simply amounted to a bungled disclosure. 

Few will be surprised to hear that the GandCrab gang has returned from retirement. SecureWorks reports that the group has reassembled itself, and is responsible for attacks using REvil ransomware (also known as Sodinokibi).

Iovation predicts insurance fraud committed over mobile devices will include "Application," "Bad Debt," "Ghost Broking," "Account Takeover," "Claim," and "Contact Center."

Notes.

Today's issue includes events affecting Australia, Canada, China, Ecuador, Russia, South Africa, Turkey, United Kingdom, United Nations, United States.

Bring your own context.

Why smart TVs raise consumers' hackles.

"But that's the kind of thing I'm talking about. You know, if it stays within the company and they're just trying to make the service better, that's fine. But if they're selling my data and profiting from me, I want that to come back in some way."

—Joe Carrigan, of the Johns Hopkins University's Information Security Institute, on the CyberWire Daily Podcast, 9.23.19.

Service improvement is one thing, but making the consumer the product is another. To be sure, everyone gets that businesses need to advertise, and that advertising has to be profitable, but selling personal data seems...sorry, personal.

Is your cybersecurity program aligned with your business goals and objectives?

Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level cyber initiative buy in, supports traction across business units, establishes management alignment for key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program – making it a business asset for continued success. Learn more

In today's Daily Podcast, out later this afternoon, we speak with our partners at the University of Maryland's Center for Health and Homeland Security, as Ben Yelin discusses White House moves to block Congress from auditing cyber offensive strategy. Our guest is Tim Keeler from Remediant, who takes a look at lateral movement in the context of the NotPetya attacks.

And Recorded Future's podcast, prepared in cooperation with the CyberWire, is also up. In this episode, "The Intersection of Political Science, Risk Management, and Cybersecurity," Matt Devost, CEO and co-founder of OODA LLC, shares his insights on managing cyber risk in a complex world, as well as his thoughts on threat intelligence.

Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge­.

Zero Day Con (Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 20% discount: CYBER_WIRE20

Cyber Attacks, Threats, and Vulnerabilities

Another unprotected server leaking personal data of millions of Ecuadorian citizens uncovered by researchers (Computing) Latest Ecuadorian data breach attributed to company called DataBook using the data on a an unsecured server

Second phishing campaign featuring LookBack malware targets US utilities (SC Magazine) Cyber-criminals continue to target US utilities with LookBack malware

This map connects Russia's deadly malware to the espionage groups behind them (The Next Web) Notorious threat actors like Potao Express, BlackEnergy and Turla account for as many as 79 unique malware families, a new map of the Russian cyberespionage ecosystem has revealed.

Russian APT Ecosystem Map (Check Point | Intezer) The russian APT map is a web-based, interactive map that shows the different families and actors that are part of the Russian APT ecosystem, as well as the connections between them.

Iranian Government Hackers Target US Veterans (Dark Reading) 'Tortoiseshell' discovered hosting a phony military-hiring website that drops a Trojan backdoor on visitors.

Poison Carp cyber-espionage group targeting Tibetan officials with mobile malware (SC Magazine) Threat group Poison Carp uses Android exploits to plant spyware on devices operated by various Tibetan leaders

Chinese hackers who pursued Uighurs also targeted Tibetans: researchers (Reuters) Chinese hackers who used a previously unknown iPhone security flaw to target ethnic minority Uighurs also went after Tibetans in exile, according to a report published on Tuesday.

A cyber-espionage effort against Tibetan leaders leveraged known Android, iOS vulnerabilities (CyberScoop) Hackers aimed to infect mobile phones belonging to senior members of Tibetan groups, including people who worked directly for the Dalai Lama, as well as lawmakers in Tibet’s parliament, according to new findings from a team of researchers at the University of Toronto.

Son of Ghostnet: the mobile malware that targets Tibetans abroad (Boing Boing) Citizen Lab (previously) is one of the world’s top research institutions documenting cyber-attacks against citizen groups, human rights activists, journalists and others; ten years ago, they …

Zebrocy Infects Targets with New Golang-Based Backdoor via Dropbox (BleepingComputer) A recently observed campaign from the Zebrocy APT operators relied on a revamped backdoor to maintain access to victim hosts and extract profiling information.

No summer vacations for Zebrocy (WeLiveSecurity) ESET researchers break down new components in the Zebrocy malware family that the Sednit group has deployed in a recent campaign.

Anonymous researcher drops vBulletin zero-day impacting tens of thousands of sites (ZDNet) New zero-day could trigger a new forum hacking spree across the internet.

Data Breach: Thousands Exposed as Dating App Leaks Private Data (WizCase) WizCase has recently found an open Elasticsearch database on the Turkish based online dating app, Heyyo. The leak contained private information, including ...

New Online Fraud Complexities May Arise for Insurance Companies (iovation) With more online U.S insurance transactions expected, iovation and TransUnion see the emergence of several new fraud schemes

'Carpet-bombing' DDoS attack takes down South African ISP for an entire day (ZDNet) Carpet bombing - the DDoS technique that's just perfect for attacking ISPs, cloud services, and data centers.

Notorious hacker group 'returns from retirement’ (BBC News) The gang is thought to be behind ransomware attacks that have caused havoc in Texas.

Instagram phish poses as copyright infringement warning – don’t click! (Naked Security) Your Instagram account has value to the crooks – so they’re coming up with some cunning tricks to get at your passsword.

Dubai firm loses £42,000 in phishing attack (SC Magazine) Spoofed email trick customers of Dubai-based company into transferring £42,000 overseas

Apple says a bug may grant ‘full access’ to third-party keyboards by mistake (TechCrunch) Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request “full access” permissions. iOS 13 was released last week. Both iOS 13.1 a…

The Rise of Disruptionware: A Cyber-Physical Threat to Operational Technology Environments (Institute for Critical Infrastructure Technology) Disruptionware is an emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity, and confidentiality of the systems, networks, and data belonging to the target.

Control system cyber security organizations are still not focusing on what is most important –the process (Control Global) For industrial and manufacturing companies, organizations such as credit rating agencies and insurance companies are concerned about the risk to the enterprise not just the networks. The OT security community needs to recognize the most important risks to the organization are the process not the networks. This will require changing the governance model to require teaming with engineering and security with engineering taking the lead.

Lee County back online after apparent cyber attack (The News-Press) Internet and computer network service has been restored to Lee County after a four-day outage that officials suggest was caused by a cyber attack.

Northshore School District hit by significant cyber attack (KOMO) A cyberattack has crippled some of the systems in the Northshore School District, which covers Bothell, Woodinville and Kenmore. The district is calling this a "significant" attack that's taken out some phones and all voice mail servers, but adds there's no evidence that student or staff information has been compromised. In addition to the phones, the food service payment system took a hit.

Security Patches, Mitigations, and Software Updates

Jira development and ticketing software hit by critical flaws (Naked Security) Admins have a spot of patching work on their hands after the company released updates addressing two critical flaws.

Microsoft sends another warning: Update Windows now to fix critical security issues (CNN) Microsoft issued two emergency updates yesterday for its users to protect against "critical" and "important" vulnerabilities impacting Internet Explorer and Windows Defender, the anti-virus software.

Microsoft Released Out-of-Band Security Updates (Qualys Blog) Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities – The Internet Explorer remote code execution vulnerability (CVE-2019-1367) and Microsoft Defender Denial of…

Apple restricts old adblocking tech (Naked Security) Apple has turned off the ability for adblocking companies to use their own blocking mechanisms in Safari.

Cyber Trends

Just How Secure is the Technology Sector? (BitSight) Learn about the security performance of the technology sector and see how the cybersecurity posture of tech companies compares to other industries.

Cloud Attacks Prove Effective Across Industries in the First Half of 2019 (Proofpoint US) No industry vertical was spared from cloud-related attacks in the first half of 2019.

Third-Party Code: The Hidden Risk in Your Website (PerimeterX) This new survey of application security professionals underscores the lack of awareness people have about website vulnerabilities in third-party client-side scripts.

Survey: 85% of Employees Don’t Have All the Resources They Need on Day One to do Their Job (Ivanti) Findings Show the Security and Compliance Gaps of Ineffective Employee Onboarding and Offboarding

WatchGuard’s Q2 Internet Security Report Finds Malware Hiding on Popular Content Delivery Networks (West) Data also shows Kali Linux modules cracking malware top ten list and a dramatic year-over-year increase in overall malware volume

CISO role grows in stature, but challenges remain (Help Net Security) In order to find out how CISOs perceive the state of their profession, Optiv Security interviewed 200 CISOs or senior security personnel with equivalent

The Evolving Roles and Responsibilities of CISOs (CIOReview) The Evolving Roles and Responsibilities of CISOs By James Shira, Network & US Chief Information & Technology Officer, PWC - In order to address these new threats while maintaining operations, growing the business, executing the mission, and...

Criminals are far too successful at recycling old threats that defeat enterprises’ legacy systems (IT Pro Portal) Continued use of insecure legacy Windows operating systems is placing major organisations and businesses across the UK at risk of cyberattack.

ESET: 91% of Russians Prefer Pirated Content Over Legal (TorrentFreak) If the results of a survey carried out by ESET are any indicator, Russia faces an uphill battle to combat piracy. The security company reports that just 9% of those surveyed prefer exclusively legal content over pirated, with 75% citing high prices as a reason to use illegal sources.

Marketplace

$5 trillion threat of cyber attacks spurs investments in solutions, talent and tech (Help Net Security) IT & Business Services M&A Market's disclosed deal value reached a whopping $97 billion in 1H 2019 – the highest total on record for a six-month period.

Cyber Insurance Is Of Immense Importance In Today’s Time (Outlook Indiua) Cyber-attacks are perceived as a substantial global risk

Arceo.ai Secures $37 Million of Funding led by Lightspeed Venture Partners and Founders Fund (PR Newswire) Arceo.ai, provider of the leading end-to-end cyber risk analytics and insurance platform, today announced it has...

Cybersecurity Startup Uses AI To Automate Screening Process (Forbes) Greg Martin is on his third cybersecurity startup, the second time as a founder, and he has raised $39 million to date for his latest company, JASK, launched in 2015.

NTT Security CEO on 'bad-guys-as-a-service' and consolidation in the MSSP space (CRN) CRN's sister publication Channel Partner Insight speak to Matt Gyde

120 jobs to be created in Belfast with salaries over £30k (Belfas Llive) Invest Northern Ireland has offered £786,500 towards the project

Scale Computing Boosts Executive Team with Promotion of Scott Loughmil (PRWeb) Loughmiller’s appointment to Scale Computing’s executive team is part of the company’s high-growth plans for 2019

Mimecast Announces Departure of Ed Jennings and the Appointment of New Chief Revenue Officer, Dino DiMarino (West) Mimecast Limited (NASDAQ: MIME), a leading email and data security company, today announced the departure of Chief Operating Officer, Ed Jennings, who will transition his departure at the end of 2019 to pursue his career goal of leading a technology company.

Flashpoint Appoints Ian Schenkel Vice President of EMEA as Global Growth Accelerates (West) Industry Veteran Brings More Than 25 Years of Business and Sales Leadership

High Wire Networks Hires Veteran CISO to Lead Overwatch Managed Security Platform-as-a-Service (Yahoo) High Wire Networks, providers of the Overwatch Managed Security Platform-as-a-Service, announced today that IT security veteran Philip Burnett has joined the company as Chief Information Security Officer (CISO). Burnett brings two decades of executive security

Products, Services, and Solutions

LookingGlass® Cyber Solutions Launches Industry’s Most Adaptive Software-Defined Threat Response Platform (BusinessWire) LookingGlass Cyber Solutions, a leader in intelligence-driven risk management, today announced the general availability of the LookingGlass Aeonik Sec

Segasec Announces Early Threat Detection Capability for Account Takeovers (West) The new feature would alert potential fraud victims to online scams before their accounts are overtaken, protecting them and the brands with which they’re interacting.

Coronet, Slice and AXA XL Announce Cybersecurity Partnership (PRWeb) The AI and cloud technology alliance expands small business resources for securing on-demand cyber insurance protection.

Sonatype Delivers First-of-Its-Kind Automated Malware Prevention For Open Source Libraries (West) Nexus Intelligence research engine now automatically detects counterfeit and malicious code injections into open source software supply chains

Portshift Enhances Cloud-Native Application Security Platform with Advanced Policy Advisor (Benzinga) Portshift, a leader in identity based workload protection for cloud-native applications, today announced its new Policy Advisor control interface, providing DevOps professionals with the ability to establish and automate policies for container-based microservices delivered in the cloud.

OmniMesh Taps AIS for Cybersecurity in its Content Delivery Solutions (Yahoo) Addition of world-class, defense-grade security assures privacy and security in content management

Contrast Security and PagerDuty Integration Delivers Application Security and Threat Intelligence Visibility and Monitoring Across Full Incident Management Lifecycles (PR Newswire) Contrast Security joins the PagerDuty Integration Partnership Program to resolve cyber threats and attacks more rapidly for distributed DevSecOps teams

Contrast Security and PagerDuty Integration Delivers Application Security (EnterpriseTalk) Contrast Security announced the release of its PagerDuty integration with Contrast Protect and its inclusion in PagerDuty's Integration Partner Program.

BULLETPROOF launches new security service powered by Microsoft Azure Sentinel (PR Newswire) Bulletproof 365 Enterprise is Now Available.

Mimecast Announces Integration with Rapid7 (West) Mimecast’s Integration with Rapid7’s SOAR Solution, InsightConnect, is Engineered to Enable Security Teams to Respond to Incidents Faster, Helping to Strengthen Cyber Resilience

Senseon joins Endace Fusion Partner Program - Endace (Endace) Partnership will see Senseon’s cyber AI security platform integrated with the EndaceProbe Analytics Platform

Ionic Security Democratizes Access to Machine-Scale Data Protection (PR Newswire) Ionic Security, the leader in machine-scale data protection, today announced a free and easy onramp for developers to...

Technologies, Techniques, and Standards

6 Tips for Building an Effective SOC (Bricata) A presentation from RSA Unplugged 2019 offers several tips to security leaders seeking to build or improve their security operations center (SOC).

Algorithms Are Not What You Smartypants Think They Are (Wired) Grasping algorithms just enough, thinking they're within our puny reach, only makes them more powerful.

Passwordless authentication is here ​now​, and it is vastly superior to using a password (Help Net Security) Mirko Zorz, Help Net Security’s Editor in Chief, recently published ​an article about the state of passwordless authentication​ that predicted a long

Design and Innovation

Burt's Bush And XXXTentacion's Death: Why Facebook Mods Fail (BuzzFeed News) Muddled communications from Facebook and a barrage of constant updates make low-paid outsourced moderators’ jobs impossible.

Facebook promises not to stop politicians’ lies & hate (TechCrunch) Facebook confirms it won’t fact check politicians’ speech or block their content if it’s newsworthy even if it violates the site’s hate-speech rules or other policies. This cementing of its policy comes from Facebook’s head of global policy and communication Nick Clegg…

Microsoft's new 'Data Dignity' team could help users control their personal data (ZDNet) Microsoft is staffing up a new Data Dignity team in its CTO's office which could help users to control their own personal data, ultimately to the point of buying and selling it.

Could audio warnings augment your ability to fight off cyber attacks? (Help Net Security) On an organizational level, auditory monitoring will help companies deal with the chronic talent shortage facing most security organizations.

Legislation, Policy, and Regulation

World powers are pushing to build their own brand of cyber norms (CyberScoop) Two competing groups tied to the United Nations are trying to outmaneuver one another when it comes to establishing behavior norms in cyberspace.

27 Countries Sign Pledge to Play Nice Online (Infosecurity Magazine) Joint statement promises to punish bad behavior in cyberspace

China to place government officials inside 100 private companies, including Alibaba (CNBC) Chinese government officials are to be sent to work inside 100 private companies working in the tech hub of Hangzhou, according to local state media.

U.S. lawmakers propose $1 billion fund to replace Huawei equipment (Reuters) A U.S. House panel unveiled bipartisan legislation this week that would authoriz...

Analysis | The Cybersecurity 202: White House blocking Congress from auditing its offensive hacking strategy (Washington Post) Rep. Jim Langevin says it might be time to force the president's hand.

‘But who’s in charge’ is the question for feds in cybersecurity (Fifth Domain) Government officials consistently argue that no single agency could take responsibility for the cybersecurity of the federal government. But a Wisconsin senator recently pushed officials to answer the question of who takes the lead for information security.

Every Sailor a Cyber Warrior (CIMSEC) Every Marine a rifleman. This mantra resonates with the nation and highlights a fundamental fact about the USMC – no matter what a Marine’s primary job is, they are expected to be able to pick up a weapon and fight.

Litigation, Investigation, and Law Enforcement

Army vaguely warns of ‘potential mass shooting’ at premiere of new ‘Joker’ film (Task & Purpose) A credible threat of a mass shooting at an unspecified movie theater is being flagged to Army installation leaders.

DHS FISMA ratings go up (FCW) The Department of Homeland Security's information security practices have gone from good to better, according to a new inspector general audit.

Huawei CFO fighting US extradition says her rights were violated (CNBC) Meng Wanzhou's lawyers argued that Canadian authorities abused their powers and violated her rights to gather evidence against her.

Opinion: In Ortis case, the RCMP’s fight against cyber crime takes a big hit (The Globe and Mail) We may now be unprepared for the next wave of ransomware attacks along with other threats to online security

Australians are reporting cybercrime activities once every 10 minutes (ZDNet) The new head of the Australian Cyber Security Centre has said financial loss from cybercrime down under is ticking through to the billions.

Ex-intelligence officer gets 10 years in espionage case (Military Times) A former U.S. intelligence officer convicted of trying to pass defense information to China was solemn as he was sentenced Tuesday to 10 years in prison and said he

No, RSA Hasn’t Been Cracked. But Crown Sterling Is Very Confused (Security Boulevard) A new cryptography company claims to have broken RSA 256-bit encryption. But is Crown Sterling Limited's claim legit or smoke and mirrors?

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

GlobalPlatform Technical Workshop (Shenzhen, China, September 24 - 25, 2019) GlobalPlatform is hosting two free-to-attend workshops in Shenzhen, China on 24th and 25th September. Both workshops will focus on device security and the deployment and use of secure devices. The agendas...

2019 FAIR Conference (National Harbor, Maryland, USA, September 24 - 25, 2019) Hosted by the FAIR Institute and our sponsoring partners, the 2019 FAIR Conference brings leaders in information and operational risk management together to explore best FAIR practices that produce greater...

SecureWorld New York (New York, New York, USA, September 25, 2019) Connecting, informing, and developing leaders in cybersecurity. For the past 17 years, SecureWorld conferences have provided more content and facilitated more professional connections than any other event...

Little Rock Cybersecurity Conference (Little Rock, Arkansas, USA, September 26, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...

The Risk Institute's 6th Annual Conference: Emerging Technologies (Columbus, Ohio, USA, September 26, 2019) The Risk Institute at The Ohio State University Fisher College of Business, a leading risk-management research organization, will host its Sixth Annual Conference, focused this year on Emerging TechnologiesThe...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.