Analysts at Dragos have reassessed the 2016 cyberattack against Ukraine's power grid and have concluded that the blackout was intended to be far more damaging and longer-lasting than what was actually achieved. The attack appears to have had a final stage that failed for reasons unknown to Dragos. After the blackout was triggered, the attackers tried to launch denial-of-service attacks against the Siemens SIPROTEC protective relays in use by the plant. This initially seemed pointless, since the attack had seemingly already taken place. Dragos suspects, however, that the attackers wanted the plant's operators to reactivate the systems while lacking visibility and without realizing that the protective relays were disabled. This could have greatly intensified the attack, causing physical damage to equipment and harming employees.
Dragos' director of threat intelligence Sergio Caltagirone told WIRED that "they've pre-engineered attacks that harm the facility in a destructive and potentially life-threatening way when you respond to the incident. It’s the response that ultimately harms you."
Is your cybersecurity program aligned with your business goals and objectives?
Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level cyber initiative buy in, supports traction across business units, establishes management alignment for key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program – making it a business asset for continued success. Learn more.
North Korean hackers use obscure file formats to evade detection.
Prevailion researchers describe "Autumn Aperture," a North Korean campaign that's deploying rarely used file formats like Kodak FlashPix (FPX) to avoid being flagged by antivirus systems. The attackers are using malicious Word files with subject matter that's relevant to their targets, and they attempt to hide the resulting malicious functionalities by embedding them in FPX files. VirusTotal shows that these are much less likely to be detected than the standard VBA files.
Prevailion believes the Kimsuky threat actors are behind the campaign, and the researchers conclude that "given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure."
Cybersecurity Fabric: The Future of Advanced Threat Response
Cyberattacks continue to increase in size and speed, requiring greater flexibility to defend and respond to emerging security threats. Organizations need inline detection and mitigation to be successful against threats to the evolving network. The solution is one that weaves security throughout your network into a seamless fabric providing coordinated detection and response. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn how a Cybersecurity Fabric will strengthen your security strategy, simplify your stack, and advance your defenses.
Israeli intelligence may have placed StingRays in DC.
POLITICO reported that "three former senior officials with knowledge of the matter" said the US government concluded that Israel was responsible for the placement of a number of StingRay devices in Washington DC. One of the officials said the devices were probably intended to spy on President Trump. Israel has denied the allegations, and President Trump said, "I don't think the Israelis were spying on us.... Anything is possible but I don't believe it."
Every business can benefit from a cookbook approach to developing a cloud strategy.
By focusing efforts on a living document, CIOs can connect business strategy to cloud migration planning and implementation. Visit www.coalfire.com and download the latest Gartner Cloud Strategy Cookbook, 2019. The Cloud Strategy Cookbook provides actionable advice on structuring a cloud strategy document, while offering guidance on determining which applications go where.
BlueKeep RCE exploit now available to the public.
Rapid7's open-source Metasploit framework now has an easy-to-use module for exploiting BlueKeep to achieve remote code execution on Windows systems, ZDNet reports. The module can't be used for worm attacks, since it requires manual interaction for each system it's deployed against, but it's still quite effective against individual systems. ZDNet notes that there are still 700,000 vulnerable systems exposed to the Internet, and probably many more on internal networks.
Setting the Trap with Kevin Mitnick: Crafty Ways the Bad Guys Use Pretexting to Own Your Network
Today’s phishing attacks have evolved beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization to set the perfect trap. And pretexting is the key.
Join us for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, will show you how the bad guys craft such cunning attacks. And he’ll share some hacking demos that will blow your mind.
Symantec told CyberScoop that it believes the Chinese threat actor the company tracks as "Thrip" could actually be a manifestation of another group, "Billbug" or "Lotus Blossom," which has been active for about a decade. Symantec previously believed Thrip was a new operation discovered last year, but an analysis of one of its backdoors uncovered multiple striking similarities to a tool used by the older threat actor. Symantec's technical director Vikram Thakur told CyberScoop that "these guys are not absolutely brand new like we had pointed out last year. They seem to be using an evolution of a tool that has almost been used for ten years at this point."
Cobalt Dickens is back, and pretending to be your university library.
Researchers at Secureworks report a resurgence of activity by the Iranian threat group called "Cobalt Dickens." The threat actor has been associated with the Mabna Group and others the US Department of Justice indicted in 2018 in connection with cyberespionage that Justice said was conducted on behalf of Iran's Islamic Revolutionary Guard Corps. Secureworks says the latest activity consists of a phishing campaign directed against American and British universities.
Stealth Falcon spyware campaign update.
ESET says it's associated a hitherto overlooked backdoor with Stealth Falcon. Stealth Falcon itself has been connected by the University of Toronto's Citizen Lab with the distribution of spyware against a range of Middle Eastern targets. It's regarded as probably a United Arab Emirates operation, linked to Project Raven, earlier described by Reuters.
Big business email compromise.
Toyota Boshoku, a Toyota parts unit, continues to investigate a business email compromise scam in a European subsidiary that may have cost the company ¥4 billion (approximately $37 million). According to Infosecurity Magazine, the incident occurred on August 14th, and if it followed the usual business email compromise template, the theft depended on social engineering. Toyota Boshoku says it can't reveal more because of ongoing police investigations. It does say it's working to recover the funds its subsidiary lost, and it asks for patience and understanding until investigations are complete.
Microsoft fixed seventy-nine security flaws on Patch Tuesday, seventeen of which were rated critical. KrebsOnSecurity notes that two of these vulnerabilities affected all supported versions of Windows and were being exploited in the wild.
Adobe patched two critical vulnerabilities in Flash Player that could have led to arbitrary code execution.
Crime and punishment.
The US Department of Justice announced on Tuesday that an international law enforcement effort called "Operation reWired" had resulted in the arrests of 281 people allegedly involved in business email compromise schemes. The operation involved law enforcement agencies in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom, along with the United States' Department of Homeland Security, Department of the Treasury, Postal Inspection Service, and Department of State. 167 of the arrested individuals were in Nigeria and 74 were in the United States. The FBI also released updated statistics on BEC attacks, showing that there has been "a 100 percent increase in identified global exposed losses" between May 2018 and July 2019.
The Washington Post reported that Fedir Hladyr, a Ukrainian national US prosecutors said was affiliated with the FIN7 cybercriminal gang, took a guilty plea Thursday to two counts of hacking and wire fraud. Mr. Hladyr, who was arrested in Germany last year, was FIN7's admin. The group is believed responsible for carding and other forms of cybercrime that may have netted them a billion dollars, give or take a baker's dozen. In exchange for his plea, the Government agreed to drop twenty-four other charges, conviction on which would have earned the defendant hundreds of years in prison. As it stands he faces up to twenty-five years. Observers speculate that the Government made the deal in exchange for information Mr. Hladyr may provide on the rest of the gang.
Two Coalfire employees were arrested while conducting a physical penetration test at a courthouse in Iowa, according to the Des Moines Register. The two men had been hired by the state court administration to try to gain unauthorized access to court records, but the administration says it "did not intend, or anticipate, those efforts to include the forced entry into a building." The pentesters have been charged with third-degree burglary and possession of burglary tools, and as of this writing they're being held on a $50,000 bond.
Courts and torts.
Google will pay €965 million ($1.1 billion) to France to settle a four-year-long probe into whether the company avoided paying taxes in the country, Reuters reports.
Cloudflare voluntarily disclosed in a regulatory filing with the US Securities and Exchange Commission that its services may have been used by persons or organizations currently under US sanctions, the Wall Street Journal reported. The parties the company dealt with (presumably without fully understanding who they were) included some designated as terrorists or narcotraffickers.
France's finance minister said at an OECD conference that Facebook's Libra cryptocurrency should be blocked in Europe, and he suggested that the EU should develop its own public digital currency, Cointelegraph reports. Libra's head of policy and communications told the Independent that "we welcome this scrutiny and have deliberately designed a long launch runway to have these conversations, educate stakeholders and incorporate their feedback in our design."
US Federal agencies are working out roles and responsibilities in cyberspace during the course of wargames. Breaking Defense describes the exercises as bringing together organizations from the Departments of Defense and Homeland Security. The US Defense Department has also offered Congress a look at some of its current thinking on cyber deterrence. Deterrence is commonly thought of as involving the credible threat of retaliation, but the Department calls its approach to deterrence "multifaceted," with denial playing a significant part. An adversary can be deterred if they become convinced that their attacks would be futile.
Charles Kupperman, Fox News reports, will serve as interim National Security Advisor to the US President. Kupperman had been serving as deputy to the now-departed John Bolton. A search for a permanent replacement is in progress.
NIST is seeking public comment on the Final Public Draft of NIST Special Publication (SP) 800-160 Volume 2, "Developing Cyber Resilient Systems: A Systems Security Engineering Approach." The comment period closes on November 1st. The Institute has also released a preliminary draft of the new NIST privacy framework. Comments on this draft are due by October 24th.
Fortunes of commerce.
Symantec, as it goes through Broadcom's acquisition of its enterprise security business, and as other investors show an interest in its Norton and LifeLock units (the Wall Street Journal says suitors may be offering more than $16 billion), has begun a round of layoffs. The San Francisco Chronicle reports that the company has begun layoffs in California, cutting one-hundred-fifty-two jobs at its corporate headquarters in Mountain View, eighteen in San Francisco, and thirty-six in Culver City.
The Wikimedia Foundation received a $2.5 million donation from Craigslist founder Craig Newmark. The money is intended to help the organization boost its cybersecurity in the wake of a DDoS attack that hit Wikipedia last weekend, Infosecurity Magazine reports.
Mergers and acquisitions.
Akamai is acquiring Exceda, its largest Latin American channel partner. In statements published by BNamericas, Akamai says that it sees the acquisition as a step toward meeting increased regional demand for its content delivery and cloud security services.
Threat intelligence startup Cyware Labs has raised $3 million in a seed funding round led by Emerald Development Partners. The company intends to use the funding for the usual growth purposes: product development and increased marketing.
New Zealand has decided to offer assistance to other Pacific nations as they develop their cybersecurity capabilities. The Government has decided, ZDNet reports, to earmark NZ$10 million over the next five years in aid.
SINET has announced this year's SINET 16. This annual selection of the most innovative, potentially disruptive companies in the cybersecurity industry picks sixteen winners from an international pool of applicants. This year’s selection was made from among one-hundred-sixty-one companies based in eighteen countries. In reverse alphabetical order, the SINET 16 class of 2010 includes:
XM Cyber, which specializes in fully automatic breach and attack simulation that enables customers to recognize attack vectors and prioritize their remediation.
Tigera, whose zero-trust network security supports continuous compliance for Kubernetes platforms across a range of environments.
Tempered Networks, which provides simple and affordable means of segmenting and isolating control systems and industrial Internet-of-things devices.
Sonrai Security, with a Cloud Data Control (CDC) service that delivers a risk model for identity and data relationships across a range of cloud and third-party data stores.
Siemplify, an independent security orchestration, automation and response provider whose workbench enables enterprises and managed security service providers to manage and respond to cyber threats.
OPAQ delivers security-as-a-service from its cloud that enables enterprises to overcome staffing and management challenges in the protection of their IT infrastructure.
Kenna Security, whose platform delivers cyber risk predictions that enable security teams to get ahead of exploitation.
Karamba Security’s embedded cybersecurity solutions protect connected systems with automated runtime integrity software that does particularly well against remote code execution.
CyberSponse, which offers an automated incident response orchestration platform that automates security tools to make human experts more effective.
CryptoMove, whose continuous moving target defense and distributed fragmentation offers a new approach to data protection for managing keys and DevSecOps secrets.
BigID, a machine-learning shop that enables personal data discovery, correlation, and privacy automation for compliance at scale with regulations like GDPR and CCPA.
Balbix, whose specialized artificial intelligence delivers continuous and predictive assessment of breach risk.
Awake Security, which offers advanced network traffic analysis for a privacy-aware solution that can detect and visualize incidents in full forensic context.
Arkose Labs, which solves fraud by pairing global telemetry with an enforcement challenge to control fraud without false positives or degraded throughput.
Aqua Security, which secures container-based and cloud-native applications from development to production.
And, finally, Acceptto, which delivers continuous identity access protection by inferring contextual data to analyze and verify user identity and behavior.
The sixteen winners will be featured at the SINET Showcase in Washington, DC, November 6th and 7th at the National Press Club.
Today's issue includes events affecting China, European Union, France, Ghana, Iran, Israel, Italy, Japan, Kenya, Democratic People's Republic of Korea, Malaysia, New Zealand, Nigeria, Russia, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.