Dragos and CrowdStrike Partner to Provide Early Visibility of OT Threats
Dragos is proud to announce the launch of the Dragos ICS/OT Threat Detection app on the CrowdStrike Store. This new application bridges the IT and OT security divide for customers by providing early visibility and detection of ICS (industrial control systems) / OT threats found on IT endpoints, using data leveraged from the CrowdStrike Falcon® platform. Learn more.
The Week that Was.
September 21, 2019.
By the CyberWire staff
Tortoiseshell goes after IT providers.
Symantec describes a previously undocumented threat actor that's targeting the IT supply chain. The group, which Symantec has dubbed "Tortoiseshell," has attacked at least eleven organizations, and achieved admin-level access in at least two of them. Most of the targets were based in Saudi Arabia. An interesting aspect of the attacks is that in two of the targeted organizations, the attackers infected "several hundred" computers, which the researchers note is "an unusually large number of computers to be compromised in a targeted attack." The group is using a unique backdoor along with several public pieces of malware. In one case, the researchers observed Tortoiseshell use a variant of a backdoor associated with OilRig (APT34), but they note that OilRig's tools were leaked on Telegram in April, so this finding has little bearing on attribution.
Russian operators compromised FBI networks.
Yahoo reports that Russian intelligence services successfully compromised FBI and possibly other Intelligence Community communications from 2010 until 2016. US counterintelligence authorities became aware of the compromise, which involved among other things the ability to break encrypted cell phone communications among FBI counterintelligence teams, some time in 2012. Internal disputes within the Obama Administration’s national security apparatus, which experts who witnessed deliberations characterized to Yahoo as “reset hangover” delayed a comprehensive response until December 2016, after the last US Presidential election. That response took the form of the expulsion of more than thirty Russian diplomats declared persona non grata for their involvement in the espionage campaign. It also involved US seizure of two comfortable vacation homes (both with nice proximity to the ocean) used by the Russian delegation, one on Long Island, New York, and the other on Maryland’s Eastern Shore. The FBI began to move to alternative communications systems after suspecting something was up in 2012. Observers describe that move as “expensive.”
Is your cybersecurity program aligned with your business goals and objectives?
Cybersecurity is a business risk, not an IT problem, and a critical part of business strategy. Security should not be an afterthought. Taking a proactive approach facilitates board-level cyber initiative buy in, supports traction across business units, establishes management alignment for key priorities, and manages data complexity. Let Edwards Performance Solutions better structure and position your cybersecurity program – making it a business asset for continued success. Learn more.
Sources say China was behind Australian Parliament hack.
Reuters reports that the Australian Signals Directorate determined in March that China's Ministry of State Security (MSS) carried out the cyberattacks against Australia's Parliament and three dominant political parties earlier this year. Reuters cites five sources with "direct knowledge of the findings of the investigation." Two of the sources said the Australian government did not release its findings to avoid disrupting trade negotiations with China. Beijing is Australia's top trading partner, and one of the sources said authorities believed such an accusation would have a "very real prospect of damaging the economy." Despite the Australian government's reticence, most observers assumed at the time that China was the most likely suspect in the hacks. China's Foreign Ministry denied the claims, telling Reuters in a statement that "when investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks."
More information operations shut down by Twitter.
Twitter announced on Friday that it had suspended thousands of accounts for inauthenticity. Two-hundred-sixty-seven accounts originated in the United Arab Emirates and Egypt, and were being used in information operations targeting Qatar, Iran, and other countries. Six accounts were tied to Saudi Arabia's state-run media, and "presented themselves as independent journalistic outlets while tweeting narratives favourable to the Saudi government." Two-hundred-sixty-five accounts were operated by Spain's Partido Popular with the goal of increasing popular sentiment in Spain. One-thousand-nineteen accounts were linked to Ecuador's PAIS Alliance political party. Finally, Twitter published more data concerning four-thousand-three-hundred-one of the most active accounts in the large-scale Chinese information operation that targeted the Hong Kong protests last month.
Cybersecurity Fabric: The Future of Advanced Threat Response
Today, it is not enough to protect your assets by collecting high quality threat intelligence – organizations need inline detection & mitigation at line-speed to protect themselves from incoming or existing threats on the network. As cyber strategy shifts towards a “Zero Trust” model, your organization needs to ensure that every device, user, workload, or system is being monitored with a Cybersecurity Fabric. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn more.
Selfie apps serve adware in the Google Play Store.
Wandera has discovered two popular selfie apps laden with adware in the Google Play Store. The apps, cheerily named "Sun Pro Beauty Camera" and "Funny Sweet Beauty Selfie Camera," had a combined total of more than 1.5 million downloads. The apps would remain active even after the shortcut was uninstalled, and could record audio at any time without user confirmation. Their primary functions were to present full-screen ads outside of the app. Both apps were swamped with negative reviews, but these were counterbalanced by presumably fake five-star reviews.
An update to Windows Defender released earlier this week broke the antivirus software's ability to perform Quick or Full scans, according to BleepingComputer. Users could still scan their files normally using Custom scans. Microsoft fixed the issue by Wednesday with security intelligence update v1.301.1684.0, Help Net Security says.
iOS 13 was released on Thursday, but observers including WIRED note that the initial release seems noticeably buggy. The Verge reports that the release still contains a lock screen exploit that could allow unauthenticated access to contact lists. Apple is releasing iOS 13.1 on September 24th, which will reportedly fix these issues. AppleInsider and others advise users who haven't upgraded already to hold off for a few days until iOS 13.1 drops.
The director general of the Royal Canadian Mounted Polices' National Intelligence Coordination Centre, Cameron Ortis, has been charged with breaching Canada's Security of Information Act and Criminal Code, the CBC reported last Friday. CNN quotes John MacFarlane of the Public Prosecution Service of Canada as saying, "Without going into too much detail, it is alleged he obtained, stored, and processed sensitive information, the Crown believes with the intent to communicate that information with people he shouldn't be communicating to." According to the Washington Post, Ortis had access to information shared by Canada's Five Eyes partners. The CBC cites Canada's Communications Security Establishment's preliminary assessment, which said "damage caused by the release of these reports and intelligence is HIGH and potentially devastating in that it would cause grave injury to Canada's national interests."
A 65-year-old Senegalese man living in the US pleaded guilty to identity fraud and theft of public property after living for thirty-one years under the stolen identity of a child who died in 1957, according to the San Diego Union-Tribune. Investigators discovered the fraud by linking his email address to a Facebook profile that contained pictures that matched the impersonator's DMV photos.
Andrei Tyurin, a Russian hacker extradited from the Republic of Georgia last year, will plead guilty to participating in the 2014 JPMorgan Chase hack, Bloomberg reports. Tyurin reached a plea agreement with Federal prosecutors and is scheduled for a plea hearing next week.
Courts and torts.
The 9th Circuit Court of Appeals reversed an earlier dismissal of a lawsuit filed by Enigma Software against Malwarebytes, MediaPost reports. Malwarebytes stated that Enigma's SpyHunter and RegHunter products use scare tactics to trick customers into buying subscriptions, and argued that Section 230 of the Communications Decency Act allowed them to flag Enigma's products as threats. Two out of three judges of the 9th Circuit disagreed, writing that "Section 230 does not provide immunity for blocking a competitor’s program for anticompetitive reasons."
A court in the British Virgin Islands ruled that the CEO and founder of Comodo, Melih Abdulhayoglu, cheated the family of his deceased business partner out of their shares in the company, according to the Telegraph. Around 100 other investors in Comodo may also benefit from the ruling. Abdulhayoglu could lose control of the business depending on the outcome of a second upcoming court battle over share ownership.
The US Commodities Futures Trading Commission (CTFC) announced that the Phillip Capital Inc., a Chicago based futures brokerage, will pay $1.5 million in restitution and penalties over the firm's response to a cyberattack that led to a customer losing $1 million, Reuters reports. The attack occurred in May after an employee fell for a phishing email. The CTFC said employees didn't follow the company's security procedures following the attack, and the chief compliance officer was unfamiliar with cybersecurity.
As part of an antitrust probe, the House Judiciary Committee has asked Amazon, Apple, Facebook, and Google to hand over detailed information about "financial data about their products and services, private discussions about potential merger targets and records related to 'any prior investigation' they have faced on competition grounds," the Washington Post notes.
Setting the Trap with Kevin Mitnick: Crafty Ways the Bad Guys Use Pretexting to Own Your Network
Today’s phishing attacks have evolved beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization to set the perfect trap. And pretexting is the key.
Join us for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, will show you how the bad guys craft such cunning attacks. And he’ll share some hacking demos that will blow your mind.
The US Treasury Department has levied sanctions on three North Korean hacking groups controlled by Pyongyang's primary intelligence agency, the Reconnaissance General Bureau. The three crews singled out are the Lazarus Group and two of its subgroups, Bluenoroff and Andariel. Treasury said the Lazarus Group was involved in the 2017 WannaCry attack and was "directly responsible" for the 2014 Sony hack. Bluenoroff is known for attacking the SWIFT financial transfer system and conducting various other "cyber-enabled heists" around the world. Andariel focuses on carding and ATM theft, in addition to conducting espionage against South Korea.
Many observers doubt that the sanctions will do much to deter North Korea's hacking, but most agree that calling the groups out is a good move. CrowdStrike's CTO Dmitri Alperovitch told the Washington Post that "this yet another indication of how forward-leaning the U.S. government’s position has become in a relatively short period of time on doing attribution of malevolent cyber actors. A few years ago, this type of action would have been unprecedented. Today it is routine."
Reports in Fifth Domain and Army Times this week suggest that the US Army is contemplating further decentralization of offensive cyber operations. Comments from Army representatives indicate that the Service increasingly thinks of cyberattacks the way it does calls for fire support. That is, if we’re to take the analogy seriously, that a call for cyber action could be made from a very low tactical level, answered quickly by a battalion-level organization.
JTF Ares, according to CyberScoop, is heavily engaged with ISIS. Action against ISIS presents some distinctive challenges, Fifth Domain says. The sometime Caliphate is not generally reckoned to show a high level of technical sophistication, but its resilience in cyberspace has lain in large part with its use of commercial infrastructure. That makes ISIS's online operations difficult to disrupt without doing unacceptably high and sometimes collateral damage. If cyber attack is analogous to fire support, may resemble fire support delivered during combat in a densely populated city.
Fortunes of commerce.
On Friday Facebook suspended about ten thousand apps (the work of some four-hundred different developers) that Facebook believes mishandled or misappropriated user data. The suspension is the result of the internal investigation begun in the wake of the Cambridge Analytica data-handling scandal. As the Washington Post notes, this matter is already enmeshed in various legal actions, and the discovery of more data abuse is likely to reinforce calls for closer regulation of the social network.
On Wednesday the Wall Street Journal reported that Huawei has been temporarily (at least) expelled from FIRST, the Forum of Incident Response and Security Teams. FIRST suspended Huawei because of US strictures related to security concerns about the company.
During a panel discussion at CISA's Annual National Cybersecurity Summit, government officials discussed how their agencies are dealing with the cybersecurity workforce shortage. Anne Neuberger, Director of NSA's Cybersecurity Directorate, said one of the primary ways NSA gets boys and girls interested in cybersecurity at a young age is through the agency's GenCyber camps for students across the country. Neuberger also noted that there are countless different aspects of cyber, and she pointed to community outreach as a way of getting people to realize that there may be aspects of interest to them. Tonya Ugoretz, Deputy Assistant Director of the FBI's Cybersecurity Division, said the Bureau is looking at aptitude testing to see if people have skills they might not be aware of. The FBI also focuses on developing its current employees' cybersecurity skills with six-month training sessions. Suzette Kent, Federal CIO of the Office of Management and Budget, said the White House is focused on alternative pathways to bring in cybersecurity skills from both inside and outside of the government.
Mergers and acquisitions.
HP Inc. on Thursday announced its acquisition of endpoint security shop Bromium, for an undisclosed amount. HP sees Bromium as "complementing and enhancing" HP's security platform with "hardware enforced application isolation and containment." Terms were not immediately disclosed.
Connecticut-based Owl Cyber Defense and Maryland-based Tresys Technology are merging after Owl's owner, DC Capital Partners, acquired Tresys. Owl's CTO told Jane's that the two companies are "very complementary" because Owl is practiced in hardware security while Tresys specializes in software security.
Switzerland-based cybersecurity provider Acronis has reached unicorn status after raising $147 million in a funding round led by Goldman Sachs, TechCrunch reports.
And security innovation.
The Australian Capital Territory Government and AustCyber have launched the Canberra Cyber Security Innovation Node, ZDNet notes. The Node has already been working with cybersecurity companies including Archtis, Cogito Group, Penten, and Quintessence Labs.
Startup foundry DataTribe is holding its second annual DataTribe Challenge to identify high-technology startups in cybersecurity and data science. Three finalists will split $20,000, and the winner will receive up to $2 million in seed capital from DataTribe.
Melissa Goldate, a cyber risk management and legal professional, has founded an invitation-only professional networking organization called Thraxos to bring together CEOs and founders of companies focused on artificial intelligence, cybersecurity, and data analytics.
Cybersecurity accelerator CyLon announced the nine companies selected for its tenth accelerator program. The companies are Astroscreen, a social media manipulation detection company; 418sec, which monitors for vulnerabilities in open-source code; YEO, a confidential communications platform provider; SIRP, a SOAR platform provider; OneClick, a secure cloud provider; Salvador Tech, a cyberattack recovery company; eXate, which specializes in data control access; Safetech, an industrial network security company; and Alterant, which offers "a platform for licensing, deploying and managing capabilities to markets such as smart cities, telecoms, finance, autonomous vehicles, emergency services and defense."
The city of Los Angeles and Goren Holm Ventures have partnered to host "Block Tank," a Shark Tank-style contest for blockchain startups.
Chris Lynch, who started the Defense Digital Service at the Pentagon, has launched Rebellion Defense, a company that develops software for defense and national security applications, according to Defense One. He hopes to draw Silicon Valley talent to Defense Department projects.
The Texas Manufacturing Assistance Center (TMAC) South Central Region, which is managed by the Southwest Research Institute, is offering services to help Federal contractors comply with the NIST cybersecurity framework.
The Slovak Spectator reports that ESET intends to anchor a Slovak version of Silicon Valley in its new campus along the Danube, in Bratislava. (We hope the well-known anti-virus and security company sends some jobs east toward Košice, too.)
Today's issue includes events affecting Afghanistan, Australia, Canada, China, Democratic Peoples Republic of Korea, Ecuador, Egypt, Iran, Qatar, Saudi Arabia, Slovakia, South Korea, Spain, Switzerland, United Arab Emirates, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.