The CyberWire Daily Briefing 01.05.16
Late December's cyber attack on a Ukrainian electrical utility has been linked to a variant of the BlackEnergy Trojan long disseminated by the "SandWorm" threat actors. The attack produced rolling blackouts in Western Ukraine, but ESET researchers believe the operation sought to affect a much wider area than a single oblast: they've found the malware in at least two other utilities' networks.
The attack was accompanied by a flood of calls to utility support centers, effectively distracting responders through misdirection and some telephony denial-of-service. BlackEnergy includes both persistence and file destruction functionality.
Ukraine's SBU security service unambiguously blames Russia for the operation (the Kremlin has not commented) and Western observers tend to agree. The nature of the attack, ongoing tension between Ukraine and Russia, and the absence of an obvious criminal motive strongly suggest state activity. Coming after revelation of Iranian reconnaissance of a small New York State dam's control system, this attack exacerbates concerns about infrastructure cyber vulnerabilities.
Hackers DDoS the Saudi Ministry of Defense to protest a leading Shiite cleric's execution. (Iran says the hackers are Saudi Shiites.)
As authorities hunt for "Jihadi John," the latest murderous online face of ISIS, the case for Daesh's effective use of crypto strikes observers as increasingly weak.
PlayStation succumbed to a DDoS attack last night (responsibility claimed by the PhantomSquad skids).
Emsisoft reports finding new Java-based ransomware, "Ransom32." It's evasive and works across several operating systems.
Cisco Jabber is vulnerable to man-in-the-middle attacks. No patch or workarounds are as yet available.
Notes.
Today's issue includes events affecting Canada, China, Estonia, European Union, Iran, Iraq, Ireland, Israel, New Zealand, Poland, Russia, Saudi Arabia, Syria, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Ukraine utility cyber attack wider than reported: experts (Reuters) A central European security software firm said on Monday that a cyber attack last month in Ukraine was broader than initially reported last week when the nation's secret police blamed a power outage on Russia
Hacker attack cuts power to half of Ivano-Frankivsk region (ТСН) Prykarpattyaoblenergo has named the cause of the power outage that occurred the previous day, December 23. The cause was a hacker attack, TSN reports
Ukraine faces world's first blackout caused by hackers (The NextWeb) While 2015 was rife with news of hackers stealing data from governments, health insurers and adultery sites, it looks like targeting our energy infrastructure might be the next big thing in cyberattacks
"Russian" BlackEnergy malware strikes at Ukrainian media and energy firms (SC Magazine) Cyber-criminals behind the BlackEnergy trojan made a comeback in 2015, launching attacks against media and energy companies in the Ukraine, according to infosec researchers
BlackEnergy Malware Caused Ukrainian Power Outage, Confirms Researchers (Tripwire: the State of Security) Researchers have confirmed that a variant of the BlackEnergy malware was behind a power outage that occurred around Christmas Eve last year
BlackEnergy APT is back, deleting files and killing computer systems (Help Net Security) The BlackEnergy APT — or SandWorm group, as some researchers call it — has been active since 2007 (at least)
BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal (Computerworld) The group recently attacked Ukrainian energy distribution and media companies causing power and data loss
Ukrainian media attacked using Black Energy (CERT-UA) Recently, several Ukrainian media outlets were attacked by unknown malicious actors during the days of the local elections. Only rather limited information about the successful hacker attacks directed at them was published online. CERT-UA was also contacted about this matter, and we consider it important to report some details
First known hacker-caused power outage signals troubling escalation (Ars Technica) Highly destructive malware creates "destructive events" at 3 Ukrainian substations
The Attack We Have Long Predicted Just Occurred: Highly destructive cyber attacks drop a power grid (CTOVision) An article posted in the Ukrainian news services TSN reported that massive outages suffered in the country were caused by highly destructive malware that infected at least three regional power authorities in Ukraine. The site reported that the only way to restore power was to return to manual methods, something that may be hard to do in other nations (including the U.S.)
Experts separate fact from hype in reports of Iranian hacking (Christian Science Monitor Passcode) Recent stories suggest that foreign hackers are making dangerous inroads into utilities, putting critical infrastructure at risk of devastating cyberattacks. Yet, experts say these breaches aren't cause for panic
The 'mind-boggling' risks your city faces from cyber attackers (MarketWatch) During a 2014 cybersecurity drill New York City officials held with intelligence agencies, the Federal Bureau of Investigation posed several scenarios. What if the city noticed that the 911 system had shut down? What if criminals attempted to coordinate a computer attack on emergency infrastructure with a physical attack?
DDoS Attack Shuts Down Saudi Ministry of Defense Website (Hack Read) A group of unknown hackers conducted a DDoS attack on Saudi Arabian Ministry of Defense website forcing it to stay offline for more than 24 hours
The Flaw in ISIS's Favorite Messaging App (Atlantic) And what it says about the difficulty of encryption
China hacked thousands of Hotmail accounts belonging to Tibetan and Uighur minorities (Security Affairs) After many years, Microsoft admitted that Chinese authorities hacked thousands of Hotmail accounts, belonging to China's Tibetan and Uighur minorities
PlayStation Network is Back Online, Phantom Squad Claims They DDoSed It (Hack Read) A few hours ago it was reported that Sony's PlayStation Network on PlayStation Vita, PlayStation 3 and PlayStation 4 was down worldwide
Difficult to block JavaScript-based ransomware can hit all operating systems (Help Net Security) A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers
Meet Ransom32: The first JavaScript ransomware (Emsisoft Blog) Software as a service (or SaaS) is a relatively new model of how a lot of software companies are conducting their business today — often to great success. So it comes as no surprise that malware writers and cyber crooks are attempting to adopt this model for their own nefarious purposes. In the past year a whole bunch of these "Ransomware as a Service" campaigns appeared, like for example Tox, Fakben or Radamant. Today we want to spotlight the newest of these campaigns
Ransom32: The first JavaScript ransomware (Internet Storm Center) We have all seen how ransomware is becoming a pretty common trend in cybercrime. Well, there is a new variant, and this one has been built using JavaScript. This malware fakes the NW.js framework. Once installed, it connects to its C&C server on the TOR network on port 85 to get the bitcoin address and the crypto key used for encryption
Cisco says chat client vulnerable to man-in-the-middle attack (SC Magazine) Californian tech giant Cisco has released an advisory statement explaining that its chat client Jabber is currently vulnerable to a man-in-the-middle attack
Cisco Jabber STARTTLS Downgrade Vulnerability (Cisco Security Advisory) A vulnerability in the Cisco Jabber client could allow an unauthenticated, remote attacker to perform a STARTTLS downgrade attack
STARTTLS downgrade vulnerability in the Cisco Jabber client (Synacktiv) The Cisco Jabber client exists for different platforms (Windows, iOS, BlackBerry, and Android). This software uses the Jabber protocol (XMPP), SIP and SRTP streams to help collaborators, but also partners and customers, to communicate more quickly and securely without running a VPN, as mentioned on the Cisco website
Researchers Out Default Passwords Packaged With ICS/SCADA Wares (Dark Reading) 'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords
18 million targeted voter records exposed by database error (CSO) There were 56 million voters in the database, and more than 18 million of them were further singled out with targeted profile data
The Curious Case of Creepy @FFD8FFDB Twitter Bot Spying and Posting Images (Hack Read) A while ago we reported on a creepy website that was showing live footage from 73,000 private security cameras. Now, a Twitter bot with the aforementioned account name is regularly posting uncanny images with random, incomprehensible pieces of text. Only recently, the man behind the bot has revealed that the bot posts images from unsecured webcams that it looks for and discovers
Scam IRS emails deliver malware payload (SC Magazine) Just in time for tax season in the U.S., scammers are once again using fake emails from the Internal Revenue Service (IRS) to launch attacks
Security bod watches heart data flow from her pacemaker to doctor via…er, SMS? 3G? Email? (Register) Wow, beats me
2015: The Year Of 'Attacks on Trust' (Dark Reading) Nine attacks that leveraged stolen, compromised, or unprotected cryptographic keys and digital certificates show how easy it is for cybercriminals to bypass security controls and hide their actions
Security Patches, Mitigations, and Software Updates
Google Patches Another Critical Mediaserver Vulnerability (Threatpost) Since last summer's Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives
Google Nexus devices will get their January Android security updates anytime now (Phone Arena) This past summer, following the two episodes of the Stagefright scandal, Google started delivering monthly Android security updates
Cyber Trends
Minimizing Risk in the Face of FCPA Compliance (Legaltech News) Mitratech's paper offers a way for organizations to keep afloat as compliance grows more complex, though not everyone agrees
Upheaval and Flux: Privacy and Data Security in 2015 and Beyond (Legaltech News) Examining the overarching trends and providing practical, actionable advice for managing risk and liability in such challenging times
Demanding accountability: The need for cyber liability (Help Net Security) GCHQ director Robert Hannigan pulled no punches last month when he stated that the free market is failing cybersecurity
Digital divide widens as the Web adopts stronger encryption standard (Christian Science Monitor Passcode) Because the switch to a newer encryption algorithm means older phones won't be able to use basic Web security measures, many in the developing world will be at greater risk from criminals and online surveillance
Marketplace
FireEye bucks tech weakness, rising 4.8% after getting Buy rating (Seeking Alpha) Though equity markets are down sharply, FireEye (NASDAQ:FEYE) has rallied after receiving a Buy rating and $35 target from Summit Research's Srini Nandury
3 Reasons FireEye Will Bounce Back in 2016 (Motley Fool) After a rough 2015, FireEye investors are hoping for a much happier new year
FireEye acquisition rumors resurface (FierceEnterpriseCommunications) Last spring, Cisco executives squashed rumors that it was planning to acquire network threat prevention vendor FireEye, but a Seeking Alpha article has brought those rumors to the forefront again
Israeli malware detection co TopSpin Security raises $7m (GLOBES) Investors in the cyber security startup include Shlomo Kramer, Mickey Boodaei, Zohar Zisapel, and Rakesh Loonkar
Maine entrepreneur's latest venture: Making the Internet safer for everyone (Portland Press Herald) The 38-year-old who — with his partner — sold OkCupid for $50 million in 2011 intends to bring encryption technology to the masses
Wynyard Group inks $27m deal with security agency (NBR) NZX-listed Wynyard Group says it has inked a $27 million deal with a "national security bureau"
Corero Network Security wins order for defence system (DigitalLook) AIM-listed online protection solutions provider Corero Network Security has won a significant order for its SmartWall Threat Defense System (TDS) from a US hosting provider valued at over $400,000 (£272,000)
Five cybersecurity names to follow in 2016 (CSO) A look at tech industry leaders who are influencing the cybersecurity industry
Products, Services, and Solutions
For the First Time, EU Workplaces Gain Full Visibility into the Connected Devices Posing Threats to their Networks (MarketWired via EIN News) Pwnie Express launches Pwn Pulse SaaS Platform in Europe to automatically detect the wireless and wired devices putting European businesses and critical infrastructure at risk
Security firm Guardtime courting governments and banks with industrial-grade blockchain (International Business Times) Guardtime is a cyber-security provider that uses blockchain systems to ensure the integrity of data. In a recent announcement, its technology will be used to protect the UK's nuclear power stations, flood-defence mechanisms and other critical infrastructure
A10 Networks Delivers Advanced DDoS Mitigation Service (CloudWedge) With recent high profile DDoS attacks happening to mainline news websites such as the BBC and others, the concept of protecting your data against a multi-vector DDoS attack is fresh on everyone's mind
HP tackles 'visual hacking' with privacy filters in laptop, tablet screens (IDG via CSO) HP wants to prevent Peeping Toms from stealing data with new privacy filters integrated in laptops
Technologies, Techniques, and Standards
Kid spends $5900 playing Jurassic World on Dad's iPad. Here's how to prevent that happening to you. (Naked Security) Nothing like memorizing dad's passwords — both for his iPad and his Apple ID — to buy all the scaly goodness your little heart desires
White House aims to engage private sector, international organizations in global cybersecurity standards development (FierceGovernmentIT) The Obama administration issued a strategy late last month that it hopes will better position the United States government to support the development of international cybersecurity standards
Testing for DNS recursion and avoiding being part of DNS amplification attacks (Internet Storm Center) Yes, it has been said too many times, but there are still too many DNS servers out there allowing recursion to devices outside their network, which could be used for DNS amplification attacks. How? The attacker sends a spoofed DNS request carrying the victim's IP address as the source, usually from a botnet. When the misconfigured DNS server answers, it sends the (much larger) response to the victim's IP address, causing a DDoS attack
IPv6 celebrates its 20th birthday by reaching 10 percent deployment (Ars Technica) Twenty years ago this month, RFC 1883 was published: Internet Protocol, Version 6 (IPv6) Specification. So what's an Internet Protocol, and what's wrong with the previous five versions? And if version 6 is so great, why has it only been adopted by half a percent of the Internet's users each year over the past two decades?
5 sins cybersecurity executives should avoid (CSO) With the advent of 2016, I was tempted to touch upon my thoughts on what the future of the cyberlandscape will hold, prognosticating trends and shifts and what the next big threat would be
Phpsploit — Stealth Post-Exploitation Framework (Kitploit) PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes
Tips to Protect Your Personal Information While Online (IRS Security Awareness Tax Tip Number 7) The IRS, the states and the tax industry urge you to be safe online and remind you to take important steps to help protect your tax and financial information and guard against identity theft. Treat your personal information like cash — don't hand it out to just anyone
Design and Innovation
The Nature Lover's Guide to Cyber Security (Wall Street Journal) Biomimicry is catching on in the cyber security field as engineers take inspiration from nature to develop improved technologies for protecting data and thwarting cyber crime
From sci-fi to real life: Government's changing role in tech innovation (C4ISR & Networks) Anyone who ever saw an episode of the original "Star Trek" TV series will recognize the similarity between a flip phone and the show's communicator, the device that Starfleet personnel use to talk to one another across vast distances with no need for wires and dials
Research and Development
On normalized compression distance and large malware (Journal of Computer Virology and Hacking Techniques) Towards a useful definition of normalized compression distance for the classification of large files
Legislation, Policy, and Regulation
The Top Five Cyber Policy Developments of 2015: United States-China Cyber Agreement (Council on Foreign Relations) Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2015. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2016. In this post, the United States-China Cyber Agreement
Canadian Financial Regulatory Organization Releases Cybersecurity Guides (Legaltech News) The two guides look to help investment dealers protect themselves and their clients against cyber attack
Approved — Cybersecurity Act of 2015 (Lexology) It is official, on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 ("CISA"), into law
Clearance Process Will Include Social Media Checks (Security Clearance Jobs Forum) One of the items included in the 2016 omnibus appropriations bill is the Enhanced Personnel Security Program. Why is this significant? Because it will direct agencies to screen social media sites twice within every 5 years as a part of the continuous evaluation process
IG questions DoD cloud computing oversight (FierceGovernmentIT) The Defense Department doesn't have a standard definition for cloud computing or a comprehensive inventory of cloud computing service contracts, according to findings in a recent DoD Office of Inspector General report
DoD Needs an Effective Process to Identify Cloud Computing Service Contracts (Inspector General, US Department of Defense) Our objective was to determine whether selected DoD Components performed a cost-benefit analysis before acquiring cloud computing services. In addition, we were to identify whether those DoD Components achieved actual savings as a result of adopting cloud services
DoD Gives Extension for Vendors to Implement NIST Cloud Security Requirements (ExecutiveGov) The Defense Department has issued an interim rule that amends a provision in the Defense Federal Acquisition Regulation Supplement to enable contractors to implement National Institute of Standards and Technology security requirements through Dec. 31, 2017
Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) (Federal Register (h/t Rogers Joseph O'Donnell)) DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to provide contractors with additional time to implement security requirements specified by a National Institute of Standards and Technology Special Publication
Air Force bolsters its cyber ranks by 40 percent (Defense Systems) With the projected completion of the Defense Department's Cyber Mission Force slated for 2018, the individual services are staffing up to fill their requirements to the overall force, expected to number more than 6,000
Head of Russia's military intelligence dies (Military Times) Russia's Defense Ministry says the head of the military's main intelligence service, Col.-Gen. Igor Sergun, has died at age 58
Litigation, Investigation, and Law Enforcement
Exclusive — Pete Hoesktra: NSA Spying on Congress Requires Suspending State of the Union Invite (Breitbart) Elected officials and leaders of the U.S. Intelligence Community (IC) must maintain the integrity of America's vast intelligence enterprise as a lawful, neutral, independent and fair arbiter of facts. Recent news that the Obama White House obtained intelligence containing private conversations of members of Congress and American Jewish organizations from the National Security Agency (NSA) suggests the integrity of our intelligence agencies has been undermined
Another View — Rand Paul: Fighting terror without sacrificing liberty (New Hampshire Union Leader) Recent revelations that the Obama administration abused the powers of the National Security Agency and spied on members of Congress are exactly why we need immediate reform of our government's lawless surveillance
The hunt to unmask the new 'Jihadi John' (Washington Post) The hunt is on to identify the new "Jihadi John," the masked, British-accented Islamic State militant who on a newly released video calls British Prime Minister David Cameron an "imbecile" and then helps slaughter five men suspected by the group of spying for Britain
Britain denounces Islamic State video showing 'spies' shot (Reuters) An Islamic State video showing a young boy in military fatigues and an older masked militant who both spoke with British accents is "desperate" propaganda from an organization that is losing ground, Prime Minister David Cameron said on Monday
London man says child in Isis video is his grandson (Guardian) Henry Dare tells Channel 4 that the boy is Isa, son of his daughter Khadijah, who left for Syria several years ago
Bumbling would-be UK bomber asked Twitter followers for target suggestions (Ars Technica) Once again, encryption was not used to cover tracks in any way
Microsoft back in court over US access to Irish servers — 'could have impact' on Safe Harbour talks, says firm (Computing) Microsoft is concerned that the upcoming recommencement of its legal battle to prevent the US government from accessing sensitive data in a data centre located in Ireland could have an impact on ongoing Safe Harbour negotiations between the EU and the US
Upcoming Events
cybergamut Tech Tuesday: The Threat Landscape and the Path Forward: Fundamentals of a Risk-Aware Organization (Elkridge, Maryland, USA, Jan 5, 2016) John McLaughlin of IBM Security provides a quantitative analysis of the attacks seen by IBM and the thousands of IBM customers in the preceding year. Specific attention will be paid to the protocols engaged, attack patterns, and trends seen in these attacks. In addition, these attacks are characterized by targets, time, and degree of success. Following the quantitative reporting, the remainder of the presentation focuses on an actionable plan for securing the enterprise. Simply describing the problem is no longer sufficient. This plan consists of a multi-step roadmap, a product-independent approach to securing the enterprise against the previously described attack vectors
CES CyberSecurity Forum (Las Vegas, Nevada, USA, Jan 6, 2016) Premiering at CES 2016 — the global stage for next generation technologies — The CyberSecurity Forum will bring together security experts and technology visionaries with executives and policymakers to tackle current and looming cyber security challenges. Registration is limited to ensure a highly interactive experience and opportunities for networking
FloCon 2016 (Daytona Beach, Florida, USA, Jan 11 - 14, 2016) The FloCon network security conference provides a forum for large-scale network flow analytics. Showcasing next-generation analytic techniques, FloCon is geared toward operational analysts, tool developers, researchers, and others interested in applying the latest analytics against large volumes of traffic
Breach Planning & Incident Response Summit: Proactive Collaboration Between Private Industry and Law Enforcement to Mitigate Damage (Odenton, Maryland, USA, Jan 12, 2016) The Cybersecurity Association of Maryland, Inc. (CAMI), Chesapeake Regional Tech Council, Maryland Chamber of Commerce, Chesapeake Innovation Center, and Tech Council of Maryland are partnering to host this event, designed to attract and educate CIOs, CISOs, CEOs and compliance officials from small to mid-sized commercial firms on the practical actions taken by the government, firms and organizations post-hack
Cyber Security Breakdown: Chicago (Chicago, Illinois, USA, Jan 12, 2016) This half-day session will provide you with the critical information you need to start formulating an effective response in the eventuality of a cyber security event. Rather than trying to handle the breach during the chaos of the event, you'll understand how to build, in advance, the best practices to respond effectively. Attend the Cyber Security Breakdown event that is focused on the unique issues and threats facing legal professionals
Insider Threat Program Development Training Course — Georgia (Atlanta, Georgia, USA, Jan 12 - 14, 2016) The National Insider Threat Special Interest Group website has some very "eye opening" examples of how "damaging and costly" an "insider threat incident" can be. The FBI Insider Threat Alert states companies victimized by current or former employees incur costs from $5,000 to $3 million. Is your company required to establish an Insider Threat Program per the requirements of NISPOM Conforming Change 2? Insider Threat Defense has trained a substantial number of U.S. Government Agencies (DoD, IC), Defense Contractors, Critical Infrastructure Providers, Aviation Security Professionals, and large and small businesses on Insider Threat Program Development and Insider Threat Risk Mitigation
FTC PrivacyCon (Washington, DC, USA, Jan 14, 2016) The Federal Trade Commission will hold in January a wide-ranging conference on security and privacy issues led by all manner of whitehat security researchers and academics, industry representatives, and consumer advocates
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
POPL 2016 (St. Petersburg, Florida, USA, Jan 20 - 22, 2016) The annual Symposium on Principles of Programming Languages is a forum for the discussion of all aspects of programming languages and programming systems. Both theoretical and experimental papers are welcome, on topics ranging from formal frameworks to experience reports
Automotive Cyber Security Summit — Shanghai (Shanghai, China, Jan 21 - 22, 2016) The conference, which brings together automakers, suppliers, various connected-services providers and security specialists, will focus on government regulations, emerging automotive cyber security standards and new products and solutions designed to deal with the growing threats
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
CyberTech 2016 (Tel Aviv, Israel, Jan 26 - 27, 2016) Cybertech is the most significant conference and exhibition of cyber technologies outside of the United States. Cybertech provides attendees with a unique and special opportunity to get acquainted with the latest innovations and solutions featured by the international cyber community. The conference's main focuses are on networking, strengthening alliances and forming new connections. Cybertech also provides an incredible platform for business-to-business interaction
Fort Meade IT & Cyber Day (Fort Meade, Maryland, USA, Jan 27, 2016) The Ft. Meade IT and Cyber Day is a one-day event held at the Officers' Club (Club Meade) on base. The event is held on-site, where industry vendors will have the opportunity to display their products and services to IT, Communications, Cyber and Intelligence personnel