US IC says Russia worked against Clinton campaign; President Obama orders investigation. More DDoS threats emerge even as police round up suspects. Ransomware offers decryption in exchange for collaboration.
Late Friday the US Intelligence Community reported that Russian intelligence services were acting against the candidacy of Democratic nominee Clinton during the US Presidential election. The evidence of intent to influence the election in favor of the Republican nominee consists largely of the dog that didn't bark—no Republican National Committee documents were leaked even as WikiLeaks vigorously doxed the Democratic National Committee. While some insiders say the Republican National Committee wasn't hacked, the general opinion is that they probably were, and that the take was withheld to influence the election. President Obama has directed an investigation. One interesting sidelight: the Russians appear to have been as surprised as anyone by President-elect Trump's success.
The State of Georgia's request that the Department of Homeland Security explain apparent attempts to penetrate the firewall around the state's election systems spawns an investigation. There are several possibilities: nefarious DHS attempts on the system, benign vulnerability scans, attack by a rogue employee, or nothing at all. The second seems likeliest, but investigation is in its earliest stages.
North Korea issues its customary denial of responsibility for malware found in South Korean military networks.
Motherboard outlines the record of companies selling lawful intercept tools to Syria's Assad regime.
War on the Rocks publishes an interesting overview of ISIS information operations, and why they work.
International police sweeps round up DDoS suspects.
Netgear works to patch flaws in its home routers.
An unusually repellent ransomware campaign offers free decryption in exchange for your infecting your neighbors.
Notes.
Today's issue includes events affecting Afghanistan, Australia, Bangladesh, Belgium, China, European Union, France, Germany, Hungary, India, Iraq, Democratic People's Republic of Korea, Republic of Korea, Lithuania, Netherlands, Norway, Pakistan, Portugal, Romania, Russia, Spain, Sweden, Syria, United Kingdom, and United States.
The CyberWire's regular daily Podcast will be out later this afternoon, with interviews, educational tips, and more on the stories of the day. Today, Emily Wilson from our partners at Terbium Labs talks about the availability of drugs and pharmaceuticals on the dark web. (They're there, but caveat emptor.)
A special edition of our Podcast is up as well—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
As always, if you enjoy the podcasts, we invite you to please consider giving them an iTunes review.
Cyber Attacks, Threats, and Vulnerabilities
Russian Hackers Acted to Aid Trump in Election, U.S. Says (New York Times) American intelligence agencies have concluded with “high confidence” that Russia acted covertly in the latter stages of the presidential campaign to harm Hillary Clinton’s chances and promote Donald J. Trump, according to senior administration officials
Trump team disputes Russian influence on US election (Boston Globe) An extraordinary breach has emerged between President-elect Donald Trump and the national security establishment, with Trump mocking U.S. intelligence assessments that Russia interfered in the election on his behalf, and top Republicans vowing investigations into Kremlin activities
We Must Be Hesitant To Frame Russian Cyber Hack As Necessarily “Pro-Trump” (The Pavlovic Today) It took only a moment for all media networks to adopt the Washington Post’s view on the CIA’s “confirmation” that Russia helped Trump get elected
Reince Priebus falsely claims no conclusive report whether Russia tried to influence election (Politifact) Reince Priebus, chairman of the Republican National Committee and President-elect Donald Trump’s incoming chief of staff, tried in an interview on Meet the Press to dismiss news reports that the CIA believes Russia aimed to boost Trump’s election chances
How Russian Hackers Can Blackmail Donald Trump—and the GOP (Daily Beast) If it is true that the Russians hacked the Republican National Committee as well as the DNC, then their power over POTUS potentially knows few bounds
North Korea denies involvement in cyber attack on South Korea's MND (IHS Jane's 360) North Korea has denied any involvement in a hacking attack against South Korea's Ministry of National Defense (MND), saying Seoul is pulling off "a childish plot" to divert public attention from a political crisis, Yonhap news agency quoted North Korea's state-run Uriminzokkiri website as saying
European Surveillance Companies Were Eager to Sell Syria Tools of Oppression (Motherboard) In 2007, Syrians could only access the internet through state-run servers, and services like Microsoft Hotmail and Facebook were sometimes blocked. But Bashar al-Assad, who had been head of the Syrian Computer Society before becoming president, knew the internet would inevitably spread more, and he knew he had to tighten his grip over it
Lighting the Path: The Story of the Islamic State's Media Enterprise (War on the Rocks) The Battle for Mosul kicked off earlier in the fall and this campaign to end Islamic State control of the historic city continues. As Patrick Ryan and Patrick Johnston noted recently in War on the Rocks, this will not be the end of the Islamic State movement any more than its defeat in 2007 in the face of the “surge” and the Awakening movement. It is likely that nothing can convince this movement’s core leadership and dedicated members to give up their political vision of achieving the Caliphate. While its products are often examined by analysts for its influence on foreign fighter migration or macabre efforts to terrorize its enemies, the Islamic State’s media department itself is understudied — a remarkable oversight since it was a crucial part of keeping the dream of a Caliphate alive during the dark years of 2008 to 2011
Attackers use hacked home routers to hit Russia's 5 largest banks (CSO) The routers were likely hacked through a recent vulnerability in the TR-069 management protocol
CERT Warns Users to Stop Using Two Netgear Router Models Due to Security Flaw (Bleeping Computer) The United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security (DHS), has published a security alert yesterday, warning owners of Netgear R6400 and R7000 models against using their routers for the time being, because of a severe security flaw
Netgear working to fix flaw that left thousands of devices open to attack (CSO) Several routers in the Nighthawk line affected, CERT recommends customers discontinue use
Mirai - now with DGA (SANS Internet Storm Center) Shortly after Mirai was attributed to massive DDOS on OVH and Brian Krebs the source code for Mirai was released on Github. This was a double edged sword. It gave security researchers insight into the code, but it also made it more available to those who may want to use it for nefarious purposes. Within days Mirai variants were detected. Now Chinese researchers Network Security Research Labs are reporting that recent samples of Mirai have a domain generation algorithm (DGA) feature. The DGA is somewhat limited in that it will only generate one domain per day, so a total of 365 total domains are possible and they are all in the .tech or .support TLDs. Further investigation reveals that some of these possible domains have already been registered, presumably by the Mirai variant author
Now Mirai Has DGA Feature Built in (Network Security Research Labs) Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports of 7547 and 5555) were found being used to spread MIRAI malwares. My colleague Gensheng quickly set up some honeypots for that sort of vectors and soon had his harvests: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers
The TalkTalk Situation Gets Even Worse (Router Check) The situation with British ISP TalkTalk has become even worse as a variant of the Mirai worm has allowed hackers to create a large botnet from its subscribers’ routers and the ISP’s response has been insufficient
Points mean prizes in gamified DDoS platform (Beta News) Gamification is increasingly used by business as a means of enhancing the usability of software. But now it seems hackers are exploiting the technique too
Malicious exploit kit targeting Internet Explorer users, on global scale (Security Brief NZ) Researchers at ESET have discovered a new exploit kit spreading through the internet via malicious ads on reputable websites with high traffic
Tesco Bank debit cards risked cyber crime, warn rivals (Financial Times) FCA is checking if other banks also used sequential numbers
Your neighbourhood ATM may turn into a hacker’s paradise (Economic Times) The next time you queue up at the ATM for cash—an experience that has become increasingly onerous since demonetisation— it’s not just the long wait that should worry you
Linux Kernel up to 4.8.12 Fragmented IPv6 Packet Handler Net/Ipv6/Icmp.C Icmp6_Send Denial of Service (vuldb) A vulnerability was found in Linux Kernel up to 4.8.12. It has been rated as critical. Affected by this issue is the function icmp6_send of the file net/ipv6/icmp.c of the component Fragmented IPv6 Packet Handler. The manipulation with an unknown input leads to a denial of service vulnerability (kernel panic). Impacted is availability
Ransomware Gives Free Decryption Keys to Victims Who Infect Others (Threatpost) Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist
“Proof of Concept” Project Spawns Three Real-Life Ransomware Families (Virus Guides) Three new and real ransomware families have been spawned by the open-source CryptoWire ransomware project, which is uploaded as a “proof of concept” on GitHub
Scammers can trick Microsoft Edge into displaying fake security warnings (Hot for Security) Hopefully, by now, many readers will be aware of the scam messages that can pop up on your computer screen telling you that your computer may be at risk, and to call a special number for “technical support”
New Exo Android Trojan Sold on Hacking Forums, Dark Web (Bleeping Computer) Malware coders are advertising a new Android trojan that can be used for phishing banking credentials, intercepting SMS messages, locking devices with a password (ransomware-like behavior), and more
Hackers stole technical trade secrets from German steelmaker (Help Net Security) German-based ThyssenKrupp, one of the world’s largest steel producers, has announced that it has been the target of a cyber attack
Windows XP ‘still widespread’ among healthcare providers (Naked Security) Microsoft ended Windows XP support a couple years ago, and any veteran security practitioner will remember the constant barrage of malware hurled their way through trivial exploits of the old OS
London Councils Running Outdated Software (Infosecurity Magazine) Nearly 70% of London’s borough councils are using out of date operating systems, exposing them to greater cybersecurity risk, according to new research from Databarracks
Thieves Using Radio Jammers to Prevent Drivers from Locking Their Cars (Bleeping Computer) British police are warning drivers to check their doors after they use their remote key to lock their car because thieves may be using jammers to block door locking signals, leaving the vehicles unlocked
Black Hat Hackers: Counterfeit Coupons (Wapack Labs) Wapack Labs research into the hacker underground has uncovered a group of black hat hackers who claim to have taken over a coupon counterfeiting business
Vijay Mallya's Twitter account hacked, personal and sensitive information leaked (International Business Times) The hackers have dumped data on Mallya's bank accounts, business holdings, passwords and more
Security Patches, Mitigations, and Software Updates
Five-Year-Old Bait-and-Switch Linux Security Flaw Patched (Bleeping Computer) Maintainers of the Linux Kernel project have fixed three security flaws this week, among which there was a serious bug that lingered in the kernel for the past five years and allowed attackers to bypass some OS security systems and open a root shell
Verizon refuses to release Samsung’s Galaxy Note 7 software update (Fast Company) Verizon said today that it will not release a Galaxy Note 7 software update that would prevent all recalled devices from charging. The software update was just announced by Samsung in an attempt to make all recalled smartphones inoperable
Yahoo patches critical XSS vulnerability that would allow hackers to read any email (Mirror) Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email
Cyber Trends
Ransomware attacks against businesses increased threefold in 2016 (CSO) Kaspersky Lab recorded one ransomware attack every 40 seconds against companies in September
Webroot sheds light on the short, sharp lifecycle of phishing websites (Security Brief Asia) Phishing websites have shorter lifecycles than ever before, but their numbers are becoming much more prevalent - and Google, Paypal, Yahoo and Apple are the main targets, according to new Quarterly Web Update findings from Webroot
IoT - powered DDoS attacks and SCADA incidents will make top security headlines in 2017, Bitdefender predicts (Global Security Mag) Bitdefender experts predict a marked rise in IoT attacks against individuals and companies alike, continuing trouble with encrypting ransomware, IoT botnets, adware and the revival of darknet markets for illegal goods and services
Corporate Lawyers at Risk as Cyberattacks Target IP, 'Legal Data' (Corporate Counsel) A SANS Institute Survey found cybercriminals are increasingly shifting their focus toward attorney-managed enterprise data
On the Fifth Day of Christmas, the Industry Predicted…More Social Media Attacks (Infosecurity Magazine) The festive season is upon us and Christmas is approaching fast! The big day will be here before we know it and soon many of us will be enjoying some hard-earned time off as we enjoy the holiday season and welcome a new year
On the Sixth Day of Christmas, the Industry Predicted…a Big Year for IoT (Infosecurity Magazine) The run up to Christmas is in full swing and we’ll be ushering in a new year in no time at all. So as we bid farewell to 2016 and a very busy 12 months for the cybersecurity world with a plethora of breaches and incidents making the headlines across the globe, what are the experts predicting about what we can expect to come up against in 2017?
Marketplace
Security startup Wallarm raises $2.3M after going through Y-Combinator (TechCrunch) Back in 2013 we covered the seed funding of Wallarm, a “next gen” web security startup which aimed to protect businesses from application level hacker attacks. The team of ex-white hat hackers had previously helped Russian companies like Mail.ru, Yandex, and Parallels to block security threats. It’s perhaps little surprise that, with Russia being a tough place to raise money these days, Wallarm re-appeared in the US
IPO Market Loses Again as KKR Buys Optiv From Blackstone (Wall Street Journal) The sleepy market for new listings lost another deal Tuesday to a buyer with deep pockets
Accenture acquisition made with an eye to improve cybersecurity for federal agencies (GSN) In a move designed to extend its advanced cyber defense and response service capabilities in support of the U.S. federal government, Accenture (NYSE:ACN) has completed its acquisition of Defense Point Security LLC (DPS). DPS is now a wholly owned subsidiary of Accenture Federal Services (AFS). Terms of the transaction are not being disclosed
Products, Services, and Solutions
Viewpost Receives 2017 CSO50 Award From Leading Security Resource Publisher (Yahoo! Finance) Viewpost, the secure B2B network for electronic invoicing, payments and cash management, has been named an honoree of a 2017 CSO50 Award from IDG’s CSO. This prestigious honor is granted to a select group of organizations that have demonstrated that their security projects and initiatives have created outstanding business value and thought leadership for their companies
Rosoka Analyst Overview (Rosoka) Imagine turning big data into smart information
OpenVPN to get two separate security audits (Help Net Security) Private Internet Access (PIA) announced that they have contracted noted and well-reputed cryptographer Dr. Matthew Green to perform a security audit of OpenVPN. However, it seems that there will be two separate security audits of OpenVPN
Blockchain Startups Suggest New Approaches to Counter Cyberattacks and DNS Poisoning (CoinTelegraph) Banks, financial institutions, government agencies and large corporations are still struggling to deal with cyber attacks and DNS poisoning, that often lead to billions of dollars in losses every year. Several Blockchain startups are attempting to solve the Internet’s vulnerability issues by integrating an immutable and public ledger into the Internet’s existing framework
Cisco Systems is Working Smarter Not Harder With ITAM (Satellite PR News) Continuum GRC provides Cisco Systems with next generation governance, risk, and compliance platform
Pulse Secure Expands Secure Access Platform Hosting To Europe (Source Security) The launch is part of an ongoing commitment to meet the local data protection needs of Pulse Secure's global customer base
FPC Tops Deloitte EMEA Rankings (Find Biometrics) Fingerprint Cards has been ranked first in the Deloitte Technology Fast 500 EMEA program, which Deloitte describes as “an objective industry ranking that recognizes the fastest-growing technology companies in Europe, the Middle East, and Africa” for the past four years
USAF accepts Lockheed Martin's SBIRS Block 10 ground system (Air Force Technology) The US Air Force (USAF) has accepted Lockheed Martin's newly upgraded space-based infrared system (SBIRS) Block 10 ground system, designed to support missile warning, missile defence, battlespace awareness, and technical intelligence
Malwarebytes Anti-Exploit Standalone information (ghacks) Malwarebytes 3.0, released a couple of days ago, marks a big jump from the company's previous policy of releasing individual security tools
Digital Rights Foundation Launches Pakistan’s First Ever Cyber Harassment Helpline (Feminism in India) Digital rights are not a very commonly known section of the human rights issues – especially in the South Asian context. The masses are unaware of the effects that their presence in online spaces can have and are often oblivious of the crimes they commit while being in digital spaces. Education regarding digital rights and privacy is in a very nascent phase right now in the South Asian countries – particularly in countries like Pakistan, India, Bangladesh, Afghanistan etc. Though there are organizations working to raise awareness regarding privacy and digital rights and responsibilities, the number is limited and the burden is overwhelming
Technologies, Techniques, and Standards
New minimum code signing requirements for use by all CAs (Help Net Security) The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of web security, announced the Code Signing Working Group has released new Minimum Requirements for Code Signing for use by all Certificate Authorities (CA)
Buying stolen data (TechCrunch) Think about your most prized possession. Imagine it in your mind’s eye. Maybe it’s a family heirloom, or something a close friend gave you, or something you worked hard to afford. Now imagine it gets stolen
5 Questions to Ask your IoT Vendors; But Do Not Expect an Answer. (SANS Internet Storm Center) This year shapes up to become the year that IoT exploits started to become "mainstream news." Mirai, car hacking, and ubiquitous router exploits are now being discussed outside security conferences. One question that comes up from time to time is what a "minimum standard" could look like for IoT security. Today, default passwords and basic web application security flaws are the number one issue. But we all know that as one vulnerability is being patched, two more are discovered. Asking vendors to deliver a "vulnerability free" product is not realistic. So what should we ask our vendors?
Give the gift of a social engineering demo this Christmas (Naked Security) Wondering what gifts to give your coworkers this Christmas?
Never Stand Alone: Collaboration In The Face Of Cyber Threats (Information Security Buzz) The world’s increasing interconnectivity has given rise to greater efficiency and the easier exchange of data. However, as networks become borderless and institutions freely exchange data with partners, a data breach in one organisation’s network can now provide hackers with an avenue into multiple other companies. Before any can respond, a chain reaction of breaches
12 tips for implementing secure business practices (Help Net Security) Optiv Security shared a list of a dozen tips for implementing secure business practices during the 2016 holiday season. Security experts developed these recommendations to help security and IT teams better prepare their companies and employees to address the increase in cyber threats that occur during this time of year
Design and Innovation
Op-ed: I’m throwing in the towel on PGP, and I work in security (Ars Technica) “If you need to securely contact me... DM me asking for my Signal number”
Learning in the Dark: Lessons Learned in Unsupervised Learning (CyberPoint) CyberPoint has seen great success in using supervised machine learning for malware detection. A while back, however, some colleagues and I set out to investigate whether we could make any interesting discoveries by applying unsupervised learning to CyberPoint's malware dataset
Research and Development
Can Blockchain Technology Secure Digital Voting Systems (PRNewswire) Kaspersky Lab challenged 19 universities with protecting e-Voting from cyberattacks in competition; awards three top finalists
Experts unsure if cyber attribution research will yield results (TechTarget) Georgia Tech received a contract to research the science of cyber attribution, but experts disagree on whether it is possible to succeed in this endeavor
Legislation, Policy, and Regulation
China’s Cybersecurity Law: Game over for foreign firms? (IDG Connect) The “de-Americanisation of China’s IT stack” has taken another major step forward with the introduction of the new Cybersecurity Law. It not only enshrines strict new rules for foreign companies in various industries trading in China, but will also further restrict the online freedoms of citizens inside one of the most surveillance-coated nations on earth. But while the reports talk of “dismay” and “rattled” foreign multi-nationals, did they really think it would be any other way?
Understanding Beijing's Cyber Priorities (Cipher Brief) The decentralized and global nature of the Internet is both an asset and a burden of our modern era. It provides resilience for our communication pathways and facilitates commerce and cultural exchange, yet also enables abuse like terrorist planning and recruitment, as well as criminal activity on a global scale. Less tangibly, but equally important, it poses serious challenges to traditional conceptions of sovereignty, rule of law, and privacy. Data continuously flows across national borders and is stored on servers beyond individual nations’ legal jurisdictions, creating technical loopholes for predatory actors; all while encryption lends anonymity to dissidents, criminals and terrorists alike
3rd US & China Joint Dialogue on Cybercrime and Related Issues (American Security Today) On December 7, 2016, in Washington, D.C., Attorney General Loretta E. Lynch and Department of Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor and Minister of the Ministry of Public Security Guo Shengkun, co-chaired the third U.S.-China High-Level Joint Dialogue on Cybercrime and Related Issues
US Congressional report warns that China is getting even better at stealing US military technology and secrets (Next Big Future) US intelligence agencies determined that several years ago China stole secrets relating to the F-35 jet fighter from a US contractor. The design secrets were detected in China’s new J-20 stealth fighter and the J-31
Espionage Strategy: Russia's Long View vs. America's Short-Term Goals (Cipher Brief) As part of our special coverage of Foreign Influence, Domestic Division: Russia, the 2016 Election, and Trump’s Rebuke of the U.S. Intelligence Community, The Cipher Brief’s Executive Editor Fionnuala Sweeney speaks to Rob Richer, former CIA Associate Deputy Director for Operations and formerly chief of Russian Operations. She asked him for his opinion on Russia’s objectives and how it conducts itself in the field of espionage
Bill to Elevate Cybercom Heads to Obama’s Desk (NextGov) A major defense policy bill that elevates U.S. Cyber Command to a full combatant command is on its way to President Barack Obama’s desk after the Senate voted overwhelmingly for passage Thursday
How President Trump Can Make American Intelligence Great Again (National Review) Eliminate the director of national intelligence and put the CIA back in charge
Will Vulnerable U.S. Electric Grid Get a New Protection Mandate? (Brink News) In the new Trump administration, protecting the electric grid will likely be a topic that garners serious attention, owing to President-elect Trump’s stated intentions to invest in upgrading and modernizing America’s energy infrastructure, which dovetails into another of his priorities: a strong focus on national security issues
The Marine Corps Is Looking For A Few Good Nerds: Gen. Neller (Breaking Defense) No thank you, Donald Trump. While the President-Elect wants to boost Marine Corps combat units by 50 percent — with 12 new battalions of infantry and one of tanks — the Commandant of the Marine Corps respectfully suggested that there are other additions the Marines need more. Don’t think good old-fashioned grunts: Think warrior nerds
Trump Proposes Lifetime Ban on Defense Firms Hiring DoD Contracting Officials (Defense News) President-elect Donald Trump has put forth the idea of banning the defense industry from hiring former Pentagon contracting officials, just days after creating a stir in the defense industry by saying Boeing's contract for an Air Force One replacement should be cancelled
Litigation, Investigation, and Law Enforcement
Obama orders review of US election amid Russian hacking concerns (Christian Science Monitor Passcode) After reports of "malicious cyberactivity" during the election season, Obama's top counterterrorism adviser Lisa Monaco says key stakeholders need fuller answers
Obama orders intel probe of election hacks (SC Magazine) After months of allegations that Russia had interfered in the presidential election through a series of cyberattacks on organizations and people affiliated with the Democratic party and calls for review from lawmakers on both sides of the aisle, President Obama directed U.S. intelligence agencies to conduct a full investigation and deliver a report before he leaves office January 20, according to the president's homeland security and counterterrorism adviser Lisa Monaco
Homeland Security investigating ‘cyber attack' against Secretary of State's office (WSB TV 2) The United States Department of Homeland Security is responding to a letter from Georgia’s Secretary of State after an apparent cyber attack, trying to breach the firewall of the department’s computer system
Exclusive: DHS Says Georgia Hack May Have Been Rogue Employee (Lifezette) Officials tell members of Congress the attack on state firewall could have been inside job
No, there’s no evidence (yet) the feds tried to hack Georgia’s voter database (Ars Technica) State election official bungles the case that DHS tried to breach his office
Law enforcement operation targets users of DDoS tools (Help Net Security) From 5 to 9 December 2016, Europol and law enforcement authorities from Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States carried out a coordinated action targeting users of DDoS tools, leading to 34 arrests and 101 suspects interviewed and cautioned
Russian Authorities Make Arrests In Wake Of Central Bank Cyberattack (Dark Reading) Arrests in the $19-million theft were made in a joint operation by FSB and Interior Ministry, says central bank official
US: Case Challenges Mass Internet Surveillance (Human Rights Watch) A federal appeals court heard oral argument on December 8, 2016, in Richmond, Virginia, in the case brought by the American Civil Liberties Union on behalf of a broad group of organizations challenging the National Security Agency’s mass interception and searching of Americans’ international internet communications
Another Lawsuit Highlights How Many 'Smart' Toys Violate Privacy, Aren't Secure (TechDirt) So we've talked a bit about the privacy implications of smart toys, and the fact that people aren't exactly thrilled that Barbie now tracks your children's behavior and then uploads that data to the cloud. Like most internet-of-not-so-smart things, these toys often come with flimsy security and only a passing interest in privacy. As such we've increasingly seen events like the Vtech hack, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
SANS Cyber Defense Initiative 2016 (Washington, DC, USA, Dec 10 - 17, 2016) Make plans to attend SANS Cyber Defense Initiative 2016 (CDI). SANS is the one educational organization known for developing the cybersecurity skills most in need right now. SANS Cyber Defense Initiative 2016 will feature courses in IT security, security management, IT audit, penetration testing, and computer forensics, including short courses that can be taken with a long course to enhance your training. Every course, evening talk, and special event is designed to equip you with cutting-edge knowledge and skills required to combat today's cyber criminals. SANS events offer you a unique opportunity to learn from the best cybersecurity teachers in the country. At SANS events you get the kind of hands-on, immersion training that you can put to work immediately
Privacy, Security and Trust: 14th Annual Conference (Auckland, New Zealand, Dec 12 - 14, 2016) This year’s international conference focuses on the three themes of Privacy, Security and Trust. It will provide a forum for global researchers to unveil their latest work in these areas and to show how this research can be used to enable innovation. The main aims of the conference are: To highlight the innovative research happening globally with three main themes: Privacy, Security and Trust. Academics from across the globe will come together to discuss solutions related to PST risks and to showcase the research methods that are able to minimise future cybercrime issues. To foster new ideas and conversation in order to reduce the amount of PST issues globally and to create enduring change in the behaviour and attitudes towards PST. To draw together PST practitioners, researchers, and government to showcase the latest PST research outputs and initiatives. We envisage that industry participants will implement the PST initiatives that are discussed and showcased at the conference into their practice.