OSCE hacked (Fancy Bear is the animal-of-interest). US still mulling retaliation for Russian network intrusions, influence operations. Leet offers Mirai some DDoS competition. New Android threats.
The Organisation for Security and Cooperation in Europe (OSCE) sustained a cyber espionage attack last month. OSCE disclosed the attack yesterday, but said it had insufficient evidence to attribute it to any particular actor. Le Monde is not so coy: their sources (in an unnamed "western intelligence service") tell them it's Fancy Bear. OSCE is an intergovernmental human rights and confidence-building organization that has been monitoring the fighting in eastern Ukraine.
Fancy Bear is widely believed to be Russia's GRU, and is generally thought responsible for supporting Russian hybrid warfare in Donbass and compromising networks of US political parties during the last election cycle. That latter activity may still prompt long-threatened US retaliation—Senators are talking about sanctions, and observers think covert US cyber operations against Russian targets a possibility.
Another large distributed denial-of-service attack was observed before Christmas. Imperva says its Incapsula network mitigated a 650 Gbps attack that had nothing to do with any Mirai botnet. Mirai exploits IoT devices, but IP spoofing has so far made it impossible to determine what devices were compromised into this new botnet, called "Leet." Unlike Mirai, Leet used relatively large SYN packets in its attack traffic.
Two threats affecting Android systems come to light. One, the "Switcher" Trojan, gets to TP-Link routers via Android devices on the routers' WiFi networks, then hijacks DNS settings. The second threat is to smart TVs—a Cyber.Police ransomware variant bricks LG TVs. LG seems to have been able to help affected customers unbrick their sets.
Notes.
Today's issue includes events affecting Canada, China, Germany, India, Israel, Democratic People's Republic of Korea, Nigeria, Russia, Ukraine, and United States.
A note to our readers: New Year's Day falls on Sunday, and so we'll take a break on Monday, January 2nd. Other than that we'll publish on our normal schedule. Best wishes for the new year from all of us at the CyberWire.
You can find information security lessons everywhere. We think we see some in the new Star Wars flick, "Rogue One." Here's a thought: the Empire's contractors on Eadu were apparently less than fully NISPOM compliant. Didn't Director Krennic require them to self-certify? (For background on NISPOM, see this account of a CRTC symposium, and lawyer up, padawans. Even the Empire has privacy and employment laws. We're pretty sure...although Krennic's HR policies seem a little strict...)
The CyberWire podcast this week offers a series of end-of-year long-form (but still brief) episodes. We're running extended interviews that include never-before aired conversations with some of our most interesting partners and guests. Our normal programming returns on January 3rd. If you've been enjoying the podcasts, please consider giving us an iTunes review.
You may also find the special edition of our Podcast of interest—the topic is venture capital. In it we examine the current state of investment in cyber security, speak to experts in the field, and learn from top cyber security-focused venture capitalists about what they expect before they invest.
Cyber Attacks, Threats, and Vulnerabilities
Russia suspected of being responsible for a cyber attack against the OSCE (Le Monde) The Vienna-based organisation, tasked among other things with observing the ceasefire in Ukraine, has been the target of a large-scale attack attributed to Moscow
OSCE victim of cyber attack (Reuters) The Organisation for Security and Cooperation in Europe has been the target of a cyber attack, a spokeswoman said on Wednesday
Group That Monitors Ukraine Conflict Suffers Cyber-Attack (ABC News) The organization charged with monitoring the Russia-fomented conflict in eastern Ukraine confirmed on Wednesday that it suffered a data breach “compromising the confidentiality” of its computer network
Is Russia Responsible for a Cyber Attack Against the OSCE? (Foreign Policy) The Organization for Security and Cooperation in Europe, a rights watchdog that for more than two years has monitored the ground war between Ukrainian forces and Russian-backed separatists, acknowledged Wednesday it had been hacked. The likely culprit, according to Le Monde: Russia
Malware in Ukraine armed forces app linked to DNC hackers (SC Magazine) A malicious remote access toolkit recently found in an app used by Ukrainian military forces is an Android version of the same proprietary malware that helped hackers steal files from the Democratic National Committee, researchers from CrowdStrike have reported
Another Massive DDoS Closes Out 2016, But Mirai Not To Blame (Dark Reading) Using a new malware variant called Leet, the 650 Gbps DDoS attack matched Mirai's floods of traffic
650Gbps DDoS Attack from the Leet Botnet (Imperva Incapsula) As the end of the year approaches, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks
Switcher Android Malware Hacks TP-Link Routers, Changes DNS Settings (Bleeping Computer) An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them
Android Trojan Switcher Infects Routers via DNS Hijacking (Threatpost) A new Android Trojan uses victims' devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn't target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices
LG Smart TV Screen Bricked After Android Ransomware Infection (HackRead) The victims have been asked to pay $500 to get their TV unlocked
Android Ransomware Infects LG Smart TV (Bleeping Computer) Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs
Ransomware Economics: Why the Threat is Here to Stay (Infosecurity Magazine) The concept of extorting a victim for money is nothing new; in fact it's older than the internet by many centuries. Over the years, however, malware has evolved from spying on users and harvesting information, to promoting malicious links for clickbait, to the current straightforward tactic of 'give us your money'
Security Alert: GootKit and Godzilla Infostealers Target Victims’ Financial Information (Heimdal Security) These examples show how cyber attackers operate to collect & steal your financial data
Updated Sundown Exploit Kit Uses Steganography (Trend Micro) This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation
'Frequent flyer points put at risk by website flaws' (BBC News) Airline booking systems lack basic security checks that would stop attackers changing flight details or stealing rewards, warn experts
Holiday Inn Parent IHG Probes Breach Claims (KrebsOnSecurity) InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations
Agent applications for Nevada’s medical marijuana program exposed (CSO) Altering the URL enables anyone to view submitted applications
Facebook Doesn’t Tell Users Everything It Really Knows About Them (Pro Publica) The site shows users how Facebook categorizes them. It doesn’t reveal the data it is buying about their offline lives
Security Patches, Mitigations, and Software Updates
Critical PHP 7 flaws detected and patched, Check Point (SC Magazine) Security researchers found three zero-day vulnerabilities in PHP 7, all of which could prove extremely dangerous to any site using the web programming language
Cyber Trends
How Artificial Intelligence Will Solve The Security Skills Shortage (Dark Reading) Unlike industries that fear the intrusion of AI, the infosec world is embracing this revolutionary technology, and the seismic changes it will bring to threat detection and mitigation
Four New Normals for 2017 (Threatpost) Let’s not talk about cybersecurity predictions for 2017. Let’s talk instead about new normals, things that have ceased to be novel because, well, they happen all the time and everywhere
What's Ahead for 2017: Predictions from the RSAC Advisory Board (RSA Conference) After an eventful year, it can be comforting to put a framework around the uncertainty of the future and try to look ahead at what next year may bring. And it’s in that spirit that we talked to the RSA Conference Advisory Board to find out what they think will happen in the world of cybersecurity as we enter 2017
Encryption in 2016: Small victories add up (Computerworld) The move from SHA-1 to SHA-2, a Congressional victory over backdoors, and the rise of encrypted communications are leading us toward a more secure world
Burrowing Bad? Ransomworms Deepen Crypto-Ransomware Threats in 2017 (IBM Security Intelligence Blog) What’s worse than ransomware? Ransomworms. According to CSO Online, 2017 may be a rough year for information security teams. Combined with evolving cryptography and ransomware techniques, cybercriminals are hoping to burrow even deeper into corporate networks. Here’s a look ahead
Gemalto Index highlights credentials concern (Planet Biometrics) Gemalto has released the findings of its Authentication and Identity Management Index, which revealed that 90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security. However, with two thirds (68%) saying they would be comfortable allowing employees to use their social media credentials on company resources, Gemalto’s research suggests that personal applications (such as email) are the biggest worry to organisations
2017 – the tipping point for data being outside your control? (IT Pro Portal) More companies are betting on public Cloud services and applications
66 Percent of U.S. Consumers Have Given Their Phone Passcodes to Others (eSecurity Planet) One in four said something embarrassing has popped up on their phone while someone else was holding it, a recent survey found
Marketplace
Cyber attack will topple major company next year, business lobby group warns (Belfast Telegraph) A cyber attack will topple a major company next year as firms face a growing threat to their security systems from online hackers, according to an influential business lobby group
How Companies Need to Address Cybersecurity Risks in 2017 (Wall Street Journal) Peter Beshar, executive vice president and general counsel of Marsh & McLennan Companies, a global professional services firm that includes Marsh, an insurance brokerage and risk advisor, speaks about the current state of cyberthreats, what companies should be doing to protect themselves and the potential impact the Trump administration will have on cybersecurity
FireEye Inc's Best Moves in 2016 (Fox Business) I've generally been bearish on FireEye (NASDAQ: FEYE), the once-promising cybersecurity firm that lost over 40% of its value in 2016. The company's declining revenue growth, widening GAAP losses, unstable cash flow, and executive exodus all indicate that the stock could fall further next year. However, those challenges shouldn't completely overshadow its accomplishments this year. Let's take a look back at three of FireEye's smartest moves in 2016
Machine learning and artificial intelligence to get massive VC boost – FX automation generation nearing? (Finance Feeds) Pitango is a specialist in financing very successful FX industry ventures. Now the VC firm has launched a $175 million fund for machine learning and artificial intelligence. We take a close look at why this matters and where it will help firms develop and grow
Agencies embrace bug bounty programs (Government Matters) Federal Times editor Aaron Boyd discussed the proliferation of bug bounty programs across government and the January launch of Sightline Media Group’s new cybersecurity hub, FifthDomain.com
US Air Force Awards Satellite Anti-jamming Contract to Raytheon (Defense News) Raytheon has been awarded a $37 million Air Force contract to support anti-jamming efforts for satellite communications
illusive networks named 'Industry Innovator' by SC Magazine (GSN Magazine) illusive networks today announced that its pioneering Deceptions Everywhere® cybersecurity was selected by SC Magazine as a Next-Generation Security Monitoring and Analytic Innovator in its award-winning annual Reboot '16 Innovators issue
Former FCI Exec Julie Mehan Named MetroStar Systems Director of Cybersecurity Strategy and Alignment (GovConExecutive) Julie Mehan, former Femme Comp Inc. principal cybersecurity analyst, has been appointed as MetroStar Systems' new director of cybersecurity strategy and alignment as part of that company's push to expand its cybersecurity capacity and thought leadership
Products, Services, and Solutions
5 Great 'Starter' Cybersecurity Certifications (Business News Daily) Looking for a career change in the new year? There's no better time to consider a career in cybersecurity: U.S. businesses and government agencies are spending billions of dollars each year to protect their data and assets from malicious attacks, with Forbes reporting that $170 billion will be spent worldwide by 2020
Secure your Chrome browser with the Avast Online Security extension (Windows Report) Google Chrome is the most popular browser among Windows users. Nowadays, hackers are extremely clever and use every possible gateway to reach their goals. In many cases, the main malware entry point is your browser
Here’s North Korea’s Totalitarian Android Tablet (Motherboard) When you think of North Korea, the first thing that springs to mind is probably not a well-featured tablet PC. But that's just what researchers at the Chaos Communication Congress hacking festival revealed on Tuesday
Technologies, Techniques, and Standards
FDA issues new security guidelines so that your pacemaker won’t get hacked (TechCrunch) This week, the US Food and Drug Administration issued a set of recommendations for securing medical devices that could jeopardize the safety and privacy of their users. The report, titled “Postmarket Management of Cybersecurity in Medical Devices,” focuses on security throughout the lifecycle of a device, emphasizing that robust cybersecurity is an ongoing process that requires maintenance and regular software updates, just like any non-medical piece of hardware would
Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (US Food and Drug Administration) The Food and Drug Administration (FDA) is issuing this guidance to inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed and distributed medical devices. In addition to the specific recommendations contained in this guidance, manufacturers are encouraged to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device
The Non-Refundable Fundamentals: Estimating the Cost of a Data Breach (Infosecurity Magazine) Quantifying the financial impact of a data breach before it occurs is like assuming you can win roulette using insider trading. How is that? The average cost of a breach per record stolen today is roughly $221, according to research released earlier this year by the Ponemon Institute. Of that figure, one-third is a predictable direct measurement. When estimating the monetary ramifications of a data breach, calculating the direct costs for resolution matters – such as technical services and notifications – is easier than predicting indirect expenditures such as customer retention and employee loss
What is ISR in non-physical domains? (C4ISRNET) Ask commanders what they want more of, and one of the top responses is more intelligence, surveillance and reconnaissance. ISR has become a critical asset in planning operations and understanding trends within a commander’s battlespace. Non-physical domains and maneuver spaces are becoming more prominent in emerging and future conflicts. But how will commanders be able to “see” in cyberspace or the electromagnetic spectrum?
Are APT Reports Still Valuable or Have They Become Marketing Fluff? (LookingGlass) Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information
33C3: Understanding Mobile Messaging and Its Security (Hackaday) If you had to explain why you use one mobile messaging service over another to your grandmother, would you be able to? Does she even care about forward secrecy or what the difference between a private and a public key is? Maybe she would if she understood the issues in relation to "normal" human experiences: holding secret discussions behind closed doors and sending letters wrapped in envelopes
PayThink 'Threat intelligence' technology can fight big box data breaches (Payments Source) Financial institutions and e-commerce merchants have become targets of massive financial fraud as cyber criminals have used stolen payment card data from major data breaches, such as the ones involving Wendy’s restaurants in 2015, Home Depot in 2014, and Target in 2013 to make illegal purchases online
Design and Innovation
Mixing biology with technology: what could possibly go wrong? (Naked Security) If you were in the security business a dozen years ago, you’ll remember all the speculation around cellphone malware. The iPhone and other smartphones weren’t yet ubiquitous and attacks against such devices were discussed in the context of some distant future
Ford hits milestone in path to steering-wheel-less, pedal-less autonomous cars (Ars Technica) Company wants to mass-produce self-driving cars for ride-sharing services by 2021
Academia
Georgetown research center adds Farsight Security to industry member roster (GSN) The Security and Software Engineering Research Center at Georgetown University (S2ERC) announced today that Farsight Security, Inc., provider of the world's only real-time DNS intelligence, has become an affiliate member as S2ERC continues to expand its base of industry members
Legislation, Policy, and Regulation
China’s Cybersecurity Law Seeks Scrutiny Of Technology (Dark Reading) Country's top internet regulator releases framework for stricter cyberspace laws, including review of local and foreign technology
China renews calls for tighter cyberspace security (Pakistan Observer) China's top cybersecurity body reaffirmed its commitment to heightened cybersecurity surveillance on Tuesday, calling for increased scrutiny of local and foreign technology used in industries deemed critical to the national interest
‘Meltdown’ over international cybersecurity agreement (Naked Security) How do you keep dangerous exploit software away from bad guys (and countries) and still let the good guys (security researchers, white-hat pentesters) have it when they need it? It’s never been easy – and it’s even tougher when 41 countries need to agree. They’ve been trying all year… and, for the moment, they’ve just given up
Obama's options on Russian hacks range from covert to military (Bloomberg via the Chicago Tribune) President Barack Obama has vowed that the U.S. will respond to Russian hacking undertaken during the U.S. presidential campaign. Yet the public may never hear about it
U.S. senator says Russia can expect sanctions after cyber attacks (Reuters) Russia and its president Vladimir Putin should expect tough sanctions after cyber attacks during the presidential election won by Donald Trump, U.S. Republican Senator Lindsey Graham said on Wednesday
U.S. losing cyberwar, security chief tells NJ-Israel Commission (New Jersey Jewish News) Christopher Rodriguez, the director of New Jersey's Office of Homeland Security and Preparedness, warned members of the New Jersey-Israel Commission Dec. 20 that the United States is losing battles of cyberwarfare with "our adversaries"
CMAI Association of India emphasises the need for digital payment laws to check e-frauds (Tech2) As digital payments go up post-demonetisation, the country needs separate digital payment laws and digital payment courts should be established across India along with an appropriate legal framework, the CMAI Association of India (CMAI) said on Wednesday
Litigation, Investigation, and Law Enforcement
The 2016 Election Wasn’t Hacked, But the 2020 Election Could Be (Motherboard) After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election
Lawmakers urge Pentagon to probe Huawei deal (Washington Times) Three Republican members of Congress are urging Defense Secretary Ash Carter to investigate the security risks to American facilities and military forces in South Korea posed by a Chinese telecommunications company’s role in a new wireless network in the country
Trio charged with $4m insider trading by hacking merger lawyers (Register) Up to seven New York law firms targeted, say Manhattan prosecutors
Macau Resident Held In US For Hacking, Insider Trading (Dark Reading) Iat Hong and two others allegedly breached computers of major US law firms and stole confidential exchange on M&A transactions
Germany: Suspected contact of Berlin attacker arrested (Military Times) German prosecutors said Wednesday that they have detained a Tunisian man they think may have been involved in last week's truck attack on a Christmas market in Berlin
Islamic State arrests reveal jihadi threat near seat of U.S. government (Washington Times) Law enforcement agencies have arrested nine Northern Virginia residents on charges of aiding the Islamic State since the terrorist group rose to power in Syria and Iraq in 2014 and launched social media propaganda to attract followers, a government message to police states
Police ask: “Alexa, did you witness a murder?” (Ars Technica) Drowning in hot tub was followed by 140-gallon hose-down recorded by utility
Businessman Pleads Guilty for Operation Resume Hoard (Bleeping Computer) David W. Kent pleaded guilty last week to hacking his former company to boost his current business, which he then tried to sell back to his former firm, together with the stolen data
Sultry Sextortion Sisters Meet Their Match In Nigerian Oil Billionaire (HackRead) Jyoti Matharoo and Kiran Matharoo messed with the wrong Nigerian business tycoon
21 Biggest Cybercriminal Busts Of 2016 (Dark Reading) This year has been a tornado of major cyberattacks and hacker arrests. Here, we look back on the 21 most interesting 'cyberbusts' of 2016
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
CES® CyberSecurity Forum (Las Vegas, Nevada, USA, Jan 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in the cybersecurity arena. The IoT, connected cars, new payment systems, VR and AR, wearables and our mobile devices all add new levels of concern to protecting our personal and corporate data. In this day-long conference, we’ll tackle the world of cybersecurity that demands we go far beyond the simple passwords and anti-virus protection of yesterday.
SANS Security East 2017 (New Orleans, Louisiana, USA, Jan 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in the "Big Easy" in January. Now is the time to improve your information security skills and laissez les bons temps rouler!
Global Institute CISO Series Accelerating the Rise & Evolution of the 21st Century CISO (Scottsdale, Arizona, USA, Jan 11 - 12, 2017) These intimate workshops address the challenges that Boards of Directors are placing on security and risk executives, and how to successfully manage and communicate today's enterprise and organizational threats. These are intense "roll your sleeves up" thought leadership discussions on How Cyber is Driving the New Board Perspective on Enterprise Risk Management. Attendance is limited to 30 Security and Risk Executives from Global 2000 corporations. For Chief Information Security Officers, Chief Information Officers, and Chief Risk Officers, by invitation only (apply to attend).
Cybersecurity of Critical Infrastructure Summit 2017 (College Station, Texas, USA, Jan 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats to critical infrastructures. This summit will focus on two sectors that are among those at greatest risk, the energy and manufacturing sectors. Highlighting emerging technologies and policy initiatives, this event will foster the development of high impact strategies to address the many interrelated cybersecurity challenges we face in the protection of our nation’s critical infrastructures.
ShmooCon 2017 (Washington, DC, USA, Jan 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It, and Bring It On.
SANS Las Vegas 2017 (Las Vegas, Nevada, USA, Jan 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you get the kind of hands-on, immersion training that you can put to work immediately.
BlueHat IL (Tel Aviv, Israel, Jan 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel. Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017 (Arlington, Virginia, USA, Jan 25 - Feb 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but have no real concept of how to create and produce proper intelligence. The 2017 Summit will focus on specific analysis techniques and capabilities that can be used to properly create and maintain Cyber Threat Intelligence in your organization. Attend this summit to learn and discuss directly with the experts who are doing the CTI analysis in their organizations. What you learn will help you detect and respond to all ranges of adversaries including some of the most sophisticated threats targeting your networks
Blockchain Protocol and Security Engineering (Stanford, California, USA, Jan 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary collaboration among practitioners and researchers in blockchain protocols, distributed systems, cryptography, computer security, and risk management.