Palo Alto Networks researchers have worked out how Shamoon spreads its destructive payload: rather than exploiting a vulnerability, its operators use a mix of "legitimate tools and batch scripts" to push it to hostnames they already know exist on the target network. Since the scripts have to be handed those hostnames in advance, the spread depends on reconnaissance done before the wiper is launched.
FireEye offers some insight into how APT29 (a.k.a. Cozy Bear, by general consensus a Russian FSB operation) evades detection: the group uses domain fronting, naming a permitted domain in the cleartext TLS handshake (the SNI field a firewall or censor can read) while the real destination sits in the encrypted HTTP Host header, so the traffic appears to be going to a host the network allows. (Domain fronting has also been used by less sinister parties, including anti-censorship tools, to get around government blocking. The technique itself is neutral; only the use is not.)
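To make the mechanism concrete, here is an added example (not FireEye's analysis or any APT29 tooling) that builds a fronted request and then runs the obvious detection, SNI/Host mismatch, over constructed proxy records. The domain names, the source addresses and the log format are invented for the example; the one real constraint it shows is that a defender can only make this comparison where TLS is terminated, since the Host header is inside the tunnel.

```python
"""Domain fronting: what the network sees versus what the CDN routes on.

Added example, not FireEye's or APT29's code. Domain names are invented
placeholders; the proxy records are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrontedRequest:
    """One HTTPS request through a CDN that hosts both domains."""
    sni: str    # server_name in the TLS ClientHello: cleartext, visible to any middlebox
    host: str   # HTTP Host header inside the TLS tunnel: what the CDN edge routes on
    path: str = "/"

    def http_request(self) -> bytes:
        # Everything here is encrypted; a censor sees only self.sni.
        return f"GET {self.path} HTTP/1.1\r\nHost: {self.host}\r\n\r\n".encode()


def build_fronted_request(front_domain: str, hidden_domain: str, path: str = "/") -> FrontedRequest:
    """Connect to the CDN with SNI=front_domain (permitted) but ask for hidden_domain."""
    return FrontedRequest(sni=front_domain, host=hidden_domain, path=path)


def _canon(name: str) -> str:
    # Normalise case, a trailing dot and an explicit port before comparing.
    return name.lower().rstrip(".").split(":")[0]


def is_fronted(sni: str, host: str) -> bool:
    """A mismatch between SNI and Host is the signature of fronting (or of a broken client)."""
    return _canon(sni) != _canon(host)


# Constructed records from a hypothetical TLS-inspecting proxy. Without terminating
# TLS, a defender only sees the SNI and has nothing to compare it against.
PROXY_LOG = [
    {"src": "10.0.1.17", "sni": "cdn-front.example", "host": "cdn-front.example"},
    {"src": "10.0.1.17", "sni": "cdn-front.example", "host": "c2-backend.example"},
    {"src": "10.0.2.40", "sni": "cdn-front.example", "host": "CDN-FRONT.example."},
    {"src": "10.0.3.9", "sni": "another-front.example", "host": "c2-backend.example:443"},
]


def find_fronted_flows(records):
    """Return (src, sni, host) for every flow whose SNI and Host disagree."""
    return [(r["src"], r["sni"], r["host"]) for r in records if is_fronted(r["sni"], r["host"])]


if __name__ == "__main__":
    req = build_fronted_request("cdn-front.example", "c2-backend.example", "/beacon")
    print("censor sees SNI:", req.sni)
    print("CDN routes on:  ", req.http_request())
    for flow in find_fronted_flows(PROXY_LOG):
        print("fronted:", flow)
```

The comparison is deliberately strict. In production it needs an allowlist of SNI/Host pairs that legitimately differ (a CDN customer serving several hostnames from one certificate, for instance), otherwise the rule drowns in benign mismatches; the point is that the signal exists only at a point where the Host header is visible.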
Two warnings are out to the healthcare sector. First, the US FBI has warned that malicious actors are targeting File Transfer Protocol (FTP) servers, specifically ones running in anonymous mode (which accept logins without a real credential), to gain access to protected health information belonging to medical and dental patients. The motive appears to be a mix of extortion, harassment, and identity theft. Second, researchers at Schneider & Wulf have found the embedded web server in the Miele Professional PG 8528 (an Internet-connected washer-disinfector used to sterilize biomedical instruments) vulnerable to directory traversal, which would let a crafted request read files outside the server's document root. There's no patch yet.
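Directory traversal in an embedded web server is almost always the same bug: the handler glues the document root to the request path and never checks where the result ends up. The following is an added example, not the Schneider & Wulf advisory or Miele's firmware; the document root and request paths are made up, and both resolvers work on path strings only, so it runs without touching the filesystem. It shows the vulnerable handler beside a hardened one, run over the same constructed requests.

```python
"""Directory traversal in a small embedded web server's file handler.

Added example, not Schneider & Wulf's advisory or Miele's firmware. DOC_ROOT
and the request paths are invented; nothing here opens a real file."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www"   # hypothetical document root


def resolve_naive(url_path: str) -> str:
    """Vulnerable: root + request path, with no check that the result stays under root.
    '../' segments (percent-encoded or not) walk out of DOC_ROOT."""
    return posixpath.normpath(DOC_ROOT + "/" + unquote(url_path))


def resolve_hardened(url_path: str):
    """Decode once, normalise, then verify the result is DOC_ROOT or below it.
    Returns None (serve 404/403) for anything that escapes."""
    decoded = unquote(url_path)
    if "\x00" in decoded:                  # NUL truncates the path in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Constructed request paths: two benign, three traversal attempts.
REQUESTS = [
    "/docs/manual.pdf",
    "/index.html",
    "/../../etc/shadow",
    "..%2F..%2Fetc%2Fshadow",                     # same traversal, slashes encoded
    "/docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd",      # dots encoded
]


def audit(requests):
    """For each request: what the naive handler would open vs what the hardened one allows."""
    return [(p, resolve_naive(p), resolve_hardened(p)) for p in requests]


if __name__ == "__main__":
    for path, naive, hardened in audit(REQUESTS):
        print(f"{path!r:42} naive -> {naive:26} hardened -> {hardened}")
```

The string check is necessary but not sufficient on a real filesystem: after it passes, the server should also resolve the candidate with `os.path.realpath` and repeat the prefix check, so a symlink inside the document root cannot point back out of it.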
iOS users visiting adult sites are being hit by scareware. The consensus among experts concerning both ransomware and scareware remains that victims should not pay.
British Home Secretary Amber Rudd joins US FBI Director Comey among the anti-encryption dead-enders. The Westminster attacks have prompted her to call for restrictions on encrypted communications.
A US prosecutor forges a judge's signature on a surveillance warrant to spy on her rival in a love triangle.