To improve the quality, relevance and overall value of the CyberWire’s content, we’ve put together a short audience survey that should take five minutes or less to complete. This survey is (obviously, we needn't add, but will) completely voluntary, anonymous and confidential. Click here to take our survey and look for your chance to win some official CyberWire swag at the end.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Get your free copy of “The Threat Intelligence Handbook” now.
3rd-party breach affects Quest Diagnostics. HelixKitten tool leaked? Ransomware notes. Antitrust comes to Silicon Valley.
In an 8-K filed this week with the US Securities and Exchange Commission, the large medical testing firm Quest Diagnostics disclosed that American Medical Collection Agency (AMCA), a third-party collection services firm, notified Quest that AMCA had detected unauthorized activity in its network. As reported by TechCrunch and others, the breach appears to have affected nearly 12 million people. The "unauthorized user" took personal data, medical information, and credit card numbers from AMCA, which believes the intruder was active between August 1 of last year and this past Friday.
Another apparent leak from someone close to Iran's cyber operations has released Jason, a tool designed to hijack Microsoft Exchange email accounts, BleepingComputer says. Jason is associated with OilRig (also known as APT34 or HelixKitten), generally attributed to Iran's Ministry of Intelligence and Security. The leaker or leakers, who go by Lab Dookhtegan, began releasing Iranian attack tools in March.
Eurofins Scientific, a Luxembourg-based provider of food, environmental, and pharmaceutical testing, disclosed yesterday that it sustained a ransomware attack over the weekend. The infection has impeded some IT operations, but appears to have been contained.
It seems increasingly unlikely that EternalBlue was involved in the ransomware attack on Baltimore. Researchers at Armor obtained attack code samples and found no signs of EternalBlue or other propagation mechanisms in what they told KrebsOnSecurity was "vanilla ransomware." Armor also has found communications from people claiming to be the attackers, but their responsibility can't be verified.
Today's issue includes events affecting China, Iran, Israel, Luxembourg, North Macedonia, Russia, Sri Lanka, United Arab Emirates, United Kingdom, and United States.
Bring your own context.
So criminals go after the really valuable stuff, and steal it, and then resell it, right? Sometimes, but maybe not as much as they formerly did.
"Targeted ransomware is a lot different than your normal commodity ransomware. When you think about ransomware, you think about random emails showing up that have been blasted out to millions of people. Someone clicks a link and boom, their hard drive or their documents have all been encrypted with an automatically generated link that says click here, deposit a bitcoin into this wallet, and we'll email you the key. There has been a dramatic turn into something a little bit more nefarious. Now cyber criminals, instead of penetrating an organization and finding the high-value assets and taking them out of the enterprise, they're just simply encrypting them in place because they've realized that when you steal data, you have to monetize that. You run the risk of dealing with law enforcement. You've got to deal with the dark web and finding a buyer and registering in underground forums."
—Justin Harvey, global incident response leader at Accenture, on the CyberWire Daily Podcast, 5.31.19.
The criminal is not an artist. The criminal follows the path of least resistance to the money.
Threat intelligence is critical but often difficult to manage, automate, or operationalize. Threat Intelligence Gateways are an exciting, emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational, and useful. Learn about how this technology is turning threat intelligence into action to block threats at scale in the whitepaper, Operationalizing Threat Intelligence: An In-Depth Guide to Threat Intelligence Gateways.