Secureworks has identified a new threat group active in the Middle East. They're calling it "LYCEUM." It may have been active as early as April of 2018 (with some signs of activity in South Africa), but since late spring of this year it has increased its operations significantly. It's currently engaging Middle Eastern infrastructure targets, specifically in the oil and gas sector. While Secureworks says it sees some "stylistic" similarities to known threat groups COBALT GYPSY (itself connected to OilRig, Crambus, and APT34) and COBALT TRINITY (a.k.a. Elfin, or APT33), it says that it can't connect either the malware itself or the attack infrastructure to any of these actors. "As of this publication, there is insufficient technical evidence to support an attribution assessment." Other outlets are less circumspect. Bleeping Computer runs with LYCEUM's association with Hexane, tracked earlier by Dragos. Technology Review calls a culprit: Iran. The campaign's goal is apparently espionage.
Chinese intelligence services continue to use LinkedIn as a way of approaching people they would like to recruit as assets. The New York Times reports that former government officials are attractive potential agents. Counterintelligence officials in France, Germany, the UK, and the US have all warned against the recruitment efforts.
Imperva has disclosed an issue affecting its Cloud Web Application Firewall, the product formerly known as Incapsula. The source and scope of the incident remain under investigation.
Trend Micro says that the criminal group TA505 has updated its tactics to make better use of upgraded ServHelper and FlawedAmmyy malware.