OilRig is back.
The OilRig cyber espionage group, generally linked to Iran, resurfaced at week's end with a campaign that served a Trojan ("OopsIE") using a variant of the ThreeDollars delivery document. Palo Alto Networks, whose Unit 42 has studied OilRig, says that the targets are an insurer and a financial services company, both based in the Middle East and having operations in Lebanon (Palo Alto Networks). Palo Alto's blog doesn't attribute OilRig, but others are less circumspect: the threat group is generally believed to operate on behalf of the Iranian government (SecurityWeek).
Lazarus's kid brother steps out (but not at the Olympics).
The Pyeongchang Olympics closed today. It was reported this morning that US Intelligence officials confirmed (anonymously) that opening ceremony cyberattacks were a Russian false-flag operation designed to look like a North Korean attack (Chicago Tribune). The attack infrastructure established for the Games may be expected to resurface later (SC Magazine).
North Korea's innocence of the Olympic hacks, however, and Pyongyang's public gestures toward international good citizenship haven't indicated any restraint in its cyber operations (Nikkei Asian Review). FireEye reports ("with high confidence") that North Korean government cyber operators are showing new sophistication and ambition. The threat group variously known as Reaper, APT37, Group123 (Cisco Talos's name for it), and ScarCruft (Kaspersky's name) seems to have expanded its target list from South Korea to international corporations (Reuters).
Most of Reaper's attacks are initiated, FireEye says, with sophisticated social engineering. Crowdstrike, which tracks the group as "Labyrinth Chollima," sees an ability to bridge airgaps by unspecified means (NBC News). Reaper has been known for pursuing government, defense, and media targets, but it's recently added the chemical, electronic, aerospace, healthcare, automotive, and manufacturing verticals (CISO).
After news of fraudulent SWIFT fund transfers hit the wires, criminals hope sensitivity to such fraud will render users susceptible to SWIFT-themed phishing. Comodo Threat Research Labs researchers report observing spam whose payload is the Adwind Trojan. The email's subject and text declare it to be a notice that there's been a SWIFT transfer to the recipient's account ("wire bank transfer to your designated bank account"); the attachment is said to contain the details.
This version of Adwind does a variety of things: it modifies the registry, checks for installed antivirus and other security tools (and kills AV processes where it can), and then connects to the Tor network. It also tries to disable Windows System Restore and User Account Control (UAC), the prompt that normally prevents software from being installed or elevated without the user's knowledge.
The campaign may represent reconnaissance and preparation for more damaging attacks (Comodo). The choice of subject may be timely, but the execution is a throwback to old-school phishing: nonstandard English grammar and eccentric idiom.
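The two tampering behaviours described above leave well-known registry values behind, which is where a defender would look for them. The following is an added example for this review, not Comodo's code and not derived from the Adwind sample: it runs a small rule set over constructed Sysmon "Value Set" events (Event ID 13) and reports any process image that both turns off UAC and disables System Restore. The offending image path is hypothetical, and the ConsentPromptBehaviorAdmin rule is included as a second, common way of silencing UAC rather than something the write-up attributes to this sample.

```python
"""Flag the UAC and System Restore tampering described above in Sysmon
registry "Value Set" events (Event ID 13).

Added example for this review; not Comodo's code and not derived from the
Adwind sample. The rules encode the well-known policy values for the two
behaviours the write-up names; the event records are constructed, and the
offending image path is hypothetical.
"""
import re
from collections import defaultdict

# (regex over TargetObject, regex over Details, finding). Sysmon renders DWORD
# values as "DWORD (0x00000000)"; registry paths are matched case-insensitively.
RULES = [
    (r"\\Policies\\System\\EnableLUA$", r"^DWORD \(0x00000000\)$",
     "UAC disabled (EnableLUA=0)"),
    (r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", r"^DWORD \(0x00000000\)$",
     "UAC elevates without prompting (ConsentPromptBehaviorAdmin=0)"),
    (r"\\Windows NT\\SystemRestore\\DisableSR$", r"^DWORD \(0x00000001\)$",
     "System Restore disabled (DisableSR=1)"),
    (r"\\Windows NT\\SystemRestore\\DisableConfig$", r"^DWORD \(0x00000001\)$",
     "System Restore configuration locked (DisableConfig=1)"),
]

POLICY_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RESTORE_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
DROPPER = r"C:\Users\victim\AppData\Roaming\swift_details.exe"  # hypothetical path

# Constructed Sysmon Event ID 13 records (only the fields the rules need).
SAMPLE_EVENTS = [
    # Group Policy refresh writing the default value: benign, value is 1.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": POLICY_ROOT + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    {"Image": DROPPER, "TargetObject": POLICY_ROOT + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": DROPPER, "TargetObject": POLICY_ROOT + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"Image": DROPPER, "TargetObject": RESTORE_ROOT + r"\DisableSR",
     "Details": "DWORD (0x00000001)"},
    # Unrelated user preference change: no rule matches.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def match_rule(target, details):
    """Return the finding for a (TargetObject, Details) pair, or None."""
    for target_re, details_re, finding in RULES:
        if re.search(target_re, target, re.IGNORECASE) and re.search(details_re, details):
            return finding
    return None


def find_tampering(events):
    """Return one (image, finding) pair per event that trips a rule."""
    hits = []
    for ev in events:
        finding = match_rule(ev["TargetObject"], ev["Details"])
        if finding:
            hits.append((ev["Image"], finding))
    return hits


def suspicious_images(hits, min_findings=2):
    """Images with at least `min_findings` distinct findings.

    A single process that both disables UAC and turns off System Restore is the
    pattern described above; a lone EnableLUA write may just be an administrator.
    """
    per_image = defaultdict(set)
    for image, finding in hits:
        per_image[image].add(finding)
    return {img: sorted(f) for img, f in per_image.items() if len(f) >= min_findings}


if __name__ == "__main__":
    for image, findings in suspicious_images(find_tampering(SAMPLE_EVENTS)).items():
        print(image)
        for f in findings:
            print("  -", f)
```

The rules deliberately key on the value written, not just the key touched: a Group Policy refresh rewrites EnableLUA to 1 routinely, and alerting on every write to that key would bury the real signal.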
Credential stuffing and regulatory risk, American style.
In credential stuffing an attacker tries username-and-password pairs exposed in one breach against other sites. Since people unfortunately tend to reuse their passwords, criminals get enough hits to make this worth their while. The US Federal Trade Commission, among the more aggressive cybersecurity enforcers in the regulatory world, this week moved on credential stuffing, adding regulatory risk to reputational and financial risk. The FTC obtained a consent decree from online tax-prep service TaxSlayer because TaxSlayer didn't do enough to protect its customers from themselves.
The FTC held that the business might have done more: using multifactor authentication, requiring strong passwords, validating email addresses during account creation, adopting such measures as IP blacklisting, and alerting customers promptly when passwords, addresses, or security questions changed. Businesses interested in how standards of care are shaping up under the FTC's regulatory lash would do well to consult TaxSlayer's experience (Bloomberg).
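The measures the FTC listed lend themselves to automation. The following is an added example for this review, not code from the article, the FTC, or TaxSlayer: it runs over constructed login-log lines (the line format, the 60-second window and the thresholds are all assumptions) and flags source IPs that try many distinct usernames in a short window with a high failure rate, the signature of a stuffing run as opposed to one user mistyping a password. For each flagged IP it also lists the accounts that nonetheless logged in successfully, which are the customers to alert and re-authenticate.

```python
"""Credential-stuffing detection over login logs.

Added example for this review; not code from the article, the FTC, or
TaxSlayer. The log format, the 60-second window and the thresholds are
assumptions a real service would tune to its own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): "<ISO time> <source IP> <username> <OK|FAIL>".
# 198.51.100.7 walks a list of leaked username/password pairs; two of them still work.
# 203.0.113.5 is one user mistyping her own password twice before succeeding.
SAMPLE_LOG = """\
2018-02-20T10:00:01 198.51.100.7 alice FAIL
2018-02-20T10:00:02 198.51.100.7 bob FAIL
2018-02-20T10:00:02 198.51.100.7 carol FAIL
2018-02-20T10:00:03 198.51.100.7 dave OK
2018-02-20T10:00:04 198.51.100.7 erin FAIL
2018-02-20T10:00:05 198.51.100.7 frank FAIL
2018-02-20T10:00:06 198.51.100.7 grace FAIL
2018-02-20T10:00:07 198.51.100.7 heidi FAIL
2018-02-20T10:00:08 198.51.100.7 ivan FAIL
2018-02-20T10:00:09 198.51.100.7 judy OK
2018-02-20T10:01:00 203.0.113.5 alice FAIL
2018-02-20T10:01:10 203.0.113.5 alice FAIL
2018-02-20T10:01:20 203.0.113.5 alice OK
2018-02-20T11:30:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Return login events as (timestamp, ip, username, succeeded), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e[0])


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within `window`, try at least `min_users` distinct
    usernames with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised"}}.
    "compromised" lists accounts that logged in successfully from the flagged IP:
    those are the password-reuse victims to notify and force to re-authenticate.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window: drop attempts older than `window` before this one.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            if len(users) < min_users or failures / len(in_window) < min_fail_ratio:
                continue
            summary = {
                "distinct_users": len(users),
                "attempts": len(in_window),
                "failures": failures,
                "compromised": sorted({u for _, u, ok in in_window if ok}),
            }
            # Keep the widest matching window seen for this IP.
            if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                flagged[ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinct-username count is what separates stuffing from an ordinary brute-force or a forgetful user: a stuffing run spends one or two attempts per account and moves on, so per-account lockout never fires, while per-IP diversity of usernames does. The "compromised" list is the part most services skip, and it is exactly the prompt-alerting control the FTC faulted TaxSlayer for lacking.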
Extortion and regulatory risk, European style.
The European Union's General Data Protection Regulation (GDPR) takes effect in May. Enterprises worldwide look forward to it with varying degrees of trepidation. Businesses could be subjected to heavy, potentially company-killing fines for failure to properly protect data they handle.
Researchers at Trend Micro think we're likely to see a new theme emerge in cyber blackmail: extortion based on perceived regulatory risk. Blackmailers might estimate how much a company would stand to lose in fines for GDPR violations, and then demand a ransom lower than that figure in exchange for not squealing to EU enforcers. The presumed expectation is that a CEO might pay rather than face exposure. Trend Micro thinks this an eventuality companies would do well to prepare for (Help Net Security).
But is this a myth? Professor Eerke Boiten of De Montfort University says it is, and a dangerous one, too. Regulators have said they don't intend to levy heavy fines or make an example of companies found in violation of the new standards soon after they take effect this May. Besides, companies that paid a ransom but failed to disclose a breach could face fines of up to €10 million. Thus, focusing on the maximum fines and arousing fear of harsh enforcement would, if anything, tend to play into the hands of extortionists. "Criminals might only try this blackmail if sufficiently many victims fear serious fines; this is why media hyperbole over fines and suggestions of GDPR extortion are actually irresponsible" (Computing).
Two points are worth considering. First, relying on the expressed intentions of some regulators in assessing regulatory risk seems arguably naive, analogous to the traditional military planner's mistake of working on the basis of presumed enemy intentions as opposed to known enemy capabilities. Second, participants in markets, including criminal markets, don't always exhibit the sort of game-theoretic rationality that would lead them to decide a GDPR blackmail attempt wasn't worth the trouble. (If you do think they are that rational, then you might be interested in an introduction to a Nigerian prince. We hear he's selling Voppercoin and Petro futures.)
Advice most would agree on: if you're hit by GDPR extortion, disclose the incident to the proper authorities and don't pay the blackmail.
And more clarity on regulation from the Americans.
On Tuesday the US Securities and Exchange Commission (SEC) approved new guidance to clarify cyber risk disclosure (Reuters). The guidance, which the SEC notes amounts to more clarification than change, stresses that companies should "establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity." It stresses the importance of judging the materiality of information (and extends to risk as well as incidents like breaches). It also emphasizes that company insiders ought not to trade their stock on the basis of non-public material information (SEC 17 CFR Parts 229 and 249). The document is heavy on encouragement and qualitative guidance.
It's a frame-up, we tell ya. (Trust, but verify... good grief?)
Russian diplomats denounce British attribution of NotPetya to Russian security services (Xinhua). They also denounce American contentions that Russia is a safe haven for cyber criminals who enjoy a cozy relationship with security services. The complaint comes down to an alleged absence of evidence: no Western intelligence service, Russia says, has offered any proof that Russia is a "bad actor in cyberspace." To strengthen his accusation of American bad faith, Petr Svirin, First Secretary of the Russian Embassy in Washington, asks why, if the Americans are so concerned about cybercrime, they have turned down Moscow's invitations to crime-fighting cooperation (CyberScoop).
First Secretary Svirin's complaint came at a DC event this week in which McAfee and the Center for Strategic and International Studies presented their joint study of the economic impact of cybercrime (CSIS). They see that impact rising: it's now up, they say, to $600 billion worldwide annually, up a hundred billion since a similar study in 2014. Discouragingly, they also conclude that whether countries spend a lot or a little on security against cybercrime, they wind up with similar outcomes (CyberScoop).
The study does call out Russia along with several other centers of cybercrime: Brazil, India, and Vietnam, where the issues aren't so much state policy as they are the lawlessness of an entrenched and technically capable criminal subculture. North Korea is a different matter. There the government itself arranges the crime, and has the state security and intelligence apparatus commit it directly.
And, of course, there's the interesting case of Russia. The contention that so angered Mr. Svirin is that the Russian security services, notably the FSB and the GRU, connive with cyber mobs and permit them to hit the right targets. Right, of course, from the point of view of the Russian government. The operation under Western eyes looks like a reverse protection racket (The CyberWire). Nice little ransomware program you got there. Shame if something happened to it. Of course, if you'd like to take out a Ukrainian power utility, all might be overlooked.
Comic books and post cards as tools in information warfare.
Facebook will require political ad buys to confirm their identity by mailing in a postcard. As a company executive explained, "If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States. It won’t solve everything" (Naked Security). Not solve everything? You said it, kiddo, as Boris Badenov might have put it. Still, it may solve a few things, Fearless Leader.
Speaking of Mr. Badenov, what about comic books? US Cyber Command is publishing a "Threatcasting" comic, which seems aimed at an internal audience as opposed to addressing any adversary's hopes or fears (SOFREP). The issues Silent Ruin and Dark Hammer are slickly executed, but how their collection of cyber MacGuffins will go over with readers is unclear. The plot premises seem on the whole less plausible and engaging than those found in, for example, back issues of PS: the Preventive Maintenance Monthly (a fixture in G.I. latrines since the Truman Administration). But good luck to them: may they enjoy at least as much success as PS. Perhaps plot lines addressing infosec and network defense might prove valuable in educating the forces.
US Federal officials are sharing classified information about cyber threats to elections with state voting authorities (FCW). The Department of Justice has also announced formation of a task force to combat election interference (Fifth Domain).
The House Intelligence Committee's minority memo on the FISA warrant obtained during the 2016 election is out (Washington Examiner). It downplays the influence of the Steele dossier. Both sides (again) claim vindication (CBS).
Cryptocurrencies against financial shortfalls.
While North Korea may have turned to stealing alt-coins to redress its financial problems, Venezuela seeks to use cryptocurrency in another way. Caracas launched its own national cryptocurrency, the petro, and claims to have raised $735 million on its first day. These claims were received with considerable skepticism. Venezuelan opposition leaders call the petro an illegal debt issue. The US Treasury Department warns that petro investment may violate sanctions that (alongside mismanagement and failed policies) have thrown Venezuela's fiat currency, the bolivar, into steep decline. Blockchain experts say the petro looks like a dodgy investment (Reuters).
Each petro is said to be backed by one barrel of Venezuela's nationalized oil. The issue comes during a period of intensified domestic repression and hyperinflation. President Maduro says the new currency will transform Venezuela into an "economic powerhouse," but essentially nobody believes this, probably not even Mr. Maduro. Observers think the petro unlikely to survive President Maduro's rule. Should he fall, the cryptocurrency is likely to be declared illegitimate (CNBC).
Cyber threats to the US economy (with particular reference to the power grid).
The US Council of Economic Advisers has reported on cyber threats to the US economy. It estimates that "malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016." The damage manifested itself in data and property destruction, theft (including theft of intellectual property), and business disruption (including denial-of-service). The Council noted that damage is often not confined to the original target of an attack but spills over into other enterprises. Two particularly interesting points in the report are its emphasis that "lax cybersecurity imposes negative externalities" and its observation that "scarce data and insufficient information sharing impede cybersecurity efforts and slow down the development of the cyber insurance market" (Council of Economic Advisers).
Intel intends a vigorous defense in Spectre/Meltdown class action suits.
The chipmaker doesn't intend to roll over and accept liability for damages people claim to have sustained from Spectre and Meltdown (CRN). More than thirty class-action suits are in progress against the chip manufacturers over the CPU vulnerabilities disclosed last month (ZDNet). Alphabet (Google's corporate parent) and Apple have told Congressional investigators that Intel knowingly covered up the vulnerabilities. Letters from the companies say that Intel didn't inform US-CERT of the bugs until the news had already leaked (Computing).
Intel itself acknowledges that it didn't inform US national security authorities of the flaws, but says this was in accord with well-established and Government-sanctioned procedures: there were no indications the vulnerabilities were being exploited in the wild, and the Government itself encourages cooperation among companies to resolve flaws. The Government doesn't require, Intel explained in a letter to a member of the US House of Representatives, that the companies involve it (OregonLive).
Intel has released additional fixes for the Spectre and Meltdown vulnerabilities (ComputerWorld).
Trend Micro has fixed some issues with its email gateway (ITWire).
Google goes public with a Microsoft vulnerability because Microsoft didn't fix it under Google's disclosure deadline (ComputerWeekly).
Qualcomm has rejected Broadcom's latest acquisition offer (Computing) and accelerated its own bid for NXP, for which Qualcomm is now said to be offering $44 billion. That acquisition, if it goes through, might make Qualcomm too big for Broadcom to swallow (Computing). Google is set to buy IoT management platform Xively from its parent, LogMeIn, for a reported $50 million (SecurityWeek).
Zscaler has filed for an IPO in the US; the anticipated value is $100 million (CRN).
Morphisec has closed a $12 million Series B round (ReadITQuik). Vectra Networks, specialists in artificial intelligence for threat detection and response, and a 2015 SINET 16 winner, has raised $36 million. They also say they're hiring (Silicon Valley Business Journal). Since graduating from YCombinator last summer, startup Templarbit has raised $3 million to support its goal of replacing legacy web application firewalls (Fortune). Texas-based AI firm SparkCognition since last June has seen its Series B round jump from $32.5 million to $56.5 million as new investors joined the funding round (Silicon Hills).
Kaspersky's challenge to a Congressional ban of its software proceeds. Essentially, Kaspersky argues that legislation forbidding the Government from using their products amounts to an unconstitutional bill of attainder (Federal News Radio). The opposing side draws attention to Kaspersky's obligation under Russian law to render assistance to the security services (Lawfare).
Not everyone is buying US animadversions about Huawei and ZTE (My Broadband). The UK's National Cyber Security Centre at least has announced it will continue to use Huawei products (Telegraph).