Info ops updates. Baltimore's bad month. The Huawei Affair. Third-party breach hits medical labs. Industry and legal notes.
Information operators and fake news contractors.
Symantec found that the Russian information operators during the 2016 US election cycle were well-organized and professional, and portions of their operations were being planned as early as May 2014 (SecurityWeek). Symantec's researchers came to this conclusion after analyzing a massive dataset released by Twitter containing millions of tweets from thousands of accounts associated with Russia's Internet Research Agency.
Most of the IRA's fake news accounts were created in the spring and summer of 2014, but didn't start tweeting until January 2015. The accounts were largely automated, although human operators would often step in to mix things up. The underlying strategy employed by the IRA was "utilizing a small core of accounts to push out new content and a wider pool of automated accounts to amplify those messages." The targeting of the campaign was more ideologically balanced than previously thought, with the top twenty most retweeted accounts "split evenly between conservative and liberal messages."
The BBC outlines a fake news operation based in North Macedonia, in which employees rewrote legitimate US news articles, changing words and falsifying details to make them more inflammatory, thereby driving more traffic and generating ad revenue.
The Baltimore ransomware attack.
It seems increasingly unlikely that EternalBlue was involved in the ransomware attack on Baltimore. Researchers at Armor obtained attack code samples and found no signs of EternalBlue or other propagation mechanisms in what they told KrebsOnSecurity was "vanilla ransomware." Armor also has found communications from people claiming to be the attackers, but their responsibility can't be verified. For its part, NSA has denied that the agency's tools had anything to do with the Baltimore ransomware attack. In particular, NSA said it had no evidence the EternalBlue vulnerability played a role in the incident (CyberScoop). Some have read this as a non-denial denial (see examples in the Washington Post) but the general sentiment seems to be that Baltimore is less sinned against than sinning, and that in fact tools from NSA, leaked, stolen, used or otherwise compromised, had little or nothing to do with the incident. There are some suggestions there may have been more than one threat actor in the city's systems (Wall Street Journal).
The Huawei Affair: twists, turns, and a high-minded offer to agree not to spy.
Huawei's chairman Liang Hua accused the US of "acting inappropriately" toward his company, NPR reports, but then proffered the same kind of no-spy deal Shenzhen has dangled before Germany and the UK. Huawei's reputation with respect to non-disclosure agreements and partners' IP makes it unlikely the offer will be accepted. Nor would offers of collaborative security testing be likely to find favor: Huawei is said to have been secretly testing exploits for Nokia and Ericsson devices, then passing the vulnerabilities to nominally independent testers in order to polish Shenzhen's comparative reputation (Forbes).
Meng Wanzhou, the Huawei CFO detained by Canadian authorities in Vancouver, will have her extradition hearing in 2020. She's wanted in the US in connection with alleged money laundering and sanctions evasion (CTV).
Observers continue to give US trade measures mixed reviews on their effectiveness in enhancing national security (Washington Post). Restrictions on Huawei's ability to purchase US products, especially semiconductors, are nonetheless generally seen as posing a serious threat to the company despite its long-running drive toward manufacturing self-sufficiency (Wall Street Journal). The effects of placement on the US Entity List are showing up internationally as well. Sophos has halted sales to Huawei (ChannelE2E), and Huawei is selling its majority stake in an undersea cable venture (Wall Street Journal).
Third-party breach at collection agency afflicts medical labs' data.
There's been a major data breach affecting a US healthcare firm. In this case it’s a third-party problem. In an 8-K filed this week with the US Securities and Exchange Commission, the large medical testing firm Quest Diagnostics disclosed that American Medical Collection Agency (AMCA), a third-party collection services firm, notified Quest that AMCA had detected unauthorized activity in its network. The breach appears to have affected nearly 12 million people. The "unauthorized user" took personal data, medical information, and credit card numbers from AMCA, which believes the intruder was active between August 1 of last year and this past Friday. AMCA said it was notified of the possibility of a breach by a credit card company, and upon investigation concluded that someone had indeed been in its network (TechCrunch). Another major testing company, LabCorp, disclosed at midweek that it, too, was affected by the AMCA breach. LabCorp puts the tally of those affected in its part of the incident at 7.7 million (KrebsOnSecurity).
Don't believe Microsoft about the importance of patching legacy versions of Windows against the BlueKeep RDP vulnerability? Maybe you'll believe NSA's Central Security Service? They think you should patch, too. To further motivate patching, a security researcher reports developing a proof-of-concept exploit for the wormable vulnerability (Computing).
Crime and punishment.
Andrii Kolpakov, a Ukrainian man accused of involvement in the financially-motivated FIN7 hacking group, has been extradited to the US from Spain. He appeared in Federal court in Seattle earlier this week, and his arraignment is set for this coming Monday (Washington Post).
A judge has removed the lead prosecutor from the case of a Navy SEAL accused of war crimes after the prosecutor sent emails with embedded tracking code to defense lawyers and a Navy Times journalist. The prosecutor says he was trying to find the source of news leaks, but his attempts to do so were unauthorized (Washington Post).
Courts and torts.
Big Tech is facing increased antitrust scrutiny. According to the Silicon Valley Business Journal, the US Department of Justice has been in conversations with the Federal Trade Commission to see who will take on the case of Apple, and Justice is thought to have been given the first bite. The Justice Department has also begun preparing an antitrust case against Google (Wall Street Journal). The Federal Trade Commission is thought to have responsibility for Facebook and Amazon (Wall Street Journal). Not to be left out of the picture, Congress will hold its own inquest. The House Judiciary Committee announced its intention to hold hearings on competition in digital markets, which can be expected to be relatively wide-open (Washington Post).
There are many signs that Big Tech doesn't intend to go gentle into that good break-up night. Silicon Valley has assembled a K Street brigade to fight a major lobbying campaign in Washington (New York Times). Facebook is beefing up its legal team in anticipation of antitrust action (Wall Street Journal).
First American Mortgage Corporation is being investigated by New York's Department of Financial Services over the insurance company's exposure of around 885 million mortgage documents on its website. The company is also facing a class-action lawsuit from a Pennsylvania man who "was involved in at least 11 real estate transactions where First American was the title insurer" (BankInfoSecurity).
Policies, procurements, and agency equities.
The US Government has released its draft Data Strategy. Federal agencies have until July 5th to submit comments. The Strategy emphasizes three overarching principles: Ethical Governance, Conscious Design, and a Learning Culture. The Strategy seems concerned to identify relevant data and ensure their accuracy, integrity, and availability. Transparency and an effort to restrain agencies from collecting information without a need to do so appear to be important points of emphasis.
The House Subcommittee on Intelligence and Emerging Threats and Capabilities wants US Cyber Command to "maintain a comprehensive and dynamic inventory of subordinate elements’ accesses and tools, and emphasize the importance of sustaining these cyber-specific capabilities" (Fifth Domain).
Recent coordinated efforts by the FDA, the HHS-OIG, and the DHS to improve the security of connected medical devices may serve as an indicator that industry best practices will soon be held to a higher standard (New York Law Journal).
The New York Department of Financial Services' Cyber Requirements (23 NYCRR 500) went into full effect on March 1st. The New York Law Journal says that the Cyber Requirements show that "regulators are highly focused on holding companies accountable for incidents arising from third-party failures, thereby discouraging the practice of outsourcing risk through contract."
Fortunes of commerce.
Facebook's response to a series of scandals over the last few years, and the hostile regulatory scrutiny the company faces, disturbs its independent investors, outsiders and ordinary shareholders aggrieved by what they see as the company's arrogance. In a vote rendered meaningless (except as an expressive gesture) by the founder's control of voting shares, Facebook investors voted to oust Mark Zuckerberg as the company's chairman (Business Insider).
There may be antitrust sentiment rising with respect to 5G suppliers. It's been noted for some time that Europe has national device-manufacturing champions that may well represent a best-value alternative to Huawei, whose low prices may be unsustainable, and whose devices may come with higher costs over their entire lifecycle. Some of those companies, Nokia and Ericsson among them, see Huawei's security troubles as an opportunity to capture the 5G market (Yahoo). But even should Nokia and Ericsson succeed in displacing Huawei, that won't mollify critics who see the 5G device sector as dangerously consolidated. GCHQ's Ian Levy (director of the UK's National Cyber Security Centre) sees the market as "fundamentally broken." A critical sector with just five principal suppliers (Nokia, Ericsson, Huawei, ZTE, and Samsung) is "insane," Levy thinks (Wall Street Journal).
The cybersecurity sector remains attractive to investors and acquirers (Washington Post). Four recent acquisitions are seen as bellwethers (TechCrunch). Palo Alto Networks last week purchased cloud native security provider Twistlock for $410 million, along with serverless security company PureSec for an undisclosed amount. Palo Alto has spent at least $1 billion on acquisitions since the beginning of 2018, and The Motley Fool says the company's strategy is smart because it allows it to keep pace with the rapidly changing industry. Additionally, last Tuesday, FireEye bought security testing company Verodin for $250 million. Finally, Insight Partners purchased a controlling stake in threat intelligence provider Recorded Future for $780 million (SC Magazine). The threat intelligence market is estimated to grow by around 18% per year over the next three years, reaching $8.94 billion by 2022 (CNBC).
The Dimension Data brand is slated to disappear over the course of a month, as the South African company's Japanese parent, Nippon Telegraph & Telephone, merges NTT Communications, Dimension Data, and NTT Security into a single unit. The new NTT will be led by Dimension Data's current CEO and headquartered in London (CRN).
Fake data, but for good: start-up Tonic generates synthetic data developers and engineers can use, for example, in testing, so they don't need to access or manipulate real, sensitive data (Hypepotamus).
Oracle is expected to lay off a large number of workers as it works its way through to a cloud future. Company rumors suggest that as many as ten percent of the company's workforce may be gone by the time cuts are complete (Silicon Valley Business Journal).
Mergers and acquisitions.
Cisco appears ready to enter the industrial IoT security market. The company has announced its intention to acquire French ICS device visibility and security shop Sentryo. Terms of the acquisition have not been disclosed (CRN).
Search company Elastic has announced its intention to buy Endgame, subject to the shareholder and other approvals required under Dutch law. The acquisition is expected to close in the third quarter. Elastic sees Endgame bringing endpoint security to its stack, lending a distinctive holistic quality to the company's offerings (Elastic Blog). Elastic this week reported strong quarterly earnings (Yahoo). Endgame had until recently been thought to be off the block, but now its sale has fetched some $243 million (Washington Business Journal).
Google is buying Looker, which specializes in data analytics and business intelligence, for $2.6 billion. The major acquisition is expected to figure in Google's cloud plans (Silicon Valley Business Journal).
Investments and exits.
As CrowdStrike nears its long-expected IPO, the industry press speculates that it may be the largest initial offering of any security company that's gone public (Silicon Valley Business Journal). The company is expected to offer 18 million shares of Class A common stock at between $19 and $23 a share (Built In).
SentinelOne has closed a $120 million Series D round. Insight Partners led the investment round, with participation from Samsung Venture Investment Corporation, NextEquity and several previous investors (Third Point Ventures, Redpoint Ventures, Granite Hill, Data Collective, and others). The company sees the funding as an important step in its push to "displace incumbent antivirus vendors" (CRN). The Silicon Valley Business Journal describes SentinelOne as a "CrowdStrike competitor," and SentinelOne itself is willing to challenge other endpoint security shops. CEO Tomer Weingarten, for example, thinks BlackBerry's acquisition of Cylance has introduced uncertainty into the market, which he sees as an opportunity for SentinelOne to take both business and staff from that competitor.
Automotive cybersecurity shop GuardKnox has raised $21 million in a Series A round. Fraser McCombs Capital led the funding, with participation by Faurecia, SAIC Capital (Shanghai Automotive), Glory Ventures, NextLeap Ventures, VectoIQ, Plug and Play, Allied, Cyphertech, and Kardan LTD (BusinessWire).
Fluree has announced a $4.7 million seed round. 4490 Ventures led the investment. Revolution’s Rise of the Rest Seed Fund also participated. Fluree, based in North Carolina, specializes in blockchain-secured databases (TechCrunch).
ThreatConnect has received a strategic investment from Providence Strategic Growth. The company intends to use the funds to speed its Platform (with its attendant Playbooks) to market (ThreatConnect News).
Cylus, specializing in cybersecurity for rail transportation, has raised $12 million in a Series A round. Magma Venture Partners and Vertex Ventures led the investment, with new investors Cyient, Cerca Partners, GlenRock, and FollowTheSeed. Previous investors also participated (SecurityWeek).
And security innovation.
Innovate Israel pats itself on the back for the country's record of successful start-ups. Dome9, Secdo, Adallom, Sygnia, Hexadite, Demisto, and Secure Islands are mentioned in dispatches (Times of Israel). Maryland's DataTribe also gets a favorable look from the Last Watchdog.
Criteria venture capitalists use when deciding to fund very early-stage start-ups are impressionistic, because among other things, how would one value a company without sales? A lot of those impressions are about the founder (WIRED).
Today's issue includes events affecting China, France, Iran, Israel, the Netherlands, North Macedonia, Russia, the United Kingdom, and the United States.
Research Saturday is up. In this episode, "Xwo scans for default credentials and exposed web services," we hear from researchers at AT&T Alien Labs, who've been tracking a new malware family they’ve named “Xwo” that’s scanning systems for default credentials and vulnerable web services. AT&T Alien Labs' Tom Hegel shares their findings.