This Week in CyberSec Headlines, 02 March 2018

German Defence and Interior Ministries Networks Breached, Russian threat groups suspected

BBC, Fancy Bear: Germany investigates cyber-attack ‘by Russians’

“Germany is investigating a security breach of its defence and interior ministries’ private networks, a government spokesman has confirmed. A notorious Russian hacking group known as Fancy Bear, or APT28, is being widely blamed in German media. They are thought to be behind a number of cyber-attacks on the West, including breaches in the 2016 US election.

The hack was first realised in December and may have lasted up to a year, the DPA news agency reported. The group is reported to have targeted the federal government’s internal communications network with malware.”

Washington Post, Apparent attack by Russian hackers penetrated Germany’s foreign ministry

“German officials said Wednesday that the government’s information technology networks had been infiltrated and that evidence pointed toward a Russian hacking group that’s been implicated in high-profile cyberattacks worldwide.

The breach, acknowledged by the interior ministry in a statement, had been known since December, when security experts discovered malware in the secure computer networks of the foreign ministry”

New York Times, Germany Says Hackers Infiltrated Main Government Network

“Hackers using highly sophisticated software penetrated the German government’s main data network, a system that was supposed to be particularly secure and is used by the chancellor’s office, ministries and the Parliament, government officials have said.

German news outlets, citing security sources, have widely blamed a Russian hacking group backed by the Russian government — either one called Snake, or another known as APT28, or Fancy Bear. But Berlin has not publicly said who was behind the attack.

The attack was narrowly targeted, apparently seeking specific information, said Patrick Sensburg, a lawmaker with the governing Conservative Party. Officials would not say how successful the intrusion was, or what data the hackers may have taken.”

Cellebrite & Unlocked iPhones

Forbes, The Feds Can Now (Probably) Unlock Every iPhone Model In Existence — UPDATED

“In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market.

Cellebrite, a Petah Tikva, Israel-based vendor that’s become the U.S. government’s company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 (right up to 11.2.6). That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.”

ArsTechnica, Cellebrite can unlock any iPhone (for some values of “any”)

“Cellebrite—the Israel-based forensics company that has been a key source for law enforcement in efforts to crack the security of mobile devices to recover evidence—has reportedly found a way to unlock Apple devices using all versions of the iOS operating system up to version 11.2.6, the most recent update pushed out to customers by Apple. The capability is part of Cellebrite’s Advanced Unlocking and Extraction Services, a lab-based service the company provides to law enforcement agencies—not a software product.

But security experts are dubious of any claim that Cellebrite can defeat the encryption used by iOS to protect the contents of Apple devices. Rather, they suggest Cellebrite’s “Advanced Unlocking Services” may have found a way to bypass the limits on PIN or password entry enforced by interfering with the code that counts the number of failed attempts—allowing the company’s lab to launch a brute-force attack to try to discover the passcode without fear of the device erasing its cryptographic key and rendering the phone unreadable. With a sufficiently secure password, it would be nearly impossible for the technique to recover the contents of the device.”

Other News

Bleeping Computer, Virus Knocks Out Cash Registers at Tim Hortons Franchisees

“A computer virus is suspected of crashing cash registers this week at over 1,000 Tim Hortons coffee and donuts fast food restaurants. The problem is not yet fully resolved, and some stores are still experiencing problems.

The problems appeared earlier this week when XP-based cash registers began crashing.

Outages initially affected under 100 locations, but as the week progressed, news outlets reported that over 1,000 stores were affected, almost a quarter of Tim Hortons locations across Canada.

Some stores had to shut down for small amounts of time while they tried to fix their Point of Sale (PoS) systems, but others had to close for good.”

[Remotely wiped]

Global Weekly Executive Summary, 09 FEB 2017

Spearphishing the Olympics

A recent report by security software company McAfee reveals that unknown hackers launched a spearphishing campaign targeting organizations preparing for the 2018 Winter Olympics in Pyeongchang, South Korea.

The primary targets were groups affiliated with ice hockey that provided infrastructure or served in some other supporting role, but the McAfee report continues, “The attackers appear to be casting a wide net with this campaign.”

The first documented phishing email was sent on December 22, 2017, seven weeks before opening ceremonies, at a time when Olympics preparations were ongoing. The phishing emails were addressed to with several organizations included in the BCC field. The email sender’s address was spoofed to indicate that it came from the National Counter-Terrorism Center of South Korea, an organization that was conducting anti-terror drills in preparation for the Olympics at that time.

According to McAfee, the emails actually came from an IP address in Singapore. They were written in Korean and instructed readers to open a text document titled “Organized by the Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” After the file is opened, a message written in English and repeated in Korean asks the user to “enable content to adjust this document to your version of Microsoft Word.”

The malware-infected document launches a PowerShell script when the user clicks “Enable Content.” The PowerShell script “downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.” The steganographic image that hides the PowerShell script was created with the open-source tool Invoke-PSImage. The purpose of the PowerShell implant is to establish communication with the attacker’s server and collect “basic system-level data.”

The McAfee report describes further implants used to gain persistence, gather data, and capture keystrokes. The implants are called Gold Dragon, Brave Prince, Ghost419, and RunningRAT. Gold Dragon and Brave Prince are Korean-language implants.

A notable detail in the McAfee report is that steganography was used in some cases. This is the second mention of the use of steganography in recent weeks. Last week, a Motherboard article detailed a custom-made encryption app called Muslim Crypt in the Middle East that allowed users to hide messages in an image file.

Ice hockey plays an important role for North and South Korean relations this Olympics. In January, the North and South Korean governments announced that they would host a joint women’s hockey team, the first team that combined athletes from both countries to appear at the Olympics. North and South Korean athletes marched in the Olympic Opening Ceremonies under a unified flag.


McAfee, Malicious Document Targets Pyeongchang Olympics

Motherboard, This Custom-Made Jihadi Encryption App Hides Messages in Images

New York Times, Olympics Open With Koreas Marching Together, Offering Hope for Peace



This Week in CyberSec Headlines, 09 FEB 2018

North Korea

2018 Winter Olympics

CSCC Article, Spearphishing the Olympics

McAfee, Malicious Document Targets Pyeongchang Olympics

“McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.”

AFP, Hackers Already Targeting Pyeongchang Olympics: Researchers

Security Week, Gold Dragon Implant Linked to Pyeongchang Olympics Attacks

North Korea targets South Korean Cryptocurrency Exchanges

Recorded Future, North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign

“North Korea continued to target South Korea through late 2017 with a spear phishing campaign against both cryptocurrency users and exchanges, as well as South Korean college students interested in foreign affairs. The malware in this campaign utilizes a known Ghostscript exploit (CVE-2017-8291) and is tailored to target only users of a Korean language word processor, Hancom’s Hangul Word Processor.”

Reuters, South Korea Says North Stole Cryptocurrency Worth Billions of Won Last Year

“South Korea said on Monday that North Korea last year stole cryptocurrency from the South worth billions of won and that it was still trying to hack into its exchanges.”

Security Week, North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report

“North Korean hackers, loosely categorized as the Lazarus Group, have continued their attacks against South Korean interests, with particular emphasis on cryptocurrency exchanges.”

Bangladeshi and Philippine banks prepare to sue each other over cyber heist attributed to North Korean threat group

AFP, Bangladesh to File U.S. Suit Over Central Bank Heist

“Bangladesh’s central bank will file a lawsuit in New York against a Philippine bank over the world’s largest cyber heist, the finance minister said Wednesday.”

AFP, Philippine Bank Threatens Counter-Suit Over World’s Biggest Cyber-Heist

“The Philippine bank used by hackers to transfer money in the world’s biggest cyber heist warned of tit-for-tat legal action Thursday, after Bangladeshi officials said they would sue the lender.”

North Korean Cyber Capabilities

Talos, Korea In The Crosshairs

A one-year review of campaigns by an actor whose activity is mainly linked to South Korean targets.

“This actor was very active this year and continued to mainly focus on South Korea. The group leveraged spear phishing campaigns and malicious documents the contents of which included very specific language suggesting that they were crafted by native Korean speakers rather than through the use of translation services.”

Bloomberg, Inside North Korea’s Hacker Army

Breaches and Leaks

Apple iBoot Source Code Leak

The Hacker News, Apple’s iBoot Source Code for iPhone Leaked on Github

The Register, Apple’s top-secret iBoot firmware source code spills onto GitHub for some insane reason

Motherboard, Key iPhone Source Code Gets Posted Online in ‘Biggest Leak in History’

“Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system.”

Telegraph, Secret iPhone code published online in ‘biggest ever’ leak

Swisscom Breach

SC Media, Dial ‘B’ for Breach: Unauthorized party access data on 800K Swisscom customers

Reuters, Swisscom tightens security after sales partner breached

InfoSecurity Magazine, Swisscom Breach Hits 10% of Swiss Population

Sacramento Bee Breach and Ransomware

Sacramento Bee, Voter, Bee databases hit with ransomware attack

“The intrusion, which was discovered by a Bee employee last week, exposed one database containing California voter registration data from the California Secretary of State and another that had contact information for 53,000 current and former Bee subscribers who activated their digital accounts prior to 2017.”

SC Media, Ransomware attack on Sacramento Bee database exposes voter records of 19.5M Californians

“The Sacramento Bee deleted two databases hosted by a third party after a ransomware attack exposed the voter records of 19.5 million California voters and 53,000 current and former subscribers to the newspaper.”

Dark Reading, Sacramento Bee Databases Hit with Ransomware Attack

“An anonymous attacker demanded a Bitcoin ransom in exchange for the data. The Bee chose not to pay and has deleted both databases to prevent further attacks.”

Gizmodo, Sacramento Bee Leaks 19.5 Million California Voter Records, Promptly Compromised by Hackers

“The Sacramento Bee said in a statement that a firewall protecting its database was not restored during routine maintenance last month, leaving the 19,501,258 voter files publicly accessible. “

Cryptocurrency Mining Malware

Sewage Plant Targeted to Mine Cryptocurrency

SC Media, First SCADA cryptominer seen in the wild

“The first documented cryptominer attack on a SCADA network of a critical infrastructure operator was seen in the wild. Radiflow researchers spotted the malware attacking the OT network of a water utility company in order to mine the Monero cryptocurrency, according to a Feb. 8 press release.”

The Register, Now that’s taking the p… Sewage plant ‘hacked’ to craft crypto-coins

“Several servers used to monitor and regulate critical water supplies were found to have been infected with code that quietly harvested Monero cyber-dosh and sent the coins over the internet to its masterminds.”

Cryptomining Malware Infects Tennessee Hospital Server

SC Media, Adversary breaches Tennessee hospital’s medical records server to install cryptominer

“Decatur County General Hospital in Parsons, Tenn., has publicly disclosed that an unauthorized party accessed the server for its electronic medical record system and secretly implanted cryptomining malware.”

Decatur County General Hospital, Notice Letter PDF

“On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency.’”

PZChao, Iron Tiger Connections

The Hacker News, Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

“Security researchers have discovered a custom-built piece of malware that’s wreaking havoc in Asia for the past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.” “Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.”

Bitdefender, Operation PZChao: a possible return of the Iron Tiger APT

“In the analysis process, we managed to retrieve the malware payloads hosted on one of the command and control servers along with some statistics, such as the total number of downloads and logs containing the targeted victims. Among the most-downloaded malicious files, we found variants of Gh0st RAT used in Iron Tiger APT operation. Interestingly enough, these new samples now connect to the new attack infrastructure.”


Air-Gaps and Faraday Cages Not Safe Enough

Infosecurity Magazine, Air Gaps, Faraday Cages Can’t Deter Hackers After All

“Conventional wisdom says that if something isn’t connected to the outside, it can’t be hacked. But research shows that Faraday rooms and air-gapped computers that are disconnected from the internet will not deter sophisticated cyber-attackers.”

The Hacker News, Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

“A team of security researchers… have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.”

Security Week, Stealthy Data Exfiltration Possible via Magnetic Fields

“Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.”

Gas Station Software Vulnerabilities

SecureList, Gas is too expensive? Let’s make it cheap!

“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong. With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”

Motherboard, Flaws in Gas Station Software Let Hackers Change Prices, Steal Fuel, Erase Evidence

FireEye, ReelPhish: A Real-Time Two-Factor Phishing Tool

US News

DHS Official: Russian Hackers Penetrated US Voter Systems in 2016 US Elections

Cyberscoop, DHS steadily moving state-by-state on election security outreach

SC Media, DHS Manfra says Russians successfully penetrated some state election systems

“Russian hackers successfully penetrated voter registration rolls in a number of U.S. states, Department of Homeland Security (DHS) cybersecurity chief Jeanette Manfra said Wednesday.”

NBC News, Russians penetrated U.S. voter systems, top U.S. official says

“We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated.”

Ukraine Cybersecurity Cooperation Act

CyberScoop, U.S. moves to develop grand cybersecurity partnership with Ukraine, a favorite target for Russian hackers

“During a week where multiple senior Ukrainian government officials came to visit Washington, a bill designed to foster further collaboration on cybersecurity efforts between the U.S. and Ukrainian governments passed the House of Representatives late Wednesday night.”

H.R.1997 – Ukraine Cybersecurity Cooperation Act of 2017

Other US News

SC Media, Fancy Bear targets defense contractors email to steal tech secrets

“Russian hacking group Fancy Bear, whose interference in the U.S. presidential election set off a firestorm of concern in the security, defense and intelligence communities, has actively exploited weak spots in the email systems of defense contract workers to access top secret information on U.S. defense technology, including drones.”

Washington Post, A sensitive DHS report about anthrax got outed — because it was left in a plane’s seat pocket

CyberScoop, Senators push bill banning Chinese tech firms Huawei and ZTE from being used in government

Middle East

Security Week, Actor Targeting Middle East Shows Excellent OPSEC

“An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say.”

Cisco Talos, Targeted Attacks In The Middle East

“These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region. The attackers used an analysis report alleged to be written by Dar El-Jaleel, a Jordanian institute specialising in studies of the region. Some of these documents are tagged as confidential.”

In Other News

SC Media, Malicious Reddit ‘twin’ discovered

“Earlier this week, security engineer Alec Muffett noticed that had turned into something altogether more troubling – a clone of, most likely intended to phish user credentials.”

Sophos, Naked Security, Reddit users, beware its evil twin

Sophos, Naked Security blog, Uber data breach aided by lack of multi-factor authentication

Graham Cluley, WordPress update stopped WordPress automatic updates from working. So update now

Palo Alto, Threat Brief: Hancitor Actors

“Hancitor is a malware that focuses on getting other malware onto the victim’s system. In the case of Hancitor, it’s typically banking Trojans that steal the victim’s banking information.”

Crowdstrike, Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER

“MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.”

Strava Fitness App’s Global Heatmap Reveals Sensitive Military Locations

Strava, “the social network for athletes,” released an updated version of its Global Heatmap that improved the map’s quality and resolution in ways that reveal information about locations and user routines, potentially compromising the security and safety of users and exposing sensitive military information.

The Strava app allows users with Android or Apple phones and wearable devices like the Fitbit and Apple Watch to track their exercise activity, view statistics related to their activities, and share this information with others. Strava’s Global Heatmap is a data visualization that maps all Strava user fitness activity across the world and is available freely on the internet. The Heatmap shows all shared Strava user paths as they move through common exercise locations in parks and hiking trails, but the map also highlights paths through neighborhoods, labeled airports, schools, and military bases across the world.

Strava’s Global Heatmap is impressive, but the problem is that the app may be tracking and displaying the movements of personnel on military bases or at posts in sensitive locations and conflict zones abroad.

When the movements of thousands of people in a crowded city are displayed, a single user’s path blends in and becomes anonymous. When a small number of users move along a repeated path in a remote location where no one else for miles around is using the app, their movements display as a clear path, starkly highlighted against the black background of the Global Heatmap. An observer might be able to use the map to spot areas where an unusual number of outsiders or foreigners have gathered, view the streets outlining the grounds around a location, trace the paths of a security patrol that does not deviate, and use this information to breach security or cause harm.
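The dense-versus-sparse argument above, as an added illustration (not Strava’s code or method): a heatmap is built from per-user tracks, and a cell is published only when at least k distinct users contributed to it, so that a route repeated by one or two people in an otherwise empty area does not light up. Grid size, threshold, coordinates and tracks are all constructed for the demo.

```python
"""Added example (not Strava's code): per-cell activity counts alone do not
anonymise a heatmap, but a k-anonymity style suppression on distinct users does.

Grid size, threshold, coordinates and tracks below are constructed for the demo."""
import math
from collections import defaultdict

CELL_DEG = 0.01  # constructed grid: 0.01 degrees, roughly 1 km per cell


def cell_of(lat, lon):
    """Map a coordinate to its grid cell index (floor on both axes)."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def build_heatmap(tracks):
    """tracks: {user_id: [(lat, lon), ...]}.
    Returns {cell: {"hits": number of points, "users": set of contributing users}}."""
    cells = defaultdict(lambda: {"hits": 0, "users": set()})
    for user, points in tracks.items():
        for lat, lon in points:
            cell = cells[cell_of(lat, lon)]
            cell["hits"] += 1
            cell["users"].add(user)
    return dict(cells)


def suppress_sparse(cells, k):
    """Publish a cell's intensity only when at least k distinct users contributed.
    Cells lit by one or two people (a patrol loop, a lone runner) are dropped,
    however many times those people repeated the route."""
    return {cell: data["hits"] for cell, data in cells.items()
            if len(data["users"]) >= k}


def sample_tracks():
    """Constructed data: eight joggers share one city block; two people at a
    remote site run the same loop twenty times. Both areas total 40 points."""
    tracks = {}
    for i in range(8):  # city: 8 users, 5 distinct points each along one street
        tracks[f"city_{i}"] = [(40.755 + j * 0.001, -73.985) for j in range(5)]
    for i in range(2):  # remote: 2 users, the same point logged 20 times each
        tracks[f"remote_{i}"] = [(34.005, 44.355)] * 20
    return tracks


CITY_CELL = cell_of(40.755, -73.985)    # constructed city location
REMOTE_CELL = cell_of(34.005, 44.355)   # constructed remote location


def publish(k=3):
    """Return (raw heatmap, suppressed heatmap) for the constructed tracks."""
    raw = build_heatmap(sample_tracks())
    return raw, suppress_sparse(raw, k)


if __name__ == "__main__":
    raw, published = publish()
    for name, cell in (("city", CITY_CELL), ("remote", REMOTE_CELL)):
        print(f"{name}: hits={raw[cell]['hits']} "
              f"users={len(raw[cell]['users'])} published={cell in published}")
```

Both cells carry the same 40 hits, so an intensity threshold alone would publish the remote route; only the distinct-user count separates them.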


Strava users can choose to “opt out” and make their activities private, but the app default is to share user activity data with the Heatmap automatically. The app’s privacy settings include a choice labeled “Private By Default,” but the selection toggle is set to “off” by default. For more information about Strava privacy settings and directions on how to hide user activity, view Strava’s informational blog post, How to Manage Your Privacy on Strava.

A Pentagon spokesperson announced last Monday that Defense Secretary James Mattis has ordered a DoD-wide review of the policies regarding the use of fitness apps and wearable fitness trackers to determine if the policies “need to be updated.” The spokesperson stated in a Military Times article that additional policies may include limitations on wearable devices able to track user location, “to include smart phones.”


BBC, Fitness app Strava lights up staff at military bases

Ars Technica, “Heatmap” for social athlete’s app reveals secret bases, secret places

Military Times, Mattis orders review of how troops use Fitbits, other fitness apps following breach

Strava Heatmap

This Week in Cybersec Headlines, 26 JAN 2018

University of Hawaii Data Breach Affects 2,400, CSCC article

Russian government inspected source code for Symantec, McAfee, and other software used by the US government

Reuters, Tech firms let Russia probe software widely used by U.S. government

“Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.”

SC Media, Global tech firms let Russian defense agency peek into source code to search for flaws

“To do business with Russia, U.S. tech companies often must obtain certification from the country’s Federal Service for Technical and Export Control (FSTEC), the FSB, the Russian intelligence agency, and other agencies.”

RATANKBA, North Korea-Linked Lazarus Targets Cryptocurrencies

Trend Micro, Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks.”

Security Week, North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools

Dutch Intelligence Service Spied on Cozy Bear’s Networks During the 2016 US Elections

Dutch agencies provide crucial intel about Russia’s interference in US-elections

“Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections. For years, AIVD had access to the infamous Russian hacker group Cozy Bear.”

FinFisher Cracked?

SC Media, Elusive FinFisher spyware can finally be cracked, researchers believe

ESET, We Live Security blog, ESET’s guide makes it possible to peek into FinFisher

Maersk chair describes NotPetya Aftermath

The Register, IT ‘heroes’ saved Maersk from NotPetya with ten-day reinstallation blitz

“Speaking on a panel at the World Economic Forum this week, Møller-Maersk chair Jim Hagemann Snabe detailed the awful toll of the ransomware epidemic as necessitating the reinstall ‘4,000 new servers, 45,000 new PCs, and 2,500 applications’… ‘And that was done in a heroic effort over ten days,’ he said.”

Social Media and Foreign Interference

Twitter, Update on Twitter’s Review of the 2016 U.S. Election

“As previously announced, we identified and suspended a number of accounts that were potentially connected to a propaganda effort by a Russian government-linked organization known as the Internet Research Agency (IRA).” “In total, during the time period we investigated, the 3,814 identified IRA-linked accounts posted 175,993 Tweets, approximately 8.4% of which were election-related.”

Reuters, Facebook: Russian agents created 129 U.S. election events

“Facebook Inc said Russian agents created 129 events on the social media network during the 2016 U.S. election campaign, according to testimony to Congress.”

Washington Post, Russians got tens of thousands of Americans to RSVP for their phony political events on Facebook

Washington Post, Twitter to tell 677,000 users they were had by the Russians. Some signs show the problem continues

“Twitter says it will notify nearly 700,000 users who interacted with accounts the company has identified as potential pieces of a propaganda effort by the Russian government during the 2016 presidential election.”

In Other News

Dark Reading, Industrial Safety Systems in the Bullseye

Triton/TRISIS article

Infosecurity Magazine, Mastercard to Implement Biometrics for In-Store Card Payments

“The financial giant said that all consumers will be able to identify themselves with biometrics such as fingerprints or facial recognition whenever they pay in stores with Mastercard.”

Infosecurity Magazine, High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign

CyberScoop, New global cybersecurity center announced at Davos

“The World Economic Forum announced plans Wednesday to launch a new coordinating group to counter emerging cybersecurity threats and help connect leaders from business and government to collaborate on various security issues as well as share best practices. Named the “Global Centre for Cybersecurity,” the loosely defined, Geneva-based organization will act as a sort of independent, multinational cyberthreat information sharing platform for companies to improve digital security writ [sic] large”

University of Hawaii Data Breach

The University of Hawaii system suffered a data breach as the result of a spear phishing campaign that exposed personal information of up to 2,400 faculty, staff, students, and student applicants. The breach occurred on 25 SEPT 2017, and a description of compromised information was later revealed in October 2017.

The compromised personal data included faculty and staff names and Social Security numbers along with graduate student admissions data, which would include date of birth, address, and “educational information.”

In a Honolulu Star-Bulletin article, Dan Meisenzahl, director of communications for the University of Hawaii system, says that the UH system was targeted in a spear phishing campaign and that “‘multiple servers’ within one school in the university system were affected, and those servers were taken offline.” The affected school was not identified because of the ongoing investigation. UH is working with the FBI to assist in the investigation.

A University of Hawaii System Report to the 2017 Legislature released last week lists the nature of data exposure as “files containing sensitive information discovered while investigating a Business Email Compromise (BEC).”

The section titled “Incident Description” begins, “In October 2017, while investigating an email compromise, network devices on the University of Hawai`i (UH) network were found to contain sensitive information. At this time, UH cannot confirm that any of the sensitive information was taken or that it was misused.” The description of the breach continues, “The network was protected by a firewall, but the attackers were able to find a way around it and retrieved login information to gain access to the network.”

The section titled “Remediation” describes changes to UH policy for encrypting sensitive data at rest and deleting unnecessary data, increased staff education and training, rebuilding, checking, and monitoring systems for backdoors and indicators of compromise, and reviewing network architecture and security controls.

A sample notification letter to possible data breach victims included in the report reads “We are implementing additional security measures in an attempt to detect and prevent similar attacks.” The letter includes an offer for one year of free credit monitoring services which must be activated by 12 FEB 2018.

The University of Hawaii was affected by five data breaches between 2009 and 2011, which Meisenzahl described as a “much larger-scale-type incident” than the latest data breach.

UH Information Technology Services (ITS) has sent out several warning emails about phishing scams in recent weeks.


Honolulu Star-Advertiser, 2,400 were exposed to phishing scheme, UH tells lawmakers

University of Hawaii, Report to the Legislature on Data Exposure at the University of Hawaii (PDF)

This Week in CyberSec Headlines, 19 JAN 2018

Dark Caracal, Cyberespionage, and Lebanon, CSCC Article

Hawaii’s False Missile Alert Headlines

TRISIS/Triton, Schneider Electric, Saudi Arabia

CyberScoop, Schneider Electric: Trisis leveraged zero-day flaw, used a RAT

CyberScoop, Trisis has the security world spooked, stumped and searching for answers

Dark Reading, Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT

Security Week, Triton Malware Exploited Zero-Day in Schneider Electric Devices

KillDisk targets Latin America

Trend Micro, New KillDisk Variant Hits Financial Organizations in Latin America

“KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms.”

SC Media, KillDisk wiper malware sets sights on Latin American financial organizations

Indiana Hospital Hit by Ransomware

Greenfield Daily Reporter, Hospital hit by ransomware: Attackers demand Bitcoin to release control of system

“A ransomware attack at Hancock Regional Hospital in Greenfield, Indiana has forced the facility to shut down its computer network to limit damage.”

SC Media, Ransomware shuts down Greenfield’s Hancock Regional Hospital

Russian Cyber Capabilities

Infosecurity Magazine, Russia, China’s Cyber-Capabilities Are ‘Catastrophic’

Flashpoint blog, Business Risk Intelligence Decision Report: 2017 End-of-Year Update

The Hill, Russian hackers move to new political targets

Dark Reading, Feds Team with Foreign Policy Experts to Assess US Election Security

MailChimp Email Address Leaks

Terence Eden, MailChimp leaks your email address

Infosecurity Magazine, MailChimp Found Leaking Email Addresses

US Legislation

SC Media, House passes Cyber Diplomacy Act

Reuters, Senate passes bill renewing internet surveillance program

“The U.S. Senate on Thursday passed a bill to renew the National Security Agency’s warrantless internet surveillance program for six years…”

US Senate votes to reauthorize FISA Section 702.

Hawaii’s False Missile Alert Headlines

Headlines and Links related to Hawaii’s False Missile Alert

CNET, Hawaii missile alert on smartphones was false alarm

Reuters, Tears and panic as false missile alert unnerves Hawaii

The Atlantic, Pandemonium and Rage in Hawaii

Washington Post, ‘BALLISTIC MISSILE THREAT INBOUND TO HAWAII,’ the alert screamed. It was a false alarm.

New York Times, Hawaii Panics After Alert About Incoming Missile Is Sent in Error

AP, The Latest: Hawaii governor apologizes for false alert

Wired, How Hawaii Could Have Sent a False Nuclear Alarm

Wall Street Journal, U.S. Reviews Emergency-Alert System After Hawaii Mishap

Washington Post, Hawaii missile mess: That was no ‘wrong button.’ Take a look.

Civil Beat, False Alarm Fallout: Worker Reassigned And Trump Weighs In

Graham Cluley, Hawaii’s ballistic missile false alarm and a user interface failure

Civil Beat, Hawaii Distributed Phony Image Of Missile Warning Screen

Ars Technica, The interface to send out a missile alert in Hawaii is slightly less bad

Bitdefender, Hot for Security, Hawaii’s missile alert agency keeps its password on a Post-it note

Business Insider, A password for the Hawaii emergency agency was hiding in a public photo, written on a Post-it note

New York Times, Days After Hawaii’s False Missile Alarm, a New One in Japan

Honolulu Star-Advertiser, After false missile alarm, Ige couldn’t log on to Twitter

SC Media, Hawaii slow to Tweet missile alert update when governor forgets Twitter password

Vox, Hawaii governor: I was slow to correct the bogus missile scare because I forgot my Twitter password

Honolulu Star-Advertiser, HI-EMA executive officer Clairmont retiring this year

Honolulu Star-Advertiser, HI-EMA ‘button pusher’ refusing to cooperate with FCC, internal investigators

Raytheon, Clean, clear and error-proof, Lessons from Hawaii: Smart graphics can help prevent human error

Honolulu Star-Advertiser, ‘Button pusher’ not cooperating with multiple investigations

Global Weekly Executive Summary, 19 JAN 2018

Dark Caracal


A newly discovered global cyberespionage threat group has ties to a government intelligence agency in Lebanon, according to a joint report from Lookout Mobile Security and the Electronic Frontier Foundation (EFF). The previously unknown threat group has been named “Dark Caracal” by Lookout, a San Francisco-based mobile security company. The joint report released on 18 JAN by researchers at Lookout and the EFF says this threat group has been conducting a prolific and evolving cyberespionage campaign using mobile devices for at least six years, with targets in over 21 countries across four continents.

Key Findings

  • The targets are individuals and institutions including “governments, utilities, financial institutions, manufacturing companies, and defense contractors.”
  • The report states that they identified “hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia,” including victims in the US.
  • Dark Caracal used “a series of multi-platform surveillance campaigns that began with desktop attacks and pivoted to the mobile device.” Social media, phishing, and physical access methods were used to compromise targets’ accounts and devices.
  • Android malware (called “Pallas”) and Windows malware (called “Bandook RAT”) were used to obtain screenshots and photos, record audio, and collect files, phone backups, text messages (including secure messaging content), GPS locations, corporate documents, contacts, and account information.
  • Dark Caracal purchases/uses mobile and desktop tools found on the dark web.
  • Custom mobile spyware (Pallas) was found in trojanized Android apps that masqueraded and operated as legitimate apps like WhatsApp, Signal, Adobe Flash Player, and Google Play Push and were made available to targets in a false Android app store.
  • This threat group may be operating out of the Beirut, Lebanon headquarters of the General Directorate of General Security (GDGS), a Lebanese government agency that “gathers intelligence for national security purposes and for its offensive cyber capabilities.”
  • The location of the operations base was determined by correlating data generated by test devices and wi-fi network information as well as observing logins to the C2 server from IP addresses owned by the government of Lebanon that geolocate to an area near the GDGS building.
  • According to an Associated Press article, the surveillance operation was discovered “after careless spies left hundreds of gigabytes of intercepted data exposed to the open internet…which includes nearly half a million intercepted text messages, had simply been left online”. The article continues with a quote from Lookout’s head of intelligence, Mike Murray, “It’s almost like thieves robbed the bank and forgot to lock the door where they stashed the money.”
  • According to a Reuters article, “Major General Abbas Ibrahim, director general of GDGS, said he wanted to see the report before commenting on its contents. He added: ‘General Security does not have these type of capabilities. We wish we had these capabilities.’”


These findings are significant and surprising because of the methods used (primarily mobile), the scale of the operation (21 countries, thousands of targets speaking several languages, hundreds of gigabytes of exfiltrated data, multiple campaigns operating simultaneously), and Lookout Mobile Security’s ability to tie the operation to a specific government agency at a specific building address in Lebanon.

As Eva Galperin, director of cybersecurity at the EFF, says, “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” We have come to expect cyberespionage on a global scale only from large countries with an abundance of government support for cyber operations. But with malware and hacking services available for purchase on the dark web, coupled with the prevalence of vulnerable mobile devices holding personal and professional information, we see that even a country not previously considered a major player in international cyberespionage is capable of running a successful, large-scale, long-running international surveillance campaign out of a building on a street corner in Beirut.


Lookout Security blog, Mobile Advanced Persistent Threat actor conducting global espionage campaign from Lebanon

Electronic Frontier Foundation Press Release, EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World

AP, Report links hacking campaign to Lebanese security agency

Reuters, Lebanese security agency turns smartphone into selfie spycam: researchers

Related Articles:

CyberScoop, Hackers linked to Lebanese government caught in global cyber-espionage operation


The Verge, Researchers have discovered a new kind of government spyware for hire

The Register, Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

AFP, Booby-Trapped Messaging Apps Used for Spying: Researchers

The New Vulnerabilities Equities Policy and Process Charter

An updated “Vulnerabilities Equities Policy and Process for the United States Government” charter was released on 15 NOV 2017 and describes the decision-making process for determining whether new vulnerabilities found by US government departments and agencies are disclosed or restricted.

According to the White House Fact Sheet (pdf) on the Vulnerability Equities Process (VEP), the new charter “determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.”

Rob Joyce, White House Cybersecurity Coordinator, outlined the “key tenets” of the new Vulnerability Equities Process (VEP) in a White House blog post about the process:

  • Improved transparency is critical.
  • The interests of all stakeholders must be fairly represented.
  • Accountability of the process and those who operate it is important to establish confidence in those served by it.
  • Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate.

Joyce discussed the difficulties that accompany updating the VEP in his White House blog post, “The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”

The White House Fact Sheet on the VEP (pdf) states that “new and not publicly known cyber vulnerabilities are reviewed by multiple departments and agencies to determine whether they should be disclosed to the public using what is known as the VEP. At its most basic, the VEP balances whether to disclose vulnerability information in the expectation that the vulnerability will be patched, or temporarily restrict the knowledge of the vulnerability to the Federal Government so it can be used for national security or law enforcement purposes.”

Joyce, formerly of the National Security Agency, would be familiar with what he describes as “the tension that exists between the desire to publicize every vulnerability discovered by the Federal Government in the conduct of its law enforcement and national security responsibilities and the need to preserve some select capability for action against extremely capable actors whose actions might otherwise go undiscovered and unchecked.”


The White House, Vulnerabilities Equities Policy and Process for the United States Government

The White House, White House Fact Sheet on VEP

The White House blog (Rob Joyce), Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do

Fifth Domain, White House calls for greater transparency in cyber Vulnerability Equities Process

Dark Reading, White House Releases New Charter for Using, Disclosing Security Vulnerabilities