The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.

Here’s a look at the cyber news for the week of November 5-9, 2018:
- The Pentagon has prepared a cyberattack against Russia (November 2, 2018)
Summary: U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems as part of potential retaliation for any meddling in America’s elections.
Why it matters: The threat landscape has evolved rapidly over the last decade, with more and more nation-states using cyberattacks as a means to political influence and economic gain. After Russian meddling in the 2016 U.S. elections, a ‘hack back’ bill, formally titled the Active Cyber Defense Certainty Act, was introduced in 2017. Although it gained a number of sponsors, there has been considerable controversy over whether the bill would curb attacks from malicious actors or provoke more offensive cyber activity from U.S. adversaries; consequently, it has made little progress since last year. What’s important about the recent National Security Presidential Memorandum 13, however, is that it signals the U.S. is shifting away from a strictly defensive cyber posture and integrating offensive cyber operations into its overall military and national cyber strategy. This shift doesn’t mean the U.S. will begin actively attacking other nation-states without cause. Rather, it suggests the U.S. is taking action to deter Russia and other nation-states from pursuing future attacks. The line between offensive and defensive cyber can be difficult to draw, but an effective national cyber strategy must be comprehensive enough to include both and must contain clear rules governing the use of each. In today’s cyber arena, one cannot exist apart from the other.
- Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day (November 5, 2018)
Summary: Cyber thieves recently leveraged various verified Twitter accounts to steal more than $180,000 in a single day.
Why it matters: While it’s not yet clear exactly how the attackers gained access to the accounts (possibly through brute force), what’s very clear is that they developed a comprehensive social marketing strategy. Starting with hijacked verified accounts renamed to impersonate Elon Musk, the actors took multiple steps to promote the scam and ensure their payout, at one point hijacking verified government accounts, which they then used to reassure doubtful victims. A verified account, signified by a blue badge on Twitter, is designed to let other users know that the account is authentic; the badge says nothing about who controls the account today or whether what it posts is legitimate, which is exactly what the scammers traded on. Twitter has had its public verification process paused since November 2017, and the social giant appears to be developing a new approach to verification. Musk recently tweeted about losing followers; while some of those followers may have left because of the bitcoin scam, Twitter has also been deleting millions of fake accounts since July. Follower counts and verification aside, what’s clear is that strategic social engineering is very often just as important to an effective cyberattack as the technical mechanisms employed. It’s critical, then, that cyber defenses don’t focus only on technical solutions. People are very much part of the equation and are often the weakest link. The technical basics still apply, though: unique passwords and multi-factor authentication on brand and executive accounts are what stop the kind of credential-guessing takeover suspected here.
- USB threat to industrial facilities comes into sharp focus with new Honeywell data (November 5, 2018)
Summary: A recently published research report from Honeywell sheds some light on the risks posed by USB drives and the implications for industrial operators.
Why it matters: This article offers a nice summary, but the 12-page report from Honeywell is definitely worth the read. There are some compelling statistics peppered through the report, but perhaps most interesting is that 15% of the threats detected and blocked were high-profile, well-known threats, including Stuxnet (2%), Mirai (6%), TRITON (2%) and WannaCry (1%). These threats aren’t new; Stuxnet alone has been in the wild for nearly a decade. The report also found that roughly 10% of the malware variants were less than a week old. That combination highlights how critical it is for organizations, especially those operating OT, to develop and implement a comprehensive security strategy that includes timely patching and strict control of removable media. Patching closes the known vulnerabilities the older families still rely on (WannaCry’s spread, for instance, depended on an SMB flaw that had been patched two months before the outbreak), but patching cannot address a vulnerability nobody knows about yet, and a variant that is days old will often slip past signature-based scanning. Controlling what can be plugged in is what keeps both from reaching a system in an OT environment, moving laterally and ultimately impacting the nation’s critical infrastructure. Forescout solutions allow for granular control of peripherals on certain boxes, enabling the identification of in-use USB ports and the ability to disable those ports when necessary.
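The removable-media control discussed above, as an added example that is not part of the Honeywell report or of any Forescout product: a small POSIX shell policy evaluator that allows a USB mass-storage device only when its vendor ID, product ID and serial number are on a site allowlist, blocks every other storage device, leaves non-storage devices (keyboards, mice) alone, and emits an equivalent USBGuard rule set. The allowlist, the device inventory and the serial numbers are constructed sample data; the USBGuard rules follow the project’s documented rule language and should be checked against the version actually deployed.

```shell
#!/bin/sh
# Added example: allowlist-based removable-media policy for an OT host.
# Not from the Honeywell report or any vendor product. All device data below
# is constructed for illustration.

# Approved storage devices as vendor:product:serial (constructed values).
USB_ALLOWLIST="0781:5583:4C530001230123 0951:1666:E0D55EA5C6A0"

# Constructed inventory of attached devices: "vid:pid serial interface-class".
# USB interface class 08 is Mass Storage; class 03 is HID (keyboard/mouse).
SAMPLE_DEVICES='0781:5583 4C530001230123 08
0951:1666 DEADBEEF0000 08
046d:c52b 000000000000 03
1234:abcd 000000000000 08'

# usb_decision VID:PID SERIAL IFACE_CLASS -> prints "allow" or "block".
usb_decision() {
    vidpid=$1; serial=$2; class=$3
    # Only mass-storage interfaces are subject to this policy.
    if [ "$class" != "08" ]; then
        echo allow
        return 0
    fi
    # A storage device must match vendor, product AND serial: a second
    # unit of an approved model with a different serial is still blocked.
    for entry in $USB_ALLOWLIST; do
        if [ "$entry" = "$vidpid:$serial" ]; then
            echo allow
            return 0
        fi
    done
    echo block
}

# evaluate_inventory -> one "decision vid:pid serial" line per device.
evaluate_inventory() {
    printf '%s\n' "$SAMPLE_DEVICES" | while read -r vidpid serial class; do
        printf '%s %s %s\n' "$(usb_decision "$vidpid" "$serial" "$class")" \
            "$vidpid" "$serial"
    done
}

# usbguard_rules -> the same policy as a USBGuard rules file: one allow rule
# per approved device (pinned to its serial), then a catch-all block for any
# device exposing a mass-storage interface. Rules are evaluated in order.
usbguard_rules() {
    for entry in $USB_ALLOWLIST; do
        vid=${entry%%:*}
        rest=${entry#*:}
        pid=${rest%%:*}
        serial=${rest#*:}
        printf 'allow id %s:%s serial "%s" with-interface equals { 08:*:* }\n' \
            "$vid" "$pid" "$serial"
    done
    printf 'block with-interface one-of { 08:*:* }\n'
}

# Usage: run the file to see the per-device decisions and the generated rules.
evaluate_inventory
usbguard_rules
```

Of the four constructed devices, only the first is allowed as storage; the second is the right model but the wrong serial, and the fourth is an unknown stick, so both are blocked, while the HID device passes untouched. Serial pinning is deliberate: an allowlist by vendor and product alone is defeated by buying the same model of drive.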
- Texas Instruments Microcontrollers CC2640 and CC2650 are vulnerable to heap overflow (November 6, 2018)
Summary: A new vulnerability in two Texas Instruments microcontrollers has been identified. To exploit it before it is patched, an attacker would need to be within radio range of the device to trigger the vulnerable code.
Why it matters: This is one of the more obscure articles from the week, and one that at a glance might not seem that important. It matters, though, because the affected parts are microcontrollers, key components in IoT devices. The CC2640 and CC2650 are wireless MCUs for Bluetooth applications, designed to run on very low current and power, which makes them ideal for coin-cell and energy-harvesting designs. The article names three major vendors that are potentially affected and highlights the criticality of supply-chain security: a flaw in one chip vendor’s component surfaces in every product that embeds it, whether or not the product vendor knows the chip is there. IoT devices, in and of themselves, are not malicious or dangerous tools. But because of vulnerabilities like the one identified in this article, and because of susceptibility to attack through the supply chain, IoT devices can be leveraged by bad actors to wreak havoc on any network to which they are connected. Vulnerabilities such as these are the reason it’s critical to gain device visibility across your entire organization and to mitigate the associated risk through network segmentation. The good news is that this vulnerability requires local proximity rather than remote access, and most affected devices ship with Bluetooth turned off by default, a further inhibitor to successful exploitation. The practical check is to find products built on these chips in your inventory, confirm the Bluetooth radio is disabled where it isn’t needed and apply the vendor fix where it is.
- Midterms Security Watch: Quiet Election Day early sign of cyber policy success (November 6, 2018)
Summary: This live blog from Justin Lynch of Fifth Domain provides an insightful timeline of election day cyber events.
Why it matters: So far, there have been no signs or reports of direct election meddling or tampering. However, according to the Department of Homeland Security (DHS), there have been both intentional and unintentional disinformation efforts, which can be just as troubling. As of November 5, Facebook had suspended more than 100 accounts for suspected disinformation activity. Disinformation, or fake news, is designed to influence how individuals make their decisions, but its frequency and volume have made it increasingly difficult to distinguish what’s fake from what’s real. Monitoring platforms for disinformation is one way to reduce fake news, as Twitter, Facebook and others have done. We can expect that, just as political activists and foreign nation-states have used AI and machine learning to amplify their messages, the social media giants will use the same tools to filter out the noise.