- Cyber -
Last update 09.10.2017 12:44:39
Cybersecurity's Venture Capital and Private Equity Money-go-Round
8.1.2018 securityweek Cyber
Access to Money at the Right Time is Essential for Cybersecurity Firms Given the Volatility of the Market
Security firms bought by and consumed within larger firms can easily lose their way. It happened with McAfee, bought by Intel in 2010 for $7.68 billion, and extracted with a 51% purchase by private equity (PE) firm TPG in April 2017. The extraction valued McAfee at only $4.2 billion.
McAfee will be hoping that it can emulate SonicWall -- which also lost its way after being bought by Dell (from Thoma Bravo) in 2012. In the summer of 2016, Francisco Partners and Elliott Management extracted SonicWall (along with Quest Software) for a price reported by Reuters to be around $2 billion. Thoma Bravo did not disclose the price Dell paid for SonicWall, but the Wall Street Journal suggested it was $1.2 billion.
Dell acquired Quest Software for $2.4 billion in 2012 -- making the combined cost of the two firms somewhere in the region of $3.6 billion. In short, the two firms together fell in value from $3.6 billion to just $2 billion in the five years they spent as part of Dell.
Since then, SonicWall has been turned around under PE guidance and the stewardship of CEO Bill Connor. A little over a year after purchasing the two firms, Francisco Partners announced that it had completed a $2 billion debt refinancing, due to the strong operating performance of the firms. The refinancing was significantly oversubscribed, it reduces the operating overheads of the firms, and positions them nicely for further growth.
Private Equity in Cybersecurity
Access to money at the right time (and a few other things like the right management team) is essential for cybersecurity firms given the volatility of the market in both emerging start-ups and changing technology. This means that finding the right backers and understanding the investment market could be fundamental to the prospects of almost any cybersecurity firm. Excluding the unknown potential of the new small-scale crowdfunding options, there are three primary sources of serious money: angel investment, venture capital (VC) and private equity (PE).
'Angels' tend to be individuals -- or possibly collections of individuals -- who invest their own money in promising ideas. They are often important in getting a new company started; but do not normally have sufficient funds to take a growing company to the next level.
That next level of funding generally comes from venture capital (VC). VC funds "like Paladin, Amadeus and others step in to provide capital to entrepreneurs just after their angel or ‘proof of concept' phase of funding," explains Nazo Moosa. Moosa this year formed a new European VC firm called VT Partners, with the express purpose of injecting U.S.-style funding and growth into the under-performing European cybersecurity company market.
The key point for VC is that it funds new companies with new ideas. At this stage they are promising rather than proven; some will succeed, many will fail. Because of the additional risk to the investors, VC money is invested at high interest rates. This is the biggest problem area for the cybersecurity industry -- because of the high interest rates, returns need to be made relatively fast, and/or additional investment found. A company's value is often based on the number of its users, so sales can in many cases be more important than further product development.
Of course, not all VC firms are there just for a quick return. Dan Schiappa, Sophos SVP and GM, explains, "The top echelon investors are not in it for the quick turnaround, but instead they are long-term investors that will add value to a management team and towards building a long term viable company." But he adds, "VCs who look to build a company for acquisition from the get-go are the ones to avoid, as they may drive behaviors that are not beneficial to customers or product quality."
The problem is that cybersecurity attracts both types of VC money, simply because it is hot. "Everybody is under attack all of the time," comments Connor, "from other countries, cybercriminals, and hacktivists. So it's a hot area and hot areas tend to attract a lot of opportunity and a lot of money. From that there are a lot of start-ups with new 'silver bullets' that attract VC."
Schiappa believes there is a common cycle for new security companies. Initial idea and development is followed by VC investment. The money enables strong marketing, which effectively makes or breaks the business depending on the inherent strength of the initial product.
"At the end of the day," Schiappa explains, "much of the problem is that tech entrepreneurs follow the logic of getting product out as quickly as possible and gaining feedback. While in some circumstances that is a good and viable strategy, in others, it produces low quality products, that may be innovative, but are not suitable to build a scalable business. Startups get hyped, their innovation gets adopted; but then -- when they hit a scale that goes beyond the business or the product -- they enter the trough of sorrow, where investment is needed to build the product properly. During this period of time, you usually see a pickup in marketing in order to keep the momentum going. It can takes years for a company to exit the trough with the quality product and business operations to scale to a legitimate business."
The problem for the cybersecurity industry is that new ideas do not often have 'years' to spare; they are constantly being supplanted by new and different ideas and technology.
"The hype cycle is where a startup can make it or break it," he continues. "If they are building quality products during the hype cycle, they will withstand the scale and not enter the trough, or enter it very briefly. Those who ship a product that is barely more than a prototype are destined for disaster."
Some VC investors collude in this cycle by insufficiently understanding cybersecurity. "There is a lot of money at play in the security space," warns Connor, "because it's such an interesting area, and an area that's not going to go away -- and there's also a lot of money that doesn't really understand security. It's not necessarily dumb money, but it's at risk in this space."
A good VC is not just a money lender -- it's a mentor who, adds Schiappa, "will guide the company properly and even provide technical advisers who can ensure that the product is built with production quality."
Company founders and private investors usually have one common long-term aim -- to maximize a return on their time and capital. There are three primary routes: sale to a larger company; going public and raising money on a stock exchange; and attracting the next level of private investment. The next level is 'private equity'. It is 'big money' that generally becomes available to companies that have been through the early growth phases of venture capital and have demonstrated the potential for future growth.
PE differs from VC in two primary ways: firstly there is generally more money available than there is in VC; and secondly, PE usually seeks to take a greater stake in the company -- if not actual ownership -- rather than simply investing in it. "PE firms tend to take on more ownership and liability of a company," comments Nathan Wenzler, "and so, they tend to have a stronger motivation to invest in the long term viability of it."
In this way, private equity firms play a different role in the evolution of a company. A PE firm looks for demonstrable potential. It is not interested in firms that have maxed their potential, but in firms that are perhaps slightly under-performing.
"They tend," explains Schiappa, "to acquire a company that has been an established vendor, has meaningful billings and revenues, but might not be operating at its full potential." SonicWall and McAfee both fit this bill. By improving performance, the PE firm will be able to gain its own return through one of two exit strategies: sale to a big security firm (or a larger PE firm); or going public. Unlike the majority of VC firms, PE tends to take a longer term view of the growth of its investment.
One method of improving performance -- beyond simply injecting capital -- is to strengthen the management team. A PE firm, says Schiappa, will "typically bring in professional leaders to guide the company to the public markets or to a larger exit. The PE firm is definitely investing with an exit in mind and their goal is to build value in the asset towards meeting that need. In most cases it is always beneficial to the company and their strategy and operations."
When Francisco Partners acquired SonicWall from Dell, it was because SonicWall was losing its way despite having a proven product, and therefore potential. "What Francisco Partners saw," explains Connor, "was a multiple $100m dollar company where the revenue was going down. It was losing money, but some of us -- and that included myself -- knew that the company had been growing before and made money before; both when it was private and public. So we knew it just needed to get restructured, or rebuilt and refocused -- which is what I've done over the last years."
The first thing the PE company did was to bring in Bill Connor as the new CEO. Connor already had successful experience in working with a PE firm, having taken Entrust through its four-year period with Thoma Bravo to its sale to the Datacard Group in 2013; for what he says was six and a half times the PE firm's original investment.
This is the cybersecurity money-go-round. VC firms look for the next silver bullet that could give the investors a high return over a short period. It tends to be new technology or an innovative idea; but there is no company track record. The risks are higher, so the cost of the money is more expensive. This can lead to increased pressure on the company to grow as fast as possible. If that growth can be sustained, the company will succeed; if it cannot, it will fail.
If the company succeeds, it can then become a target for private equity investment. That company now has a track record, but PE is looking for the potential for even greater growth through a combination of additional funds and perhaps improved leadership. There are, and there always will be, casualties -- both in silver bullet companies that prove lackluster, and buyers of those products. During the hype phase of VC, users can be persuaded to buy a product that under-performs and ultimately fails -- and that could prove costly to the user beyond the price of the product. The PE phase is more stable. PE firms are confident that the product is good and the market is strong.
Overall, the system works. By far the majority of big cybersecurity firms are U.S.-based, with only a handful of European firms reaching a similar scale. It is no coincidence that the U.S. has five times the venture funding as that of Europe. But to use the system profitably, new companies need to choose the right VC investment in their early years. Cybersecurity firms should examine the track record of VC firms just as closely as PE firms examine the track record of the cybersecurity firms.
Incidentally, Dell, which first bought SonicWall and then sold it to PE firms Francisco Partners and Elliott Management, has its own investments history. It started in 1984 with Michael Dell building and selling personal computers while he was a student at the University of Texas at Austin, using $1,000 capital provided by his family. As he proved his worth, his family increased their 'investment' to a loan of $500,000, similar to early stage 'angel' investments.
As his firm grew, Dell did not proceed to the venture capital stage. Instead, he hired a retired merchant banker and venture capitalist, Lee Walker, as president and CEO. Walker helped secure the firm's first serious credit -- a bank's line of credit for $10 million. Dell also skipped the private equity stage, raised capital in a private placement in 1987 and went public via an initial public offering in 1988. Michael Dell retained a significant position in the company, but no longer had personal control.
During the 1990s, the company continued to prosper, but started to suffer from the increasing commoditization of personal computers after 2000, and the later effect of mobile devices on the PC market. Dell's market dominance declined -- but in 2013 Dell announced that Michael Dell and Silver Lake Partners, together with a $2 billion loan from Microsoft, would take the company private in a $24.4 billion leveraged buyout deal. In essence, Michael Dell used private equity to escape from public ownership rather than the more usual route of using it to prepare for public ownership.
It was the PE-backed Dell that announced the purchase of EMC for $67 billion in October 2015, completing the deal in September 2016. The combined companies became Dell Technologies, the world's largest privately controlled integrated technology company, which also includes security industry pioneer RSA.
Pavel Lerner, head of EXMO cryptocurrency exchange, was kidnapped in Ukraine
30.12.2017 securityaffairs Cyber
According to Ukrainian media, the head of the EXMO cryptocurrency exchange Pavel Lerner has been kidnapped in Kiev; the police are investigating the case.
According to Ukrainian media, the Russian IT expert Pavel Lerner has been kidnapped in Kiev.
Pavel Lerner (40) is the managing director of EXMO, one of the largest cryptocurrency exchanges, and according to the Ukrainian media outlet Strana.ua he stopped responding to phone calls on December 26.
“According to the applicant in the case, Lerner was abducted near his workplace – an office center in Stepan Bandery Street (before renaming – Moscow Avenue). The programmer was dragged into the car of Mercedes-Benz Vito brand (state number AA 2063 MT) by unknown persons in dark clothes and balaclava, and taken away to an unknown destination,” states Strana.ua.
Lerner has been kidnapped while he was leaving his office in Stepan Bandera Prospect in Kiev.
The IT specialist led a number of startups, related to blockchain technology and cryptocurrency mining.
Ukrainian police are investigating the case; at the time of writing it is still unclear who kidnapped the man and why.
EXMO confirmed the news of the kidnapping and clarified that company operations were not affected by what has happened. EXMO also added that Lerner did not have direct access to any cryptocurrency account or other personal data.
“We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated,” PR-department of EXMO said.
“Despite the situation, the exchange is working as usual. We also want to stress that the nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users’ funds are absolutely safe.”
Info Stealing – The cyber security expert Marco Ramilli spotted a new operation in the wild
30.12.2017 securityaffairs Cyber
The Italian cyber security expert Marco Ramilli, founder of Yoroi, published an interesting analysis of a quite new InfoStealer malware delivered by email to many international companies.
Attack attribution is always very hard work. False flags, code reuse and spaghetti code make it impossible to assert “This attack belongs to X”. Indeed, nowadays it makes more sense to talk about attribution probability rather than attribution by itself. “This attack belongs to X with 65% attribution probability” would be a correct sentence.
I made this quick introduction because the following analysis will probably lead the reader to think about specific attribution, but it won’t be that accurate, so please be prepared not to have such clear conclusions.
Today I’d like to show an interesting analysis of a quite new InfoStealer malware delivered by email to many international companies. The analysis shows interesting code reuse, apparently originated by Japanese attackers reusing an English-speaking attacker’s source code. Again, I do not have enough artifacts to give attribution, only a few clues, as follows. In the described analysis, the original sample was delivered by firstname.lastname@example.org (with high probability a compromised South African account) to one of my spam email addresses.
The obtained sample is a Microsoft Word document with a macro in it. The macro was heavily obfuscated using four rounds of substitutions and UTF-8 encoded charsets (which, by the way, is super annoying). The following image shows the obfuscated macro code with UTF-8 charsets.
Stage 1: Obfuscation
By using oletools and “tons” of cups of coffee (to stay awake until late at night to make the recursive steps) I was finally able to extract the invoked command, shown in the following image.
Stage 1: Invoked Command
A fashionable PowerShell command drops and executes: hxxp://ssrdevelopments.co.za/a2/off.exe. PowerShell seems to be a “must have” in contemporary malware. Analyzing the “dropping” URL and tracking down the time it has been in “Index Of” mode (2017-0-13), I suspect it is not a compromised website but rather a crafted web server or a compromised host of a dead company.
Dropping Web Site
By surfing the malware propagator website I found many malicious executables (see the IoC section), each one showing specific behaviors such as password stealers, RATs and banking Trojans. Even if the samples were developed for different targets, all of them shared the following basic behaviors:
Check for the victim’s IP address before getting into malicious activities (maybe related to targeted activities)
Install itself into an auto-execution path
Try to fingerprint the target system (CPU, HD, memory, username, system, etc.)
Sniff for keystrokes
I’d like to write a simple analysis for each found sample, but today time is not my friend, so let’s focus on one of the malicious samples. Let’s get into the received sample by digging into the “second stage” dropped by the PowerShell “first stage” from ssrdevelopments.co.za/a2/off.exe. After a few seconds on the second stage (off.exe) it became clear that it was a .NET program. By reversing the interpreted .NET language, some clear-text comments looked interesting. Japanese-language comments and variable names came out of static analysis. Let’s have a look at them.
Stage 2: Apparently Japanese characters
While the sample pretends to be compiled by “Coca-Cola Enterprise” (maybe a targeted operation against Coca-Cola? Or a targeted operation against Coca-Cola suppliers? So why did it end up in my inbox? Anyway …), Google Translate suggests to me that the Japanese characters are text: such as the “Entry Point”, “Class names” and “Function Names”.
Stage 2: Japanese Names and Self Encoding Structures
It was not hard to figure out that Stage 2 was auto-extracting bytes from itself (local variables) and saving them back to the hard drive after having set up an auto-execution registry key in the Windows local registry. The following image shows the XOR function used to decrypt the converted bytes into the real payload.
Stage 2: Xoring function to extract Stage 3
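The extraction step described above, as an added analyst-side example that is not Ramilli's code and not taken from the sample: given a blob carved out of a Stage 2 binary, recover a repeating XOR key by using the DOS stub string found in nearly every PE as known plaintext, then confirm the result has a valid MZ/PE layout. The payload bytes, the key and the blob below are all constructed here; the real sample's key is not on the page.

```python
import struct

# Known plaintext present in the DOS stub of almost every PE file.
DOS_STUB = b"This program cannot be run in DOS mode."

# Constructed key for the example; the real sample's key is not on the page.
SAMPLE_KEY = b"\x5a\xa3\x17\xf0"


def build_sample_pe() -> bytes:
    """Construct a minimal PE-shaped buffer (not a real executable) to stand in for Stage 3."""
    header = bytearray(0x40)                       # IMAGE_DOS_HEADER is 64 bytes
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)     # e_lfanew: offset of the "PE\0\0" signature
    # Typical 16-bit stub code followed by the well-known message.
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b"\r\n$"
    image = bytes(header) + stub
    image += bytes(0x80 - len(image))              # pad up to e_lfanew
    image += b"PE\x00\x00" + bytes(24)             # NT signature plus a placeholder file header
    return image


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_encoded_sample() -> bytes:
    """What an analyst would carve out of Stage 2: the XOR-encoded Stage 3 bytes (constructed)."""
    return xor_bytes(build_sample_pe(), SAMPLE_KEY)


def looks_like_pe(buf: bytes) -> bool:
    """Cheap structural check: MZ magic and a PE signature where e_lfanew points."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, max_keylen: int = 16):
    """Find a repeating XOR key of 1..max_keylen bytes using DOS_STUB as known plaintext.

    For the right offset, blob[off+j] ^ DOS_STUB[j] equals key[(off+j) % keylen], so the
    XOR stream must be periodic in keylen. Returns (key, decoded) or None.
    """
    for keylen in range(1, max_keylen + 1):
        for off in range(len(blob) - len(DOS_STUB) + 1):
            stream = bytes(blob[off + j] ^ DOS_STUB[j] for j in range(len(DOS_STUB)))
            if any(stream[j] != stream[j % keylen] for j in range(len(stream))):
                continue
            # Re-align the key stream to blob offset 0.
            key = bytes(stream[(k - off) % keylen] for k in range(keylen))
            plain = xor_bytes(blob, key)
            if looks_like_pe(plain):
                return key, plain
    return None


if __name__ == "__main__":
    found = recover_xor_key(build_encoded_sample())
    if found is None:
        print("no key found")
    else:
        key, plain = found
        print("key:", key.hex(), "decoded length:", len(plain), "PE:", looks_like_pe(plain))
```

Extending the search to longer keys or to other known-plaintext strings (section names, common imports) is straightforward; the periodicity check is what keeps the search from exploding.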
On my run, the XORed payload took the name GIL.exe, another .NET executable. We are now facing the third stage. By analyzing the decompiled sample it became clear that:
The coding style was quite different from the previous stage (Stage 2)
The implementation style was different from the previous stage as well
The sample was interested in information about the user, the machine, the web services on the PC and many more Windows-specific parameters.
Stage 3: New Language in Strings and Class names
Stage 3: New Code Style
By closely investigating Stage 3, the analyst would probably notice the heavy presence of “decorators”, a different format in the definition style and, last but not least, the core composition. Everything looks like it belongs to different individual developers. The variable language, the comment structure and the general usage of terms lead the analyst to believe they have found two different developers belonging to different cultures (maybe countries). Finally, the malware looks for user, computer and web service information and drops everything to the C2 by posting parameters to: ssrdevelopments.co.za/cgi-bin/
The following are the principal IoCs for the described threat.
Hash Stage 1:
Hash Stage 2:
Hash Stage 3:
Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kij %APPDATA%\Roaming\kij\kij.exe
Command and Control:
Related hashes from harvesting Dropping URL:
As a final thought I’d like to highlight the following key concepts of this analysis:
From a single email, the analyst could discover the attacker’s assets, mapping them and disarming them (through IoCs).
The analyzed code shows apparent evidence of belonging to different groups of attackers.
The analyzed samples show code reuse. Code reuse is dangerous because it makes attackers more powerful and extremely quick to change malware behavior.
Hope you enjoyed.
The original post published by Marco Ramilli on his blog at the following URL:
2018 Cyber Security Predictions
28.12.2017 Symantec Cyber
As 2017 draws to a close, here is what you can expect over the course of the upcoming year
This past year, cyber criminals caused major service disruptions around the world, using their increasing technical proficiency to break through cyber defenses. In 2018, we expect the trend to become more pronounced as these attackers will use machine learning and artificial intelligence to launch even more potent attacks.
Gear up for a busy year ahead. Incidents like the WannaCry attack, which impacted more than 200,000 computers worldwide in May, are just the warmup to a new year of more virulent malware and DDoS attacks. Meanwhile, cyber criminals are poised to step up their attacks on the millions of devices now connected to the Internet of Things both in offices and homes.
As 2017 draws to a close, here is what you can expect over the course of the upcoming year:
Blockchain Will Find Uses Outside Of Cryptocurrencies, But Cyber criminals Will Focus On Coins and Exchanges
Blockchain is finally finding applications outside of crypto-currencies, expanding to inter-bank settlements, fuelled by increasing traction in IoT. However, these use cases are still in their infancy and are not the focus for most cyber criminals today. Instead of attacking Blockchain technology itself, cyber criminals will focus on compromising coin-exchanges and users’ coin-wallets since these are the easiest targets, and provide high returns. Victims will also be tricked into installing coin-miners on their computers and mobile devices, handing their CPU and electricity over to cyber criminals.
Cyber Criminals Will Use Artificial Intelligence (AI) & Machine Learning (ML) To Conduct Attacks
No cyber security conversation today is complete without a discussion about AI and ML. So far, these conversations have been focused on using these technologies as protection and detection mechanisms. However, this will change in the next year with AI and ML being used by cyber criminals to conduct attacks. It is the first year where we will see AI versus AI in a cybersecurity context. Cyber criminals will use AI to attack and explore victims’ networks, which is typically the most labour-intensive part of compromise after an incursion.
Supply Chain Attacks Will Become Mainstream
Supply chain attacks have been a mainstay of classical espionage and signals-intelligence operators, compromising upstream contractors, systems, companies and suppliers. They are highly effective, with nation-state actors using human intelligence to compromise the weakest links in the chain, as well as malware implants at the manufacture or distribution stage through compromise or coercion.
These attacks are now moving into the mainstream of cyber crime. With publicly available information on technology, suppliers, contractors, partnerships and key personnel, cyber criminals can find and attack weak links in the supply chain. With a number of high-profile, successful attacks in 2016 and 2017, cyber criminals will focus on this method in 2018.
File-less and File-light Malware Will Explode
2016 and 2017 have seen consistent growth in the amount of file-less and file-light malware, with attackers exploiting organizations that lack in preparation against such threats. With fewer Indicators of Compromise (IoC), use of the victims’ own tools, and complex disjointed behaviours, these threats have been harder to stop, track and defend against in many scenarios. Like the early days of ransomware, where early success by a few cyber criminals triggered a gold-rush like mentality, more cyber criminals are now rushing to use these same techniques. Although file-less and file-light malware will still be smaller by orders-of-magnitude compared to traditional-style malware, they will pose a significant threat and lead to an explosion in 2018.
Organisations Will Still Struggle With Security-as-a-Service (SaaS) Security
Adoption of SaaS continues to grow at an exponential rate as organizations embark on digital transformation projects to drive business agility. This rate of change and adoption presents many security challenges, as access control, data control, user behaviour and data encryption vary significantly between SaaS apps. While this is not new and many of the security problems are well understood, organizations will continue to struggle with all these in 2018.
Combined with new privacy and data protection laws going into effect globally, these will pose major implications in terms of penalties and, more importantly, reputational damage.
Organisations Will Still Struggle With Infrastructure-as-a-Service (IaaS) Security – More Breaches Due to Error, Compromise & Design
IaaS has completely changed the way organisations run their operations, offering massive benefits in agility, scalability, innovation and security. It also introduces significant risks, with simple errors that can expose massive amounts of data and take down entire systems. While security controls above the IaaS layer are a customer’s responsibility, traditional controls do not map well to these new cloud-based environments – leading to confusion, errors and design issues with ineffective or inappropriate controls being applied, while new controls are ignored. This will lead to more breaches throughout 2018 as organizations struggle to shift their security programs to be IaaS effective.
Financial Trojans Will Still Account For More Losses Than Ransomware
Financial Trojans were some of the first pieces of malware to be monetised by cyber criminals. From simple beginnings as credential-harvesting tools, they have since evolved into advanced attack frameworks that target multiple banks and banking systems, sending shadow transactions and hiding their tracks. They have proven to be highly profitable for cyber criminals. The move to mobile, application-based banking has curtailed some of their effectiveness, but cyber criminals are quickly moving their attacks to these platforms. Cyber criminals’ profits from Financial Trojans are expected to grow, giving them higher gains as compared to Ransomware attacks.
Expensive Home Devices Will Be Held To Ransom
Ransomware has become a major problem and is one of the scourges of the modern Internet, allowing cyber criminals to reap huge profits by locking up users’ files and systems. The gold-rush mentality has not only pushed more and more cyber criminals to distribute ransomware, but also contributed to the rise of Ransomware-As-A-Service and other specializations in the cyber criminal underworld. These specialists are now looking to expand their attack reach by exploiting the massive increase in expensive connected home devices. Users are generally not aware of the threats to Smart TVs, smart toys and other smart appliances, making them an attractive target for cyber criminals.
IoT Devices Will Be Hijacked and Used in DDoS Attacks
In 2017, we have seen massive DDoS attacks using hundreds of thousands of compromised IoT devices in people’s homes and workplaces to generate traffic. This is not expected to change with cyber criminals looking to exploit the poor security settings and lax personal management of home IoT devices. Furthermore, the inputs and sensors of these devices will also be hijacked, with attackers feeding audio, video or other faked inputs to make these devices do what they want rather than what users expect them to do.
IoT Devices Will Provide Persistent Access to Home Networks
Beyond DDoS attacks and ransomware, home IoT devices will be compromised by cyber criminals to provide persistent access to a victim’s network. Home users generally do not consider the cyber security implications of their home IoT devices, leaving default settings and not vigilantly updating them like they do with their computers. Persistent access means that no matter how many times a victim cleans their machine or protects their computer, the attacker will always have a backdoor into victims’ network and the systems that they connect to.
Attackers Exploit The Move To DevOps
The agile, DevOps and DevSecOps movements are transforming IT and cyber-security operations in every organisation. With improved speed, greater efficiencies and more responsive delivery of IT services, this is quickly becoming the new normal. While all this works to the greater good, like any disruptive change, it offers opportunities not only for errors, but also for attackers to exploit. Much like the issues facing the move to SaaS and IaaS, organizations are struggling to apply security controls in these new models of CI/CD and automation. As environments change constantly, anomaly detection gets harder, with many existing systems creating far too many false positives to be effectively dealt with. In the next year, we’ll see a greater number of attackers taking advantage of this to cover their activities inside a victim’s environment.
Cryptowars Redux Enters Its Second Phase
The cryptowars were fought and won in the 1990s, or so everyone thought. Over the last two years, however, the struggle has re-emerged with governments, policy makers, law enforcement, technology companies, telcos, advertisers, content providers, privacy bodies, human rights organisations and pretty much everyone expressing different opinions on how encryption should be used, broken, circumvented or applied. The war will continue to be fought on a mostly privacy versus government surveillance basis, particularly for device and communications (email and messaging) encryption. Beyond that, though, expect to see content providers, telcos and advertisers influencing much of the adoption of transport layer encryption, as it’s often viewed as being at odds with their business models.
ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018
13.12.2017 securityaffairs Cyber
ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018. From drones to chemical attacks, which are the major risks?
Last month, the Department of Homeland Security (DHS) warned that, “our enemies remain focused on attacking the United States, and they are constantly adapting. DHS and its partners are stepping up efforts to keep terrorists out of America and to prevent terrorist recruitment and radicalization here at home, and we urge the public to remain vigilant and report suspicious activity.”
The DHS also indicated the U.S. is facing a significant, ongoing terror threat and the agency’s website displayed an “Elevated” alert level (second from the most severe), which means a credible threat of terrorism against the U.S. exists.
Guess Who’s Back
Al Qaeda never really went away, of course. The 30-year-old terrorist organization had just, for the most part, receded to the background while the Islamic State took center stage. While ISIS has been driven out of Iraq and Syria, they are alive and well in Africa and Europe. ISIS supporters can be found in the U.S. as well, as evidenced by recent activity by the group’s devotees.
Al Qaeda has reemerged stronger than it was when Bin Laden was killed. While the world was focused on ISIS, al Qaeda was quietly amassing power, planning, strengthening alliances and fundraising.
Earlier in the year, Stratfor reported that some are concerned that al Qaeda and ISIS may reunite:
“The idea of the global jihadist movement’s two major poles joining forces is certainly a troubling one. The combined capabilities of the Islamic State and al Qaeda could pose a significant threat to the rest of the world, making them a much more dangerous enemy together than divided.”
Though both groups follow Salafist ideology, it might be difficult to merge the two groups’ divergent goals. The Islamic State seeks global conquest in the establishment of Caliphate, while Al Qaeda is focused on the demise of the United States. Al Qaeda boasts a sophistication gained from years of experience, selectivity in recruiting and an assortment of well-educated scholars, including scientists and engineers.
Viewed as crude by al Qaeda, ISIS also lacks the restraint that al Qaeda exercises.
Some collaboration, between these two terrorist groups, has already occurred in Syria, where fighters with Hayat Tahrir al-Sham (HTS), also known as al Qaeda in Syria, and ISIS were found to have a somewhat cooperative relationship. Additionally, al Qaeda emir Ayman al Zawahiri has been attempting to build bridges among groups with similar enemies. And, al Zawahiri reiterated the fact that the U.S. is al Qaeda’s number one priority.
In comparing the two groups, Critical Threats points out that, “while ISIS had used conquest and bombastic proclamations to capture popular support and gain momentum, al Qaeda worked quietly with a softer approach to securing support.”
“The strengthening of al Qaeda is more dangerous than the success of ISIS. Al Qaeda’s softer approach to building popular support at the grassroots level evoked little, if any, reaction from the West. The West bought al Qaeda’s line that its local focus is a local issue. Al Qaeda further managed the reactions of the communities into which it was insinuating itself by permitting outbursts of local resistance and adjusting its time line to avoid generating backlash. ISIS’s conquest, by contrast, resulted in the West mobilizing a military effort against the group and harsh reaction from its conquered communities over time. ISIS’s coerced popular support in the Muslim world will collapse. Al Qaeda is positioned to absorb the remnants of ISIS, benefit from ISIS’s global mobilization, and sustain its own momentum within Sunni communities to strengthen the Salafi-jihadi movement.”
Al Qaeda does have sleeper cells within the U.S. who are responsible for planning and launching attacks. But there are also “lone wolf” supporters of Al Qaeda, in addition to ISIS proponents, in the U.S. who are preparing to launch attacks on their own.
There has also been increasing collaboration among various terror groups in the Maghreb, particularly in Libya. They have been exchanging ideas on training, military tactics, PR, recruitment and financing.
“Libya is a key node for the global Salafi-jihadi movement. The Libyan base provides the global movement with a destination for jihad, a transit and training zone, and a key node for global foreign fighter flows. It is already an important enabler for the global Salafi-jihadi threat against the United States, Europe, and American interests.
Al Qaeda and ISIS are consolidating a safe haven in Libya from which they will directly threaten the West over the long term.”
Add to that the fact that al Qaeda in the Maghreb (AQIM) has managed to turn a profit of around $100 million through ransom, drug trading, taxing locals and donations from around the world, according to a study by the Foundation for Defense of Democracies.
The global Salafi-jihadi movement was and remains more than just al Qaeda—or ISIS, however. The American Enterprise Institute cautions that, “the need is urgent. Al Qaeda, the Islamic State, and the global Salafi-jihadi movement together are stronger today than they have ever been.”
Holiday season threats have been issued primarily against Europe, but also against New York City:
The Hill reports: “An ominous poster of Santa Claus standing next to a box of dynamite in Times Square appeared in a pro-ISIS forum earlier this week with the headline ‘we meet at Christmas in New York soon.’ A picture of a masked jihadi, with a rifle in the front seat of a car driving toward the Vatican marked with the banner ‘Christmas Blood so wait’ appeared a few days before that.”
A new series of threatening images posted on social media and messaging apps, with ISIS imagery, is being shared. These graphics call for terror attacks on New York City, Paris and London.
Other posters include images of London’s Regent Street and the Eiffel Tower in Paris, with images of jihadists and blood superimposed on them. A chilling message in English, German and French is included: ‘Soon on your holidays.’
According to Metro.co.uk, “a propaganda poster emerged showing a terrorist in the Vatican with a rocket launcher. The message warned that ‘the crusaders feast is approaching’, suggesting they are planning to attack the Catholic church’s holy city. Another was shared online showing a masked figure driving towards St Peter’s Basilica with a gun and a backpack inside his car, with the message ‘Christmas blood’ written in red underneath.”
Potential Terror Threats to the U.S. in 2018
Hezbollah – “While I’m not here today to speak publicly about any specific, or credible, or imminent threat to the homeland, we in the intelligence community do in fact see continued activity on behalf of Hezbollah here inside the homeland,” National Counterterrorism Center Director Nicholas Rasmussen said. Rasmussen went on to say that it is the center’s, “assessment that Hezbollah is determined to give itself a potential homeland option as a critical component of its terrorism playbook.” He pointed out the recent arrests of alleged Hezbollah operatives in Michigan and New York.
The two alleged operatives that were arrested are Ali Kourani and Samer el Debek. Charged with providing material support to Hezbollah’s Islamic Jihad Organization, Kourani described his role as a “sleeper.” And, according to the complaint, El Debek was trained in making landmines and other explosives.
Dirty Bombs – Terrorists could use drones to drop dirty bombs or poison on U.S. cities. Security officials have said that it may just be a matter of time before such schemes come to fruition in America. In August, Australian federal police disrupted an ISIS plot to construct an “improvised chemical dispersion device,” which the plotters planned to deploy in urban areas. Hydrogen sulfide, a poisonous gas, would have been spread over the urban areas had the plot not been foiled.
Possible Backlash – Some Muslim leaders have said they view the plan to move the U.S. Embassy from Tel Aviv to Jerusalem as “a declaration of war.”
Also, Jihadists across the ideological spectrum have beseeched Muslims to take physical action instead of merely protesting the planned move of the U.S. Embassy to Jerusalem.
For its part, al-Qaeda has urged followers all around the world to target U.S. interests, its allies and Israel in response to the U.S. Embassy plan. “A statement posted Friday on al-Qaeda’s media arm as-Sahab, in both Arabic and English, urged holy war or jihad and described America as a modern-era ‘pharaoh’ oppressing Muslims. Branches of the global terror network, including the North Africa branch known as Al-Qaeda in the Islamic Maghreb and also al-Qaeda in the Arabian Peninsula, issued similar statements.”
Then too, Sheikh Hamza bin Laden, son of Osama bin Laden, has called for the group’s supporters to “embrace the kinds of ‘lone wolf attacks’ used by Islamic State, its bitter rival, in which jihadists execute terror operations acting largely on their own and without direction.”
Attacks on the US Government & Critical Infrastructure – Some experts anticipate that in 2018 a major attack on U.S. critical infrastructure will occur. “Additionally, tension between the U.S. and other countries could escalate to online cyberattacks. In October, the FBI and DHS warned of advanced persistent threat activity targeting energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks – making them an easy target for politically-motivated attackers,” said Adi Dar, CEO, Cyberbit.
On social media and encrypted messenger apps, training materials are being produced and shared at an alarming rate and volume. This includes an astonishing assortment of bomb-making instructions and recipes for a whole host of gases and volatile compounds.
Of late, in these online forums, a lot of emphasis is placed on bioterrorism, with detailed training materials being provided on how to execute attacks on “kuffars” using substances such as anthrax, ricin and botulism.
Regarding bioterrorism, former White House biodefense aide Robert Kadlec said that, “the trends indicate more terrorist groups are interested in conducting such attacks.”
In 2016, ISIS operatives planned to contaminate water sources in Turkey with bacteria causing tularemia, which is a potentially fatal human illness. In another ISIS-linked ploy, an anthrax attack in Kenya was thwarted by the police. And, in yet another instance in Nigeria, the army intercepted poisoned fish believed to have been brought into the country by Boko Haram operatives.
Both al Qaeda and ISIS have threatened public transportation in the U.S., but online, al Qaeda has been heavily promoting its train derailment tool, providing detailed instructions on how to use it and the best routes across the country to use it on.
On the Telegram app, there are channels in which collaboration among the supporters of ISIS, al Qaeda and other Salafist terrorist groups, such as Ansar al Sharia, is taking place. Shared on these channels is a seemingly endless array of tools for lone wolves, including remote control detonators, a device that explodes when one opens a door, car bombs, hidden bombs and much more. Very detailed instructions are given for all of these explosive devices. The channels generally have hundreds of participants and the channels get reported and shut down frequently, but are back up again shortly afterwards. Channel administrators simply continue distributing materials to those who desire to be a well-equipped, adequately trained lone wolf.
The massive cache of Islamic State propaganda videos found on the cellphone of Sayfullo Saipov, the man accused of using a truck to mow down pedestrians and cyclists recently in New York City, provided a glimpse of the vast amount of jihadist content on the internet.
Among the 90 videos and 3,800 images found were depictions of beheadings and bomb-making instructions.
The amount of jihadist content on the internet is staggering. The efforts of law enforcement, intelligence agents and private intel agencies around the world are not sufficient to thwart every planned attack, though many have been thwarted.
One way individuals can help is by always being aware of their surroundings. People should report any suspicious behavior potentially related to terrorism to law enforcement.
And, since many terror attacks are closely linked to online activity such as planning attacks, garnering materials and instructions on how to carry out attacks, warnings about attacks and gloating immediately following an attack, be sure to also report suspicious behavior you see online.
Did Major Cyberattacks of 2017 Impact Security Budgets?
12.12.2017 securityweek Cyber
The Effect of WannaCry and NotPetya Outbreaks on Corporate Security Budgets is...Complicated
Despite common perception, the WannaCry and NotPetya outbreaks of 2017 have not -- at least, not yet -- had any marked effect on security budgets.
AlienVault surveyed 233 IT professionals globally to see how roles have changed following the high profile attacks of 2017 that many commentators assumed would act as a wake-up call for senior management. The results disprove this. Just 14% of the respondents have had their budgets for cyber security increased, and only a fifth (20%) have been able to implement changes or projects that were previously put on hold.
"WannaCry and NotPetya are generally believed to have marked a turning point in cyber awareness, but the reality on the ground paints a different picture," comments AlienVault security advocate, Javvad Malik.
The questions posed by AlienVault can loosely be described as three categories: did you get more quantifiable support from senior management; have attitudes towards security changed since the outbreaks; and how has your company reacted to the outbreaks? For the first, 70% of the respondents replied that the outbreaks have made no difference financially to their role; that is, WannaCry and NotPetya have not resulted in the expected security budget increase.
Similarly, there has been little change in attitude towards the security function, either internally to the organization, or externally in the wider marketplace. For example, less than 10% of boards have shown any greater interest in the security role, while more than 60% of respondents replied that the outbreaks have made no difference to the way they are viewed within their organizations. And while 7% of respondents have noticed an increase in new job offers since the outbreaks, 90% say they have made no difference.
Of the questions posed in this survey, two, however, show the practical effect of WannaCry and NotPetya on patching and posture. Two-thirds of the respondents say they are now more up-to-date with patching than they were before the outbreaks, while just one-third say it has made no difference. Further, 58% of respondents carried out a review of their organizations' security posture following the outbreaks (41% did not).
What isn't clear, however, is whether these actions were the result of board pressure or support, or simply the respondents taking their own action from within their existing budgets. The latter is implied by the apparent lack of reaction by boards shown in the other questions -- and this is further supported by a recent PwC survey.
PwC's annual Global State of Information Security Surveys question around 10,000 security professionals in more than 100 different countries. The 2017 survey found that UK security budgets (where firms and especially the NHS were badly hit by WannaCry) stood at around £6.2 million (double the previous year's £3 million average). The latest 2018 survey, announced after the WannaCry and NotPetya outbreaks in October 2017, shows the UK slashing average budgets back down to £3.9 million.
Surprisingly, however, both of these surveys seem to be in contrast to Gartner published only last week. Gartner's Ruggero Contu commented, "Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide. Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years."
Noticeably, Gartner increased its global security spend prediction for 2018 by $3 billion over an earlier prediction in August 2017; apparently on the expected effect of WannaCry, NotPetya and the Equifax breach.
Three major firms have now commented on security budgets in the last two months; all of them after the WannaCry and NotPetya outbreaks (with two of them specifically referencing those outbreaks). One (Gartner) says that budgets will increase because of the outbreaks; another (AlienVault) implies 'no change' despite the outbreaks; while the third (PwC) indicates slashed budgets in a country that was severely hit by WannaCry.
This discrepancy highlights the problem with all surveys and predictions. Each one is accurate, but only within the context of its delivery. Gartner based its forecast on the results of a 2016 survey where the highest percentage of respondents said that a security breach is the main security risk influencing their security spending. On this basis, security spend will undoubtedly increase.
The PwC figures covering the UK show a decrease in budget, but only after the previous year's rather dramatic increase; which, according to PwC, took the UK to "over one and a half times more than their global counterparts."
The AlienVault survey questioned a relatively low number of "233 IT professionals." We don't know where they are located, what size company they work for, nor their specific cybersecurity role. AlienVault decided to press-headline the survey results with "Cyber Threats Are Still Being Brushed Aside, Even After WannaCry and NotPetya". (The associated blog title is less dramatic: "The Impact of NotPetya and WannaCry".)
When challenged by SecurityWeek, Malik suggested that the AlienVault and Gartner results may not be so very different. Despite the headline, he told SecurityWeek, "Our results are not based on our opinion, but are the aggregated results of a survey from the Spiceworks community -- which may or may not be representative of the wider market. So, while only 14% have claimed that their budgets for cybersecurity have increased, the broader survey does show that over half of organizations carried out a review of their cyber security posture, two thirds are more up-to-date with patching, and half are using threat intelligence more."
One thing is clear from these differences: if you want to get an accurate picture of what is really going on, you need to look beyond the individual headlines.
Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
6.12.2017 securityweek Cyber
Industrial companies are slow to adopt cyber security capabilities and technology to protect their data and operations, according to a report released on Wednesday by industrial giant Honeywell.
A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.
However, the study found that organizations underinvest in cybersecurity best practices in terms of people, processes and technology – three elements that need to work in harmony for an organizational culture that takes security seriously, Honeywell said.
Forty percent of respondents said they do have a cybersecurity chief in their organization and 15 percent plan on creating the role in the future. When it comes to having someone in charge of cybersecurity for manufacturing, only 35 percent of firms surveyed by Honeywell said they have someone in this role.
As for cybersecurity processes, nearly half of organizations have an enterprise- and plant-wide IT account management policy, and 22 percent plan on implementing one within the next year. A similar percentage also has or plans on having a definitive list of connections to the plant and what data flows through them.
Only one-third of respondents said they continually monitor their systems for suspicious activity and one quarter claim they plan on implementing such measures within a year. On the other hand, roughly 70 percent of organizations conduct risk assessments at least once a year, and more than 60 percent test their firewalls at least yearly.
When it comes to adoption of cybersecurity technologies, the Honeywell study shows that many organizations still have a long way to go. A majority of companies have only a firewall between plant and business systems, and less than one-third have implemented proper access control and authentication measures for devices in the plant.
While the industrial sector is typically slower to adopt new technologies compared to other sectors, many organizations either already have an initiative for digital transformation or they plan on having one within a year. As companies move towards the adoption of the Industrial Internet of Things (IIoT), the main technology pitfall is cyber security, Honeywell said.
The company has advised organizations to ensure that cybersecurity is on the CEO’s agenda. Security needs to be part of the digital transformation strategy, and organizations must focus on adopting best practices.
Honeywell’s complete report, titled “Putting Industrial Cyber Security at the Top of the CEO Agenda,” is available for download in PDF format.
Anonymous Launches Brazilian Corrupt Public Sector Entities Data Leak
3.12.2017 securityaffairs Cyber
In an astonishing move, Anonymous has leaked infrastructure topology data of public sector entities to the people of Brazil in the midst of the Lava Jato scandal.
The compromised data includes IP addresses from the public sector, ranging from law enforcement agencies to local municipalities. The leak comes at a moment when a strong fight against corruption is taking place.
The data leak reflects a lack of maturity in adopting a framework, such as NIST’s, for maintaining the confidentiality of information in the country’s information technology marketplace today.
Nowadays it may seem quite usual to see such events take place in the evolving and changing landscape of digital threats, but this one was to be expected, as hackers usually come up with new attacks as the year approaches its end.
The data reveals in great detail how the network topology of critical services infrastructure is structured, including routers, firewalls and other exposed services.
It is important to note that all IP ranges of the São Paulo military and civil police were leaked, including servers related to public identification and public safety. The compromised data also describes the police servers in full, exposing not only the identity of every police officer but also the entire public security office.
As presented in the accompanying message, the hackers’ intent was to join the fight against corruption in Brazil, which has now taken new ground: the fifth domain. The cyber domain has reached public opinion, where the scrutiny of a society demanding justice can be brought to bear at the click of a mouse. These corrupt law enforcement agencies are globally known to be involved in extortion, drug trafficking, murder, oppression, violation of United Nations human rights and violence against minorities such as black people and homosexuals alike.
The fight against corruption and the abuse of power and authority can open a new front line for the Lava Jato operation, including against the police of the state of São Paulo, where the population lives as hostages to a public service colluding with organized crime. As shown in media outlets this week, a strong stance must be taken to meet the public’s demands for justice and morality in the use of the taxes paid by every citizen.
This single event brings forth an important question: the importance of developing and implementing a security framework such as NIST’s to address cyber security for ICS/SCADA industrial control systems. It is important to note that the framework is structured in such a way that it can be adapted to the existing model in use. Critical infrastructure, in the face of today’s information security challenges, must address threats from rogue nations such as North Korea and China.
The data leak is available at the following URL
AWS Launches New Cybersecurity Services
30.11.2017 securityweek Cyber
Amazon Web Services (AWS) announced this week at its AWS re:Invent conference the launch of several new cybersecurity services, including for threat detection, IoT security, and secure communications for Virtual Private Cloud.
One of the new products is Amazon GuardDuty, an intelligent threat detection service that helps customers protect their AWS accounts and workloads by continuously looking for unauthorized and malicious activity.
Amazon GuardDuty, which can be enabled from the AWS Management Console, creates a baseline for normal account activity, and uses machine learning to identify any irregular behavior. If suspicious activity is detected, the AWS account owner is immediately notified.
The new service obtains threat intelligence from both AWS itself and third-party sources such as CrowdStrike and Proofpoint, it does not require any new hardware or software, and it can be integrated with products from Alert Logic, Evident.io, Palo Alto Networks, RedLock, Rapid7, Sumo Logic, Splunk and Trend Micro.
The list of organizations already using GuardDuty includes Autodesk, Netflix, Mapbox, GE, and the Financial Industry Regulatory Authority (FINRA).
Another new product launched this week is AWS PrivateLink, a managed service that allows developers to securely access third-party SaaS applications from their Virtual Private Cloud (VPC).
A majority of Amazon EC2 cloud instances run in VPCs these days, but using third-party SaaS applications can introduce security risks. With AWS PrivateLink, AWS allows users to initiate connections to third parties without exposing their VPC to the Internet, or connect their internal services across different VPCs and accounts.
The list of SaaS applications that support AWS PrivateLink can be found on the AWS Marketplace. Companies such as CA Technologies, Aqua Security, Dynatrace, Cisco and SigOpt have announced that they support PrivateLink.
AWS also announced the launch of several new services designed for managing, protecting and monitoring Internet of Things (IoT) devices. These are AWS IoT 1-Click, IoT Device Management, IoT Device Defender, IoT Analytics, Amazon FreeRTOS, and Greengrass ML Inference.
Three of the new IoT services help improve security. AWS IoT Device Management, which is available immediately, allows organizations to securely onboard, manage and monitor IoT devices, including to apply patches and software updates.
AWS IoT Device Defender, expected to become available in the first half of 2018, monitors devices for any suspicious activity, such as traffic going to an unknown IP, and ensures that IoT systems are compliant with security policies.
Amazon FreeRTOS allows users to securely connect small, low-power devices that use the FreeRTOS operating system (e.g. light bulbs, motion sensors) to AWS cloud services. The list of microcontroller manufacturers that support Amazon FreeRTOS includes Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, Arm, IAR, Percepio, and WITTENSTEIN.