2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
The Week that Was.
December 8, 2018.
By the CyberWire staff
Huawei: security concerns and an arrest.
Canadian authorities arrested Huawei’s CFO, Meng Wanzhou, in Vancouver at the request of the US Justice Department, which suspects that Ms. Meng violated international sanctions on Iran. Reuters reported on Thursday that the investigation includes accusations of bank fraud. Prime Minister Justin Trudeau said the arrest was purely judicial and there was no political involvement in the decision (BBC). Canadian prosecutors argued she should be denied bail because she's a wealthy flight risk (Wall Street Journal). Ms. Meng is the daughter of the Huawei's founder, Ren Zhengfei, and is the company's highest profile executive (Wall Street Journal). Scott Jones, director of the Canadian Centre for Cyber Security, said the country is prepared in case of any Chinese retaliation against Canada (Global News).
Western intelligence services have frequently raised concerns that Huawei’s tech could be compromised by the Chinese government, and the United States, Australia, and New Zealand have effectively barred the company’s equipment from upcoming 5G networks. Japan also plans to ban government use of Huawei and ZTE products, and Canada is conducting a security review of the company’s technology (Reuters). The UK's National Cyber Security Centre has "technical concerns" regarding the company (The Telegraph).
In a rare public speech Monday, MI6 chief Alex Younger issued strong warnings regarding the risk Huawei's kit poses, saying its 5G technology will be more difficult to monitor (Financial Times). Rapidly evolving technology poses a "potentially existential threat" to democracies, he said, and the UK needs to take control of this urgent matter. "We and our allies face a battle to make sure technology works to our advantage, not to that of our opponents," said Younger. "There will be a dividing line between those intelligence services that grasp this, as the UK agencies have, and those services that don't" (Business Insider).
How to Budget for Insider Threat Management, Proactively
According to a Ponemon Institute study, 34% of cybersecurity professionals said a lack of budget was a major barrier to effective insider threat management. So, how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives you the in-depth information you need to ask for a dedicated insider threat line item in your cybersecurity budget. Download The Guide to Budgeting for Insider Threat Management today.
Facebook and Parliament's fake news inquiry.
A UK parliamentary committee released a trove of confidential correspondence between Facebook CEO Mark Zuckerberg and his staff. MP Damian Collins, the head of the Parliament’s Digital, Culture, Media and Sport Committee, summarized six key issues revealed in the files (BBC).
First, Facebook whitelisted several companies which were allowed to retain full access to the data of users’ friends, even after Facebook restricted that data from most developers in 2014. Second, these data on users’ friends was a clear financial driver behind Facebook’s Platform 3.0 upgrade. Third, data reciprocity between Facebook and app developers was a key objective in Platform 3.0. Fourth, Facebook intentionally made it extremely difficult for users to find out that its Android permissions changes in 2015 allowed the Facebook app to collect a record of users’ phone calls and texts. This data collection behavior was reported by Ars Technica in March, 2018. Fifth, Facebook used the VPN app Onavo to gather information on users’ app usage. According to Collins, this was apparently done without users’ knowledge. In August Facebook voluntarily removed Onavo from the App Store at the request of Apple, which claimed that the app violated its data collection policies (ZDNet). Sixth, Facebook cut off access to its data from app developers that it viewed as potential rivals, with Mr. Zuckerberg himself authorizing his staff to shut down access for Twitter’s video platform Vine.
Mr. Zuckerberg responded to the revelations in a Facebook post on Wednesday, in which he insists that Facebook never sold anyone's data. "I understand there is a lot of scrutiny on how we run our systems," he writes. "That's healthy given the vast number of people who use our services around the world, and it is right that we are constantly asked to explain what we do. But it's also important that the coverage of what we do—including the explanation of these internal documents—doesn't misrepresent our actions or motives. This was an important change to protect our community, and it achieved its goal."
What are the four types of threat detection in industrial security?
There is a considerable amount of market confusion around the types of threat detection, how they are derived, and the uses for each. Sergio Caltagirone and Robert M. Lee of Dragos, Inc., will address those challenges and offer sample use-cases focused on industrial control system (ICS) and industrial internet of things (IIoT) environments, so you can learn more about identifying the best threat detection method for your ICS organization. Register for the webinar.
Cyber operations in Russia's hybrid war against Ukraine.
An Adobe Flash zero-day was used in a campaign targeting a Russian healthcare clinic. The exploit was being distributed in a Microsoft Word document that had the appearance of a job application for the Russian hospital (Naked Security). The files were discovered separately by Gigamon and Chinese security company Quihoo 360. The former found that two of the malicious documents, nearly identical to each other, were uploaded to VirusTotal within a short time period from the same Ukrainian submission ID. It’s unclear if the files were uploaded to VirusTotal by one of the malware’s victims or by its developer (ZDNet). However, Qihoo 360 and other observers believe the documents are connected to the Ukraine-Russia conflict, since the files were uploaded shortly after the Kerch Strait incident.
The Security Service of Ukraine stated on Tuesday that it had thwarted a major cyberattack led by Russian special services (Kyiv Post). The attackers used phishing emails with malicious documents to target Ukraine's judicial information system (ComputerWeekly).
1 million credentials fall into criminal hands every single day.
That's just one of the findings from the 2018 Credential Spill Report, which analyzed all of the usernames and passwords that were reported as compromised last year. The report also studied credential stuffing attack data across four major industries, finance, airlines, retail, and hotels, finding that retailers were by far the most targeted for account takeover. Read the report to learn about new ways attackers disguise credential stuffing and the total cost of attacks.
Australia has passed legislation allowing law enforcement to force companies to give them access to encrypted communications and data without the user’s knowledge. The Assistance and Access Bill, which was drafted in August and introduced into Parliament in September, was passed on Thursday after the Labor Party dropped its opposition. The party had originally proposed 173 amendments to the bill, but agreed to debate them next year (BBC).
The bill permits Australian federal, state, or territory law enforcement and anti-corruption entities to issue three types of notices to companies. The first, a Technical Assistance Notice, compels companies to use data interception capabilities to assist law enforcement. The second, a Technical Capability Notice, would force a company to create interception capabilities to comply with Technical Assistance Notices. The third type of notice is the Technical Assistance Request, which—though not compulsory—is vague and requires little oversight (ZDNet). The legislation allows fines to be imposed on those who fail to comply with the first two types of notices—up to A$10 million for companies and up to A$50,000 for individuals (Ars Technica).
Outside the Australian government, the bill apparently has very little support. The law has been criticized by numerous tech firms and digital rights organizations, including Apple, Cisco, Mozilla, Google, and Facebook. Apple previously called the bill “dangerously ambiguous” (TechCrunch).
Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace.
CyberWire-X is a new series of multi-part specials we’ve launched to share deeper discussions of important, complex security topics affecting individuals and organizations every day, and all over the world. Our second episode takes a look at the impact GDPR has had since its implementation in May 2018. We hear from our Sponsor Gemalto as well.
Cyber deterrence and a longing for marque and reprisal?
Hacking back is a tempting response to a cyberattack, and companies often believe they would benefit from retaliation, either through achieving attribution or by creating deterrence. As a result, private corporations are increasingly calling for hackbacks to be legalized. In many cases, however, the counterattacking organization could find itself in a worse position than it was in after being attacked the first time. Jan Kallberg at Fifth Domain lays out five reasons why hacking back is generally a bad idea for companies.
First, the belief that a counterattack will end the exchange is flawed. The initial attacker likely has the ability to launch a second, more damaging attack in response to the counterattack. The fight is also asymmetrical. The retaliating organization often has sparse information on the attacker, and may find itself punching above its weight. If, for example, the attacker turns out to be a nation-state actor, most companies will wish they'd instead turned the case over to a competent government agency. Furthermore, multi-national companies who practice hacking back risk affecting the status of their assets in other countries. Finally, increasing the volume of cyberattacks in the wild brings with it the inevitability of collateral damage, especially if under-trained employees are doing the retaliatory hacking. Kallberg concludes that retaliation to illegal hacking, especially hacking by nation-states, is better left in the government domain.
The US Government, meanwhile, may be giving us an opportunity to see if an aggressive approach to cyber defense is effective at the nation-state level. The Trump administration has adopted a policy of "defending forward" and "persistent engagement" for its cyber operations. So far, however, its effectiveness is difficult to gauge. According to Jason Healey, a former Bush administration White House official, the nature of deterrence makes it impossible in most cases to make a concrete judgement on whether or not it's worked (Fifth Domain).
Security researchers discovered and patched a critical privilege escalation flaw in Kubernetes. All Kubernetes-based products were affected by this vulnerability and should be upgraded to the latest versions as soon as possible (Infosecurity).
Adobe has released a patch for two vulnerabilities in Flash Player, including a zero-day observed last week by researchers at Gigamon Applied Threat Research and Qihoo 360 Core Security (Help Net Security).
Zoom has patched a bug that could have allowed attackers to take over computers by hijacking video conferences (Naked Security).
Crime and punishment.
A Federal grand jury in Atlanta has indicted two Iranian nationals for the SamSam ransomware attack that hit Atlanta in March, 2018 (Ars Technica). The two men were previously charged for SamSam attacks that targeted the Port of San Diego, the City of Newark, the Colorado Department of Transportation, and the University of Calgary in Canada (SecurityWeek).
Max Ray Vision, a hacker serving a thirteen-year prison sentence for wire fraud involving the theft of nearly two million credit card numbers that yielded $86 million in fraudulent purchases, is facing new charges for allegedly orchestrating the aerial delivery of cell phones, drugs, and tobacco into the prison using a drone (Naked Security).
Courts and torts.
Oath, the Verizon-owned umbrella company of AOL and Yahoo!, has agreed to pay about $5 million to settle charges that its online advertising practices violated the Children’s Online Privacy Protection Act of 1998 (COPPA). According to the New York Times, AOL used children’s personal data, such as cookies and geolocation, to place targeted ads on hundreds of websites aimed at children. The settlement is the highest penalty a company has ever paid for violating COPPA (TechCrunch).
Marriott is facing its first lawsuits over the massive data breach that affected nearly 500 million customers. Baltimore-based law firm Murphy, Falcon & Murphy, with their co-counsel Morgan & Morgan, filed a class-action lawsuit against Marriott International last Friday seeking an undisclosed sum. Two Oregonians also filed a suit on the same day, seeking $12.5 billion in damages (International Business Times). Additionally, New York’s attorney general has launched an investigation into the Marriott data breach, accusing Marriott of violating New York law by failing to notify the attorney general’s office immediately after discovering the breach (The Hill).
Google CEO Sundar Pichai’s appearance before Congress has been rescheduled for Tuesday, December 11th, after his original hearing was postponed last week due to funeral events for former President George H.W. Bush (Washington Post).
Policies, procurements, and agency equities.
The European Union on Wednesday presented its Action Plan to tackle disinformation ahead of the 2019 European elections. The plan focuses on four key areas. First, improving detection of disinformation by more than doubling the budget of the Strategic Communication Task Forces and the EU Hybrid Fusion Cell in the European External Action Service. Second, setting up a Rapid Alert System to share knowledge of disinformation campaigns and threats between EU member states. Third, taking action to thwart the efforts of online bots and fake accounts, as well as making political advertising transparent. Fourth, raising media literacy and awareness among EU citizens (TechCrunch).
The Defense Information Systems Agency has extended the deadline for vendors to submit proposals on how to use cloud technology to quarantine the Defense Department’s networks from the public internet. The deadline is now December 14th (Nextgov).
Fortunes of commerce.
Symantec’s president and Chief Operating Officer Michael Fey resigned last week, along with the company’s Chief Marketing Officer Michael Williams and the senior vice president of its Go-to-Market teams Bradon Rogers. The company's CEO, Greg Clark, will take over the role of president (Bloomberg).
British telecommunications company BT will bar Huawei from core 5G contracts and is removing Huawei equipment from the core 4G network of BT’s mobile subsidiary, EE (Computing). BT stressed, however, that this move has been expected since BT acquired EE in 2016, and will bring the company into accordance with network architecture principles laid out in 2006 (Register). BT will continue to use some Huawei equipment on the edge of its networks. Huawei's UK revenues and profits have fallen over the past year as the company faces security criticisms from Western intelligence agencies due to its links to the Chinese government (The Telegraph). Australia, New Zealand, and the US have already barred the use of Huawei's equipment.
Eight members of congress have sent another letter to Jeff Bezos requesting further information on Rekognition, Amazon’s facial recognition program, claiming that Amazon provided insufficient answers to earlier inquiries. The letter questions Amazon’s privacy protection and data retention policies, as well as the accuracy of the program’s recognition capabilities (Ars Technica).
Canadian companies will be in need of over 8,000 cybersecurity employees over the course of the next two years, according to a study by Deloitte. Ottowa's new cybersecurity center alone will need more than 140 cybersecurity analysts (Global News).
Mergers and acquisitions.
US-based insurance and investment company The Hartford purchased Y-Risk, a managing general underwriter that offers cyber insurance, among other lines of insurance. Y-Risk will keep its entire staff and will remain at its location in Unionville, Connecticut (Intelligent Insurer).
Six security companies from New Zealand and Australia have come together to form a new company called Optic Security Group. The six companies have combined revenues of over A$100 million (ChannelLife Australia).
The Department of Homeland Security’s Science and Technology Directorate announced an initiative to research ways in which blockchain and other distributed ledger technologies can be used to prevent forgery and counterfeiting (Nextgov).
DHS also wants to create a large social network that can be used by thousands of small and medium-sized businesses to share important information on cyberattacks. The agency hopes that peer-to-peer sharing of experiences and insights will help these organizations collectively tackle the challenge of cybersecurity “knowledge management” (Fifth Domain).
Today's issue includes events affecting Australia, Canada, China, European Union, Japan, New Zealand, Russia, Ukraine, United Kingdom, United States.
ON THE PODCAST
This week's Research Saturday is up. In this edition, "Operation Red Signature targets South Korean supply chain," we hear how researchers at Trend Micro uncovered a supply chain attack targeting organizations in South Korea. With the goal of information theft, attackers compromised the update server of a third party support provider, resulting in the installation of a RAT, or remote access trojan. Rik Ferguson is Vice President of Security Research at Trend Micro, and he guides us through their discoveries.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.