The week that was.
Shamoon spreads out.
More details have emerged about the recent Shamoon 3 attacks. McAfee observed the malware targeting organizations in the oil, gas, energy, telecom, and government sectors across the Middle East and Southern Europe. Symantec revealed that a Saudi organization affected by the malware was also targeted by APT33, a threat group linked to Iran. That organization was also hit by a separate strain of malware known as Stonedrill, which has been tied to Shamoon (SecurityWeek). Symantec also notes that this version of Shamoon comes with a new component called Fileraser, which—as its name suggests—erases files on an infected system before Shamoon wipes the master boot record (Dark Reading).
Fluent in American Troll: two reports on Russian influence operations.
The Senate intelligence committee released two new reports showing that Russian influence operations are still active. The first report, compiled by brand-protection firm New Knowledge, focused on "a multi-year coordinated disinformation effort" by St. Petersburg's Internet Research Agency (IRA) on Facebook, Instagram, Twitter, and Google. The IRA was apparently very good at its job, and the researchers say its workers were "fluent in American trolling culture." The general goal of the operation was to spread doubt and confusion, which researchers believe was achieved with "skill and precision" (CNBC).
One significant finding was the extent of the activity that took place on Instagram. There were 187 million user interactions on the Facebook-owned social network, as opposed to 77 million on Facebook itself (New York Daily News). The IRA shifted its primary area of interest to Instagram in 2017 after Facebook activity drew too much media coverage.
New Knowledge also criticized Facebook, Twitter, and Alphabet for failing to provide complete sets of data to the Senate Select Committee on Intelligence. The data turned over lacked key components necessary to measure the operations' impact. One of these platforms said that "no specific groups were targeted," while another claimed it didn't know whether or not the IRA discouraged targeted users from voting. Both statements turned out to be misleading or untrue. The report states that "it is unclear whether these answers were the result of faulty or lacking analysis, or a more deliberate evasion."
The second report was compiled by the Computational Propaganda Research Project, a joint effort by Oxford researchers and social media research company Graphika. This report reached many of the same conclusions New Knowledge did. It found that the IRA's campaign targeting the US began in 2012. They started using Twitter in 2013 and quickly spread to other platforms. The report states that organic posts by the trolls were far more effective than advertisements, and that organic posting skyrocketed between 2015 and 2017. Another finding was that the IRA encouraged "African American voters to boycott elections or follow the wrong voting procedures in 2016" (PBS).
The Wall Street Journal found that an arm of the IRA had posed as a digital marketing startup called Your Digital Face to gain information on US businesses and take over their social media accounts. In addition to the US, the supposed startup also operated in Russia, Iran, China, Vietnam, Cuba, and the United Arab Emirates (MarketWatch).
What Ivan would do? Don't do it.
After the reports on Russian trolling were released, New Knowledge CEO Jonathon Morgan queasily admitted that he imitated, on a small scale, IRA influence tactics by using an inauthentic social media account and a small amount of purchased engagement to see if he could produce a discernible effect in an Alabama Senatorial contest (New York Times). It was an experiment, too small to have much effect, but Alabama's not amused (Washington Post).
Hacking diplomatic cables.
Hackers intercepted more than a thousand diplomatic messages from the European Union over three years (New York Times). Researchers at Area 1 discovered the documents while investigating a phishing campaign against the government of Cyprus. After successfully phishing Cypriot diplomats, the hackers apparently discovered passwords on Cyprus' systems that gave them access to the European Union's COREU correspondence system. Area 1's co-founder and CEO Oren Falkowitz said “people talk about sophisticated hackers, but there was nothing really sophisticated about this.”
The hackers also infiltrated the networks of the United Nations, the American Federation of Labor and Congress of Industrial Organizations (AFL-CIO), and numerous ministries of foreign affairs and finance around the world. The AFL-CIO hack targeted material related to Trans-Pacific Partnership negotiations, while the UN material focused on private meetings of the Secretary General with Asian diplomats and leaders.
Area 1 thinks the tradecraft points to Chinese intelligence services. The New York Times quoted Area 1's co-founder Blake Darché as saying, "After over a decade of experience countering Chinese cyber operations and extensive technical analysis, there is no doubt that this campaign is connected to the Chinese government." Others in the field are more tentative about this attribution, since Area 1 offered no more than circumstantial evidence (Computer Business Review).
While the fact that the systems were hacked is significant, most of the cables' content is fairly mundane (Register). Diplomats (as one would expect) discussed Afghanistan's instability, the unpredictability of the US Administration, and concerns about Iran and North Korea (Guardian). The Times notes that the leaked documents are low-level classified; the more sensitive communications were stored and sent using a separate platform.
Facebook data-sharing troubles.
Facebook allowed certain major tech companies to retain a much deeper level of access to users' data than it publicly claimed, according to internal Facebook documents obtained by The New York Times. The report states that Facebook allowed Netflix and Spotify to read Facebook users' private messages, and Microsoft's Bing search engine was given access to all Facebook users' friends lists.
The facts of the matter appear to be far more innocuous than the headlines suggest (Ars Technica). Facebook explained in a blog post on Wednesday that Netflix, Spotify, Dropbox, and the Royal Bank of Canada had read, write, and delete access to users' messages to allow those apps to build messaging integrations with Facebook. For example, users could recommend movies or songs to their Facebook friends by sending a message through Netflix or Spotify. Facebook stresses that no third party was reading or writing private messages. "Many news stories imply we were shipping over private messages to partners, which is not correct," the blog post says. It does admit, however, that the Instant Personalization APIs shouldn't have been left in place after the service was shut down in 2014.
Despite Facebook's insistence that none of this activity constitutes a scandal, the general impression of bad news surrounding the company is taking a toll. Facebook's stock price fell by 7.3 percent on Wednesday in its second steepest drop of the year (CNBC).
In a separate case, the Irish Data Protection Commission (DPC) has launched another probe into Facebook after the company admitted that a flaw in its Photo API potentially exposed the unposted photos of 6.8 million users. Ireland's DPC has jurisdiction over Facebook in Europe because the company's international headquarters are located in Dublin (SecurityWeek).
US indicts Chinese hackers amid international denunciation of Beijing's industrial espionage.
Deputy Attorney General Rod Rosenstein and FBI Director Christopher Wray on Thursday unsealed an indictment of two Chinese hackers, Zhu Hua and Zhang Shilong, whom it connected with a wide-ranging campaign to steal intellectual property from at least twelve countries. The men are also accused of stealing the Social Security numbers of more than 100,000 members of the US Navy. The indictment says that the two men are members of APT10, a threat actor that has been linked to China’s Ministry of State Security (TechCrunch). Their targets included more than 245 organizations in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States. Rosenstein says the activity laid out in the indictment was a direct violation of the 2015 economic espionage act between China and the US (Ars Technica).
Reuters reports that IBM and HPE were two of the managed service providers that were hacked by China's Ministry of State Security. The hackers used the access to steal secrets from clients of IBM and HPE.
Germany's Office for Information Security (BSI) warned a number of German firms that they were possible victims of Chinese hacking attacks. The BSI was tipped off to the attacks by US authorities, according to Germany's Süddeutsche Zeitung daily newspaper. The targets included construction and materials research firms, as well as engineering companies (Reuters). The US is expected to charge the Chinese hackers with involvement in the Cloudhopper espionage operation (Deutsche Welle).
WordPress 5.0.1 patches seven security flaws, one of which was presented by Secarma researcher Sam Thomas at Black Hat in August. This flaw could allow someone to inject malicious objects using the PHP unserialization function. Another bug sometimes caused the user activation screen to be indexed unusually by search engines, in rare cases exposing emails and passwords. Three of the vulnerabilities involved cross-site scripting. One flaw let unauthorized users delete files, and another allowed unauthorized posts to be created (Naked Security).
Twitter has fixed a flaw that allowed third-party apps to access a user's direct messages. The bug affected apps that required a PIN to authorize access to Twitter (BleepingComputer).
Microsoft released an out-of-band patch for a zero-day remote code execution vulnerability in Internet Explorer. The flaw must be patched manually until Microsoft's next security release in January (Computing).
Crime and punishment.
The US Department of Justice announced on Thursday that it had seized 15 attack-for-hire websites (also known as "booter" or "stresser" sites) and charged three men who had operated two of those services. Pennsylvania resident David Bukoski, who operated the extremely popular, long-running booter service Quantum Stresser, was charged with aiding and abetting computer intrusions. Quantum Stresser had been active since 2012 and was used in over 50,000 attacks in 2018 alone.
Matthew Gatrel from Illinois and Juan Martinez from California were charged for operating Downthem, a booter service that was used to launch attacks at more than 200,000 targets over the course of its existence. Assistant U.S. attorney for the Central District of California Cameron Schroeder said, "This is the biggest action US law enforcement has taken against booter services, and we’re doing this in cooperation with a large number of industry and foreign law enforcement partners" (KrebsOnSecurity).
Courts and torts.
Washington DC is suing Facebook for failing to protect its users' data. Lax oversight and misleading privacy settings are among the reasons cited for allowing the misuse of millions of users' personal information (The Register). "Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used," said DC's Attorney General Karl A. Racine. "Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission" (OAG DC). The lawsuit is seeking an injunction against the company, as well as restitution for consumers.
Fortunes of commerce.
All of the Five Eyes reportedly agreed during a July meeting in Canada that Huawei constitutes a security threat (The Sydney Morning Herald). While the countries have taken different approaches to the telecommunications giant's presence within their borders, they all agreed that the company's potential to facilitate Chinese espionage needed to be contained (Gizmodo).
Huawei continues to lose support from companies in Europe, its largest market outside of China (Bloomberg). French telecom giant Orange SA announced that it won't use Huawei's equipment in its 5G networks, and the UK's BT is implementing prearranged plans to phase out Huawei's kit. Germany's Deutsche Telekom AG is also considering excluding Huawei from its upcoming networks (MarketWatch).
Meanwhile, Huawei's CFO Meng Wanzhou is out on bail in Vancouver, where she awaits her return to court on February 6th. In a move that's widely viewed as retaliatory, Chinese authorities confirmed that they had arrested two Canadians on suspicion of "engaging in activities that harm China’s national security" (The Guardian).
ZTE is also facing increasing pressure over similar concerns, after US authorities warned that the company's equipment and devices provide opportunities for Chinese spying. The company has enlisted the help of former US senator Joe Lieberman to conduct an independent security assessment of the company's products (Politico).
Google has shut down a data analysis system that it was using in the development of its censored Chinese search engine after complaints were raised by the company's privacy team, according to The Intercept. The project, known as "Dragonfly," would have used blacklists to block out topics that are frowned upon by the Chinese government, including search terms related to democracy, free speech, and human rights (The Intercept). Amnesty International was happy to hear the news, but wants assurances that the shutdown is permanent, particularly after Google CEO Sundar Pichai's waffling answers on the topic in front of Congress last week (Computing).
A number of employees are ghosting their employers or interviewers without warning, according to the Federal Reserve Bank of Chicago's latest Beige Book. Analysts believe the trend is due to the high number of job openings in the US, with more people deciding they simply don't need to take the time to give notice to their employers. This practice became common in China over the past decade for similar reasons, and some recruitment firms in that country have started making multiple offers for every job because they assume that some candidates won't show up (Washington Post).
Mergers and acquisitions.
Thoma Bravo is rumored to be in talks to buy McAfee from TPG and Intel at a price significantly higher than the company's 2016 $4.2 billion valuation. Sources told CNBC that a deal—which is still in early discussions and may still fall apart—would end Thoma Bravo's consideration of a Symantec acquisition (CRN).
The Australian Competition and Consumer Commission (ACCC) will allow Thales to go through with its $7.7 billion purchase of Gemalto, so long as Thales agrees to divest competing business interests (iTnews).
Investments and exits.
DEVCON, a cybersecurity company focused on combating ad fraud, raised $4.5 million in seed funding. The round was led by Las Volas VC, with participation from individual investors Paul Judge, executive chairman of Pindrop, and Adam Ghetti, founder of Iconic Security (Associated Press).
A note to our readers: the CyberWire takes its annual holiday break this coming week, with Christmas and New Year's Day coming up. This is our last Week that Was for 2018. We'll resume regular publication on January 5th, in the new year. Our best holiday wishes to all of you, and thanks for reading.
This CyberWire look back at the Week that Was discusses events affecting Brazil, Canada, China, Cuba, Cyprus, Finland, France, Germany, India, Iran, Ireland, Japan, Russia, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, Vietnam.
On the Podcast
Research Saturday is up. In this episode we hear how researchers at Duo Security have been looking into Apple's Device Enrollment Program (DEP) and have discovered vulnerabilities that could expose users of the service to potential issues from social engineering and rogue devices. James Barclay, Senior R&D Engineer at Duo Security, joins us to share what they've found.
The latest edition of CyberWireX is also up: "Risk and regulation in the financial sector." We take a look at risk and regulation in the financial sector, and specifically at how it intersects with cyber security. How do organizations operate in a heavily regulated global financial environment, while protecting their employees, their customers, and the integrity of a system largely built on trust? Joining us are Valerie Abend from Accenture and Josh Magri from the Bank Policy Institute. Later in this same CyberWireX podcast we'll hear from Jason Hart, CTO for enterprise and cybersecurity at Gemalto, the program sponsor.
© 2018 CyberWire, Inc.