Are your browsers exposing you to dangerous web code? Authentic8 can help.
The week that was.
Researchers at Snyk have identified a vulnerability in the way open source software libraries handle archive files. Snyk describes it as a "widespread arbitrary file overwrite critical vulnerability, which typically results in remote command execution" (Tech Republic). Attackers can create Zip archives that overwrite files in affected systems through path traversal. Such files are either destroyed entirely or replaced with malicious content. Snyk has posted a list of vulnerable projects to GitHub (Naked Security).
$8.76 million: The average yearly cost of insider threats. Get the report.
VPNFilter reconstitutes its botnet, and affects more devices.
The VPNFilter botmasters may be attempting to reconstitute their botnet. Researchers at JASK and GreyNoise reported late Friday that the threat actors behind the first round of infestations are working to herd another set of routers. In an attempt to work around the US FBI's sinkholing of the "ToKnowAll" domain, they're actively scanning Mikrotik routers with port 2000 exposed online, and they're looking only for routers in Ukrainian networks. The focus is unsurprising, given that the threat actor in question is widely believed, on compelling if circumstantial evidence, to be Fancy Bear, Russia's GRU. The interest in Ukrainian targets is significant, but no one in any country should be blasé about the possibility of router infection (Bleeping Computer).
Cisco's Talos unit has added several models to its running list of devices they've found susceptible to herding by VPNFilter. The malware has now been found to infect more models than it had formerly captured with infestations found in ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices. (Cisco Talos).
Scared about Linux hosts being attacked? Get agentless security with Sandfly.
The US has charged former US Army warrant officer and Defense Intelligence Agency contractor with spying for China. Ron Rockwell Hanson was arrested in Seattle on his way to boarding a flight for China (ClearanceJobs). Charges came at the beginning of a week that saw an upswing of revelations and concerns about Chinese espionage.
CrowdStrike says China has resumed large-scale theft of US intellectual property, which suggests that it's moved on from the 2015 agreement to refrain from such hacking (McClatchyDC). Observers speculate the shift is due either to recent trade tension with the US or simply the coming-of-age of China's large, young, consolidated Strategic Support Force, whose mission includes the economic goals of the country's "Made in China 2025" plan.
Friday US officials speaking under conditions of anonymity told the Washington Post that Chinese intelligence services had hacked an unnamed contractor working at the Naval Undersea Warfare Center in Rhode Island and successfully exfiltrated sensitive data concerning submarine operations (TheHill).
Widespread concern in the US Congress and elsewhere concerns the HUMINT threat posed by the commercial relationships between US companies, especially Facebook and Google, and Chinese companies, especially but not exclusively Huawei (South China Morning Post).
Facebook did acknowledge earlier this week that it had shared access to its data with a number of Chinese companies that included, Lenovo, Oppo, TCL, and, of course, Huawei. They did so, said Facebook's Vice President of Mobile Partnerships, in a "controlled" way (New York Times). Controlled or not, Huawei denied collecting or analyzing Facebook user data (San Jose Mercury News).
The US Congress has asked both Facebook and Google (also an alleged data-sharing partner) for explanations (Bloomberg).
Under GDPR non-compliant companies face trade-offs on borrowed time, says Control Risks.
Cyber and summit.
Preparations for the US-North Korea summit continue (Foreign Policy). Various security and foreign policy wonks are advising President Trump to stay focused on nuclear issues and not complicate matters by bringing up cybersecurity at his summit next week with North Korean leader Kim (Fifth Domain).
Other interested countries have increased the tempo of their cyberespionage efforts in an attempt to gain insight into the summit. According to FireEye, Russia and China have in particular targeted South Korea. The two threats groups FireEye calls out are TempTick, a Chinese outfit hitherto best known for its collection against domestic dissident or otherwise suspect groups, and Turla, best known for its Trojan of the same name. Turla is a Russian government group that's been active at least since 2008, generally believed to be associated with Russia's FSB (Independent).
CyberSecJobs knows employers looking for your cyber expertise.
Concerns about Russian election meddling persist. In the US especially these operations seem largely to consist of amplified divisive, "hyper-partisan narratives" as opposed to direct disinformation. The goal fundamentally remains erosion of public trust and confidence in the institutions of civil society. Here again lies receive a bodyguard of truth—there's usually some truth somewhere in even the most hyperpartisan narratives (Politico).
FireEye says a news site that popped up last month, USA Really, is in fact a Russian information operation, run out of the same building in St. Petersburg that housed the notorious Internet Research Agency troll farm (McClatchyDC). Some of the features are charmingly bizarre (blood-sucking mosquitoes invade Wisconsin, Louisiana should secede from the union again, etc.) but the intent is thought to be malign erosion of civic trust (South China Morning Post).
Russian influence operations in Europe, notably in Germany and Italy, have tended to rely upon various mouthpieces in political parties whose platforms and interests tend to align, opportunistically at least, with Moscow's goals. An international group is being formed to counter the effects of Russian influence operations. It will be called the "Transatlantic Commission on Election Integrity." Its two co-chairs suggest a seriousness of purpose: NATO Secretary General Anders Fogh Rasmussen and former US Secretary of Homeland Security Michael Chertoff (Politico).
New business email compromise group found.
At the end of the week Booz Allen Hamilton’s Dark Labs reported their identification of an active and effective business email compromise operation. They've hit financial, consumer, manufacturing, and aerospace companies, and succeeded in getting some payouts. They've used phoney impersonations of Fortune 50 domains in bogus invoice schemes. Dark Labs found some five-hundred-eighty impostor domains used by the gang. Their use of information scraped from legitimate websites and social media (especially LinkedIn) shows that criminals can good use of open source intelligence (Booz | Allen | Hamilton).
Atlanta's cyber attack looks worse with every bit of news that dribbles out.
The ransomware attack the US city of Atlanta sustained on March 22nd looks worse than ever, arguably the worst any US city has suffered (TechCrunch).
The city's interim CIO told the City Council that more than a third of the four-hundred-twenty-four "software programs" the city uses were affected by the ransomware incident, and that some 30% of the affected programs were "mission critical" (Reuters). Such metrics must be treated with caution (one hesitates in the face of such specificity—what counts as a "software program," for example?) but they surely mean nothing good. Among the data lost, apparently beyond recovery, are years of police dashcam imagery (Naked Security).
The city has resisted providing information on the scope of the attack, presumably for the publicly stated concerns about preserving the integrity of the investigation, not giving attackers insight into remediation, and so on, but people are getting impatient with what's now widely regarded as stonewalling. The City Council has joined criticism of the Mayor, with the City Council President this week calling for more transparency (Reporter Newspapers).
Back on April 12th the Atlanta Journal-Constitution put the cost of recovery at $2.7 million but warned that it would surely go up. The paper had it right. This week it looks as if it will take another $9.5 million to put matters right (Engadget).
Crime and punishment.
The FBI got access to former Trump campaign manager Paul Manafort's encrypted messages via a warrant for his iCloud account. Some see this as undermining the FBI's position in the cryptowars (Motherboard).
After the Alpha Bay and Hansa takedowns, criminals dealing in contraband are increasingly leaving their dark web souks, relying instead on peer-to-peer communications, messaging, and the like (Dark Reading). So criminal channels are adaptable, but the law-abiding may take some satisfaction in knowing that takedowns and other law enforcement actions can at least complicate the life of crime (SecurityWeek).
Courts and torts.
Google seems likely to be hit with a record EU anti-trust fine over the way in which it manages apps in its Android ecosystem. The fines, expected to announced the week of July 9th, are thought likely to exceed the €2.4 billion the company endured last year. The 2017 fines were over the ways in which its search engine favored its own products over those of competitors (Reuters).
Want to complain about cryptojacking? The US Federal Trade Commission says it would like to hear from you (Bleeping Computer).
Apple issued upgrades for a number of its products, including macOS, iOS, watchOS, tvOS, Safari, and iCloud and iTunes for Windows (Help Net Security). Apple revealed some significant enhancements to user privacy in its products. MacOS Mojave and iOS 12 include features designed to thwart various forms of tracking (SecurityWeek) and the newest version of Safari is said to aggressively suppress ad trackers (WIRED). One of the upgrades being tested in iOS 12 Beta is designed specifically to defeat the unlocking tools by Cellebrite and GrayShift that have been used in some law enforcement investigations (Motherboard). Some observers are skeptical, in an I"ll-believe-it-when-I-see-it mood (Gizmodo) but in general the upgrades have been well-received.
Adobe patched four vulnerabilities this week, including one emergency fix to a Flash zero-day that was undergoing active exploitation in the wild (Dark Reading). That particular vulnerability, CVE-2018-5002, is being used against a selected set of Windows users (KrebsOnSecurity). Those users are found for the most part in Qatar (CyberScoop).
A Facebook glitch inadvertently turned some 14 million users' private data public changing default settings from "private" to "public" between May 18th and 22nd. Facebook advises users to take a look at whatever stuff they may have posted last month (SecurityWeek).
Google will exit the military market, at least that part of it that uses AI to analyze drone footage. The company will not seek to renew its contract under Project Maven when it expires next year (TheHill). The decision is driven, apparently, by employee hostility to doing work for the US military (CRN). Few are likely to follow Google's lead (Bellingham Herald). A piece in Defense News argues that what happed with Maven has two roots: first, Google's employees got ahead of Google's marketing, and, second, Google is in the advertising and data analytics business, which makes its operations all the more sensitive to any disturbing vibes those sectors might be throwing off, especially post-Facebook, post-Cambridge Analytica. The company's settled position for now is that it won't contribute its artificial technology to weapons programs (SecurityWeek). Former Defense Secretary Ashton Carter, who set AI policy while in office, points out that no one really wants fully autonomous lethal systems—a human trigger-puller would remain in the loop (Defense One). It's unclear whether that will satisfy Googlers.
CACI has picked up a very large task order from the US Department of Homeland Security, with a potential total contract value of $407 million (Defense Daily).
On Monday Microsoft announced that it had bought Github for $7.5 billion in stock (BBC). CIOs in other companies were guardedly optimistic about what the acquisition might mean for the industry as a whole, but they stressed the important place GitHub occupies as an "environment for open source innovation" (Wall Street Journal). (SD Times has a round-up of industry reaction. Developers, a famously difficult crowd, are said by Naked Security to be feeling "wrath.") How Microsoft will handle GitHub remains to be seen, but it won't be an obvious or straightforward integration. For one thing, GitHub contains code used to produce things that Microsoft may regard as less than desirable (like xBox emulators) or that may entangle it, at one level of abstraction, in the kind of content-moderation coils in which Facebook and Twitter find themselves enmeshed (WIRED). Reports say that Google was also bidding for the open-source repository (CRN). Most of the commentary on the acquisition has focused on what it means for the open-source world, and what it says about Microsoft's intentions for that world, but let's not overlook the sheer amount of money involved. Here's one point of comparison: Northrop Grumman this week received anti-trust clearance to buy Orbital ATK, a large aerospace concern and a serious player in the space-launch business. Northrop Grumman is paying $7.8 billion for Orbital (Washington Business Journal).
Leidos is the latest US Federal contractor to exit the commercial cybersecurity market (Washington Technology). It's sold its commercial cyber unit to Capgemini, which intends to use its acquisition for a push into the North American market (Economic Times).
Solar Winds has filed for an IPO (Channel e2e).
In an upstate New York deal, GreyCastle Security (of Troy) has acquired the cybersecurity unit of Rochester-based EagleDream (Rochester Business Journal). This is GreyCastle's second acquisition since it picked up Minneapolis-based Orange Parachute in November (Albany Business Journal).
Fortinet has acquired Boston-based IoT security firm Bradford Networks for $17 million, with $2 million more possible in earn-outs (CRN).
Intertek announced its acquisition of network security shop NTA monitor, noted for its operations in Malaysia and the UK (Proactive Investors).
CounterTack has announced its acquisition of managed detection and response shop GoSecure in a bid to encroach on CrowdStrike's and Carbon Black's marketshare (Channel Partners).
Calian Group has bought Ottawa-based Secure Technologies International with a view toward increasing their resilience services. They're particularly interested in the company's training offerings (Computer Dealer News).
Endpoint protection company Reason Software has purchased Tel Aviv-based Filelock for its encryption and data protection capabilities (PRNewswire).
Qualys has issued a letter of intent to acquire Second Front Systems. The goal of the prospective acquisition is to increase Qualys's position in US Federal markets, especially military and security markets (PRNewswire).
Duff and Phelps, which last month acquired Kroll, has rolled Kroll's capabilities into a new division, the Governance, Risk, Investigations, and Disputes business unit (BusinessWire).
Frontier Capital has increased its majority growth stake in MediaPRO, the SaaS company that offers an array of security training programs. They also announced the appointment of a new CEO for MediaPRO.
Cyberbit has raised $30 million from Claridge Israel. A subsidiary of Elbit, Cyberbit intends to use the funds to expand the availability of its security offerings, particularly its cyber range services (PRNewswire). Bain Capital Private Equity announced its intention to recapitalize public safety software shop TriTech Software Systems (PE Hub).
ClearForce, a Virginia-based firm whose employee risk-management offerings have some relevance to insider threat mitigation programs, announced a new strategic investment round from Centricus Partners (PRNewswire).
Texas-based ALTR emerged from stealth Wednesday with $15 million in funding. ALTR's flagship offering is a blockchain-secured data storage and access solution (SecurityWeek).
CrowdStrike announced a $1 million breach warranty for users of its EPP Complete security solutions package (CRN).
CRN takes a jaundiced look at the cyber start-up scene that was on display at Infosec Europe 2018 this week, and concludes that the market has peaked. They think there's too much money carelessly chasing too small a potential return.
Dog bites man: analysts reckon IBM is a better long-term investment than Bitcoin (cryptona). You think?
On the Podcast
Two podcasts are particularly worth your attention this weekend.
First, in the current episode of Hacking Humans, our hosts examine the anatomy of a phishing attack, explore pretexting, and review how a scammer targets real estate agents. And Professor Stephen Lewandowsky from the University of Bristol joins us to share his research on misinformation, fake news, and how one might try to inoculate people against them.
Second, of course, is Research Saturday. This week we talk with ProtectWise's Tom Hegel, Senior Threat Researcher at 401TRG. He shares their research into the Winnti Umbrella, a Chinese state-sponsored actor.
© 2018 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.