We're pleased to announce our new subscription program, CyberWire Pro, launching early in 2020. For cyber security professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. Learn more and sign up to get launch updates here.
By the CyberWire staff
Phishing campaign targets government procurement agencies.
Researchers at Anomali have identified a phishing campaign apparently intended to harvest credentials from some twenty-two government agencies and government contractors in several countries around the world. US targets have received the most attention, but Australia, Canada, China, Japan, Mexico, Peru, Poland, Singapore, South Africa, and Sweden were also targeted. The US targets include the Departments of Commerce, Energy, Housing and Urban Development, Transportation, and Veterans Affairs. Some of the attacks also targeted shipping companies such as DHL, along with email services. The sites used in this campaign are currently dormant, but the researchers believe the attackers are either still active or will be active again in the future.
ZDNet says no one knows who's behind the operation or what their goal might be. Anomali speculates that the campaign's motivation "could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question."
Telegram hacks may point to telecom infrastructure compromise.
At least thirteen Russian entrepreneurs have had their Telegram accounts hacked, and the attacks may suggest that an unknown threat actor has compromised SS7 telecom infrastructure to bypass SMS-based two-factor authentication, researchers at Group-IB told Forbes. Telegram texts a one-time-use authentication code to a user's phone whenever someone tries to log in to their account from a new device. Bypassing SMS-based authentication is nothing new, but it generally requires an attacker to have control over the targeted device. The researchers said they found no evidence that the victims' devices had been hacked or otherwise compromised, so they suspect the attacker intercepted the text messages from an external source. Group-IB is investigating whether the attacks compromised SS7 infrastructure, which has been exploited in the past to get around multifactor authentication.
Dragos and CrowdStrike Webinar: Bridging the IT and OT cybersecurity gap.
Join Dragos and CrowdStrike on December 17 for a 30 minute webinar on the unique challenges in IT and OT environments. Hear how to improve your ICS security posture, address the OT skills gap and prevent future attacks. Register today.
TrickBot gang offers Anchor for long-term attacks.
Cybereason outlines a Trickbot campaign that's delivering the newly discovered Anchor malware to high-profile targets. The researchers say Anchor "has been in operation since August 2018 and appears to be tightly related to TrickBot." The malware is used in targeted, stealthy attacks, often focusing on point-of-sale systems. SentinelOne's research unit SentinelLabs describes it as "a complex and concealed tool for targeted data extraction from secure environments and long-term persistence." As ZDNet puts it, Anchor offers stealth-focused modules that aren't necessary for the majority of TrickBot's customers, but which can be very useful in attacks against high-value corporate environments.
Anchor's stealth and persistence has apparently made it an attractive tool for nation-state actors. SentinelLabs concluded that one of Anchor's users is North Korea's Lazarus Group, based on an incident in which the malware was used to download the PowerRatankba backdoor. PowerRatankba is a PowerShell toolkit that's been associated with Lazarus Group in the past. Additionally, the domain that was called to download PowerRatankba was involved in the December 2018 breach of Chile's Redbanc, which was also attributed to the Lazarus Group.
There is a long-recognised skills gap within the cyber security sector.
The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. Through a partnership with the CyberWire, each of CyBOK's knowledge areas will be featured in its own podcast. The first few episodes are available on your favorite podcast app. Visit the website to learn more.
OceanLotus targets automotive companies.
Bayerische Rundfunk reported last Friday that OceanLotus (also known as APT32), a hacking group associated with the government of Vietnam, compromised the networks of BMW and Hyundai. In BMW's case, the attackers used Cobalt Strike spread throughout the network with the apparent goal of industrial espionage. BMW reportedly detected the attack and monitored the hackers' movements for months before kicking them out at the end of last month.
OceanLotus has been linked to the Vietnamese government for years, and the group turned its attention to the automotive sector when Vietnam began trying to build up its domestic automotive industry. Vietnamese automotive startup VinFast began selling cars with BMW-licensed parts in June 2019. Engadget observes that this places BMW in an awkward position, as one of its trading partners seems interested in stealing its intellectual property.
Ring hackers harass homeowners and children for entertainment.
WMC5 reported an incident Wednesday in which a hacker gained access to a Ring camera in an 8-year-old girl's room and creepily taunted the child until her father disconnected the camera. Motherboard came across a podcast livestreamed on Discord in which the hosts hack into Ring and Nest cameras in order to harass homeowners on the air. These hackers have apparently been responsible for a number of home camera hacks that have made the news recently. Motherboard also discovered that the hackers were using credential-stuffing software capable of breaking into Ring cameras that don't have two-factor authentication enabled.
Some administrators of the hacking forum "Nulled," where these hackers congregated, tried to distance themselves from the behavior, stating that "Nulled does not and will not tolerate the harassments [sic] of individuals over Ring cameras or similar." The aspiring podcasters seemed less intimidated, however, writing on a Discord server that they would continue their show despite being under active investigation by law enforcement.
Why You Need to Check Your Email Attack Surface - New Breach Data Sources
Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year.
Find out your email attack surface now with the NEW version of KnowBe4’s Email Exposure Check Pro. It identifies your at-risk users by crawling business social media information and now also thousands of breach databases.
You’ll receive your EEC Pro report in less than 5 minutes! It’s complimentary and is often an eye-opening discovery. Give it a try.
Snatch ransomware encrypts machines in Safe Mode.
Researchers at Sophos describe a new strain of the Snatch ransomware that automatically reboots Windows machines into Safe Mode before encrypting the hard drive, which allows it to avoid detection by antivirus programs. Sophos says that "the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated." The attackers use brute force attacks to break into organizations, and then manually spread laterally throughout the network. The malware is written in the Go programming language, and so far it can only run on Windows. In addition to the ransomware element, Snatch also contains components for data exfiltration.
The criminal group behind Snatch is seeking affiliates to assist them in their work, particularly people with "with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies." They're also offering to train people to use their malware for free, apparently in an effort to grow their team.
Register Now for the Information Security Institute Virtual Information Session
Our graduate students in the Johns Hopkins University Information Security Institute work alongside our faculty who are world-renowned for their research in cryptography, privacy, medical information security, and network and system security. To learn more, register for the one-hour session to get an overview of the Information Security Institute. Panelists will provide a program overview, areas of research, admissions requirements, and discuss life in Baltimore.
Microsoft's December Patch Tuesday includes fixes for thirty-six vulnerabilities, seven of which were deemed critical, BleepingComputer says. One of the bugs, CVE-2019-1458, is an elevation-of-privilege vulnerability that's being exploited in the wild. Exploiting this vulnerability could allow a logged-on user to "run arbitrary code in kernel mode." Researchers at Kaspersky observed this flaw being exploited in an attack campaign they've dubbed "Operation WizardOpium." This campaign displayed "very weak code similarities" to attacks by the Lazarus Group, but the researchers say the similarities may just as well be false flags.
Amazon released fixes for several vulnerabilities in its Blink XT2 home security cameras that could have allowed hackers to gain full control over the devices, according to ZDNet. The flaws were reported by Tenable.
Google Chrome version 79 will notify users if their passwords are detected in data breaches, according to the Verge. When users sign into a site, Google says Chrome will "send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome." This hash is then checked against a database containing more than four billion previously breached credentials.
When Windows 7 expires in January, it's taking Microsoft Security Essentials with it. Redmond "strongly recommends that you move to Windows 10 sometime before January 2020."
Crime and punishment.
Google gave 1,494 device identifiers to the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in response to two search warrants, Forbes reports. The warrants requested data on Google customers located within three hectares during a timeframe relevant to four arson incidents in Wisconsin. The data was stored in Google's Sensorvault database, which stores detailed location information on customers who have the location history setting enabled.
Wester Ross Fisheries, a salmon farm in northern Scotland, fell victim to a phishing scam that netted more than £2 million, and one of the men involved in laundering the money is now on trial in the UK, according to the Fish Site. Prosecutor Anthony Hucklesby said the scam took place over the phone in July 2017, with the fraudsters posing as employees of the Bank of Scotland.
The US Justice Department sentenced a social media influencer from Cedar Rapids, Iowa, to fourteen years in prison after he attempted to hijack an Internet domain by hiring his cousin to hold the domain's owner at gunpoint. The defendant, Rossi Lorathio Adams II, who goes by "Polo," ran a boorish social media company called "State Snaps." Mr. Adams wanted control of the domain "doitforstate[.]com." After failing to convince the domain's owner with threats, Adams enlisted the help of his cousin, who broke into the victim's house and ordered him at gunpoint to transfer the domain to Adams's GoDaddy account. During the encounter, the victim gained control of the weapon and shot Adams' cousin.
The UK's National Crime Agency (NCA) revealed that a member of the cybercriminal group known as "Lurk" was sentenced to six years in prison and ordered to pay £270,000 ($355,000), ZDNet says. The fraudster, Zain Qaiser, would impersonate legitimate companies and buy ad space on adult websites, which was then used for malvertising.
Courts and torts.
Reuters reports that Apple has expressed "deep concerns" that two former employees accused of stealing trade secrets were at risk of fleeing the US. The Federal prosecutors in the case agreed and argued that the two men, both of whom have family in China, should be subject to constant monitoring, as it would be next to impossible to extradite them should they succeed in reaching China.
German call center 1&1 Telecommunications was fined €9.6 million ($10.5 million) under GDPR for lax authentication practices, Naked Security reports. Apparently the company only required customers to provide their name and date of birth in order to gain access to their accounts, which contained "extensive information on further personal customer data." Germany's data protection authority determined that this violated GDPR's Article 32, which specifies "appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
The ACLU has sued US Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) over their use of Stingray phone surveillance devices, according to CNET.
Policies, procurements, and agency equities.
The US Senate appears to be leaning towards the Justice Department's position on encryption, the Washington Post reports. During a Senate Judiciary Committee hearing on Wednesday, committee chairman Lindsey Graham told representatives from tech companies including Apple and Facebook that "You’re going to find a way to do this or we’re going to do it for you," referring to lawful access to encrypted data. Fortune notes that senators' arguments against end-to-end encryption tended to focus on fighting child exploitation and sex trafficking.
Facebook is currently leading the pro-encryption side of the argument, and the Telegraph believes the company has strategically chosen this as a battle it can win, because "by embracing encryption...Facebook can begin again to curry favour with the pro-privacy lobby and the civil libertarian Left, whose support is otherwise tepid."
The US Justice Department released its Inspector General's report on the FBI's 2016 Crossfire Hurricane investigation, which was opened to investigate allegations of Russian influence in President Trump's campaign. The IG said that the FBI did have grounds to open the investigation, but the investigation itself displayed "serious failures," particularly relating to the way the FBI obtained and used FISA warrants, and in the way it handled confidential human sources.
David Kaye, the UN special rapporteur on freedom of expression, urged the Ethiopian government to stop arbitrarily shutting down the Internet in the country, Reuters reports. Ethiopia only has one Internet service provider, and it's owned by the state. Addis Ababa shuts off the Internet somewhat frequently, sometimes citing national security reasons and other times offering no explanation at all.
Iran and China are both making progress toward Internet sovereignty. CNET notes that Iran's president Hassan Rouhani told the country's parliament that Iran's intranet will be strengthened so that "people will not need foreign [networks] to meet their needs." Radio Farda observes that users can't use VPNs on Iran's domestic intranet, and the network is subject to strict censorship. Meanwhile, China's president Xi Jinping ordered that all foreign-made computer hardware and software must be removed from government offices within the next three years, according to the Guardian. Two Chinese software companies, Tianjin Kylin Information (TKC) and China Standard Software (CS2C), announced last Friday that they would jointly develop a new domestic operating system, Computing reports.
Fortunes of commerce.
Naked Security observes that Facebook will now use Oculus VR data to improve ad targeting on the company's products. The measure affects users who have logged into Oculus using their Facebook accounts. The company said the targeted ads might relate to "Oculus Events you might like to attend or ads for VR apps available on the Oculus Store."
YouTube on Wednesday updated its harassment policy to prohibit "veiled or implied threats" and "demeaning language that goes too far." The latter category includes "content that maliciously insults someone based on protected attributes such as their race, gender expression, or sexual orientation."
The US Department of Defense says that employee retention can be improved by placing an emphasis on the difference government workers are making. Cyber Command's senior enlisted leader, Marine Corps Master Gunnery Sgt. Scott H. Stalker, said on Monday that retention is "not so much 'Here’s more money, we’ll keep you in....We want them to know that what they are doing is relevant....When it comes to targets like China, Russia, Iran, North Korea and violent extremist organizations, on a daily basis they are employed. They are working hard. That's what they want to be doing. They want to be on mission doing their job. I’d say that's probably the same in most domains. They want to do the job they came in for."
Mergers and acquisitions.
Fortinet has acquired Virginia-based CyberSponse. Fortinet, headquartered in Sunnyvale, California, intends to add CyberSponse's Security Orchestration, Automation and Response (SOAR) platform to its portfolio of offerings, ZDNet reports. The terms of the acquisition were not immediately available.
Switzerland and Singapore-headquartered cloud backup and data security company Acronis has acquired Florida-based cloud management and security company 5nine.
Irish cybersecurity automation startup Tines has raised an additional $11 million, bringing the total amount raised in its Series A round to $15.1 million, according to VentureBeat. The added funding comes from Accel, with participation from Index Ventures and Blossom Capital.
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, Ireland, Japan, Democratic People's Republic of Korea, Mexico, Peru, Poland, Russia, Singapore, South Africa, Sweden, Switzerland, United Kingdom, United States, Vietnam.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.