Get comprehensive information about securing the DIB supply chain
The week that was.
Ransomware (temporarily) stops the presses.
A cyberattack disrupted printing operations at several major US newspaper companies over the last weekend of 2018. Malware affected systems used by Tribune Publishing, whose printing plants support publication of numerous other newspapers (SecurityWeek). Papers affected included the Los Angeles Times, the San Diego Union Tribune, the New York Times, and the Wall Street Journal. Tribune Publishing said that every market of its own company was affected. Among its properties are the Baltimore Sun, the New York Daily News, the Capital Gazette, the Hartford Courant, the Chicago Tribune, the South Florida Sun Sentinel, and the Orlando Sentinel (The Los Angeles Times).
The malware used in the incident is suspected to be Ryuk, a ransomware strain used in tailored attacks. Check Point analyzed Ryuk in August, and concluded that "its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers." Check Point researcher Ben Herzog calls Ryuk "artisinal" malware designed to target critical resources at specific companies (Government Technology).
Check Point researchers believe the author of Ryuk had access to the HERMES ransomware source code, based on extensive similarities and code overlap. HERMES is generally attributed to North Korea's Lazarus Group, but that doesn't necessarily mean that Ryuk is a Lazarus production. Naked Security notes that "all attackers have an incentive to make it look like somebody else is behind their work, and ransomware groups have a history of copying one another’s code and tactics."
The motive for the attack is also unknown. The Los Angeles Times quoted an anonymous inside source as saying that the attack appears to have originated from outside of the United States. The source added that the attack appeared to be intended to disable servers rather than stealing information. The latter assertion is congruent with a statement from Tribune Publishing, which said that "the personal data of our subscribers, online users, and advertising clients has not been compromised."
Ryuk was also used in an attack against cloud hosting provider Data Resolution on Christmas Eve (KrebsOnSecurity). An attacker was able to compromise an internal account and take over the company's data center domain. The attack was apparently financially-motivated, but the victim wisely refused to pay the ransom (The Daily Swig). Data Resolution shut down its network to contain the attack, and is still working to restore its systems from backups.
Open Source Network Security Tools for Beginners
US citizen accused of espionage arrested in Russia.
Russia's FSB on December 28th arrested a US citizen it accuses of spying. The FSB said that Paul Whelan, an ex-Marine who now works as the global security director for automotive component supplier BorgWarner, was arrested while he was “in the course of carrying out espionage activities” (Foreign Policy). Russian news agency Rosbalt claims that Whelan had just received a USB drive containing a list of classified names minutes before FSB officers stormed his hotel room and arrested him (The Guardian). His defense attorney is seeking bail, but he faces up to twenty years in prison if he's found guilty (BBC).
Most observers believe the arrest represents Russia's attempt to set up a swap for the recently-convicted Maria Butina, a Russian citizen who pleaded guilty in the US last month to conspiring to act as a foreign agent. Whelan's lawyer, Vladimir Zherebenkov, is already talking about a prisoner exchange involving either Ms. Butina or two other Russians currently on sabbatical in the US correctional system (ABC News).
Retired CIA officer John Siphon believes that "there is almost a zero percent chance that Mr. Whelan was involved in espionage," observing that US intelligence services would have known that Whelan's background as a US Marine would put him in the spotlight for Russian security services (Foreign Policy). Part of that military background included a 2008 court-martial for multiple violations of the Uniform Code of Military Justice (Washington Post).
Get your copy of the definitive guide to threat intelligence.
Hackers dox hundreds of German politicians.
A large doxing campaign exposed data of hundreds of senior German government officials, including Chancellor Merkel and President Steinmeier. A Twitter account had been leaking the data since before Christmas, in an Advent calendar parody (BBC). The staggering amount of data includes email addresses, home addresses, phone numbers, photos, passwords for Facebook and Twitter accounts, credit card information, identity documents, letters, invoices, text and voicemail messages, and information on family members. The leak also included the data of various non-politicians, including journalists, artists, and comedians (Graham Cluley). Chancellor Merkel only had two email addresses, a fax number, and some letters leaked. Nothing particularly scurrilous or discreditable, but the sheet volume is impressive.
According to the BBC, Interior Minister Horst Seehofer said the hacks were carried out through "wrongful use of log-in information for cloud services, email accounts or social networks." The BSI, Germany's information security agency, simply said that government networks remain secure, suggesting that credential-based hacking was to blame. Security expert Graham Cluley said that the sheer scope of the data "suggests that this has been a coordinated effort by a determined group over many, many months, amassing as much personal and sensitive data as possible and releasing it with an as yet unknown end goal." Some observers and at least one German politician noted that the right-wing Alternative for Germany (AfD) party was the only political party that wasn't affected by the leak, leading to speculation that either Russia or right-wing sympathizers were behind the hack (Ars Technica). The BSI is investigating.
As of yet, however, there's no hard evidence to establish attribution. We did receive an interesting email from CrowdStrike, whose Vice President of Intelligence, Adam Meyers, thinks there are suggestive connections among some of the social media accounts associated with the incident. "An analysis of the Twitter follower network used to leak the data indicates that the leak may have a political angle—the user @_0rbit is part of a small cluster of four accounts that follow each other. CrowdStrike Intelligence assesses that these accounts are likely managed by the same group or individual. The motivation behind the leaks remains unclear. With the analysis presently available, CrowdStrike Intelligence cannot rule out an information operation."
Since Twitter's European headquarters are located in Dublin, the breach falls under the jurisdiction of Ireland's Data Protection Commissioner. That agency is working with the German Land of Hamburg to stop the spread of the data on Twitter (RTE). Twitter deleted the account that was posting the data, but the hackers spread the data across so many different mirrors and and other sites that it's proving difficult to contain or assess the breach (TechCrunch).
What if your security solution could provide zero doubt?
Victoria suffers data breach.
Australia's state of Victoria suffered a data breach affecting about 30,000 government workers. On December 22, an attacker reportedly gained access to a government employee's email account through a phishing attack, then downloaded a folder containing civil servants' email addresses, phone numbers, and job titles (Australian Broadcasting Corporation). Employees received an email notification of the incident, which warned that as a result of the breach they "may experience increased phishing, spam and social engineering attempts via your work email address and telephone numbers" (Infosecurity Magazine). The information will likely be used in more targeted attacks in the coming weeks and months.
Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace.
CenturyLink outage traced to faulty network card.
CenturyLink experienced an outage last Thursday and Friday that affected 911 emergency services across the US. A spokeswoman for the company told the Billings Gazette that the issue was caused by a "faulty network management card" from a third-party vendor, and was compounded by the fact that it "impacted CenturyLink's visibility into our network management system, impairing our ability to troubleshoot and prolonging the duration of the outage." FCC Chairman Ajit Pai said the length and extent of the outage was "particularly troubling," and he announced that the FCC had launched an investigation into the matter (CNET).
Schneider Electric has patched three flaws in its EVLink Parking car charging stations, including a critical hard-coded credentials vulnerability that would have allowed an attacker to access the system (Threatpost).
Google patched an information disclosure bug in Chrome for Android that could be used to track users across the internet. The vulnerability was first discovered three years ago (SecurityWeek).
Adobe released an emergency out-of-band update on Thursday to fix two vulnerabilities. The first is a use-after-free bug and the second is a security bypass vulnerability that could lead to privilege escalation (SecurityWeek).
Crime and punishment.
The US Department of Justice charged a Chinese national with stealing trade secrets worth more than $1 billion from the US-based petroleum company that employed him. The FBI says that Hongjin Tan, a US permanent legal resident, downloaded hundreds of files from the company, a number of which were related to the manufacture of a valuable "research and development downstream energy market product" (Dark Reading).
A court ruling shows that the FBI raid that led to alleged NSA leaker Hal Martin's arrest was prompted by a suspiciously-timed Twitter message he sent hours before the 2016 ShadowBrokers leak. The partially-redacted ruling shows that Mr. Martin sent a message requesting a meeting with someone that involved something with "shelf life, three weeks." Mr. Martin has been in jail for the past two years and faces a maximum of 200 years in prison for keeping a massive amount of classified information at his place of residence. While it's still not clear if any of this information was intentionally leaked, it certainly wasn't secure in Mr. Martin's backyard shed (Politico).
The Baltimore court ruling also shows that Hal Martin's attorneys successfully convinced the judge that Mr. Martin's statements to the FBI at the time of his arrest were inadmissible in court, since the FBI failed to Mirandize him. The physical evidence seized in the raid is still fair game, however (Politico).
Courts and torts.
French data protection watchdog CNIL has fined Uber €400,000 over the company’s 2016 data breach. The breach affected 57 million people, 1.4 million of which were in France. CNIL said that the breach could have been prevented if Uber had followed simple security protocols. In particular, CNIL said that the company should have required its employees to use two-factor authentication to log in to GitHub, and that those employees shouldn't have stored plaintext AWS login credentials in the source code on GitHub. CNIL also states that the company should have used IP filtering to access AWS servers (Lexology). The UK and the Netherlands previously fined the company £385,000 and €600,000, respectively. In total, Uber faces the equivalent of $1.6 million in fines from European countries (TechCrunch).
Policies, procurements, and agency equities.
Vietnam's heavy-handed cybersecurity law came into effect on January 1st. The widely-criticized law requires internet companies to censor content deemed "toxic" by the government. It also requires the companies to store user data locally and to allow the government to access that data upon request (NPR). A multitude of governments, companies, and organizations have criticized the law, both on human rights grounds and for economic reasons. Phil Robertson, deputy director of Human Rights Watch's Asia division, called the law "the legal equivalent of a hammer to bash online critics, with overly broad provisions that can be easily used to classify almost any critical comment as criminal" (The Guardian). Google and Facebook spoke out against the law in December through the Asia Internet Coalition, saying it would have a detrimental effect on investment and economic growth in Vietnam (Financial Times). Vietnam's government has asked Facebook and Google to open local offices in the country, and it claims that Google already is planning to do so. Google hasn't commented on the matter, however (ET Telecom).
House Democrats plan on pushing legislation responding to Equifax's 2017 data breach (The Wall Street Journal). Last month, the House Oversight and Government Reform Committee released a report that was extremely critical of Equifax's handling of the breach (Atlanta Business Chronicle). Following that report, Democrats on the oversight panel released their own report criticizing the committee for failing to include Democrats' suggestions for legislation (The Hill).
President Trump is considering an executive order that would effectively ban Huawei and ZTE from the US market (Reuters). The executive order, which could pass this month, would declare a national emergency to prohibit US companies from purchasing foreign telecoms equipment that poses a threat to national security. While the order won't name Huawei or ZTE specifically, the Commerce Department is expected to interpret it as a directive to prevent US carriers from using the two companies' products (TechRadar).
Fortunes of commerce.
Apple issued a sales warning to investors on Wednesday, lowering its expected first-quarter revenue from between $89 billion and $93 billion down to $84 billion (Business Insider). In a letter to investors, Apple CEO Tim Cook said that "lower than anticipated iPhone revenue, primarily in Greater China, accounts for all of our revenue shortfall to our guidance and for much more than our entire year-over-year revenue decline." He goes on to explain that while they had "expected economic weakness in some emerging markets," they "did not foresee the magnitude of the economic deceleration, particularly in Greater China." Nearly all Wall Street analysts cut their price targets on Apple following the news, and the company's shares dropped 10% on Thursday (Wall Street Journal). It's seen as a possible harbinger of a more general tech industry correction likely to accelerate security industry consolidation (MarketWatch).
The US and a number of its allies around the world are facing a dilemma after essentially banning or working to ban Huawei from their markets over security concerns: they don't have a comparable alternative telecom company to turn to for their 5G network equipment (Asia Times). European wireless providers say that Huawei's two largest competitors—Finland's Nokia Corp. and Sweden's Ericsson AB—are much slower to produce equipment that's far more expensive than Huawei's. An executive at a major wireless carrier in the UK told the Wall Street Journal that barring Huawei from the market could delay the UK's 5G launch by up to nine months.
Thirteen Canadian citizens have been detained in China since the arrest of Huawei's CFO Meng Wanzhou on December 1st. Global Affairs Canada Spokesman Guillaume Bérubé told The Globe and Mail on Thursday that at least eight of the detained Canadians had been released. The Canadian government has said that it doesn't see any explicit links between the detentions and the arrest of Wanzhou, but a number of diplomats view them as acts of reprisal by China (Reuters). Bérubé noted that the number of Canadians detained by China hasn't significantly fluctuated over the past several years (The Telegraph).
Mergers and acquisitions.
Investments and exits.
Palo Alto-based blockchain cybersecurity startup Xage Security raised $4 million from Saudi Aramco Energy Ventures, a subsidiary of Saudi Aramco. The company plans to use the money to develop its Industrial IoT devices (CISOMAG).
This CyberWire look back at the Week that Was discusses events affecting Australia, China, Germany, Ireland, Russia, Saudi Arabia, United Kingdom, United States, and Vietnam.
On the Podcast
Research Saturday is up. In this episode, "NOKKI, Reaper and Dogcall target Russians and Cambodians," we hear from Palo Alto Networks' Unit 43. They've discovered an interesting relationship between the NOKKI and DOGCALL malware families, as well as a new RAT being used to deploy the malware. Jen Miller-Osborn is Deputy Director of Threat Intelligence with Unit 42, and she joins us to share their findings.
© 2019 CyberWire, Inc.
Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story.