The Week that Was.
July 20, 2019.
By the CyberWire staff
GandCrab operators may have shifted to REvil.
Brian Krebs believes that the GandCrab ransomware gang may not have retired after all, and instead moved their efforts behind a newer, more exclusive strain of ransomware known as REvil, Sodin, or Sodinokibi. Krebs points to a report from Cisco Talos in April that described a Sodinokibi attack; in that report, the researchers noted that the attackers oddly deployed GandCrab within the same target's network about eight hours after they had distributed Sodinokibi. Security firm Tesorion notes technical similarities between GandCrab and REvil in the way the two families construct random URLs. Krebs concludes that the gang rebranded itself to shed the attention it had attracted while operating GandCrab.
250 million email addresses collected by new TrickBot module.
The notorious banking Trojan TrickBot has a stealthy new module called "TrickBooster" that allows it to harvest email credentials and contacts, according to researchers at Deep Instinct. It can send emails to a victim's contacts and then delete those messages from the account's sent and trash folders so the victim never sees them. This functionality serves at least three purposes: collecting email contacts for use in further campaigns, sending generic spam, and sending phishing emails in the hope of infecting more victims. (In a separate report on Thursday, Barracuda described the latter behavior, phishing sent from a compromised account to its own contacts, as "lateral phishing.")
Persistent engagement in the fifth domain's gray zone.
The concerns are, at one level of abstraction, a recurrence of the familiar tug-of-war between the Legislative and Executive Branches over war powers. Cyber operations still occupy a gray area, not only between clearly marked regions of the spectrum of conflict, but between intelligence activities and combat. The cyber operations the House Armed Services Committee wants to learn more about would constitute the kind of "persistent engagement" US Cyber Command tested earlier this summer in exercise Cyber Flag 2019. This was not purely a Cyber Command exercise. Air Force Magazine notes extensive participation by the usual Five Eyes allies, the United Kingdom, Australia, New Zealand, and Canada, with a Canadian officer actually leading the exercise, as well as interagency participation from elsewhere in the US Government. The Departments of Homeland Security and Energy sent players, as did the FBI, the United States Postal Service, and the House of Representatives.
To return to the notion of gray zone conflict, that's the title of a recently released study by CSIS, the Center for Strategic and International Studies. CSIS notes that the familiar four actors likely to challenge the US in the more ambiguous modes of conflict are Russia, China, Iran, and North Korea. CSIS identifies seven "tools" in the familiar four's toolkits. Two of them, information operations and cyber operations, are of particular significance to cyber warriors.
Kazakhstan man-in-the-middles local HTTPS traffic.
On Wednesday, the Kazakhstan government began intercepting all HTTPS traffic within the country, ZDNet reports. Local ISPs have been required to force their customers to install a government-issued root certificate on every device and in every browser. Once that root is trusted, an interception proxy can terminate the user's TLS connection with a certificate it mints on the fly for the requested site, decrypt and read the traffic, and then open its own encrypted connection onward to the real destination; the browser shows a padlock because the forged certificate chains to the installed root. Kazakh officials say the move is meant to protect citizens, companies, and government agencies from fraud and other cyber threats, but the measure raises obvious privacy and security concerns: whoever holds the root's private key can read, and alter, every intercepted session. Applications that pin their expected certificate or root will fail to connect rather than be silently read. Browser developers at Google, Microsoft, and Mozilla are currently trying to come up with a strategy to handle sites that have been re-signed under Kazakhstan's certificate.
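The mechanism above, as an added example that is not part of the original article or of any product it mentions: it builds a stand-in "public" root and a stand-in "interception" root, forges a server certificate for a hypothetical host under the interception root, and shows that the forged certificate fails against the public root alone, passes once the interception root is installed, and is still caught by a root pin. All names, keys and certificates are constructed in-process (Go's standard library only); nothing here touches a real network or the real Kazakh certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; every key here is constructed for the demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCA returns a self-signed CA certificate with the given common name.
func makeCA(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeLeaf issues a server certificate for host, signed by ca. This is what an
// interception proxy does on the fly for every site a user visits.
func makeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyChain validates leaf for host against roots and returns the root the
// chain terminated at, which is what a root pin compares against.
func verifyChain(leaf *x509.Certificate, host string, roots *x509.CertPool) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return nil, err
	}
	chain := chains[0]
	return chain[len(chain)-1], nil
}

// Result records the three outcomes the scenario demonstrates.
type Result struct {
	PublicRootRejects bool // forged cert fails when only the genuine root is trusted
	RogueRootAccepts  bool // the same cert verifies once the interception root is installed
	PinDetects        bool // a pin on the expected root still flags the interception
}

// RunScenario plays out the interception against a hypothetical host.
func RunScenario() Result {
	realKey := newKey()
	realRoot := makeCA("Example Public Root CA", realKey) // stands in for a shipped browser root
	rogueKey := newKey()
	rogueRoot := makeCA("Interception Root CA", rogueKey) // stands in for the installed government root

	const host = "example.test" // hypothetical site, constructed for the demo
	forged := makeLeaf(host, rogueRoot, rogueKey)

	publicOnly := x509.NewCertPool()
	publicOnly.AddCert(realRoot)
	withRogue := x509.NewCertPool()
	withRogue.AddCert(realRoot)
	withRogue.AddCert(rogueRoot)

	var r Result
	_, err := verifyChain(forged, host, publicOnly)
	r.PublicRootRejects = err != nil
	root, err := verifyChain(forged, host, withRogue)
	r.RogueRootAccepts = err == nil
	if err == nil {
		r.PinDetects = !root.Equal(realRoot) // pin check: chain must end at the genuine root
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point of the last check is the practical one: adding a root to the trust store defeats ordinary chain validation by design, so the only client-side defence is to compare the root (or leaf) the chain actually terminated at against the one you expect, which is what pinning does and why pinned applications break rather than leak under such interception.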
Voting systems may be less secure than thought.
The Commonwealth of Pennsylvania has announced its determination to upgrade its election security before 2020, and it has spent more than $14 million, mostly federal funds contributed to the state, to do so. But the upgrade hasn't proceeded happily. The Associated Press reported in an exclusive over the weekend that county election authorities have for the most part gone with voting machines running Windows 7, an operating system that will reach end-of-life in January 2020, after which it will no longer receive security patches. The systems are used, the AP says, "to create ballots, program voting machines, tally votes and report counts."
Crime and punishment.
On Friday Hal Martin, formerly a contract worker at the US National Security Agency, received a sentence of nine years in prison. Martin had taken a guilty plea in Federal Court, admitting to theft of classified documents. Nine years is a stiff sentence, though well short of the maximum of ten years he faced on each of the twenty counts against him, and it's in line with his plea agreement. Martin's defense attorneys had presented him as a hoarder, a pack rat and not a traitor, and after the sentence was passed they pointed out that the Government had not demonstrated treason or treasonous intent. They said that his problems amounted to an extenuating mental health issue. The prosecutors didn't buy it, according to CyberScoop: "This is not a case of hoarding, this is stealing," and they noted that the fifty terabytes of information Martin had squirreled away in his Glen Burnie shed was not squirreled away "in a disorganized manner." The presiding judge also observed that, for a hoarder, Mr. Martin seemed pretty well organized.
Bulgarian police on Tuesday arrested a 20-year-old cybersecurity worker in connection with a data breach at the country's tax agency, which exposed PII and financial records belonging to some 7 million Bulgarians, Reuters reports. The hack occurred at the end of June, and about half of the stolen data were sent to local reporters. ZDNet noted on Thursday that these data had leaked online after a Bulgarian TV station showed a screenshot of an email that inadvertently included the download link.
Courts and torts.
FedEx is facing a class-action lawsuit which claims that the company violated federal securities laws by misleading its shareholders about the effects the NotPetya cyberattack had on its Netherlands-based subsidiary TNT Express, which FedEx had acquired for $4.4 billion in 2016, as WMC Action News 5 reminds us. Commercial Appeal explains that the lawsuit represents investors who bought FedEx shares between September 19th, 2017 and December 18th, 2018. It alleges that the company "failed to disclose important details of TNT's deteriorating business" and made misleading statements "in regard to the anticipated costs and timeframe it would take to integrate and restore the TNT network."
Heather Mills, a British philanthropist and ex-wife of Paul McCartney, won a "substantial" sum in the settlement of a lawsuit over the News International phone hacking scandal. Mills and her sister, Fiona Mills, had sued News Group Newspapers (NGN) for invasion of privacy after the hacking and subsequent publication of private information led to "a lot of distrust and suspicion" between friends and family members, Reuters reports. Threatpost says the wide-ranging scandal encompassed a number of British tabloids that had hacked the voicemail of hundreds of high-profile individuals and victims of crimes. Mills' settlement was made on the basis that the Sun, another NGN-owned publication, would not be held liable for allegations of its involvement.
Policies, procurements, and agency equities.
Facebook’s plans for Libra received Congressional scrutiny this week. The concerns are familiar, but the regulatory way forward is, as WIRED points out, unclear. Should Libra be regulated like a bank, an investment, a contract, or what? And how might necessary regulation preserve the decentralization that makes alt-coins so interesting in the first place?
The US Federal Trade Commission had a busy week, at least in terms of requests that it look into various matters related to privacy and content curation.
EPIC (the Electronic Privacy Information Center) on July 11th asked the FTC to investigate Zoom. The advocacy group alleges that the video teleconferencing company's design exposed users to "foreseeable harm." "Zoom intentionally designed their web conferencing service to bypass browser security settings and remotely enable a user's web camera without the consent of the user," the complaint said. The complaint also asks that the FTC investigate "other companies engaged in similar practices," which probably means the white-labeled versions of Zoom's technology that BuzzFeed reports are used by video conferencing companies including RingCentral and Zhumu.
NBC News tweeted late Wednesday that Senator Charles Schumer (Democrat of New York) has asked the US Federal Trade Commission to open an investigation into FaceApp. At issue is what the Senator characterizes as FaceApp's requirement that users give it "full and irrevocable access" to their images and associated data. He sees the Russian-developed app as posing a threat to both privacy and national security. The Moscow Times harrumphs that FaceApp doesn't really store data in Russia, and Help Net Security suggests that FaceApp's EULA may sound scarier than the St. Petersburg company's actual practices are. On the other hand, it's a useful reminder that far too many apps come with similarly intrusive terms and conditions. As WIRED puts it, "Think FaceApp is scary? Wait till you hear about Facebook." Undeniably a great deal of the concern arises from the simple fact that FaceApp is a Russian outfit. There are plenty of legitimate businesses in the country, but realistically the rest of the world will inevitably be skittish about products made in Russia.
Senators Josh Hawley (Republican of Missouri) and Ted Cruz (Republican of Texas) on Monday wrote the US Federal Trade Commission and asked that it undertake a section 6(b) investigation of how technology companies curate content. They name Google, Twitter, and Facebook in particular, citing the potential for abuse inherent in such companies’ control over the content that passes through their platforms. There are two pieces of relevant background to the request. (And Recode’s summary is a useful reference.) The first is widespread suspicion that the three companies named are not viewpoint neutral in their content curation, and that they have singled out conservative content for exclusion. The second is the status of the companies themselves: are they common carriers or are they publishers? There are certain advantages to being one or the other. The companies themselves would like to enjoy the best of both worlds, but it’s unlikely that they’ll be permitted to occupy that sweet spot.
The three referrals indicate that, among American regulatory bodies, the Federal Trade Commission is increasingly regarded for good or ill as one with teeth that it's willing to use.
Fortunes of commerce.
The Wall Street Journal reports that Huawei is preparing to lay off "hundreds" of workers in its US facilities. Huawei isn't commenting, but the job cuts are expected to affect its research and development subsidiary Futurewei Technologies, which has labs in California, Texas, and Washington state.
Reuters reported on Monday that US technology firms may be allowed to resume sales to Huawei within two to four weeks. Companies will still need to apply for licenses in order to do so, and it's not clear which products will be approved. Huawei's CEO Ren Zhengfei maintains that the company will survive the restrictions either way by producing its own hardware and operating system, but he hopes to preserve access to the US market, according to WIRED. The company is deploying some trade-war stick against the Americans: the Wall Street Journal's report of significant layoffs at Huawei's US-based R&D outfit, noted above. Italy is getting the carrot: Reuters says the company will invest some $3.1 billion in Italy as long as the Italians play "fair" with respect to 5G. In the UK, the Parliamentary Science and Technology Committee stated on Monday that there was no technical evidence that a "complete exclusion of Huawei" would be a proportionate response to the potential threat.
Bloomberg reported that Palantir co-founder Peter Thiel on Sunday called for the FBI and CIA to investigate Google's "seemingly treasonous" actions involving the company's work in China. According to Axios, Thiel said that Google's refusal of US military work on artificial intelligence while working in China on what he calls Google's "Manhattan Project for AI" makes him wonder whether the company's senior management "consider[s] itself to have been thoroughly infiltrated by Chinese intelligence." A Google spokesman told Bloomberg that the company doesn't work with the Chinese military, but Thiel holds that the type of artificial intelligence tools being developed should be thought of as potential weapons.
CrowdStrike released its first post-IPO earnings report on July 18th, and CRN says the markets received it very well. Revenue for the quarter ending April 30th was up 103% to $96.1 million. The company isn't yet profitable, but its quarterly loss narrowed to $25.0 million. The company's share price popped 17% on the news.
Arrow Electronics announced that it will exit the IT asset disposal (ITAD) business, according to Recycling Today. CRN cites Arrow's CEO as saying that the "business is not sustainable over the long term and is no longer aligned with our strategy." ERI, another ITAD company, announced that it would welcome Arrow's former customers. CRN reports that European computer service company Computacenter has expressed interest in buying Arrow's ITAD unit.
That there's a general shortage of labor in the cybersecurity sector isn't open to dispute. But that fact by itself is less helpful than it seems, since the industry draws on such a disparate set of skills that "shortage" means different things in different specialties. The CyberWire discusses this issue with Mimecast's Michael Madon.
Mergers and acquisitions.
Broadcom's run at Symantec is apparently over. CNBC says the two companies ceased acquisition talks after Symantec declined to consider selling itself to Broadcom for less than $28 per share.
CRN reports that VMware is planning to acquire hardware accelerator virtualization company Bitfusion for an undisclosed amount.
Investments and exits.
Georgia-based DefenseStorm, specialists in cloud security and cyber compliance, has closed a $15 million Series A round led by Georgian Partners. The company intends to use its relationship with Georgian to "accelerate the adoption of applied artificial intelligence and trust," according to Yahoo Finance.
PYMNTS reports that DUST Identity has received $10 million in a Series A round led by Kleiner Perkins, with participation by Airbus, Lockheed Martin, and others. DUST is a supply chain security shop whose flagship offering is an unclonable tracking tag that connects physical objects to their digital identities.
Kaspersky is the latest to gamify a cybersecurity training offering. CRN reports that the Kaspersky Interactive Protection Simulation (KIPS) is a game that runs players through responses to various incidents a company might experience.
Today's issue includes events affecting Australia, Bulgaria, Canada, China, Democratic People's Republic of Korea, Iran, Kazakhstan, Lithuania, New Zealand, Russia, Ukraine, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this episode, "Nansh0u not your normal cryptominer," we hear from researchers at Guardicore Labs. They've been tracking an unusual cryptomining campaign that appears to operate from China and targets Windows MS-SQL and phpMyAdmin servers. Some elements of the attack make use of sophisticated components previously associated with nation-state actors. Ophir Harpaz and Daniel Goldberg of the Guardicore Labs team join us to explain their findings.