How can industrial organizations stay ahead of ICS adversaries and proliferating threats?
Dragos identified the most dangerous threat to ICS, XENOTIME (the activity group behind TRISIS), has expanded its targeting beyond oil and gas--illustrating a trend that will likely continue for other ICS-targeting adversaries. To learn more about XENOTIME and the latest threats to ICS environments, visit our team at Black Hat or email firstname.lastname@example.org to set up a one-on-one meeting.
The Week that Was.
July 27, 2019.
By the CyberWire staff
Senate Intelligence Committee releases report on Russian election influence ops.
It's the first of several projected volumes. The contents were unsurprising, but they do summarize a great deal of what's come to be known about Russian influence operations: it was national in scope, sophisticated in execution, and aimed at exploiting social and political fissures in US civil society with a view to exciting mistrust and calling the legitimacy of institutions into doubt.
The Election Infrastructure Coordinating Council offered the following summary of where election protection stands: "The 2018 midterm elections saw unprecedented levels of coordination between all levels of government and the private sector election companies, and the 2020 election will improve on that effort. Currently, all 50 states are members of the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), along with more than 1,800 local jurisdictions, and fourteen private sector companies making it the fastest growing ISAC in history. Additionally, all 50 states, two territories, and 96 localities have intrusion detection systems, known as Albert sensors, on their networks, and the Cybersecurity and Infrastructure Security Agency (CISA) is providing remote vulnerability scanning and risk assessments upon request to government and private sector entities."
Find out how you can be equipped with a continuous 360° view of which critical assets are at risk, what security issues you should focus on, and how best to harness your resources to resolve them. Simulate, validate and remediate every hacker’s path to your organizational critical assets.
Fancy Bear puts on a Monokle (and is maybe looking at you).
Researchers at Lookout have announced the discovery of "Monokle," which they describe as a "new and sophisticated set of custom Android surveillanceware tools." There are some indications that there may be an iOS version lurking somewhere, but for now the Android toolkit is in use in the wild. Lookout attributes Monokle to the Special Technology Centre, Ltd., also known as STC, Ltd. or simply STC. STC presents itself as essentially a SIGINT shop. The company is based in St. Petersburg, Russia, and with two other companies was sanctioned in 2016 by a US Executive Order for its work on behalf of the GRU.
Monokle is advanced mobile malware designed to collect and exfiltrate personal data from infected devices. Lookout says Monokle uses familiar methods, but in novel ways, and that it's been "extremely effective" against its targets. Its functionality includes profiling of the users it targets to gain a sense of what interests them. Lookout told CyberScoop that Monokle has been under development for years, and that it's reasonable to assume that work on the product continues. While STC was retained by the GRU during its efforts against the 2016 US elections, Lookout hasn't specified what Monokle's targets currently are.
Proofpoint describes the activities of a Chinese Advanced Persistent Threat group it calls "Operation LagTime IT” (which doesn't yet have a panda-themed name) and tracks internally as TA428. LagTime is a cyber espionage operation that collects against East Asian targets, for the most part government agencies that oversee "government information technology, domestic affairs, foreign affairs, economic development, and political processes." The campaign uses a Remote Access Trojan, Cotx RAT, as well as Poison Ivy payloads, all of which it distributes by phishing.
Guildma malware: a phish hook in Brazilian waters.
Avast has published an account of Guildma malware. They call it a "powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware." It's being distributed for the most part in Brazil, and usually arrives as a baited attachment in phishing campaigns. The usual cautions about phishing-awareness of course apply. Guildma has been in use since 2015, and while Brazil remains its principal zone of action, the criminals behind it have also hit targets in Argentina, Chile, China, Ecuador, the European Union, Peru, and Uruguay.
With LookingGlass, it’s Game Over For Threat Actors
There are many weapons to choose from when it comes to cybersecurity solutions providers – and you must choose wisely. With LookingGlass Cyber Solutions as your security provider, its “Game Over” for threat actors trying to infiltrate your network. To learn more about our solutions, visit our experts at the LookingGlass Network & Chill Lounge, Mandalay Bay South, Palm A on level 3, August 7 & 8. Take a break from the hectic show floor for old school video games, happy hour from 3-7 PM, and a demo tailored to your organization’s security needs.
Renewed skirmishing in the cryptowars.
US Attorney General Barr has opened a major offensive in the crypto wars. He has begun with some artillery preparation he delivered in the form of a speech on July 23 at the International Conference on Cyber Security hosted by Fordham University in New York. He argued that widespread, end-to-end encryption has enabled criminals and terrorists to go dark, communicating and conspiring with lawless impunity. He called for industry to do something about this, and suggested that if industry doesn’t, they may be required to do so by law. His Constitutional argument was in essence that “The Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation."
The counterarguments, as the Register summarizes them, come down to the reasonable contention that no one has any idea of how one might make it possible for the authorities to read encrypted traffic without placing online security at risk. That represents a family of technical objections. Critics also maintain that as a matter of fact the extent to which going dark is an actual problem has been exaggerated, and the Government's ability to access the traffic it needs to access for legitimate law enforcement and intelligence purposes has been underestimated. There are also political objections from those who believe they discern in the Attorney General's remarks a disposition to see data security in terms of first class citizens (the Government, and especially the Defense Department and the Intelligence Community, but also big business), and second class citizens (arguably everyone else).
The Washington Times reports that FBI Director Wray has joined Attorney General Barr's call for ways of accessing encrypted traffic.
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Utility failures, one cyber-related, another almost certainly not.
City Power, the electrical utility that serves Johannesburg, South Africa, was hit by ransomware, News24 reports. The attack didn't cause a power failure, but it did induce a kind of service disruption: customers who prepay for electricity are unable to do so because many of City Power's public-facing business services have been taken offline.
By contrast, Venezuela's blackouts this week, despite claims they were caused by American "electromagnetic attack," were almost certainly accidents in a decaying grid.
Does it scale? Not painlessly. And not without a lot of labor.
Content moderation at YouTube, Facebook, and Twitter is largely done in a very labor-intensive fashion, with employees in the Philippines looking at an awful lot of awful, the Washington Post reports. It's not clear that it could be otherwise.
Crime and punishment.
ZDNet reports that David Tinley, a Pennsylvania man who had for some years provided IT services to Siemens' Pittsburgh-area offices, took a guilty plea to charges that he put logic bombs inside spreadsheets he worked on for his customer. The software would crash after a certain date, at which point Siemens would call him in to fix the problem. Mr. Tinley would do so, collect his fee, and await further business. The scam was discovered, according to Law360, when Mr. Tinley had to provide Siemens techs with admin passwords to his software so they could fix an urgent problem that cropped up while he was on vacation. Evidently he hoped his logic bombs would pass unnoticed, but they were spotted and reported, blowing the gaffe. He'll be sentenced later this year and could face ten years in prison and a fine of two-hundred-fifty-thousand dollars on the Federal charges. He may not draw the maximum, but observers think some jail time is in the cards.
Lancaster University suffered a large breach of student data following a phishing attack, the BBC reports. The breach affected more than twelve-thousand students, and the data were used to send fraudulent invoices to undergraduate applicants. Undergraduate fees for the school reach tens of thousands of pounds, and sources told the Register that around six students paid the phony invoices. The UK's National Crime Agency arrested a twenty-five-year-old man in connection with the breach, and he was released under investigation.
Courts and torts.
If a breach is traced to a company that's been acquired by another, who's responsible? In the view of the UK's Information Commissioner's Office, responsibility for discovering the breach apparently lies with the acquiring corporation. That's Cooley's take on the $125 million fine the ICO proposed to levy under GDPR on Marriott for the data breach the hospitality company sustained as a result of its Starwood acquisition.
The US Federal Trade Commission announced Monday that Equifax will pay $575 million in its settlement over the credit bureau's 2017 breach. The agreed settlement doesn’t address only the FTC’s complaint, but it figures in “a global settlement” with the Federal Trade Commission, the Consumer Financial Protection Bureau, and fifty US states and territories.
The allegations hold that Equifax’s “failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.” Some $300 million will go into a fund that will provide affected consumers with identity protection. It will also compensate people who bought credit-monitoring or identity-theft protection from Equifax, or who sustained other out-of-pocket expenses as a direct result of the breach. If $300 million isn’t enough to cover such compensation, Equifax is on the hook to pony up an additional $125 million, if necessary. The remainder of the amount will be distributed as follows. $175 million will go to 48 states, the District of Columbia and Puerto Rico. The rest of the $100 million will be paid to the Consumer Financial Protection Board in civil penalties.
There have been complaints in WIRED and other places that Equifax got off lightly. But things look different, perhaps, if one puts the settlement into a European as opposed to an American context. Observing from the UK, the Verdict sees the settlement as a very heavy one. At twenty-percent of Equifax's revenue, it amounts to five times the maximum penalty that would have been allowed under the European Union's GDPR.
Those who might expect a windfall from the settlement should probably trim those expectations. CNBC reports that proving you deserve a twenty-thousand-dollar payout will be difficult almost to the point of impossibility. A big part of the problem is showing evidence of harm. Showing that your data had turned up for sale on the dark web, for example, would normally suffice. The information stolen from Equifax has, for the most part, not shown up in the usual online criminal souks.
The FTC announced Wednesday the final details of its settlement with Facebook. Reuters reports that Facebook will, in addition to its financial penalties, be required to establish a board-level privacy committee. CEO Zuckerberg will be expected to certify, quarterly, that the company is properly safeguarding user privacy.
The complaint accompanying the settlement asserts that Facebook misled customers about use of their data, insecurely implemented two-factor authentication, and failed to properly inform users about the access third-party apps had to "friends'" data. The Washington Post headline calls the penalties "stunning," but this is a minority view, undercut by the article itself, which recounts the ways in which Facebook arguably got off lightly.
Consensus seems to be settling in on the side of those who saw $5 billion as a “slap on the wrist.” If anything, the fine may help solidify Facebook’s market dominance. Menlo Park can afford $5 billion, but smaller, upstart, would-be disruptors probably can’t. So the fine may amount to pricey form of rent-seeking. The Washington Post reports that, for all of its record-setting éclat, the Federal Trade Commission wanted the fine to be higher, and there are members of Congress who agree. There's said to be rising sentiment in favor of increasing penalties for privacy missteps.
Policies, procurements, and agency equities.
The US National Security Agency is creating a new directorate for cybersecurity. The Wall Street Journal reports that the new organization will become operational on October 1st, the start of the new Federal fiscal year, and that it will be led by Anne Neuberger, formerly NSA's Chief Risk Officer. The cybersecurity directorate is said to represent a closer coupling of the agency's defensive and offensive capabilities. Neal Ziring, who had served as Technical Director of the Agency's defensive Information Assurance Directorate, will fill the corresponding role in the new organization. But CyberScoop and NSA spokesman as saying, "This won't be IAD 2.0." Much of the new directorate's talent is expected to come from the Computer Network Operations team (better remembered under its older name, "Tailored Access Operations").
Fortunes of commerce.
The Washington Post obtained internal company documents a former Huawei employee leaked to the paper. The material shows Huawei's work with a partner, the Chinese-government-owned IT firm Panda International Information Technology, to establish and maintain North Korea's commercial WiFi networks. A Huawei spokesman neither disavowed nor authenticated the documents, saying merely that the company was "fully committed to comply with all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations." Panda had no comment.
The documents indicate that Huawei and its partners supplied antennas, base stations, and other equipment necessary to standing up North Korea's Koryolink network. The US Justice Department has already charged Huawei with crimes connected to evasion of sanctions against Iran. Should the latest revelations be substantiated, they would amount to more legal hot water for the Shenzhen company.
And, while as TechCrunch points out, the DPRK's network is only 3G, Huawei's role in building it won't look good when countries think about the equipment they're willing to use to roll out 5G.
CrowdStrike released its first post-IPO report on July 18th, and CRN says the markets received it very well. Revenue was up 103% to $96.1 million over the quarter ending April 30th. The company isn't yet profitable, but its losses fell to $25.0 million. The company's share price popped 17% on the news.
Help Net Security reports conclusions from Forrester on how to recruit and retain cybersecurity talent. (Offering scope for creativity and opportunity for advancement are key to retention.)
Investments and exits.
Microsoft has announced a major investment in OpenAI, the Verge reports. OpenAI, whose founders include Elon Musk and Sam Altman, is a San Francisco-based research and development shop organized for the arguably quixotic pursuit of general artificial intelligence. The investment from Microsoft brings with it a range of collaborative operational and research endeavors. Originally a not-for-profit, OpenAI earlier this year established a for-profit arm to draw the capital necessary for its ambitious R&D program.
QOMPLX announced both a rebranding from its prior identity as Fractal Industries and a healthy Series A round amounting to $78.6 million. The investment was led by Cannae Holdings and Motive Partners. QOMPLX intends to use the funds, of course, to grow the market for its intelligent decision platform.
And security innovation.
DataTribe, the cybersecurity startup foundry based in greater Baltimore, has announced its second annual startup challenge. Cybersecurity startups with less than $1.2 million in seed financing are eligible to compete for $20,000 in prize money, with one winner eligible to receive up to $2 million in seed capital from DataTribe. There's also the further possibility of a follow-on Series A of up to $6.5 million from DataTribe and AllegisCyber. Contestants may apply here.
Cybersecurity innovation center DreamPort, Technical.ly Baltimore reports, will double the coworking, meeting, and lab space it offers startups.
Today's issue includes events affecting Brazil, China, France, Germany, Iran, Russia, United States.
ON THE PODCAST
Research Saturday is up. In this episode, "Day to day app fraud in the Google Play store," we hear about the badness that can lurk even in a reputable app store. Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they harvest user data and send it back to command and control servers. Marcelle Lee is a principal threat intelligence researcher at White Ops, and she shares their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.