The week that was.
Operation Sharpshooter and the Lazarus Group.
McAfee revealed Sunday that Operation Sharpshooter, a cyber-reconnaissance campaign discovered in December, is likely linked to North Korea's Lazarus Group. An unnamed government entity gave the researchers access to one of the command-and-control servers used to manage the campaign. The server showed that the ongoing campaign was "more extensive in complexity, scope, and duration of operations" than they initially thought. McAfee researchers told the New York Times that they saw the group launch attacks against more than a hundred companies, with recent attacks focusing on financial services, government, and critical infrastructure targets in Germany, Turkey, the United Kingdom, and the United States. The majority of the attacks were directed at the US, and the top targets were Houston and New York City. The Times says that many of the attacks were "aimed at engineers and executives who had broad access to their companies' computer networks and intellectual property."
The researchers had originally refrained from linking Operation Sharpshooter to the North Korean group based on code overlap, because the technical links were so obvious that they suggested a potential false flag. Their access to the server, however, allowed them to observe "striking similarities" with multiple other DPRK attacks, and so they're willing to call out the Lazarus Group.
Chinese hackers steal maritime secrets.
FireEye published details on Monday regarding the suspected Chinese cyberespionage actor they're calling "APT40." The threat actor’s activity has previously been attributed to two separate groups known as “TEMP.Periscope” and “TEMP.Jumper.” Based on significant overlap between the two groups, FireEye decided to merge them under the same term. FireEye believes APT40 is sponsored by the Chinese state based on technical clues and the fact that the group’s targeting falls in line with Chinese state interests. The hackers target the engineering, transportation, and defense industries, as well as universities, in search of maritime technologies that could be used to build up China's naval abilities. APT40 has also been observed influencing elections and focusing on other political goals in support of China's Belt and Road Initiative.
Separately, a report by Accenture Security’s iDefense unit on Tuesday covered the same group, which they call "Mudcarp." The iDefense report says the hackers stole "around 614 gigabytes of data pertaining to a number of US Navy programs, including program Sea Dragon, as well as sensitive cryptographic and electronic warfare libraries" from defense contractors in Rhode Island. The group also went after universities, including the Massachusetts Institute of Technology (MIT), the University of Hawaii, and the University of Washington.
GandCrab criminals switch tactics.
CrowdStrike says it's observed a shift in tactics from criminals using GandCrab ransomware. They're now using more targeted, hands-on techniques more often associated with nation-state APT groups, such as manual lateral movement within networks. CrowdStrike first saw these tactics used by two threat actors last month.
Their observations are in line with a recent advertising effort by GandCrab's developer, Pinchy Spider, which was directed at individuals with knowledge of Remote Desktop Protocol, Virtual Network Computing, and corporate network hacking. GandCrab is an affiliate program in which the malware's developers receive 40 percent of the profits from attacks carried out by their customers. The shift in tactics suggests that Pinchy Spider and its affiliates hope to maximize their revenue by launching the type of low-volume/high-return attacks used by sophisticated threat actors.
The CrowdStrike researchers call this strategy “big game hunting,” in which threat actors hack into an organization's network and deploy the malware manually after spreading out within the network and weakening defenses. This method is much more lucrative than widespread, untargeted ransomware campaigns, although it requires more technical skill. Threat groups using SamSam, BitPaymer, and Ryuk ransomware have been observed using these tactics very effectively. GandCrab differs from the ransomware used in those attacks, however, in that it requests a ransom payment for each individual infected machine, rather than asking for a lump sum in exchange for decrypting all of an organization’s computers.
India used “offensive measures” to counter cyberattacks from hackers in Pakistan who attacked more than 90 Indian government websites in the hours after the Pulwama suicide attack last month, senior security officials told the Hindustan Times. The officials didn't give details on the operation or disclose which agency was behind it, although a cybersecurity adviser to the government disclosed that the counterattacks "did help India get a grip of the situation." The officials noted that, after the attacks from Pakistan failed, the hackers turned to spreading disinformation on social media.
Times Now pointed out that Indian hacktivists attacked more than 200 Pakistani government websites in the days following the Pulwama attack, but it's not clear whether this campaign was related to the government's operation.
A new vulnerability in Intel chips.
Intel CPUs are vulnerable to a new flaw stemming from speculative execution. Researchers from the Worcester Polytechnic Institute and the University of Lübeck released a paper outlining the vulnerability, which they call "Spoiler." The flaw can allow a non-privileged user to discover the physical layout of virtual memory by measuring the timing of speculative operations. The vulnerability increases the speed and efficiency of existing side-channel attacks to an extraordinary degree, speeding up the reverse engineering process by a factor of 256. The vulnerability, which isn't a Spectre flaw, affects all Intel core processors and will require a hardware-level fix. One of the researchers told the Register he doesn't think the issue will be fixed within the next five years, since any non-hardware patches would cause a significant loss in performance.
Whitefly versus SingHealth.
Symantec published a report on the group behind last year's SingHealth data breach, which they've dubbed "Whitefly." The group focuses on organizations based in Singapore in the healthcare, media, telecommunications, and engineering industries. The hackers often dwell within networks for months at a time, and their main objective is the theft of "large amounts of sensitive information." The researchers say that links to attacks in other nations might suggest that the group is part of a larger intelligence-gathering operation, but they don't have enough evidence to make any attribution. They do, however, believe Whitefly is sponsored by a nation-state.
Google's latest Chrome update contains a patch for a high-severity use-after-free vulnerability that's being actively exploited in the wild. The bug is in the browser’s FileReader API, which allows Chrome to access local files. Google released the update on March 1st, at which point the patch notes didn't mention the vulnerability. On March 5th, however, the company disclosed that the update patched a serious zero-day vulnerability (BleepingComputer).
No more details were given until Thursday afternoon, when a post on Google's security blog explained that the vulnerability was being exploited together with a Windows 7 zero-day that hasn't been patched yet. Further details of the flaw are being kept under wraps until a sufficient number of users have updated. Chrome's Security and Desktop Engineering Lead Justin Schuh explained in a tweet that they're bringing more attention than usual to this vulnerability because the initial exploit "targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded." Microsoft is working on a patch for the Windows 7 flaw, and newer versions of the operating system aren't affected. Google recommends, however, that users update to Windows 10.
Cisco released a series of security advisories for vulnerabilities affecting Cisco NX-OS Software and Cisco FXOS Software (Help Net Security).
Crime and punishment.
A Vancouver court ruled on Wednesday that the extradition hearings for Huawei's CFO, Meng Wanzhou, will begin on May 8th. It could be years before she enters the United States, however, due to Canada's slow-paced judicial process (The Straits Times).
Chelsea Manning was jailed on Friday after refusing to answer questions before a secret grand jury, and will remain in custody until she decides to testify or until the grand jury concludes its work, which could take up to eighteen months (ABC News).
Courts and torts.
Huawei filed its lawsuit against the US Federal government, claiming that banning its products from government use is unconstitutional. The lawsuit argues that Congress violated the Constitution's Bill of Attainder clause by specifically naming the company as a potential security threat. The clause forbids legislation that targets a particular person or entity without a trial. Most observers think it's very unlikely that Huawei will win the case, though some note that winning the lawsuit isn't as important as making a statement. Huawei has more to lose than just the US government market, as countries around the world consider ways to address the possible threats posed by 5G technology. Win or lose, a highly-publicized lawsuit is a good way to make people aware of the fact that the company disputes the charges (Forbes).
Huawei's Meng is suing Canadian police and border agency officials, claiming that they interrogated her for three hours before telling her she was under arrest (ZDNet).
Facebook and Instagram have filed a lawsuit in US federal court against four companies and three individuals in China for selling fake accounts, likes, and followers. Facebook said the defendants had also engaged in similar activity on Amazon, Apple, Google, LinkedIn and Twitter (Facebook Newsroom).
Policies, procurements, and agency equities.
Germany's Federal Network Agency on Thursday set stricter security requirements for all telecoms equipment vendors, rather than singling out Chinese companies. Under the new rules, critical network equipment will only be used after examination and certification by Germany's BSI information security agency, which assisted in drafting the guidelines (Reuters).
Former Prime Minister of Australia Malcolm Turnbull strongly warned Britain against using equipment produced by Huawei or ZTE in its upcoming 5G network (Sydney Morning Herald). In a speech given in London Tuesday night, Turnbull said Australia's decision to ban the Chinese companies from its 5G market was based on advice from the country's own intelligence agencies, and not because of external pressure from the US.
Thailand's parliament passed a controversial cybersecurity law that critics say will give the country's current government sweeping powers to monitor or seize data without a court order. Thailand's government says the legislation is intended to prevent cyberattacks, but the law's vague wording has raised concerns that it could be interpreted to mean whatever the government wants it to mean. Thailand has in the past sentenced people to prison for decades over online posts that were deemed offensive to the country's royal family (TechCrunch).
The law is similar to Vietnam's recent cybersecurity legislation, which went into effect on January 1st. Vietnam's law outlawed criticism of the government and gave authorities the ability to seize data from internet companies without a warrant. Unlike Vietnam's law, however, Thailand's legislation doesn't require international tech companies to open local offices and store citizens' data in-country. This has led to questions about the enforcement of Thailand's law internationally, since it will apply to all companies around the world that collect or use the personal data of Thai citizens.
Google won't run Canadian political ads during the country's upcoming election, in order to comply with Canada's new election law. The law, which is intended to promote transparency and curb foreign interference, requires internet companies to keep records of all political advertisements published on their platforms (Business Insider).
Fortunes of commerce.
Facebook faced more criticism this past week after users realized that the phone number they provided for two-factor authentication could be used to look up their profiles. Users also can't opt out of this feature (TechCrunch). The default setting for the look-up feature is set to "everyone," and it can only be restricted down to "friends." Facebook's former CSO Alex Stamos tweeted that "this isn't a mistake now, this is clearly an intentional product choice." Last year, Facebook admitted that it was using phone numbers provided for 2FA to carry out targeted advertising.
After several years of bad publicity related to the privacy of its users, Facebook is looking to change its image. Mark Zuckerberg posted a long essay on Wednesday outlining his vision for a new, privacy-focused platform. Zuckerberg said that communication "will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever." He envisions users being able to communicate with each other in small, private groups across all of the company's apps. Zuckerberg says that a "great property of messaging services is that even as your contacts list grows, your individual threads and groups remain private." He admits that Facebook doesn't "currently have a strong reputation for building privacy protective services," but says the company is good at evolving to meet what people want.
Zuckerberg's pitch was met with skepticism from most observers. The Verge says the idea should be taken with "a whole shaker’s worth of salt," since Zuckerberg has failed to live up to stated goals in the past. It's not hard to see why the company is looking for a change, however. On Wednesday, an Axios Harris poll showed Facebook's reputation reaching an unprecedented low, and a survey by Edison Research found that its user base had dropped by 15 million since 2017.
The White House's new reskilling program, which was announced in November, has already received more than 1,500 applications. The goal of the program is to give non-technical federal employees the chance to receive cyber defense training, in order to address the shortage of cybersecurity talent (Nextgov).
Mergers and acquisitions.
NTT Security, the cybersecurity company of the major Japanese telecommunications provider NTT Group, announced on Tuesday that it will acquire application security provider WhiteHat Security (SecurityWeek).
Investments and exits.
DataTribe, the cybersecurity start-up incubator and investor located in greater Baltimore, looks forward to moving up to the city's harbor front, and discusses the active role it plays in preparing its portfolio companies for growth (Washington Business Journal).
Cybersecurity company RackTop Systems raised $15 million in Series A funding from Razor’s Edge Ventures and Grotech Ventures, with participation from Maryland Venture Fund, Blu Venture Investors, and Gula Tech Adventures (CISO Magazine).
And security innovation.
The annual RSA Conference usually offers a window on innovation. 2019's version was no different. The themes common to the ten finalists in the conference's Innovation Sandbox included hybrid cloud, asset discovery, container security, API security, and privacy.
This CyberWire look back at the Week that Was discusses events affecting Canada, China, Democratic People's Republic of Korea, Germany, India, Pakistan, Russia, United Kingdom, United States, Thailand, Turkey.
On the Podcast
Research Saturday is up. In this episode, "Job-seeker exposes banking network to Lazarus Group," we hear from Vitali Kremez, a Director of Research at Flashpoint. His team discovered that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to the North Korea-linked Lazarus Group.
© 2019 CyberWire, Inc.