Integrating threat intelligence into your security infrastructure.
Threat intelligence and information sharing has become a critical component of an organization’s threat mitigation strategy. However, most organizations lack the resources to consume, operationalize, and gain value from the many and varied sources of threat intelligence. Find out how organizations are operationalizing threat intelligence to improve their cybersecurity measures in the 2019 CYBEREDGE CyberThreat Defense Report. Download the report here.
The Week that Was.
April 6, 2019.
By the CyberWire staff
Toyota hit by cyberattack.
Toyota suffered a major data breach at its headquarters in Japan, the company announced last Friday. Toyota said the hackers had access to sales information belonging to 3.1 million customers, and it's still investigating whether any data were exfiltrated. Toyota said the compromised servers didn't hold financial data, but haven't elaborated on what information was exposed (ZDNet). Toyota Vietnam and Toyota Thailand advised that they may have been similarly affected (Naked Security).
In February, Toyota's Australian division was hit by a cyberattack that disrupted its systems but was apparently unsuccessful in stealing data. Suspicion for that attack fell on the Vietnamese threat actor known as "OceanLotus," or "APT32." OceanLotus has been targeting car companies, allegedly in support of Vietnam's efforts to build a domestic automobile industry (CyberScoop). Blackberry Cylance published a report Tuesday detailing how OceanLotus uses steganography to deliver a malware loader via a .png image file.
Very few details have been released about Toyota's latest breach, but some observers theorize that the attack against Toyota Australia gave the hackers a foothold inside the company's wider networks. Others looking at the incidents wonder if the internal investigation following the February hack led the company to discover additional breaches (ZDNet). Toyota has been tight-lipped on the matter.
Prosecutors in Naples have been investigating an Italian company that developed spyware apps and uploaded them to the Google Play Store. Researchers at Security Without Borders discovered the spyware, which they've named "Exodus." Decoy apps purporting to be from Italian cellphone providers delivered Exodus. Google removed twenty-five affected apps from the Play Store, but they'd already been downloaded by hundreds of people, all of them in Italy.
The researchers traced Exodus to eSurv, an Italian firm that sells video surveillance products to Italian law enforcement. Italian police raided eSurv's office three weeks ago, seizing its computers and shutting down the infrastructure used by Exodus (Motherboard).
A Motherboard investigation raised suspicions that Exodus might have been commissioned by the Italian government. This may itself have been perfectly legal, but glaring issues in the tool's design and deployment raise suspicions. Exodus uses two stages. The first gathers basic information about the target and sends it to a command-and-control server, ostensibly to validate that it's infected the correct device (crucial for court-ordered lawful intercept operations). The second stage consists of the main payload, which has extensive data exfiltration capabilities. Researchers found that Exodus moved to this second stage immediately after initial contact with the command-and-control server, suggesting operators weren't enforcing target validation. The researchers' test device was never disinfected by the operators, which should happen with a lawful intercept tool. Exodus is poorly designed for security: it leaves compromised devices vulnerable to man-in-the-middle attacks (Threatpost).
Can you be spoofed? Find out how hackers can spoof your domain.
One of the first things hackers do to get into your organization is spoofing an email from someone in your own domain. An email that looks to be from someone you know, or someone in authority, is often the most convincing phishing attack, luring users into clicking on malicious links or take actions that threaten your organization. Do you know if hackers can spoof your domain? Try KnowBe4’s free Domain Spoof Test today and find out.
Chinese state-sponsored hackers suspected in Bayer hack.
German pharmaceutical company Bayer says it was targeted by malware developed by China's Winnti group (or "Wicked Panda"). The company detected the group's malware on its networks more than a year ago, but contained it and studied its activity until last month. While Winnti developed the malware used in the Bayer attack, other criminal outfits have access to the tool, so attribution isn't certain. However, Andreas Rohr from the German Cyber Security Organization (DCSO) told Reuters that the attack "bore the hallmarks" of a Chinese operation. Bayer worked with the DCSO to analyze the attackers' behavior. There was no evidence of data theft, but investigation continues.
Kaspersky Lab observed Winnti targeting Uyghur and Tibetan activists in 2013, but the group has recently turned to industrial espionage. CrowdStrike believes Winnti is made up of hackers-for-hire under contract to Chinese intelligence.
Adversaries are creating new attacks at such a speed and volume that signature and sandbox-based threat detection can’t keep up. Deep learning can help. By exposing neural nets to threat data, deep learning can learn to identify malicious traffic, even zero days seen for the first time. But why are advances possible today? How does deep learning differ from machine learning? Where’s the best place to apply deep learning? Get the answers here.
Facebook asks for email passwords...
On Sunday, a cybersecurity watcher on Twitter called "e-sushi" found that Facebook was asking some new users to enter their third-party email account passwords in order to verify their Facebook accounts. The Daily Beast confirmed this on Tuesday, and Facebook said it would end the practice, as they understand it "isn't the best way to go about this." The screen was presented to users who signed up with email addresses from providers that didn't support OAuth (Mashable). Business Insider found that if a user does enter their email password on this screen, they'll see a pop-up that says "Importing contacts." Gizmodo asked a Facebook spokesperson if the company accessed contact lists or other data in those email accounts, but the spokesperson didn't know and said they'd follow up with an answer.
...And third-parties leak Facebook user records.
UpGuard reported Wednesday that they had discovered two publicly-accessible AWS buckets containing more than 540 million Facebook user records. One server belonged to Cultura Colectiva, a Mexico-based digital media company, and contained user activity information including comments, likes, reactions, and more. UpGuard's attempts in January to contact Cultura Colectiva were unsuccessful, and the data remained exposed until April 3rd, when Facebook asked Amazon to take the bucket down.
The other server belonged to a now-defunct California-based app maker called "At the Pool," and held more detailed information on 22,000 users, such as friends' lists, photos, check-ins, and groups. It also contained plaintext passwords for all of these users. The researchers assume these passwords were for the app, and not the users' Facebook accounts, but they note that it posed a risk to users who reuse passwords. This database was taken offline while UpGuard was still investigating the server, but it's unclear how long it had been exposed (TechCrunch).
Did you know that 91% of data breaches started with spear phishing?
With spear phishing being one the most successful ways to compromise an organization, IT experts highly recommend regular phishing tests as an additional security layer. Phishing your own users is as important as antivirus and a firewall. It’s also a fun and effective best practice for patching your last line of defense— your users. Find out today if your users are Phish-prone™ with KnowBe4’s free phishing test.
Stop me before I abuse your data again.
In an op-ed for the Washington Post, Facebook CEO Mark Zuckerberg pleaded with governments around the world to regulate his industry. Zuckerberg said he agrees with lawmakers that Facebook has "too much power over speech," and that the company "shouldn't make so many important decisions about speech on [its] own." Specifically, he wants regulation covering "harmful content, election integrity, privacy and data portability."
First, regarding harmful content, he says regulation could provide a standardized approach to "set baselines for what's prohibited and require companies to build systems for keeping harmful content to a bare minimum." Second, he wants regulation to provide common standards for verifying political actors, noting that current laws relate to candidates and elections, while information campaigns focus on broader "divisive political issues." Third, Mr. Zuckerberg calls for a "globally harmonized framework" for data and privacy protection, similar to GDPR. Fourth, he wants legislation that guarantees data portability, so users can move their data from one service to another.
TechCrunch points out that "the story of why the letter breaks down each area doubles as kind of recent history of the social network." Bloomberg notes that Zuckerberg's statement is consistent with his practice of framing Facebook's "more critical problems as part of broader issues for the internet at large." The New York Times says the entire letter is meant to let Facebook dictate the terms of regulations that it knows are coming anyway, and that the proposal for data portability is particularly self-serving, since Facebook already owns most of the major social networking companies.
VMware released a patch for a critical vulnerability in its cloud provisioning and management platform vCloud Director, which allows service providers to define their clients' private clouds. The vulnerability could allow an attacker to impersonate a logged-in session and gain access to a service provider's Tenant or Provider Portals. The flaw can be fixed by upgrading to version 184.108.40.206 of the tool (CRN).
Huawei patched a driver in its device management software for Huawei MateBook laptops that could have allowed a non-privileged user to run processes with superuser privileges (Verge). Two vulnerabilities in the driver were discovered by Microsoft, who reported them to Huawei and worked with the company to develop a fix. Microsoft introduced kernel sensors with Windows 10 version 1809 that allow Microsoft Defender ATP to identify potential kernel-mode threats. The flawed Huawei driver monitored a user mode service and restarted it if the service crashed. To do this, the driver used an asynchronous procedure call (APC) to run code in a privileged Windows process. The second vulnerability in the driver allowed users to map any physical memory page into user-mode with read-write permissions, which again granted the user full control over the machine.
The vulnerabilities resemble backdoors leaked in other incidents, and they surface at a time of heightened suspicion that Chinese products may be particularly likely to have pre-installed backdoors. There's also the fact Windows 10 already has built-in features to achieve what the flawed driver was attempting to do, so it's not clear why the company added the function in the first place. If anything, Ars Technica says the incident serves to highlight "some of the extraordinarily awful things that hardware vendors do when they're tasked with writing software."
Android's April update includes patches for two critical Remote Code Execution vulnerabilities (Naked Security).
Verizon rolled out a software update for the Motorola Moto G6 that contains up-to-date Android security improvements (The Android Soul).
Crime and punishment.
Serial swatter Tyler Barriss has been sentenced to twenty years in prison after pleading guilty to 51 Federal charges related to hoax threats and phone calls. In December 2017, one of Barriss' swatting "pranks" over a video game feud led to the shooting death of 28-year-old Andrew Finch, an innocent man in Kansas who had nothing to do with the dispute (Associated Press).
Mexican police arrested the leader of a Romanian crime ring known for putting Bluetooth-based card-skimmers in ATM machines across Mexico. The man, named Florian Tudor, ran a shady ATM company called "Intacash," which owned an unusually high number of ATMs in tourist hotspots in Mexico. The gang bribed ATM technicians to place sophisticated skimmers inside competitors' ATMs.'Brian Krebs, who uncovered the scheme in 2015, heard from a source who claimed to work for Intacash that the gang had been paying the Mexican authorities to look the other way. Krebs says the group is part of a larger Romanian crime family with operations across North America (KrebsOnSecurity).
Canadian police raided the home of a Toronto man who developed and sold Orcus RAT, a tool the authorities say is a remote access Trojan. The developer says it's a legitimate remote administration tool, but it contains a number of stealthy surveillance capabilities that wouldn't be used by someone with good intentions. These include password retrieval, keylogging, and persistence capabilities, as well as the ability to access the webcam and microphone without alerting the user. It's worth noting that the tool has been widely used as malware—either in its original form or modified with custom plugins—since 2016 (KrebsOnSecurity).
Courts and torts.
Poland's data protection authority issued its first fine under GDPR: a relatively small €220,000 penalty against a Swedish digital marketing company called "Bisnode." TechCrunch notes that the real punishment is requiring the company to notify nearly six million people whose data was collected, which the company estimates will cost around €8 million. Poland's Personal Data Protection Office (UODO) took a literal interpretation of GDPR's Article 14, which requires data controllers to inform people whose data was obtained indirectly. While Bisnode's data contained plenty of physical addresses, the company only had roughly 679,000 email addresses on file. It did in fact send emails informing the owners of these email addresses, but the company deemed it too costly to contact the remaining 5.7 million people via snail mail or telephone. The UODO's penalty was based on the fact that Bisnode's decision not to contact the rest of the individuals was made for monetary reasons, rather than in consideration of its legal obligation as a data controller. Bisnode plans to sue the UODO over its decision, saying that contacting the remaining people would have constituted "a disproportionate effort" under the law (TechCrunch).
Policies, procurements, and agency equities.
US Vice President Mike Pence said in a speech to NATO leaders on Wednesday that the Atlantic Alliance should expect to find itself increasingly focused closely on countering future expansion of Chinese influence (Newsweek).
A report released on Tuesday by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) outlined the risks of using Huawei's technology in 5G networks. The report cites China's "notorious reputation for persistent industrial espionage, and in particular for the close collaboration between government and Chinese industry." It treats 5G technology as a national security issue due to the fact that "core communications networks constitute fundamental infrastructure" relied upon by "systems of strategic importance for society, including security services and the military." Additionally, the report emphasizes that 5G technology will spur a "massive growth" in IoT services, increasing "not merely the degree but the very character of contemporary societies' digital dependency." The report is skeptical of claims that countries are restricting Huawei's technology on the basis of protectionism, given that the countries in question don't currently produce 5G technology and a ban on Huawei would delay the deployment of their networks.
The House Intelligence Committee plans to hold a hearing in the next few months to examine the threat that deepfake videos pose to elections (The Hill).
Fortunes of commerce.
The Massachusetts Institute of Technology (MIT) is ending its engagements with Huawei and ZTE "due to federal investigations regarding violations of sanction restrictions," the university's Vice President for Research announced in a letter on Wednesday (ZDNet).
Defense industry companies on Thursday announced the launch of the Supply Chain Cybersecurity Industry Task Force, which will be comprised of companies of all sizes who form the Defense Industrial Base Sector Coordinating Council. The task force's founders are BAE Systems, Boeing, Lockheed Martin, Northrop Grumman, and Raytheon (AiThority).
The Office of Personnel Management issued its final rule allowing US agencies to more easily hire IT and cyber personnel. The regulation goes into effect on May 3rd (FCW).
Mergers and acquisitions.
French multinational aerospace, defense, transportation, and security company Thales Group has completed its purchase of Dutch digital security company Gemalto. More than 85% of Gemalto's shares were tendered, and the company's operations were consolidated into Thales on April 1st (Business Wire).
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.