The Week that Was.
May 18, 2019.
By the CyberWire staff
Fxmsp hacking victims identified.
Symantec, McAfee, and Trend Micro are reported to be the security firms the Fxmsp gang claims to have breached. BleepingComputer identified them from unredacted Fxmsp chat logs it received from Advanced Intelligence. Trend Micro said unauthorized parties had accessed data in a test lab, but that neither source code nor customer information was compromised. Symantec denied being affected, and McAfee says it's investigating. Whether the breach is as serious as some have held it to be remains unconfirmed.
New York-based Advanced Intelligence's youth (the company was founded only in March) elicited skepticism over its report, but the company stands by its work (Computer Business Review).
Disinformation from Tehran: Endless Mayfly.
The University of Toronto's Citizen Lab attributed a multi-year, multilingual influence operation to Iran, with "moderate confidence." The narratives pushed were unsurprising, directed against the United States, Israel, and Saudi Arabia. Citizen Lab called the campaign "Endless Mayfly" because its fake articles were short-lived, typically taken down soon after they had been seeded. Endless Mayfly's technique was simple but proven: typosquatting, with fairly convincing landing pages mimicking real publications, including Bloomberg, The Guardian, The Atlantic, and Politico. Thus the operators squatted on "theatlatnic" to impersonate The Atlantic (Citizen Lab). But note the persistence and the linguistic skill, and recall that Tehran's hackers also began with amateurish-looking techniques, then learned quickly and got better fast. There's every reason to think Iran will improve its information-operations game as well.
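Lookalike domains of the "theatlatnic" kind are cheap to catch in a feed of newly observed domains if you score each candidate's second-level label against a brand watchlist with an edit distance that counts adjacent-character swaps as a single edit. The script below is an added example, not Citizen Lab's tooling; the brand list and the candidate feed are constructed for illustration, and the registrable-label extraction assumes a single-label public suffix.

```python
"""Flag typosquat candidates against a brand watchlist.

Added example; the domain lists are constructed, not real registrations.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution,
    or a swap of two adjacent characters each cost 1. A swap is exactly the
    "theatlatnic" / "theatlantic" case, so plain Levenshtein (cost 2) would
    under-rank it."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # delete a[i-1]
                          d[i][j - 1] + 1,        # insert b[j-1]
                          d[i - 1][j - 1] + cost)  # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def registrable_label(domain: str) -> str:
    """'www.theatlatnic.com' -> 'theatlatnic'.
    Assumption: single-label public suffix; use a PSL library for .co.uk etc."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_lookalikes(candidates, brands, max_distance=2):
    """Return (candidate, brand, distance) for every candidate whose label is
    within max_distance of a brand label but not identical to it (distance 0
    is the brand's own domain, not a squat)."""
    hits = []
    for cand in candidates:
        label = registrable_label(cand)
        for brand in brands:
            dist = osa_distance(label, brand)
            if 0 < dist <= max_distance:
                hits.append((cand, brand, dist))
    return hits


BRANDS = ["theatlantic", "theguardian", "bloomberg", "politico"]

# Constructed feed of newly seen domains (illustrative only).
CANDIDATES = [
    "theatlatnic.com",   # adjacent swap, the Endless Mayfly pattern
    "the-guardian.net",  # inserted hyphen
    "bloomberq.com",     # single substitution
    "theatlantic.com",   # the real brand: distance 0, not reported
    "example.org",       # unrelated
]

if __name__ == "__main__":
    for cand, brand, dist in find_lookalikes(CANDIDATES, BRANDS):
        print(f"{cand}: resembles {brand} (distance {dist})")
```

Distance thresholds are a trade-off: 1 catches swaps and single typos with few false positives, while 2 starts to match unrelated short labels, so in practice the candidate set is filtered to newly registered domains or certificate-transparency entries first.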
WhatsApp and Pegasus spyware.
WhatsApp patched a vulnerability that permitted remote installation of NSO Group's Pegasus intercept tool (SC Magazine). It's unknown how many phones were affected; the University of Toronto's Citizen Lab says it is aware of at least one probable case (New York Times). The vulnerability is said to have affected both Android and iOS devices, and its exploitation to have been "highly targeted" (Decipher). NSO Group said it would not have been involved in such activity, and that it's investigating. The flaw, WhatsApp explained, was a buffer overflow in the app's VoIP stack that permitted remote code execution through specially crafted packets sent to a target's phone number, so the victim need not have done anything beyond owning a reachable number. Facebook, WhatsApp's corporate parent, has urged users to update (Threatpost).
Thrangrycat.
Cisco is patching vulnerabilities discovered and reported by researchers at Red Balloon Security. One of them, called "Thrangrycat" (CVE-2019-1649), affects the Trust Anchor module, the proprietary hardware secure-boot root of trust Cisco has built into its equipment since 2013; the attack modifies the FPGA bitstream that implements the module, which defeats secure boot and persists across reboots. It requires root access on the device, so by itself Thrangrycat isn't much of a problem. Unfortunately a second vulnerability, a command-injection flaw in the IOS XE web UI that has no cute name and is known only as CVE-2019-1862, can be chained with Thrangrycat to obtain the access needed to plant those backdoors (ZDNet). Cisco products are used worldwide, so while there are no reports of exploitation in the wild yet, it's a matter of some concern (WIRED). Cisco has issued fixes for both; note that because Thrangrycat lives in the hardware trust anchor, its remediation means reprogramming the FPGA rather than simply installing a software patch.
The CyberWire team was joined by Sponsor KnowBe4 and recently recorded our show live at KB4-Con. On this episode, Dave Bittner describes a late-night phone call scam, Joe Carrigan explains a Social Security scheme, KnowBe4's Stu Sjouwerman shares deadly catch of the day, and Kevin Mitnick shares stories from his own hacking experience, and takes questions from the audience. Listen to the podcast.
New Intel "ZombieLoad" vulnerability disclosed.
Another set of speculative execution flaws similar to Spectre and Meltdown has been found in Intel chips (WIRED). As VentureBeat explains, there are four vulnerabilities, which Intel collectively calls "Microarchitectural Data Sampling" (MDS); "ZombieLoad," "RIDL," and "Fallout" are the names the discovering research teams gave their attacks. All leak data in flight through the CPU's internal buffers via a side channel. Researchers at the Vrije Universiteit Amsterdam identified the three Rogue In-Flight Data Load (RIDL) issues. The remaining MDS problem, "Fallout," was discovered by an international team drawn from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, KU Leuven, the University of Adelaide, and Data61.
Open source and questions of trust.
Australia's Commonwealth Scientific and Industrial Research Organisation's Data61 unit discerns a problem. Its researchers tracked 200,000 popular websites for two years and found that while a site may have explicit agreements with what Data61 calls "first-tier" third parties, those parties in turn load further third-party code. Dependencies beyond the first tier are seldom inspected by the site owner and even less often visible to the end user (Innovation Australia). A related problem was discussed at the Global Cyber Innovation Summit two weeks ago: open source code is pervasive, and it's often written by unknown people with unknown skills, qualifications, and motivations (The CyberWire).
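The Data61 finding is easy to reproduce for a single site once you have a record of which resource loaded which. The script below is an added example (not Data61's tooling): given a map of loader URL to the URLs it pulls in, it assigns every origin a tier, where 0 is the first party, 1 is a directly embedded third party, and 2 or more is a transitive dependency the site owner never contracted with. The load map here is constructed for illustration; in practice it would come from a crawler or a browser HAR export, and the site grouping assumes a single-label public suffix.

```python
"""Assign tiers to third-party dependencies of a web page.

Added example; the load map is constructed, not captured from a real site.
"""
from collections import deque
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Registrable site, approximated as the last two DNS labels.
    Assumption: single-label public suffix (use a PSL library for .co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def dependency_tiers(page_url: str, loads: dict) -> dict:
    """0-1 BFS over the load graph. A hop to a resource on the same site
    costs 0 (still that party's code); a hop to a different site costs 1.
    The tier of a site is the cheapest chain from the page to it."""
    first_party = site_of(page_url)
    best = {page_url: 0}
    tiers = {first_party: 0}
    queue = deque([page_url])
    while queue:
        url = queue.popleft()
        tier = best[url]
        for dep in loads.get(url, []):
            dep_tier = tier + (0 if site_of(dep) == site_of(url) else 1)
            if dep_tier < best.get(dep, float("inf")):
                best[dep] = dep_tier
                site = site_of(dep)
                tiers[site] = min(tiers.get(site, dep_tier), dep_tier)
                # weight-0 edges go to the front so pops stay in tier order
                (queue.appendleft if dep_tier == tier else queue.append)(dep)
    return tiers


def beyond_first_tier(tiers: dict, min_tier: int = 2) -> list:
    """Sites reached only through another third party: the ones Data61
    found are rarely covered by any agreement with the site owner."""
    return sorted(s for s, t in tiers.items() if t >= min_tier)


PAGE = "https://www.news-site.example/"

# Constructed load graph: loader -> resources it requests.
LOADS = {
    PAGE: [
        "https://static.news-site.example/app.js",       # first party
        "https://tag.adtech-one.example/tag.js",         # contracted vendor
        "https://cdn.analytics-co.example/a.js",         # contracted vendor
    ],
    "https://tag.adtech-one.example/tag.js": [
        "https://sync.cookie-matcher.example/sync.js",   # vendor's vendor
        "https://cdn.analytics-co.example/a.js",         # also direct: stays tier 1
    ],
    "https://sync.cookie-matcher.example/sync.js": [
        "https://pixel.data-broker.example/p.gif",       # three hops out
    ],
}

if __name__ == "__main__":
    tiers = dependency_tiers(PAGE, LOADS)
    for site, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {site}")
    print("never reviewed:", beyond_first_tier(tiers))
```

A site that appears at tier 1 and again deeper in a chain keeps tier 1, since the owner does have a relationship with it; the list that matters for review is the tier 2 and deeper set, which changes whenever any vendor changes its own script without telling anyone.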
The Christchurch Call and its implications.
The massacre in March of Muslims at worship in Christchurch, New Zealand, mosques prompted New Zealand's government to issue the "Christchurch Call," which enjoins governments to ban a range of "objectionable" material and to create a framework in which media might report atrocities without amplifying them, and thereby inspiring others to commit more. The shooter's livestreaming of the murders in progress led to the Call. New Zealand will work initially with France to try to work out an appropriate regime of bans and filters (Australian Broadcasting Corporation).
The United States will not be among the nations signing on to the Call. It's not that Americans are in favor of violent extremism, but rather that the Administration sees no easy way of reconciling the Christchurch Call with First Amendment guarantees of freedom of speech (Washington Post).
Patch Tuesday.
Siemens, Apple, Adobe, and Microsoft all patched on Tuesday. Apple's patches addressed, among other things, the ZombieLoad side-channel vulnerability in the Intel chips its products use. Cupertino wasn't alone in working on ZombieLoad: as TechCrunch reports, Amazon, Google, Mozilla, and Microsoft also took on the speculative execution flaw, and Intel itself released microcode and guidance for the vulnerability. The cost of the fixes is workload-dependent: estimates run from some twenty percent (Reuters) up to forty percent (VentureBeat), the higher figure applying when Hyper-Threading is disabled, which is what full mitigation requires on affected parts.
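Whether a given Linux host is actually covered is something to verify rather than assume, because the kernel fix and the Intel microcode have to be present together, and buffer clearing alone does not protect against a sibling hyperthread. The kernel reports all of this in /sys/devices/system/cpu/vulnerabilities/, one file per issue, with status strings documented in Documentation/admin-guide/hw-vuln/mds.rst. The script below is an added example (not from Intel or any vendor advisory) that reads those files and turns the mds line into a verdict; the sample entries are constructed so it also runs on a machine without that directory.

```python
"""Read the Linux kernel's CPU-vulnerability status files and judge MDS.

Added example; SAMPLE is constructed to look like real sysfs contents.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Generic verdict shared by every file in the directory."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def mds_verdict(status: str) -> str:
    """MDS-specific: 'Clear CPU buffers' only helps the current thread, so the
    kernel appends the SMT state and that suffix decides the real answer."""
    s = status.strip()
    if s.startswith("Vulnerable") and "no microcode" in s:
        return "vulnerable: microcode missing"   # kernel side present, CPU side absent
    base = classify(s)
    if base != "mitigated":
        return base
    if "SMT disabled" in s or "SMT mitigated" in s:
        return "mitigated"
    if "SMT vulnerable" in s:
        return "partial: SMT vulnerable"        # sibling thread can still sample
    if "SMT Host state unknown" in s:
        return "partial: host SMT state unknown"  # guest cannot see the host
    return "mitigated (SMT state not reported)"


def read_sysfs(directory: str = SYSFS_DIR) -> dict:
    """{name: status line}; empty dict when the interface is absent."""
    out = {}
    if not os.path.isdir(directory):
        return out
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as f:
                out[name] = f.read().strip()
        except OSError:
            continue
    return out


def report(entries: dict) -> dict:
    """Verdict per vulnerability, applying the MDS rules to the mds entry."""
    return {name: (mds_verdict(v) if name == "mds" else classify(v))
            for name, v in entries.items()}


# Constructed sample shaped like the real files on a partly patched host.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, "
                  "IBRS_FW, STIBP: conditional, RSB filling",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "l1tf": "Vulnerable",
}

if __name__ == "__main__":
    live = read_sysfs()
    for name, verdict in report(live or SAMPLE).items():
        print(f"{name}: {verdict}")
```

A "partial" result for mds is the common state after applying the patches: the buffers are cleared on context switches, but two threads on the same core still share them, and only disabling SMT (or accepting the exposure) closes that path.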
Microsoft released sixteen updates in total, resolving seventy-nine distinct vulnerabilities. One of them, CVE-2019-0708 in Remote Desktop Services (since nicknamed "BlueKeep"), is a pre-authentication flaw that requires no user interaction and could be exploited by a WannaCry-like worm, and Redmond drew particular attention to it. It was judged serious enough that Microsoft patched beyond end-of-life software, including Windows XP and Windows Server 2003. Although no longer supported, both remain in wide use; Windows 8 and Windows 10 are not affected.
Siemens addressed issues in its industrial control systems, and Adobe fixed problems with several products, including Acrobat and Reader.
Crime and punishment.
A joint EU-US investigation has resulted in the indictment of ten hackers in connection with the use of the GozNym banking Trojan. The gang was widely distributed but Eastern European: five in Russia, two in Ukraine, one in Georgia, and one each in Bulgaria and Moldova. Their US indictment was filed in the District Court for the Western District of Pennsylvania, but a number of other jurisdictions will probably want their whack at these gentlemen before they show up in Pittsburgh. Five are in custody (two of them will face trial in Georgia). Five are on the run (TechCrunch).
Six alleged members of a SIM-swapping gang (lamely known among themselves as "the Community") were indicted last week for wire fraud by the US Attorney for the Eastern District of Michigan. An additional three were charged with wire fraud in a related action; these latter were former employees of mobile phone companies. The Community was after credentials that would give them access to their victims' cryptocurrency wallets, and is said to have stolen almost $2.5 million in alt-coin. The three former phone-company employees facilitated the crime, acting as bribed insiders who carried out the SIM swaps.
Colton Jurisic, 20, of Dubuque, Iowa, Ryan Stevenson, 26, of West Haven, Connecticut, Conor Freeman, 20, of Dublin, Ireland, Reyad Gafar Abbas, 19, of Rochester, New York, and Garrett Endicott, 21, of Warrensburg, Missouri are the Communitarians named in the indictment. Messrs. Jurisic and Stevenson had already made the acquaintance of American law enforcement, and the two of them glory in the noms-de-hack "Forza" (or, less modestly, "ForzaTheGod") and "Phobia," respectively. The three gentlemen facing the wire fraud beef are Fendley Joseph, 28, of Murrietta, California, and Jarratt White, 22, and Robert Jack, 22, both of Tucson, Arizona. Wire fraud carries a maximum penalty of twenty years, and people have begun doing jail time for the SIM-swapping version of the crime (KrebsOnSecurity).
Russian national Maria Butina, now in US custody after pleading guilty to conspiring to act as a foreign agent, said from jail that it's all a big misunderstanding. First of all the Mueller Report didn't even mention her, and second of all she never knew that foreign agents were supposed to register, and third of all she was just trying to "build peace" among Russians and Americans. Is that a crime? Well, sure, in the view of the US Justice Department, which humorlessly casts all that peace-building in a more sinister light: they call it "spotting and assessing" for Russian intelligence services, that is, recruiting Americans to spy for the Bears. Maybe she did it unwittingly, but the Justice Department doubts it, the Special Counsel's silence on Ms Butina notwithstanding (NPR).
Swedish prosecutors have reopened a sexual assault case against WikiLeaks' Julian Assange, and they're asking the UK to extradite him (Washington Post). In the US case against Mr. Assange, Ecuador has agreed to give the US computers and files their one-time embassy guest used during his stay in London (El Pais).
Courts and torts.
Amnesty International filed a suit in the District Court of Tel Aviv, asking Israel's Ministry of Defence to revoke NSO Group's export license. NSO's Pegasus lawful-intercept tool has been used in surveillance of human rights advocates, Amnesty among them, by the governments of Mexico, Saudi Arabia, and the United Arab Emirates. The lawsuit is supported by New York University (NYU) School of Law's Bernstein Institute for Human Rights and Global Justice Clinic. Amnesty maintains that NSO Group has failed in due diligence with respect to its customers.
In what some read with jaundiced eye as a move to get ahead of more data abuse news, Facebook sued South Korean analytics firm Rankwave for allegedly abusing Facebook's developer's platform data. TechCrunch notes that the news was broken late last Friday, and Friday evenings are the traditional time for releasing bad news one wishes to get out, but also hopes will be largely overlooked.
The US Supreme Court has decided that consumers can sue Apple over prices in its app store. The plaintiffs wish to allege that Apple's policy of not permitting apps from third-party stores on its phones amounts to a monopoly that artificially sustains high prices. This may not be a good thing for security. Apple's store has been more rigorous than most at keeping out rogue or sloppy software, and industry observers see the possibility that the decision will tend to relax that rigor (TheHill).
US allies may be nudged by both prudential policy and the Wassenaar Arrangement to follow suit, the Times says. Doing business with Huawei is cheap, but the optics are bad, and it can also be risky in its own right. As Forbes and others report, the Netherlands' intelligence service is investigating what appear to be backdoors attributed to Huawei in Dutch telecommunications networks.
Following incidents in which Chinese government money found its way to startups, the US Defense Department is moving forward with its Trusted Capital Marketplace program, intended to connect entrepreneurs with investors who don't represent a security threat by offering a vetted list of VCs suitable for tech start-ups to consider. Consider it a security measure for the capital supply chain.
The Cyberspace Solarium Commission, a US deliberative body modeled on the Eisenhower-era group that considered nuclear strategy in the early 1950s, is ready to begin its work. 5G issues figure high on the agenda (Smart Cities Dive). The Solarium will have three working groups: persistent engagement; deterrence; and international norms and standards (Fifth Domain).
Fortunes of commerce.
Munich Re has agreed to underwrite the customers of cryptowallet provider Curv, offering some protection for losses they might sustain in cyberattacks (BTC Wires).
Insurers are increasingly involved in incident response planning (JD Supra), and offering security or recovery services bundled with the policies they sell. Those services are commonly offered under the aegis of a "breach coach," as Accenture's Justin Harvey explained on a recent CyberWire podcast. The interests of insurer and insured are aligned: both want to limit their losses.
Acumin has some advice on how to prepare to interview for a cybersecurity job. (They also point out what should be obvious, but isn't: the fact that there are a lot of open positions doesn't mean you're going to be offered one of them.) An easily accomplished yet often overlooked bit of advice: learn as much as you can about the organization that's interviewing you.
Mergers and acquisitions.
Maryland-based IT services shop Corsica Technologies has bought EDTS Cyber to expand its place in the cybersecurity market. Terms of the acquisition were not immediately disclosed (Yahoo).
VMware has acquired Bitnami, a company that specializes in packaging enterprise applications to facilitate their deployment into cloud environments (CRN).
Kaseya, which recently picked up ID Agent, is expected to pursue further acquisitions in the security and disaster recovery space (Search Data Backup).
Investments and exits.
CrowdStrike is expected to raise $100 million in its forthcoming initial public offering, and to achieve a valuation higher than the more than $3 billion the unicorn was appraised at during its last funding round (TechCrunch). The company filed its S-1 with the Securities and Exchange Commission Tuesday. The company says its Falcon platform creates a new category: the Security Cloud (CFO).
Machine data analytics shop Sumo Logic last week raised $110 million in a round led by Battery Ventures. New investors Franklin Templeton and Tiger Global Management joined the round alongside existing investors (Algos). Sumo Logic has positioned itself in the market as a leading DevSecOps platform.
Respond Software has raised $20 million in a Series B round led by ClearSky Security, with participation from CRV and Foundation Capital. The company intends to use the funds to increase marketing and customer support for its robotic security decision automation solutions. ClearSky Managing Director Jay Leek will join Respond's board.
And security innovation.
PwC has introduced a program to support cybersecurity scale-ups, that is, companies that begin with at least ten employees and that experience average annualized growth of at least 20% over 3 years (Consultancy).
Today's issue includes events affecting Australia, Bulgaria, Canada, China, European Union, France, Georgia, Iran, Ireland, Moldova, New Zealand, Russia, Ukraine, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this week's episode, "Elfin APT group targets Middle East energy sector," we hear from researchers at Symantec who've been tracking an espionage group known as Elfin that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States. Alan Neville is a principal threat intelligence analyst at Symantec, and he joins us to share their findings.